Proposals for ColdFusion 9 - From the Enemy's Camp
Yesterday I was reading an interesting article (from Dzone):
So why is an admitted ColdFusion fan-boy reading about PHP? As much as I love CF and think nothing compares to it (cue Sinead), I don't for one minute think that it has a monopoly on all the good ideas.
While reading the article (oh, btw, congrats on getting XML, SOAP, and Unicode support in guys - welcome to CF6) I noticed a few things that I thought could perhaps be of use in ColdFusion. I'm definitely not sure about these ideas, but I've shared them with Ben and a few friends and thought I'd share them with my readers. Again - I'm not sure about this. Feel free to call em out as dumb ideas. Also note that my knowledge of PHP isn't high - so I may be misunderstanding how PHP works.
1) First off - PHP6 is disabling a feature they call register_globals. This feature is much like CF's auto scope check. If I put this on a page:
<cfoutput>#x#</cfoutput>
Then CF will check local scope, then form, url, etc (I may have gotten the order wrong).
By turning this off, CF could - perhaps - be a bit more secure. The example they show up on the URL I think is a good one. Probably rare though as most folks would store authentication info in the Session scope. It appears as if PHP checks the Session scope, which CF does NOT do.
Imagine we added a per app setting (this.scopecheck = false) that would tell CF to NOT chekc other scopes. If you do
<cfoutput>#x#</cfoutput>
CF would only check the local Variables scope, and perhaps the unnamed Var scope. The setting would default to true for backwards compat.
2) magic_quotes
This seems to mesh with CF's auto escaping of quotes. While this is a good thing, folks should be using cfqueryparam. What if there was a way to turn off CF's auto escaping? It would mean queries would start throwing errors - but that may be preferable to a SQL injection attack. It would also force you to use cfqueryparam. (Again, this setting would default to being enabled for backwards compat.)
Comments
I think Railo already does the first of those, though I'd need to doublecheck.
# Posted By Andy Allan
| 5/9/08 8:22 AM
There's a bit of a Catch-22 here.
I would say that the majority of people reading your blog would not be affected by either of these changes. (Maybe a little, but not much.) If someone is CF-savvy enough to be reading CF blogs, then odds are good that proper variable scoping and query parameter use are already within their toolbelt, or at least within reach of their toolbelt.
The people that would be most affected by this are the n00bs. While I agree that explicit scoping is a good thing (who doesn't hate trying to debug old code where you can't tell what the source of a variable is?), it's going to confuse the heck out of many n00bs. I know that many of us are a long way away from where we started, but remember that one of CF's benefits is that it is wicked simple to get up and running by just adding a few tags to an HTML page. Yes, being lazy about variable scoping is cheating, but do you really want to have to explain that whole thing to every n00b and front-load all that learning? That just ups the learning curve and makes CF slightly less accessible. They may as well go learn Perl and what @ $ and % mean.
Repeat the last paragraph, replacing "scoping" with "query parameters".
I would say that the majority of people reading your blog would not be affected by either of these changes. (Maybe a little, but not much.) If someone is CF-savvy enough to be reading CF blogs, then odds are good that proper variable scoping and query parameter use are already within their toolbelt, or at least within reach of their toolbelt.
The people that would be most affected by this are the n00bs. While I agree that explicit scoping is a good thing (who doesn't hate trying to debug old code where you can't tell what the source of a variable is?), it's going to confuse the heck out of many n00bs. I know that many of us are a long way away from where we started, but remember that one of CF's benefits is that it is wicked simple to get up and running by just adding a few tags to an HTML page. Yes, being lazy about variable scoping is cheating, but do you really want to have to explain that whole thing to every n00b and front-load all that learning? That just ups the learning curve and makes CF slightly less accessible. They may as well go learn Perl and what @ $ and % mean.
Repeat the last paragraph, replacing "scoping" with "query parameters".
For point 1 above, I believe Railo allows you to configure this setting per CF instance (or module as they call it). It basically means any unscoped variables in your code will throw an error. There is also a significant performance gain, as Railo only looks through the variables scope. That's the theory anyways.
# Posted By Darren Walker
| 5/9/08 8:32 AM
For the first point, I am not sure why it is occuring for you but it never does that for me. I hate scope checking in any language and turn it off if I can, but I have tested putting <cfoutput>#x#</cfoutput> and it only checked outputed local (if it was set) eitherwise it errored (variable not defined) when adding ?x=whatever to the URL.
As for the second point, I fully agree. I ALWAYS use cfqueryparam though. As for those who say PHP does not support query paramaters, take a look at MySQLi. I am pretty sure that the PostgreSQL library has similar functionality.
As for the second point, I fully agree. I ALWAYS use cfqueryparam though. As for those who say PHP does not support query paramaters, take a look at MySQLi. I am pretty sure that the PostgreSQL library has similar functionality.
To address point number 2, right now, as far as I know, the auto-escaping of quotes in ColdFusion actually PREVENTS SQL Injection attacks. Here is a quick example:
A url that gets a user’s profile might look like this:
http://domain.com/?username=jason
With CF Auto escaping if I try to pass in:
http://domain.com?username=jason';%20DELETE%20FROM%20USERS;--
Then what will actually get passed to the query for execution will be:
SELECT username, firstname, lastname
FROM users
WHERE username = 'jason\'%20DELETE%20FROM%20USERS;--'
At which point I would simply get an error that user "jason\'%20DELETE%20FROM%20USERS;--" does not exist.
However, if auto escaping was turned off, the DELETE statement would be processed after the select statement returned the "Jason" user, anything after it would be commented out by the "--" and my user table would be lost.
I have only done brief experimenting with this, so please correct me if I am wrong, but this is my understanding of how this works
A url that gets a user’s profile might look like this:
http://domain.com/?username=jason
With CF Auto escaping if I try to pass in:
http://domain.com?username=jason';%20DELETE%20FROM%20USERS;--
Then what will actually get passed to the query for execution will be:
SELECT username, firstname, lastname
FROM users
WHERE username = 'jason\'%20DELETE%20FROM%20USERS;--'
At which point I would simply get an error that user "jason\'%20DELETE%20FROM%20USERS;--" does not exist.
However, if auto escaping was turned off, the DELETE statement would be processed after the select statement returned the "Jason" user, anything after it would be commented out by the "--" and my user table would be lost.
I have only done brief experimenting with this, so please correct me if I am wrong, but this is my understanding of how this works
# Posted By Jason Dean
| 5/9/08 9:06 AM
I love the idea of disabling the scope-trolling. Force cleaner code, faster processing? Its like a 'strict' mode for your code ;)
@Jason - Yeah good point. Not quite sure what I was thinking. Although what if your sql was
seelct * from where id = #url.x#
and url.x was 5;drop%20users
That doesn't use single quotes so it's a dumb example.
As I said - I wasn't sure about these ideas. ;)
@Jim - I think the idea is that a page may be cfincluded and expecting X - if I find I can run it as is - see X is throwing an error and then I provide X, it is a way to attack.
seelct * from where id = #url.x#
and url.x was 5;drop%20users
That doesn't use single quotes so it's a dumb example.
As I said - I wasn't sure about these ideas. ;)
@Jim - I think the idea is that a page may be cfincluded and expecting X - if I find I can run it as is - see X is throwing an error and then I provide X, it is a way to attack.
# Posted By Raymond Camden
| 5/9/08 9:13 AM
@Ray - You're right. When you are dealing with numeric values begin passed in, SQL injection attacks are MUCH easier. In fact, if you are not cfQueryParaming your numeric variables, you can be easily hacked. String, however, are tougher because of the magic quotes. It's still <a href="http://www.coldfusionmuse.com/index.cfm/2008/2/22/... impossible</a>, but tougher.
# Posted By Jason Dean
| 5/9/08 9:24 AM
What CF9 really needs is a runtime. A way for application developers to write and deploy applications without having to charge their clients an extra $1,300 on top of the price of their software. I'm tired of having better looking and better functioning apps and getting beaten by inferior products based on .NET and PHP (because they're essentially free).
We've already got what in my opinion is the most rapid development platform with the most built in value adds - and I know that it costs money to provide all of those features, but we need to be able to attract companies that write from scratch, shrink wrapped software to ColdFusion as a development platform and the way to do that is definitely not by adding $1,300.00 to the price tag of their software. If they make small apps that are usefull but not enormously feature rich then they would look like idiots trying to sell a piece of software that is $1,000 but has a system requirement needed to run it that costs more than the application itself.
What about an edition of CF Server that costs $500 to deploy that can just run apps and that's all?
We've already got what in my opinion is the most rapid development platform with the most built in value adds - and I know that it costs money to provide all of those features, but we need to be able to attract companies that write from scratch, shrink wrapped software to ColdFusion as a development platform and the way to do that is definitely not by adding $1,300.00 to the price tag of their software. If they make small apps that are usefull but not enormously feature rich then they would look like idiots trying to sell a piece of software that is $1,000 but has a system requirement needed to run it that costs more than the application itself.
What about an edition of CF Server that costs $500 to deploy that can just run apps and that's all?
# Posted By Andy Sandefer
| 5/9/08 9:25 AM
@Ray
We'll see if this works. I was trying to direct you to an post that discusses getting around the magic quotes in certain situations.
http://www.coldfusionmuse.com/index.cfm/2008/2/22/... impossible
We'll see if this works. I was trying to direct you to an post that discusses getting around the magic quotes in certain situations.
http://www.coldfusionmuse.com/index.cfm/2008/2/22/... impossible
# Posted By Jason Dean
| 5/9/08 9:25 AM
@Andy - Respectfully I'd like to ask that you keep this on topic. Jason Delmore has a good article on the costs of CF:
http://www.cfinsider.com/index.cfm/2007/11/10/Thin...
Also - I'd probably think that if a web site cost < 1k, then most likely this is not a web site that needs to run on it's own server. I'd assume thats something that could easily run on a shared host and NOT require buying a full CF license.
http://www.cfinsider.com/index.cfm/2007/11/10/Thin...
Also - I'd probably think that if a web site cost < 1k, then most likely this is not a web site that needs to run on it's own server. I'd assume thats something that could easily run on a shared host and NOT require buying a full CF license.
# Posted By Raymond Camden
| 5/9/08 9:28 AM
Ray,
Thanks for the link - there was some good info (and fighting) there.
I think that you're missing the boat on the numbers. A lot of companies can't use shared hosting because of things that Adobe pretends don't exist - like SAS, Sarbanes Oxley, Generally Accepted Accounting Practices, etc. ColdFusion is a great development platform for making apps that do everything from Secure File Transfer and Messaging to Help Desk, Document Mgmt. and many other types of little niches where companies in fact do sell high volumes of small, but usefull applications, for under 2k a pop.
Thanks for the link - there was some good info (and fighting) there.
I think that you're missing the boat on the numbers. A lot of companies can't use shared hosting because of things that Adobe pretends don't exist - like SAS, Sarbanes Oxley, Generally Accepted Accounting Practices, etc. ColdFusion is a great development platform for making apps that do everything from Secure File Transfer and Messaging to Help Desk, Document Mgmt. and many other types of little niches where companies in fact do sell high volumes of small, but usefull applications, for under 2k a pop.
# Posted By Andy Sandefer
| 5/9/08 10:07 AM
@Ray -
register_globals was turned off by default in PHP5, so it's actually not a new feature of v6. However, I agree that allowing something similar in CF would be a good idea.
@Rick -
As someone who teaches ColdFusion, I can tell you that teaching proper variable scoping and using cfqueryparam does not make the language more difficult to learn in the least. If anything, it's *harder* to explain the need for scoping when it's semi-optional - if it was off, I could just say it was required and be one with it. :)
Most places I teach are Adobe Authorized Centers, meaning that they are forced to use the extremely sub-par "official" courseware for CF, which unfortunately does not talk about cfqueryparam. However, I always teach it anyway, because a)it's important and b)I don't believe in teaching the wrong way to do things because it's easy, hoping that the students will take the time later to learn the right way. (It's the same reason why I refuse to teach table-based design in Dreamweaver classes.) And as I said, I haven't had a student yet that couldn't grasp the concept. It really isn't a terribly difficult thing, so once again, here I have to agree 100% with Ray and say that it would be a great idea to have CF essentially require it.
register_globals was turned off by default in PHP5, so it's actually not a new feature of v6. However, I agree that allowing something similar in CF would be a good idea.
@Rick -
As someone who teaches ColdFusion, I can tell you that teaching proper variable scoping and using cfqueryparam does not make the language more difficult to learn in the least. If anything, it's *harder* to explain the need for scoping when it's semi-optional - if it was off, I could just say it was required and be one with it. :)
Most places I teach are Adobe Authorized Centers, meaning that they are forced to use the extremely sub-par "official" courseware for CF, which unfortunately does not talk about cfqueryparam. However, I always teach it anyway, because a)it's important and b)I don't believe in teaching the wrong way to do things because it's easy, hoping that the students will take the time later to learn the right way. (It's the same reason why I refuse to teach table-based design in Dreamweaver classes.) And as I said, I haven't had a student yet that couldn't grasp the concept. It really isn't a terribly difficult thing, so once again, here I have to agree 100% with Ray and say that it would be a great idea to have CF essentially require it.
# Posted By Rob Huddleston
| 5/9/08 10:14 AM
I disagree. CF9 should be secure by default, but provide a means to enable the older less secure way of doing things, if needed.
I would argue it is almost always better to invest the time and money to fix the problem with the code.
I would argue it is almost always better to invest the time and money to fix the problem with the code.
# Posted By Tom Chiverton
| 5/9/08 10:32 AM
I 100% agree with the scope setting. I dont even like the fact that #x# equals #variables.X# - all variables should be scoped! CF9 should concentrate on web service security, and a CF based web service enterprise bus would be kinda cool also.
@Rick O
Even the elistist of the elite developers forget on occassion. I'd rather that my code not compile/throw a runtime error if something wasn't scoped properly than to have to figure out the error after it's in production and i end up with a global variable race condition that's extremely hard to debug.
Even the elistist of the elite developers forget on occassion. I'd rather that my code not compile/throw a runtime error if something wasn't scoped properly than to have to figure out the error after it's in production and i end up with a global variable race condition that's extremely hard to debug.
# Posted By Ken Sykora
| 5/9/08 1:52 PM
@Andy Sandefer,
You DO know about Open BlueDragon, don't you? http://www.openbluedragon.org
According to this blog post, OBD addresses the very issue you bring up (the high cost of CF for smaller apps):
http://alan.blog-city.com/bluedragon_open_source.h...
Also check out
http://neilmiddleton.com/2008/05/07/open-bluedrago...
Specifically this passage: "It is now possible to have your CFML projects include the actual openBD runtime itself."
Sorry for the OT comment, Raymond
You DO know about Open BlueDragon, don't you? http://www.openbluedragon.org
According to this blog post, OBD addresses the very issue you bring up (the high cost of CF for smaller apps):
http://alan.blog-city.com/bluedragon_open_source.h...
Also check out
http://neilmiddleton.com/2008/05/07/open-bluedrago...
Specifically this passage: "It is now possible to have your CFML projects include the actual openBD runtime itself."
Sorry for the OT comment, Raymond
# Posted By Tony Garcia
| 5/9/08 3:52 PM
I'm well aware of BlueDragon but I don't think that it has feature set that I'm looking for. Thanks anyway.
# Posted By Andy Sandefer
| 5/9/08 4:03 PM
Yup, Railo does have a variety of scope settings which can be set on a per-web basis. You can have strict which will scan only the variables scope up to standard for the CFML standard method, and also a separate setting for whether to scan recordsets as well. There is also a setting for automatically combining URL and form scopes which allows for some of the flexibility people are looking for when they don't scope these. Hopefully these kinds of options will make their way into ColdFusion as well.
# Posted By Mary Jo Sminkey
| 5/10/08 12:01 AM
As already mentioned Railo supports 1 above - what hasn't been mentioned is that it also supports 2.
You can toggle the single quote escaping on/off in the Administrator, and/or on a per-query basis.
(I'm doubt I would actually recommend turning it off, but it is nice to have the option for if I do encounter a situation that requires it.)
You can toggle the single quote escaping on/off in the Administrator, and/or on a per-query basis.
(I'm doubt I would actually recommend turning it off, but it is nice to have the option for if I do encounter a situation that requires it.)
# Posted By Peter Boughton
| 5/11/08 7:58 AM