Legacy Code Part 11: Pass It Along

One thing that affects application performance, in your Legacy Code, could be a lack of (or misuse of) variable scoping. In our last post we discussed the usage of the various persistent scopes. Now, we'll talk about some of the other scopes that your application might be using.

In this post, we'll get the easy one's out of the way. It's really all in the name, for many of these, which I like to call the passalong variables.

URL
- These are the variables from the url query string. Not the most secure way to pass around information, but some variables don't always require protection. It is typically good practice to <cfparam> url variables, on the off chance that the link was truncated.
view plain print about
1<script>
2    param name="URL.debug" type="boolean" default=false;
3</script>
FORM
- These variables are available to a template that is the target of a form post. It is made up of all of the form field names and values passed in a post, and includes a special "fieldnames" key as well, that contains a comma delimited list of all of the passed form fields. It is important to note that browsers do not pass checkbox fields that are unchecked, so it is always a good idea to <cfparam> any checkbox fields.
view plain print about
1<script>
2    param name="FORM.categoryid" type="numeric" default=0;
3</script>
ARGUMENTS
- These are variables that are passed into a function method, for use within the function. When you need a variable in a function, from outside of that function (for instance, a persistent scope variable), you want to pass the variable into the function as an argument. This will help to prevent memory leaks, maintain encapsulation, and manage dependencies. A bonus is that you can use the argument definition in the method signature in a way similar to <cfparam>, by providing a default value.
view plain print about
1<script>
2/**
3 * @access public
4 * @output false
5 * @returntype void
6 */

7function setUser (required string firstName, required string lastName, boolean isActive=true) {
8 // Your code goes here
9}
10</script>
It is always important to declare the argument's type in the method signature (as in <cfparam>), as it will assist in the overall security of your application by ensuring that methods receive the proper variable type.
ATTRIBUTES
- The attributes scope is the arguments scope of custom tags. Similar rules should apply, in that if you require data from another scope, within your custom tag, then best practice is to pass the variable in as an attribute of the tag. Just like <cfargument> and <cfparam> you can (and should) define a type for the variable, as well as a default value if necessary.

Quick author's note here: You'll notice, in my code examples, that I use the <cfscript> form of code, while referencing the <tag> form in my dialog. Most Legacy Code is tag based, but you will find more and more core business logic is written in scripted form. Each scripted block can be done in tag form, but I personally stay away from tag based code for anything other than view templates and any inline looping or conditionals of that view code.

In our next post we'll discuss the remaining scopes. These include some of the more tricky scopes used within CFCs and Custom Tags, as well as a few others.

This article is the eleventh in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.

Legacy Code Part 10: Be Persistent

As I said in my last post, scoping all of your variables can be a huge performance improvement for your dated Legacy Code. By explicitly scoping each and every variable reference, within your application, you eliminate the overhead of the system having to ScopeCheck each reference to determine it's scope. Understanding usage of each scope is an important part of this process. In this post, we'll discuss the persistent scopes of an application.

SERVER
- This scope is valuable in environments where you have a dedicated server for your applications. Use carefully, and sparingly, this is a good place to put crafted objects and variables that can be shared across multiple applications in a shared server. Multi-Site One Codebase setups can get significant use of the SERVER scope, for housing things like utility objects that can be used by each application, without duplicating them in each app. The downside is, any change to a SERVER scoped object or variable will require a server restart to take effect. You can set these variables in onServerStart() method of the Server.cfc.
APPLICATION
- This scope is valuable for creating Application wide objects and variables, that can be used regardless of individual user sessions. This is typically a good place for utility objects (if they aren't in the SERVER scope), asset pathing references, logging objects, and more. Typically you initialize these variables in the onApplicationStart() method of your Application.cfc, and only change these variables when making application wide changes, realizing that those changes will affect all current users.
SESSION
- This scope is used for storing variables only used by a single user's browsing session. This is a good place for storing things like a user object, and shopping carts. Things that are only used for and by a single user, within their current visit to your application. You typically create these variables in the onSessionStart() method of your application's Application.cfc, and you can manipulate SESSION variables during a request, remembering that those changes will affect the remainder of the user's session.
REQUEST
- This scope is used for storing variables only used within the current page request. While a REQUEST variable is available to every template called during the course of a request, it is not best practice to directly access REQUEST variables inside of cfc's or custom tags, but rather to pass them in as a method argument or tag attribute, respectively, in order to maintain encapsulation. These variables are great for storing page specific details for use throughout the request, such as setting a page title, and using it at request end to log the page viewed by the user. Requests typically come in three parts: onRequestStart(), which occurs before the templates execute, onRequestEnd(), which occurs after the requested template executes, and either onRequest() or onRequestCFC(), which allow for some additional pre-template processing, but segment it according to what is being requested. To understand these last two a little further, onRequest() might be used to set a variable to tell the system to log the request on completion, whereas onRequestCFC might set the same variable to tell the system to not log the request (because you don't need to log direct CFC execution, maybe). These last two can be powerful, and confusing, so you might have to play with them a bit, if you want to use them at all. You use any, or all, of those methods within your application's Application.cfc.

SERVER, APPLICATION, SESSION, and REQUEST are ColdFusion's persistent scopes, allowing for the creation and use of variables that can be used across very defined measures of time. In our next post, we'll talk about how you should use the other scopes in CF.

This article is the tenth in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.

Legacy Code Part 9: Effort of Scope

We've been discussing the upgrade of Legacy Code. For our purposes, this is outdated ColdFusion code, often written against long retired versions of the ColdFusion server, that is still running out in production today. Often a lot of time, money, and effort went into creating these applications, and they were great, which is why so many still exist today. Unfortunately, they also haven't been given the love and care they've really needed, over the years, and now they're bulky, sluggish, and full of security flaws. We've already discussed several first steps towards updating these outdated applications. These were all big steps, so now it's time to focus on the smaller tasks needed.

Every application requires general maintenance, bug fixes, adjustments, and improvements. Going forward, most of the changes you will make will come in the course of this type of work. You'll make changes as you write a new fix, add some field to a form, or make some layout adjustment. You can make small projects, to address each coming task incrementally and proactively, but some organizations just don't have the time or resources, especially if your's is a large application. So you pay off your code debt in small, digestable chunks, within the confines of ongoing work.

A great example of this is our next task: scoping all of your variables. It was not uncommon for developers to write code as they read it out of the CFWACK, and much of that sample code was largely unscoped. Obviously it still worked, as those applications are still around, but most every ColdFusion developer has run into variable bleedover (two variables of the same name interfering with each other) at one time or another.

With smaller applications the performance improvement, of scoping all of your variables, will not typically have a huge impact. On the other hand, for large, high traffic applications, you can see measurable improvement. When ColdFusion processes each request, and finds an unscoped variable, it runs a background method (ScopeCheck) to walk through a hierarchy of scopes to search for the variable being referenced. Now, imagine a lengthy (and popular) dynamic template with 30 or 40 unscoped variable references. Now imagine that same template getting several thousand concurrent requests. That's a lot of ScopeCheck going on!

By explicitly declaring each and every variable with it's scope prefix, you eliminate all of this background process from occurring. The server doesn't have to search through the scopes to "find" the variable in question, because you've told the server exactly where it's located.

In my next post we'll talk more about proper scoping, but to get started it's important to know that A) you need to, and B) that you scope every variable. Even those in the VARIABLES and LOCAL scopes should be prefixed. It will prevent the server from unnecessarily searching for the variables, and reduce overall code complexity, because a variable's scope will never again be in question.

This article is the ninth in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.

Legacy Code Part 8: Protect Your App Now

There's been a lot of publicity, recently, about the loss of sensitive PII (Personally Identifiable Information) on the web, and legacy ColdFusion applications have been hit especially hard. Hopefully, by now, you've upgraded to the latest version of the server, but that isn't enough. You've got to start actively protecting your system. One area of this is code, specifically in protecting your database from form and url hacking. (Remember Little Bobby Tables?)

Just like everything else we've discussed about upgrading your Legacy Code, the rest of your progress is handled mostly in baby steps. With one, notable exception. You have to lock things down, and prevent these security breaches.

Some time ago, ColdFusion introduced the <cfqueryparam> tag, as a way of creating bind variables in your queries. Aside from providing sql type checking to each param, it creates some inherent security by converting these arguments in to bind variables, in the SQL request. This is a double bonus, in converting Legacy Code, as you get both the security, and performance enhancements, by using bind variables. (Use <cfprocparam> with the <cfstoredproc> tag, for making stored procedure calls.)

This can be one of the single most important things that you do, in securing your application from outside attack. Make a project today of converting every single query call, in your Legacy Code, to utilizing <cfqueryparam>. It might take you days, or even weeks, but it will be your very first line of defense. Don't just do those that are form inserts, or those that reference URL. Do all of them.

Now, there are other things that you can do to protect your app as well. Review the ColdFusion Lockdown Guide, and implement those changes relevant to your system. Run the FuseGuard Application Firewall, as an added layer of security. And, run your site through HackMyCF. The free report can give you some valuable insight on things you can do right now, and a paid subscription can give you even more information.

Don't forget: fix every query. Calling a stored proc from a <cfquery> tag? Convert it to <cfstoredproc>. Leave no stone unturned. And get in the habit of writing them this way going forward. Data breaches are bad for business, so don't become the next news article.

This article is the eighth in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.

Legacy Code Part 7: How To Map Your App

So, in our last post we talked about Mapping Your App being your next step, but then a question came to me, "How?"

Well, that's a very valid question. When I took on this exercise, several years ago, with one very large (6000+ template) application, I began by making a basic flow diagram of the existing Application.cfm and OnRequestEnd.cfm. What this ultimately did was A) show me all of the small bits of process flow occurring in these templates, and B) gave me a true understanding of exactly what was happening when. This all allowed me to evaluate each of these small bits of functionality, and determine how they each translated into the new ColdFusion application framework, as it is laid out by Application.cfc.

You can typically break your application down into a few sets of events: Application Start and End, Session Start and End, and Request Start and End. On top of this you have a few edge case events you can cover, like if a request is made of a template that doesn't exist (onMissingTemplate), or it an error is thrown but not caught otherwise (onError).

OK, so saying all of that kinda makes sense. But, what does it mean from an application standpoint? Well, then you have to evaluate the variables you're creating and make sure that you're placing them in the proper persistent scope. You have a utility object that you use everywhere in your application? Then you put it into the Application scope during onApplicationStart. Have a single user object that you use to model each user during their visit? Then you put it into the Session scope during onSessionStart. Want to track each page request by logging specifics to your db? Set some variables at the beginning (onRequestStart), or during your request, then execute your sql inserts when the request is done (onRequestEnd).

You'll start with your initial flow diagrams, and then create some new ones with headings to match the new application framework of Application.cfc. Create a diagram titled "onApplicationStart", and bring in the corresponding flow bits from your other diagram. Move flows around until they're in the order necessary, and in their proper place in event execution flow. Once you moved all of the small sub-flows from the old to one of the new, then you have a roadmap for writing your new Application.cfc.

Need cheap software for making basic flow diagrams? I use the draw.io app from the Google Chrome Web Store.

This article is the sixth in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.

Legacy Code Part 6: Map Your App

You've picked up some new hardware, setup a new local dev environment, and started learning the ins and outs of the modern web age. Your Legacy Code is getting more out of touch every day that goes by. Now what?

Let's get started. The first thing you need to do? Map your App. One of the best things to happen to ColdFusion (many, many moons ago) was the introduction of Applications.cfc. Application.cfc replaces Application.cfm and OnRequestEnd.cfm, allowing you a much finer level of control of your application flow. Here's where a solid understanding of how your application works is most important, as you now have the ability to truly target the creation (and destruction) of variables in different persistent scopes.

Remember when I said it was time to learn the latest ColdFusion? Well, this isn't really "new", but it might be new to you, or to this app. A solid understanding of what happens at each stage of process is important, as well as truly understanding proper scoping. I've already blogged about the different stages of application flow in my MSOC series, and you can download my scripted Application.cfc as a template.

Understanding how and when certain variables are added to your application will help you to identify where things might be sloppy or slow. By making your own diagram, you can write out how your app begins, then a session, then an actual request, and then those ends again. You begin to ask yourself "Does this really belong in the Session scope? Or would it be better served in the Application scope?" If your app is on it's own on a system, you may even decide that there are things you could place in the Server scope, and begin to explore using a Server.cfc for onServerStart().

Diagramming your application flow can be very enlightening, and liberating. You really begin to see where some of your app's inefficiencies lie, and how you can regain control. With such fine grained control, it's much easier to write in "reinit" functionality for "resetting" your application. You find that audit logging is much simpler (or just possible) when attaching to every request at onRequestEnd(). You begin to realize that you're hanging on to some data for much longer than you need to, or that you're requesting data entirely too frequently when you really only need it occasionally.

After you've completely diagrammed your application flow, you might begin writing your Application.cfc. Keep in mind that some of your findings may take hours, days, or even months to correct. Yes, that variable really needs to be in the Application scope, but that also means you have to change every reference to that variable across your entire application. Now might not be the time to do that yet. Chances are you will begin with writing your Application.cfc as a direct replacement for your Application.cfm and OnRequestEnd.cfm, and then gradually, over time, correct your past errors. You've got it all diagrammed out now, and having it in writing will assist you in your future patchwork.

What you're doing here is beginning to make a plan. Over time you are going to systematically refactor small pieces of code across an entire application. Migration to Application.cfc is the first of many steps, and probably one of the largest, overall. It's also one of your most important steps, as it really gives you a blueprint for the future.

This article is the sixth in a series of articles on bringing life back to your legacy ColdFusion applications. Follow along in the Legacy Code category.

Previous Entries