News by Mark Kruger

Disabling Backslash Escaping in MySQL

16 May 22:31
For Muse readers who read my previous post on SQL injection examples that use character rather than numeric fields, I offer this tip I picked up on CF-Talk from Azadi Saryev. It appears you can disable the ability to escape special characters using the backslash. Here is the exact note from Azadi.

The Dreaded Mismatched Column or Data Type Error Revisited

18 Apr 03:01
This annoying error that occurs when using JDBC and MS SQL has been around for a while. The JDBC system in Coldfusion caches information about the tables you access. If you change a table (add a column for example) the column ids get out of whack and they no longer match the correct column.

Tips on CF Script

25 Mar 03:00
From a reference on an email list I stumbled onto Pete Freitag's cheat sheet for CFSCRIPT and I thought it was worth mentioning. I use Cfscript for any largish block of logic. With the advent of CFCs it has become even more useful. I think the inline commenting is more readable and the syntax translates to other languages with a few modifications.

List Delimiters and Coldfusion Magic

21 Mar 12:56
Here is one of those finicky nuances that might surprise you about Coldfusion. Many languages have list functions or something similar to list functions. In many of these languages there is some version of split or splitf that allows you to specify any string as a delimiter regardless of length. This might lead you to believe that you can use a multi-character string as a delimiter in list functions in Coldfusion.

Scheduled Task Performance

20 Mar 01:16
So you have a template that runs fine when you are loading it into a browser but runs like a water buffalo on Percodan when it's run as a Coldfusion scheduled task? Here's a tip I saw on CF-Talk that serves as a good reminder. Take a look at the debug settings. By default, debugging includes the address 127.0.0.1 (often called the "loopback" or "local" address). Coincidentally this is the very IP address that the Coldfusion Scheduler will report as the calling address (cgi.

Ask-a-muse: Proper Use of Cachedafter

19 Mar 07:43
Muse Reader Asks: I'm trying to use cachedAfter in a query. I have tried cachedAfter="#dateAdd("d", 1, now())# but it doesn't seem to ever cache after a day has passed. What am I doing wrong? cachedwithin seems to work fine. This is one of those obscure tags that gets very little use in the community. I confess to never actually having found a use for it in production. Still, it bears some looking at because it is a clever notion that might come in handy under certain circumstances.

Coldfusion 8's Catch 22 - Web 2.0 Widgets

13 Mar 20:02
Recently a colleague was lamenting the fact that the rich text editor that ships with CF8 seems to load slowly and have a few other problems that are causing consternation for his users. His exact comment was that he wished Adobe would "fix" or "patch" the FCK editor that underpins the rich text editor. I certainly sympathize with his desire to fix the behavior he is experiencing for his users, but I would hasten to point out that the underlying libraries for FCK editor are not from Adobe.

Coldfusion Optimization and the Windows Legacy

10 Mar 10:35
Coldfusion has been navigating the Internet waters in the good ship Java for some time now (6 or 7 years I think). If you are old enough in Internet years to remember Coldfusion 5 you probably know that Coldfusion was originally written for Windows in C++ and ported over to Linux, Solaris and UNIX. These ports were not reputed to be particularly good and Coldfusion was largely considered to be a Windows server application (and probably justifiably so).

Coldfusion and Oracle 8i Performance

9 Mar 14:07
Recently I had the opportunity to work with a server setup that included two load balanced servers running Coldfusion 7 enterprise backstopped by a hefty Enterprise Oracle 8i server. The CF 7 servers were going down repeatedly. The database people blamed the web people who blamed the networking people who blamed the government. No one seemed to make any headway on the issue. I was engaged to get the CF 7 (and 2 CF 8 servers using a separate configuration) stable.

SQL Injection Using a Character Field

23 Feb 08:21
Ok, I admit it. Most of the examples of SQL injection that I give use a numeric field. Why? Because to inject using a character field requires manipulating single quotes. Since Coldfusion escapes single quotes automatically when using the cfquery tag these attacks are much more difficult to pull off. It may surprise you to know that your character fields can still be vulnerable and it is my belief that you should still use CFQueryparam.