Skip to main content

Using NULL characters in a ColdFusion string

The issue:

ColdFusion language (CFML) seems to interpret the NULL character (which is 0x00000000, or chr(0)) as an empty string instead of a valid character.  It would be easy to see why most programmers don't care, however this is a significant issue.

Take for example, if you are encrypting strings.  Lets say you have a 10-character long string, and you are encrypting it character-by-character.  So loop through all 10 chars, encrypt each one and append it to a new string, right?  Ok, what if one of the encrypted values is null, or chr(0)?  This actually happened to me, so don't think it never happens.

So what happened to me?  I looped through 10 times, encrypted each character, built the new string, and then for some unknown reason, my new string was only 9 characters long instead of 10.  Why?

Well, one of the characters encrypted to be chr(0), and I appended it to my new string, however it since ColdFusion treats chr(0) as "" (empty string), appending it to my string resulting in no change -- nothing appended.  Thus my encrypted string was 9 chars instead of 10 and completely useless.

Some potential solutions:

The first solution I came up with was if I am passing this info to another page or application (which was the case), then I can simply URL encode the string and pass it along.  When my encryption algorithm runs, now I am checking if the value is 0, and instead of appending chr(0), I append "" which is the URL Encoded version of the same thing.  This works so long as the recipient (a .Net server in my case) URL Decodes the string first.

As I did further testing, I figured out that if I URL decoded that string within ColdFusion, the null char actually shows up!

So I put 1 and 1 together, and ended up with an interesting conclusion.  If decoding a URL encoded null character works, then I can just append that to my string and see if it work... and it does!


This does NOT Work:

<cfset mystring = "abc123" & chr(0)>  <!--- length will be 6 --->

This DOES work:

<cfset mystring = "abc123" & URLDecode("")> <!--- length will be 7 --->

I hope this is of some value to somebody.

Popular posts from this blog

Installing python 3.4.x on OSX El Capitan

I love "brew" package manager, but sometimes being too progressive breaks things.  I have several python apps that I maintain that get deployed to AWS using Elastic Beanstalk.  AWS eb can deploy with python 2.7 or 3.4.  Any recent 'brew install python3" will get 3.5.1. #annoying

Making Macbook Air with 128GB SSD usable with Bootcamp

I recently got a new Macbook Air 11" (the 2012 version) and loaded it with goodies like 8GB ram and 2GHz Core i7.  What I DIDN'T upgrade was the internal SSD.  My config came with 128GB SSD and I refused to pay $300+ to upgrade it to 256GB.  Yeah I know, some call me cheap, but SSds cost $75-$150 for 240GB, so adding another 128GB for $300 seemed way too steep for me.  I figured "ok, I'm going to make 128G work!"

Here is the story of how that went...

Election day plus 1: Social Media Nightmare

It is election day plus 1, and a very emotional day with no way to win for many.

Social media was a force to be reckoned with this election year.  No matter what position you take, the world is ready to pounce on you and tell you why YOU are evil, intolerant or a deplorable -- and the reason for all their woes.  This isn't a new problem, though...  All of the liberal vs conservative issues are causing rifts between otherwise civil people, and it seems to be the worst on Facebook and twitter.

If I say I am for Hillary:
i am part of the "corrupt system."

If I say I am against Hillary:
I am stupid and uneducated

If I say I am for Trump:
I am against women,
I am religiously intolerant,
I am a bigot

If I say I am against Trump:
I am against the 2nd amendment,
I don't have any idea how government works,
I am part of the problem with American society,
I am against the police

Stay with me now, this isn't meant to make people angry, but it is mean to shine some light on a social …