Technicalities aside, I totally agree with your general point here, Ray.
Anyone who uses "undocumented features" of an application, ColdFusion or
otherwise, runs the risk of finding themselves in a bind when future
revisions and releases are made with the potential of changing or
eliminating those "features".  I preached the same thing about Spectra when
people immediately wanted to make changes to the customtags and COAPI.  I'm
on your side of the fence on this one.  This is a fundamental concept of
best practices that developers should never ignore.

Put simply, the fact that a search on the Allaire ColdFusion Support forums
on the keywords "encrypt" and "decrypt" returns numerous messages outlining
this very same problem indicates that this IS an issue - at least for some
developers.  However, I'll add that I did some rigorous testing of this
issue last night on my system at home under ColdFusion 5.0 and was unable to
produce any of the error messages that were claimed under ColdFusion 4.x -
perhaps the problem was solved with the release of 5.0?  I wrote a script
that ran high numbers of loops creating encrypted strings, inserting them into
a simple database table, retrieving them, decrypting them and displaying
them.  I was able to do this over 1,000,000 times without causing any errors
indicating that "The data to be decrypted is invalid".  But, I do remember a
time in the past on a previous project where we ran into these errors while
encrypting strings with ColdFusion 4.x versions.

<cf_shamelessPlug intImportance="2">
As a dedicated veteran ColdFusion developer since July of 1995, a Macromedia
Advanced Certified ColdFusion Developer, a BrainBench Master Certified
ColdFusion Developer, and a former Senior Consultant in Allaire's Consulting
Services division for a year... I would consider myself a ColdFusion expert
as well.  Plus, I still dabble with Spectra.  :)
</cf_shamelessPlug>

-Tyson

-----Original Message-----
From: Raymond Camden [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 27, 2001 10:09 PM
To: CF-Talk
Subject: RE: Encryption differences in ColdFusion 4.5 and 5.0?


> The issue with the out-of-the-box ColdFusion encrypt/decrypt functions is
> that it doesn't limit itself to "safe" characters when doing the
> encrypting.
> Specifically, there's the possibility that the encrypt() function will
> generate an encrypted string with single quotes ('), spaces ( ),
> pound signs

But don't you mean unsafe in regards to forms/sql, which is a different
subject? I mean, what about my argument that even RepeatString can make a
string that isn't safe for forms or sql. Does that make sense? In other
words, I don't see it as an issue.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email    : [EMAIL PROTECTED]
Yahoo IM : morpheus

"My ally is the Force, and a powerful ally it is." - Yoda