Application.cfc importing variables

Report · Jul 10, 2009

Hi all
In my application.cfc I have:

<cffunction name="onApplicationStart" returnType="boolean" output="false">
        <cfscript>
               Application.DNS = "BS";
               Application.SitePath = "D:\Sites\FF";
               Application.IPP = "10";
               Application.SiteName = "meta site name";
               Application.SiteKeywords = "equipmnet";
               Application.SiteDescription = "Meta Description";
               Application.SiteLogo = "logo.gif";
               Application.Key = "myzlvEmrSbUcyDFdwdfsdfsdfE";

          </cfscript>
        <cfreturn true>
    </cffunction>

I would like to move these variables into file outside the site folder. How can I import this file into application.cfc again and set application variables?

Report · Jul 28, 2009

Well there are many ways to go about this.

Load them from the database and then set them into application scope.
create a configuration file that has them in, read that off the file system and then set them into application scope.

It really depends what you are trying to do. Is it because you are in a shared hosting and do not want these settings in a easily read text file? Or is there some other reason?

Report · Jul 28, 2009

How can I import this file into application.cfc again and set application variables?

Why would you want to do that?

Report · Jul 29, 2009

The reason I want to do this is to hide some sensisite data from that application.cfc file place it somewhere off the site.

Report · Jul 29, 2009

You can do a few things, a cffile tag should be able to read something outside the web root. generally any shsared hosting gives you that for the exact purpose.

next - if you are really paranoid about it, store your parameters either encoded or encrypted, then decrypt before reading into the application scope -

most of that stuff does not look sensitive enough to be worth the bother, maybe the key value ... but you could also store the params in a database [cept for the dsn]

-sean

Report · Jul 29, 2009

The reason I want to do this is to hide some sensisite data from that application.cfc file place it somewhere off the site.

Two things. First, Application.cfc is safe when handled in the usual way. In particular, it is safe to write the following in onApplicationStart:

Secondly, no matter how you import the data, you will still have to expose it by writing code similar to that one. You would therefore have gone to all the trouble for nothing.

Report · Jul 29, 2009

Application.cfc is safe when handled in the usual way.

Yes - true enough from a CF standpoint, though I would imagine that is would be possible to read an application.cfc via php or somehting else that's not cf... maybe he's got other people in there with ftp access as well ...

who knows...

just encrypt it.

Report · Jul 30, 2009

Yes - true enough from a CF standpoint, though I would imagine that
is would be possible to read an application.cfc via php or somehting
else that's not cf... maybe he's got other people in there with ftp
access as well ...
who knows...

I was thinking particularly about importing files, reading them and setting application variables. In any case, I would gladly turn the subject on its head.

Suppose your Aplication.cfc is composed in the usual, recommended way. It is under the web root and you publish its content. What are the possibilities for someone to use it to compromise your site?

Minimal, absolutely minimal. The security of the Coldfusion platform is mature enough -- in fact, more mature than most! -- to cope with this situation. In my experience, developer colleagues should be more worried about exposing code like this in their components:

<cfif>

Adobe Community

Application.cfc importing variables