Raymond Camden's Blog Rss

Quick Transfer Tip

5

Posted in ColdFusion | Posted on 03-19-2009 | 3,412 views

Using an ORM means never having to write SQL. Well, ok, maybe not. As much as I love Transfer (and am beginning to love Hibernate), there are still times when you have to resort to writing SQL. Here is a quick tip.

Using getDatasource() to get access to the datasource configuration? If so, you may have code that looks like this:

view plain print about
1<cffunction name="getFoo" access="public" returnType="numeric" output="false">
2    <cfset var ds = getDatasource()>
3    <cfset var foo = "">
4        
5    <cfquery name="foo" datasource="#ds.getName()#">
6    select    sum(rabbits) as total
7    from    huntinglog
8    where    club_no = <cfqueryparam cfsqltype="cf_sql_varchar" value="#getId()#">
9    </cfquery>
10    <cfreturn val(foo.total)>
11        
12</cffunction>

Notice I pass ds.getName() to load the datasource name. My datasource.xml looks like so:

view plain print about
1<?xml version="1.0" encoding="UTF-8"?>
2<datasource>
3 <name>romulanale</name>
4 <username></username>
5 <password></password>
6</datasource>

Notice that I did not specify a username/password. But what happens if the production system needs this? It is trivial to supply it in the XML. Transfer will use it. But my query above will fail. Luckily I can just switch to:

view plain print about
1<cfquery name="foo" datasource="#ds.getName()#" username="#ds.getUsername()#" password="#ds.getPassword()#">

What's nice is that this works just fine when the username/password values are blank. Now I'm set no matter what.

Comments

[Add Comment] [Subscribe to Comments]

Justin Johnson said on 03-19-2009 at 9:03 AM #
Remember Ray, Romulan Ale is illegal
Will B. said on 03-19-2009 at 9:42 AM #
@Justin: Not if you use it for purely medicinal purposes.

@Ray: Sometimes it's not really necessary to var out the extra variable. Just put datasource="#getDatasource().getName()#" user="#getDatasource().getUser()#" etc. Then you can create a snippet in Eclipse to quickstart your queries, and not have to have that extra command since you'll likely only use it for the query itself 99% of the time.
Phillip Senn said on 03-19-2009 at 5:34 PM #
Could someone read your xml file and thereby learn your username and password?
If so, and if they could guess your server, then they could use management studio to connect to your database.
Will B. said on 03-19-2009 at 5:37 PM #
@Phillip,

The trick is to make your config.xml be config.xml.cfm. You read it like a normal xml file, it's just text. But you put <cfabort /> in an application.cfm in the same folder...voila..untouchable.
Phillip Senn said on 03-19-2009 at 5:45 PM #
I've seen config.xml.cfm before with ColdFusion comments wrapped around it.
I've seen config.xml.cfm before with a cfabort at the top.
I seen a peanut stand, heard a rubber band.
But I ain't never seen a config.xml.cfm with an application.cfm! That's kinda of clever.

http://lyricsplayground.com/alpha/songs/w/whenisee...