Flex 360 Conference less than a month away

I'm very excited about the upcoming Flex 360 Conference. It's been 18 months since I attended the first 360 conference in San Jose. It only cost $100. An amazing deal for a 2 day conference. It was hosted at the eBay campus and I believe subsidized by eBay as well. About 400 people attended.

 

This year is a bit more expensive ($480), but it is 3 days long, and the Sunday pre-conference is included in the price. They've got both beginner and advanced tracks set up. Lynda.com is hosting the Flex 101 pre-conference event on Sunday.

 

Thanks to Tom and John for all the effort they put into this conference.

 

cfmodule displays content twice

I was a bit baffled when I encountered this error. While generating multiple pdfs I used the cfcontentsave wrapped around a cfmodule tag and passed in an id as an attribute. I thought simple enough. But my cfmodule would output the content twice.

 

As we all drift towards XHTML compliance we begin adding a slash at the end of tags. For example, <img src="foo.jpg" />. In the past we didn't worry about that ending slash.

 

So, my cfmodule was <cfmodule template="foo.cfm" id="1" />

 

It was the darn closing slash that told ColdFusion to output the content twice.
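The reason, and a way to make the template behave either way, as an added example that is not part of the original post: a template called through cfmodule runs as a custom tag, and a tag written with a closing slash is treated as having an end tag, so ColdFusion executes the template once in start mode and once in end mode. Guarding the output on thisTag.executionMode makes foo.cfm (the template name from the post; id is the attribute the post passes) render once however it is invoked.

```cfml
<!--- foo.cfm, called as <cfmodule template="foo.cfm" id="1" /> or
      <cfmodule template="foo.cfm" id="1">. Added example, not the post's code. --->
<cfparam name="attributes.id" type="numeric">

<!--- A self-closing cfmodule runs this template twice: once with
      thisTag.executionMode "start" and once with "end". Render only in "start",
      so the output appears exactly once for either form of the call. --->
<cfif thisTag.executionMode EQ "start">
    <cfoutput>
        <div class="record">Record #attributes.id#</div>
    </cfoutput>
</cfif>
```

Dropping the trailing slash, as the post did, also fixes it; the guard simply makes the template safe for callers who keep the slash.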

 

ColdFusion.setSubmitChecked Javascript Error

I recently encountered the error "ColdFusion.setSubmitChecked" when loading a page that contained a cfform inside a cfdiv. Below is an example of the code I was using.

 

<cfdiv>
    <cfform>
        <cfinput type="submit" name="thisButton" id="thisButton" value="submit">
    </cfform>
</cfdiv>

 

I had recently updated to version 8.01 of ColdFusion. The thought of that update jogged my memory. This project is using a copy of the "scripts" directory in the root directory; I was NOT pointing to the "scripts" directory under the CFIDE directory. I thought, why not? So I archived my old Ajax files and moved a fresh copy over from /CFIDE/scripts/. What do you know, that solved the problem.

 

That's two bugs I've found AFTER they have been fixed. Guess I'm just lucky that way.


I'm the new BACFUG Co-Manager

Last week I accepted Sean Corfield's generous offer to be the co-manager for the Bay Area ColdFusion User Group. As co-manager I'll run the meetings if Sean can't make it and help out with finding sponsors and speakers.

Very excited to have this chance to give back to the community.

 

failed: DDXM_S18005: An error occurred in the PrepareTOC phase while building .

I encountered this bug while using DDX and the cfpdf tag in ColdFusion to generate a table of contents (TOC) for my PDF.

 

If you are having the same problem, don't panic; there is a solution.

 

Install the ColdFusion 8.01 (or later) update from Adobe.

 

I found the following in the release notes.

 

Issue Number 69567

When the cfpdf tag prepares to generate a table of contents, if any font that is required to create the output PDF is unavailable, the assembler processing fails. The error message is cryptic and only says "cause given". To get more information, enable robust debugging in the ColdFusion Administrator. The full stack trace should show the cause.

 

This could be a separate issue, but it sounds somehow related to the error message I was receiving. Either way, the problem was resolved by version 8.01.

 

Securing your ColdFusion Application Part 2

You can find part one of securing your ColdFusion applications here. Part two will focus on securely storing your data.

Step 5 - Use Secure Socket Layer

Use SSL (https) when passing sensitive data to and from your server. This is a no-brainer, but I mention it since passing data insecurely will defeat the purpose of storing it securely.

Step 6 - Encrypt your passwords

ColdFusion provides one-way hashing using the hash() function. You won't be able to recover the passwords from the stored values, but neither can any hackers. When a user submits their password you run it through the hash function and compare the result with the hashed password value in your database. ColdFusion 7 improved the hash function by adding support for additional hash algorithms. Pete Freitag has a nice write-up on it at http://www.petefreitag.com/item/270.cfm.
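Storing and checking a password with hash(), as an added example that is not the post's code. It adds a per-user random salt, so two users with the same password do not end up with the same stored value, and it binds every value with cfqueryparam. The Users table, its PasswordHash and PasswordSalt columns and application.dsn are assumptions made for the example.

```cfml
<!--- Added example, not from the original post. Table and column names and
      application.dsn are assumptions. --->

<!--- Salted one-way hash; SHA-512 is one of the algorithms hash() accepts in ColdFusion 7+ --->
<cffunction name="hashPassword" returntype="string" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfreturn hash(arguments.salt & arguments.password, "SHA-512")>
</cffunction>

<!--- Registration: generate a salt and store only the salt and the hash --->
<cffunction name="createUser" returntype="void" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var salt = hash(createUUID() & getTickCount(), "SHA-256")>
    <cfquery datasource="#application.dsn#">
        insert into Users (UserName, PasswordHash, PasswordSalt)
        values (
            <cfqueryparam value="#arguments.username#" cfsqltype="CF_SQL_VARCHAR">,
            <cfqueryparam value="#hashPassword(arguments.password, salt)#" cfsqltype="CF_SQL_VARCHAR">,
            <cfqueryparam value="#salt#" cfsqltype="CF_SQL_VARCHAR">
        )
    </cfquery>
</cffunction>

<!--- Login: fetch the user's salt and hash by name, then compare hashes.
      The submitted password itself never goes into the SQL. --->
<cffunction name="checkLogin" returntype="boolean" output="false">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var user = "">
    <cfquery name="user" datasource="#application.dsn#">
        select PasswordHash, PasswordSalt
        from Users
        where UserName = <cfqueryparam value="#arguments.username#" cfsqltype="CF_SQL_VARCHAR">
    </cfquery>
    <cfif user.recordCount NEQ 1>
        <cfreturn false>
    </cfif>
    <!--- compare() is case-sensitive and returns 0 when the strings match --->
    <cfreturn compare(user.PasswordHash, hashPassword(arguments.password, user.PasswordSalt)) EQ 0>
</cffunction>
```

The hash() function in ColdFusion 7 and 8 only offers fast digests (MD5, SHA family); the salt stops precomputed tables from covering every user at once, which is the most a fast digest can give you.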

Step 7 - Help users reset forgotten password

In the past developers have used the "forgot password" feature to email users their password or to ask them a "secret question/answer". Both methods are a security risk. If you email their existing password and someone gains access to that email, other accounts that use the same password would be compromised. The secret question/answer method may ask the user for "the street they grew up on" or their "high school mascot". This method of password retrieval has gotten more insecure as we share more personal information through social networks. The method I chose is to set a temporary password or reset key in the database and email that to the user. I also insert the date/time of the request so the temporary password/reset key will expire after a period of time (4 to 24 hours).
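The reset-key approach described above, as an added example that is not the post's code: a random key is mailed to the user, only a hash of it is stored, and the 4-hour window is enforced in the lookup query so an old key cannot be replayed. A PasswordResets table (UserID, ResetKeyHash, Requested), application.dsn and the example.com addresses are assumptions.

```cfml
<!--- Added example, not from the original post. PasswordResets table,
      application.dsn and the example.com addresses are assumptions. --->

<!--- Step 1: create a key, store its hash and the request time, mail the key --->
<cffunction name="requestReset" returntype="void" output="false">
    <cfargument name="userID" type="numeric" required="true">
    <cfargument name="email" type="string" required="true">
    <!--- unguessable key; only its hash is stored, so a copy of the table
          alone is not enough to reset anyone's password --->
    <cfset var resetKey = hash(createUUID() & getTickCount(), "SHA-256")>
    <cfquery datasource="#application.dsn#">
        insert into PasswordResets (UserID, ResetKeyHash, Requested)
        values (
            <cfqueryparam value="#arguments.userID#" cfsqltype="CF_SQL_INTEGER">,
            <cfqueryparam value="#hash(resetKey, 'SHA-256')#" cfsqltype="CF_SQL_VARCHAR">,
            <cfqueryparam value="#now()#" cfsqltype="CF_SQL_TIMESTAMP">
        )
    </cfquery>
    <cfmail to="#arguments.email#" from="support@example.com" subject="Password reset">
        Use this link within 4 hours: http://www.example.com/reset.cfm?key=#resetKey#
    </cfmail>
</cffunction>

<!--- Step 2 (reset.cfm): look the key up and enforce the 4 hour window in SQL.
      Returns 0 when the key is expired, unknown or already used. --->
<cffunction name="userForResetKey" returntype="numeric" output="false">
    <cfargument name="resetKey" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="#application.dsn#">
        select UserID
        from PasswordResets
        where ResetKeyHash = <cfqueryparam value="#hash(arguments.resetKey, 'SHA-256')#" cfsqltype="CF_SQL_VARCHAR">
          and Requested > <cfqueryparam value="#dateAdd('h', -4, now())#" cfsqltype="CF_SQL_TIMESTAMP">
    </cfquery>
    <cfif q.recordCount EQ 1>
        <cfreturn q.UserID>
    </cfif>
    <cfreturn 0>
</cffunction>

<!--- Step 3: once the new password is saved, make the key single-use --->
<cffunction name="deleteResetKeys" returntype="void" output="false">
    <cfargument name="userID" type="numeric" required="true">
    <cfquery datasource="#application.dsn#">
        delete from PasswordResets
        where UserID = <cfqueryparam value="#arguments.userID#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>
</cffunction>
```

reset.cfm calls userForResetKey(url.key), shows the new-password form only when it returns a user id, and calls deleteResetKeys after the new hash has been written.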

Step 8 - Encrypt and decrypt sensitive data, specifically credit card numbers

Now, let me start off by saying storing credit card data is risky business. So, unless you really need to store it, you shouldn't. A situation where you might want to store credit card data would be a subscription service. With ColdFusion you can use the encrypt() and decrypt() functions. The functions support several encryption algorithms.

 

Application.cfc

<!--- GenerateSecretKey takes the algorithm name and returns a new random key --->
<cfset request.mySecretKey = GenerateSecretKey("AES")>

process.cfm

<cfset stringToEncrypt = "4111111111111111">
<cfset key = request.mySecretKey>
<cfset algorithm = "AES">
<cfset encoding = "hex">

<!--- encrypt returns the ciphertext; decrypt takes that ciphertext, not the original string --->
<cfset encrypted = encrypt(stringToEncrypt, key, algorithm, encoding)>
<cfoutput>
#encrypted#
#decrypt(encrypted, key, algorithm, encoding)#
</cfoutput>

Of course, you could store the secret key in a location other than Application.cfc. This is just an example of how to generate and save the secret key; whatever location you choose, the same key must be available every time you decrypt.
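How the key can be generated once and kept, as an added example that is not the post's code: Application.cfc reads the AES key in onApplicationStart from a file outside the web root and only calls generateSecretKey("AES") when that file does not exist yet, and process.cfm decrypts the stored ciphertext rather than the original number. The key file path, the application name and the test card number are assumptions or constructed values.

```cfml
<!--- Application.cfc (added example, not the post's code). A key generated on
      every request would change on every request, and nothing stored under an
      earlier key could be decrypted again, so the key is created once and read
      from a file afterwards. The path and application name are assumptions. --->
<cfcomponent output="false">
    <cfset this.name = "SubscriptionApp">

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- assumed location; use a directory the web server cannot serve --->
        <cfset var keyFile = "/etc/subscriptionapp/card.key">
        <cfset var keyText = "">
        <cfif NOT fileExists(keyFile)>
            <cffile action="write" file="#keyFile#" output="#generateSecretKey('AES')#" addnewline="false">
        </cfif>
        <cffile action="read" file="#keyFile#" variable="keyText">
        <cfset application.cardKey = trim(keyText)>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- process.cfm --->
<cffunction name="encryptCard" returntype="string" output="false">
    <cfargument name="cardNumber" type="string" required="true">
    <cfreturn encrypt(arguments.cardNumber, application.cardKey, "AES", "hex")>
</cffunction>

<cffunction name="decryptCard" returntype="string" output="false">
    <cfargument name="cipherText" type="string" required="true">
    <!--- decrypt takes the stored ciphertext, not the original number --->
    <cfreturn decrypt(arguments.cipherText, application.cardKey, "AES", "hex")>
</cffunction>

<!--- constructed test card number, not real data --->
<cfset stored = encryptCard("4111111111111111")>
<cfoutput>
    stored:    #stored#<br>
    recovered: #decryptCard(stored)#
</cfoutput>
```

With the plain "AES" algorithm name ColdFusion uses ECB mode, so two identical card numbers produce identical ciphertext; ColdFusion 8 also accepts "AES/CBC/PKCS5Padding" with an IV argument to encrypt() and decrypt(), which avoids that at the cost of storing the IV next to each value.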

Step 9 - Don't use the SA account in the CF administrator

When you create your database, also create a new login user and grant this new user access to your database. But limit that access to only the database operations you want your application to use. For example, allow inserting, updating and deleting records, but leave out creating and dropping tables.

Step 10 - Use Captcha

Add a captcha image on pages that are potential hacking targets. For example you could add captcha to your login page.

 

Well that does it. Happy Coding.

 

Time Machine error unable to complete backup

Call Doc Brown, there is something wrong with the DeLorean.

 

I've been using Leopard's new Time Machine for backing up my MacBook Pro for the past two months with no problems. The other day during a routine backup I got the message "Time Machine Error, Unable to complete backup. An error occurred while creating the backup directory." By the way, I'm using a 1TB Time Capsule to perform my Time Machine backups.

 

Picked up the phone and called Apple Support. Here are the steps.

 

  1. Shut down my Mac
  2. Unplug the Time Capsule (why no on/off switch?)
  3. Launch Disk Utility (Go to Applications > Utilities > Disk Utility)
  4. Open Finder (or double click hard drive)
  5. On the left side you should see your Time Capsule; select it and, if necessary, click "Connect As" and log in.
  6. Open up your backup folder and you should see a .sparsebundle file. Click and drag that over to the left side of Disk Utility.
  7. Select the Time Capsule in Disk Utility and click Repair Disk.

Now here is the interesting thing. While I waited hours for this repair to take place I launched VMware Fusion running Windows 2003 and got the blue screen of death. A message appeared that asked to shut down Windows and allow it to run chksum. I shut down Windows from VMware; after running chksum, Windows booted fine.

I have no idea if the VMware crash was related to the Time Machine error, but it is possible.

After the Disk Repair completed, Time Machine is up and running again.

Houston we have a problem with Data Import/Export in SQL Server 2005 DTS

I've been working with SQL Server 2000 DTS (Data Transformation Services) for some time. DTS allows you to drop and create tables as well as import or export complete data sets between different database instances. For example, I work with a local copy of the database and want to deploy changes to a staging server database during the development process.

 

Recent experience with SQL Server 2005 has left me disappointed in Microsoft yet again. My development environment is SQL Server 2000 running on VMware Fusion on a Mac. First, I discovered that you could not use SQL Server 2000 DTS tools to update database schema/data in a SQL Server 2005 database. So ... I purchased the developer edition of SQL Server 2005, which includes SQL Server Management Studio. I thought this would be the end of my difficulties, but I was wrong. DTS in SQL Server 2005 does not create primary keys, indexes or default values. A simple example would be an "id" field that auto increments.

 

Your original data

  id  firstname  lastname
  1   Jim        Smith
  2   Bill       Johnson
  4   Bob        Jones
  5   Al         Green

After DTS in SQL Server 2005

  id  firstname  lastname
  1   Jim        Smith
  2   Bill       Johnson
  3   Bob        Jones
  4   Al         Green

 

As you can see, the data is corrupted: the identity column was regenerated, so the ids no longer match the original rows.

 

Others have blogged about this issue and indicate that Microsoft isn't moving to solve this problem anytime soon. So, I've documented my workaround and created a PDF for others to use.

 

Here are the basic steps.

  1. Generate SQL Scripts to create your tables
  2. Use a third-party utility called Simple SQL Bulk Copy. This will preserve your primary key information during the export process.

 

Florida voter registration form demonstrates poor usability

I won't delve into the politics of this voter registration form.  All I'll say is "It's Florida.  Do you remember the election of 2000?".  What I want to talk about is how Florida's voter registration form demonstrates the challenges of usability when creating forms.

 

Here is a screen capture of the form.  You can download a copy of the original pdf here.


I'm going to address question number 4, because it's a recent addition to the form.  Take a moment to read it.  What's wrong with this?

 

I affirm I have not been adjudicated mentally incapacitated with respect to voting or, if I have, my right to vote has been restored.

 

The checkbox is blank. Therefore, you must opt in or you are too crazy to vote. This wouldn't be a big deal if I was opting in for a magazine subscription, but the residents of Florida will lose their right to vote if they don't check this box. Have you ever made a mistake filling out a government form? Ever incorrectly read or skipped over a question? Pretty big consequences for a little checkbox.

 

When we encounter this type of problem in web development, how can we minimize user error while completing the form?

 

  1. We could change the question into a positive question. It would look like this: "I am currently mentally incapacitated with respect to voting." Think about it. 99.9% of the population could ignore this checkbox. And that would be appropriate.
  2. We could keep the question the same and default the checkbox to "checked". Again, make the .1% take action and uncheck it.
  3. If we keep the question the same and the person checks it, have a message appear upon submission. Ask the person to confirm their answer regarding being mentally incapacitated with respect to voting. This will provide the necessary feedback at the soonest possible moment.

 

So, keep in mind when creating checkboxes, radio buttons, select boxes, etc. that the default SHOULD be the most common answer. This will help users complete forms in the quickest and most accurate way.

 

A shout out to the folks at "Wait Wait Don't Tell Me", the NPR news quiz show for mentioning the Florida Voter Registration form on their show.

 

Secure ColdFusion Application from hackers – Part 1

Recently, I received a phone call from a former client about an application I worked on in 2001. The e-commerce site was written during the ColdFusion 5 days and has been running ever since. Unfortunately, he was calling to say they'd been hacked. Below are the steps I took to secure the application against SQL injection, cross-site scripting attacks and general probing by hackers.

Step 1 - Upgrade to ColdFusion 7 or higher


Running ColdFusion applications on pre-ColdFusion MX (6.1) servers poses some security risks. Upgrade to ColdFusion 7 or 8 to take advantage of the security measures in this post. One caveat before you upgrade: test your application on the new version of ColdFusion before deploying it to your production server. I can't stress this enough. You don't want your customers seeing errors because you haven't tested your old code on the new version of ColdFusion.

 

One error I found with my client was the use of dot notation when naming application variables. For example, we set common email addresses in the Application.cfm file and used names like application.email.service = "jim@acme.com". This works fine under ColdFusion 5, but throws a Java exception in ColdFusion MX and higher. Why is this? Newer versions of ColdFusion treat dot notation as structure access: "object.property" is the key "property" in the structure called "object", so application.email must already exist as a structure before application.email.service can be assigned. Read more about Structures.

Step 2 – Move from Application.cfm to Application.cfc


Ben Nadel does a great job breaking down the features of Application.cfc in this post.

 

Hackers want information about your application, code, database, etc.  "Oh, the better to hack you with my pretty." (said in your best evil witch voice).

 

Use the onError() function of Application.cfc to do a few things. See the code below.

<cffunction name="onError">
    <cfargument name="Except" required="true">
    <cfargument name="EventName" type="String" required="true">

    <!--- Throw validation errors to ColdFusion for handling. --->
    <cfif Find("coldfusion.filter.FormValidationException", Arguments.Except.StackTrace)>
        <cfthrow object="#Arguments.Except#">
    <cfelse>

        <!--- First, display a generic message for anyone who encounters an error. --->
        <cfoutput>
        <div>
            Oops, an application error has occurred. The webmaster has been notified.
        </div>
        </cfoutput>

        <!--- Second, fire off an email alerting you an error was generated. --->
        <cfmail to="myname@mydomain.com" from="myname@mydomain.com" subject="Application Error" type="html">
            <cfdump var="#Arguments.Except#" label="Error Details">
        </cfmail>

    </cfif>

    <!--- Third, log all errors in an application-specific log file for later review. --->
    <cflog file="#This.Name#" type="error" text="Event Name: #Arguments.EventName#">
    <cflog file="#This.Name#" type="error" text="Message: #Arguments.Except.Message#">
</cffunction>

The less hackers know about your application the better.

Step 3 – Secure any variables passed via Forms or URLs.


Variables passed via URLs are especially vulnerable to hackers. There are two ways you can secure them. First, use <cfparam> and set the type for any numeric values.

 

For example, foo.cfm?id=1 can easily be modified to foo.cfm?id=1 and 1 = convert(int,(select top table_name from information_schema.tables)). 

 

Add cfparam at the top of your page to prevent non-numeric values.

<cfparam name="id" default="0" type="numeric">

You should also secure all values passed into the cfquery tag. ColdFusion MX and higher support the <cfqueryparam> tag. Use it at all times.

 

Here is the non-secure query (form values are interpolated straight into the SQL):

<cfquery name="login" datasource="#application.dsn#">
         select *
         from Users
         where UserName = #form.username#
         and Password = #form.password#
</cfquery>

 

Here is the secure query (each value is bound as a typed parameter):

<cfquery name="login" datasource="#application.dsn#">
         select *
         from Users
         where UserName = <cfqueryparam value="#form.username#" cfsqltype="CF_SQL_VARCHAR">
         and Password = <cfqueryparam value="#form.password#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>

STEP 4 – Protect against malicious html code (cross-site scripting attacks).


Hackers will try to insert HTML code to attack you and/or your users. They will use the <script>, <object>, <embed> and other tags to run malicious code through your site.

 

The ColdFusion 7 Administrator has a setting you can turn on to protect against such an attack. Log in to the ColdFusion Administrator and click on Settings. Near the bottom is a check box labelled "Specify whether to protect Form, URL, CGI, and Cookie scope variables from cross-site scripting attacks". Check that box!

 

If you want extra protection or can't access the ColdFusion Administrator, there is a great custom tag called CodeCleaner. Download CodeCleaner here and place it with your other custom tags. Then add this code at the top of your page.

<!--- CodeCleaner returns the cleaned value in the variable clean_code --->
<CF_CodeCleaner INPUT="#form.UserName#"><cfset form.UserName = clean_code>
<CF_CodeCleaner INPUT="#form.Password#"><cfset form.Password = clean_code>

This will remove any "bad" html a hacker may try to insert into pages or a database.
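Steps 3 and 4 together on one page, as an added example that is not the post's code: the id from foo.cfm?id=1 is typed by cfparam so the modified URL in step 3 is rejected before any SQL runs, the value is bound with cfqueryparam, and anything read back from the database is HTML-encoded on output with HTMLEditFormat() so a stored <script> tag is displayed as text rather than executed. The Products table, its columns and application.dsn are assumptions.

```cfml
<!--- foo.cfm (added example, not the post's code). Products table, its
      columns and application.dsn are assumptions. --->

<!--- cfparam with type="numeric" throws on anything that is not a number,
      so "1 and 1 = convert(...)" never reaches the query --->
<cftry>
    <cfparam name="url.id" type="numeric" default="0">
    <cfcatch type="any">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid id.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- the id is sent as a typed bind parameter, not spliced into the SQL text --->
<cfquery name="product" datasource="#application.dsn#">
    select ProductID, Name, Description
    from Products
    where ProductID = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<cfif product.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>No such product.</cfoutput>
    <cfabort>
</cfif>

<!--- HTMLEditFormat escapes <, >, & and " so stored markup is shown, not run --->
<cfoutput>
    <h1>#HTMLEditFormat(product.Name)#</h1>
    <p>#HTMLEditFormat(product.Description)#</p>
</cfoutput>
```

Input cleaning (the Administrator setting or CodeCleaner) and output encoding complement each other: the first limits what gets stored, the second makes sure that whatever is stored cannot run in a visitor's browser.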

 

That's it for Part 1 of securing your ColdFusion applications.

 

If you have suggestions for Part 2, please let me know and Happy Coding.

 

More Entries