Why ColdFusion Is So Great With Databases
Having just come from developing PHP for around a year, switching to ColdFusion was an interesting experience.
Being a bit anal about everything seems to help with PHP, but this is true of most languages. For example closing every tag you’ve opened, validating every form to correct user input and handle any mistakes, or explicitly stating every behaviour a page should have.
I have heard it said that anything you can do with ColdFusion you can do with PHP, and vice-versa. However, I’ve found that although it takes some getting used to, there are some distinct advantages to CFML.
How often have PHP developers created a form that takes values, then creates an update or insert query to the database? I recall this to be not entirely painful, but very verbose. First of all, you would either have to write an include file to hold the db connection information, or simply type it out at the top of the script:
mysql_connect(host,username,password)
or die("Error connecting to Database!" . mysql_error());
mysql_select_db(database)
or die("Cannot select database!" . mysql_error());
In ColdFusion this is unnecessary. The connection information is specified server-side as something called a datasource, so it requires 0 lines of code until the query itself is made.
This brings us to the query step.
$query="INSERT INTO users (FirstName, LastName, Age) VALUES ('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
mysql_real_escape_string($_POST(firstname));
mysql_real_escape_string($_POST(lastname));
mysql_real_escape_string($_POST(age));
$result = mysql_query($query);
Technically the mysql_real_escape_string should be used to prevent anyone from inputting anything to intentionally (or unintentionally) corrupt your database, and is standard practise for sanitizing database inputs. In ColdFusion, however, queries are much easier.
<cfquery name=”query” datasource=”database”> INSERT INTO Persons (FirstName, LastName, Age) VALUES (#firstname#,#lastname#,#age#) </cfquery>
However, this gets even easier.
It’s pretty safe to assume that what gets put into the database at any point generally comes from some kind of form. Well the form basically spits out the same thing every time, even if the value is blank. So say someone fills out a form containing the firstname, lastname, and age as above and submits it. ColdFusion could handle it all and put it in the database with this:
<cfinsert datasource="database" tablename="users">
What that single line of code does is amazing. It takes the values passed from the form (IMPORTANT: This assumes that the form variable names passed forward match the names of the columns in the database, which is best practise anyway), and automatically creates a query to insert these new values into the database. The same is true for the <cfupdate> tag. Not only that, but ColdFusion has an automated character escape feature, so it always assumes you want special characters escaped when performing a query.
ColdFusion skips all the boring parts of working with databases, and lets you just do what you need to.
I’d steer clear of cfinsert/cfupdate. The may look cool and easy to start with, hell I loved them too when I first looked at ColdFusion, but you’ll hit limitations later into your journey with CF. I recommend you spend some time looking into cfqueryparam if you are really interested in securing your database interaction. Then, when you want to get really serious, take a look at an ORM like Transfer or wait for Hibernate support in CF9 due out later this year.
I suspect the big limitation is not being able to do anything *but* insert or update. And there are times that the information passed forward will have to be manipulated or validated before being added to the database. Was there a specific limitation you had in mind?
Yeah, manipulation is the biggy. Google cfqueryparam and you’ll see loads of good advice. The main benefit is help with avoiding SQL injection and speed improvements due to binding. Take a peak at Transfer. The initial learning curve is not to bad but can ramp up when you progress beyond simple CRUD.
Yes, I believe dickbob is correct. I’ve experienced SQL injections with some old code that I had not added cfqueryparam. Mainly you’ve got to be sure to include cfqueryparam on all character fields. But, I don’t take any chances anymore, I use cfqueryparam on all insert, updates & selects when referring to a form value. Also, I stopped using cfinsert and cfupdate years ago. I don’t even remember exactly why, but, I’ve found it’s best to write out the SQL code, if nothing else it puts one on a path to much more advanced db filtering by learning SQL.
Btw, I enjoyed the post from someone who has written both PHP and CFML. Could never understand why CFML hasn’t become more popular, I’ve been using it since vers. 2. The reason always given is the cost, but if, as I believe to be true, that you can develop faster with CFML, it would seem that it wouldn’t take much time to make up the upfront costs.