Recently I have been working on some security enhancements for a client and I ran into an interesting bug when using a combination of ColdFusion's query of a query feature and the encrypt/decrypt functions.
You see, when using the default encryption algorithm, CFMX_COMPAT, the encrypted output apparently may contain some non-printable ASCII characters. So let's suppose you encrypt a pass phrase as it is going into the database, and you don't run a trim there, because you have already trimmed the phrase and you think to yourself, "Hey, this function isn't going to return white-space." And you would be dead wrong. We found that in some instances, depending on the KEY value, the phrase "father father" would be encrypted and stored with non-printable characters.
OK, so what's the big deal? Well, as it turns out, when you use a query of a query, ColdFusion 7 (not yet confirmed with 8 and 9) automatically trims string values. So when we decrypted the stored value, "father father" became "father fathes". Note the "s".
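The failure mode above, modelled as an added example that is not from the original post: a constructed repeating-key XOR stand-in (not CFMX_COMPAT) produces a ciphertext whose last byte happens to be a space, a stand-in trim step plays the role of query of a query's auto-trim, and the round trip through that trim no longer decrypts to the original phrase. It also goes one step beyond the post: hex-armouring the ciphertext before storage (an assumed mitigation, not one the post describes) makes the stored value immune to trimming, and `is_trim_safe` is the pre-storage check that would have caught the problem. The key `b"R"` and the phrase are constructed so that the trailing space appears.

```python
"""Model of the ColdFusion bug: ciphertext bytes that look like whitespace are
stripped by a trimming query layer, so the stored value no longer decrypts to
the original pass phrase.

The cipher is a constructed XOR stand-in, not CFMX_COMPAT, and the trim step
stands in for ColdFusion 7's query-of-a-query behaviour. Both are assumptions
made so the example runs offline.
"""
import binascii
from typing import Tuple


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: symmetric and, like the real algorithm in the post,
    # free to emit bytes that happen to be whitespace. Demonstration only.
    return bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def is_trim_safe(ciphertext: bytes) -> bool:
    # Pre-storage check: does the value survive the trim that a query of a
    # query will apply to it when it is read back?
    return ciphertext == ciphertext.strip()


def simulate_qoq_trim(stored: bytes) -> bytes:
    # Stand-in for ColdFusion 7 query of a query auto-trimming string columns.
    return stored.strip()


def roundtrip_via_qoq(phrase: bytes, key: bytes, armor: bool) -> Tuple[bool, bytes]:
    """Encrypt, store, read back through the trimming layer, decrypt.

    armor=False stores the raw ciphertext, as the post's code did.
    armor=True hex-encodes it first; hex digits never contain whitespace,
    so the trim becomes a no-op and the phrase decrypts intact.
    Returns (round_trip_ok, recovered_plaintext).
    """
    ciphertext = toy_encrypt(phrase, key)
    stored = binascii.hexlify(ciphertext) if armor else ciphertext
    read_back = simulate_qoq_trim(stored)
    recovered_ct = binascii.unhexlify(read_back) if armor else read_back
    recovered = toy_decrypt(recovered_ct, key)
    return recovered == phrase, recovered


if __name__ == "__main__":
    KEY = b"R"  # constructed: ord('r') ^ ord('R') == 0x20, so the phrase ends in a space
    PHRASE = b"father father"
    ct = toy_encrypt(PHRASE, KEY)
    print("ciphertext:", ct, "trim-safe:", is_trim_safe(ct))
    print("raw storage:", roundtrip_via_qoq(PHRASE, KEY, armor=False))
    print("hex storage:", roundtrip_via_qoq(PHRASE, KEY, armor=True))
```

With the raw ciphertext the trimmed value decrypts to a shortened phrase rather than the post's "father fathes" (the exact corruption depends on the cipher), but the mechanism is the same: any storage or query layer that trims strings will silently alter ciphertext unless the ciphertext is encoded into an alphabet that contains no whitespace.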
Unfortunately we did not catch this before it went to production and ended up with some egg on our face, as users started complaining that pass phrases were not validating. After much head scratching we found where the query of a query's result-set was returning a trimmed value and giving us grief.
Our short-term solution was to alter our CFC's validation function to query directly against the database for the value. You see, we had been trying to be slick, and load the user's various questions and pass phrases as part of the CFC's initialization, then simply query against the object's global query results. That reduced database calls, all good in theory, but the auto-trimming of strings killed us.