Welcome!

ColdFusion Authors: Yakov Fain, Maureen O'Gara, Nancy Y. Nee, Tad Anderson, Daniel Kaar

Related Topics: ColdFusion

ColdFusion: Article

Toward Better Error Handling

Toward Better Error Handling

We've all seen it: the dreaded "Error Occurred While Processing Request," which is the headline above a normal CF error message. As developers, of course, we relish the detail it offers: the CF error message, the line number and actual line of code in error, the name and path of the template in which it occurred, and so on. But is this the best thing to show our end users?

Probably not. What should they do with that information? Do they care about these details? Could a hacker use them for unintended purposes? And perhaps most important, how do you even know the error has occurred?

Several features - some old, some new in 4.5, but in either case often missed and misunderstood - can dramatically improve error handling in ColdFusion. In this series of articles I'll cover the basic solutions, CFTRY/CFCATCH, CFERROR (three forms of it) and Site Wide Error Handling, which may be new to you.

In this issue, though, we'll focus on some administrator settings that you may not have considered and that may be quite important to any effective error-handling strategy, depending on the other error-handling choices you make. I'll show how you can reduce the level of detail offered in error messages, as well as improve the ease with which errors may be reported to you when they occur. Along the way I'm confident even the most experienced CF coder will learn a thing or two as some aspects of these features are poorly documented and not obvious.

I'll discuss those other error-handling choices (CFTRY/CFCATCH, CFERROR, and Site Wide Error Handling) in forthcoming issues of CFDJ, and at the end I'll offer a clear list of things you should be doing to better handle errors in your applications.

By applying even one of these solutions, with just a few minutes work (or seconds, in some cases) you could dramatically improve not only your end users' experience, but also the security of your site and your awareness of errors that occur in your applications.

That Lovable, If Pesky, Error Message
The standard CF error message is a delight to the CF developer, with all that great detail. And if it's a SQL error, we even see the database error message, the name of the datasource in error and the SQL statement that was attempted. This is just great for debugging. An example is shown in Figure 1.

Clearly, the creators of CF were developers at heart and realized we'd need to see that info to solve problems. Quick Tip: When you get an error, do you jump back into the code and try to find and fix it? Most developers seem to...and fail to take full advantage of the text of the message. In some cases, though (see Figure 1), what's wrong isn't always obvious.

Even then, if you hop back into the code to scroll around looking for the line of code in error, you're missing a useful shortcut. Notice the line number that's offered (line 79 in this example). In Studio, type CTRL-G (or Edit>GoTo Line) to jump to that line of code. It's not a perfect solution, however; if you have any CFINCLUDEs above the line in error, the numbers in the Studio won't be in sync with the one reported in the error.

This detail is great for developers, but when you move your code to a production environment or, more simply, when an end user visits the site, is that error message an appropriate thing to offer them?

Is It the Right Thing for End Users?
There are several problems with letting users see an error message. First, of course, there's the compromise such errors make to your otherwise elegant user interface. How does it look when they go from your site's consistently blue background to the plain white CF error message page? And what are they going to do with this information? And again, how do you know the error has occurred for your users? Do you simply wait for a call and report it? And have you considered the security risks of showing the physical path of your templates and the SQL datasource name and statements of failed queries in this error message to users?

If you're like many CF developers, these are things you probably haven't thought about, or simply didn't know how to solve. As of Release 4.5, there are a host of options you can consider to limit, modify or hide the error message users see. You can even arrange to log the errors in a database and/or send your developers an e-mail indicating that an error has occurred.

But these enhancements generally require programming changes. We want to start off with some quick changes that can be made to assist the user in informing you that an error has occurred, as well as limiting what information is displayed.

Administrator Configuration Changes
In this article we'll consider three changes that can be made in the CF Administrator. They'll have an important impact on the information presented (or hidden) in the traditional CF error message.

Subsequent issues will cover modifying or completely hiding the display of the message as well as logging/e-mailing it to you automatically, with new "error-handling templates."

But even with those in place if you have them (or until we cover them next month), the changes discussed below have benefits. They'll improve both the ease of users reporting an error as well as the security of your site - especially if you won't be implementing error-handling templates.

The issues we'll cover are setting the administrator e-mail, hiding the SQL and datasource name for query errors, and hiding the template path to the template in error. Even if you think you understand these options, there's more to them than is documented. Let's look at them in detail.

Defining the Administrator E-Mail Error-Handling Address
Some experienced developers may be surprised by my pointing this out, but it's one of the simplest improvements you can make, in the right circumstances, and it's easily implemented.

In the CF Administrator there's a place where you can define the administrator e-mail address for the server:

  • Take the "settings" link under the Logging area on the left nav bar.
  • Enter an e-mail address that should receive e-mails sent by users choosing an option that will be presented to them to send such messages.
Entering this address will from then on cause an additional line of display to be shown on the standard CF error page (the traditional unformatted one), at the bottom of the screen:

Please inform the site administrator that this error has occurred (be sure to include the contents of this page in your message to the administrator).

The "site administrator" link will now hold a hyperlink that when clicked will indicate to the browser that a mail message should be created to be sent to the e-mail address specified in that Administrator setting. (If the user's browser and e-mail client are properly configured to respond to such e-mail hyperlinks, the client's e-mail program will launch an e-mail message to the specified address - and the user can choose to fill in the subject and body of the message.)

Of course, we still have to hope they pay attention to the error message that states they should "include the contents of this page" in the message they send. And it's important to note that this doesn't mean that the "administrator e-mail" address will receive notification of every error that occurs - only when end users click the link offered in that message above. That's something we'll enable in the next issue.

Not Enough, But a Good First Step
This still doesn't solve the other problems of the less-than-attractive interface of the error message or getting an automatic notification. But it's a step in the right direction and, unless you're in a shared server environment where no one person is a suitable recipient of all notifications about error messages, it's probably the first thing you ought to do. (Just be sure to change that administrator setting should that person ever change or leave, lest messages be sent to someone who'll never get them.)

It's also useful when you do use site-wide error handling, as it becomes a variable you can refer to in the site-wide error template, covered next month.

Hiding the SQL and Datasource Name, and Template Path
I've already mentioned the potential security risk of showing the end user such details as the path to the template in error and the SQL code and datasource name in failed queries. In the next article I'll show how you can hide the entire error message from the user, so this point about hiding certain details of the message may become moot if you apply the other techniques. But it's important to understand, especially if you're not currently aware of the issue and may not soon implement those other techniques.

The Risk
Let's look closely at the information shown in the normal CF error message, focusing just on the SQL and Datasource name of a failed query, and the path to the template in error (see Figure 1).

Could someone take advantage of knowing your Datasource name (SomeDSN, in the example) and the SQL code of the failed queries? Or the template path (C:\INETPUB\WWWROOT\SOMEDIR\) to the page in error?

Well, perhaps not if they're just a user of your Web site. Of course, if such a user could break in, they could certainly take advantage of the information. But such break-ins are unlikely, or at least well beyond the scope of this article.

But what if you're on a shared Web server with others who aren't related to your application but can also put CF code on the server in other directories? This is certainly an issue in a commercially hosted Web site on a server shared by many users. It's also a possible concern for users on a corporate Web site having multiple unrelated applications. (One solution to this problem is to use CF's Advanced Security, but this isn't a trivial exercise and is beyond the scope of this article.)

As for the SQL and Datasource Name, if someone can place CF code on the same server as you, have you considered the risk to your data if he or she knew the datasource name for your database? What's to stop someone from running a query against your database? If you're not password protecting your database, any CF template that's running on that same CF server can write a query against your datasource. Password protecting the file may be trivial or challenging in your environment, but explaining it is a subject for another article.

There is yet another risk, as described in Allaire Security Bulletins ASB99-04 and ASB99-09. It's possible in some situations (if not otherwise protected using the suggestions in the bulletins) for a Web visitor to append to the end of a URL (in certain rather unusual situations) extra SQL commands to be executed against your database. This isn't really a CF bug but rather a database driver issue.

In both these cases, if someone can see the SQL statements (including table and column names) shown in an error message, that makes it all the easier to take advantage of any security hole or weaknesses in your environment. So let's hide that information.

Hiding the SQL and Datasource Name in Query Errors
The good news is that it's easy to stop that information from showing in the standard error message (or the one available for display as a variable in one of the error-handling template approaches, discussed in the next issue). It's just a simple tick of a checkbox in the CF Administrator.

It may not be so easy to find, however. It's presented along with server-side debugging control options:

  • Take the "debugging" link under the Miscellaneous area on the left nav bar.
  • Make sure "Show SQL and data source name" is unchecked.
Doing this will reduce the amount of detail in the message above by removing the lines:

SQL = "select * from jobs where jobs.companyid = 499 and jobs.composite_ad_yn <> 1 and jobs.jobtitleid = jobtitles.jobtitleid and jobs.cityid = val_cities.cityid order by stateid,city, jobtitle, date_posted desc" Data Source = "SomeDSN"

That's another step in the right direction.
Now you might be worried about the loss of this useful information as a developer, but there's good news.

Interesting Behavior That May Confuse You
The text explaining this option in the Administrator screen suggests that it controls display, not only of the Datasource name but the SQL statement in error as well. You may find, however, that after doing this you'll still see the SQL statement in error. Is the feature broken? Will end users still see the SQL statement in error? That depends.

Although it's not documented anywhere, this option behaves in an interesting way, and it explains why this option is on the debugging options page. A user who can see the server-side debugging information will always see the SQL statement in error, regardless of whether the "show SQL and datasource name" is turned off.

This is a nice feature for developers as it gives them the detail they need. It's likely that you don't show end users the debugging information, so this makes it really safe to turn off the display of the SQL statement. Those who shouldn't see it won't, while those who should, will.

Hiding the Template Path
The security concerns don't stop there. Remember that display in the error message of the physical path to the template in error? That can also be used by hackers, or simply by others not associated with your project but located on the same server. A few tags available in CF, such as CFFILE and CFCONTENT, allow access to any file in the CF server.

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (26:5) to (26:59).

If someone running code on your server (again, someone who has access to the server or, less likely, someone who's broken in) knows where your code resides, that person can use those tags to grab your source code...or possibly your database.

There are two broader solutions to that problem: one is to restrict access to those tags in the Administrator, which is an option under "Basic Security." Or you can configure Advanced Security, mentioned previously, to protect directories from access by other developers on the same server.

Beyond those security approaches, you can also lessen the risk caused by error messages showing the template path by simply preventing its display in the standard CF error message. Like the "SQL and Datasource Name" option, it too is embedded, curiously, among the server-side debugging control options:

  • Take the "debugging" link under the Miscellaneous area on the left nav bar.
  • Make sure "Display the template path in error messages" is unchecked.
Doing this, along with the SQL and Datasource Name option, will reduce the message detail by changing the last line in the message to:

The specific sequence of files included or processed is:
C:\inetpub\wwwroot\somedir\sometemplate.cfm

Additional Observations
Sadly, this option doesn't respond the way the SQL and Datasource Name option does: even if you're authorized to see server-side debugging information, once this option is turned on, the template name and path will no longer be displayed in error messages. This will make it a little harder for a developer to determine a template in error.

If you have development and production environments, it's certainly worth considering whether you really want to use this option to hide the template path in the development environment.

Some errors (unless otherwise handled by error-handling strategies to be discussed in the next issue) will still show the template path anyway. Compilation errors are an example. Consider this example: turn off the display of the template path and run a template with the code:

Cfif></cfif>

This compilation error will display the complete path in the error message, after the details about the compilation error itself, as in:

This doesn't happen in all classes of errors, but it's something to keep in mind.

Conclusion
We've covered a lot of ground, and hopefully you've learned some things about configuring the Administrator to improve error handling.

Next month I'll explain further the opportunity to have even greater control over the display of errors, or hide them entirely and simply e-mail them automatically to a support person with no interaction by the user, or perhaps even log them to a database. I'll provide two of the three alternatives: Site Wide Error Handling (new to 4.5) and application-level error handling (which has changed significantly in 4.5). In the final part I'll cover CFTRY and CFCATCH, which offer even finer levels of control over error handling within your code.

As for the recommendations to take from this article, consider the following as a summary of the Administrator changes available to you:

  • Set the Administrator e-mail address (if you're on a server where all the applications are related and one person is appropriately ready to handle all such messages).
  • Turn off the display of the Datasource Name and SQL for queries in error, and the template path to the template in error, in anything other than a pure testing/development environment.
As for some of the security best practices we alluded to:
  • Password protect your databases (even in Access) so users running code on a shared server with you need more than just the datasource name and knowledge of your tables and column names to access your data.
  • Read the two Allaire security bulletins about further protecting your data from end users who might be able to take advantage of certain security issues in some database drivers and with some templates.
  • Consider the "Tag Restriction" options in the Administrator to further prevent the likelihood of abuse among unrelated developers on a shared server.
  • Set the Administrator debugging options to prevent server-side debug information from showing to your users, which allows the hide "SQL and Datasource Name" option described above to indeed hide the SQL in error.
For all these options, see the Allaire documentation for more information. All the administrator configuration options presented in this article are discussed in the manual Administering ColdFusion Server.

More Stories By Charlie Arehart

A veteran ColdFusion developer since 1997, Charlie Arehart is a long-time contributor to the community and a recognized Adobe Community Expert. He's a certified Advanced CF Developer and Instructor for CF 4/5/6/7 and served as tech editor of CFDJ until 2003. Now an independent contractor (carehart.org) living in Alpharetta, GA, Charlie provides high-level troubleshooting/tuning assistance and training/mentoring for CF teams. He helps run the Online ColdFusion Meetup (coldfusionmeetup.com, an online CF user group), is a contributor to the CF8 WACK books by Ben Forta, and is frequently invited to speak at developer conferences and user groups worldwide.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at Internet of @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, will discuss how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money! Speaker Bio: Esmeralda Swartz, CMO of MetraTech, has spent 16 years as a marketing, product management, and busin...
Samsung VP Jacopo Lenzi, who headed the company's recent SmartThings acquisition under the auspices of Samsung's Open Innovaction Center (OIC), answered a few questions we had about the deal. This interview was in conjunction with our interview with SmartThings CEO Alex Hawkinson. IoT Journal: SmartThings was developed in an open, standards-agnostic platform, and will now be part of Samsung's Open Innovation Center. Can you elaborate on your commitment to keep the platform open? Jacopo Lenzi: Samsung recognizes that true, accelerated innovation cannot be driven from one source, but requires a...
SYS-CON Events announced today that Red Hat, the world's leading provider of open source solutions, will exhibit at Internet of @ThingsExpo, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Red Hat is the world's leading provider of open source software solutions, using a community-powered approach to reliable and high-performing cloud, Linux, middleware, storage and virtualization technologies. Red Hat also offers award-winning support, training, and consulting services. As the connective hub in a global network of enterprises, partners, a...
P2P RTC will impact the landscape of communications, shifting from traditional telephony style communications models to OTT (Over-The-Top) cloud assisted & PaaS (Platform as a Service) communication services. The P2P shift will impact many areas of our lives, from mobile communication, human interactive web services, RTC and telephony infrastructure, user federation, security and privacy implications, business costs, and scalability. In his session at Internet of @ThingsExpo, Robin Raymond, Chief Architect at Hookflash Inc., will walk through the shifting landscape of traditional telephone a...
SYS-CON Events announced today that Matrix.org has been named “Silver Sponsor” of Internet of @ThingsExpo, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Matrix is an ambitious new open standard for open, distributed, real-time communication over IP. It defines a new approach for interoperable Instant Messaging and VoIP based on pragmatic HTTP APIs and WebRTC, and provides open source reference implementations to showcase and bootstrap the new standard. Our focus is on simplicity, security, and supporting the fullest feature set.
BSQUARE is a global leader of embedded software solutions. We enable smart connected systems at the device level and beyond that millions use every day and provide actionable data solutions for the growing Internet of Things (IoT) market. We empower our world-class customers with our products, services and solutions to achieve innovation and success. For more information, visit www.bsquare.com.
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic • Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it’s a mix of architectural style...
SYS-CON Events announced today that SOA Software, an API management leader, will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. SOA Software is a leading provider of API Management and SOA Governance products that equip business to deliver APIs and SOA together to drive their company to meet its business strategy quickly and effectively. SOA Software’s technology helps businesses to accelerate their digital channels with APIs, drive partner adoption, monetize their assets, and achieve a...
From a software development perspective IoT is about programming "things," about connecting them with each other or integrating them with existing applications. In his session at @ThingsExpo, Yakov Fain, co-founder of Farata Systems and SuranceBay, will show you how small IoT-enabled devices from multiple manufacturers can be integrated into the workflow of an enterprise application. This is a practical demo of building a framework and components in HTML/Java/Mobile technologies to serve as a platform that can integrate new devices as they become available on the market.
SYS-CON Events announced today that Utimaco will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Utimaco is a leading manufacturer of hardware based security solutions that provide the root of trust to keep cryptographic keys safe, secure critical digital infrastructures and protect high value data assets. Only Utimaco delivers a general-purpose hardware security module (HSM) as a customizable platform to easily integrate into existing software solutions, embed business logic and build s...
Connected devices are changing the way we go about our everyday life, from wearables to driverless cars, to smart grids and entire industries revolutionizing business opportunities through smart objects, capable of two-way communication. But what happens when objects are given an IP-address, and we rely on that connection, sometimes with our lives? How do we secure those vast data infrastructures and safe-keep the privacy of sensitive information? This session will outline how each and every connected device can uphold a core root of trust via a unique cryptographic signature – a “bir...
Internet of @ThingsExpo Silicon Valley announced on Thursday its first 12 all-star speakers and sessions for its upcoming event, which will take place November 4-6, 2014, at the Santa Clara Convention Center in California. @ThingsExpo, the first and largest IoT event in the world, debuted at the Javits Center in New York City in June 10-12, 2014 with over 6,000 delegates attending the conference. Among the first 12 announced world class speakers, IBM will present two highly popular IoT sessions, which will take place November 4-6, 2014 at the Santa Clara Convention Center in Santa Clara, Calif...
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at Internet of @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, will discuss how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.

SUNNYVALE, Calif., Oct. 20, 2014 /PRNewswire/ -- Spansion Inc. (NYSE: CODE), a global leader in embedded systems, today added 96 new products to the Spansion® FM4 Family of flexible microcontrollers (MCUs). Based on the ARM® Cortex®-M4F core, the new MCUs boast a 200 MHz operating frequency and support a diverse set of on-chip peripherals for enhanced human machine interfaces (HMIs) and machine-to-machine (M2M) communications. The rich set of periphera...

SYS-CON Events announced today that Aria Systems, the recurring revenue expert, has been named "Bronze Sponsor" of SYS-CON's 15th International Cloud Expo®, which will take place on November 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Aria Systems helps leading businesses connect their customers with the products and services they love. Industry leaders like Pitney Bowes, Experian, AAA NCNU, VMware, HootSuite and many others choose Aria to power their recurring revenue business and deliver exceptional experiences to their customers.
The Internet of Things (IoT) is going to require a new way of thinking and of developing software for speed, security and innovation. This requires IT leaders to balance business as usual while anticipating for the next market and technology trends. Cloud provides the right IT asset portfolio to help today’s IT leaders manage the old and prepare for the new. Today the cloud conversation is evolving from private and public to hybrid. This session will provide use cases and insights to reinforce the value of the network in helping organizations to maximize their company’s cloud experience.
The Internet of Things (IoT) is making everything it touches smarter – smart devices, smart cars and smart cities. And lucky us, we’re just beginning to reap the benefits as we work toward a networked society. However, this technology-driven innovation is impacting more than just individuals. The IoT has an environmental impact as well, which brings us to the theme of this month’s #IoTuesday Twitter chat. The ability to remove inefficiencies through connected objects is driving change throughout every sector, including waste management. BigBelly Solar, located just outside of Boston, is trans...
SYS-CON Events announced today that Matrix.org has been named “Silver Sponsor” of Internet of @ThingsExpo, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Matrix is an ambitious new open standard for open, distributed, real-time communication over IP. It defines a new approach for interoperable Instant Messaging and VoIP based on pragmatic HTTP APIs and WebRTC, and provides open source reference implementations to showcase and bootstrap the new standard. Our focus is on simplicity, security, and supporting the fullest feature set.
Predicted by Gartner to add $1.9 trillion to the global economy by 2020, the Internet of Everything (IoE) is based on the idea that devices, systems and services will connect in simple, transparent ways, enabling seamless interactions among devices across brands and sectors. As this vision unfolds, it is clear that no single company can accomplish the level of interoperability required to support the horizontal aspects of the IoE. The AllSeen Alliance, announced in December 2013, was formed with the goal to advance IoE adoption and innovation in the connected home, healthcare, education, aut...