CFQUERYPARAM_REQ false positive: String in SQL Server XML function

[TheRealAgentK]

...
UPDATE
					Something
				SET
					taskXML.modify('insert #additionalMember#
									   as last into (/task)[1]')
				WHERE
					tID = <cfqueryparam value="#arguments.something.tID#" cfsqltype="cf_sql_integer">
					AND taskUUID = <cfqueryparam value="#arguments.something.tUUID#" cfsqltype="cf_sql_varchar">
...

Reports on the taskXML.modify (taskXML is a column from a preceeding IF EXISTS ( SELECT... ))

[ryaneberly]

@TheRealAgentK , can you expand on this one a bit please. I get a single CFQUERYPARAM_REQ because of #additionalMember# as I would expect.

[TheRealAgentK]

Will try to create and then push an isolated test case in dev.

[TheRealAgentK]

Ah, scratch that - I see what you mean now. Yes, that is a valid one because .modify() actually acts like an update on that XML blurb. It's another one that's not fixable with CFQUERYPARAM though and would benefit from the more fine-grained ignoring in SQL.

[ryaneberly]

Thank you.

[zspitzer]

this is also triggered when the case of the <cfquery> and <cfqueryparam> tags don't match, which is only stylistically messy but still valid

[TheRealAgentK]

Hey @zspitzer - can you provide a (couple of) test samples for us and ideally create a new github issue for this?

[zspitzer]

done #380