Coldbox and VueJS untangled

Month: September 2020

qb: Autodetecting your bind variables in SQL

In an ideal world, everyone is using qb or quick, and you really don’t know what a bind variable is. Before you discovered this ideal world, maybe you were using queryExecute and were executing queries like this one.

var q =queryExecute("Select * from users where userId = #url.UserId#");

This kind of code ( don’t do this in production ! ) is wide open for sql injection attacks. This post is not about sql injection, so we assume you were already so smart to use queryparams, so something similar to this.

var q = queryExecute(
  sql="Select * from users where userId = :myId",
  params =  { myId: { value = rc.UserId, cfsqlType = "integer" }
)
Continue reading

ValidateOrFail: filtering your request collection.

A few weeks ago I blogged about the advantages of validation your request scope vs validating your model. Actually, it is even better to validate your request scope, populate your model with the results of your validateOrFail function and now also validate the model , this time including business logic in your validations.

As explained in this previous post, validateOrFail acts as a kind of filter if you validate a struct. Input of this filter is your request collection( a struct) or a user-defined struct. The nice thing here is: validateOrFail will only return your validated fields, and this way you get rid of all kind of unwanted other fields in your request scope which can help secure your input. At least, that’s what the docs indicate

* @return The validated object or the structure fields that where validated

https://coldbox-validation.ortusbooks.com/overview/validating-constraints

I wouldn’t write this post if this was 100% valid, so let’s see what’s going on based on my simple use case.

Continue reading

Cfcompile to the rescue (part 2)

A few days ago I blogged about some annoying lucee or coldbox behaviour. On syntax errors in components often I didn’t get feedback on the offending file or line numbers. This makes it very hard to debug your application if you made changes in several files at once. After my post I was contacted by Zac Spitzer who asked me if I could file a bug. I already did this a few months ago, but they couldn’t reproduce my case. So we talked about this bug and I digged a little deeper to find out what was wrong.

Continue reading

Cfcompile to the rescue

This is a story about sloppiness, dislexia, or maybe my touch typing skill are just lacking when coding. I also hear friends telling me their cat is sleeping on the keyboard. To add to this disaster, Lucee is not very helpful when trying to decipher my typo’s. I wonder if you ever saw a screen like this:

We all see these ugly screens sometimes, but usually they provide some information on an error. But not this time…

Continue reading

cbValidation: creating a better uniqueValidator

How often do you want to be sure values in your newly inserted records are unique? I just counted in my current project: 28 times. That’s a lot of repetitive code if you validate this requirement each time, so it makes sense to use some kind of uniqueness validator in cbvalidation. In older releases of cbvalidation there only was a unique validator for ORM which looks like this:

{ 
    fieldName : { validator: "UniqueValidator@cborm" },
    // or
    fieldName : { "UniqueValidator@cborm" : {}  }
}

So pretty easy, you don’t have to specify tablenames, fieldnames or primary keys. That’s only possible if you are using ORM entities, because they have all database information included in the entity definition. So if you want to use request collection validation you are out of luck( in a previous post I explained why this might be a good idea ).

Continue reading

cbValidation: validating a model or the request collection?

Recently I was coding a fluent API based on this sample code which was presented at ITB 2020 by Gavin Pickin. When I was testing I discovered I could overwrite existing records when trying to insert new ones, which sounds like a huge security vulnerability. But before blaming Gavin for this let me confess I changed the code a little, just enough to create this security hole. So this exercise showed me the following:

  • never ever populate a model automatically from the request collection without realizing what your customers can insert.
  • validating your request collection before populating your model has it advantages.
Continue reading

© 2020 ShiftInsert.nl

Theme by Anders NorenUp ↑