I know this is a bit of a thread hijack... Sorry about that, But I am super
curious how things have been working out using Railo in a production
Environment..
Speed-wise, it's great. And I love some of the configuration options Railo
gives you as well, although since my code is designed to run
I'm strongly considering dumping Plesk. It seems designed for people
who want to offer public
hosting services
Exactly, it's built so you can just hand off a login to the customer and let
them manage everything themselves, perfect if you are reselling hosting. If
your clients don't access
Not dissing anyone. Just curious. With all the ORMs and code generators out
there, why are you not using cfqueryparam?
One reason I can think of is that until recently you could not use it with
cached queries. For those of us that have to support older versions of
ColdFusion, it's definitely a
Please advise about Spry screen dimmer effect.
Does it exist?
Do you mean a lightbox? Not to my knowledge, but you can certainly use others
with it. There is a Spry Forum here:
http://www.adobe.com/cfusion/webforums/forum/categories.cfm?forumid=72&catid=602
--- Mary Jo
What do you think about this solution for sites with 5000 files:
This looks similar to the solution I am providing to my customers (I have a lot
that run old releases that are not as well protected as my current one and have
little desire to either update their software *or* the code). I used
Ok gonna check that out thanks.
I just uploaded a new version that includes the cookie scope, and commonly used
CGI vars as well.
While this has been a headache to deal with, at least it might convince more of
my customers to get around to updating their sites. ;-) It often doesn't matter
This will fix a problem in which a long string containing too many back
references for non-word chars can cause a stack overflow. As much as I love
CF, I find the native regex implementation sadly lacking.
Thanks for the update... I'm not sure if any of my customers are using a host
that
The code on my blog is a working example, but it's not
drop in ready - you would still need to check the form and cookie scope
for example... So either way you will need to do some tweaking to get it to
work for you situation.
I'm going to post an updated version of my tool later today, just want
Version 2 of the scanner I did is now available here:
http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18
This has *not* been heavily tested as of yet, so use at your own risk!
--- Mary Jo
~|
Adobe®
There was a little mistake in the scanner I posted earlier that could cause it
to hang, if anyone downloaded it before, please grab the updated copy.
In just some basic iteration checking, the new version does appear to be
MaryJo produces a product that she supports on older platforms, hence
the need to bypass cfqueryparam.
Actually, that's not really the issue so much as customers that are running
older versions of my software that don't have all the text inputs covered with
cfqueryparams. While this is
Captcha drives me crazy. Sometimes on other folks' sites I have to sit
there and guess the freaking crooked letters four or five times before
I get it right. Is that a lower case or upper case W - damn, got it
wrong. Sheesh..
AMEN! I detest captcha with a passion, it's rare that I get it
1) It protects only against known threats. In order to be excluded we have
to be a step far enough ahead to make sure the pattern is included.
2) It will produce false positives.
3) It is not role or user based.
4) Tend to give a false sense of security.
Just to add to this, in my own testing
I am planning some e-commerce work with a client of mine and they have
read about MIVA and they are very impressed by it. I have read a bit
about it, but I have to confess that I don't feel like I really
understand what it is or the advantage it offers.
While I've not used it myself I do
I also had a concern about thread safety; it's caching the java.util.
regex.Matcher object in Application scope, and calling Application.
injChecker.reset(testvar) for each url/form/etc variable -- seems like
Matcher.reset() changes state of the cached Matcher object?
Thanks for pointing
I am currently using the SQLprev.cfm from Jochem to stop the onslaught
of superfluous bandwidth suckage from my server, but was wondering
what the difference would be with this one.
Since I am not familiar with his, I cannot say what the difference would be. I
did include URL, form, cookie
When you say Update Your Code, are you saying using cfqueryparam?
Yes, that's what he is saying.
So, go back and fix 1,000s of lines
of code I have developed over the last 'umpteen' years or stop it
before it starts?
Because if you don't, you are putting a LOT of faith in these
P.S. Speaking of Smack Down's. Mary Jo's got a great right cross :) Go
get'em girl!
LOL, actually I am a pacifist at heart and always try to not lose my temper
(serves me well with customers, particularly the endlessly annoying ones!)
As for not knowing what cfqueryparam is and how to
Eric is pretty good at the Smack Down too, Eric The Great takes David
the Geek over the ropes and into the first row of chairs! (Yes, I am
from the South and everything references Wrestling or Nascar)
Here's another smack down for you... it would be nice if you could remove all
the extra
Can anyone suggest a modification to the code
that would eliminate the false positives without substantially
weakening the filter?
The one in there now is by Luis Melo and his email is in the credits. You might
want to send them along to him as I know he plans to work more on reducing the
My site has community profiles for cities and towns. The URL for these
profiles includes the county name as well as the city or town name.
There are Union counties in North Carolina, New Jersey and Ohio.
Or...maybe you could just get the states to rename that county. ;-)
I've done some additional testing and have found that the prior
version of the SQL Injection Blocker does better when challenged with
the HP Scrawlr testing tool than the newest version. Rolling back to
the prior release also solved the false positive problem for the three
towns mentioned
I have columns in MySQL database containing boolean values, using a data
type of unsigned tinyint. Would the cfsqltype of cf_sql_tinyint or
cf_sql_bit be best to use? If using cf_sql_bit what does cfqueryparam do
in that case with values such as -1 or 3 - will it cast them to 1/0,
or will it
Although it really depends on what you're doing with it (for instance,
if you
need to redistribute a CF server bundled with your closed-source
application,
you can't use OpenBD).
I've not worked with OpenBD yet, but in my experience with BD in the past, and
with Railo, BD seems to
I'm sure someone with MySQL experience (more recent than a decade) can chime
in with reviews/recommendations. Those were just from a quick Google search
and vague recollections of hearing about those tools in the past.
I'm a big fan of Navicat, and use it fairly exclusively. But if you want a
, with a very minimal amount of stuff needing to be kept in
the session and/or cookies.
So a lot depends on how simple you intend the cart to be, and the likelihood of
it becoming more complex over time.
Mary Jo Sminkey
mar...@dogpatchsw.com
Author of CFWebstore, CF-based E-commerce
http
information to a temp
table, again, so it is available if I want to view that information on the
merchant end, but otherwise I don't tend to use something like client scope for
things like this that I don't need to persist for any length of time. But
either will certainly work fine.
Mary Jo
IMHO kickassvps.com offers the best bang for the buck I have seen to date in
that price range (however cloud hosting is starting to look very
attractive).
Another vote for KickAss. I have one client running Railo on their Windows VPS
and haven't had any problems since setting it up about 6
Assuming you're not opposed to books, www.protonarts.com (when the site's
working :-( ) has two books you should purchase: Fusebox 5 FLiP:
Master-Class ColdFusion Applications and How to Drive Fusebox 5.5 both by
Jeff Peters (www.grokfusebox.com).
I'm not really sure I'd recommend the Fusebox
. Is there any reasonably
easy way to do this in CF7 (or even CF6)? I have a LOT of customers still on
CF7 and AuthNet is by far the most popular gateway, and I need to find them a
solution, as upgrading to CF8 may not be a viable solution for many of them.
---
Mary Jo Sminkey
CFWebstore
recommend reviewing the white paper Analysis of the SSL 3.0
Protocol.
If you have any questions, please contact develo...@authorize.net.
Sincerely,
Authorize.Net
---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com
of the
cfhttp tag. But as for how to test and know if this is working, you've got me
stumped! I see nothing in the Authorize.Net settings, or anything whatsoever in
the documentation that tells where to get the certificate, how to test it, etc.
---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
problems with it. In corresponding
with AuthNet, they did say that they will try to roll out the requirement on
the test server first so we can check our sites and make sure they are still
working, but I don't have a date from them yet on when they expect to be able
to do that.
---
Mary Jo Sminkey
to determine exactly
*which* versions of CF do support SSL v3.0 by default. Like you, I'm hoping
they get the test server ready sooner rather than later so we can run some
tests with different versions and see what works and what doesn't and go from
there.
---
Mary Jo Sminkey
CFWebstore, ColdFusion
will be okay.
---
Mary Jo Sminkey
CFWebstore, ColdFusion-based Ecommerce
http://www.cfwebstore.com
something from scratch, depending on the level of functionality
you needed.
---
Mary Jo Sminkey
Author of CFWebstore, ColdFusion Ecommerce
http://www.cfwebstore.com
I tried leaving emailServer blank in the cffp.ini.cfm file and email
is not delivered.
You would probably have to modify any cfmail tags in the code to not include
the server attribute. Otherwise, CF will complain if it's left blank.
--- MJS
Are you guys saying that I should force my client to require their client to
create a user account? Or am I missing something here in the semantics?
Because I don't see another solution.
If they want to view order history, yes, that's the easiest way to ensure
security for viewing the
China, as all these attacks do seem to originate there.
---
Mary Jo Sminkey
Author, CFWebstore - ColdFusion Ecommerce
http://www.cfwebstore.com
Of course, this approach will require some method for them to unlock
their account.
A couple options for this... one is to add a timestamp to the users table as
well for last login attempt, and reset the counter if the account is locked
once a certain time is up (I usually use an hour). If
I have about 6 sites that run CF and need to move them to a new host.
Any recommendations? I see that GoDaddy offers CF for $1.99 a month. Has
anyone used them? Or does anyone have any recommendations?
Personally I would get a VPS from Kickass and stick Railo on it and that will
run all your
I do declare that keyword matching alone has issues :-)
Yeah, that can really bite you in the butt!
We've been having pretty good results with the tool that is posted over at my
site. It does a fairly decent job of catching most injection and XSS attacks
and with some recent updates that I
CF8 (64 bit)/Vista Professional (64 bit)/IIS7 This is my development
workstation and I am using localhost.
For some reason, debug output isn't showing up; I've tried any number of
options in CF Administrator settings -- classic and AJAX both, to no avail.
I am not using cfsetting to restrict
Try adding the IPv6 address or disabling IPv6. The local loopback uses
it.
Also look through the code for any cfsetting showdebugoutput=no
Thanks for the ideas... definitely nothing in the code that is turning the
debug off, that was the first thing I checked. ;-) I was going to try your
I know it's the obvious, but Vista has many ways of preventing services from
accessing critical processes, make sure the built-in Firewall is not
blocking the ports or the JVM.
Thanks for the thoughts, but nope, nothing that I can find that would seem to
be an issue. I did end up reinstalling
I just tested this on my laptop (CF 9 multiserver, Windows 7 64-bit)
and didn't get any debug output initially through IIS, but did get it
through the built-in JRun web server.
I'm currently just using the built-in web server, so it's not an IIS issue.
It definitely is only affecting my CF8
Yes Maureen - I know this. What we are asking is - What if the customer
DOESN'T WANT TO USE THOSE - What if they want you to store the credit card
anyway... regardless of compliance. (Compliance isn't law...) What if that
is your option?
Actually, there *are* states that have made compliance a
Not sure where my earlier reply to this went, but the list (online at least)
was being a little wonky yesterday so I'll try again...
I wonder if you have the right check boxes checked (they are different between
the 2). In CF7 it's "enable debugging" but in CF 8 it says "enable request
debugging"
So how does everyone upload data to their shared hosting remote databases??
I don't know of anything to do this specifically built just for MSSQL but I've
become a big fan of the convert/sync tools made by the folks at dbconvert.com,
and they do have ones that could handle this type of thing.
I'll try a delete and re-install, too. Anyone know of any issues running
CFB on 64-bit Win7?
Yes, a lot of us saw a lot of crashes on this latest build, particularly on
Win7 64. I was lucky enough to have one of the CFB team get in touch with me
and have been able to work with a later build
I'm looking for a shopping cart that I can use to take orders that are
subscription based on recurring purchases. I've looked at Google's
offering which is EXPERIMENTAL and Authorize.net's service. Can
anyone recommend a service that is easy to manage? Both Google and
Authorize.net
The cost has to do with Adobe being a publicly traded company needing to
generate revenue and hopefully post a profit. The cost would therefore more
likely be based on the amount of effort (time/money) involved in developing
(research, planning, developing, testing, marketing) the product.
A
If your last experience with CFB was the last public beta, then you
are really not giving CFB a fair shake.
Actually, I have been using a later build than the last beta, so I do know of a
fair number of issues that were fixed. But I am assuming that the bug database
is correct in terms of
I'm not sure what I wrote that triggered that, but no, that's not what
I mean at all...I just meant that if Adobe charges $300 for an original
product, then a product that derives so much benefit from other currently
functioning and successful programs should sell for less.
For what it's worth,
Let's be fair Rick, ColdFusion Builder can and will be installed as a stand
alone product in a very large number of cases.
True... but I wonder if that will continue to be an issue when installing
updates, as it was with the betas. Normal Eclipse plugins update much more
elegantly than CFB
Is the ColdFusion Server actually going to be free to
education systems? I had not heard that.
Yes, CF 9 is free for educational use, but good luck finding information on
their website about it, it's pretty well hidden! I think you have to go into
the product FAQs to even find mention of
ColdFusion 9 / ColdFusion Builder / Flash Builder 4, free for education at
http://freeriatools.adobe.com
That's nice, but why isn't the information *clearly* outlined on the main Adobe
CF9/CFB pages? Or at least, an obvious link in the informational links on the
right? If you go to the
to allow it to run inside another application with minimal effort,
and will hopefully be moving into testing fairly soon. I've specifically been
working with Mura as the testing platform, but the changes should typically
allow you to run it in a variety of other CMS products as well.
---
Mary Jo
to sort out (like getting SES links to work properly).
If you're interested in following the progress, and/or helping test it out,
feel free to contact me off-list.
---
Mary Jo Sminkey
mar...@dogpatchsw.com
CFWebstore, ColdFusion Ecommerce
http://www.cfwebstore.com
Before I go writing my own CAPTCHA generating method I just want to check to
see if CF has something to offer along those lines.
Frankly, I'd dump the user-unfriendly captcha and use cfformprotect
http://cfformprotect.riaforge.org/
--- Mary Jo
Again, I must make the argument why CF and not ASP.NET.
Brand New - In Defense of CF:
http://www.terrenceryan.com/blog/post.cfm/dear-coldfusion-skeptic
--- Mary Jo
With the limitations on budget in today's economy, few companies can
afford money for both. I'd much rather the money be spent on
development. Frankly, if I get another overpriced glossy marketing
packet from Adobe when they are cutting staff in product development,
I'm gonna barf.
As someone
Saying that the USD 200,- that Mary Jo asks for her CFWebstore is too
much seems like an oddity to me. If the customer cannot pay USD 200,-
for the licence, how on earth is the customer able to pay for the
consultant/developer fees for installing and modifying the webshop if
needed?
I've run into a frustrating issue while trying to use Solr search in CF9. I'm
not sure if the Verity has the same problem, but basically the problem is that
I have 3 different queries I want to index into a single collection and if I
purge the collection first, it is refusing to index all
When you cfdump an ORM entity, it tries to show _everything_. You can
control how many levels are displayed by using the top attribute.
I agree that writedump really can be problematic when working with ORM
objects...but I've not seen that the top attribute helps. According to the
docs, it
I posted this over on the CF-ORM list on google, but not much luck, so thought
I'd see if any of you smart HOF folks know. ;-)
According to the CF 9.01 release notes, you can now use a structure
for setting the application.datasource setting. I really would like to
do this for an ORM
The CF documentation is a good place to start:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSd160b5fdf5100e8f790124b112a3b8b2adb-8000.html
this.datasource={name='cfartgallery', username=user, password=passwd}
Believe me, I *looked* long and hard in the docs and never found
What I like about git is the ability to work offline and still commit
changes, the lightweight branches and generally easier merging.
I also like that you have a copy of the entire repository, if you use hosting
it makes it very easy to change hosts.
Currently though I am using the hosted
Is anyone using the JRockit JRE (with Mission Control) on ColdFusion 9.01 (I'm
on Win 7 64-bit, standalone)? I'm having trouble getting ColdFusion to start up
when I point it to the JRockit JRE and not sure what the problem is. I'm
leaving out the Mission Control config in the args just to
What is in the log file? CF needs a JDK, not a JRE.
JDK?? Are you sure about that?? I'm not sure what it would do with the JDK.
I'm basically trying to follow the instructions in this blog post to track
memory leaks in the JVM:
Oh, and I don't get anything in the log file(s); it doesn't get anywhere close
to logging anything.
MJS
The JDK seems to be required because the stock JRE doesn't come with
all the components needed to run the services. There's a JRE inside the
JDK, which is all you'll really need once you've extracted/installed
it. I've found this to be the case with all of the Sun builds as well.
Hhm, okay
Yes, CF requires the JDK because it includes the server-specific
version of jvm.dll. I don't remember enough about JRockit to know
whether it has the same sort of JVM/JDK division.
Ah okay, thanks for the info. This does appear to be part of the JRockit
install that I have.
--- Mary Jo
I usually have to try a couple different directories before I find the right
one... and make sure your slashes are pointed the right direction :)
I'm not really seeing much in the way of choices to point to, but I did try
both the top level directory as well as the JRE one (which is what seems
Just to verify I have the right install, for CF9 on a Win 7 64-bit, I *would*
use the 64-bit for Java 6, right? Seemed obvious, but just in case I'm
I don't want to be contrary - but your error almost has to be related to not
finding the jvm.dll right? If it were args wouldn't it be some other sort of
error? Something more related to GC or whatever that would show up in the
out log?
Well, I'm just guessing, I really don't know enough about
That depends on whether you are running the 32-bit or 64-bit CF9.
Oops, sorry yes I am indeed using the 64-bit CF9.
--- Mary Jo
I have an unusual request from my client, they want to be able to have their
people in the field put tags in their reports that they can search on, using
some kind of special character to tag a word as being one of these special
search phrases. They wanted to use asterisks to do this (such as
You might have them tag like this ~word~, then parse for that when
building your search.
Not sure what you mean by parsing for it? When I use a word like this in my
data (with tildes around it), and then search for it (including the tildes), I
get no results back from Solr. It does match
I'm confused - why not just add a form field to their content editor
where they can enter the tags there?
Unfortunately, we have no access to that system, I can only pull the data that
has been entered into it.
--- Mary Jo
Ok - so then if you use tildes like Maureen suggested, you can parse
for them when you index the data. Do you have control over the code
that does the indexing?
Yes, I'm pulling all the data and then indexing it to make it available for my
client to search, so they can find the specific records
What I mean by parsing is that you use the tildes to determine what to
search for by extracting what is between them and using that to build
your search.
That's not going to give me what I need, because I need to find *only* the
results that use the tildes, not the records that might just
Right, so parse the text for the ~ words. You can use rematch to get
them easily enough. You can then use that list of words as your body
when you add it to your index.
Well, that would work I guess if they *only* wanted to search for those words,
but they want to be able to search on any of
<cfset city = model("Cities").findOne(where="id=#id# AND some_other_param=#param#")>
If you know it should only accept a numeric value, you can just throw in a
Val() function and that will ensure nothing but numbers get passed ( e.g.
id=#Val(id)# ). If you need to allow strings, and can restrict to
(changed the ftp password for the umpteenth time today as well).
Hhm, if they are getting in via FTP, which is certainly a strong possibility as
well, you might want to try turning it off for that site, or at least
restricting it to only the IP addresses that use it. I have seen numerous
Anything and everything received from external, untrusted sources must
be considered suspect.
I'd add that even if you might not have to worry about a security breach, you
still probably want to scrub such variables to prevent errors from being
generated (if for instance you expect it to be
Well, this sure was a fun thread to scan through (ha!) It's funny how adamant
people can be about defending their position. Well, here's my two cents, for
what it is worth.
I've used both CFBuilder and CFEclipse, and I personally decided not to put the
money out for a copy of CFBuilder at
Can anyone recommend a decent yet cheap web host for ColdFusion?
Right now I'm hosting my site at DreamHost (Simple wordpress as CMS site).
I didn't see anyone mention this, but for cheap hosting, but good service, you
may want to consider looking at Railo hosting through Alurium.com.
Perhaps, but I think there needs to be a serious discussion about this.
Adobe went about a weird way in announcing it and I guess hoped it
wouldn't get much notice as a result. This is one of the biggest
decisions they have made with ColdFusion in several years.
I find it comical how
I'm having a really frustrating issue with an application and cannot figure out
where the problem is. The client is getting randomly logged out of the system,
basically the session is getting reset. So far, not all that unusual, I've
certainly seen this kind of issue before. But the weird
Check the CF Administrator under memory variables and see what the MAX
timeout is for Application Session. Also, check the value on your
CFAPPLICATION tag. Make sure you didn't change the session timeout
there to something smaller than what you wanted.
No, those are all fine. And if
If that checks out, I'd try to track their session through the web logs. We
recently had the same issue with randomly expiring sessions. It turned out
that the client had a proxy that was changing their IP every minute or so;
that, combined with our custom anti-session hijacking checks, was the
How about dropping a cflog tag with some useful info into OnSessionStart
to see if the session is actually restarting or not?
Hhm, currently it uses application.cfm so that isn't available, I'd have to
look at how easy it would be to switch it if this really becomes necessary to
debug
Separate domains?
www.domain.com vs domain.com ?
I've been caught by that before, and as far as cookies go, they see them as
totally separate.
No, no changes in the domain. Also not using SSL. I can reload the same page
and get the session to drop (just takes a few tries sometimes).
MJS
Shot in the dark, but just had issues w/some IE7 browsers (not FF, Chrome, etc.)
losing sessions after applying latest hotfix which seems related to this:
* A JVM property was added in case you want to completely switch off the fix
for the Session Fixation issue ( Bug 86378) which prior to
in our case it was. client had a console page with secure/un-secure bits mixed
together it was throwing off users w/IE7 after the hotfix was applied. while
they work out what is actually wrong, adding that JVM argument fixed that
issue.
Cool, I'll see if my host can apply this, or I do have