Getting Started with CFML in ColdFusion and Railo

From Hostek.com Wiki

CFML is the programming language used to create applications in ColdFusion and Railo, and it traditionally uses a tag-based syntax to perform tasks. Those who wish to avoid using tags also have the option of programming in the language's script-based alternative, CFScript. Below we'll cover some of the basics you'll need to master to build an application (Web site) using CFML.

Setting Variables

You can create/update variables using the cfset tag:

	<cfset foo = "bar">

In CFScript you just type the variable name and assign it a value:

	<cfscript>
		foo = "bar";
	</cfscript>

Displaying Contents of Variables

If you wish to display a variable on a page (send the variable's contents to the page-output stream), you can either use the CFOutput tag:

	<cfset foo = "bar">
	<cfoutput>#foo#</cfoutput>

Or in CFScript you can make use of the WriteOutput() function. (Railo also provides Echo(), which does the same thing but is not available in Adobe ColdFusion, so WriteOutput() is the portable choice.) Inside a cfscript block there is no cfset: you assign with a plain equals sign and end each statement with a semicolon. Pound signs are only needed inside a string; a variable used in an expression is written by name:

	<cfscript>
		foo = "bar";
		thud = "plug";
 
		WriteOutput("The value of foo is " & foo);
		WriteOutput("The value of thud is #thud#");
	</cfscript>
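Whatever you send to the output stream ends up in the browser unchanged, so a value that came from the request (a URL or form field) must be encoded before it is displayed, or it becomes a cross-site scripting sink. The following is an added example, not code from the original page; the untrusted value is constructed inline to stand in for something like url.name, and encodeForHTML() is assumed to be available (ColdFusion 10+ / Railo 4+):

```cfml
<!--- Added example: output encoding of an untrusted value.
      The string below is constructed to stand in for a request variable. --->
<cfset untrusted = "<script>alert(document.cookie)</script>">

<!--- Unsafe: the markup is written to the page as-is and the browser runs it --->
<cfoutput><p>Hello #untrusted#</p></cfoutput>

<!--- Safe: characters with HTML meaning become entities, so the browser
      shows the text instead of executing it (encodeForHTML: CF10+ / Railo 4+) --->
<cfoutput><p>Hello #encodeForHTML(untrusted)#</p></cfoutput>

<!--- The same rule applies in CFScript --->
<cfscript>
	writeOutput("<p>Hello " & encodeForHTML(untrusted) & "</p>");
</cfscript>
```

Encode at the point of output, for the context you are writing into (encodeForHTML for element content, encodeForHTMLAttribute for attribute values, encodeForJavaScript inside scripts); encoding once on the way in does not cover all three.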

Conditional Statements

The CFIf, CFElseIf, and CFElse tags allow you to create conditional statements for flow-control:

	<cfparam name = "Role" type = "string" default = "Guest">
	<cfparam name = "UserName" type = "string" default = "">
 
	<cfif Role EQ "Author">
		<cfset AllowedToPost = true>
		<cfoutput>Welcome #UserName#! Feel free to add new content.</cfoutput>
	<cfelseif Role EQ "Reader">
		<cfset AllowedToPost = false>
		<cfoutput>Hello #UserName#, glad you're back.</cfoutput>
	<cfelse>
		<cfset AllowedToPost = false>
		<cfoutput>Please log in to read articles or author new posts.</cfoutput>
	</cfif>

In CFScript you would make use of the if and else keywords. Combine them as else if to form the equivalent of CFElseIf:

	<cfscript>
		param name = "Role" type = "string" default = "Guest";
		param name = "UserName" type = "string" default = "";
 
		if (Role EQ "Author")
		{
			AllowedToPost = true;
			writeOutput("Welcome " & UserName & "! Feel free to add new content.");
		}
		else if (Role EQ "Reader")
		{
			AllowedToPost = false;
			writeOutput("Hello " & UserName & "! Enjoy your reading.");
		}
		else
		{
			AllowedToPost = false;
			writeOutput("Please log in to read articles or author new posts.");
		}
	</cfscript>

Note about CFParam: The CFParam tag checks that a variable is defined, validates the value against the given type if it is defined, and lets you supply a default value if the variable is not defined. If the value fails the type check, CFParam throws an error, so a bad request value is stopped before any later code uses it. More info on the tag is available here:
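Because CFParam throws on a value that fails its type check, it doubles as request validation. The following is an added example (not from the original page) showing an integer check and a regular-expression check on URL variables, with the validation error caught and turned into a clean 400 response instead of a stack trace; the parameter names url.customerid and url.username are assumptions, and encodeForHTML() needs ColdFusion 10+ / Railo 4+:

```cfml
<!--- Added example: cfparam as input validation (parameter names are assumed) --->
<cftry>
	<!--- Only an integer is accepted; the default applies when the URL has no value.
	      A request like ?customerid=4123;DELETE fails this check. --->
	<cfparam name="url.customerid" type="integer" default="0">

	<!--- Constrain free text with a regular expression:
	      letters, digits and underscore, 3 to 20 characters --->
	<cfparam name="url.username" type="regex" pattern="^[A-Za-z0-9_]{3,20}$" default="guest">

	<cfoutput>
		Customer #url.customerid#, user #encodeForHTML(url.username)#
	</cfoutput>

	<cfcatch type="any">
		<!--- Validation failed: answer with a 400 and a fixed message,
		      without echoing the rejected value back to the client --->
		<cfheader statuscode="400" statustext="Bad Request">
		<cfoutput>Invalid request parameter.</cfoutput>
		<cfabort>
	</cfcatch>
</cftry>
```

Validating with CFParam does not replace CFQueryParam (covered below): the first rejects malformed input at the edge, the second keeps whatever does get through from being interpreted as SQL.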

Loops

With the CFLoop tag, you can create an index-based loop, a conditional loop, or a loop to iterate over queries, lists, and arrays. For example, this will create a basic loop that prints the numbers 1-10 on new lines:

	<cfloop index = "i" from = "1" to = "10" step = "1">
		<cfoutput>#i#<br></cfoutput>
	</cfloop>

In CFScript the form that runs on every engine is a for loop; the loop keyword with tag-style attributes is a Railo extension and is not accepted by Adobe ColdFusion. The statement(s) to be executed go inside the braces:

	<cfscript>
		for (i = 1; i <= 10; i++)
		{
			writeOutput(i & "<br>");
		}
	</cfscript>
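The other CFLoop forms mentioned above (query, list, array and conditional loops), as an added example that is not part of the original page. The query is built in memory with queryNew() so the page runs without a datasource; encodeForHTML() is assumed to be available (ColdFusion 10+ / Railo 4+):

```cfml
<!--- Added example: the remaining cfloop forms, with constructed data --->
<cfset contacts = queryNew("firstname,lastname,phone", "varchar,varchar,varchar")>
<cfset queryAddRow(contacts)>
<cfset querySetCell(contacts, "firstname", "Ada")>
<cfset querySetCell(contacts, "lastname", "Lovelace")>
<cfset querySetCell(contacts, "phone", "555-0100")>
<cfset queryAddRow(contacts)>
<cfset querySetCell(contacts, "firstname", "Alan")>
<cfset querySetCell(contacts, "lastname", "Turing")>
<cfset querySetCell(contacts, "phone", "555-0101")>

<!--- Query loop: inside the loop each column of the current row is a plain variable.
      Data that came from a database is still untrusted output, so encode it. --->
<cfloop query="contacts">
	<cfoutput>#currentRow#: #encodeForHTML(firstname)# #encodeForHTML(lastname)# (#encodeForHTML(phone)#)<br></cfoutput>
</cfloop>

<!--- List loop over a comma-delimited string --->
<cfloop list="Author,Reader,Guest" index="role">
	<cfoutput>Role: #role#<br></cfoutput>
</cfloop>

<!--- Array loop --->
<cfset ports = [22, 80, 443]>
<cfloop array="#ports#" index="port">
	<cfoutput>Port #port#<br></cfoutput>
</cfloop>

<!--- Conditional loop: repeats while the expression is true --->
<cfset n = 1>
<cfloop condition="n LTE 3">
	<cfoutput>Pass #n#<br></cfoutput>
	<cfset n++>
</cfloop>
```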


Accessing Databases with CFQuery

To interact with databases, first define a ColdFusion datasource (DSN) in your control panel or in your Application.cfc (Railo 4.1+ and CF 11+). Once you have a working datasource, you can use the CFQuery tag to run SQL queries against your database server:

	<cfquery name = "customers" datasource = "MyDSN">
		SELECT firstname, lastname, phone
		FROM contacts
		WHERE customer IS TRUE;
	</cfquery>

In CFScript:

	<cfscript>
		customers = new Query(datasource = "MyDSN", sql = "SELECT firstname, lastname, phone FROM contacts WHERE customer IS TRUE").execute().getResult();
	</cfscript>


Securing Database Queries with CFQueryParam

The standard way to protect dynamic SQL queries in ColdFusion is the CFQueryParam tag. Instead of pasting a ColdFusion variable into the SQL text, the tag sends it to the database as a bound parameter, separate from the statement, and checks it against the declared cfsqltype first. The value can therefore never be parsed as SQL, which is what prevents SQL injection.

For example, this query will select customer data based on a supplied URL variable:

	<cfquery name = "customers" datasource = "MyDSN">
		SELECT firstname, lastname, phone
		FROM contacts
		WHERE customerID = #url.customerid#;
	</cfquery>

However, the variable is concatenated straight into the statement, so an attacker controls part of the SQL. A malicious URL like this: http://mycfsite.com/showCustomers.cfm?customerid=4123%20DELETE%20FROM%20contacts

produces the following SQL, which on a database that accepts a second statement without a separator (SQL Server does) removes every row in the contacts table:

	SELECT firstname, lastname, phone
	FROM contacts
	WHERE customerID = 4123 DELETE FROM contacts;

Other databases need a semicolon between the two statements, and many drivers refuse to run more than one statement per request, but that is no protection: a value such as 4123 OR 1=1 changes the WHERE clause of the single statement and returns every customer.

The fix is to bind #url.customerid# with a CFQueryParam tag. Declaring cf_sql_integer means a value that is not an integer (such as either payload above) is rejected before the query is sent, and an integer that passes can only ever be compared, never executed:

	<cfquery name = "customers" datasource = "MyDSN">
		SELECT firstname, lastname, phone
		FROM contacts
		WHERE customerid = <cfqueryparam value = "#url.customerid#" cfsqltype = "cf_sql_integer">;
	</cfquery>

In CFScript:

	<cfscript>
		customers = new Query(datasource = "MyDSN", sql = "SELECT firstname, lastname, phone FROM contacts WHERE customerid = :customerid");
		// Named placeholder :customerid is bound here, with the same type check as the tag
		customers.addParam(name = "customerid", value = url.customerid, cfsqltype = "cf_sql_integer");
		results = customers.execute().getResult();
	</cfscript>
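A realistic query usually has more than one untrusted input, and not every part of a statement can be bound. The following is an added example, not code from the original page: a search page that binds a string prefix, a list for an IN clause and an integer, and whitelists a sort column, which CFQueryParam cannot bind. The datasource "MyDSN", the contacts table with its firstname, lastname, phone, customerID and region columns, and the url.name, url.regions, url.customerid and url.sort parameters are assumptions; encodeForHTML() needs ColdFusion 10+ / Railo 4+:

```cfml
<!--- Added example: binding every untrusted value in a search query
      (datasource, table, columns and parameter names are assumed) --->
<cfparam name="url.name" type="string" default="">
<cfparam name="url.regions" type="string" default="">
<cfparam name="url.customerid" type="string" default="">
<cfparam name="url.sort" type="string" default="lastname">

<!--- A column name cannot be a bind parameter: map the request value onto a
      fixed set and fall back to a known column for anything else --->
<cfset allowedSort = {lastname = "lastname", phone = "phone"}>
<cfset sortColumn = structKeyExists(allowedSort, url.sort) ? allowedSort[url.sort] : "lastname">

<cfquery name="customers" datasource="MyDSN">
	SELECT firstname, lastname, phone
	FROM contacts
	WHERE 1 = 1
	<!--- Prefix search: the wildcard is part of the bound value, never of the SQL text,
	      so a quote or percent sign typed by the user stays a literal character --->
	<cfif len(trim(url.name))>
		AND lastname LIKE <cfqueryparam value="#url.name#%" cfsqltype="cf_sql_varchar">
	</cfif>
	<!--- list="true" turns "east,west" into one bound placeholder per element --->
	<cfif len(trim(url.regions))>
		AND region IN (<cfqueryparam value="#url.regions#" cfsqltype="cf_sql_varchar" list="true">)
	</cfif>
	<!--- Integer bind: "4123 OR 1=1" fails the type check before reaching the database --->
	<cfif len(trim(url.customerid))>
		AND customerID = <cfqueryparam value="#url.customerid#" cfsqltype="cf_sql_integer">
	</cfif>
	ORDER BY #sortColumn#
</cfquery>

<!--- Rows come back untrusted as well: encode them on output --->
<cfoutput query="customers">
	#encodeForHTML(firstname)# #encodeForHTML(lastname)# (#encodeForHTML(phone)#)<br>
</cfoutput>
```

The only value that reaches the SQL text unbound is sortColumn, and it can only ever be one of two fixed strings; the same whitelist approach applies to table names and to ASC/DESC, which are the other things a bind parameter cannot express.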
