Re: protection from sql attacks with regex++
> Doing that on everything.

If you're parametrizing everything on the queries then what is the concern?

-Justin

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359122
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFX_QueryColumns
Does anyone have a copy of this custom tag lying around? We were using it on a server that recently crashed and I am having some trouble locating a copy of it. Thanks!

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358845
Re: CFX_QueryColumns
I was able to locate a copy on our network, please disregard. Thanks!

On Thu, Jul 10, 2014 at 6:30 PM, Justin Scott leviat...@darktech.org wrote:
Does anyone have a copy of this custom tag lying around? We were using it on a server that recently crashed and am having some trouble locating a copy of it. Thanks! -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358847
Re: CF Builder 3 frustrates!!!
> I have never been a fan of the sync in CFB, I have always used Scooters Beyond Compare. ...

+1 for Beyond Compare, it's awesome.

On an unrelated note, is there something I'm missing during the CF Builder 3 setup process to import settings and projects and such from Builder 2? I have everything there set up the way I want it (custom colors, editor settings, projects, etc.) and it would be a pain to have to re-set up everything in Builder 3... did I miss a transfer settings option somewhere? I imported a couple of projects I work on regularly and it didn't even keep the project names in the project list (used the folder name and refuses to let me rename the project with an error). I like Builder, but the move from 2 to 3 could be a lot smoother.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358501
Re: CF11... Live?
I just don't get Adobe at all. I'm so disappointed in them. The tone of the announcement blog entry pretty much sums it up... the new features don't excite me. They list mobile development, language enhancements, new PDF engine, and security enhancements as the big new features. The mobile integration is arguably the big feature for this release. I suppose that will be useful for some people.

The big tell, though, is the specific mention of Java 7 Update 55. They mention it's a big important release for Java 7, but it's not included in the initial installers because they're working out some installer integration bug (presumably with Oracle), so Update 51 is included for now and they'll update the installers later. Likewise, "The Linux support for the new PDF engine in ColdFusion 11 will be available through an update within the next few weeks." By word count, they actually spend more time talking about what isn't actually in the release yet (Java Update 55 and the Linux PDF update) and that the CF10 / CFB2 installers will only be available for another couple of weeks.

It feels like the ColdFusion team just flat ran out of time; that not everything was ready but they had a hard deadline and had to ship regardless. I'm glad Adobe is continuing to support the product, but I've never felt so meh about a release (and I've been using CF since version 4).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358462
Re: CF11... Live?
Speaking of 10, for anyone who manages a CF server or has a license for Builder 2, go download the installers and put them somewhere safe before they disappear on May 14.

http://www.adobe.com/support/coldfusion/downloads.html

On Tue, Apr 29, 2014 at 11:58 AM, Russ Michaels r...@michaels.me.uk wrote:
it felt that way with CF10 as well, I have not even bothered with CF10, and that was before I moved to Railo.

On Tue, Apr 29, 2014 at 4:03 PM, Justin Scott leviat...@darktech.org wrote:
I just don't get Adobe at all. I'm so disappointed in them. The tone of the announcement blog entry pretty much sums it up... the new features don't excite me. They list mobile development, language enhancements, new PDF engine, and security enhancements as the big new features. The mobile integration is arguably the big feature for this release. I suppose that will be useful for some people.

The big tell, though, is the specific mention of Java 7 Update 55. They mention it's a big important release for Java 7, but it's not included in the initial installers because they're working out some installer integration bug (presumably with Oracle), so Update 51 is included for now and they'll update the installers later. Likewise, "The Linux support for the new PDF engine in ColdFusion 11 will be available through an update within the next few weeks." By word count, they actually spend more time talking about what isn't actually in the release yet (Java Update 55 and the Linux PDF update) and that the CF10 / CFB2 installers will only be available for another couple of weeks.

It feels like the ColdFusion team just flat ran out of time; that not everything was ready but they had a hard deadline and had to ship regardless. I'm glad Adobe is continuing to support the product, but I've never felt so meh about a release (and I've been using CF since version 4).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358468
CF-Hour: Thank You!
I listened to the latest (last) CF-Hour podcast this afternoon and wanted to give a big THANK YOU to Dave and Scott for their efforts and time for the CF-Hour podcast. It had its ups and downs, but overall was one of the crown jewels of the CF community. It will be missed.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358305
Re: MSIE 11 HTTP_USER_AGENT
> Hi, I discovered today that MSIE 11 is putting ...

Trident/7.0; rv:11.0 still gives it away as IE 11. If you look for that prior to the Mozilla check then it will still catch it properly.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358249
Re: The long tail of ColdFusion fail
> I am picturing a 2-fold system. A web-based scan for common vulnerabilities from outside, and a more detailed scan of the system from inside.

Hi Jerry, you basically just described HackMyCF.com and their security scanner and monitoring tool.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358177
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
OMG You mean ColdFusion 11 is public :P

I'm hearing Stroz in the back of my head... 10.5 10.5

Have a great weekend!

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358209
Re: CAN THIS PLEASE BE THE END? Re: The long tail of ColdFusion fail
> Also, QA and debugging are usually paid positions, except for open source software. If Adobe wants to make CF open source, I will be happy to volunteer some time to help fix it. Otherwise, not my job.

Bugs happen... as a developer I'm sure you've had clients bring bugs to you and you've asked them to provide additional information so they could be reproduced and fixed. It wasn't their job per se, but it happens to all of us.

One of the companies I work with was all geared up to move a fairly large e-commerce network from CF8 to CF10 when we ran into an issue with the 404 handler (see https://bugbase.adobe.com/index.cfm?event=bug&id=3488063) which had been previously reported to Adobe, but they were having trouble reproducing it internally. I spent a lot of time setting up test cases and bolting on debugging tools, gathering packet captures, getting traces from IIS, and digging way deeper than I ever thought I would. After lots of rounds of back and forth with Adobe engineering, they will soon be releasing* an update to the Tomcat connector for CF10 and I'm sure it'll make its way into CF11 as well. Anyone who's run into the connection reset issue when using a CF-based 404 handler will soon have a fix for that problem.

It wasn't my job to help them troubleshoot this and create a reproduction scenario and work with them to test potential solutions (heck, we even paid for the privilege through a platinum support contract), but we needed that feature to work properly, so we did what was needed to help them fix it.

Sorry, I get annoyed whenever I hear people say "not my job."

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358216
The long tail of ColdFusion fail
http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/

Patch your servers people. Follow the lockdown guide while you're at it.

CF 10: https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf
CF 9: http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357961
Re: The long tail of ColdFusion fail
> The adobe document which describes what to do is dated May 2010, almost 4 years old.

Indeed, and yet people still install the base server, run credit card transactions through it without patching the server, following the lockdown guide, or otherwise following good security practices, and then when their site gets owned, CF gets the blame. Granted there are occasionally vulnerabilities found, just like there are vulnerabilities in Windows, *nix, and pretty much every other piece of software that faces the Internet. If the system admins, hosting companies, and developers who run the CF servers don't keep up on the security bulletins and apply patches when released/tested, it makes the rest of us look bad and gives CF a bad reputation to non-CF developers.

Case in point, my company recently hired a Flash developer to do some work and when he saw the .cfm extension on some of our API calls he actually offered us security consulting services (yeah, from a Flash developer) because obviously we don't know what we're doing if we are running CF on the back-end. His attitude was that if we're running CF we are probably already hacked and don't know it yet. Bah! Developing applications is complicated enough without the tool being constantly berated in the industry.

So anyway, that's your homework assignment for tonight. Go find out if your server is patched and locked down. I don't care if you run your own server, have an in-house system admin, or use an outside hosting company. Find out what the patch level is and whether it's been locked down properly. Go use hackmycf.com to find trouble spots if you can. If the server isn't patched, make that your mission.

Go patch and lock down your servers people! I don't want to see Brian Krebs featuring your site next week unless it's in the vein of "wow, these CF people really got their s*** together!"

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357975
Re: The long tail of ColdFusion fail
> On the other hand, why hasn't Adobe changed the way CF is installed if it's not safe?

Layers... it's all about layers. If a vulnerability is found in the CF admin or some other exposed piece, you don't want an attacker to be able to take over the whole operating system. The lockdown guide shows you how to configure everything around CF so that in the event of a breach you're not letting it be a path into your entire server. Many of the vulnerabilities found in CF wouldn't be a big deal if people configured the server CF runs on in a more secure manner.

This is the whole reason the credit card companies bang the PCI-DSS drum so hard... they want multiple layers of security and access controls so that the failure of any one of those layers will not leave the entire system out in the open.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357984
Re: what is faster?
> First: assuming that you have a finite amount of time - I think that's a safe assumption - you would be far better served optimizing your SQL and your asynchronous processing. I've been working with CF for many years, and I've looked at a lot of applications, and it's very rare that I find one that has really been fully optimized in those two respects. Those are going to get you a lot more bang for your buck, so to speak.

+a lot

Most of the CF applications I've worked on in my career haven't been run under real load or scale of any kind (lots of back-office stuff and smaller websites) and I've found that in many cases the "which is faster" question doesn't matter anymore. It mattered a little bit back in CF4 when the server was a single 500MHz Pentium III, but with modern versions of CF on modern hardware, the differences are negligible. (Sure there are cases where the CF code is just gross and is impacting performance, but that's a far cry from nitpicking whether expressions should include pound signs or not, or whether you should have one large cfoutput block or wrap each expression independently, like some used to bicker about back in 1999.)

In the past couple of years I've been working on larger public-facing applications that do run at scale, and have found that the database tends to end up being the bottleneck. Learning about the internals of your database engine and optimizing your data structure, indexes, how execution plans are generated and cached, tuning the queries themselves, and so on has had far more impact on performance than anything in the CF code.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357889
Re: what is faster?
> <cfif serializeJSON(qry1) eq serializeJSON(qry2)> to compare 2 queries or sticking the queries into an array and then <cfif #qryArray1.equals(qryArray2)# IS "YES">

TryCF.com is great for stuff like this. Plug this code into TryCF.com and give it a whirl...

<cfscript>
// Two queries with the same columns and 500 empty rows each
qry1 = queryNew("x,y,z");
queryAddRow(qry1, 500);
qry2 = queryNew("x,y,z");
queryAddRow(qry2, 500);

// Option 1: serialize both queries to JSON and compare the strings
timeStart = getTickCount();
for (i = 1; i lte 1000; i++) {
    x = serializeJSON(qry1) eq serializeJSON(qry2);
}
timeEnd = getTickCount();
writeOutput("<p>Serialize Time: #timeEnd - timeStart# ms</p>");

// Option 2: call the underlying Java object's equals() method
timeStart = getTickCount();
for (i = 1; i lte 1000; i++) {
    x = qry1.equals(qry2);
}
timeEnd = getTickCount();
writeOutput("<p>Array Time: #timeEnd - timeStart# ms</p>");
</cfscript>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357863
Re: CF, SmarterMail, and DKIM
> I am using SmarterMail to deliver my email from CF. However, emails that are generated don't seem to have the DKIM signing attached.

Do you have a username and password entered into the Mail settings in the ColdFusion administrator for the connection to your mail server?

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357852
Re: SSL certificate problem with 3rd party
> Can anyone provide assistance as to why CF 8.0.1 isn't happy with this certificate?

It sounds like they're using a certificate with multiple embedded hostnames (known as alternative names) which is not supported by Java 6. Importing the cert into the java cert cache won't help. You will need to have your CFHTTP call use the hostname that is specified as their primary hostname in the certificate (internetsecure.com in this case). To get it to talk to their test server, you'll need to add an entry in the server's hosts file to override the DNS entry for internetsecure.com to use the IP address for test.internetsecure.com which is 216.98.33.4, so in your hosts:

216.98.33.4 internetsecure.com

This will allow your code to talk to the appropriate server (test server) using the hostname of the primary hostname in the certificate. Once you're in production it shouldn't be an issue unless their production URL uses a different hostname than internetsecure.com.

We have to do this in production to get CF to talk to the E4 Global Gateway from First Data as their certificate uses alternative names and creates the same problem. The other gotcha is that if you do have to override their DNS entry in the hosts file you'll also need to monitor their DNS entry for changes so you can update your hosts file accordingly if they move something. Loads of fun.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357459
Re: Windows server 2008 or 2012
> I am looking at changing VPS providers to maintain and upgrade CF I have an option of Windows 2008 or 2012 server.

Server 2012 is a solid platform though it takes some getting used to the GUI interface updates. It's grown on me since I started dealing with it. Server 2008 still feels new, but it is now pushing six years old so I wouldn't deploy anything new on it unless I had to.

If you're using CF10 with Server 2012 there is a known issue (CF Bug 3488063; see https://bugbase.adobe.com/index.cfm?event=bug&id=3488063) which impacts custom 404 handlers and anything that relies on the URL Rewrite module, so if your site relies on those features then do some serious testing before deploying live. We are actively working with Adobe engineering (who is working with the Microsoft IIS team) to resolve that one as it's holding us up from upgrading a bunch of CF 8 servers to CF 10 Enterprise, but aside from that everything else should be smooth sailing.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357461
Re: SSL certificate problem with 3rd party
> You will need to import the star (*) certificate into the keystore for the java instance ColdFusion is running upon. Basically ColdFusion doesn't like to speak to *.domain.com certificates (I think CF10 doesn't mind so much), as it is not an exact match to the URL it is attempting to access.

In this case it's not a wildcard certificate, it's a standard cert using the subject alternative names extension which isn't supported on Java 6. Importing the certificate into the Java keystore won't help in this case because the primary name on the certificate doesn't match the hostname being called. Java will only check against the primary hostname and not the alternative names listed in the certificate. Calling the primary hostname on the certificate and using a hosts entry to override the DNS entry to direct it to the right IP is the only workaround in this instance.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357465
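The mismatch discussed in this thread, as an added example (not code from the thread): a hostname check that only looks at the certificate's primary name (the behaviour the reply attributes to the Java 6 stack) beside a SAN-aware check following the RFC 6125 rule that DNS subject alternative names, when present, are the names that count. The certificate is a constructed dictionary in the shape ssl.getpeercert() returns; its SAN list is an assumption, since the thread names only internetsecure.com as the primary name and test.internetsecure.com as the test host.

```python
# Constructed certificate in ssl.getpeercert() layout. The SAN entries are assumed
# for illustration; only the CN and the test hostname come from the thread.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "internetsecure.com"),),),
    "subjectAltName": (
        ("DNS", "internetsecure.com"),
        ("DNS", "test.internetsecure.com"),
    ),
}


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname. A single leftmost wildcard
    label is allowed (*.example.test matches a.example.test but not
    a.b.example.test or example.test); comparison is case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, cover at least two fixed labels,
    # and match exactly one hostname label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def common_name(cert):
    """Return the subject CN, or None when the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Return the DNS entries of the subjectAltName extension (empty if absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cn_only_match(cert, hostname):
    """Primary-name-only check: the SAN extension is ignored entirely."""
    cn = common_name(cert)
    return cn is not None and _name_matches(cn, hostname)


def san_aware_match(cert, hostname):
    """RFC 6125 style: if DNS SANs exist they are authoritative; otherwise fall
    back to the CN. This is the check that accepts test.internetsecure.com."""
    names = san_dns_names(cert)
    if names:
        return any(_name_matches(name, hostname) for name in names)
    cn = common_name(cert)
    return cn is not None and _name_matches(cn, hostname)


def explain(cert, hostname):
    """Summarise which checks accept `hostname` and which names the cert carries,
    the information you want before reaching for a hosts-file override."""
    return {
        "hostname": hostname,
        "cn_only": cn_only_match(cert, hostname),
        "san_aware": san_aware_match(cert, hostname),
        "names_in_cert": [common_name(cert)] + san_dns_names(cert),
    }


if __name__ == "__main__":
    for host in ("internetsecure.com", "test.internetsecure.com"):
        print(explain(CONSTRUCTED_CERT, host))
```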
Re: Windows server 2008 or 2012
> OS version matters little with PCI compliance. If anything 2012 should be more up-to-date and secure (HA, Windows joke contained within).

I'd add that this will depend on your QSA. Some are beginning to nitpick the SSL cipher sort order which older versions don't allow you to specify. Fortunately most of them are not being ultra-strict about that... yet.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357466
Re: SSL certificate problem with 3rd party
> FYI, I tried things out on CF 10, and it appears to accept these types of certificates without issue.

What's the JVM version you're using on that installation?

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357468
Re: cf source code bogarted
"It's not a question of 'if', but 'when'." -Ancient Security Proverb

On Thu, Oct 3, 2013 at 5:54 PM, John Lyons tyrsbl...@gmail.com wrote:
http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

thoughts?

--
Sent from Gmail Mobile

Archive: http://www.houseoffusion.com/groups/cf-jobs-talk/message.cfm/messageid:4630
Re: cf source code bogarted
> Excellent time to open source, no?

I think there's a better chance of Jesus rising out of the retention pond in my back yard.

Companies have had their source code stolen before without a lot of impact. If anything, someone will examine their source code and identify half a dozen new security vulnerabilities and then either sell them and we'll have a new round of CF 0-day attacks which Adobe will fix, or they'll just report them straight to Adobe and we'll get fixes without being exploited. Either way, the product is going to get safer as a result. I'm more concerned about their customer records and possibly passwords and financial info being exfiltrated.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-jobs-talk/message.cfm/messageid:4633
Re: cf source code bogarted
> boo, being all logical and stuff :)

It's all part of the show folks. :)

-Justin

Archive: http://www.houseoffusion.com/groups/cf-jobs-talk/message.cfm/messageid:4636
Re: Hack Attempt on our database last night
> cfformprotect will help you with stuff like this

I'll second that... it's become a standard for me to implement on public-facing forms to prevent automated submissions.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356284
Re: Hack Attempt on our database last night
In this particular case it's not generating SQL but just filling in space to match the number of columns with the original query. Basically once it executes without an error it allows the attacker to see how many columns the original query is selecting. It's part of an automated attack tool.

-Justin

On Mon, Jul 22, 2013 at 5:08 AM, Russ Michaels r...@michaels.me.uk wrote:
You can run cast function on the hex string to see the actual sql it generates, which I thought was required anyway so not sure that query would even execute otherwise.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 22 Jul 2013 04:45, Justin Scott leviat...@darktech.org wrote:
There was some discussion about a very similar injection on Stack Overflow which may be useful: http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection

-Justin

On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:
We had someone trying to hack our system last night and I would like to know what he was trying to get. Seems one of our new Junior programmers didn't use CFQUERYPARAM and allowed this param into the query string. Needless to say, I will be having a nice long chat with him when he gets into the office tomorrow. How do I decode what this is? Is there a tool or site that will convert this for me?

99.9 /*!3union all select 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356266
Re: Hack Attempt on our database last night
> Which brings up another security question. How do other sites handle something like this automatically? I mean, if I see an attack from an IP address, is it even worth blocking at the firewall?

What I do is a combination of input sanitizing and using cfqueryparam to the point where it's actually not possible (in theory) to put the application in an unknown or error state, and invalid input is always handled in a predictable way (e.g. redirect to the home page, etc.). One of my goals when building an application is to make it so that in theory it shouldn't be possible for the end user to generate a ColdFusion error. When my error handlers get a hit it becomes a Big Deal(tm) and usually leads to a code change to make it so that the error can't happen again.

Due to the volume of automated probes and attack tools constantly sweeping the web I generally don't bother trying to block individual addresses and such manually. Our firewall/IDS farther upstream looks for known attack patterns and blocks those for us automatically, but if I see someone probing in the logs I usually don't pay it much attention. If someone is able to trigger a CF error then it does become a top priority to investigate how they were able to do so and patch the code so that the condition can be handled gracefully.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356279
Re: Hack Attempt on our database last night
There was some discussion about a very similar injection on Stack Overflow which may be useful: http://stackoverflow.com/questions/4600954/site-has-been-hacked-via-sql-injection

-Justin

On Sun, Jul 21, 2013 at 1:33 PM, Dave Hatz daveh...@hatzventures.org wrote:
We had someone trying to hack our system last night and I would like to know what he was trying to get. Seems one of our new Junior programmers didn't use CFQUERYPARAM and allowed this param into the query string. Needless to say, I will be having a nice long chat with him when he gets into the office tomorrow. How do I decode what this is? Is there a tool or site that will convert this for me?

99.9 /*!3union all select 0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356264
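An added example, not code from the thread, that answers Dave's "how do I decode this" from the log-review side and ties in with Justin's point about upstream pattern matching: it pulls each query-string parameter out of web-server log lines, decodes the 0x... literals in a UNION ... SELECT, and reports how many columns the probe was padded to (the 0x31303235343830303536 literal decodes to the digit string 1025480056). The log lines are constructed, and the second one carries a four-column version of the probe quoted above rather than the full list.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines. The second request carries a shortened
# (four-column) form of the probe from the thread; "+" encodes a space in the URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jul/2013:23:14:01 -0400] "GET /product.cfm?id=99 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Jul/2013:23:14:02 -0400] "GET /product.cfm?id=99.9+/*!3union+all+select+'
    '0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,'
    '0x31303235343830303536*/-- HTTP/1.1" 500 812',
    '10.0.0.5 - - [21/Jul/2013:23:14:03 -0400] "POST /contact.cfm HTTP/1.1" 302 0',
]

# Request line inside the log entry: method, target, protocol.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# UNION [ALL] SELECT followed by a comma-separated list of 0x... literals. The
# optional "/*!<digits>" prefix covers the MySQL conditional-comment wrapper seen
# in the thread ("/*!3union all select ... */--").
_UNION_RE = re.compile(
    r"(?:/\*!\d*\s*)?union\s+(?:all\s+)?select\s+"
    r"((?:0x[0-9a-f]+\s*,\s*)*0x[0-9a-f]+)",
    re.IGNORECASE,
)


def decode_hex_literal(literal):
    """Decode a SQL hex literal such as 0x3130 into the text it stands for."""
    return bytes.fromhex(literal[2:]).decode("latin-1")


def parse_union_probe(value):
    """Return (column_count, decoded_literals) when `value` carries a UNION SELECT
    padded with hex literals, or None when it does not."""
    match = _UNION_RE.search(value)
    if not match:
        return None
    literals = [item.strip() for item in match.group(1).split(",")]
    return len(literals), [decode_hex_literal(item) for item in literals]


def scan_log(lines):
    """Walk log lines, split each request target into query parameters, and
    report every parameter whose value looks like a UNION column-count probe."""
    findings = []
    for line in lines:
        request = _REQUEST_RE.search(line)
        if not request:
            continue
        query = urlsplit(request.group("target")).query
        # parse_qsl also turns "+" back into spaces, which the regex relies on.
        for name, value in parse_qsl(query, keep_blank_values=True):
            probe = parse_union_probe(value)
            if probe is None:
                continue
            columns, decoded = probe
            findings.append({
                "client": line.split(" ", 1)[0],
                "param": name,
                "columns": columns,
                "marker": decoded[0],
                # A uniform marker across all columns is the padding pattern the
                # reply describes: the tool is counting columns, not pulling data.
                "uniform": len(set(decoded)) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```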
diff processor
Hello all, I am curious if anyone has recommendations on a diff system (e.g. pass in two blocks of text/code and it returns a marked up combination showing the differences similar to the edits display on Stack Overflow, change tracker in MS Word, or the output that Beyond Compare shows). Use case is a policy editor where they want to allow people to propose changes to rather long internal policies and then show an administrator the proposed edits and point out where changes have been made to make reviewing easier.

My Google-fu must be weak as I'm not finding anything, but I'd take recommendations on a CF-based solution, or even a Java or .Net solution I can import if available. Thanks in advance, and have a great weekend!

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356183
Re: CFMail Question
By default the form field will only exist if the checkbox is checked, so you could do:

Subscribe to newsletter? <cfoutput>#yesNoFormat(isDefined("form.mailList"))#</cfoutput>

As an aside, in the anti-spam and e-mail deliverability communities it is generally considered a bad practice to have these sorts of options checked by default.

-Justin

On Fri, Jun 28, 2013 at 9:16 AM, Robert Sneed robertsn...@rhsneed.com wrote:

> I hope someone can help me with this. I'm kind of stuck on the conditional. I have a newsletter signup form that includes a check box that is checked by default.
>
> <label for="mailList"><input checked="checked" id="mailList" name="mailList" tabindex="14" type="checkbox" value="0" width="5px" /><span class="checkbox">I would like to receive your e-newsletter.</span></label>
>
> I'm trying to email the answer, yes or no, based on whether or not the box is checked. Here is the conditional code between my <cfmail></cfmail> tags.
>
> Subscribe to e-newsletter? <cfif isDefined("form.mailList") AND Len(form.mailList)><cfif NOT Compare(form.mailList, 0)>yes<cfelse>no</cfif></cfif>
>
> If someone checks the box I get the sentence "Subscribe to e-newsletter? Yes" in an email. If someone does not check the box I get "Subscribe to e-newsletter?" I can't figure out how to get the "No" to show up in the email when the box is not checked. I feel like I'm close here but just can't seem to get the "No" answer emailed when the box is not checked. Thanks a lot for your help!!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356091
Re: CFIMAGE .... Nearly Worthless?
> What do you mean? You mean like variables.thevalue... or do you mean like thisinstance.thisvalue, so each subsequent run has different values?

The info that Ray pointed to gives a lot of great information. The short version is that you can define those variables to be private and local to the function which instructs the runtime to throw them away when the function is done rather than holding them in memory for a long period. In your case:

<cfset tempImage_path="#rootpath#\assets\project_gallery\temp">

Would become:

<cfset var tempImage_path="#rootpath#\assets\project_gallery\temp">

That extra "var" attribute after cfset tells the runtime that this is a private local variable and safe to discard once the function exits. In older versions of ColdFusion all of the var type variables had to be defined immediately after any cfargument tags at the beginning of the function. Once defined you refer to them normally within the function code. In newer versions (9 and 10) you can use the local scope within the function instead, such as:

<cfset local.tempImage_path="#rootpath#\assets\project_gallery\temp">

This will accomplish the same thing as using the var attribute.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355894
Oracle discontinues free timezone updates for Java
http://developers.slashdot.org/story/13/06/08/051235/

Not directly CF-related, but could impact those that rely on accurate time information around the world.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355880
SFTP with key AND password
Hi all, I have used the built-in SFTP support in the past with a public key and separately with a username and password. I am now running into a situation where a server I need to connect with uses a username, key, AND password to authenticate. (ColdFusion 9)

Unfortunately, the key and password arguments for CFFTP are mutually exclusive, so it will allow one or the other but not both at the same time. When connecting to said server with a utility such as WinSCP it connects with the username and key and then gives a note about additional authentication required and prompts for a password (or uses the saved password from settings).

I've also been attempting to use the jsch.cfc wrapper for the Java JSch class (which ColdFusion uses under the hood anyway) without much success (can't get that to connect at all, just gives a "packet corrupt" error on the .connect() method).

So, I am curious if anyone else has had any experience using JSch to connect to a server using a key and a password, or alternatively, if someone might have code they're willing to share to script WinSCP from ColdFusion (basically to push a file up and then get a directory listing to verify it's been uploaded successfully)?

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355848
Re: SFTP with key AND password
> Are you sure, this is from cf8 docs showing key and passphrase in one call...

Thanks, the passphrase argument goes with the private key (e.g. if the private key file itself is protected with a password, this would be the password to unlock the key file so CF can read and use it). This is different from the password argument which would be sent to the remote server.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355850
Re: Form Fields suddenly self validating? Now required?
You'll want to check what mode your page is being rendered in and which version of HTML it's applying. In HTML 5 the required attribute is binary meaning that if it's present, the field will be treated as required regardless of the attribute's value (e.g. required=no doesn't make the field optional, its mere presence will make the field required). The required attribute wasn't valid in previous versions of HTML, so if you're passing it within a direct input or other form tag it would have been previously ignored by the browser, but if it's now rendering your page as HTML 5 then it has meaning and will enforce an input requirement if present.

-Justin

On Tue, May 21, 2013 at 6:30 PM, Jeff F cftalk_l...@fongemie.com wrote:

> Hey everyone, I have a very old site that has a basic form. All of a sudden, the form is requiring all form fields to be filled out? The form is a basic <form action="">, and I've got required=no on the fields. What's interesting is that the validation results are quite nice looking, almost Jquery-ish. The form fields get a slight red glow around the edges, and the little bubbles that show on the page look great, however I don't want any of it. I did read about newer versions of CF server validating, so I tried disabling that by adding serverSideFormValidation=no to the cfapplication. What the heck is this?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355818
Re: Large amounts of CF email
> The current concept is for me to get another server specifically for their email delivery, and to move their app to my CF machine...

First, the volumes of e-mail you're talking about may sound like a lot, but they're really not. We have CF apps that do close to half a million messages a day during peak times. (Marketing around holidays, primarily) We use the IIS SMTP service for outgoing delivery. If their e-mails are pretty spread out, 300k/mo would work out to about 830/hour if spread out over 12 hours a day. The IIS SMTP service won't even notice load like that.

Install the IIS SMTP service on a server that doesn't already have mail services, ensure it has reverse DNS configured, add its IP to any SPF records you may have for domains you're sending for, configure it to allow relay from your localhost and any other IPs you control, and point ColdFusion at it for e-mail delivery. Simple and no extra hardware needed.

All of this assumes you're running Windows, of course. If you're on a *nix platform look at Exim as it can also handle low volume like that without breaking a sweat.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355379
Re: Large amounts of CF email
> The iis smtp service is ok for absolute no frills, don't care at all what happens to the emails. But the logging is pretty rubbish, so tracking down causes of failures is often very hard or impossible.

That hasn't been my experience, though I agree the logs could use some improving. I don't have recent experience with SmarterMail, so perhaps it's improved with time, but when I tested it a few years ago it promptly fell over under the loads that we put our servers under while IIS SMTP kept up without any trouble. Your mileage may vary. :)

We're in the process of moving delivery to Exim on CentOS because it gives us better control of outgoing mail, routing, etc. than IIS does and still keeps up. For 100k messages a month though it's probably overkill.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355392
Re: Has anyone dealing with PCI-Compliance seem this?
> but aren't they scanning the interface from a public network? If so, you should have a very small number of listening ports. Maybe just two: TCP/80 and TCP/443. There is no reason why you'd expose TCP/135 to a public network (especially if you're running Windows).

Good advice; in my experience the scan vendors require you to open your firewall to their scanner IPs so they can get a more complete picture of vulnerabilities that may be lurking behind it. One of my clients ran into problems with this a while back because while 80/443 were the only things open to the public, they had an older version of Veritas Backup Exec running on the network which had known vulnerabilities that the QSA complained about.

PCI is a pain in the arse. I generally refer people to use Stripe or Braintree Payments for processing for just these reasons. The extra per-transaction costs are usually less than the costs of dealing with all the network/server security and maintenance required to satisfy the compliance requirements.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355219
Re: PCI-Compliance Ding for Non-Random CFID's
> Most (if not all) PCI scanning vendors will remove it from your report if you explain that the session is based on BOTH the CFID and CFTOKEN values, not just one, as long as you have "Use UUID for CFTOKEN" enabled (which in CF9/10 is more than just a UUID).

I can second that, we've run into this before and any QSA who knows what they're doing will put an exception in place for this scenario. Frankly I'm surprised more of them haven't built this in as a rule by default when cfid and cftoken are both present.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355203
Re: Curmudgeon painted in a corner
> ... Problem: new ones all come with Windows 8 so it looks like I'll be buying (unless I can find freebies) some new development tools.

If you poke around on eBay you can find new surplus and business systems that come with Windows 7 Pro. I bought a brand new Dell Vostro 270s for my parents, one for a friend of theirs, and one for myself as new home computers last month for $529 each (http://www.ebay.com/sch/trepachka/m.html is the seller's page, he still has one up right now).

I've switched to using CF Builder as my primary development tool for working on sites locally, but for some older remote sites I still use Homesite+ in Windows XP mode without any trouble.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355055
Re: CF running out of steam
> ... You can do anything with anything. There's nothing I can build in one that I can't build in another. At that point, it largely becomes a matter of personal preference.

I largely agree with your assessment. From many that I've spoken with the biggest challenge facing CF isn't that the language or platform is running out of steam but that newer/younger developers are not picking it up and running with it. Companies seem to be having trouble finding enough CF developers to meet demand. That, I believe, is the greatest threat to the platform.

I've pitched clients on projects in CF and have lost out to developers on other platforms because the business fears that it won't be able to find anyone to support the finished product if something happens to me, or that if their business takes off they won't be able to build a large enough team to support the growing application. If anything, it's just not popular with newer developers or they've heard rumors of it being dead and don't want to waste their time. I don't have a solution to that problem, and it's a tough nut to crack, but unless the perception is changed I think that trend will continue.

Having said all that, there is no shortage of CF work out there to be done. Adding other tools and technologies to your toolbelt can create new opportunities and provide a safety net as well, but for the time being CF is still my primary source of income and probably will continue to be for many years to come.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354995
Re: (ot) .NET vs. CF
> For those of you on this list that have experience with both, can I please get your feedback on the Pros and Cons of going to the .NET framework from ColdFusion?

Hi Dave, that will depend on what you're doing with it. I don't have anything against .NET and have done some coding with it. The biggest headache about .NET is that it's a fully object-oriented language and everything is based around that. It's a lot harder to throw something together quickly with .NET than it is with ColdFusion. If you're building large well-designed applications that will be OO from the beginning regardless of the language, then it's mostly a matter of syntax.

.NET has a wealth of libraries behind it, but navigating that world is on-par with Java in complexity (strong typing, lots of long paths to method calls, etc.). CF is more akin to PHP in that regard. Not to get too far off-topic, but I'd be happy to see a project like OpenBD or Railo that created a CFML engine on top of .NET rather than Java so that we could just switch the engine out and say "okay, we're doing .NET now, wink wink."

If you're doing simple web applications, .NET may just get in the way and add time and complexity that isn't needed. If you're doing PDF generation, I haven't seen anything that beats the simplicity of CFDOCUMENT (though it has its limitations). So, as with anything in IT... it depends. But as has already been mentioned, switching platforms just because someone read an article in a magazine about something another company did is pretty short-sighted.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354949
Re: (ot) .NET vs. CF
> With regard to a CFML engine running on .NET, New Atlanta has a BlueDragon .NET edition that does exactly that.

Thanks Carl, I knew they had a Java version but wasn't aware of the .NET edition. Good to know if I ever run across one of those types of clients.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354954
Re: Adding Salt and Password Hash to existing accounts
> When I performed this same task a few months ago, I basically wrote a page that did all the salting and updating as a loop. Obviously I had decided on the actual process for login and tested it to make sure it worked. I just increased the size of the password column, added a salt column and ran all users through the salting processing page. I can find the code if you are interested.

This would imply that you're storing the user's plaintext passwords which defeats the whole point of hashing them (e.g. you add the salt to the password before you run the hash algorithm [e.g. hash(pw+salt) ]). The only way to add salt to the hash after the fact is if you have the plaintext passwords. This is why adding salt after accounts are established is hard, you have to wait for people to log in again to get the plaintext password to work with. If you just appended a salt value to the end of the hash value stored in the database (e.g. hash(pw)+salt) then it is not adding any additional security.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354821
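The three cases the message distinguishes, as an added example that is not part of the thread and is written in Python rather than CFML: a one-shot migration when plaintext passwords are still in the table, a lazy upgrade at login time when only unsalted hashes exist (the plaintext is only in hand while the user is logging in), and the hash(pw)+salt mistake, where the stored value still contains the unsalted hash verbatim. The hash function used is PBKDF2-HMAC-SHA256 from the standard library rather than a bare hash(pw+salt); the iteration count, the record layout and the use of unsalted SHA-1 as the "legacy" scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumption, tune for your hardware


def hash_password(password, salt=None):
    """Return (salt_hex, digest_hex). The salt is an input to the hash
    computation, which is what makes it useful: two users with the same
    password get different digests, and precomputed tables do not apply."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, digest_hex):
    _, digest = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(digest, digest_hex)


def migrate_plaintext(users):
    """One-shot migration for the case in the thread: the plaintext passwords
    are still in the table, so every row can get its own salt right now."""
    migrated = {}
    for name, plaintext in users.items():
        salt, digest = hash_password(plaintext)
        migrated[name] = {"salt": salt, "hash": digest, "legacy_sha1": None}
    return migrated


def legacy_sha1(password):
    """Assumed legacy scheme: unsalted SHA-1, as many older apps used."""
    return hashlib.sha1(password.encode()).hexdigest()


def login_and_upgrade(record, password):
    """Lazy migration when only unsalted hashes exist. The plaintext is only
    available at login, so the row is rehashed with a salt on first successful
    login and the legacy hash is dropped. Mutates record; returns success."""
    if record.get("legacy_sha1") is not None:
        if not hmac.compare_digest(legacy_sha1(password), record["legacy_sha1"]):
            return False
        salt, digest = hash_password(password)
        record.update({"salt": salt, "hash": digest, "legacy_sha1": None})
        return True
    return verify_password(password, record["salt"], record["hash"])


def bogus_append_salt(password, salt_hex):
    """What the message warns against: hash(pw) + salt stored as one string."""
    return hashlib.sha256(password.encode()).hexdigest() + salt_hex


def salt_adds_nothing(password, salt_hex):
    """True when the stored value still starts with the unsalted hash, i.e.
    an attacker can strip the salt and crack hash(pw) as if it were never there."""
    stored = bogus_append_salt(password, salt_hex)
    return stored[:64] == hashlib.sha256(password.encode()).hexdigest()
```

Until every legacy row has been upgraded, the table still holds unsalted hashes, so the lazy path is only a stopgap; forcing a reset for accounts that have not logged in after some cutoff is the usual way to finish the job.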
Re: Adding Salt and Password Hash to existing accounts
> I guess I didn't make myself clear. I wrote a routine that salted and hashed all of the plain text passwords that were in the system.

Ah, that is a good thing then. I took it that you were adding salts to an existing hash like the original poster.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354846
Re: Adding Salt and Password Hash to existing accounts
> The original poster never said they were adding salts to existing hashes. They laid out the same scenario of converting plaintext passwords to salted hashes.

I'm just on a roll of misreading today. When she said "adding salt" my brain stopped there and didn't register the "/hash" after that. Coffee. Yes, more coffee is the solution. Coffee shall make it all better. :)

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354848
Re: Coldfusion 7 and JVM
> I tried updating the JDK to version 7, latest available. After changing the JVM path the CF server would not start, so I am wondering which is the latest version of the JDK that Coldfusion 7 will support, please?

Java 7 support for ColdFusion 9 and 10 was just announced with a patch released a few days ago (thanks, Adobe, for giving us all of a couple of days of lead time before Java 6 was EOLed before announcing official support for 7... sheesh). ColdFusion 8 can run on Java 6 releases right up to the last patch released a few weeks ago (I haven't tested CF 8 with Java 7).

For CF 7, the two I have in production show JVM 1.4.2_17 without any issues. It's been a while since those have been updated though, so if someone else is running 7 on a newer JVM I'd like to know as well as I don't see these two servers going away for a while even though they are getting somewhat long in the tooth.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354776
Re: EXIF Photo Information
> It's great to see this in CF8, but unfortunately it doesn't provide all the metadata I would need, If you have ever used Photoshop or Lightroom, you can edit the File Info. This means the photog can add a lot of information to the image, such as Description, keywords, copyright, etc. When the file is uploaded to Flickr, for example, this information is read and it saves any need to rekey. It means where ever the image lands up, this information doesn't get detached.

In that case you would use imageGetIPTCMetaData() instead (on CF8 and above, of course).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354725
Re: EXIF Photo Information
> Not looking to spend on a CF upgrade over one site :)

I'd normally say there's always Railo if cost is an issue, but it looks like Railo has implemented imageGetEXIFMetaData() but not imageGetIPTCMetaData() (it's not listed in their documentation, haven't actually tested code on Railo to check). Ah well!

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354734
Re: EXIF Photo Information
> even if you upgraded not sure you'd get a whole lot of EXIF data out of imageInfo anyway beyond the very basics (height, width, etc.). if you don't mind dipping down into java can add a java lib to your cf classpath that's probably your best bet. maybe: http://drewnoakes.com/code/exif/

ColdFusion 8 (sorry Jenny, this won't help you on CF7) introduced a function specifically to extract EXIF data called ImageGetEXIFMetaData(). You basically read in a JPEG image and pass it to the function and it returns a structure of whatever it can extract. Pete Freitag has a blog post with an example at http://www.petefreitag.com/item/657.cfm.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354691
Re: Apostrophes in email addresses
> 100% of the time this little bit of regex has served me well until now.
>
> ^[\w\.-]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]+$

Is there a reason you're not using the built in isValid("email", variable) function instead of a regex?

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354663
Re: Apostrophes in email addresses
> Pretty sure isValid() incorrectly flags emails with apostrophes as invalid.

> Nope, at least not with CF9 (checked last night before I posted). There are two or three bugs with isValid() and emails.

I was about to ask if anyone had details on where isValid() might fail on e-mail addresses when I saw that Adam wrote up a blog entry in reference to this thread at http://adamcameroncoldfusion.blogspot.com/2013/02/email-address-validation-1-in-series.html which outlines a bunch of possibilities with tests run on CF10. As noted isValid() will work with the most common special characters I see in the wild (notably + and '). He points out a slew of others that fail though I don't recall ever seeing most of those in use after more than a decade in the industry (not to say they aren't out there, just very, very rare). He notes that there is a bug open on this with a "will fix" note so it'll just get better in future patches/versions.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354667
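To make the apostrophe problem concrete, here is an added example (not part of the thread, in Python rather than CFML) that runs the regex quoted earlier in this thread against a few constructed addresses and compares it with a pattern built from the RFC 5322 "atext" character set for dot-atom local parts. The quoted regex's local part is [\w\.-]+, and \w does not include the apostrophe or the plus sign, so addresses containing either are rejected. The comparison pattern is an assumption for this example, not a claim about what isValid() does; it deliberately does not handle quoted-string local parts or comments.

```python
import re

# The regex quoted in the thread, verbatim; Python's re accepts it unchanged.
QUOTED_REGEX = re.compile(r"^[\w\.-]{1,}\@([\da-zA-Z-]{1,}\.){1,}[\da-zA-Z-]+$")

# RFC 5322 atext: the characters allowed in an unquoted local part.
# Assumption for this example: only dot-atom local parts are accepted,
# not quoted strings ("john doe"@example.com) or comments.
ATEXT = r"A-Za-z0-9!#$%&'*+/=?^_`{|}~-"
LOCAL_PART = rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*"
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
DOT_ATOM_REGEX = re.compile(rf"^{LOCAL_PART}@{DOMAIN}$")


def quoted_regex_accepts(address):
    return QUOTED_REGEX.match(address) is not None


def dot_atom_accepts(address):
    return DOT_ATOM_REGEX.match(address) is not None


def compare(addresses):
    """Map each address to (accepted by quoted regex, accepted by dot-atom regex)."""
    return {a: (quoted_regex_accepts(a), dot_atom_accepts(a)) for a in addresses}


# Constructed sample addresses; none belong to a real mailbox.
SAMPLES = [
    "jane.doe@example.com",
    "o'brien@example.com",
    "user+tag@example.com",
    "bad@@example.com",
    "no-at-sign.example.com",
]

if __name__ == "__main__":
    for address, (old, new) in compare(SAMPLES).items():
        print(f"{address:28} quoted={old!s:5} dot-atom={new}")
```

Whichever pattern is used, syntax checking only says the string is shaped like an address; the way to know it is deliverable and belongs to the person submitting it is still a confirmation message, which is also what the earlier deliverability aside in this thread points at.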
Re: decryption question
> <cfif len(editUser.CreditCardNumber)>
> <cfparam name="form.decrypted" default="">
> <cfset theKey = GenerateSecretKey("AES", 256)>
> <cfset decrypted = decrypt(form.CreditCardNumber, theKey, "AES", "UU")>
> </cfif>

Since the only place where the decrypted variable is being set is within the CFIF block, I'd check to ensure the editUser.CreditCardNumber field wasn't blank as a first step. If you want it to default to a blank value if nothing is present in the database, you'll need to move your CFPARAM tag above the CFIF block so it's not contained within that logic and always gets a default value to work with.

As an aside, you shouldn't be generating a new key just before you run the decrypt() call. You would need to use the same key that was used with the encrypt() call when the number was first encrypted in order to decrypt successfully.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354577
Re: decryption question
> Hmm. I am still getting error "Variable DECRYPTED is undefined." which is weird since I have defined it -- in scope FORM.

Hi Eric, I'd recommend throwing the whole file up to somewhere like pastebin and posting a URL so we can see what all is going on in there (make sure to remove any sensitive information before posting, but seeing the whole file will help troubleshoot).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354579
Re: decryption question
> http://pastebin.com/3xtt3b8k

At first glance I'm not sure why it wouldn't find the form variable. You might try explicitly setting the scope in all instances of that variable. Also, why are you paraming it in the form scope? Your form doesn't have a variable called decrypted so it will always start out blank. I'd just set a blank variable in the variables scope and then set that if you decrypt a card number and use it that way so they're all in the same scope.

Also, regarding your encryption keys, you're generating a new key just before the encrypt() call, so it'll go into the database encrypted. However, you're not storing the key anywhere so you won't be able to decrypt on subsequent page loads (since the key is changing every time the page loads). Generally you would generate an AES key and then store it somewhere secure (key management is another whole topic) and then fetch that stored key when you need to use it for encryption and decryption calls.

In your case, as a place to start, set up a separate temporary script which generates a key, then take the generated key output and put it in a variable in the request scope in your application.cfc file. Then use request.theKey (or whatever you call it) as the key whenever you make an encrypt() or decrypt() call. That will allow you to use the same key for data going into and coming out of the database. Use that as a place to start, but do some reading on encryption key management before you put it into production.

Finally, do not store the CVV in the database. It's against the contract rules for every major credit card processor, the PCI-DSS standards, and will create a lot of headaches if your site is ever hacked. CVV codes are meant for online live transactions only and should not be stored anywhere ever (lots of clients will complain that they need it for offline processing to save some processing fees; tell them too bad and don't store it, no good can come of it).

If you aren't familiar with the PCI-DSS, please go to https://www.pcisecuritystandards.org/security_standards/ and look over the information there. Storing credit card data is serious business and not to be taken lightly.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354581
Re: Problem with Hackers on Donation form through Authorize.net
> We had another run of someone trying yesterday.. I detected it on the 3rd attempt (all of which failed).. then he (or she) tried about 30 more times where I just sent the fake failure notice without letting it hit the credit card processor.

I like this approach on two fronts. First it protects you and your merchant account, and second it gives the attacker a false negative on card numbers that may have been otherwise valid which could help save the cardholder from a lot of bogus charges down the line.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354481
Re: Problem with Hackers on Donation form through Authorize.net
> Forget the form page the bots/humans are not even seeing it they are attacking your processing cfc directly. Your protection has to be server side since any JavaScript on the form page is ignored. They are submitting form data directly to your CFC processing page.

Part of the verification in the processing can be reliant upon something executing in JavaScript and being passed in with the form submission. This is how CFFormProtect works (looks for and tracks timing, keystrokes, mouse movement, etc.). This data is tracked and passed in to the form and the server runs checks against it to determine whether the script ran and events occurred that you would expect to see in a real environment vs. an automated script (it does have some server-side checks as well such as Akismet lookups, etc.).

It is true that an attacker could capture one real submission between the browser and the server and modify their scripts to submit the appropriate data to make it appear as though a script ran and those form fields were populated naturally when they actually weren't, though an attacker would need to be pretty persistent to go through all that trouble. The idea with these kinds of protections is to make it sufficiently inconvenient for an attacker to go to the trouble and move on to the next guy who is easier to exploit.

One of the sites I ran years ago had a problem with people scripting the signup process to generate accounts (even to the point of generating e-mail accounts to use for the e-mail validation process). We really didn't want to use a CAPTCHA, so we ended up randomizing the form field names (and creating a map of the random names to the real names as a session variable when the form was generated so we could match them back up when it was submitted). This prevented the process script from being hit directly and would have forced them to load the actual signup page first, parse all the fieldnames out, and then run the submission again. They could have automated this as well, but never did (perhaps because it was too inconvenient and there were easier targets to go after).

The earlier idea of automatically rejecting transactions and transparently showing a reject notice after a couple of failures is a good anti-abuse measure in this instance. If logs are being kept, they can be reviewed periodically and anyone who looks like they may have been accidentally rejected can be contacted again later to recapture their donation if needed. Abuse can be a hard problem to solve.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354487
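One way to implement the randomized-field-name trick described in that post, as an added CFML example that is not the poster's own code; the field list, the two file names and the session key name are assumptions:

```cfml
<!--- form.cfm (added example): render the form with random field names and keep the map in the session --->
<cfset realFields = "amount,cardName,email">
<cfset session.fieldMap = structNew()>
<cfloop list="#realFields#" index="realName">
    <!--- createUUID() gives an unguessable name; strip the dashes to keep it a clean HTML name --->
    <cfset randomName = "f" & replace(createUUID(), "-", "", "all")>
    <cfset session.fieldMap[randomName] = realName>
</cfloop>
<cfoutput>
<form method="post" action="process.cfm">
    <cfloop collection="#session.fieldMap#" item="randomName">
        <label>#session.fieldMap[randomName]#:
            <input type="text" name="#randomName#"></label><br>
    </cfloop>
    <input type="submit" value="Donate">
</form>
</cfoutput>

<!--- process.cfm (added example): map the posted names back to the real ones; refuse direct hits --->
<cfset requiredFields = "amount,cardName,email">
<cfset realData = structNew()>
<cfif not structKeyExists(session, "fieldMap")>
    <!--- No map means the form page was never loaded in this session: something posted straight to us --->
    <cflog file="formabuse" text="Direct POST to process.cfm from #cgi.remote_addr#">
    <cflocation url="form.cfm" addtoken="false">
</cfif>
<cfloop collection="#session.fieldMap#" item="randomName">
    <cfif structKeyExists(form, randomName)>
        <cfset realData[session.fieldMap[randomName]] = form[randomName]>
    </cfif>
</cfloop>
<!--- One-time use: a captured set of names cannot be replayed against a new session --->
<cfset structDelete(session, "fieldMap")>
<cfloop list="#requiredFields#" index="realName">
    <cfif not structKeyExists(realData, realName)>
        <cflog file="formabuse" text="Missing field #realName# from #cgi.remote_addr#">
        <cflocation url="form.cfm" addtoken="false">
    </cfif>
</cfloop>
<!--- From here on, work with realData.amount, realData.cardName and realData.email as usual --->
```

The formabuse log gives you the periodic review trail the post mentions, so anyone bounced by mistake can be followed up later.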
SOT: IP Geolocation APIs
Good morning/afternoon, one of the companies I work with is interested in integrating some IP geolocation information. I am seeking recommendations for a service with a decent API that others have used. There are so many to choose from. This will be for commercial use so a paid service is fine, though a free one that allows commercial use can be considered as well. Specifically they're looking to take a group of IPs, get a location, and then put markers on a map via the Google maps API. Any recommendations would be appreciated. Thanks!

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354303
Re: SOT: IP Geolocation APIs
> I'm confused - what kind of service are you looking for? The browser itself supports geolocation. Google Maps is its own API. What else are you looking for?

A service where you take any IP address as input and it passes out location (and possibly other) information. For example, if we have a table of comments and we collect the IP addresses where those comments were posted from and later want to put them all up on a map.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354306
Re: SOT: IP Geolocation APIs
> If you're doing it later rather than real time you can probably get that information from Google Analytics.

That isn't applicable to the situation we're working with. If anyone has experience with IP-to-location services that I can pass an IP into and get location information back, I'd appreciate any feedback on experiences with those services. There are a number of them out there and I'm looking for specific recommendations on which ones are good, bad, etc. before I go out and try all of them. Hopefully that will clarify my request a bit. Thanks!

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354309
Re: SOT: IP Geolocation APIs
> What about using geolocation on the client itself? Roughly 82% of your audience will support it.

The situation I'm working with is dealing with historical data.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354310
Re: SOT: IP Geolocation APIs
> If you have a budget available I would recommend http://www.maxmind.com/en/geolocation_landing. We use the downloadable database.

Thanks Donnie, that is exactly the kind of service I am looking for.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354317
Re: SOT: IP Geolocation APIs
> I'd argue that Google's Geocode API (...) would provide it for a user along with geolocation if you wanted it for the current user.

Indeed, we are actually using the Google Geocoder for getting lat/long info for street addresses so that they can be mixed in where available as well.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354341
Re: Porting password hash mechanism from C#
> p.p.s. here's the (pseudo) C# code that i need to replicate that I've been given, along with the comment pay specific attention on how the base 64 string are directly converted to byte arrays.

I'd recommend pasting that code into pastebin or other code-sharing site which can retain formatting and provide for color coding and such and share the link back here. Unfortunately the sample would require a lot of reformatting to be useful as-is.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354278
Re: sql injection attempt
Ah so they were just checking to see if they could get something to work before possibly trying anything real. That's a pretty standard approach. If they can get the response to delay then they can mark that URL as a potential entry point to come back and explore more later.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354001
Re: Secure Login w/ CF and Application.cfc
> <cfif not IsDefined("LoggedIn")> <!--- this logic added to --->

This line is getting triggered on every page load, so when it redirects and reloads the page it's getting triggered again in an endless cycle. You'll need to add logic to tell it not to redirect when you're actually loading the login page:

<cfif not IsDefined("LoggedIn") and cgi.script_name is not "/login.cfm"> <!--- this logic added to --->

Adjust that as needed and it should stop redirecting when you're viewing the login page.

Having said that, there are a number of other issues with this code (login protection is only running in the onApplicationStart method so would only be run on the very first request to the app, for one). There's a SQL injection vulnerability in there, variable scoping issues (e.g. as written someone could pass ?loggedin=1 on the url and it would bypass this). I understand you're learning but would recommend finding a different login example to work with as this one is going to lead you places you really don't want to go.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353861
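A version of that check that avoids both the redirect loop and the scoping problem, written as an added example rather than the poster's code; it assumes a session-scoped flag, a users table holding a per-user salt and a SHA-256 hash, and a datasource named myDSN:

```cfml
<!--- Application.cfc (added example): the login check belongs in onRequestStart, not onApplicationStart --->
<cfcomponent output="false">
    <cfset this.name = "secureLoginDemo">
    <cfset this.sessionManagement = true>
    <cfset this.sessionTimeout = createTimeSpan(0, 0, 30, 0)>

    <cffunction name="onSessionStart" returntype="void" output="false">
        <!--- Keep the flag in the SESSION scope: an unscoped IsDefined("LoggedIn") is also
              satisfied by ?loggedin=1 on the URL, a session variable is not --->
        <cfset session.loggedIn = false>
    </cffunction>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Pages that must stay reachable while logged out, otherwise the redirect loops forever --->
        <cfset var publicPages = "/login.cfm,/logout.cfm">
        <cfif not session.loggedIn and not listFindNoCase(publicPages, cgi.script_name)>
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- login.cfm (added example): parameterised lookup, then set the flag in the session scope only --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<cfif len(form.username) and len(form.password)>
    <cfquery name="qUser" datasource="myDSN">
        SELECT salt, passwordHash
        FROM users
        WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="64">
    </cfquery>
    <cfif qUser.recordCount eq 1
          and compare(qUser.passwordHash, hash(form.password & qUser.salt, "SHA-256")) eq 0>
        <cfset session.loggedIn = true>
        <cflocation url="/index.cfm" addtoken="false">
    <cfelse>
        <!--- Same message whether the user or the password was wrong, so the form leaks nothing --->
        <cfset loginError = "Invalid username or password.">
    </cfif>
</cfif>
<!--- ... render the login form here, showing loginError when it exists ... --->
```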
Re: Looking for affordable Colocation
> I am looking for 2 to 4 rack-spaces of affordable co-location on the east coast, with decent quality transit.

East Coast is a lot of territory. Do you have any more specific requirements? Bandwidth, IP addressing, electrical, firewall, remote hands-on needs? Most data centers I have worked with will ask for a contract for at least half a rack but I know of a few smaller players in the Tampa market who can handle individual servers for co-location.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353847
Re: New Security Issue with CF
> The file itself is some tool designed to be used by developers, probably not developed by the hacker himself. He just found a way to store it on servers.

I've seen this tool make the rounds before through other attack vectors. It's been around since at least ColdFusion MX 6. The undocumented servicefactory it's calling to get datasources only works on CF 6 but was deprecated in 7, if I remember correctly, which is why the datasource list is blank on more modern versions where this is dropped in. The script is old, but the insertion method is new.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353781
Re: searching between 2 date fields with where in cfquery
> i have a table that has two date fields (dateinx and dateoutx) and i need to find all the results for todays date that both fall between and on that date for a given customer: cID.

This should be fairly simple to add to your existing query...

AND GETDATE() BETWEEN dateinx AND dateoutx

> database is msSQL2005 ... i am using smalldatetime in msSQL2005 and also would like to create a mask so that only date: 1/1/2012 would be saved. same for time: 1:30AM in a separate field. msSQL is saving now as 1/1/2012 01:30:00AM or some such...

SQL Server has different data types for date and time which would store these values on their own (internally I believe they're still stored as a smalldatetime with static values for the unused portion). You can also look up the datepart() T-SQL function to break out a datetime into its component parts when needed.

> WHERE (cID = #cID#) AND

Also make sure you put a CFQUERYPARAM tag around that cID variable as well to prevent SQL injection, among other benefits.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353335
Re: Where is information used by the Scheduler?
> I suppose all the information about scheduled tasks is stocked in some XML file, but where?

Take a look in the neo-cron.xml file in the lib folder for your ColdFusion instance.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353287
Re: SQL Express and CF
> Oh, and I don't think you can run scheduled backups either. Which is an issue when using it in production.

We use Tomahawk Backup on some of our web servers to back up the website code and images to both local and off-site storage. Tomahawk (and many other backup utilities) will interface with SQL Server (even the Express edition which we have deployed in production in a few places) and back up your databases locally and off-site as well. Works out pretty well.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353202
Re: Anybody seen this hack/exploit?
> ...lax server security. We've got a boatload of stuff on this site to prevent SQL injection, including Justin D. Scott's application script, carefully checking anything that goes into the database, ...

I haven't looked at the rest of the thread yet, but I would note that the script I wrote is pretty old, was meant as a stop-gap measure while developers added cfqueryparam to their queries (and otherwise fixed their code), and that some newer SQL injection methods will slip right by it undetected. It was never meant as a permanent solution. If you are at all unsure about whether or not part of your code might be letting something through, investing in a couple of hours of time from someone with lots of experience dealing with web application security would be money well spent to get a second pair of eyes on it.

Without knowing anything about your application I'd be thinking SQL injection just based on your initial post. I suppose I should read the rest of the thread before I go on too long though. :)

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353154
Re: question on cfhtmlhead
> Also I am inserting the above tag through cfhtmlhead. My question is if a search engine would recognize this meta tag that is inserted into head later in the page.

Hi there, the CFHTMLHEAD tag will inject the content into the HEAD section of the HTML before any of it is flushed out to the client, so when a search engine sees the content it will show up in the HEAD section regardless of where in the code you make the call to CFHTMLHEAD.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352248
Re: 500 - Internal server error
> ... So this brings up the question now of what's the full purpose of the CFAdmin setting and its use with the IIS setting for Details vs Custom IIS error pages?

Basically IIS is looking at the response codes from an application and when it sees anything other than normal 200 (OK) code (and some others, such as 30X redirects), it will look at the error handling settings to see how it should respond to the user. If the custom errors are enabled for the visitor in question, then it will use whatever is set in the IIS settings (e.g. display a static HTML file, a generic error code, redirect to a page, etc.). This is to prevent any sensitive information from leaking out of the server in the case of an error (such as the info that would normally come from a robust error handling exception in ColdFusion). IIS is helping to protect the security of the application and handle error conditions for you.

The setting in the CF admin controls what status code is sent out when there is an error. Normally when CF encounters an error it will send a 500 (Internal Server Error) code which IIS then intercepts and handles as described above. If you change this setting, you can have CF send a 200 (OK) code even in the event of an error which bypasses the IIS error handling routines and allows whatever output CF generates (page, error page, custom error handler output, etc.) to get through just like any other regular content. IIS just sees it as a normal response at that point and allows it through.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351795
Re: 500 - Internal server error
> Not sure about CF10 but on Railo I think you have to set Error Reporting to Detailed in IIS7 to get the error.

In IIS 7 this setting would be in the site properties, Error Pages under the IIS settings category, then the Edit Feature Settings... link on the right side menu. From there you can set it to Detailed (for all users) or the option to show detailed to local only and Custom to remote users (which is the default I believe) depending on how you're set up.

IIS is essentially seeing that there was a 500 error and showing a custom error to prevent presumably sensitive server information from leaking out. If you're using a custom error handler in CF then you could set this to Detailed and let that content through. Alternately, you could create an HTML file and configure IIS to use a Custom error page and let it know where that HTML file lives so it can handle displaying that for you.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351779
Re: Best practices
> I recently had to help with some code with really outlandish variable and field names.
> <cfset mawkishbbt = GNOME.barakish>
> (not really, but a good paraphrase)

That reminds me of my days writing vScript for the Virtual Advanced BBS (way back in 1995) where all of the variables were predefined based on letters and numbers, so: a0, a1 ... z8, z9. Talk about torture... and you'd better not need more than 260 of them in any one script either. Shudder.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351639
Re: Best practices
> Everything between cfoutput tags needs to be parsed. So a big page would slow performance, by how much is prob negligible but worth testing to find out.

Remember that this would only be a hit once each time the file was changed, as once it's compiled down to bytecode it doesn't have to be parsed again. Back in the CF5 days the code was parsed with each page view, but that hasn't been the case since CFMX 6.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351623
Re: Best practices
> While the general statement you made about bytecode is true, the conclusion you draw from it is one that I'd be reluctant to make without load testing.

Indeed, I had this debate with someone a few years ago and we beat a server into the ground for a few hours with both scenarios and the results were essentially the same either way. I don't have the exact numbers anymore, but it was along the lines of a difference of less than 10ms when the results of millions of iterations were averaged out (that was on ColdFusion 8 Enterprise on a Dell PowerEdge 2850 server if memory serves). I remember this being a big deal back in 1999 under CF4, but in current versions it doesn't appear to matter from a performance standpoint which cfoutput approach is used.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351626
Re: Holy sweet mother of Jeremy Allaire...
> well considering it was not announced it seems it was perhaps not an official release, as it was just found by accident, ...

When I first posted, it wasn't an accident. Ben Forta had posted an announcement on his blog and I happened to see it within a few minutes in my RSS news reader and decided to pass along the good news. Word travels pretty quickly within the CF community... as previously mentioned the buzz has been here, on Twitter, Facebook group, lots of blog activity, etc. Anyone who watches any CF-related community will know within a couple of days (not to mention their presence at cf.Objective() which is going on now). Those are the people who really matter, in my opinion, as they will continue to spread the word far and wide.

I'm not sure what people are expecting from Adobe on the marketing or advertising front around the release. As excited as I am to see ColdFusion evolve, I also realize that Adobe is a huge company with a lot of products to tend to, many of which are more important to them from a marketing standpoint than ColdFusion is (Creative Suite sales are probably an order of magnitude greater than CF sales, so while CF is profitable, it's likely a drop in the bucket compared with the heavy hitters that have a broader market appeal). A mention on the homepage would be nice though. :)

-Just

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351226
CF8/CF9 installers with Verity going away
This is a post from the CF Server Team Blog that I thought worthy of passing along. If you believe you will need to install CF8 or CF9 with Verity bundled in the future and do not already have the installers, go grab them now...

---
From: http://blogs.coldfusion.com/post.cfm/availability-of-coldfusion-9

Our contract with Verity will soon end and we will no longer be able to allow downloads that have Verity in it (CF9/CF8 installers have Verity) post 31st of May. For this reason, we are coming out with a CF 9.0.2 without Verity. Post 31st May, anyone who wants to get hold of CF9 bits will be given access to CF9.0.2 as we can no longer provide the CF9 bits. CF9.0.2 will be made available on the website as well post 31st May. But if anyone needs the CF9 bits with Verity, they need to download now (before 31st of May) from the website here: http://www.adobe.com/support/coldfusion/downloads.html

The same rationale applies to CF8. Anyone who needs CF8 bits can reach out to Adobe support and get access to the CF8 installer before 31st of May.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351235
Re: High school algebra problem
> Problem is, I don't have access to the server other than to reference it. They have a server that hosts the photographs, and another server that hosts the html. So I can only reference the photos using a full URL from another server entirely.

Sounds like MLXchange if that's the provider... pain... bad memories. Hopefully it's improved since I had to work with it several years ago. Good luck!

-Just

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351145
Holy sweet mother of Jeremy Allaire...
ColdFusion 10 has been released... http://www.adobe.com/products/coldfusion-family.html

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351154
Re: encrypting with initialization vectors
> I can't seem to get the encrypt function to take an initialization vector. It doesn't matter what I put there. It returns the exact same result as if there is no initialization vector.

Hi there, please post the line of code where you're calling the encryption function as that will help with troubleshooting. What encryption algorithm are you using? Not all of them will use an IV.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351105
Re: encrypting with initialization vectors
> You need to use a feedback mode other than ECB (the default when you omit it from the algorithm) to use an IV, try using AES/CBC/PKCS5Padding for your algorithm. This KB article has a lot of info about this stuff: http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html

As usual I get a phone call and Pete beats me to the punch. :)

An IV is only used when AES is using a block cipher. CBC is Cipher Block Chaining Mode, so it would use an IV (algorithm = AES/CBC/PKCS5Padding); ECB is the default mode and doesn't use an IV (algorithm = AES).

Also, the IV you pass in must be the same length as the block mode of the algorithm (e.g. the same as the key length), so in the original sample code, encrypting the anotherkey value and using that as the IV probably won't work. You can generate another key and use a hash of its value to the appropriate length to get a similar result (e.g. <cfset useasiv = left(hash(anotherkey), 16)>).

-Justin Scott

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351109
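Putting the two threads together (the one persistent key kept in Application.cfc from the decryption question, and AES/CBC with a per-value IV from this one), as an added example that is not code from either thread; the key-file path is a placeholder, and the IV is 16 bytes because that is the AES block size regardless of key length:

```cfml
<!--- Application.cfc excerpt (added example): one persistent key, generated once, loaded every request --->
<cffunction name="onRequestStart" returntype="boolean" output="false">
    <cfargument name="targetPage" type="string" required="true">
    <!--- The key was produced ONCE by a throw-away script, <cfoutput>#generateSecretKey("AES")#</cfoutput>,
          and saved to a file outside the web root; the path below is a placeholder --->
    <cffile action="read" file="/path/outside/webroot/aes.key" variable="request.theKey">
    <cfset request.theKey = trim(request.theKey)>
    <cfreturn true>
</cffunction>

<!--- Helpers (added example): encrypt with a fresh random IV and store the IV next to the ciphertext.
      The IV is not secret, it only has to be unique per value, so keeping it in the same column is fine --->
<cffunction name="encryptField" returntype="string" output="false">
    <cfargument name="plainText" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <cfset var iv = "">
    <cfset var cipherText = "">
    <!--- generateSecretKey("AES") returns 16 CSPRNG bytes in base64: exactly one AES block for the IV --->
    <cfset iv = binaryDecode(generateSecretKey("AES"), "base64")>
    <cfset cipherText = encrypt(arguments.plainText, arguments.key, "AES/CBC/PKCS5Padding", "base64", iv)>
    <cfreturn binaryEncode(iv, "hex") & ":" & cipherText>
</cffunction>

<cffunction name="decryptField" returntype="string" output="false">
    <cfargument name="stored" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <cfset var iv = binaryDecode(listFirst(arguments.stored, ":"), "hex")>
    <cfset var cipherText = listLast(arguments.stored, ":")>
    <cfreturn decrypt(cipherText, arguments.key, "AES/CBC/PKCS5Padding", "base64", iv)>
</cffunction>

<!--- Usage with a constructed sample value: the same request.theKey goes in and comes back out,
      so data written on one page load can be read on the next. Two calls on the same plaintext
      produce different ciphertext because each gets its own IV. --->
<cfset stored = encryptField("constructed sample value", request.theKey)>
<cfset original = decryptField(stored, request.theKey)>
<cfoutput>#stored# / #original#</cfoutput>
```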
Re: (ot) Blocking IPs
> The problem with IP blocking is that 99% of the time the IP is a fake IP, and that means that legitimate IP's are and do get blocked for no good reason.

It really depends on the type of attack. If they're just flooding as part of a DDOS attack then spoofing is viable, but for something like a SQL injection attack the IP can't be spoofed per se. In those cases the biggest problem, in my opinion, is that it is ridiculously easy to reroute (think TOR) and come from a different, unrelated IP in a matter of seconds.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350960
Re: Problems verifying integers
I would think there would be some way these functions would work to prevent passing invalid data to a cfsqlparam with type cf_sql_integer but I couldn't find a way that didn't allow something illegal through. If I know a variable is supposed to be an integer (usually a primary key), I will do:

<cfparam name="url.id" default="0">
<cfset url.id = abs(val(trim(url.id)))>

This will force the value to a positive integer or zero. If you just want to test the variable to see which search type should be triggered:

<cfif abs(val(trim(url.id))) eq url.id>
<!--- Is positive integer --->
<cfelse>
<!--- Not so much --->
</cfif>

If people are entering values that could include dollar signs and commas that need to be considered, a regex to remove non-numeric characters (except perhaps a period) would probably be the better choice, or at least a replaceList() to remove the commonly used but undesired characters before passing it through a sanitizer. At one point (years ago) Google was hitting pages and throwing very large numbers into some integer URL variables which caused an out-of-range error and I even added a min() function with the resulting sanitized value and 20 as the parameters to keep the value in range, though I haven't seen that for a while, but something to keep in mind if you see an error like that come up. -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350780
Re: Problems verifying integers
I just find it weird that isValid(integer) would consider $123,123 as a valid integer value such that I have to fix it in the first place! I agree that seems a little wonky. I ran the code below to test some values with ColdFusion 9 and the results are included in the inline comments:

<cfoutput>
$123,123.00 = #isValid("integer", "$123,123.00")# <!--- NO ---><br>
123,123.00 = #isValid("integer", "123,123.00")# <!--- NO ---><br>
123,123 = #isValid("integer", "123,123")# <!--- YES ---><br>
$123,123 = #isValid("integer", "$123,123")# <!--- YES ---><br>
4,123,123 = #isValid("integer", "4,123,123")# <!--- YES ---><br>
4,123,123,123 = #isValid("integer", "4,123,123,123")# <!--- NO ---><br>
123,,123 = #isValid("integer", "123,,123")# <!--- YES ---><br>
</cfoutput>

It will accept the dollar sign ($) and even a double comma (,,) as part of an integer value, but not a decimal point (.00). I can see how that would be frustrating as I would expect it to handle some of those differently. I've been sanitizing integers on my own since ColdFusion 4, so this isn't something I've really bumped into. I do use isValid() for verifying e-mail address formats in some places, so I'm beginning to wonder what problems exist in that algorithm, if any. Hmm... -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350784
Re: Problems verifying integers
Yeah unfortunately IsValid(integer) ignores non-numeric characters. It seems more complex than that, as some it will ignore and others it won't. Dollar signs and commas appear to be ignored but others are not (results as run on ColdFusion 9).

<cfoutput>
123,,123 = #isValid("integer", "123,,123")# <!--- YES ---><br>
x123,,123 = #isValid("integer", "x123,,123")# <!--- NO ---><br>
123,x,123 = #isValid("integer", "123,x,123")# <!--- NO ---><br>
123,,123 = #isValid("integer", "123,,123")# <!--- NO ---><br>
*123,123 = #isValid("integer", "*123,123")# <!--- NO ---><br>
$123,123 = #isValid("integer", "$123,123")# <!--- YES ---><br>
</cfoutput>

Personally, I don't consider either to be part of an integer value and I don't think it should ignore any non-numeric characters, but I suppose they have their reasons for implementing it this way (unless it's a long-standing bug that too much code is dependent upon to fix). -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350785
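An added Python example, not code from any of the three "Problems verifying integers" posts above, that shows what a strict check gives for the values the posts tried: a plain-decimal check bounded to the 32-bit cf_sql_integer range, a lenient path that first strips the "$" and "," characters the posts mention, and an emulation of the abs(val(trim(url.id))) idiom with a range cap for the large-number case. cf_val is my own approximation of ColdFusion's val() (leading numeric prefix, else 0).

```python
import re

INT32_MIN, INT32_MAX = -2_147_483_648, 2_147_483_647   # range of cf_sql_integer
STRICT_INT = re.compile(r"[+-]?\d+")
NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)")


def strict_int(value, lo=INT32_MIN, hi=INT32_MAX):
    """Return the int if value is a plain decimal integer within [lo, hi], else None.
    Unlike isValid("integer"), nothing is ignored: "$123,123" and "123.00" fail."""
    s = str(value).strip()
    if not STRICT_INT.fullmatch(s):
        return None
    n = int(s)
    return n if lo <= n <= hi else None


def money_to_int(value, strip="$,"):
    """The replaceList() idea: drop the commonly used but undesired characters
    first, then apply the strict check (so "$123,123" -> 123123, "1.00" -> None)."""
    cleaned = str(value).strip()
    for ch in strip:
        cleaned = cleaned.replace(ch, "")
    return strict_int(cleaned)


def cf_val(value):
    """Approximation of ColdFusion val(): the numeric prefix of the string, else 0."""
    m = NUMERIC_PREFIX.match(str(value))
    return float(m.group(0)) if m else 0.0


def positive_id(value, cap=INT32_MAX):
    """The post's abs(val(trim(url.id))) idiom plus the min() cap it mentions for
    oversized values: always a non-negative integer that fits cf_sql_integer."""
    n = abs(int(cf_val(str(value).strip())))
    return min(n, cap)


if __name__ == "__main__":
    for sample in ("123", "$123,123", "123,,123", "4,123,123,123", "12abc"):
        print(f"{sample!r:18} strict={strict_int(sample)!s:6} "
              f"money={money_to_int(sample)!s:10} id={positive_id(sample)}")
```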
Re: Thank God for query params. ;)
An IP from the Ukraine was attacking my contact form with name values like:

John 1) declare @q varchar(8000) select @q = 0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --

Indeed, this looks like an initial reconnaissance injection to see if other commands would work (that hex value decodes to WAITFOR DELAY '00:00:15'). This would cause a page load to be delayed a short period so they know the command executed on the database server before moving on to more interesting attacks. -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350345
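An added Python example, not code from the post, for the logging side of a form handler: it decodes 0x... hex literals found in submitted values (the one quoted above decodes to WAITFOR DELAY '00:00:15') and flags the submission for alerting, which is useful even when cfqueryparam already makes the injection itself harmless. The payload is the one quoted in the post; the keyword list and field names are my own choice.

```python
import re

# 0x followed by at least four whole bytes of hex (shorter values are usually colours or ids)
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2}){4,})")
# T-SQL keywords worth an alert when they appear in a name/e-mail field (my own list)
SQL_KEYWORDS = ("WAITFOR", "DELAY", "DECLARE", "EXEC", "SELECT", "UNION", "VARCHAR")


def decode_hex_literals(value):
    """Return [(hex_digits, text)] for every hex literal that decodes to printable ASCII."""
    found = []
    for m in HEX_LITERAL.finditer(value):
        raw = bytes.fromhex(m.group(1))
        if all(32 <= b < 127 for b in raw):
            found.append((m.group(1), raw.decode("ascii")))
    return found


def classify_input(field, value):
    """Produce a log-style record saying whether a submitted value looks like a probe and why."""
    reasons = []
    decoded = decode_hex_literals(value)
    for hex_digits, text in decoded:
        hits = [k for k in SQL_KEYWORDS if k in text.upper()]
        if hits:
            reasons.append(f"hex literal 0x{hex_digits} decodes to {text!r}")
    upper = value.upper()
    plain = [k for k in SQL_KEYWORDS if re.search(r"\b" + k + r"\b", upper)]
    if plain:
        reasons.append("plain SQL keywords: " + ", ".join(plain))
    if re.search(r"--\s*$", value):
        reasons.append("trailing SQL comment marker")
    return {"field": field, "suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


# Constructed sample submissions: the first is the payload quoted in the post.
SAMPLE_PROBE = ("John 1) declare @q varchar(8000) select @q = "
                "0x57414954464F522044454C4159202730303A30303A313527 exec(@q) --")
SAMPLE_BENIGN = "John Smith"

if __name__ == "__main__":
    for value in (SAMPLE_PROBE, SAMPLE_BENIGN):
        print(classify_input("name", value))
```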
Re: Failed PCI Compliance test on CF9.01
It's a video streaming site for members. I can't believe my only option is to stream video across ssl. There must be another solution. There is: take the main site out of scope for compliance. The only parts of a system that have to be PCI compliant are the ones that handle credit card information, usually an online store or subscription system. There is no technical reason I can think of that would require your billing system and video streaming servers to share infrastructure. Separating the billing system out on to its own infrastructure means the rest of the system goes out of scope and then you can do whatever you want with your cookies on the main part of the site. Keep the billing system isolated and your headaches will be greatly reduced. -Justin Sco
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350252
Re: Failed PCI Compliance test on CF9.01
Justin, thanks for the reply, and I get your point, but I can't break out the registration process into a standalone site quickly. There must be a fairly quick solution to this problem. Surely, I can't be the first to deal with this. Another option might be to ask your scanning vendor for an exception to that scanning rule. If you can demonstrate to them that no credit card information is accessible through the user's account (e.g. the card number isn't visible anywhere, etc., and it really doesn't matter if the session is hijacked from the standpoint of credit card security) and explain the situation, they are generally willing to work with you on this kind of thing. Remember, their scanning rules are designed to cover the widest possible threat model. If you have specific needs that don't fit into that model but have compensating controls in place, it shouldn't be a problem (e.g. this used to be an issue with the incremental session IDs which the scanners check for, but paired with the random session token as a compensating control they would always make an exception for this rule when asked). -Justin Sco
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350258
Re: Failed PCI Compliance test on CF9.01
Justin, I don't think that would work though, depending on the level of compliance and the SAQ being completed I don't think any vendor will allow that exemption regardless of if credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest any personally identifiable information it could affect security of any credit card entered into the site. Perhaps, though you'd be surprised what they will sign off on with proper compensating controls in place. It can't hurt to ask, in any case. Ultimately, my advice in this situation is to isolate the billing system so that the rest of the system isn't in scope for compliance. Trying to find a quick fix when it comes to PCI compliance is just asking for problems. -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350262
Re: (ot) Places to post a CF opening
I know that there is the CF-Jobs list but where else can we post for free that will get us more coverage? There is the HoF CF-Jobs mailing list, as mentioned. I would also recommend contacting Ricardo Parente at http://cfdevelopers.net/ as he runs a ColdFusion job site/blog that gets pretty good coverage. -Justin Scott
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350263
Re: Failed PCI Compliance test on CF9.01
On a related subject: is there a way to make the jsessionid cookie secure without making the jrun change? I ask because doing so affects all sites on the server, and I had planned to run other sites on this particular server. Be careful with this... if your billing system is on this server and other sites share the same server and aren't properly sandboxed, they are technically in-scope for compliance as well as they offer other roads into the server which could lead to the compromise of your billing system. All the more reason to isolate it now while you still can. :) -Just
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350288
Re: Difference between cfcontent and cfheader in terms its usage?
Difference between cfcontent and cfheader in terms its usage? Generally, cfcontent is used to serve up a file from the server through ColdFusion (could be a generated PDF document, tracking image, or any other file you want to have ColdFusion serve up for you through the code). You can also use cfcontent to specifically set the content-type header through the type attribute (usually in conjunction with a file to be sent with the file attribute). It can also be used to reset the output buffer as long as output hasn't been flushed back to the server yet. The cfheader tag is used to set specific response headers or status codes for the HTTP request. This can be used to set the status code and one or more response headers as needed. It's commonly used to set a Content-Disposition header in conjunction with the cfcontent tag when serving up a file to give the client a hint as to what filename it should use for the file being served. It can be used to set a Location header (which was common in conjunction with a 301 status code in earlier versions of ColdFusion, or in conjunction with setting a cookie way back before the cflocation tag was fixed in this regard). -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349908
Re: Video Processing?
@Mack - Thanks for the confirmation, that lets me know it's possible which is a good start. @Steve - Interesting, I will take a look at that as soon as I can. If it's just a wrapper for ffmpeg I can probably extend it to handle stitching if needed. @Ray - Thanks for the suggestion. I had e-mailed their sales team around the same time I posted my original note here and they've since responded that their service doesn't do stitching, just conversion. -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349754
Video Processing?
Hi all, I am curious if anyone has hands-on experience with processing video that they might be willing to share? I have a potential project which will need video transcoding services as well as stitching parts of videos together to form new videos. From looking around I saw the ffmpeg library though it's not immediately clear if this will meet my needs. I also see that Railo has a plugin which enables a CFVIDEO tag which may do what we're looking for. Anyone have experience with either of these that they'd be willing to share? Thanks! -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349690
Re: SOT: PHP The Anthem
Highlighted on the YouTube homepage, they trash CF in the first line of the song... Yeah, sometimes the code looks a little trashy, but this ain't ColdFusion so stop talkin' sassy. Sounds like a compliment to me (e.g. ColdFusion code looks less trashy than PHP). I'm with Dave on this one. :) -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349648
Re: This actually works!
I don't think that is accurate. Yes you can use array/struct functions on them, but they are not array/structs. Consider this example: I saw your post and ran the code, and you are correct, CF is representing them as an xml document rather than arrays and structs. It's been a while since I have done a lot of XML parsing and remembered this detail incorrectly. That's what I get for posting late at night after driving for six hours. :) -Justin
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:349576