Error Page Display

hefterr asked
Last Modified: 2012-08-14
Hi,
When we go live with an application, I'd like the standard CF error display to be more robust.  Perhaps show the line number in the program or the SQL statement involved.

Please see attached screenshot of the standard display.  This will be very hard to resolve if a user gets one of these messages.

Please advise. error-screen-shot.doc

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
It's better *not* to show detailed exception info in live apps.  Showing sql strings (and other info) is discouraged because it exposes your schema to hackers.  

Instead you could use the onError method of Application.cfc to capture exceptions. Inside that function you can cfmail yourself the full error details. Then display a simple user friendly error page.

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7d4a.html

Brijesh Chauhan, Staff IT Engineer

Commented:
Use CFTRY and CFCATCH statements. If you catch an error, then display a custom message, something like 'the system is experiencing problems and will be back soon, please try later' or whatever message you like people to see, and email the error details back to ADMIN with the CFCATCH details so that he knows that an error has occurred and can work on it.

<cftry>

<!--- CODE BLOCK --->

<cfcatch type = "any">
<cfoutput>
 the system is experiencing problems and will be back soon, please try later.
<cfmail to .....>
#cfcatch.detail# #cfcatch.message#
</cfmail>

</cfoutput>
</cfcatch>
</cftry>
Brijesh Chauhan, Staff IT Engineer

Commented:
Here is a good post which can help you if you are using Application.cfm and not Application.cfc

http://www.coldfusionjedi.com/index.cfm/2007/12/5/The-Complete-Guide-to-Adding-Error-Handling-to-Your-ColdFusion-Application
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
If you're only interested in handling one or two code blocks, then cftry is fine. But if you're looking for general error handling for the whole app, then go with onError (or even cferror). With onError everything is handled in one place, instead of having to wrap every code block in a cftry/cfcatch.  You can use cfsavecontent and cfdump to email yourself information from multiple scopes  like FORM, URL, etc...

<cfsavecontent variable="errMessage">
<cfdump var="#Exception#">
<cfdump var="#FORM#">
<cfdump var="#URL#">
....
</cfsavecontent>
<cfmail to .....>#errMessage#</cfmail>

Author

Commented:
@aqx,
Where would the onError function go in the application.cfc  (or doesn't it matter)?

Do you recommend writing to the application log and an email to look at the log, or just an email with the details?
Q:  Will the application log (or some other log) have the error anyway?

Sorry for my ignorance on this topic!!!

hefterr
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
<cflog file="#This.Name#" type="error"


Fyi: That ends up writing error messages to 2 log files.
CERTIFIED EXPERT

Commented:
No points, but I'd just like to echo the importance of -not- exposing any kind of error data to the client side. Bad guys can use errors as a means of profiling the server and targeting the attack based on information they get.

IIS & ASP? sure there's an attack for that.

Exposed table names? hmm INSERT into leakytable (Access,name) values ('admin', 'haXor3d')

And one thing that people often miss (because they don't necessarily see it) is error handling for ajax calls and more importantly API calls to cfc's  

One very neat bit of code on this I found this morning is http://www.bennadel.com/blog/1567-Handling-Remote-API-Errors-With-Application-cfc-s-OnError-Event-Method.htm

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
One very neat bit of code on this I found this morning

Ooh, nice one. That's a great tip!
CERTIFIED EXPERT

Commented:
funny. just hit this - I've removed the -major- hotel name

lots of juicy info here

OS, App server, Directory structures, patch levels

The other thing that this kind of exposure does is tell a bad guy "hmmm, if this simple thing isn't dealt with properly, maybe the people coding have left me other, bigger holes, SQLi time!!!?"
Server Error in '/' Application.
Compilation Error
Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

Compiler Error Message: BC30648: String constants must end with a double quote.

Source Error:

Line 1:  <%
Line 2:  Response.Status = "301 Moved Permanently"
Line 3:  Response.AddHeader ("Location", "/restaurants/foo-restaurant.aspx)
Line 4:  response.end
Line 5:  %>


Source File: F:\Websites\Content\hotel\dining\foo-restaurant.aspx    Line: 3


Show Detailed Compiler Output:


Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618


CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
OS, App server, Directory structures, patch levels

Good grief ... might as well lay out a welcome mat for hackers.  How hard is it to put up an "oops" error handler page.

Author

Commented:
Thanks to all.  But for local testing I would prefer to turn on all debugging options.  So I need another case for a different test versus prod application.cfc

hefterr
CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
It's fine to enable debugging for development.  Just not in production.

Echo strikes again.
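
The approach the answers above describe (onError in Application.cfc, full details logged and mailed server-side, a generic page for the user, on-screen detail only in development), as an added example that is not code from the thread. The application name, the mail addresses and the `app.env` JVM property used as the environment switch are assumptions; the switch is read from server configuration, not from the request, so a client cannot turn detail on.

```cfml
<!--- Application.cfc (added example; names and addresses are placeholders) --->
<cfcomponent output="false">
  <cfset this.name = "MyApp">
  <!--- Assumption: developer machines start the JVM with -Dapp.env=dev.
        Anything else, including a missing property, is treated as production. --->
  <cfset this.isDev = createObject("java", "java.lang.System")
                        .getProperty("app.env", "prod") EQ "dev">

  <cffunction name="onError" returnType="void" output="true">
    <cfargument name="Exception" required="true">
    <cfargument name="EventName" type="string" required="true">
    <cfset var errMessage = "">
    <cfset var errorId = createUUID()>

    <cfif this.isDev>
      <!--- Development: full detail on screen, for the developer only. --->
      <cfdump var="#arguments.Exception#" label="#arguments.EventName#">
    <cfelse>
      <!--- Production: record server-side under an ID support can look up. --->
      <cflog file="#this.name#" type="error"
             text="[#errorId#] #arguments.EventName#: #arguments.Exception.message#">

      <cfsavecontent variable="errMessage">
        <cfdump var="#arguments.Exception#" label="Exception">
        <cfdump var="#URL#" label="URL">
        <!--- FORM can carry passwords or card data, so mail field names only. --->
        <cfdump var="#structKeyList(FORM)#" label="FORM fields">
      </cfsavecontent>
      <cfmail to="admin@example.com" from="app@example.com"
              subject="[#this.name#] error #errorId#" type="html">#errMessage#</cfmail>

      <!--- The user gets no message text, SQL, file paths or version strings. --->
      <cfheader statuscode="500" statustext="Internal Server Error">
      <cfoutput>
        <h1>Sorry, something went wrong.</h1>
        <p>Please try again later. Reference: #errorId#</p>
      </cfoutput>
    </cfif>
  </cffunction>
</cfcomponent>
```

The reference ID shown to the user is the same one written to the log and the mail subject, so a reported error can be matched to its full details without any of them reaching the browser.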