ORM (Hibernate) SQL Injection - Security Series #14

During Bob Silverberg's awesome ORM presentation today the topic of SQL injection came up. There was a question was about whether or not the Hibernate ORM service built into ColdFusion 9 would prevent SQL injection. On the surface it would seem that it does, but just like everything else, there are exceptions.


User Input Validation II - ColdBox Series Part 9b

After a week of being sick I am finally getting back on track with my blogging. This is going to be one of the final entries in my Building an Application with ColdBox series. There are a lot of other things I want to blog about. I will still blog on ColdBox topics, just separate from this series.

Last time we talked about how to go about validation. Validation is a really complicated subject that I am still struggling with. I understand the concepts of the different ways of doing it, I just cannot seem to make the time to figure out how I want to do it. I think I will be looking at ValidateThis! in the near future.


User Input Validation - ColdBox Series Part 9a

I decided to start a new sub-series on Validation, since it is a huge and controversial subject, I suspect it will take a post or two, or three.

So, I was chatting with Peter Farrell some time ago:

me: Peter, I have a quick question for you

Peter: Sure, what?

me: Where should input validation go? In the Controller or In the service layer?

Peter: THAT is NOT a quick question.


Adding Todo Lists (Handlers and the Service Layer) - ColdBox Series Part 8d

Now we are really getting into this ColdBox stuff. We've got a view set up, we've got some handlers, we've auto-wired our handlers, and we've added ColdSpring into our application. Now we can start to do stuff.

So where did we leave off last time? Thinking.... thinking... thinking... oh yeah.

Accepting user input

Before we went off on a tangent of setting up ColdSpring and Autowiring Handlers, we had two simple handler methods inside of the list.cfc handler. We had addList() and doAddList().


Adding Todo Lists (Autowiring our Handler) - ColdBox Series Part 8c

As Luis stated in the comments section of my last post, we need to set up autowiring in our handler component. This is really cool stuff. I did not do this the first time around because my post was getting to long and because I wanted to demonstrate both ways of doing it.

What is autowiring?

When you are using object factories (like Lightwire and ColdSpring) in your ColdBox applications, you can set up dependency injection for handlers, plugins and interceptors. This is done using the Autowire Interceptor.


Adding Todo Lists (Integrating ColdSpring into our Application) - ColdBox Series Part 8b

In the last post, we looked at how to create a view and how to use handlers to display that view and to receive user input from the view. Now we need to do something with that user input. Here is what we need to get done first:

  1. Create our todoService.cfc
  2. Set up ColdSpring to create our todoService object and inject its dependencies
  3. Instantiate our todoService object in our handlers so that we can start to do something useful

Wow! That's a lot. It may not seem like a lot, but it is. So let's get started. here is our doAddList() handler method so far.


Adding Todo Lists - ColdBox Series Part 8a

So we've set up our Coldbox Application, we've built our model, now we need to build some front-end pieces and handlers to work with our model through the service layer.

Today we will begin by creating a form and some handlers. In the next few posts we will look at creating the service layer, form validation, and persistence.


Creating the Gateway Object - ColdBox Series Part 7b

In my last post we began creating out Gateway Object. It was a lot more work then I thought it was going to be, hence, this is the second part of creating a gateway object. Hopefully, we won't get to three. But the fact of the matter is, we need these things in place so that we can create our ColdBox application. So suck-it-up :)


In the last post we created 10 methods, for some we used the Illudium PU-36 code generator, and for some we used our insanely fast typing abilities. The methods we've created so far are:

  • createList(list:List):boolean
  • readList(list:List):void
  • updateList(list:List):boolean
  • deleteList(list:List)boolean
  • createItem(item:Item):boolean
  • readItem(item:Item):void
  • updateItem(item:Item):boolean
  • deleteItem(item:Item):boolean
  • getAllItemsAsQuery(id:Numeric):Query
  • queryRowToStruct(qry:Query):Struct

After we created our methods, we modified our readList() method to return a List object with its child Item objects in a private property of type Array.

Modifying updateList() to include child objects

Now we need to make the same modifications to the updateList() and deleteList() methods.


Creating the Gateway Object - ColdBox Series Part 7a

Geez, it doesn't seem like we are doing much with ColdBox in this ColdBox series, does it?

Of course, to get to the point where we are actually using something like ColdBox to manage the communication between our model and our views, we need to have a model and some views.

So in the last post we discussed creating our Domain Objects(beans). So now we have two domain objects. We have our TodoList bean and our TodoItem bean.


Creating our Domain Objects - ColdBox Series Part 6

Now that we have our database tables set up from our UML and our folder structure has been created we can begin creating our domain objects (Technically we could have done it first, it could probably be argued both ways).

Code Generator

I am going to use Brian Rinaldi's Illudium PU-36 Code Generator to help create our domain objects. Since Illudium uses the database tables to create the objects, we needed to have the database set up first. To see the MySQL DDL script check out part 2 of this series.


More Entries

BlogCFC was created by Raymond Camden. This blog is running version 5.9.1. Contact Blog Owner