• (cs) in reply to Matt
    Matt:
    Russ:
    David C:
    Why use Coldfusion for... well... anything?!

    (spent 1.5 years doing CF development... PAINFUL)

    If you don't have brains, doing any sort of development is painful. CF is the easiest and the best language for web development. Unfortunately, because it's so easy, a lot of dumbasses get into it, and write code like this. If you have half a brain, you can write better, more secure apps in CF multitudes faster than in any other language.

    If someone can show me a language that's dumbass-proof, I'd like to see it. .NET certainly isn't. Java isn't. C++ isn't by a long shot, and as an added bonus you can do a lot more damage with C++.

    APL should be pretty dumbass-proof.

  • (cs) in reply to thogi
    thogi:
    This is a WTF in so many ways. The thing is that ColdFusion does have a perfectly functional built-in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <script language="JavaScript"> alert("You do not have permissions to view this area"); window.open('index.cfm','_self') </script> </cfif>

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <font size=100> You should not be here. Please close this window</font>





    </cfif>

    so much better

  • (cs) in reply to Tatiano
    Tatiano:
    thogi:
    This is a WTF in so many ways. The thing is that ColdFusion does have a perfectly functional built-in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <script language="JavaScript"> alert("You do not have permissions to view this area"); window.open('index.cfm','_self') </script> </cfif>

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <font size=100> You should not be here. Please close this window</font>





    </cfif>

    so much better

    Or, the new and improved tag: <brrrrrr>

  • Sgt. Preston (unregistered) in reply to snoofle
    snoofle:
    Or, the new and improved tag:<brrrrrr>
    I didn't know you could do that!
  • Atli C. (unregistered) in reply to thogi
    thogi:
    This is a WTF in so many ways. The thing is that ColdFusion does have a perfectly functional built-in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <script language="JavaScript"> alert("You do not have permissions to view this area"); window.open('index.cfm','_self') </script> </cfif>

    Actually, if I remember correctly, that will lead to a runtime (or compile?) error when cookie.admin isn't defined. In running

    ...or cookie.admin is not 'yes'
    you are using an undefined variable. You must put the
    cookie.admin is not 'yes'
    part inside the CFIF code block.

    P.S. I hope I never have to look at <CFCODE> again...

  • Vertigo (unregistered)

    I'd like to think that this is just placeholder code for some real security stuff, and they really quickly needed to test the "admin logged in or not?" functions.

    I'd like to.

  • (cs)

    Russ: CF does suck. It lacks all basic and common programming syntactical structure. It complies with no conventions but its own. There is no true relationship between structural components, and it is slower than any other web language. Honestly, the only edge that it has is cheap scalability... but I (personally) would rather have reliability.

  • Russ (unregistered) in reply to Atli C.
    Atli C.:
    thogi:
    This is a WTF in so many ways. The thing is that ColdFusion does have a perfectly functional built-in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <script language="JavaScript"> alert("You do not have permissions to view this area"); window.open('index.cfm','_self') </script> </cfif>

    Actually, if I remember correctly, that will lead to a runtime (or compile?) error when cookie.admin isn't defined. In running

    ...or cookie.admin is not 'yes'
    you are using an undefined variable. You must put the
    cookie.admin is not 'yes'
    part inside the CFIF code block.

    P.S. I hope I never have to look at <CFCODE> again...

    I hope you never do as well, because either you really don't understand CF, or you haven't used it since before ver 4.0, back when it didn't support short circuit boolean logic. If the cookie value is undefined, the first part of the logic will be true, and there is no need to evaluate the second part of the 'or'. If the first part is false, then the cookie is defined, and we can safely check the value of it.

  • Russ (unregistered) in reply to Mexi-Fry
    Mexi-Fry:
    Russ: CF does suck. It lacks all basic and common programming syntactical structure. It complies with no conventions but its own. There is no true relationship between structural components, and it is slower than any other web language. Honestly, the only edge that it has is cheap scalability... but I (personally) would rather have reliability.

    CF was designed from the ground up to be a web programming language, unlike 90% of so-called languages you refer to. This is why it's designed with tags, and you don't have to do any funky string concatenation all over the place.

    While CF might not be exactly like Java or C++, I'm not sure what you think it's missing. Personally, I wouldn't use Java or C++ for web development. For that matter, I probably wouldn't use ASP, .NET or PHP either, but that's more a matter of personal preference.

    CF is both easy to use and powerful, and you can jump and code almost straight java when you need it using cfscript, or you can write your code in java and just call it from CF. Either way, all the code gets compiled to java before it gets run by the server.

  • Russ (unregistered) in reply to That's Me!
    That's Me!:
    Russ:
    I hope you were being sarcastic. The CF code is half the size, a lot easier to read, and the ASP code is wide open for people to forget to close things, and release object memory leading to bugs and memory leaks.

    I was. But to be fair to ASP in VBScript, the ASP code doesn't require a System DSN to be set up (+1), doesn't technically need the Dim statements or the final *.Close or Set statements (it's just good practice), and could be done in 5 lines if you only wanted to return the first record in the db and didn't mind an ugly error if there weren't any records :)

    Set objConn = Server.CreateObject("ADODB.Connection")
    Set objRecordset = Server.CreateObject("ADODB.Recordset")
    
    objConn.Open "Provider=sqloledb;Server=HappyServerName;Database=HappyDB;User Id=HappyUser;Password=HappyPeople"
    objRecordset.Open "Select userID, userName From users", objConn, 2, 1
    
      Response.Write("
    

    And it's not about a half-dozen lines of code. The point is that CF does what ASP does in half the code, and probably less than half the time (Did you really memorize all the commands you used to write all that code, or did you have to look some stuff up?). If you're a developer getting paid by the hour, then maybe it's good for you to spend 2x the amount doing the same thing in ASP than you would in CF. I prefer to just double my rate and do the work in half the time.

    That's Me!:
    To respond to the original WTF, my personal opinion would be that an include to handle security (and other common features/functions) would be how I'd go (though I have no CF experience so maybe there's a better way in CF?) so that in itself wouldn't be a harbinger of the evil to come (quite the opposite in my books). But certainly security by inverse-authority is odd (i.e. everyone's a 'yes' unless they're specifically a 'no') if not just plain stupid. That it's implemented in client-side JavaScript is... baffling.

    If the OP is reading these (or to others with an opinion), what would be the most elegant way to include an admin file (and again, not knowing CF, I'm assuming that ../../include_admin_security.cfm is outside of the webroot)?

    Admin area security should be checked in application.cfm/cfc file. This way you can do the check for every page run in that directory without having to remember to include the security file. Personally, I would put a function in a CFC somewhere, and call that function to check whether the user is authorized. Includes are kind of 1999, if you know what I mean.

  • (cs) in reply to Vechni
    Vechni:
    WTF? This depends whether or not this app is run on intranet... if it is run on intranet then it is highly unlikely that a non IT employee would have the wits to do this-- and if so I'd be F**king happy, at least they won't need help with their printer. Also, grounds for dismissal.

    deployed on internet- then yeah, WTF.

    You would dismiss someone for accessing a web application with Javascript disabled?

    True, you usually have some trust with the people who can access intranet applications. However, data that is stored there is often very sensitive (employee personal information, customer information, trade secrets, etc) or subject to regulations (such as HIPAA), so you still can't simply disregard taking reasonable security measures.

  • Russ (unregistered)

    This is what the code should look like:

    file: security.cfc

    <cfcomponent name="security">
        <cffunction name="isAdmin" returnType="boolean">
            <cftry>
                <cfreturn session.isAdmin>
                <cfcatch type="Any">
                    <cfreturn false>
                </cfcatch>
            </cftry>
        </cffunction>
    </cfcomponent>

    file: application.cfm in the admin folder.

    <cfapplication name="myApp" sessionManagement="true">

    <!--- Cache the cfc in application scope --->
    <cfif not StructKeyExists(application,"cfcSecurity")>
        <cfobject name="application.cfcSecurity" component="someMappingOutsideWebRootPointingToCFCFolder.security">
    </cfif>

    <cfif not application.cfcSecurity.isAdmin()>
        <cfif ListLast(cgi.script_name,"/") neq "login.cfm" and ListLast(cgi.script_name,"/") neq "actLogin.cfm">
            <cflocation url="login.cfm" addtoken="false">
        </cfif>
    </cfif>
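
The difference between the `cookie.admin` check quoted earlier in the thread and the session-based gate in the comment above, as an added Python example that is not part of the thread. The in-memory session store, the `sid` cookie name and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: opaque session id -> attributes.
# Assumption: a real deployment uses the platform's own session management
# (sessionManagement="true" in the comment above) instead of this dict.
SESSIONS = {}

# Pages reachable without an admin session, as in the application.cfm above.
PUBLIC_PAGES = {"login.cfm", "actLogin.cfm"}


def login(username, is_admin):
    """Create a session after a successful login; the browser only gets the id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "is_admin": bool(is_admin)}
    return sid


def cookie_flag_is_admin(cookie_header):
    """Weak pattern from the thread: the browser asserts its own privilege."""
    cookies = SimpleCookie(cookie_header)
    return "admin" in cookies and cookies["admin"].value == "yes"


def session_is_admin(cookie_header):
    """Default-deny check: privilege comes from server-side state only."""
    cookies = SimpleCookie(cookie_header)
    morsel = cookies.get("sid")
    if morsel is None:
        return False
    session = SESSIONS.get(morsel.value)
    return session is not None and session.get("is_admin") is True


def handle_admin_request(path, cookie_header):
    """Gate every page in the admin folder before any content is produced.

    Returns (status, headers, body). On failure the body is empty: nothing
    protected is sent, so the outcome does not depend on the browser running
    any script.
    """
    page = path.rsplit("/", 1)[-1]
    if page not in PUBLIC_PAGES and not session_is_admin(cookie_header):
        return 302, {"Location": "login.cfm"}, ""
    return 200, {}, "protected page body"


if __name__ == "__main__":
    admin_sid = login("alice", True)
    for header in ("admin=yes", "sid=unknown; admin=yes", "sid=" + admin_sid):
        print(cookie_flag_is_admin(header),
              session_is_admin(header),
              handle_admin_request("/admin/users.cfm", header)[0])
```

A cookie value is whatever the client sends, so only the lookup in server-held state says anything about who is logged in.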

  • Gary (unregistered) in reply to Mexi-Fry
    Mexi-Fry:
    Russ: CF does suck. It lacks all basic and common programming syntactical structure. It complies with no conventions but its own. There is no true relationship between structural components, and it is slower than any other web language. Honestly, the only edge that it has is cheap scalability... but I (personally) would rather have reliability.

    That's like comparing a rotary engine with a combustion engine and concluding that a rotary engine can't be any good because it doesn't use conventional pistons and cylinders. Not everything has to work the same way in order to be good! It's really nice to come at things from a different angle or "outside the box". (Ugh)

    There are many ways to achieve the same results and none of them have to follow the same expectations and methodology. I embrace that choice and freedom. I prefer to spend my time concentrating on implementing good functionality, features, security, and a great user experience instead of thinking constantly of how to program and wasting time typing out THREE times as much code. (The VB example we saw earlier has 537 chars and the CF equivalent had 177.)

    I don't understand why you suggested that ColdFusion was unreliable. Any platform is "unreliable" if it's programmed incorrectly. I'm sure my first C# apps would be fairly unreliable. I've had ColdFusion based apps running for years without any reliability problems. So long as you don't employ people like the programmer this WTF is about then you will be okay! ;-)

  • htg (unregistered) in reply to Russ
    Russ:

    I mean what's more elegant and simple than:

    <cfquery name="users" datasource="mydsn"> select userID, userName from users </cfquery> <cfoutput query="users"> #userName#
    </cfoutput>

    VOMIT.

    So you're getting a list of users from the database, then doing what? You have a list, and you're printing one entry? Or does cfoutput automatically loop through the list?

    Used to be that you'd write two lines, no XML required, e.g.:

    User u = UserDAO.getUser(username); out.println("<a href="/user.cfm?id=" + u.getID() + "">" + u.getName() + "
    ");

    for what I think you meant to do (you missed out the WHERE clause on your database code). You'd also have a check for null, a bit more code, but at least you're in control.

  • Russ (unregistered) in reply to htg
    htg:
    Russ:

    I mean what's more elegant and simple than:

    <cfquery name="users" datasource="mydsn"> select userID, userName from users </cfquery> <cfoutput query="users"> #userName#
    </cfoutput>

    VOMIT.

    So you're getting a list of users from the database, then doing what? You have a list, and you're printing one entry? Or does cfoutput automatically loop through the list?

    Used to be that you'd write two lines, no XML required, e.g.:

    User u = UserDAO.getUser(username); out.println("<a href="/user.cfm?id=" + u.getID() + "">" + u.getName() + "
    ");

    for what I think you meant to do (you missed out the WHERE clause on your database code). You'd also have a check for null, a bit more code, but at least you're in control.

    Well obviously, you don't understand ColdFusion. Perhaps you should read up on the docs before you make comments about things you don't know. It is obvious to everyone here that my code:

    Retrieves all the userid, username pairs from the users table. I meant to leave off the where clause.

    <cfoutput> automatically loops through every row in the query. I am outputting a list of users from the database, one per line, and outputting a link to the user detail page.

    Not only is your code solving totally the wrong problem, it's also missing a crucial part of the problem... the actual DAO that you're using (which is probably at least 30 lines).

    CF has frameworks that you can use that generate the DAO's for you as well. I'm just showing what the simplest example is, and asking people to show it done better in a different language.

    Also there is no need to check for null in CF. If there are no records returned, the cfoutput doesn't run. If any of the values are null, they get converted to empty strings and no errors get thrown.

    CF Rocks!!!1five

  • (cs)

    Wow Russ, really jumping in to defend CF. I respect anyone who can stand behind what they say and take the abuse :). For that I give you props.

    CF is good for those who are developing a family website, or can't afford a developer to build their store website. Under those unique circumstances, CF is exceptional because it requires no real knowledge and it sort of levels the playing field for some types of applications.

    Industrially speaking however, the industry is moving toward web-based interfaces for highly complex applications with more advanced business rules. You cannot mix business rules with CF and expect a functional project... I saw them try at the Department of Energy, and it ended badly for them.

    To conclude this, my argument is based on industrial needs which I feel is applicable in this sense. The insufficient convention and structure play a key role in my previous comment primarily because this single fail-point makes Cold Fusion a poor choice for any company that can afford developers with knowledge extending into authentic programming languages.

    To counter your point about JAVA, under those circumstances CF becomes simply a presentation format. Under those unique circumstances it is decent... but not good or great.

    As far as concatenating strings... that process gets done one way or the other. I don't typically require string concatenation in my source code to produce output, nor any other general tasks.

    To respond to the point of comparing a rotary engine to an internal combustion engine, I would argue that the purpose for our engine had already been previously established and therefore I was making a valid comparison.

  • Russ (unregistered) in reply to Mexi-Fry
    Mexi-Fry:
    Wow Russ, really jumping in to defend CF. I respect anyone who can stand behind what they say and take the abuse :). For that I give you props.

    CF is good for those who are developing a family website, or can't afford a developer to build their store website. Under those unique circumstances, CF is exceptional because it requires no real knowledge and it sort of levels the playing field for some types of applications.

    Industrially speaking however, the industry is moving toward web-based interfaces for highly complex applications with more advanced business rules. You cannot mix business rules with CF and expect a functional project... I saw them try at the Department of Energy, and it ended badly for them.

    To conclude this, my argument is based on industrial needs which I feel is applicable in this sense. The insufficient convention and structure play a key role in my previous comment primarily because this single fail-point makes Cold Fusion a poor choice for any company that can afford developers with knowledge extending into authentic programming languages.

    To counter your point about JAVA, under those circumstances CF becomes simply a presentation format. Under those unique circumstances it is decent... but not good or great.

    As far as concatenating strings... that process gets done one way or the other. I don't typically require string concatenation in my source code to produce output, nor any other general tasks.

    To respond to the point of comparing a rotary engine to an internal combustion engine, I would argue that the purpose for our engine had already been previously established and therefore I was making a valid comparison.

    First of all, again, it's ColdFusion, not Cold Fusion.

    Second of all, again, what is it that you think CF is missing? I use it to build large apps that run on server farms. Don't forget that MySpace has started out (and I believe a large part of it still is) in ColdFusion. The fact that most of their developers have no idea how to code properly notwithstanding, they were able to build one of the largest sites on the internet in CF and sell it for a lot of money.

    So, like I said, what is it that you think CF is missing?

  • OldFusion (unregistered)

    I have been developing stuff in CF for almost a decade. I can't think of anything I have conceivably ever wanted to do in CF that hasn't been possible, either directly or extending via Java (C++ CFX in the past).

    I think it's one of the most concise and powerful toolsets for building applications, delivering more functionality faster (and with higher quality in right hands) than any of LAMP/Claaaaghhhssic ASP/.NET/(and definitely) J2EE.

    But I would never recommend using CF to build new applications, for a number of reasons:

    • It's a dying skill. Too difficult to get good developers at reasonable cost. Especially amongst non-idiots. And no-one wants to learn it. And fewer people will want to maintain it in a couple of years' time.

    • Too dependent on whims of Adobe. While there are multiple strong implementations of most of CF's competitors, Adobe are quite stupid enough to kill CF without warning, and BlueDragon is not an adequate replacement for any modern CF apps. In this case, proprietary = scary.

    • Too different and strange as a language. The various CF OO frameworks are a good thing, but they end up throwing out most of the benefits that CF has as a language, and instead try to create overly complex simulacrum of "real" OO constructs.

    • If you are trying to be thrifty, CF is quite spendy to scale-up to reasonable levels.

    • And if you are trying to be enterprisey, CF is significantly more spendiness on top of your already spendy WAS licenses. You might save in dev costs, but it makes a difficult case to convince budget holders compared to an alternative which probably costs effectively "nothing."

    • Adobe are not brilliant at supporting the product, as they are not well set-up to support enterprises on server-side stuff. When you come across CF defects that may only show in complex, high-volume implementations, they tend to throw-up their hands.

    • Unfashionable and (even though it's J2EE-ish) doesn't fit in with standards in most organizations.

    The real WTF is probably that there really isn't a good replacement for CF that uses less ugly linguistic constructs, is open source, and delivers similar degrees of efficiency.

  • Simetrical (unregistered) in reply to Russ
    Russ:
    I mean what's more elegant and simple than: <cfquery name="users" datasource="mydsn"> select userID, userName from users </cfquery> <cfoutput query="users"> #userName#
    </cfoutput>
    Try Python:

    cursor.execute( "SELECT userID, userName FROM users" )
    users = cursor.fetchall()

    for (id, name) in users: print """%s
    """ % ( id, cgi.escape(name) )

    I would argue that's at least as elegant. Personally, I find it considerably more so than your sample, for its generality if nothing else.

    I hope, by the way, that CF auto-escapes #userName#, and you didn't simply omit that. If it does escape it, that's definitely one excellent thing in its favor. (Of course, at least one app I know of HTML-escapes things in the database, but I'm not sure if that's a great way to do things.)

  • OldFusion (unregistered) in reply to Simetrical
    Simetrical:
    Try Python:

    cursor.execute( "SELECT userID, userName FROM users" )
    users = cursor.fetchall()

    for (id, name) in users: print """%s
    """ % ( id, cgi.escape(name) )

    Wouldn't the Python equivalent be something more like this (forgive errors, as can't be bothered trying this out) when you include the code needed to setup and close db connection:

    db = whateverdb.connect (dsn = 'foo:bar')
    cursor = db.cursor ()
    
    cursor.execute( "SELECT userID, userName FROM users" )
    users = cursor.fetchall()
    
    for (id, name) in users:
        print """%s
    """ % ( id, cgi.escape(name) )
    cursor.close ()
    db.close ()

    This assumes no proper exception handling in either CF or Python.

    CF doesn't automatically escape HTML entities, that would be:

    <cfoutput query="users"> 
    #HTMLEditFormat(userName)#
    </cfoutput>

    Although, I'd hope you were sanitizing input before it's written to the DB anyway.

  • No Fusion (unregistered) in reply to Russ
    Russ:
    First of all, again, it's ColdFusion, not Cold Fusion.

    So, like I said, what is it that you think CF is missing?

    Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion. Cold Fusion.

    Russ's head just exploded.

  • Chris Lively (unregistered) in reply to OldFusion

    I would like to add that one of the big drawbacks to scripting languages like ColdFusion (and Classic ASP, PHP, etc) is the default configuration is to litter your presentation layer with business code.

    This is probably why these languages are so easy to get into and definitely why they are so easy to abuse. Within these languages if you want to code things the "proper" way, you really have to work at it. Why would I want to fight that?

    .Net fixed a lot of this with code behind. Also, with the various add on frameworks like Enterprise Library, building apps is becoming dead simple.

  • (cs) in reply to OldFusion
    OldFusion:
    Wouldn't the Python equivalent be something more like this (forgive errors, as can't be bothered trying this out) when you include the code needed to setup and close db connection:
    That's only done once per connection, and will probably be buried in an include file, so I don't think it's very relevant. Even if you consider it relevant, I assume that some sort of line is required in ColdFusion as well to specify the user, database, database type, password, etc., which was omitted from the sample, so fair's fair.

    As for closing, I'm not aware of any reason to close the connection explicitly, since it will be done implicitly when the script ends, just as (I assume) with the ColdFusion snippet. My code stands, and IMO it's definitely at least as elegant as the CF code.

    OldFusion:
    Although, I'd hope you were sanitizing input before it's written to the DB anyway.
    Well, you can certainly argue that it's better to forget to unescape than to forget to escape, yes. Either way, it's a handful of characters' change in the code, in either language, and not of particular relevance to the question of elegance.
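
The escaping question raised in the last few comments (encode when rendering, as with `HTMLEditFormat`, or escape before the value is stored), worked through as an added Python example that is not any commenter's code. The rows are constructed, the link shape `/user.cfm?id=` is assumed from the snippets above, and `html.escape` stands in for the removed `cgi.escape`.

```python
import html
import sqlite3

# Constructed sample rows: the second name holds characters that are
# legitimate data but special in HTML, the third holds markup.
SAMPLE_USERS = [
    (1, "alice"),
    (2, "O'Brien & Sons"),
    (3, "<script>alert(1)</script>"),
]


def make_db(rows, escape_on_write=False):
    """Load rows into an in-memory table, optionally HTML-escaping before storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID INTEGER PRIMARY KEY, userName TEXT)")
    for user_id, name in rows:
        stored = html.escape(name) if escape_on_write else name
        # Bound parameters keep the value out of the SQL text.
        conn.execute("INSERT INTO users (userID, userName) VALUES (?, ?)",
                     (user_id, stored))
    return conn


def render_user_links(conn, escape_on_output=True):
    """Build the one-link-per-user list, encoding for HTML at render time."""
    lines = []
    query = "SELECT userID, userName FROM users ORDER BY userID"
    for user_id, name in conn.execute(query):
        shown = html.escape(name) if escape_on_output else name
        lines.append('<a href="/user.cfm?id=%d">%s</a><br>' % (user_id, shown))
    return "\n".join(lines)


def export_names(conn):
    """A non-HTML consumer of the same column (CSV export, e-mail, API)."""
    query = "SELECT userName FROM users ORDER BY userID"
    return [name for (name,) in conn.execute(query)]


if __name__ == "__main__":
    raw = make_db(SAMPLE_USERS)
    pre = make_db(SAMPLE_USERS, escape_on_write=True)
    print(render_user_links(raw))                          # encoded once
    print(render_user_links(raw, escape_on_output=False))  # markup reaches the page
    print(render_user_links(pre))                          # encoded twice
    print(export_names(pre))                               # entities leak into non-HTML output
```

Stored raw and encoded at output, every consumer gets correct data; escaped at write time, the HTML view is only safe if no code path ever inserts a row unescaped, and every non-HTML consumer sees entities.
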
  • Will (unregistered) in reply to Chris Lively
    Chris Lively:
    I would like to add that one of the big drawbacks to scripting languages like ColdFusion (and Classic ASP, PHP, etc) is the default configuration is to litter your presentation layer with business code.

    This is probably why these languages are so easy to get into and definitely why they are so easy to abuse. Within these languages if you want to code things the "proper" way, you really have to work at it. Why would I want to fight that?

    .Net fixed a lot of this with code behind. Also, with the various add on frameworks like Enterprise Library, building apps is becoming dead simple.

    There are CF frameworks that are designed to work with code behind type approach, Fusebox being just one. They do require additional skills but as with all things once known are not a fight.
    The real big advantage that .net has over CF in having to fight the language is with master sheets; even with the various frameworks in CF they suck at doing master sheets type stuff. Not that .Net is that good, just try to setup designs with different css sheets for multiple media types.

  • Will (unregistered) in reply to Carnildo
    Carnildo:
    Matt:

    If someone can show me a language that's dumbass-proof, I'd like to see it. .NET certainly isn't. Java isn't. C++ isn't by a long shot, and as an added bonus you can do a lot more damage with C++.

    APL should be pretty dumbass-proof.

    There is always Microfocus Fortran for the Web.

  • Matt Burgess (unregistered)

    Beautiful points, OldFusion

    I started my development career in PHP, and moved to ColdFusion for a job. I documented my progress and opinion in a now-defunct blog at phptocoldfusion.com. It's still there I just haven't updated it.

    I worked there for about a year, switching between CF and PHP for projects as needed, and since came to work at a new PHP place.

    In my opinion: CF is a long way behind PHP. I'll not speak of ASP, etc, because I don't know.

    Everyone seems to be keen to show their "how to" for their language of choice, so here's mine.

    $result = mysql_query('select * from users');
    while($row = mysql_fetch_assoc($result))
        $array[$row['user_id']] = $row['user_name'];

    foreach($array as $id => $data){
        print $id.' is '.$data.'
    ';
    }

    Apologies, I've forgotten the exact task. But something like that.

    The point has to be made, though, that this is a really crap thing to do. Anyone putting inline SQL these days needs to have a really serious think about what they're doing.

    Terseness is not the only (or best) judge of quality, and what language CAN'T get stuff out of a db and display it?

    I'm not going to say PHP is perfect (and I can give you the list of its flaws right now) but in many many ways it's better than CF.

    Overall:

    CF's implementation is one that has an interesting basis: It's intended to be easy for non-programmers to develop applications. I just want to say for the record... non-programmers should NOT be developing applications. The "non developeriness" of CF is an inherent flaw. It breaks with many conventions of C-derived languages, adding a whole new level of learning to be required. Conventions like == and != are ignored, and these most basic understandings from Perl to Javascript require yet more learning. Things like arrays starting at 1 (instead of 0) are another good example.

    The Tag syntax is another flaw. "It's easier!" say CF developers. "No. It's wrong." says everyone else. By making the commands "tags" you're deliberately mixing presentation and application code. The very suggestion that they should be "compatible" in any way suggests major flaws in overall thinking.

    CF is proud of its complex data types, but in many ways those themselves are flawed. <cfquery> is not a query. It's a RESULT from an SQL query, and is the sort of poor and slack terminology that shows how little care is taken for good process. While on the subject of the datatypes, CF has four data types for what in PHP is just an array. Structs, queries, arrays and lists. While the list is relatively neat, skipping the step of exploding in PHP, the rest are completely incompatible. They're quite difficult to make manually, requiring many more steps than the equivalent in PHP. (13 compared to 3 in something I had to do recently.)

    As a last point, CF is very light on functionality in some areas. In regard to display especially, the thing it should be best at.

    PHP:

    You have <?=$num?> item<?=($num==1?'':'s')?> in your shopping cart.

    Today is the <?=(date('jS \of F, Y'))?>[2nd of September, 2007].

    Try recreating that in CF. It's remarkably difficult.

    There are also a number of basic methods and operators missing in CF, including things like ucwords ('big title words' to 'Big Title Words') and ++ increment operators. += or .= or &= or something would also be handy for a concat operator.

    Anyway, I'm supposed to be working, but I agree with everything OldFusion said. In my last company that was a CF dev studio every new position we filled had to be filled by someone from another language, and then trained into CF. Not a good sign.

  • Matt Burgess (unregistered)

    Oh, and I forgot to mention the terrible implementation of what might be referred to as "OOP".

  • (cs) in reply to Adam Hupp
    Adam Hupp:
    This one's even better:
    <INPUT TYPE="hidden" NAME="list_admin" VALUE="F">

    It does exactly what you think it does. Even worse, this was software that was internet-accessible.

    http://seclists.org/bugtraq/2000/Aug/0200.html

    Back in the day, many shopping carts had a hidden field with the amount the user needs to pay. Adjust that to zero and that's exactly what your credit card was charged.
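The hidden-field pricing problem described above comes down to the server charging whatever number the browser sends back. As an added example (not code from the thread; the catalogue, SKUs and form field names are constructed), a CFML checkout page that derives the charge from server-side data only:

```cfml
<!--- checkout.cfm: added example. The catalogue, SKUs and form field
      names are constructed for illustration. --->

<!--- Server-side price list in cents. In a real shop this comes from the
      database; the point is that it never comes from the browser. --->
<cfset catalogue = structNew()>
<cfset catalogue["SKU-1001"] = 1999>
<cfset catalogue["SKU-1002"] = 4500>

<!--- The form may still carry <input type="hidden" name="amount">,
      but nothing below reads form.amount. --->
<cfparam name="form.sku" default="">
<cfparam name="form.qty" default="">

<!--- Reject unknown products and implausible quantities outright. --->
<cfif len(form.sku) eq 0
      or not structKeyExists(catalogue, form.sku)
      or not isValid("integer", form.qty)
      or form.qty lt 1
      or form.qty gt 100>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid order.</cfoutput>
    <cfabort>
</cfif>

<!--- The charge is derived only from trusted data plus a validated quantity. --->
<cfset totalCents = catalogue[form.sku] * form.qty>

<cfoutput>Amount to charge: #numberFormat(totalCents / 100, "0.00")#</cfoutput>
```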

  • Kuba Ober (unregistered) in reply to Russ
    Russ:
    Mexi-Fry:
    Russ: CF does suck. It lacks all basic and common programming syntactical structure. It complies with no conventions but its own. There is no true relationship between structural components, and it is slower than any other web language. Honestly, the only edge that it has is cheap scalability... but I (personally) would rather have reliability.

    [...]

    CF is both easy to use and powerful, and you can jump and code almost straight java when you need it using cfscript, or you can write your code in java and just call it from CF. Either way, all the code gets compiled to java before it gets run by the server.

    In other words, they just wrote a half-assed implementation of a half of LISP ;)

    Cheers!

  • Russ (unregistered) in reply to Matt Burgess
    Matt Burgess:
    Everyone seems to be keen to show their "how to" for their language of choice, so here's mine.

    $result = mysql_query('select * from users');
    while($row = mysql_fetch_assoc($result)) $array[$row['user_id']] = $row['user_name'];

    foreach($array as $id => $data){ print $id.' is '.$data.'
    '; }

    Apologies, I've forgotten the exact task. But something like that.

    The point has to be made, though, that this is a really crap thing to do. Anyone putting inline SQL these days needs to have a really serious think about what they're doing.

    Terseness is not the only (or best) judge of quality, and what language CAN'T get stuff out of a db and display it?

    I still say this code is ugly. CF code is beautiful. It's very simple and elegant. I mean seriously... mysql_fetch_assoc? foreach($array as $id => $data)? If I wanted to have my code look like that, I'd stick with building cgi apps in perl.

    Matt Burgess:
    I'm not going to say PHP is perfect (and I can give you the list of its flaws right now) but in many many ways it's better than CF.

    Overall:

    CF's implementation is one that has an interesting basis: It's intended to be easy for non-programmers to develop applications. I just want to say for the record... non-programmers should NOT be developing applications. The "non developeriness" of CF is an inherent flaw. It breaks with many conventions of C-derived languages, adding a whole new level of learning to be required. Conventions like == and != are ignored, and these most basic understandings from Perl to Javascript require yet more learning. Things like arrays starting at 1 (instead of 0) are another good example.

    The Tag syntax is another flaw. "It's easier!" say CF developers. "No. It's wrong." says everyone else. By making the commands "tags" you're deliberately mixing presentation and application code. The very suggestion that they should be "compatible" in any way suggests major flaws in overall thinking.

    CF is proud of its complex data types, but in many ways those themselves are flawed. <cfquery> is not a query. It's a RESULT from an SQL query, and is the sort of poor and slack terminology that shows how little care is taken for good process. While on the subject of the datatypes, CF has four data types for what in PHP is just an array. Structs, queries, arrays and lists. While the list is relatively neat, skipping the step of exploding in PHP, the rest are completely incompatible. They're quite difficult to make manually, requiring many more steps than the equivalent in PHP. (13 compared to 3 in something I had to do recently.)

    As a last point, CF is very light on functionality in some areas. In regard to display especially, the thing it should be best at.

    PHP:

    You have <?=$num?> item<?=($num!=1?'s':'')?> in your shopping cart.

    Today is the <?=(date('jS \of F, Y'))?>[2nd of September, 2007].

    Try recreating that in CF. It's remarkably difficult.

    The tag syntax lets you put in code within your html without having it look like ugly PHP or ASP code. I mean if you want ugly code, there's always cfscript... But most of the time we try to keep out business logic from display pages and just use them for display...

    You have #num# item<cfif num neq 1>s</cfif> in your shopping cart.

    Looks like cf's version is actually a character less...

    <cfset suffixes="th,st,nd,rd,th,th,th,th,th,th">
    Today is the #Day(Now())##ListGetAt(suffixes,Day(Now()) mod 10+1)# #DateFormat(Now(),"mmmm, yyyy")# [2nd of September, 2007].

    Ok, so this is twice as long as php, but only because CF doesn't have a built in function to format the date like that. If you wanted something normal though, such as this

    Today is #DateFormat(Now(),"full")# [Thursday, September 20, 2007]

    How long would that take in php?

    Matt Burgess:
    There are also a number of basic methods and operators missing in CF, including things like ucwords ('big title words' to 'Big Title Words') and ++ increment operators. += or .= or &= or something would also be handy for a concat operator.

    Anyway, I'm supposed to be working, but I agree with everything OldFusion said. In my last company that was a CF dev studio every new position we filled had to be filled by someone from another language, and then trained into CF. Not a good sign.

    I believe CF8 is introducing things like ++, and as far as ucwords, even though I think that's better done in css, there are UDF's (User Defined Functions) available on cflib to do things like this, so it's not really an issue.

    While I agree that it's hard to find good CF developers, the fact that you can get any good developer and have them pick up CF fairly quickly far makes up for it.

    I think the best thing about CF is the developer community behind it, something that I have not seen with any other language.

  • Russ (unregistered) in reply to Will
    Will:
    Chris Lively:
    I would like to add that one of the big drawbacks to scripting languages like ColdFusion (and Classic ASP, PHP, etc) is the default configuration is to litter your presentation layer with business code.

    This is probably why these languages are so easy to get into and definitely why they are so easy to abuse. Within these languages if you want to code things the "proper" way, you really have to work at it. Why would I want to fight that?

    .Net fixed a lot of this with code behind. Also, with the various add on frameworks like Enterprise Library, building apps is becoming dead simple.

    There are CF frameworks that are designed to work with code behind type approach, Fusebox being just one. They do require additional skills but as with all things once known are not a fight.
    The real big advantage that .net has over CF in having to fight the language is with master sheets; even with the various frameworks in CF they suck at doing master sheets type stuff. Not that .Net is that good, just try to setup designs with different css sheets for multiple media types.

    I'm not quite sure what you mean by master sheets, but I think CFWheels might do what you're looking for.
  • Russ (unregistered) in reply to Matt Burgess
    Matt Burgess:
    Oh, and I forgot to mention the terrible implementation of what might be referred to as "OOP".

    I wouldn't say terrible. It's a bit odd, but I guess they implemented what they thought was needed. They don't want to turn the language into straight java now. What exactly is so terrible about it?

  • Russ (unregistered) in reply to Chris Lively
    Chris Lively:
    I would like to add that one of the big drawbacks to scripting languages like ColdFusion (and Classic ASP, PHP, etc) is the default configuration is to litter your presentation layer with business code.

    This is probably why these languages are so easy to get into and definitely why they are so easy to abuse. Within these languages if you want to code things the "proper" way, you really have to work at it. Why would I want to fight that?

    .Net fixed a lot of this with code behind. Also, with the various add on frameworks like Enterprise Library, building apps is becoming dead simple.

    Although it does lead to a lot of people mixing presentation logic with business logic, at least they're being productive. I wouldn't say it's terribly difficult to put your business logic elsewhere. Just use any of the frameworks and you're forced to put business logic into a different place.

    Although I don't really know what code behind is, if you say it's the best thing since sliced bread, I believe you. It still doesn't fix the fact that other languages let you mix presentation logic with business logic as well.

  • Marak (unregistered)

    Russ is seriously an expert, I wouldn't question his authority.

    I've seen him create an entire content management system using nothing but a screwdriver, a roll of duct tape and an avocado.

  • Russ (unregistered) in reply to OldFusion
    OldFusion:
    I have been developing stuff in CF for almost a decade. I can't think anything I have conceivably ever wanted to do in CF that hasn't been possible, either directly or extending via Java (C++ CFX in the past).

    I think it's one of the most concise and powerful toolsets for building applications, delivering more functionality faster (and with higher quality in right hands) than any of LAMP/Claaaaghhhssic ASP/.NET/(and definitely) J2EE.

    But I would never recommend using CF to build new applications, for a number of reasons:

    OldFusion:
    * It's a dying skill. Too difficult to get good developers at reasonable cost. Especially amongst non-idiots. And no-one wants to learn it. And fewer people will want to maintain it in a couple of years time.
    While good developers are hard to find, it's not that hard to train a good developer in CF. I picked it up in about 3 months time. Adobe is really supporting it and the language is really having a rebirth. I can't even keep up with the traffic on CF-Talk anymore.
    OldFusion:
    * Too dependent on whims of Adobe. While there are multiple strong implementations of most of CF's competitors, Adobe are quite stupid enough to kill CF without warning, and BlueDragon is not an adequate replacement for any modern CF apps. In this case, proprietary = scary.
    Adobe is not going to kill CF. They have nothing to replace it with, and it's a great moneymaker for them. Not to mention that it integrates well with a lot of their other software.

    Even if they were stupid enough to kill CF, there are at least 3 different competing implementations now, and the community is not going to let those die off.

    CF will live forever.

    OldFusion:
    * Too different and strange as a language. The various CF OO frameworks are a good thing, but they end up throwing out most of the benefits that CF has as a language, and instead try to create overly complex simulacrum of "real" OO constructs.

    While CF is a little different than other languages, perhaps it's the differences that make it better?

    OldFusion:
    * If you are trying to be thrifty, CF is quite spendy to scale-up to reasonable levels.
    $1200 per server for the standard edition is not that spendy. You're paying more for the windows license itself if you're running .NET. CF can run on *nix. Oh, and don't forget the money you have to shell out for Visual Studio. Oh and for the extra developers since it will take you twice the amount of time to do the project in .NET.
    OldFusion:
    * And if you are trying to be enterprisey, CF is significantly more spendiness on top of your already spendy WAS licenses. You might save in dev costs, but it makes a difficult case to convince budget holders compared to an alternative which probably costs effectively "nothing."

    From what I understand, after buying a WAS license, CF's license of $6k per server is a drop in the water. If your company has money for WAS, they won't even flinch at buying CF.

    Of course CF doesn't need WAS to run. It runs perfectly fine on the built in JRUN platform.

    OldFusion:
    * Adobe are not brilliant at supporting the product, as they are not well set-up to support enterprises on server-side stuff. When you come across CF defects that may only show in complex, high-volume implementations, they tend to throw-up their hands.
    I haven't really dealt with Adobe's support, as I've never needed to. Personally, I've never found good support from the vendor, which is why I prefer to use open source stuff. There is much better support from the community.

    With CF, 99% of the time you're going to get your problem solved on CF-Talk.

  • darwin (unregistered) in reply to Russ
    Russ:
    Well obviously, you don't understand ColdFusion. Perhaps you should read up on the docs before you make comments about things you don't know. It is obvious to everyone here that my code:

    I'm starting to dislike ColdFusion just because of your attitude. Of course, the OP wasn't exactly polite either, but how can it be that no-one else gets web development but you?

    ColdFusion may be an excellent webdev platform, but it's certainly not "the best". That depends on the project. My project specs and budgets seldom allow for anything like ColdFusion server. Hence, PHP-based frameworks are better for me.

  • Bosshog (unregistered) in reply to Sgt. Preston
    Sgt. Preston:
    snoofle:
    Or, the new and improved tag:<brrrrrr>
    I didn't know you could do that!
    Brillant!
  • Synonymous Awkward (unregistered) in reply to Bosshog
    Bosshog:
    Sgt. Preston:
    snoofle:
    Or, the new and improved tag:<brrrrrr>
    I didn't know you could do that!
    Brillant!
    Brrrrrrilliant!
  • (cs)

    After reading this entire avalanche of ignorant comments I have reached the conclusion that you are all wrong. There's really only one good language out there and that's BASIC :P

  • d. (unregistered) in reply to seejay
    seejay:
    The application I inherited was written entirely in CF with a SQL database backend. After a week of doing tweaks in the code and stabbing myself in the ear repeatedly with a pen, I pushed my boss to let me rewrite it in ASP.

    Part of me wishes I'd just left it... then I wouldn't have had to see the DB queries that were 400 lines long, consisting of copy/paste sections with one variable changed per section.

    At least it's now a quarter of the size, twice as fast, and doesn't look like a Disney programming language.

    -- Seejay

    A 400 line query is an SQL problem, not a CF problem. A complete rewrite from CF to ASP might well have made it twice as fast, but that'll probably be down to having fixed your queries and nothing else.

  • Thornton Reed (unregistered) in reply to Licky Lindsay

    Oh it be so!

    captcha = alarm. ALARM! ALARM!

  • Cloak (unregistered) in reply to thogi
    thogi:
    This is a WTF in so many ways. The thing is that ColdFusion does have a perfectly functional built in security model. The real kicker for me though is that even if you're going with an idiotic security method, the code should've been much shorter

    <cfif Not IsDefined('cookie.admin') or cookie.admin is not 'yes'> <script language="JavaScript"> alert("You do not have permissions to view this area"); window.open('index.cfm','_self') </script> </cfif>

    Why not use <CFLOCATE> instead of JS?

  • Matt (unregistered) in reply to That's Me!
    That's Me!:

    If the OP is reading these (or to others with an opinion), what would be the most elegant way to include an admin file (and again, not knowing CF, I'm assuming that ../../include_admin_security.cfm is outside of the webroot)?

    This may be answered elsewhere, but I'm too lazy to look.

    In CF, you have a few options for including/reusing code.

    <cfinclude> does just what it sounds like. Variable scopes are shared between the files (may or may not be a good thing) and in most practical ways, the code in the two files can be considered as being in one, with the code in the included file being processed at the point of the <cfinclude> tag in the calling file.

    There's also an optional file called application.cfm. In a nutshell, this file cannot be directly requested by a browser and is automatically included in any requested file in its folder path. Very handy for many different purposes. Security and global settings often go here.

    There's another optional file called application.cfc (note the different file extension). This is more similar to a Java class, and has methods that automatically fire onApplicationStart/End, onSessionStart/End, onRequestStart/End, and onError. Or Exception. It's early, and I forget. Again, uses should be obvious to anyone familiar with web programming.

    Is <cfinclude> an effective solution for including security routines from a shared location? Yes. Is it the best? No. Was this much of a concern to the original developer? Likely not.
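One way to do the check centrally with the Application.cfc hooks described above, as an added example that is not code from the thread. It keeps the admin flag in the server-side session instead of a browser-editable `cookie.admin`, and stops the request on the server instead of relying on JavaScript; the application name, the `/admin/` path prefix and the `session.isAdmin` key are assumptions.

```cfml
<!--- Application.cfc: added example. The application name, the /admin/
      path prefix and the session.isAdmin key are assumptions. --->
<cfcomponent output="false">

    <cfset this.name = "ExampleApp">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Privilege is stored in server memory; the browser only holds
              the session identifier. Every session starts unprivileged and
              only the login page, after verifying credentials, sets this
              to true. --->
        <cfset session.isAdmin = false>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Runs before every requested page, so an admin template cannot
              be reached by forgetting a cfinclude at the top of it. --->
        <cfif findNoCase("/admin/", arguments.targetPage) eq 1>
            <!--- Fail closed: a missing flag counts as "not admin". --->
            <cfif not structKeyExists(session, "isAdmin") or not session.isAdmin>
                <!--- cflocation ends the request on the server, so none of
                      the admin page's output is ever sent. --->
                <cflocation url="/index.cfm" addtoken="false">
            </cfif>
        </cfif>

        <cfreturn true>
    </cffunction>

</cfcomponent>
```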

  • Cloak (unregistered) in reply to Russ
    Russ:
    Mexi-Fry:
    Russ: CF does suck. It lacks all basic and common programming syntactical structure. It complies with no conventions but its own. There is no true relationship between structural components, and it is slower than any other web language. Honestly, the only edge that it has is cheap scalability... but I (personally) would rather have reliability.

    CF was designed from the ground up to be a web programming language, unlike 90% of so called languages you refer to. This is why it's designed with tags, and you don't have to do any funky string concatenation all over the place.

    While CF might not be exactly like Java or C++, I'm not sure what you think it's missing. Personally, I wouldn't use Java or C++ for web development. For that matter, I probably wouldn't use ASP, .NET or PHP either, but that's more a matter of personal preference.

    CF is both easy to use and powerful, and you can jump and code almost straight java when you need it using cfscript, or you can write your code in java and just call it from CF. Either way, all the code gets compiled to java before it gets run by the server.

    ...and you can run it with Apache if someone likes to know. IIS, too, of course

  • Matt (unregistered) in reply to Carnildo
    Carnildo:
    Matt:

    If someone can show me a language that's dumbass-proof, I'd like to see it. .NET certainly isn't. Java isn't. C++ isn't by a long shot, and as an added bonus you can do a lot more damage with C++.

    APL should be pretty dumbass-proof.

    Never used it. That being said, I've never run into a language that could protect an application, or data, from an idiot developer.

  • Matt (unregistered) in reply to Atli C.
    Atli C.:
    Actually, if I remember correctly, that will lead to a runtime (or compile?) error when cookie.admin isn't defined. In running
    ...or cookie.admin is not 'yes'
    you are using an undefined variable. You must put the
    cookie.admin is not 'yes'
    part inside the CFIF code block.

    P.S. I hope I never have to look at <CFCODE> again...

    Hasn't been true for quite awhile. CF does lazy evaluation. If admin.cookie isn't defined, CF won't bother to check if admin.cookie has a value.

    Not defending the practice- in general, if I find myself needing to use IsDefined(), it raises a warning flag that I'm approaching something incorrectly. Just explaining.

  • Matt (unregistered) in reply to Mexi-Fry
    Mexi-Fry:
    Russ: CF does suck. It lacks all basic and common programming syntactical structure. It complies with no conventions but its own. There is no true relationship between structural components, and it is slower than any other web language. Honestly, the only edge that it has is cheap scalability... but I (personally) would rather have reliability.

    Actually, all of those statements are incorrect. Are you a troll, or someone who hasn't used CF since version 4, where most of those statements were true but it still beat the hell out of using asp?

    Or someone who's never used the language, but is going off something read on a MS message board?

  • Matt (unregistered) in reply to Chris Lively
    Chris Lively:
    I would like to add that one of the big drawbacks to scripting languages like ColdFusion (and Classic ASP, PHP, etc) is the default configuration is to litter your presentation layer with business code.

    This is probably why these languages are so easy to get into and definitely why they are so easy to abuse. Within these languages if you want to code things the "proper" way, you really have to work at it. Why would I want to fight that?

    .Net fixed a lot of this with code behind. Also, with the various add on frameworks like Enterprise Library, building apps is becoming dead simple.

    CF also addressed this problem years ago, at about the same time .NET came out. The concept is the same as code-behind, although it isn't called that. Boils down to the same thing, though. I have a back end that is little more than an API that offers functionality, I have a presentation layer that does nothing more than take variables from a "black box"-style construct and display them, and I have a layer that does nothing but marshal data between the two.

  • PhilD (unregistered) in reply to darwin

    Darwin, that's a great post. I am a long time ColdFusion programmer, but what happens with these types of posts is that someone invariably comes up with the "Well, the problem with the code is they used [Insert Programming Language here]" and that turns the comments into a free-for-all to bash the language and other languages. If the circumstances arise that you cannot afford (or pass on to customers) the cost of a server like ColdFusion or development tools like VS, then the OS languages, led by PHP would be the way to go.

    One area I know Adobe is trying to address is the cost of CF-based hosting solutions. It used to be you couldn't get a good one for less than $20/month. Now, you can get reasonable, fully functional (beware, the cheap ones limit functions and tags that can be used) for just under $10/month. The point is everyone should use the tools/development language that helps you deliver your application on-time, on-budget, and can be readily adapted or expanded as further requirements are defined/modified.

  • Matt (unregistered) in reply to Will
    Will:
    The real big advantage that .net has over CF in having to fight the language is with master sheets; even with the various frameworks in CF they suck at doing master sheets type stuff. Not that .Net is that good, just try to setup designs with different css sheets for multiple media types.

    Really? I have not found that to be true. In fact, I find CF's ability to do "mastersheet" style functionality more flexible. Caveat that with the fact that I might have been doing it wrong with .NET, but I don't think so.
