Spammers 1000, ME 0

After trying pretty hard to not have to institute anything that makes commenting harder, the spammers have forced me to do something.

I tried to install a MovableType Image Captcha component… It completely fragged my MovableType install, and I had to blow it away and reinstall. I bet this wouldn’t have happened to me if I was a good ColdFusion developer and started to use Blog.CFC.

After getting everything back up, I installed the Comment Challenge text-captcha plugin. It’s accessible, and it doesn’t, you know, completely hose my site, but I’m not sure how effective it will be. If anyone runs into any problems commenting, please drop me a line via my Contact page.

Why Isn’t There a Local Scope?

I was giving a presentation today on CFC’s, and was explaining the difference between the variables scope, the ‘local’ scope, the this scope, and the arguments scope. It was incredibly hard to explain, mostly because an unscoped variable in a CFC function can refer to either a local, variable-scoped, or arguments-scoped variable.

It made me think, why didn’t they just create another default scope named ‘local’?

However, I realize the ColdFusion development team has some noggin-horsepower, so I’m sure there is a good reason. I just can’t think of it.

I’m a This-Scoping Fool

Hey, ColdFusion experts! Remember when you said “Just don’t use the This scope in CFC’s.”?
And then I said “No, I can totally use it.”
And then you said “No, you totally can’t”
And then I was all like “I totally can!”
Yeah?
Well I was totally wrong.

(In case you’re wondering, this conversation happened entirely in my head.)

We were having a weird issue with one of our applications. It uses cookie-based authentication that was written centrally into a CFC, and every once in a while users were getting someone else’s information. We couldn’t track it down. The CFC was all properly var-scoped. However, it turns out that it was using the This scope to return the results of each function. The CFC was instantiated in the application scope of the calling application. So things like this were happening:

  • User 1 authenticates.
  • Application.Obj.username is set to User 1
  • User 2 authenticates
  • Application.Obj.username is set to User 2
  • User 1 sets session.username to Application.Obj.username
  • User 2 sets session.username to Application.Obj.username
  • Both are User 2 in their session

This is dumb stuff from me. At the time I wrote it, like a year and a half ago, I assumed no one would instantiate the CFC to the application scope. But now time has proven me wrong. It just goes to show that no matter how small your application is, or how narrowly you think it is going to be used, always follow best practices unless you have a specific reason not to. If I had just set the proper response to be returned from the function instead of in the this scope, I wouldn’t be rewriting code and trying not to break existing calls to this central CFC in 20 or so applications by 10 or so different developers.
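Here is the leaky pattern beside the fix, written as an added example rather than the CFC from the post. Auth.cfc, authenticateLeaky(), authenticate(), lookupUser(), Application.authObj and cookie.auth are all assumed names.

```cfml
<!--- Auth.cfc: constructed example of the bug above and its fix. The calling
      application stores one instance in Application.authObj (assumed name). --->
<cfcomponent>

    <!--- BEFORE: the result is parked in the this scope. That scope belongs to
          the single shared instance, so request B can overwrite this.username
          between request A's call and request A's read of it. --->
    <cffunction name="authenticateLeaky" access="public" returntype="void" output="false">
        <cfargument name="authCookie" type="string" required="true" />
        <cfset this.username = lookupUser(arguments.authCookie) />
    </cffunction>

    <!--- AFTER: the result lives in a var-scoped local and is returned, so
          each request works on its own copy and the shared instance stays
          stateless. --->
    <cffunction name="authenticate" access="public" returntype="struct" output="false">
        <cfargument name="authCookie" type="string" required="true" />
        <cfset var result = StructNew() />
        <cfset result.username = lookupUser(arguments.authCookie) />
        <cfreturn result />
    </cffunction>

    <!--- Stand-in for the real cookie-to-user lookup (constructed). --->
    <cffunction name="lookupUser" access="private" returntype="string" output="false">
        <cfargument name="authCookie" type="string" required="true" />
        <cfreturn "user-" & Left(Hash(arguments.authCookie), 8) />
    </cffunction>

    <!--- Calling page (a separate .cfm file; cookie.auth is an assumed name).
          Leaky, subject to the interleaving listed above:
              <cfset Application.authObj.authenticateLeaky(cookie.auth) />
              <cfset session.username = Application.authObj.username />
          Fixed, the per-request result never touches shared state:
              <cfset authInfo = Application.authObj.authenticate(cookie.auth) />
              <cfset session.username = authInfo.username />
    --->

</cfcomponent>
```

The fixed form also makes the failure detectable in review: any `this.` assignment inside a method of an application-scoped CFC is a candidate for exactly this cross-user leak.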

Var Scoping ColdFusion Tag-Specific Variables

I came across this issue during a code review, and thought it might be of note. Specifically, use of cfstoredproc.StatusCode inspired this.

You know that rule about var scoping all variables called in a function unless they are specifically needed elsewhere? Well, don’t forget to do it to most of the “ColdFusion tag-specific variables.” They are:

  • cfdirectory
  • cffile
  • cfftp
  • cfhttp
  • cfindex
  • cfldap
  • cfpop
  • cfquery
  • cfregistry
  • cfsearch
  • cfstoredproc

Anything that returns a simple value (string, numeric, Boolean) or even arrays and queries can be var scoped at the head of the function with an empty string. (Although for every type but query I like to initialize it with the correct data type.) Structs, however, have to be initialized with a StructNew().

I omit from the list:

  • cfcatch
  • cferror

cfcatch only exists during the execution of a cfcatch block and is accessible only by code in that block. In any case, my normal test for variable scope leakage doesn’t detect it, so I’m assuming it’s a special case. If anyone knows different, please let me know. Likewise, cferror only exists in a page referenced by a cferror tag, which probably couldn’t be in a CFC call. (But I could be wrong.)
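An added example (not the code from the review in the post) of var scoping the tag-specific variables a function touches, followed by a leak check of the kind mentioned above. The component, fetchStatus(), leakedTagVariables(), the datasource appDSN, the procedure sp_record_check and the table url_checks are assumptions.

```cfml
<!--- Constructed example: var-scope the tag-specific variables a function uses,
      then check that none of them leaked into the CFC's variables scope.
      Component, function, datasource and procedure names are assumptions. --->
<cfcomponent>

    <cffunction name="fetchStatus" access="public" returntype="struct" output="false">
        <cfargument name="url" type="string" required="true" />
        <!--- Locals first, tag-specific ones included. cfhttp and cfstoredproc
              are structs, so they need StructNew(); a query name can start
              out as an empty string. --->
        <cfset var cfhttp = StructNew() />
        <cfset var cfstoredproc = StructNew() />
        <cfset var qLookup = "" />
        <cfset var result = StructNew() />

        <cfhttp url="#arguments.url#" method="get" timeout="5" />
        <cfset result.httpStatus = cfhttp.statusCode />

        <cfstoredproc procedure="sp_record_check" datasource="appDSN" returncode="yes">
            <cfprocparam type="in" cfsqltype="cf_sql_varchar" value="#arguments.url#" />
        </cfstoredproc>
        <cfset result.procStatus = cfstoredproc.statusCode />

        <cfquery name="qLookup" datasource="appDSN">
            SELECT checked_at FROM url_checks
            WHERE url = <cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.url#" />
        </cfquery>
        <cfset result.rowCount = qLookup.recordCount />

        <cfreturn result />
    </cffunction>

    <!--- Leak check to run after fetchStatus(): returns the tag-specific names
          that ended up in the component's variables scope (empty when clean). --->
    <cffunction name="leakedTagVariables" access="public" returntype="string" output="false">
        <cfset var leaked = "" />
        <cfset var n = "" />
        <cfloop list="cfhttp,cfstoredproc,qLookup" index="n">
            <cfif StructKeyExists(variables, n)>
                <cfset leaked = ListAppend(leaked, n) />
            </cfif>
        </cfloop>
        <cfreturn leaked />
    </cffunction>

</cfcomponent>
```

Comment out one of the three `var` lines, call fetchStatus() and then leakedTagVariables(), and the missing name shows up in the returned list; with all three in place it comes back empty.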

Hacking ColdFusion – Disable Administrator Security

During MAX 2006 I attended the ColdFusion CFC Birds of a Feather. Someone was complaining about the fact that their administrators were too restrictive despite not understanding the ColdFusion service. They were unable to see CFC introspection because of an administrator password. So I suggested they disable security programmatically.

After thinking about it for awhile, I decided that it was an interesting challenge. I looked at it a couple different ways, and finally settled on this solution:

<!--- Grab the security file contents --->
<cffile action="read" file="#server.ColdFusion.rootdir#/lib/neo-security.xml" variable="rawfilecontents" />

<!--- Convert it to a structure --->
<cfwddx action="wddx2cfml" input="#rawfilecontents#" output="loginfo" />

<!--- Change the setting --->
<cfset loginfo["admin.security.enabled"] = JavaCast("boolean", false) />

<!--- Convert back to WDDX --->
<cfwddx action="cfml2wddx" input="#loginfo#" output="fileToWrite" />

<!--- Write it back to the disk.  --->
<cffile action="write" addnewline="yes" file="#server.ColdFusion.rootdir#/lib/neo-security.xml" output="#fileToWrite#" fixnewline="no" />

<!--- This seems to restart the server eventually.  I had to rerun it several times to get it to work.  --->
<cfset serverFactory = CreateObject("java", "coldfusion.server.ServiceFactory") />
<cfset runTimeService = serverFactory.RuntimeService />
<cfset runTimeService.ReStart() />

You have to run it a couple times before it kicks in.

Now, it is important to point out the following:

  1. If proper sandboxing is enabled, this won’t work.
  2. If proper IIS restrictions on CFIDE/administrator are set, this won’t work.
  3. You should never do this on a hosted server as it will probably violate your hosting agreement.
  4. I’m not advocating messing with your administrators.
  5. But you totally could.
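For whoever does administer the server, the flip side of the snippet above is a check that the setting is still what it should be. This is an added example, not from the post: it reads neo-security.xml the same way and logs an error when Administrator security has been turned off. adminSecurityEnabled() and the log file name security-audit are assumptions; it is meant to run from a scheduled task.

```cfml
<!--- Constructed defender-side check: read neo-security.xml exactly as the post
      does and flag it if admin.security.enabled is no longer true.
      Function name and log file name are assumptions. --->
<cffunction name="adminSecurityEnabled" access="public" returntype="boolean" output="false">
    <cfset var rawfilecontents = "" />
    <cfset var loginfo = StructNew() />
    <cfset var securityFile = server.ColdFusion.rootdir & "/lib/neo-security.xml" />

    <cffile action="read" file="#securityFile#" variable="rawfilecontents" />
    <cfwddx action="wddx2cfml" input="#rawfilecontents#" output="loginfo" />

    <!--- The key is expected to be present; treat its absence as disabled. --->
    <cfif NOT StructKeyExists(loginfo, "admin.security.enabled")>
        <cfreturn false />
    </cfif>
    <cfreturn loginfo["admin.security.enabled"] />
</cffunction>

<cfif NOT adminSecurityEnabled()>
    <cflog file="security-audit" type="error"
           text="admin.security.enabled is false in neo-security.xml; verify the Administrator login is still enforced" />
</cfif>
```

Pair it with the two items above that actually stop the trick: a sandbox that denies write access to the lib directory, and web-server restrictions on CFIDE/administrator.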

MAX 2006 – Day 3 or The End is Nigh

It seems like all this started just yesterday. But MAX 2006 is pretty much over. I have to say, this has been my favorite MAX to date. I think the sessions I attended were awesome. I didn’t get stuck in too many mislabeled sessions. I also really like participating in MAXUP. I hope they do it again, and if you were thinking about doing it but didn’t, you missed out.

So on to today.

The Sneaks Session was pretty interesting. Despite (or perhaps because of) my strong interest in ColdFusion, I wasn’t wowed by the features they showed off. But in the ColdFusion team’s defense, I was wowed the first time I saw them. Soundbooth looks awesome. I’ve dabbled in video and sound production, and it looks like Soundbooth was written for my type of user. I know I have a sound, I know it needs modifying, but I don’t know which frequencies I need to tweak. Soundbooth looks like it handles that case well. I’m going to give it a try and also see what some more experienced sound people think about it. The Fireworks to Flex stuff was also awesome. It makes me happy that they’re continuing the product, especially since they’re tying it to one of their more important products. The rest of the stuff was cool, but outside of my ken.

I attended two sessions today that I think were very good.

First I attended the ColdFusion .Net Integration session. Ray Camden did a great summary of it. I’m excited about this because it has the potential to simplify some of the troubles I’ve been dealing with over the past year. Not in terms of programming, but in server consolidation and whatnot. Another Wharton Computing staff member, Dave Konopka, has some good thoughts about it. I hope he blogs some of them like he’s been threatening to do. We were able to corner the speaker, Rupesh Kumar, and ask him some questions about why we would use this and not just continue relying on web services to provide interactivity between .Net and ColdFusion. He boiled it down to security and performance, which are better in the built-in version. I buy that.

Tangentially, were all of the ColdFusion team trained by the CIA? None of them would spill anything about Scorpio outside of the areas that they were revealing at MAX.

The second session that I want to mention was the AJAX/Spry Framework Overview. I briefly looked at Spry when it came out, but didn’t have time to fool around with it. This is going to make me make the time. I can’t believe how easy and powerful it looks. Additionally, they spell out a philosophy for it that makes a tremendous amount of sense. Once they make it easy to degrade your pages gracefully I’m totally onboard.

Adobe, you’ve done your job. I will most likely be spending money on more Adobe products this year.

MAX 2006 – Day 2

I managed with 3 alarms and a wake up call to get to the keynote. It was interesting, the mobile stuff looks even cooler this year. I can’t wait until Flash gets on the Blackberry, cause I think that’s when enterprise customers are really going to look at Flash as a solution.

Also, my fellow members of Wharton Computing from the Student Services group won a MAX award. They also placed third in the People’s Choice Award. I’m extremely happy for them. They do such creative and innovative work, so they definitely deserve it.

I have to admit, I’ve been a little light on the formal sessions today. Mostly because I was pretty nervous about my MAXUP presentation. I was following Ray Camden, which was very intimidating. But it went really well. For some reason I held on to my audience, which is decidedly hard to do in that space since there is so much to distract one and it’s so easy to leave. I suspect my cohorts from Wharton were blocking the exit paths. Thanks, guys.

Finally, I have to admit I’m definitely a fan of the ability to reach out and really talk to the people I’m used to only reading. I got to sit down and talk for 30 minutes or so to both Ray Camden and Ashwin Matthew in the same sitting. Ray was giving his list of features he really wants for Scorpio, and I found myself saying “Me too” a lot.

I think I’m going to catch the 4:30 MAXUP session on Mission Critical Application Architecture, then stall until the ColdFusion Components Birds of a Feather tonight.

MAX 2006 – Day 1 Complete

Day one is finally over, and despite my slow start, I think that I got a full day’s worth out of it.

I talked about it earlier, but the Getting Started with Apollo by Mike Chambers was really worth it. Especially if you’ve been living in a cave and haven’t really wrapped your mind around Apollo. Which I hadn’t… until after this session.

Next came Developing Hybrid Applications with ColdFusion and Java by Jason Delmore. This was really cool. I’ve done a bit with Java from ColdFusion, but I still learned a couple of huge things.

Then came Unlocking the ColdFusion Server Black Box by Ashwin Matthew. I have been waiting for this stuff for so long. No more taking a random poll of my developers and seeing which one will cop to writing an infinite loop. This stuff is very well done, and I highly recommend it if you manage ColdFusion servers at all.

The final official session I visited was Image Manipulation in ColdFusion by Prayank Swaroop. This is the only one that didn’t wow me. Basically it was a laundry list of all of the image things you will be able to do with the potentially upcoming CFImage tag. It’s not that this stuff isn’t cool. It is. And it wasn’t that Prayank Swaroop wasn’t a good speaker. He is. It’s just that between tmt_img.cfc, and other image tools, this just isn’t new. It’s awesome that ColdFusion will be supporting it natively though.

In between I stopped in at MAXUP and was impressed with what I saw.

Finally I attended the ColdFusion Birds of a Feather. The team was, as always, very impressive. Their answers were great… yada yada yada. By this point great from the ColdFusion team is what I expect. What really impressed me was the attendees. Great probing questions, and good acceptance of answers. Also, there was no panic about ColdFusion going away, which I was half expecting.

All in all, Day One was fantastic.

ColdFusion String Manipulation

I don’t know if this is new to everyone, but it was to me. Jason Delmore, the Product Manager for ColdFusion, informed us of something intriguing in his Developing Hybrid Applications with ColdFusion and Java talk today. He informed us that ColdFusion strings are an extension of the Java String class. Which means that methods of Java strings are available to ColdFusion. What does this mean? It means that this is valid code:

<cfset test_1= "A string to test" />
<cfset test_2= "A string to add on to a string to test." />
<cfset test_1 = test_1.concat(test_2) />

Not only is it more elegant than other ColdFusion string concatenation techniques, it appears to run about twice as fast.

Also any other method listed in the Java String reference will work.