In order to integrate reCAPTCHA into your application, you will need to register at reCAPTCHA.NET and obtain your public and private keys.  Once you have those you can start writing the code for integration, which is super simple.  To display the reCAPTCHA module on our form page, simply place one line of JavaScript code in the area you need it to appear.  The JavaScript call will also pass your public key to the service:

With this code you will now see the reCAPTCHA module integrated into your form page.  The module also has some customizable features that you can use to change colors, the tab index or load up one of the available themes.  This requires a little more JavaScript you write before loading in the module:

So now that the module displays, we need to be able to process the information on our form post to validate the input.  This is super simple as well, and just involves a HTTP post call and passing them your private key, the remote user’s IP address, and the two form fields created by the display module.  The response from this call will return a “true” or “false”.  You then use that to validate whether the user submitted input matched the words that were displayed.

<cfhttp method="post" url="http://api-verify.recaptcha.net/verify" throwonerror="Yes">
    <cfhttpparam name="privatekey" type="FormField" value="#YourPrivateKey#">
    <cfhttpparam name="remoteip" type="FormField" value="#cgi.REMOTE_USER#">
    <cfhttpparam name="challenge" type="FormField" value="#form.recaptcha_challenge_field#">
    <cfhttpparam name="response" type="FormField" value="#form.recaptcha_response_field#">
</cfhttp>
<cfset variables.reCaptchaStatus = cfhttp.FileContent>
<cfif NOT FindNoCase('true', variables.reCaptchaStatus)>
      <!--- reCAPTCHA validation failed --->
</cfif>

And that’s it.  I hope you see how easy integration is and in my opinion is a much better visually appealing interface than using the CFIMAGE captcha features.

• CRUD: Database reads/writes including those of the type performed by cfinsert/cfupdate
• ActiveSchema: The ability for your code to define your database structure. DataMgr can introspect the database structure or it can define it.
• Prototyping: The ability to use simulated data for prototyping (much like QuerySim, but more powerful and less work).

The only piece I have used this far are the CRUD features.  For the project I was working on CyclingShare.com, I was needing to get the application built as soon as possible.  Everyone knows that you can easily get bogged down into writing general insert, update and delete statements when starting off a project.  It’s also up to the developer to add in query param tags as well to prevent SQL injection attacks, etc…  DataMgr handles those tasks for you, and lets you focus your time on other aspects of your application.  I completed my project in a total of around 6 to 7 hours, and did not write a single insert, update or delete statement.  DataMgr took care of those for me, as well as most of my select statements.  I choose to write some of the more advanced SQL queries myself (although DataMgr will allow custom SQL).  So how easy is DataMgr to use?  Below you will find snippets that display how to use DataMgr for CRUD handling.



//insert function
variables.foo = Application.DataMgr.insertRecord("yourtable",form);

//select function
filter = {pk_id=Session.pk_id};
variables.qryUser = Application.DataMgr.getRecords("yourtable", filter);



These are just simple examples to show you the high level functions of DataMgr.  One tip that makes using it even more of a breeze, is to name your form fields the same as your column names from your database tables.  You can then just pass in the entire form structure and it will take care of everything else.

I would highly recommend giving DataMgr a try.  I have already found it to be quite a time saver already.  You can see it in action here: CyclingShare.com

Download ColdFusion 9 Beta

Download ColdFusion Builder Beta

A summary of the potential exploit taken from the Adobe security bulletin:

A vulnerability in FCKEditor, which is included as part of ColdFusion 8, could allow a remote attacker to upload files in arbitrary directories which could lead to a system compromise. This hotfix updates the version of FCKEditor included with ColdFusion 8, turns off file upload capabilities by default, restricts access to cfm files in the FCKeditoreditorfilenamanger directory, and limits file upload capabilities to users with valid sessions. This issue is remotely exploitable. There are reports that this issue is being exploited in the wild.

If you are using the standalone version of the FCKEditor and have file uploads enabled (using any of the connectors), you should take some steps to ensure that rouge files cannot be uploaded. The great thing about the FCKEditor tool is that it’s open source. You can easily modify the code for the connector to add in some security checks (sizes of uploads, mime type exclusions, etc…). If using this editor within a password protected admin or client area, you could also add in the authentication checks within the editor code as well. This would prevent someone from being able to upload a file without being logged into the password protected area of your site.

So in conclusion I just wanted to make note that this particular vulnerability does exist outside of the ColdFusion server install itself if you are using the standalone version of the FCKEditor. This latest issue can be used as a reminder to always check those third party applications you use, and to make sure you implement them the correct way.

To quickly patch your ColdFusion 8 installs you can follow the below recommended steps from the Adobe Security Team. It sounds as though Adobe will be releasing a hotfix for this issue very soon, but they do recommend the steps below while waiting for the hotfix to be released:

1. Disable connectors by setting config.Enabled to false in the editor/filemanager/connectors/cfm/config.cfm file.
2. Remove unused cfm files under editor/filemanager/connectors/cfm directory of the FCKeditor.
3. Inspect FCKeditor directories for content that has already been uploaded. The uploaded files go under the directory specified in the config.UserFilesPath set in config.cfm.

First up the ColdFusion code:


Value Found

Value Not Found



This code is fairly simple. We create a UUID, use the ListAppend function to add the value to our list, then use ListFindNoCase to see if our value is in the list.

Now for the .NET code:

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections;

if (idList.Contains(newID) == true)
foundLabel.Text = "Item Found";
else
foundLabel.Text = "Item Not Found";
}
}

This code is fairly simple as well. The big difference between the two languages is that .NET treats the list as an array, so we first set uo our ArrayList object, add our Guid value to the ArrayList, then search for our value using the Contains function. We then update the value of a label on our front end page depending on our results.

So as you can see using lists is easy no matter which language you use. Both languages also allow you to store your lists in the session scope as well. The one pointer for doing this in .NET is you must cast your value back out to an ArrayList object when reading it from the session:


ArrayList newsList = (ArrayList)Session["newsList"];


The report is not free, but Kristen Schofield has some excerpts posted on her blog.

In the next couple of weeks I will be sharing a ColdFusion based project I have created that aggregates RSS based content on certain news subjects (Pro Cycling and Motorsports). This is just one other step I have taken to provide a means of having more content viewable via Twitter.

All this does is call the TinyURL post URL and pass in the URL you would like shortened. The post simply returns the text that contains the shortened URL. Now that was to easy! It is a good idea to check the status code of the HTTP call. If a status of 200 is returned, then all is well. If not you can handle the error any way you would like.

ColdFusion has some built in functionality to make this really easy. These are the steps I would recommend you take to help prevent XSS attacks:

1. You can enable Global Script Protection in your application. You can accomplish this by using the scriptProtect attribute in your application.cfc. You can set this to automatically add some protection to your form, URL, CGI and cookie variables. You can also pass in a column delimited list of the scopes you wish to add the default protection to.
2. You can also globally enable script protection at the server level via the ColdFusion Administrator. Under settings is a checkbox to Enable Global Script Protection. This will default every application on the server to use script protection by default.
3. Use HTMLEditFormat around ANY variables that contain user submitted input. This function will convert any submitted HTML tags into their HTML character entity. This can help to stop malicious Javascript code for example from being served to the browser.
4. The sure fire way to prevent this type of attack is to simply search and replace any maliciuous data. In other words, replace script tags, etc… with nothing.
5. Validate user submitted input on the server side. If you are expecting a numeric value in a field, make sure it’s numeric. Also validate maximum lengths. If you have a state field that is only 2 characters in length, validate it to make sure it’s no bigger.

As you can see ColdFusion provides many features and functions to aid you in preventing an XSS attack on your site. It’s up to you to put these practices in place!