Channel: Comments on: “Secure by Default” doesn’t seem to be ColdFusion’s motto

By: Patrick Toomey


All platforms absolutely have room for improvement, that’s for sure. And I definitely take your point about Rails developers leveraging plugins. My main point about the SQL injection was that their implementation has a bizarre edge case, whereby the automatic escaping of special characters completely depends on context. The escaping works OK for base-case parameter substitution (e.g. Form.element_name), but broke down if the substitution came about as the result of an Evaluate expression (e.g. Evaluate(‘Form.element_name’)). Your comment did make me think, “hmmm, I’ve actually never tried the equivalent in Rails”. I guess part of the reason is that I don’t think I’ve come across this idiom in Rails (the vast majority of Rails code I have reviewed leverages the built-in ORM exclusively). But it would be worth experimenting to see if Rails (or other vendors) have a similar edge case with regard to their auto-escaping SQL injection prevention approach.

My intent wasn’t to bash ColdFusion developers, so I hope the entry didn’t read that way. I am sure you, as well as many other ColdFusion developers, are fully aware of these edge cases and code around them with no problem. It has simply been my experience that many ColdFusion developers (though not all) leverage ColdFusion as a standalone solution and depend upon the platform to be “secure by default”. But as you said, every vendor can surely stand to do better.
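As an added illustration (not part of the comment above, and not code from the original post), here are the three query shapes the edge case concerns, written in CFML. The table and column names are hypothetical and the form value is constructed. The first form relies on ColdFusion’s automatic escaping of single quotes in a plain variable reference inside cfquery; the second obtains the same value through Evaluate(), which is the context in which the comment describes the escaping breaking down; the third binds the value with cfqueryparam, which keeps the value out of the SQL text regardless of how it was produced.

```cfml
<!--- Constructed input: what an attacker might submit in the "username" form field.
      The embedded single quote is the point of the example. --->
<cfset form.username = "x' OR '1'='1">

<!--- 1. Plain variable reference: ColdFusion escapes the single quote
        automatically inside cfquery, so the value stays inside the string literal. --->
<cfquery name="q1" datasource="app">
    SELECT id, username FROM users WHERE username = '#form.username#'
</cfquery>

<!--- 2. Same value obtained through Evaluate(): the comment describes this as the
        case the automatic escaping does not cover, so the quote closes the literal
        and the WHERE clause becomes:  username = 'x' OR '1'='1' --->
<cfset fieldName = "form.username">
<cfquery name="q2" datasource="app">
    SELECT id, username FROM users WHERE username = '#Evaluate(fieldName)#'
</cfquery>

<!--- 3. Parameter binding: cfqueryparam sends the value to the driver separately
        from the SQL text, so it is safe however the value was produced. --->
<cfquery name="q3" datasource="app">
    SELECT id, username FROM users
    WHERE username = <cfqueryparam value="#Evaluate(fieldName)#" cfsqltype="cf_sql_varchar">
</cfquery>
```

When reviewing CFML, the practical habit is not to reason about which interpolations happen to be auto-escaped: treat every `#...#` inside a cfquery that is not wrapped in cfqueryparam as a finding, and use the first query only to confirm the baseline behaviour before checking the Evaluate() form.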
