Recently, the application log for ColdFusion in CF Admin was helpful in showing me pages where SQL injection has been attempted on a site. It would say that there was invalid data, show the page, the line, and the value of the invalid data. But then I set a site-wide error handler in application.cfm, because I'd rather not have the screen display a standard CF error message:

```cfml
<cferror
    template = "myDBErrorHandler.cfm"
    type = "exception"
    exception = "database">
```
which has been working well, but it seems now that when cfqueryparam catches invalid data from SQL injection attempts and there's an invalid data error, it's no longer logged in the application.log file. Is that expected behavior? This seems counterintuitive; even if I'm handling these errors with cferror now, they're still errors, and I'd still like to see them recorded in the logs. I'm not sure why they'd just stop showing up.
I can still find these incidents in the exception log, as I was able to before I started using cferror, but the exception logs also contain the full stack trace, so they're very bloated and involve a lot of mouse clicking (or scrolling if viewing the log file in Notepad++). The entries in the application log were a lot simpler to use.
Also - if this is indeed expected behavior, for the application log not to log errors that are handled by cferror, does it say that anywhere in the CF documentation? I ask because I haven't seen it said anywhere, and it would be great to find this out for myself rather than have to ask someone else on Stack Overflow. As a workaround, I'm thinking of using cflog on the handler template; in fact, it might be better for my purposes to have a dedicated file for these specific kinds of errors than to have them mixed in with other application log entries. Thoughts? Thanks.
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-d-e/cferror.html
Usage
Use this tag to provide custom error messages for pages in an application. This lets you maintain a consistent look and feel within the application, even when errors occur.
Ideally, the code should be full of cftry and cfcatch statements, to deal with potential errors on a case by case basis. The cferror tag suppresses the default debug output.
You generally embed this tag in your Application CFC or Application.cfm file to specify error-handling responsibilities for an entire application. You must put it in one of these files if you specify type="validation"; ColdFusion ignores it on any other page.
Instead of cferror, try using the onError function in your Application.cfc file.
https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/onerror.html
You can add calls to cflog inside this function to write your errors to specific log files. You could also record the errors in a database or trigger emails to let you know as they occur (although I don't recommend sending emails).