Solved

Error Page Display

Posted on 2011-04-25
Last Modified: 2012-08-14
Hi,
When we go live with an application, I'd like the standard CF error display to be more robust.  Perhaps show the line number in the program or the SQL statement involved.

Please see attached screenshot of the standard display.  This will be very hard to resolve if a user gets one of these messages.

Please advise. error-screen-shot.doc
Question by:hefterr
14 Comments
 
LVL 52

Expert Comment

by:_agx_
ID: 35464021
It's better *not* to show detailed exception info in live apps.  Showing sql strings (and other info) is discouraged because it exposes your schema to hackers.  

Instead you could use the onError method of Application.cfc to capture exceptions. Inside that function you can cfmail yourself the full error details. Then display a simple user friendly error page.

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7d4a.html

0
 
LVL 11

Expert Comment

by:Brijesh Chauhan
ID: 35464088
Use CFTRY and CFCATCH statements. If you catch an error, then display a custom message, something like 'the system is experiencing problems and will be back soon, please try later' or whatever message you would like people to see, and email the error details back to ADMIN with the CFCATCH details so that he knows that an error has occurred and can work on it.

<cftry>

<!--- CODE BLOCK --->

<cfcatch type = "any">
<cfoutput>
 the system is experiencing problems and will be back soon, please try later.
<cfmail to .....>
#cfcatch.detail# #cfcatch.message#
</cfmail>

</cfoutput>
</cfcatch>
</cftry>
0
 
LVL 11

Expert Comment

by:Brijesh Chauhan
ID: 35464109
Here is a good post which can help you if you are using Application.cfm and not Application.cfc

http://www.coldfusionjedi.com/index.cfm/2007/12/5/The-Complete-Guide-to-Adding-Error-Handling-to-Your-ColdFusion-Application
0
 
LVL 52

Expert Comment

by:_agx_
ID: 35464124
If you're only interested in handling one or two code blocks, then cftry is fine. But if you're looking for general error handling for the whole app, then go with onError (or even cferror). With onError everything is handled in one place, instead of having to wrap every code block in a cftry/cfcatch.  You can use cfsavecontent and cfdump to email yourself information from multiple scopes  like FORM, URL, etc...

<cfsavecontent variable="errMessage">
<cfdump var="#Exception#">
<cfdump var="#FORM#">
<cfdump var="#URL#">
....
</cfsavecontent>
<cfmail to .....>#errMessage#</cfmail>
0
 
LVL 1

Author Comment

by:hefterr
ID: 35466623
@aqx,
Where would the onError function go in the application.cfc  (or doesn't it matter)?

Do you recommend writing to the application log and an email to look at the log?  Or just an email with the details?
Q:  Will the application log (or some other log) have the error anyway?

Sorry for my ignorance on this topic!!!

hefterr
0
 
LVL 11

Assisted Solution

by:Brijesh Chauhan
Brijesh Chauhan earned 1000 total points
ID: 35466767
@hefterr, my comments:

1. Yes, you should implement the onError method in Application.cfc because that file is called every time and will trigger the method if there is an error.

2. Log all your errors, and send an email to check the errors.

Use CFLOG for error logging:

<cflog file="#This.Name#" type="error" text="Event Name: #Eventname#">
<cflog file="#This.Name#" type="error" text="Message: #exception.message#">
<!--- Some exceptions, including server-side validation errors, do not
      generate a rootcause structure. --->
<cfif isdefined("exception.rootcause")>
    <cflog file="#This.Name#" type="error"
        text="Root Cause Message: #exception.rootcause.message#">
</cfif>


 
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 1000 total points
ID: 35466878
Nope it doesn't matter where you put it.  As long as the function signature matches (ie arguments, types, etc...) it'll work.

<cffunction name="onError" returnType="void">
    <cfargument name="Exception" required="true">
    <cfargument name="EventName" type="String" required="true">
    ...
</cffunction>



> Do you recommend writing to the application log and an email to look at the log.  
> Or just an email with the details.

Depends on the app, but personally I do both. I prefer to be instantly emailed about problems, but also have the log files as a backup record.  

> Q:  Will the application log (or some other log) have the error anyway?

No. In general whenever you intercept errors (ie with onError, cfcatch, etc...) they're *not* automatically logged.  If you want to log them, just use cflog.

    <cflog application="true" text="#theTextYouWantLogged#" .. />


0
 
LVL 52

Expert Comment

by:_agx_
ID: 35467029
> <cflog file="#This.Name#" type="error"


Fyi: That ends up writing error messages to 2 log files.
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 35467376
No points, but I'd just like to echo the importance of -not- exposing any kind of error data to the client side. Bad guys can use errors as a means of profiling the server and targeting the attack based on information they get.

IIS & ASP? sure there's an attack for that.

Exposed table names? hmm INSERT into leakytable (Access,name) values ('admin', 'haXor3d')

And one thing that people often miss (because they don't necessarily see it) is error handling for ajax calls and more importantly API calls to cfc's  

One very neat bit of code on this I found this morning is http://www.bennadel.com/blog/1567-Handling-Remote-API-Errors-With-Application-cfc-s-OnError-Event-Method.htm

0
 
LVL 52

Expert Comment

by:_agx_
ID: 35467758
> One very neat bit of code on this I found this morning

Ooh, nice one. That's a great tip!
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 35469038
funny. just hit this - I've removed the -major- hotel name

lots of juicy info here

OS, App server, Directory structures, patch levels

The other thing that this kind of exposure does is tell a bad guy "hmmm, if this simple thing isn't dealt with properly, maybe the people coding have left me other, bigger holes, SQLi time!!!?"
Server Error in '/' Application.
Compilation Error
Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.

Compiler Error Message: BC30648: String constants must end with a double quote.

Source Error:

Line 1:  <%
Line 2:  Response.Status = "301 Moved Permanently"
Line 3:  Response.AddHeader ("Location", "/restaurants/foo-restaurant.aspx)
Line 4:  response.end
Line 5:  %>


Source File: F:\Websites\Content\hotel\dining\foo-restaurant.aspx    Line: 3


Show Detailed Compiler Output:


Version Information: Microsoft .NET Framework Version:2.0.50727.3615; ASP.NET Version:2.0.50727.3618


0
 
LVL 52

Expert Comment

by:_agx_
ID: 35469935
> OS, App server, Directory structures, patch levels

Good grief ... might as well lay out a welcome mat for hackers.  How hard is it to put up an "oops" error handler page?
0
 
LVL 1

Author Closing Comment

by:hefterr
ID: 35470457
Thanks to all.  But for local testing I would prefer to turn on all debugging options.  So I need another case for a different test versus prod application.cfc.

hefterr
0
 
LVL 52

Expert Comment

by:_agx_
ID: 35470524
It's fine to enable debugging for development.  Just not in production.

Echo strikes again.
0
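
The pieces discussed in this thread (onError, cflog, an emailed dump, a generic page for visitors, and full detail only in development) combined into one Application.cfc. This is an added example, not code from any poster above. Assumptions: the application name, the `app.env` JVM property, the mail addresses and the `password` form field name are placeholders.

```cfml
<cfcomponent output="false">
    <cfset this.name = "ExampleApp">
    <!--- Assumption: developers start their JVM with -Dapp.env=dev; anything
          else, including an unset property, is treated as production. --->
    <cfset variables.showDebug =
        createObject("java", "java.lang.System").getProperty("app.env", "prod") eq "dev">

    <cffunction name="onError" returnType="void" output="true">
        <cfargument name="Exception" required="true">
        <cfargument name="EventName" type="string" required="true">
        <cfset var errorId = createUUID()>
        <cfset var safeForm = duplicate(FORM)>
        <cfset var report = "">

        <!--- Intercepted errors are not logged automatically, so log first.
              The id ties the log line, the email and the user's page together. --->
        <cflog file="#this.name#" type="error"
               text="[#errorId#] #arguments.EventName#: #arguments.Exception.message#">

        <cfif variables.showDebug>
            <!--- Development only: full detail in the browser. --->
            <cfdump var="#arguments.Exception#" label="Error #errorId#">
        <cfelse>
            <!--- Keep credentials out of the mailbox ("password" is an assumed field name). --->
            <cfset structDelete(safeForm, "password")>
            <cfsavecontent variable="report">
                <cfdump var="#arguments.Exception#" label="Exception">
                <cfdump var="#URL#" label="URL">
                <cfdump var="#safeForm#" label="FORM">
            </cfsavecontent>
            <cfmail to="admin@example.com" from="app@example.com"
                    subject="[#this.name#] error #errorId#" type="html">#report#</cfmail>

            <!--- The visitor gets no message, SQL, path or version, only the id. --->
            <cfheader statuscode="500" statustext="Internal Server Error">
            <cfoutput><p>Sorry, something went wrong. Please try again later.
                Reference: #errorId#</p></cfoutput>
        </cfif>
    </cffunction>
</cfcomponent>
```

Because the switch defaults to production when the property is missing, a server that was never configured still shows only the generic page.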
