> I don't think anyone is saying that PHP is more or less prone to bugs
> because it's open.  PHP (the language) has its own bugs/CF has its own, but
> I wasn't talking about the bugs in the language itself.  I was talking about
> bugs in the code.  CF is so simple, that a lot of non-technical people learn
> it and are able to create fairly bug free sites.

I was talking about bugs in code too -- SQL injection, XSS, bad logic,
etc. And I'd argue personally and professionally using dozens of sites
I've been hired to work on as a basis, that since CF *is* so simple,
it's more likely that there are deadly bugs in the code -- even now,
years into the existence of CF, I see CFQUERY without CFQUERYPARAM
around form or url variables. I also see plenty of files uploaded to
web accessible directories through web forms. Wow, it sure was easy
for the developer to add the capability to hose both the database and
the entire server with those bugs respectively. Does that happen in
other languages, sure. But easy doesn't mean a thing about bug-free.


> As I've admitted, I am not very familiar with PHP/ASP, but I do believe that
> CF does prevent inexperienced developers from making mistakes.

Not one bit. There's no automatic type checking. There's no automatic
database parameterization. There are few options for input validation
and cleansing built in, etc etc. I'm not arguing that those things are
required by a language, but I *am* disputing the assertion that
because CF is "easy" that it prevents inexperienced developers from
making mistakes.

Truthfully, I'd be more inclined to argue that languages like Java and
Python _prevent_ inexperienced developers from making mistakes because
many inexperienced developers simply don't understand them :)

> I don't
> think I've seen working SQL injection code for CF and MS SQL to date, but I
> could be wrong...   CF auto escapes the query for you, so that the risk of
> SQL Injection is greatly reduced, if not eliminated.

That's ridiculous. CF autoescapes quotes -- that's got *nothing* to do
with SQL injection. And it's *easy* to demonstrate it in CF -- here's
one from DevNet to get you started
http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html

> Plus If I feel that CF is better, and that PHP and ASP don't come close,
> that it must be true.  And that's the truthiness of it.

I appreciate and respect your right to your beliefs -- unfortunately I
believe that you shouldn't propose that your ideas or beliefs are
facts when it is clear that 30s of google would show them inaccurate.
It wastes time, bandwidth, and adds data to the collective mailing
list to sort through to get to the real, useful stuff. Unlike this
message :)

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]
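As an added illustration of the point made above about CFQUERY without CFQUERYPARAM (this is example code, not from the original message and not ColdFusion's own code): a Python/sqlite3 model of the two query styles. The quote-doubling function is my assumption of what "auto escapes the query" amounts to, and the users table is constructed sample data.

```python
import sqlite3

def escape_quotes(value: str) -> str:
    """Model of 'CF auto-escapes quotes': double every single quote.
    This is an assumption about the behaviour discussed, not CF's code."""
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the CF datasource."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_concat(conn: sqlite3.Connection, url_id: str) -> list:
    """CFQUERY without CFQUERYPARAM: the url variable is pasted into the
    SQL text. Quote escaping is applied, but the value sits in a numeric
    context, where no quote is needed to alter the WHERE clause, so the
    escaping does not constrain what the query does."""
    sql = f"SELECT name FROM users WHERE id = {escape_quotes(url_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, url_id: str) -> list:
    """CFQUERYPARAM with cf_sql_integer, modelled as: validate the type,
    then bind the value, so the SQL text itself never changes."""
    ident = int(url_id)  # ValueError for anything that is not an integer
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (ident,))
    return [row[0] for row in rows]

def compare(url_id: str) -> dict:
    """Run one input through both versions and report what each returned;
    the parameterized version reports 'rejected' when validation fails."""
    conn = make_db()
    result = {"concat": lookup_concat(conn, url_id)}
    try:
        result["param"] = lookup_param(conn, url_id)
    except ValueError:
        result["param"] = "rejected"
    return result

if __name__ == "__main__":
    print(compare("2"))           # both return ['bob']
    print(compare("2 OR 1=1"))    # concat returns every row; param rejects
```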

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:269042