Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Debunking Common Myths About ColdFusion

Debunking Common Myths About ColdFusion

ColdFusion has been around for quite some time — since 1995 — and like any technology with a bit of age behind it, quite a few misconceptions exist about the platform and its capabilities. This contributed article by Ray Camden addresses some of the common myths around CF.

ColdFusion is slow

This is perhaps one of the most common complaints people hear about ColdFusion. Every programming platform in the world has the capability to be slow. ColdFusion is no different. Consider a developer writing inefficient code that loops over data and performs some type of logic upon each row, perhaps taking two columns and creating a sum. This could have been done in the database layer instead, and would have been faster overall. This "problem" could exist in PHP, .Net and Ruby, just as much as it could happen in ColdFusion. So why is ColdFusion being called out for this? Well, typically it happens when a developer encounters poorly written code and then decides that—obviously—the entire platform is slow. While this isn't exactly fair, it's also been known to happen. Sometimes it takes one large customer-facing site, like MySpace, to leave a bad impression in developer's minds. MySpace publicly decried the speed and robustness of ColdFusion while at the same time admitting that their development process was to just "throw code" up on the server.

So is ColdFusion slow? Not at all. Plenty of high-traffic sites use ColdFusion. Each new version of the server has increased the speed, with the latest version, ColdFusion 8, having dramatic improvements in speed all across the server.

No matter what platform you use, you are going to have to work (with some platforms more than others) to ensure your code is efficient and follows best practices. This will help create a site that responds quickly. You also have to spend time in the server settings and the hardware.

ColdFusion is not secure

Much like the previous myth, this one is really something that applies to the code level. ColdFusion doesn't force you to write secure code. If you create an administration interface to your site and don't bother to password-protect it, then obviously you have quite a large, gaping hole in your security. This would apply to every development platform. It takes both planning and testing to ensure your server is secure, but ColdFusion actually does quite a bit to help out in this regard. On the server, you have fine-grained access levels for the ColdFusion Administrator. This lets you give access to parts of the Administrator based on trust. ColdFusion also ships with an API to the Server Monitor that lets you roll your own complete solution for server administration. If you don't care for the security rules you can apply out of the box, you can simply roll your own. You can also define sandboxes from within the ColdFusion Administrator. These sandboxes let you lock down developers' code and restrict what developers can do—including what functions and tags as well as what types of resources they can access.

At the code level, multiple features exist to aid developers. One of the biggest is the use of cfqueryparam. SQL Injection attacks are one of the prime spots that hackers use to attack sites. While ColdFusion doesn't force you to protect against this, it does make preventing them very easy. Consider the following simple code:

<cfquery name="getUser" datasource="users">

select id, username

from users

where id =


To lock down this query you would simply do one quick replacement:

<cfquery name="getUser" datasource="users">

select id, username

from users

where id = <cfqueryparam cfsqltype="cf_sql_integer" value="">


Another feature is role-based security and CFLOGIN. The CFLOGIN tag (and related tags and functions) enable developers to create a security system quickly (based on authentication and authorization) that they can use with their web sites. This system also extends out to CFCs (ColdFusion Components) and their roles attribute. While it still requires the developer to do a bit of work, the CFLOGIN system will handle many of the more common tasks.

Along with SQL Injection, another common attack comes from cross-site scripting. ColdFusion comes with a feature called Script Protect. This feature will automatically scan all of the input scopes (form, URL, and others) and strip out any code that appears malicious. This setting can be used both at the server level and at the application level. While it is a blunt tool, it is very effective.

Yet another feature involves Ajax. The built-in Ajax support that ships with ColdFusion 8 is really improved. While many UI and data management features were added, Adobe also took care to look into helping Ajax developers create secure rich Internet applications. Features included in ColdFusion 8's Ajax arena include secureJSON and verifyClient. The secureJSON feature allows you to add prefixes to your JSON code. This helps protect against folks who might interfere with the JSON while in transit. The verifyClient feature allows you to specify pages that work only when requested via an Ajax tag. While neither of these tags are perfect, they go a long way in a few clicks to help lock down your server.

One last point to leave with you: one of ColdFusion's biggest clients is the United States government. Do you think security is critical to them? ColdFusion has had - in the past - various security issues. This is true of every single product on the market. Adobe's response to these issues are to fix them and document them as quickly as possible. The product has gone through - and continues to go through - rigorous testing, including penetration testing by third parties. ColdFusion also ships with very strong cryptographic libraries. Specifically, ColdFusion includes the RSA BSAFE CRypto-J library, which is FIPS 140 certified, and probably one of the best cryptography libraries in the world.

ColdFusion is expensive

Well, this one is a hard one. I'm not going to argue that ColdFusion doesn't cost money compared to PHP. It does. But there is a lot more involved here than just the cost of the server. Consider the following points:

1. ColdFusion ships with tools that cost extra for many "free" platforms. These tools include a server monitor, a report generator, charting, enterprise-level mail support, enterprise-level search, a code debugger, and other features. Again, all of these tools that are extras for other platforms come built into ColdFusion.

2. ColdFusion hosting, for those who can't afford their own server and license, is cheap—not "$1.99" cheap, but frankly, I'd be afraid to put my client's website up on a host that costs less than a cup of coffee.

3. For developers, ColdFusion is 100% free. They can run the entire platform on their machines (including the debugger, server monitor, and everything else) at no cost at all.

4. And lastly, and what is probably the most important point: As we all know, even if your development platform is free, your developers are not. ColdFusion has always been a rapid application development platform, and by rapid, we mean rapid. Developers can quickly create complete websites in much less time than other platforms. Less time developing mean less money spent overall.

For an excellent article on this subject, please see Jason Delmore's blog entry, "Things ColdFusion is not... and... Why ColdFusion isn't free..."

ColdFusion has no open-source applications

For a while there weren't very many open-source ColdFusion-based applications. Luckily, this has steadily improved over the years. Now you can not only find open-source blogs, forums, and wikis, but also entire frameworks and content management systems. Entire sites, like, are dedicated to hosting ColdFusion open-source applications, and are excellent ways for folks to find, and possibly even work on, open-source applications. While there may not be as many open-source ColdFusion applications as there are PHP applications, the pool is growing steadily and many options are available to developers.

ColdFusion is going to die!

And finally we come to the Chicken Little argument. In May of 2007, ComputerWorld listed ColdFusion (along with other technologies) as being on its deathbed. To say there was a negative reaction to this would be to put it mildly. But this was certainly not the first time that developers have heard this. When Allaire (the original creators of ColdFusion) was bought by Macromedia, and then Macromedia by Adobe, everyone was "certain" that ColdFusion's death clock was ticking away to zero. Guess what—it didn't happen. Sales have only improved, and ColdFusion 8 is not only a sales success, but also a critical success. It recently won a Jolt award from Dr. Dobbs in the Web Development category. So unless Adobe decides it doesn't like making money off award winning products, it's probably safe to assume the product won't be cancelled anytime soon—far from it, actually. ColdFusion 9, code-named "Centaur," is already well along in the planning stages. Another thing to keep in mind is that CFML (the language ColdFusion developers use) is no longer just in the hands of Adobe. Multiple vendors now sell, or even give away, CFML platforms, including BlueDragon from New Atlanta and Railo.

This article was contributed by Ray Camden

Rate this Article