In the end, the real cause of the core problem I encountered was to be found in a few SQL statements that I had neglected to check out, wrongly assuming they had been working in the past. The reason they continued to slip under the radar was simple: the original developer had managed to “hide” that SQL code in a <cftry> statement with an empty <cfcatch>. So there was nothing in the logs, of course.
Finding the root cause reinforced a lesson I had learned a long time ago: only catch exceptions if you’re going to do something serious and meaningful with them. No, swallowing them whole isn’t meaningful. OWASP summarizes: “Swallowing exceptions is considered bad practice, because the ignored exception may lead the application to an unexpected failure, at a point in the code that bears no apparent relation to the source of the problem”.
This story teaches a second lesson as well. In the future, I will scan code for exception swallowing situations before I start debugging – that could have saved me a lot of time today!