Adobe ColdFusion

From FlashSec

Jump to: navigation, search
Adobe ColdFusion
Developer Adobe Systems
Release 8.0
OS Windows, Linux, UNIX, MacOS
Genre Server
License Proprietary
Type Commercial
Website Adobe ColdFusion
Wikipedia Adobe ColdFusion

ColdFusion is an application server and software development framework used for the development of computer software in general, and dynamic web sites in particular. In this regard, ColdFusion is a similar product to Microsoft ASP.NET or Java Enterprise Edition.

The primary feature of ColdFusion is its associated scripting language, ColdFusion Markup Language (CFML), which compares to JSP, C#, or PHP and resembles HTML in syntax. "ColdFusion" is often used synonymously with "CFML", but it should be noted that there are additional CFML application servers besides ColdFusion, and that ColdFusion supports programming languages other than CFML, such as server-side Actionscript. Apart from the tag-based CFML syntax, ColdFusion supports embedded scripts that can be written in a JavaScript-like language, known as CFScript.

Originally a product of Allaire, in 2001 the company was purchased by Macromedia, which was in turn acquired by Adobe Systems in 2005.

ColdFusion is most often used for data-driven web sites or intranets. More advanced developers can use ColdFusion as a productivity layer above a J2EE platform or use ColdFusion as middleware in a service oriented architecture (SOA), generating SOAP or RESTful web services or Flash remoting.

ColdFusion can also handle asynchronous events such as SMS and instant messaging via its gateway interface, available in ColdFusion MX 7 Enterprise Edition.

ColdFusion provides a number of value-added services out of the box:

  • conversion from HTML to PDF and FlashPaper
  • client-side form validation including rich forms using Flash
  • GUI widgets such as datagrids and date pickers
  • platform-independent database querying via ODBC or JDBC
  • data retrieval from common enterprise systems such as Active Directory, LDAP, POP, HTTP, FTP
  • client and server cache management
  • session, client, and application management
  • file indexing and searching service based on Verity K2
  • XML parsing, querying, and validation
  • Server clustering
  • GUI administration
  • Task scheduling

Other implementations of CFML offer similar or enhanced functionality, such as running in a .NET environment or image manipulation.


[edit] Releases

1995 Allaire Cold Fusion version 1.0
1996 Allaire Cold Fusion version 1.5
1997, Jun Allaire Cold Fusion version 3.0
1998, Jan Allaire Cold Fusion version 3.1
1998, Nov Allaire ColdFusion version 4.0 (space eliminated between Cold and Fusion to make it ColdFusion)
1999, Nov Allaire ColdFusion version 4.5
2001, Jun Macromedia ColdFusion version 5.0
2002, May Macromedia ColdFusion MX version 6.0
2003, Oct Macromedia ColdFusion MX version 6.1
2005 Macromedia ColdFusion MX 7
2007? Adobe ColdFusion 8 (Codename Scorpio)

[edit] ColdFusion MX

Prior to 2000, Allaire began a project codenamed "Neo", that would rewrite the basis of ColdFusion using Java, which would allow for greater portability among different platforms.

On January 16, 2001, Allaire announced that it would be merging with Macromedia. Shortly after the merger, Macromedia continued with the incremental release of ColdFusion 5.00 and in June 2002, Macromedia released Macromedia ColdFusion MX (6.0), extending the naming convention of Macromedia's line of products. ColdFusion MX was completely rebuilt from the ground up and was based on the Java 2 Enterprise Edition (J2EE) platform. ColdFusion MX was also designed to integrate well with Flash using Flash Remoting.

Starting from the MX (6.0) release, ColdFusion is compiled to bytecode, like JSP and ASP.NET. The compiled .class files are readily accessible, and are cached until their source changes, like JSPs.

With the release of ColdFusion MX, the CFML language was also extended to support basic OOP.

[edit] Current version

With the release of ColdFusion 7.0, the naming convention was amended, rendering the product name "Macromedia ColdFusion MX 7". CFMX 7 added Flash-based, and XForms-based, web forms and a report builder that output in Adobe PDF as well as Flash Paper, RTF and Excel. The Adobe PDF output is also available as a wrapper to any HTML page, converting that page to a quality printable document. The enterprise edition also added Gateways. These provide interaction with non-HTTP request services such as IM Services, SMS, Directory Watchers, and an asynchronous execution. XML support was boosted in this version to include native schema checking.

ColdFusion MX 7.0.2, codenamed "Mystic" includes advanced features for working with Adobe Flex 2.

[edit] Future

Development is underway at Adobe for a version 8 of ColdFusion, codenamed "Scorpio", scheduled to be released by the second half of 2007. Confirmed new features for Scorpio are the cfpdfform tag, which enables integration with Adobe PDF forms, some image manipulation functions, Microsoft .NET integration, and the cfpresentation tag, which appears to allow creating and integrating with live Macromedia Breeze presentations. The CF Administrator is also reported to have a new Flex 2 interface, and there will be built-in server monitoring. These features were demonstrated at CFUnited 2006 and MAX conferences, and at CFDevCon 2006 in the UK.

[edit] Rich forms

With its newest release, Macromedia included a subset of its Macromedia Flex 1.5 technology. Its stated purpose is to allow for rich forms in HTML pages using CFML to generate Flash movies. These Flash forms can actually be used to implement rich internet applications, but with limited efficacy due to the ActionScript restrictions in place on Flash forms by Macromedia.

Flash forms also provide additional widgets for data input, such as date pickers and data grids.

In previous versions of ColdFusion, some form validation and additional widgets were available using a combination of Java applets and JavaScript. This option persists for those who do not wish to use Flash, however not all features are supported.

An example:

<cfform format="flash" method="post" width="400" height="400">
	<cfinput type="text" name="username" label="Username" required="yes" >
	<cfinput type="password" name="password" label="Password" required="yes" >
	<cfinput type="submit" name="submit" value="Sign In" >

ColdFusion also includes some XForms capability, and the ability to "skin" forms using XSLT.

[edit] PDF and FlashPaper generation

ColdFusion can generate PDF or FlashPaper documents using standard HTML (i.e. no additional coding is needed to generate documents for print). CFML authors simply place HTML and CSS within a pair of cfdocument tags and specify the desired format (FlashPaper or PDF). The generated document can then either be saved to disk or sent to the client's browser.

[edit] ColdFusion Components (Objects)

ColdFusion was originally not an object-oriented programming language, and even today lacks some OO features, such as multiple inheritance (although this is of limited concern as even languages such as Java lack this OO feature). With the MX release (6+), ColdFusion introduced the component language construct which resembles classes in OO languages. Each component may contain any number of properties and methods. One component may also extend another (Inheritance). Components only support single inheritance. ColdFusion does not currently support Java-style interfaces, although there are plans to introduce this feature in version 8. ColdFusion components use the file extension cfc to differentiate them from ColdFusion templates (.cfm).

[edit] Constructions and Initialization

ColdFusion does not support constructors in the same way as most other programming languages. Objects are created using tags or the CreateObject function. Some initialization can be achieved by placing ColdFusion code outside any methods within the component; this code will run once upon object creation. However, this code does not have access to constructor arguments, since there is no mechanism to pass arguments to ColdFusion language features which create objects.

To simulate constructors, ColdFusion developers generally code a separate function responsible for object initialization, and which returns an instance of the current object. This is traditionally named init, following ColdFusion's convention of calling constructors of Java objects.

Example component with initialization method:

  <cffunction name="init" access="public" returntype="MyObject">
    <cfset this.something='do some object initialization'>
    <cfreturn THIS >

Calling an initialization method during construction, possible because the last line in the init function returns a reference to the object.

<cfset object=createObject('component','my.object').init()>

Since this constructor does not take any arguments, the equivalent is to place this code outside any method:

  <cfset this.something='do some object initialization'>

The object can now be created without calling the initmethod.

[edit] Remoting

Component methods may be made available as web services with no additional coding and configuration. All that is required is for a method's access to be declared 'remote'. ColdFusion automatically generates a WSDL at the URL for the component thusly: http://path/to/components/Component.cfc?wsdl. Aside from SOAP, the services are offered in Flash Remoting binary format.

Methods which are declared remote may also be invoked via a HTTP GET or POST request. Consider the GET request as shown.


This will invoke the component's search function, passing "your query" and "strict" as arguments.

This type of invocation is well-suited for AJAX-enabled applications.

The ColdFusion server will automatically generate documentation for a component if you navigate to its URL and insert the appropriate code within the component's declarations. This is an application of component introspection, available to developers of ColdFusion components. Access to a component's documentation requires a password. A developer can view the documentation for all components known to the ColdFusion server by navigating to the ColdFusion URL. This interface resembles the Javadoc HTML documentation for Java classes.

[edit] ColdFusion and Java

The standard ColdFusion installation allows the deployment of ColdFusion as a WAR or EAR file for deployment to standalone application servers, such as Macromedia JRun, and IBM WebSphere. ColdFusion can also be deployed to servlet containers such as Apache Tomcat and Mortbay Jetty, but because these platforms do not officially support ColdFusion, they leave many of its features inaccessible.

Because ColdFusion is a Java EE application, ColdFusion code can be mixed with Java classes to create a variety of applications and utilize existing Java libraries. ColdFusion has access to all underlying Java classes, supports JSP custom tag libraries, and can access JSP functions after retrieving the JSP page context (GetPageContext()).

Prior to ColdFusion 7.0.1, ColdFusion components could only be used by Java or .NET by declaring them as web services. However, beginning in ColdFusion MX 7.0.1, ColdFusion components can now be utilized directly within Java classes using the CFCProxy class.

Recently, there has been much interest in Java development using scripting languages such as Groovy and JRuby. It should be noted that ColdFusion was one of the first scripting platforms to allow this style of Java development. There are, however, some limitations to ColdFusion's ability to offer Java scripting:

  • lack of Bean Scripting Framework plugin support
  • one cannot extend Java classes in ColdFusion
  • ColdFusion MX 6.1 did not support usage of null value method parameters
  • ColdFusion components cannot be consumed in Java as regular classes (see the paragraph on CFCProxy above)

[edit] Custom tags

ColdFusion provides several ways to implement custom tags, i.e. those not included in the core ColdFusion language. The traditional and most common way is using CFML. A standard CFML page can be interpreted as a tag, with the tag name corresponding to the file name prefixed with "cf_". For example, the file IMAP.cfm can be used as the tag "cf_imap". Attributes used within the tag are available in the ATTRIBUTES scope of the tag implementation page. CFML pages are accessible in the same directory as the calling page, via a special directory in the ColdFusion web application, or via a CFIMPORT tag in the calling page. The latter method does not necessarily require the "cf_" prefix for the tag name.

A second way is the development of CFX tags using Java or C++. CFX tags are prefixed with "cfx_", for example "cfx_imap". Tags are added to the ColdFusion runtime environment using the ColdFusion administrator, where JAR or DLL files are registered as custom tags.

Finally, ColdFusion supports JSP tag libraries from the JSP 2.0 language specification. JSP tags are included in CFML pages using the CFIMPORT tag.

[edit] Query of queries

ColdFusion uniquely supports query of queries, alternatively known as queries in memory. Given a variable of QUERY data type, ColdFusion can sort and retrieve selected rows from the result set using standard SQL. Note than in ColdFusion, a query datatype can be generated by methods other than standard database queries. For example, ColdFusion returns a query from a request to list the contents of a directory. For example:

<cfdirectory action="list" directory="/path/to/directory/" name="dirListing" />
<!--- Get all XML files --->
<cfquery name="xmlFiles" dbtype="query">
  FROM dirListing
  WHERE name LIKE '%.xml'
<!--- Get all image files --->
<cfquery name="imageFiles" dbtype="query">
  FROM dirListing
  WHERE (name LIKE '%.jpg' OR name LIKE '%.gif' OR name LIKE '%.png')

Queries in memory often result in a performance improvement as the ColdFusion server does not have to query the database server multiple times. In the above example, only a single query of the file system was needed, saving processing overhead. However, there is a point in the number of queries or their complexity that an alternative solution is necessary.

[edit] Alternative server environments

ColdFusion originated as proprietary technology based on Web technology industry standards. However, it is becoming a less closed technology through the availability of competing products. Products include Railo, BlueDragon, IgniteFusion, SmithProject and Coral Web Builder.

The argument can be made that ColdFusion is even less platform-bound than raw J2EE or .NET, simply because ColdFusion will run on top of a .NET app server (New Atlanta), or on top of any servlet container or J2EE application server (JRun, WebSphere, JBoss, Apache Geronimo, Tomcat, Resin, Jetty, etc.). In theory, a ColdFusion application could be moved unchanged from a J2EE app server to a .NET app server.

Currently, alternative server platforms generally support ColdFusion MX 6.1 functionality, with minor changes or feature enhancements.

[edit] Acronyms

The acronym for the ColdFusion Markup Language is CFML. When ColdFusion templates are saved to disk, they are traditionally given the extension .cfm or .cfml. The .cfc extension is used for ColdFusion Components. The original extension was DBM or DBML, which stood for Database Markup Language. When talking about ColdFusion, most users use the acronym CF and this is used for numerous ColdFusion resources such as user groups (CFUGs) and sites.

CFMX is the common abbreviation for ColdFusion versions 6 and 7 (aka ColdFusion MX).

[edit] Code example

Query your database:

<cfquery name="nameofquery" datasource="odbc_connection">
   FROM table
   WHERE field = 'foo'

Loop through your records:

<cfoutput query="nameofquery">
    <!---Above is a variable reference. This text is a comment --->

Set and display a variable:

<cfset variables.sMyVar = "A Variable defined in CFML">
 Here is the contents of the variable: <cfoutput>#variables.sMyVar#</cfoutput>

Define and use a function:

<cffunction name="AddTwoNumbers" returntype="numeric" output="false" hint="I add two numbers.">
  <cfargument name="NumberOne" type="numeric" required="true" hint="I am the first number.">
  <cfargument name="NumberTwo" type="numeric" required="true" hint="I am the second number.">
  <cfreturn arguments.NumberOne + arguments.NumberTwo>

 <cfoutput>#AddTwoNumbers(2, 2)#</cfoutput>

Define a component (class):

<cfcomponent name="thisComponent" extends="anotherComponent">
  <!--- Propery definitions are required for documentation and complex SOAP types only --->
  <cfproperty name="" type="string">
  <cffunction name="init" returntype="thisComponent">
   <cfreturn THIS>
  <!--- Get a property --->
  <cffunction name="getSomeProperty" access="public" returntype="string">
  <!--- Set a property --->
  <cffunction name="setProperty" access="public" returntype="void">
   <cfargument name="property" type="string" required="true">
   <cfset =>

Instantiate a Java class:

<cfset variables.myPath = "C:\MyFile.txt">
 <cfset variables.myFile = CreateObject("java","").init(variables.myPath)>
 <cfset variables.fis = CreateObject("java","").init(variables.myFile)>

Dump the results of a query (for debugging):

<cfquery datasource="#dsn#" name="myQuery">
 SELECT * FROM myTable
<cfdump var="#myQuery#">

Consume a web service:

<cfset = CreateObject("webservice", "http://web.service/service?wsdl")>
<cfset variables.result =>


<cfinvoke webservice="http://web.service/service?wsdl" method="fun" returnVariable="variables.result">

[edit] Syntax

CFML provides two different syntax formats, each with their own pros and cons.

[edit] Tag-based syntax

CFML follows an XML/HTML-like syntax in that all commands are written in the format:

 <cfcommand argument="something">Some text</cfcommand>
 <cfset variable = "some data">

Note that ColdFusion is not strictly XML because not all attributes have name value pairs and tags need not be well-formed. CFML more closely resembles HTML 4.0 syntax than XML. Since ColdFusion 6.0, the CFML syntax can almost entirely be expressed using XML format, with the key exception of CFIF/CFELSEIF/CFELSE tags.

[edit] CFSCRIPT syntax

An additional syntax format is available that is similar to Javascript:

   command('argument 1', 'argument 2');

This second format provides a cleaner migration path for people with experience in C-style languages: C, C++, Java, Javascript, etc. One thing to remember is that to use this syntax you must include the cfscript command around the code block -- you can't just launch into cfscript. Almost everything that can be done in tags can be done using CFSCRIPT. Some exceptions are:

  • SQL queries, which require the CFQUERY tag. Note that in ColdFusion, QUERY is a type which can be created in CFSCRIPT.
  • Throwing and rethrowing exceptions. (Since ColdFusion MX 6.0, try {} and catch() {} are available to cfscript.)
  • Most protocol-based client functionality, such as FTP, HTTP, POP, and LDAP. These are exposed via tags.

Since the introduction of UDFs (User Defined Functions), however, it is possible to define a UDF using tag-based syntax that can be called from within cfscript blocks:

  <cffunction name="readUserData" access="public" returntype="numeric" output="false">
    <cfargument name="userId" type="numeric" required="true">
    <cfargument name="dsn" type="string" required="true">
    <cfset var userData = "">
    <cfset var rslt = "">
    <cfquery name="userData" datasource="#arguments.dsn#" result="rslt">
       select *
       from tblUser
       where userId = <cfqueryparam value="#arguments.userId#" cfsqltype="cf_sql_integer">
    <cfreturn userData>
    userData = readUserData(110, "myDataSource");

This allows the passing of arguments to tag-based constructs within cffunction blocks. Also, since ColdFusion MX 6.0 extended createObject() to include CFCs, it is possible to use both custom CFCs and Java objects in CFSCRIPT. Using Java objects to obtain access to protocol-based client functionality often defeats the whole purpose of using ColdFusion. Obviously, using CFCs or cffunction-based UDFs to provide script-style code access to the tag-based language features of ColdFusion is the preferred method.

Generally, CFSCRIPT is used to perform simple statements–such as multiple assignments–in lieu of multiple CFSET tags.

CFSCRIPT can also be used to define UDFs:

    function addTwoNumbers(a,b) {
      return a+b;

In this case, however, it is impossible to define the content type detection that ColdFusion provides for arguments (string, numeric, query, struct, array, etc.), access restrictions on the UDF (public, private, package, remote), whether or not the UDF is allowed to generate output, or the return value content type (as with arguments). Using CFSCRIPT to define UDFs is handy for smaller tasks or simple things that aren't reliant on the various attributes that the CFFUNCTION and CFARGUMENT tags provide.

[edit] Criticism

Choices of scripting languages for any task are subject to much debate in the IT community. Criticisms of ColdFusion include:

  • ColdFusion is expensive, especially compared to its competitors, which are almost always free. Even Microsoft-based scripting solutions such as ASP.NET are technically free if you own a PC or server running some version of Windows. The rapid deployment of ColdFusion applications negates the cost of the server, since most applications can be built at manpower savings that significantly make up for the cost of the server. However, there are several free versions of ColdFusion, although they do not have 100% of the features.
  • Many scripting languages such as PHP, Ruby, Perl and Python are open-source. While the language of CFML itself is well-documented, Adobe ColdFusion's server code is not readily viewable or modifiable. Applications built using ColdFusion are viewable and modifiable unless they were deployed as a binary CAR file (similar to a JAR file). With the release of the SmithProject open-source CFML server, looking at the server code is now possible.
  • CFML syntax is very different from traditional programming languages, which use a C-style syntax, although this is a key reason for its success. Although CFScript offers this alternative, ColdFusion code is often written in CFML.
  • Although CFML is certainly not alone in using tag-based syntax (ASP.NET and JSP also uses them to render some UI elements), it is the only language that wraps core application logic in a tag-based syntax.
  • ColdFusion's ease of development is often criticized by traditional programmers who say that ColdFusion developers create bad code. This is no less true for any of the other web based languages, like ASP and PHP. There are also a lot of programmers in other languages that have not kept up on developments in ColdFusion and still believe that it does not use OOP principles. Many CF developers start out developing simple sites, but graduate to more OOP and MVC designed applications.
  • ColdFusion libraries and extensions are few, and not always free, although there are sites dedicated to open-source ColdFusion code and several open-source frameworks have emerged in recent years in active development. ColdFusion also can easily call Java libraries which alleviates this issue.
  • ColdFusion lacks features present in other scripting languages. A significant omission from ColdFusion's tag library, for example, is the ability to manipulate common image formats. Another of note is a client IMAP tag. Missing features are often available as extensions, with the caveat on extensions as above, and image manipulation is planned for CFMX 8.
  • ColdFusion lacks advanced object-oriented features such as providing little distinction between instance and class (virtual and static) properties and methods. ColdFusion doesn't offer constructor syntax per se, but rather forces an object factory pattern to return object instances. A common idiom is to use init to indicate a method which is the constructor for each component. Methods are implicitly virtual if they reference the THIS scope. There are several techniques available to provide mixin functionality. Note: The release of CF 8 is planned to include a cfinterface tag to define interfaces similarly to OOP languages like Java.
  • CFScript is similar to but incompatible with the ECMAScript specification. ColdFusion does include some server-side Actionscript functionality (which is ECMA-script compliant), however server-side Actionscript has significantly fewer features than CFML. Note: The release of CF 8 will allow for more common versions of the scripting syntax. Ex == for equals, < for less than, and ++ to increment a variable will all be permissible.
  • Certain features of ColdFusion such as event gateways, creation of datasources, caching settings and classpath additions are not readily configurable for usage in a shared hosting environment. Note: The release of CF 8 will allow hosting providers to provide application specific settings and administrator accounts, which should help to bring more functionality to shared hosting customers.
  • ColdFusion components are not serializable. Note: The release of CF 8 will allow for CFC's to be serialized and therefore be replicated across multiple instances in a cluster.
  • ColdFusion does have a Duplicate() method to deep copy objects, but it will not copy COM, CORBA, or JAVA objects returned from the cfobject tag or the CreateObject function. ColdFusion objects and components can be Duplicated.

[edit] External links