
Possible Duplicate:
Common programming mistakes for ColdFusion programmer to avoid?

The purpose of this question is to educate myself, the people I work with, and perhaps other ColdFusion programmers out there.

For those of you who program in Adobe ColdFusion or have programmed in ColdFusion, what are the top ten mistakes that you made, or that should never be made?

I mean give me the worst of the worst, must never do, what to avoid.

Sometimes it helps to show "What To Do"; well, now I want to show "What Not To Do".

Or perhaps share some of your coding nightmares...

Bring it on!

crosenblum
  • Not scoping variables correctly – Stephen Moretti Dec 01 '10 at 14:56
  • Not using cfqueryparam in queries – Stephen Moretti Dec 01 '10 at 14:57
    As this is not a specifically answerable question, (there is no "right" answer), you should make it Community Wiki. – Adam Tuttle Dec 01 '10 at 15:55
  • Do not know how to edit it and make it a "community wiki". And back to the point of this question, I was hoping to hear stories or examples of bad coding etc. Not just a list. Although those lists are rather nice. Thank you all. – crosenblum Dec 01 '10 at 17:23
  • @Adam Ya, I haven't seen the Community Wiki option in the question for a while now. I think they've removed it – Henry Dec 01 '10 at 19:36
  • Seems to be a duplicate of this question: http://stackoverflow.com/questions/1191131/common-programming-mistakes-for-coldfusion-programmer-to-avoid – ale Dec 02 '10 at 00:28
  • This is not a duplicate, this is an attempt to create a really nice listing of "What not to do" that I can show to other ColdFusion programmers. And so what if it is a duplicate, this doesn't mean it can't be expanded upon. How many other really good ColdFusion questions are there, anyways? – crosenblum Dec 02 '10 at 16:14

8 Answers

  1. Programming as if you're the only one who will ever work on the code
  2. No comments about complicated or strange sections of code
  3. Using pound signs (#) unnecessarily
  4. Not using cfbreak to break out of a loop when appropriate
  5. Using CustomTags for "Business Logic", when a CFC would be more appropriate
  6. Not caching singleton CFCs in the Application or Server scope
  7. Paginating large recordsets in ColdFusion, when the pagination should be done in the SQL
  8. Not setting output="false" on CFCs and each cffunction within
  9. Creating arrays of Objects on a high-traffic site when a simple recordset (query object) would perform better and simplify
  10. Putting too much logic in the View layer
Aaron Longnion

A starter set:

  • Scope local variables
  • Use CFQUERYPARAM
  • Do not reload the application scope on every request
  • Do not use application scope for request or session specific data
  • Do not store sensitive data (userID, password, username, etc) in cookies. Use session or client scope.
  • Use a database for client variables
  • Cache frequently-used or slow-changing queries
  • If HTML/CSS/etc. is not dynamic, store or cache the generated code
  • Let your DB do as much data processing as possible
  • Never, ever, leave robust errors enabled on production boxes
  • Always, always have more than one environment; don't code on the production box.
Ben Doom

To add to the nice list above by Ben - turn off debugging on production boxes.

Raymond Camden

Others have touched on this but it bears putting out there in greater detail for any cf newbs who might stumble on this. Always use cfqueryparam!

Do not do this:

    <cfquery name="getSome" datasource="myDB">
      select * from users
      where userID = '#url.userID#'
    </cfquery>

Instead, do this:

    <cfquery name="getSome" datasource="myDB">
      select * from users
      where userID = <cfqueryparam value="#url.userID#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>

Here is a tool (cfqueryparam scanner) that will help you find if you have any vulnerable queries.

The other thing is, if you're a newb and you are not sure if your app is secure, try the free Hack My CF tool, it helped me a ton. (Not affiliated w/ the site in any way, fyi)

jyoseph
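An added example (not part of jyoseph's answer) that carries the same idea to the cases a single integer parameter does not cover: a LIKE search bounded by type and length, an IN list, and a column name, which cannot be bound at all and has to be whitelisted instead. The datasource myDB, the users table columns, and the url fields q, ids and sort are assumed.

```cfml
<!--- Defaults so the page also works when a parameter is missing (assumed names). --->
<cfparam name="url.q" default="">
<cfparam name="url.ids" default="0">
<cfparam name="url.sort" default="username">

<!--- Free-text search: the wildcard goes inside the bound value, and maxlength
      rejects oversized input before it reaches the database. --->
<cfquery name="findUsers" datasource="myDB">
  select userID, username
  from users
  where username like <cfqueryparam value="%#url.q#%" cfsqltype="CF_SQL_VARCHAR" maxlength="60">
</cfquery>

<!--- IN clause: list="true" turns "1,2,3" into three separate integer bind
      parameters; a non-numeric element raises an error instead of becoming SQL. --->
<cfquery name="getSelected" datasource="myDB">
  select userID, username
  from users
  where userID in (
    <cfqueryparam value="#url.ids#" cfsqltype="CF_SQL_INTEGER" list="true">
  )
</cfquery>

<!--- Identifiers (column names, table names) cannot be parameterised, so the
      only safe option is to accept one of a fixed set and fall back otherwise. --->
<cfset allowedSort = "username,createdDate">
<cfset sortCol = "username">
<cfif listFindNoCase(allowedSort, url.sort)>
  <cfset sortCol = url.sort>
</cfif>
<cfquery name="listUsers" datasource="myDB">
  select userID, username, createdDate
  from users
  order by #sortCol#
</cfquery>
```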

What NOT to do, eh? Here are 3 that I can think of straight away:

  1. If you use try/catch, don't leave the catch not doing anything, especially on large blocks of code.
  2. Don't use Evaluate - 99.5% of the time it's not required.
  3. Don't use dynamic variables, especially when they're set by the URL scope e.g.

    <cfset #url.value# = url.dontdothis> <!--- ?value=application.dsn anyone? --->

Ben
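An added example (not part of Ben's answer) showing the same "variable named by the request" pattern written so that the request can only pick from a fixed set of keys and can only write into a dedicated struct, never into an arbitrary scope such as application. The url fields setting and value, the list of allowed keys and the prefs struct are assumed.

```cfml
<cfparam name="url.setting" default="">
<cfparam name="url.value" default="">

<!--- The only names a request is allowed to set (assumed for the example). --->
<cfset allowedSettings = "theme,pageSize,language">

<!--- Writes land in this struct, so even a permitted name can only ever
      affect prefs.*, not application.dsn or any other scope member. --->
<cfset prefs = structNew()>

<cfif listFindNoCase(allowedSettings, url.setting)>
  <cfset prefs[url.setting] = url.value>
<cfelse>
  <!--- Unknown key: refuse the request rather than evaluating the name. --->
  <cfthrow type="BadRequest" message="Unknown setting name">
</cfif>
```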

Don't store passwords as plain text.

Dave Long
  • business rules sometimes demands us to store them in plain text... what shall one do. – Henry Dec 01 '10 at 19:37
    Henry, store them encrypted (and salted) and then the odd time the plain text password is needed just decrypt it. Helps in case someone accidentally gets a hold of a database dump - they won't be able to clearly see the password. – Greg Stevens Dec 01 '10 at 20:34
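An added example (not part of the answer or the comments above) for the common case where a password only ever needs to be verified, never read back: a per-user random salt plus a one-way hash, rather than the reversible encryption the comment describes. The function names, the users table columns passwordSalt and passwordHash, and the form and session fields are assumed.

```cfml
<cffunction name="makePasswordRecord" access="public" returntype="struct" output="false">
  <cfargument name="password" type="string" required="true">
  <cfset var rec = structNew()>
  <!--- generateSecretKey() returns a random base64 value; used here purely as a
        per-user salt so two users with the same password get different hashes. --->
  <cfset rec.salt = generateSecretKey("AES")>
  <cfset rec.hash = hash(rec.salt & arguments.password, "SHA-512", "UTF-8")>
  <cfreturn rec>
</cffunction>

<cffunction name="checkPassword" access="public" returntype="boolean" output="false">
  <cfargument name="password" type="string" required="true">
  <cfargument name="salt" type="string" required="true">
  <cfargument name="storedHash" type="string" required="true">
  <!--- Recompute with the stored salt; compare() is case-sensitive and returns 0 on a match. --->
  <cfset var candidate = hash(arguments.salt & arguments.password, "SHA-512", "UTF-8")>
  <cfreturn compare(candidate, arguments.storedHash) EQ 0>
</cffunction>

<!--- On registration or password change: persist the salt and hash, never the password. --->
<cfset rec = makePasswordRecord(form.password)>
<cfquery datasource="myDB">
  update users
  set passwordSalt = <cfqueryparam value="#rec.salt#" cfsqltype="CF_SQL_VARCHAR">,
      passwordHash = <cfqueryparam value="#rec.hash#" cfsqltype="CF_SQL_VARCHAR">
  where userID = <cfqueryparam value="#session.userID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
```

At login, read passwordSalt and passwordHash for the submitted username and call checkPassword(form.password, salt, hash); a dump of the users table then exposes no usable passwords.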

I just wrote a new set of coding standards for my company that covers a LOT of this type of thing. I'll post something here and/or on my site later.

Adrian J. Moreno

On Windows servers, leaving the default Client Variables datasource. It will trash your registry.

Yisroel