Is It Time to Stop Using ColdFusion for Remote APIs?

so, let me begin by saying i’m a bit frustrated, and so this blog post may be one i regret later on, but, i try to be as honest as possible here and right now, i’m kinda ticked off about something and i want to get it off my chest. for a long time now i’ve had an incredible amount of respect for how coldfusion makes it easy to access data from client-side code (or remote servers). as much as i’m digging node.js these days, the fact that i can write up a cfc and get an api that can be used by javascript is pretty darn powerful. this feature has come a long way. when it first came out, the only option for output was wddx. you can now output anything, from wddx, to soap, to xml, plain strings, and of course, json.

in fact, i like this feature so much that i proposed a topic for it at this years coldfusion summit . my session will be an overview of how to generate output for remote consumption and cover everything from the beginning (coldfusion mx and earlier) to the upcoming release (12).

however…

since the beginning of native json support in coldfusion (coldfusion 8), there have been consistent issues with serialization. this all drives from the fact that coldfusion variables are typeless and therefore the server has to (or does it?) make guesses as to how to convert values into json. over the past three releases, i’ve seen multiple bugs, and multiple fixes, and while i had no real proof (more on that in a minute), my gut told me that things had simmered down a bit and that coldfusion 11 had this problem licked.

or so i thought.

turns out bug 3337394 , created nearly three years ago, oh one marked closed and fixed, is still very much an issue for serialization. if you have data in a struct, and it has the string value “no”, coldfusion will convert it to false. here is a sample:

x = {"name":"no"};
y = querynew("id,name", "integer,varchar", [{"id":1, "name":"ray"},{"id":2, "name":"no"}]); 
writeoutput(serializejson(x));
writeoutput("
");
writeoutput(serializejson(y,"struct"));

which gives you:

{"name":false}

[{"id":1,"name":"ray"},{"id":2,"name":"no"}]

as you can see, the struct is broken, the query works fine. (as reported in the bug itself.)

another issue involves strings that contain numbers. consider these two examples:

z = {"productkey":"89900909130939081290830983019819023"};
z2 = querynew("id,name", "integer,varchar", [{"id":1, "name":"ray"},{"id":2, "name":"89900909130939081290830983019819023"}]);

writeoutput("");
writeoutput(serializejson(z));
writeoutput("
");
writeoutput(serializejson(z2));

this returns:

{"productkey":89900909130939081290830983019819023}

{"columns":["id","name"],"data":[[1,"ray"],[2,"89900909130939081290830983019819023"]]}

as you can see, productkey is now a number, and one that will be converted to 8.990090913093909e+34 in javascript.

so…. yeah. in all cases, there are workarounds. but let me ask you this. would you use a database that randomly changed values on you?

it seems ridiculous that this is still a problem now. it may be incredibly difficult. heck, i won’t pretend to be able to solve it. but here are some suggestions:

• obviously the coldfusion team has a unit test for this. they must. so when the unit test is updated for the items found in the bug, share it with us. i know there are multiple people in the community who would give their time to help flesh out the unit test, or heck, just have it locally and test when new versions come up. so that’s my first request – let us see the tests for json serialization. speaking of unit tests, the last time this bug was fixed, why not share the test immediately? i mean, we won’t see it working, but i promise you people who have asked why a bug involving data serialization had a test that only tested queries (and cfcs i believe). i don’t want to harp on the engineer who fixed this – we all make mistakes – but why not post the test when you write it and share it with us? of course, one could write essays on the lack of communication that goes on sometimes on the bug tracker, which is a real shame. you know, i get that some people don’t like to engage or are basically shy. but there’s no excuse for it anymore. i’m very shy too. when someone speaks to me, i have to work hard to respond to their questions with questions of my own. i recognize my lack of engagement in basic human communication and force myself to hack around my lack of social skills. make a list and put it on a postit next to your monitor. “when i fix a bug, respond with details about how i fixed it, how i tested it, and what i may be concerned about. the reporter may have good input!”
• given that the “glue” aspect of coldfusion is one of its greatest selling points, make json serialization a priority for coldfusion 12. obviously the issue isn’t licked yet, which, ok, fine, it’s been years but fine. the coldfusion 12 road map says this: “ability to manage, monitor, regulate, secure rest and soap web services – api management”. before i manage my apis, i want 100% certainty that they actually process data correctly.
• and hey – how about the nuclear option? if the very nature of coldfusion variables means the problem is not 100% solvable, then remove the feature. seriously. ok, maybe that’s overkill, but there are things in coldfusion now that haven’t been updated in a while, look abandoned, and maybe should be dropped. so if they can’t fix it, remove it.

so i started this blog entry with a somewhat bold title – is it time to stop using coldfusion for remote apis? many of us in the community have already argued against using coldfusion ui features . if we can’t trust the data coming out of cf’s built-in json serialization than is it time to stop using it completely? what do you think?

p.s. don’t forget you can switch to nadel’s excellent jsonserializer.cfc .

p.s. on top i made the point that coldfusion has to guess at the data type. adam cameron makes a great comment in the bug about this: “you speak good sense peter: it’s inconvenient but understood that cf can’t infer data types in situations like this, so – on that basis – *don’t try*. if you know you can’t do something… don’t then go ahead and try do it anyhow.” given that “no” is a string, don’t convert it. if someone is using no for false in their data, then why not punish them instead of everyone else?

p.s. as i was writing this, it occurred to me that we have other places where things get a bit fuzzy with data. math, for example, breaks down in large numbers. i get that that’s an issue across other languages, and certainly we shouldn’t remove arithmetic from coldfusion because of it, but it just feels like a different domain than what i’m seeing in json serialization.