Posted by Mike Fleming | Posted in ColdFusion | Posted on 17-11-2009
0
While building a recent application I had the need to prevent spam form submissions in quite a few different pages. I started to integrate the CFIMAGE tag, then had a change of mind and decided to try something new. I have not been a huge fan of the output of the captcha features of the CFIMAGE tag. So I decided to give reCAPTCHA a try. This offering is much more visually appealing, has customizable colors, can speak the words, and best of all it’s a free service.
Posted by Mike Fleming | Posted in ColdFusion | Posted on 11-11-2009
5
I have been hearing lots of good things about some of the CRUD options available for use in ColdFusion applications. With a new side project coming up I decided to give DataMgr by Steve Bryant a try. I can say right from the top that I was very impressed with this tool. According to the documentation DataMgr helps you in three ways:
Posted by Mike Fleming | Posted in ColdFusion | Posted on 13-07-2009
0
This is just a quick note that Adobe has released the public beta versions of ColdFusion 9 and the new ColdFusion Builder. Download links are below. I would also like to point out that while you try these versions out, please report any bugs you find to Adobe. This will benefit them by allowing them to address the issues, and it will benefit the community as a whole, as in the end it makes for a better, more stable product.
Download ColdFusion 9 Beta
Download ColdFusion Builder Beta
Posted by Mike Fleming | Posted in ColdFusion | Posted on 08-07-2009
0
Adobe has just released the hotfix for the FCKEditor security issue. You can read about and download the hotfix directly from Adobe.
A summary of the potential exploit taken from the Adobe security bulletin:
A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This hotfix updates the version of FCKEditor included with ColdFusion 8, turns off file upload capabilities by default, restricts access to cfm files in the FCKeditor\editor\filemanager directory, and limits file upload capabilities to users with valid sessions. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild.
Posted by Mike Fleming | Posted in ColdFusion | Posted on 07-07-2009
0
While reading through some of the ColdFusion blogs the last couple of days, I think one issue has been missed: the security vulnerability in FCKEditor exists outside of ColdFusion. In other words, if you are using the FCKEditor tool outside of ColdFusion, or your ColdFusion site uses the stand-alone version (and not the version embedded with ColdFusion), this issue can leave your site open to an attack. The major error on Adobe’s part seems to be that the 8.0.1 updater introduced this issue by enabling uploads in the file upload connector. The embedded version of this editor in ColdFusion does not allow file uploads, so this feature should be disabled.
Posted by Mike Fleming | Posted in .NET, ColdFusion | Posted on 15-06-2009
0
It’s been a while since I have added a new post to the series that compares code in ColdFusion & .NET. Today’s post covers something I use quite a bit throughout some of my applications: storing values in a list type format. If you have programmed in ColdFusion for years, you take the built-in list functions for granted. Today’s example covers storing a simple list of IDs in a variable. You could use this for storing user group associations or something like that. The example will show you how to add an item to the list and then search the list to see if a certain value is stored within it.
First up the ColdFusion code:
```cfml
<!--- Create a unique value and start with an empty list --->
<cfset variables.newID = CreateUUID()>
<cfset variables.idList = "">
<!--- ListAppend returns the new list; the default delimiter is a comma --->
<cfset variables.idList = ListAppend(variables.idList, variables.newID)>

<!--- ListFindNoCase returns the 1-based position of the value, or 0 if it is not in the list --->
<cfif ListFindNoCase(variables.idList, variables.newID)>
    Value Found
<cfelse>
    Value Not Found
</cfif>
```
This code is fairly simple. We create a UUID, use the ListAppend function to add the value to our list, then use ListFindNoCase to see if our value is in the list.
Now for the .NET code:
```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections;

public partial class list_test : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Create a unique value and an empty ArrayList to hold it
        Guid newID = System.Guid.NewGuid();
        ArrayList idList = new ArrayList();
        idList.Add(newID);

        // Contains returns true if the value is stored in the list
        if (idList.Contains(newID) == true)
            foundLabel.Text = "Item Found";
        else
            foundLabel.Text = "Item Not Found";
    }
}
```
This code is fairly simple as well. The big difference between the two languages is that .NET treats the list as an array, so we first set up our ArrayList object, add our Guid value to the ArrayList, then search for our value using the Contains function. We then update the value of a label on our front end page depending on our results.
So as you can see, using lists is easy no matter which language you use. Both languages also allow you to store your lists in the session scope. The one pointer for doing this in .NET is that you must cast your value back out to an ArrayList object when reading it from the session:
```csharp
// Session values are stored as object, so cast back to ArrayList when reading
ArrayList newsList = (ArrayList)Session["newsList"];
```
Posted by Mike Fleming | Posted in ColdFusion | Posted on 15-05-2009
1
Finally, some good press for ColdFusion! Mark Driver, a Gartner analyst, recently published an analyst note on ColdFusion. It has some good things to say about ColdFusion and notes that Adobe has strong support for the product. Nice to see others praising a product that we in the ColdFusion community have praised for years.
The report is not free, but Kristen Schofield has some excerpts posted on her blog.
Posted by Mike Fleming | Posted in ColdFusion, Twitter | Posted on 07-05-2009
2
I have read numerous articles this week on the subject of Twitter replacing RSS feeds for some people, so I thought I would share my two cents on the subject. I’ll start by saying I was a late adopter to Twitter, having been signed up for only a few months now. Over that time period Twitter is slowly overtaking my reading of news from my RSS feeds. I have always been a huge fan of Google Reader, and it’s been my primary source of news, sports information, tech blogs, etc… Every day now I find myself removing feeds from Reader once I see the site I was subscribed to also offers a Twitter feed. In the near future I can say I will probably not use Google Reader anymore. Twitter will become my main source of content. So count me in the large group of folks who see Twitter as an RSS killer.
In the next couple of weeks I will be sharing a ColdFusion based project I have created that aggregates RSS based content on certain news subjects (Pro Cycling and Motorsports). This is just one other step I have taken to provide a means of having more content viewable via Twitter.
Posted by Mike Fleming | Posted in ColdFusion | Posted on 20-04-2009
4
I have been working on a new application the last few days and one of the requirements was to generate a short URL. There are many different URL shortening services out there today, but I decided to go with one of the original services, TinyURL. Although this service does not provide any sort of API, they do offer a quick and dirty HTTP post method of grabbing a short URL. Using CFHTTP in ColdFusion makes this easy, and only requires a single line of code:
```cfml
<cfhttp method="get" result="tinyURL" url="http://tinyurl.com/api-create.php?url=http://www.yourlongurl.com">
```
All this does is call the TinyURL API URL and pass in the URL you would like shortened. The call simply returns the text that contains the shortened URL. Now that was too easy! It is a good idea to check the status code of the HTTP call. If a status of 200 is returned, then all is well. If not, you can handle the error any way you would like.
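As an added example (not code from the original post), here is the same call wrapped in a function that checks the status code before trusting the response; the function name, the `isValid("url")` pre-check and the `URLEncodedFormat` of the long URL are my additions, since a raw `&` in the long URL would otherwise be read as a second query parameter of the api-create.php request.

```cfml
<!--- Added example: shorten a URL via TinyURL and fail loudly on anything other than HTTP 200 --->
<cffunction name="getTinyURL" returntype="string" output="false">
    <cfargument name="longURL" type="string" required="true">
    <cfset var tinyResult = "">

    <!--- Only forward values that actually look like URLs to the remote service --->
    <cfif NOT isValid("url", arguments.longURL)>
        <cfthrow type="TinyURL.InvalidInput" message="Refusing to shorten a value that is not a URL">
    </cfif>

    <!--- URLEncodedFormat keeps '&' and '##' inside the long URL from becoming
          extra query parameters of the api-create.php request --->
    <cfhttp method="get" result="tinyResult" timeout="10"
            url="http://tinyurl.com/api-create.php?url=#URLEncodedFormat(arguments.longURL)#">

    <!--- statusCode is a string such as "200 OK"; a network failure shows up
          as "Connection Failure", so anything without 200 is treated as an error --->
    <cfif tinyResult.statusCode DOES NOT CONTAIN "200">
        <cfthrow type="TinyURL.RequestFailed" message="TinyURL returned status #tinyResult.statusCode#">
    </cfif>

    <cfreturn trim(tinyResult.fileContent)>
</cffunction>

<!--- Constructed sample input: a long URL with its own query string --->
<cfset variables.shortURL = getTinyURL("http://www.yourlongurl.com/page.cfm?id=1&view=full")>
<!--- The returned text comes from a remote service, so encode it before echoing it --->
<cfoutput>#HTMLEditFormat(variables.shortURL)#</cfoutput>
```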
Posted by Mike Fleming | Posted in ColdFusion | Posted on 13-04-2009
2
With the issues Twitter has faced in recent days, I thought it would be important to show how you can prevent XSS attacks in ColdFusion. For a detailed explanation of what XSS is you can read a good summary here. So how can you protect against this type of attack?
ColdFusion has some built in functionality to make this really easy. These are the steps I would recommend you take to help prevent XSS attacks:
- You can enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your Application.cfc. You can set this to automatically add some protection to your form, URL, CGI and cookie variables. You can also pass in a comma-delimited list of the scopes you wish to add the default protection to.
- You can also globally enable script protection at the server level via the ColdFusion Administrator. Under Settings is a checkbox to Enable Global Script Protection. This will default every application on the server to use script protection.
- Use HTMLEditFormat around ANY variables that contain user submitted input. This function will convert any submitted HTML tags into their HTML character entities. This can help to stop malicious JavaScript code, for example, from being served to the browser.
- The sure fire way to prevent this type of attack is to simply search and replace any malicious data. In other words, replace script tags, etc… with nothing.
- Validate user submitted input on the server side. If you are expecting a numeric value in a field, make sure it’s numeric. Also validate maximum lengths. If you have a state field that is only 2 characters in length, validate it to make sure it’s no bigger.
As you can see ColdFusion provides many features and functions to aid you in preventing an XSS attack on your site. It’s up to you to put these practices in place!
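The steps above put together in one small application, as an added example that is not part of the original post: script protection is switched on in Application.cfc, and the page validates the state and comment fields on the server and encodes them with HTMLEditFormat on output. The application name, field names and the 500-character limit are assumptions for the example.

```cfml
<!--- Added example: Application.cfc --->
<cfcomponent output="false">
    <cfset this.name = "xssDemo">
    <!--- Same effect as the Administrator's "Enable Global Script Protection" checkbox,
          but scoped to this application. A list such as "form,url" limits it to those scopes. --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- Added example: profile.cfm --->
<cfparam name="form.state" default="">
<cfparam name="form.comment" default="">

<cfset variables.errors = []>

<!--- Server-side validation: a state code is exactly two letters, nothing else --->
<cfif NOT reFindNoCase("^[A-Z]{2}$", form.state)>
    <cfset arrayAppend(variables.errors, "State must be a two-letter code.")>
</cfif>

<!--- Enforce a maximum length instead of trying to strip tags out of free text (limit is assumed) --->
<cfif len(form.comment) GT 500>
    <cfset arrayAppend(variables.errors, "Comment is limited to 500 characters.")>
</cfif>

<cfoutput>
<cfif arrayLen(variables.errors)>
    <cfloop array="#variables.errors#" index="msg">
        <p>#HTMLEditFormat(msg)#</p>
    </cfloop>
<cfelse>
    <!--- HTMLEditFormat turns <, >, & and " into entities, so a comment containing
          a script tag is displayed as text rather than executed by the browser --->
    <p>State: #HTMLEditFormat(form.state)#</p>
    <p>Comment: #HTMLEditFormat(form.comment)#</p>
</cfif>
</cfoutput>
```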