User data is getting mixed up some of the time


I am building a website where I have followed MVC to manage my code without using any frameworks. I have put all of my queries inside cfcs and am initializing them inside my Application.cfm, storing them in application variables like below:

<cfset application.customerProfileObject =
                createObject("component","cfc.customerprofile").init()>

To perform any query operations, I have made a function and then call it anywhere like this:

<cfset selectedCustomerOb =   
      application.customerProfileObject.getContactCustomerProfileDetail(session.userid)>

I don't know what is causing the issue, but sometimes a user accesses another user's data. How is that possible? Is it accessing another user's session data, or have I initialized the cfc wrong?

Application settings are below:

<cfapplication name="MyDataSourceName" 
           sessionmanagement="Yes"
           setclientcookies="yes"
           setdomaincookies="yes"
           loginstorage="session"
           sessiontimeout="#CreateTimeSpan(0, 2,0,0)#">

CustomerProfile.cfc

<cfcomponent>
    <cffunction name="init">
        <cfreturn this> 
    </cffunction>

    <cffunction name="getContactCustomerProfileDetail" returntype="query"         
            description="Returns customer contact details by contactid" 
            access="public">
        <cfargument name="ccId" type="numeric" required="yes"> 

        <cfquery name="getContactCustomerProfileDetail" 
                  datasource="#Application.ds#" 
                  dbtype="ODBC" 
                  username="#Application.UserName#" 
                  password="#Application.Password#">
            <!-------My query here--->
        </cfquery> 

        <cfreturn getContactCustomerProfileDetail>

    </cffunction>

</cfcomponent>  

There are 2 answers

2
baynezy On BEST ANSWER

As Adam says you need to do this:-

<cffunction name="getContactCustomerProfileDetail" returntype="query"         
        description="Returns customer contact details by contactid" 
        access="public">
    <cfargument name="ccId" type="numeric" required="yes">

    <cfset var getContactCustomerProfileDetail = false>

    <cfquery name="getContactCustomerProfileDetail" 
              datasource="#Application.ds#" 
              dbtype="ODBC" 
              username="#Application.UserName#" 
              password="#Application.Password#">
        <!-------My query here--->
    </cfquery> 

    <cfreturn getContactCustomerProfileDetail>

</cffunction>

The reason you are getting the problem is because your CFC instance is in a shared scope (application) and you have not var'd the query variable. This means that it is getting set into the variables scope of the CFC instance. Which means that multiple threads can overwrite this value. By just varring the variable as I have shown you make the variable local to the function and so each call to that function creates a localised and thus thread-safe variable.

Basically you should var all local variables in functions as a matter of habit. This code would never pass code review anywhere I have worked.

3
Adam Cameron On

You're not actually including the relevant bit of the code to answer this... which would be the code within getCustomerProfileDetail().

However I would assume you don't have all your variables VARed in it, which means they go in the CFC's variables scope, which is shared with every user in the application.

But, as I say, you're not giving us the correct info to really answer this accurately. I suggest updating your question to include the relevant code.
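
A code-review check for the missing var that both answers point to, as an added example (not part of either answer or of the asker's code): a small Python scan, written for this page, that lists the names a cffunction writes through cfquery name= or a bare cfset without declaring them with var or a scope prefix. It is regex-based and covers only those two tags; the sample CFC is condensed from the code above, with the fixed function renamed to the hypothetical fixedDetail.

```python
import re

# Regexes for the small CFML tag subset this check needs (not a full parser).
COMMENT = re.compile(r"<!---.*?--->", re.S)
FUNCTION = re.compile(
    r'<cffunction\b[^>]*\bname="([^"]+)"[^>]*>(.*?)</cffunction>', re.S | re.I)
VAR_DECL = re.compile(r"<cfset\s+var\s+([A-Za-z_]\w*)", re.I)
# \bname keeps username="..." from being read as the query name.
QUERY_NAME = re.compile(r'<cfquery\b[^>]*\bname="([^"]+)"', re.I)
BARE_SET = re.compile(r"<cfset\s+([A-Za-z_]\w*)\s*=", re.I)

def unscoped_names(cfml):
    """Map each cffunction to the names it writes without var or a scope prefix."""
    findings = {}
    for func, body in FUNCTION.findall(COMMENT.sub("", cfml)):
        declared = {n.lower() for n in VAR_DECL.findall(body)}
        written = QUERY_NAME.findall(body) + BARE_SET.findall(body)
        # Dotted names (local.x, variables.x) carry an explicit scope: skip them.
        leaked = sorted({n for n in written
                         if "." not in n and n.lower() not in declared})
        if leaked:
            findings[func] = leaked
    return findings

# Constructed sample: the question's function, then the answer's fix renamed
# "fixedDetail" (hypothetical name) so both fit in one component.
SAMPLE = """
<cfcomponent>
    <cffunction name="getContactCustomerProfileDetail" returntype="query">
        <cfargument name="ccId" type="numeric" required="yes">
        <cfquery name="getContactCustomerProfileDetail"
                  datasource="#Application.ds#"
                  username="#Application.UserName#">
            <!-------My query here--->
        </cfquery>
        <cfreturn getContactCustomerProfileDetail>
    </cffunction>
    <cffunction name="fixedDetail" returntype="query">
        <cfset var q = false>
        <cfquery name="q" datasource="#Application.ds#"></cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
"""

if __name__ == "__main__":
    for func, names in unscoped_names(SAMPLE).items():
        print(f"{func}: not var-scoped: {', '.join(names)}")
```

Run over every CFC that is cached in the application scope, a non-empty result marks functions whose intermediate values are shared between concurrent requests.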