http://blogs.coldfusion.com/post.cfm/updates-for-coldfusion-2016-and-coldfusion-builder-2016-is-available-now
ColdFusion 2016 Update 3 is now live. There were quite a few bugs fixed. https://helpx.adobe.com/coldfusion/kb/bugs-fixed-coldfusion-2016-update-3.html
My place to run off at the mouth. Mostly about geek stuff. Sometimes.
Monday, October 3, 2016
Boolean Girl - STEM Teaching With RaspberryPi
I should have shared this last week when I saw it. STEM education, especially when it comes to bringing more young girls into the dev community, is one of my soap boxes. And as a geek (and lover of Erector sets and those old "Build Your Own Radio" kits with springs and wires from the 80s), the RaspberryPi is one of the coolest inventions of my lifetime. So when I saw the Kickstarter for the Boolean Box, I ordered one for my niece (and to be honest, one for myself, too). Please, if this interests you, back it.
Boolean Box Kickstarter (https://www.kickstarter.com/projects/71092263/boolean-box-a-technology-discovery-kit-for-girls)
Boolean Girl Website (http://www.booleangirl.org/)
DON'T PANIC!

I was driving back to North Carolina from Nashville on Sunday, and I had a tire-disintegrating blowout. I drive a Silverado, so it wasn't a small tire. I was in traffic, doing about 75 mph, when my front passenger tire decided it was time to let go. I'm sure anyone who's ever had a blowout can attest that it's somewhat of an adverse situation. And I know we've all seen news reports of serious road accidents caused by a high-speed blowout.
So how does this relate to piloting? First and foremost, as I said above, when bad things happen, you learn to stay calm and deal with the problem. More directly, when flying multi-engine aircraft, one of the first things you learn is how to deal with an engine failure and the resulting tendency to "pull" to one side. When bad things happen, like an engine failure or a blowout, they don't usually give you a lot of warning. So you learn that, rather than be surprised, you STAY CALM and KEEP OPERATING YOUR VEHICLE.
When my tire blew, my truck immediately started pulling me to the right. But there was a car there who probably wasn't too keen on sharing space with me. So I couldn't let my truck take me there. I let off the gas and, when I was clear, moved over to the shoulder. I didn't panic.
As I write this, I'm sitting in NTB having a new tire mounted. This isn't how I wanted to spend my lunch break today, but it could have been much worse. I could have been one of those stories on the nightly news. But instead, when a bad situation suddenly developed, I kept my head and dealt with the problem. My old training (even though it was in airplanes and not cars) kicked in.
A quick Google search shows that my lessons weren't exactly unique to piloting. They were based in some common sense steps for disaster preparedness found in many fields. Operate, Communicate, Mitigate. In that order. Whether you're flying a plane, driving a car, or dreaming peacefully in bed, you should be prepared for the engine failure, the blowout, or the 3am call that lets you know the website is down. If you know what you're going to do when a problem happens, you won't have to think about how to handle it when it finally does.
NOTE TO OTHER DRIVERS: If you see someone on the side of the road, PLEASE PLEASE PLEASE show a little bit of courtesy and move over. It's rather unsettling to have a car zip past you at 70+ mph. Especially when they're only a few feet from you.
Sunday, September 25, 2016
NCDevCon 2016
http://ncdevcon.com/
Saturday and Sunday, Sept 17-18, 2016
I got home from NCDevCon last Sunday night. It's been a week, and they've already released the videos online (https://textiles.online.ncsu.edu/online/Catalog/catalogs/ncdevcon-2016). I've procrastinated long enough, so here's my write up.
First off, I want to say a big THANK YOU to the organizers and the sponsors. This was the first year I've attended. I've heard before that it was a great conference, and I definitely wasn't disappointed. It was good to see some of the people that I met before, and it was also good to meet new people. There are some very bright individuals in this community.
As always seems to be the case at conferences, I run into a conflict of having multiple talks scheduled at the same time. I'm glad these sessions were recorded. When they're released, I'll definitely be going back to watch some of the ones I missed.
Anyway, off I go...
I arrived in Raleigh, NC on Friday night. It's supposed to be a little less than a 3 hour drive from Charlotte, but traffic was HORRIBLE. It took over 4, and I got there later than I expected. But I was still able to meet up with a few others at the hotel, with enough time for a cold beer. Thank you, Dan! After an hour or so of catching up and general yapping, it was time to hit the sack for the conference the next day.
The conference was at NC State University Centennial Campus, College of Textiles (THANKS TO YOU, TOO!). The conference hotel was the Sheraton, right downtown, where quite a bit was going on. I was cheap, and stayed down the road at the Red Roof Inn. All I can say is Thank Goodness for Uber and Lyft. Next year, I think I'll stay closer to everyone else.
DAY 1
Registration began at 8am. I got there around 815, still somewhat sleepy-eyed. Time for a quick, simple breakfast and more yapping, before Adobe's opening remarks.
Elishia Dvorak from Adobe spoke a bit about the recent rise of APIs. Though it wasn't really the focus of her opening, it should be noted that ColdFusion 2016 includes a new API Manager feature, which makes it very convenient for API development. I don't do a lot of API development, but I probably should focus a bit more attention on it.
For my first session, I attended Dependency Injection 101 by Anant Pradhan. He went over the basics of what it is, and how the concept is framework and language agnostic. The difference between the "normal" way of an object finding its dependencies and calling them vs inversion of control, with an object being provided with the objects it needs. He talked about a couple of the main frameworks used in ColdFusion, DI/1 and Wirebox. I don't currently do a lot of direct DI. It's definitely something I need to learn more about.
Session 2 - Taking Your Searches to the Next Level with Solr and Elastic Search by Mary Jo Sminkey
Solr and ES are both full text search engines. ES is better at analytics (like log analysis) and Solr is very good at text search. Solr has been a part of CF since CF9, and is based on Apache Lucene. With CF11, Adobe upgraded Solr to V3, and then again in CF2016 to v5. For a good breakdown, look at solr-vs-elasticsearch.com. Things to watch out for with Solr: searching multiple documents, standard issue with CF serializing a number string like "0123" as a numeric value like 123, and "sea biscuit" problem (multi-term synonyms). Results can be returned in multiple formats with JSON and CSV being most common. Filters are the most basic way of restricting the documents to search. fq = filter query. A simple search => /select?q=front+bumper.
After Session 2, we broke for Lunch (thanks Adobe for sponsoring). The lunch breaks were a bit too long, but the food was very good. Now that we're all fed, time to start the afternoon sessions.
Session 3: MVC With and Without a Framework by Nolan Erck
I first saw this presentation of Nolan's at CFSummit 2015, and it is by far one of my favorite presentations I've seen at any conference. If you get the opportunity to see this live, DO IT. Otherwise, check out a recording of it. It's definitely worth it.
Nolan demonstrates a good use case for the MVC Pattern by taking common spaghetti code and demonstrating how MVC can benefit it. He starts with some basic definitions:
Design Pattern = "$6 word for 'a common problem solved by organizing objects in a certain way'".
View = The App that users see; minimal CF logic; NO business logic or SQL. "Like the Menu at a Restaurant".
Model = Sorta short for "data model"; where ALL of your SQL lives; business logic. "Like the Kitchen / Chef at a Restaurant".
Controller = Sits between Model and View; No HTML output or SQL; Small bits of logic controlling the app flow. "Like the Waiter in a Restaurant".
View <> Controller <> Model
Factory Design Pattern = solves the problem of a change in database ( ie MS SQL to Oracle ).
MVC Pros:
- Promotes code reuse
- Allows multiple people to work on code at the same time
- Pattern is non-framework and non-language specific
- Very common pattern / nomenclature (things mean the same thing in other languages)
MVC Cons:
- Learning curve
- "more typing" (just use hotkeys then)
Use a Framework
- Same design patterns
- FW/1, ColdBox, ModelGlue, MachII, etc
- FW/1 uses a naming pattern of folders to find files
Open Session Sponsored by StrongLoop - Building APIs
I am not even remotely familiar with StrongLoop, so I skipped this one.
Session 4: Less Hate, More Love With ColdFusion ORM by Masha Edelen
She recommended www.coldfusionORMBook.com
ORM = Hibernate first introduced in CF9.
It reduces time by eliminating CRUD and reducing about 95% of common data tasks.
To setup, in Application.cfc >> this.ormenabled=true; then map tables to objects.
IT'S ALL ABOUT RELATIONSHIPS.
Entity names are CASE SENSITIVE.
Watch out for SQL Injection in HQL.
ORMExecuteQuery(hql,params[,unique][,query options]);
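An added illustration of the "SQL injection in HQL" note above (this is my example, not code from Masha's session): the same lookup written with string concatenation and with ORMExecuteQuery() parameters. A persistent CFC named User with an email property is assumed.

```cfml
// Added example. Assumes a persistent CFC "User" with an "email" property,
// and that the email argument arrives from the request untrusted.

// UNSAFE: the request value is spliced into the HQL text, so Hibernate parses it as HQL.
// A value containing a quote changes the query, exactly as it would in raw SQL.
function findUserUnsafe( required string email ) {
    var hql = "from User where email = '" & arguments.email & "'";
    return ORMExecuteQuery( hql, true );
}

// SAFE: positional parameter. The value is bound separately from the HQL text,
// so it can only ever be compared against the column, never parsed as HQL.
function findUserByEmail( required string email ) {
    return ORMExecuteQuery( "from User where email = ?", [ arguments.email ], true );
}

// SAFE and easier to read: named parameters passed as a struct (CF9.0.1+).
// The fourth argument is the query-options struct from the signature above.
function findUsersByDomain( required string domain, numeric max = 50 ) {
    return ORMExecuteQuery(
        "from User u where u.email like :pattern order by u.email",
        { pattern = "%@" & arguments.domain },
        false,
        { maxResults = arguments.max }
    );
}

// For a simple property match, skip HQL altogether: EntityLoad() takes a filter struct
// and there is no query text for user input to end up in.
function findUserNoHql( required string email ) {
    return EntityLoad( "User", { email = arguments.email }, true );
}
```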
To be honest, I don't currently use a lot of ORM. I'm also a fan of letting the database do its job rather than coding the job for the database. I know it's almost a religious debate, but I'm not overly fond of ORM. But that's likely because I just don't know a whole lot about it.
Session 5: ES6 Web Components by Ben Farrell
My two biggest takeaways from this one:
1) I don't know a whole lot about ES6 or Web Components.
2) Ben Farrell is a WONDERFUL presenter! He was very entertaining and engaging, even though most of his preso flew over my head.
As Day 1 drew to a close, Adobe sponsored a networking event for attendees. They catered it with some good finger foods, and drinks with beer provided by a local brewery, Raleigh Brewing Company. What can I say, the brew was excellent!
Several of us headed out for some dinner. Apparently Chicken and Waffles at Beasley's downtown is a conference tradition. The food was excellent, and the company was great. I'm glad I participated.
DAY 2
Session 1: CFML Features For More Modern Coding by Dan Fredricks
This is another one that I saw previously at CFSummit 2015. It too is an excellent presentation and definitely one with some good, applicable content. Dan updated this with some of the new features in CF2016.
Session Notes:
As of CF11, we have full script support for the language.
"Do what is best for you, but try to be CONSISTENT."
Some of the tags have multiple implementations ( ie thread() and cfthread() ).
QueryExecute() is liked much more than previous implementations of script queries. queryExecute(sql[,queryParams][,queryOptions])
MEMBER FUNCTIONS!!! Added as of CF11 and make things more oriented to OOP.
Old: ArrayAppend(empArray[],empID) ;
New: empArray.append(empId) ;
This allows method chaining.
Watch out, because some member functions may drop into the underlying Java if built incorrectly.
Elvis Operator added in CF11 ?:
Like a ternary operation: isNull(x) ? y : x and x?:y
Closures: Added in CF10 with more added in CF11 and 2016
== functions that bind variable references at declaration-time instead of use-time. Callbacks are not closures. The inner function has access to outer function variables.
There are several closure functions built into CF.
Testbox uses closures (that's why it requires CF10).
Mark Mandel = Sesame ; Adam Tuttle (fusiongroker.com) = preso on closures.
Map, Reduce, Each and Filter
Map() iterates over a collection and returns the whole collection with values changed (not key/index)
Reduce() more complex than map(). Iterates over a collection and from each element derives one value as the result.
Filter() similar to map() and reduce(). Iterate over object and return a new object without affecting the original.
Each()
In CF2016, map() and reduce() can be used on queries.
First Class Functions == object that could be passed as an argument. (see list of available functions = arrayLen, lcase, etc) First introduced in CF11.
Callback functions = function passed into another function.
2016 Additions:
Safe Navigation Operator (?.)
Used to access members of a struct when one of them is NULL or not defined.
writeOutput(employee?.name?.firstName?.lcase());
Ordered collections = structNew("ordered") >>
ArrayPassByReference -- speeds up passing arrays. They used to be passed by value.
Application.cfc = PassByReference='true'
SearchImplicitScopes -- Don't scope hunt unscoped variables.
There was a lot of good info in this presentation.
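An added example of the CF11/CF2016 features in Dan's notes used together (my code, not from his slides): a closure bound at declaration time, member-function chaining with filter()/map()/reduce(), the Elvis and safe navigation operators on missing data, and an ordered struct. The employee data is constructed for the example.

```cfml
// Added example. Constructed sample data: one employee has no firstName key,
// one has no dept key at all, so ?. and ?: have something to do.
employees = [
    { id = 1, name = { firstName = "Ada" },   dept = "eng", salary = 120000 },
    { id = 2, name = { firstName = "Grace" }, dept = "ops", salary = 95000 },
    { id = 3, name = {},                      dept = "eng", salary = 101000 },
    { id = 4, name = { firstName = "Linus" }, salary = 88000 }
];

// Closure: minSalary is bound when isWellPaid is declared, not when filter() calls it.
minSalary = 100000;
isWellPaid = function( emp ) {
    return emp.salary >= minSalary;
};

// Member functions chain left to right. filter() and map() each return a new
// array; the original employees array is untouched.
highEarnerNames = employees
    .filter( isWellPaid )
    .map( function( emp ) {
        // Safe navigation: a missing firstName yields null instead of throwing,
        // and the Elvis operator then supplies the fallback.
        return emp.name?.firstName ?: "(unknown)";
    } );
// highEarnerNames is [ "Ada", "(unknown)" ]

// reduce() folds the whole collection into one value; here an ordered struct
// (CF2016) so the departments come back in first-seen order.
payrollByDept = employees.reduce( function( acc, emp ) {
    var dept = emp.dept ?: "none";           // Elvis: undefined key -> "none"
    var soFar = acc.keyExists( dept ) ? acc[ dept ] : 0;
    acc[ dept ] = soFar + emp.salary;
    return acc;
}, structNew( "ordered" ) );
// payrollByDept is { eng: 221000, ops: 95000, none: 88000 }
```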
Session 2: Git Source Control For The Rest Of Us by Nolan Erck
I noticed during this presentation, that this was actually the first one I attended that wasn't part of the ColdFusion track. That was totally unintentional; I just saw more applicable sessions in that track, I guess.
Nolan has some good presentations, and this one is another. He covered some of the basics of using a source control system, particularly Git on a Windows system through the SourceTree GUI client. He talked about some of the more common commands (like "add", "commit", "revert", "branch", etc) and why you should use a Master branch as your source for Production-ready code. He recommended Brad Wood's presentation on What's a Pull Request, which is available at https://experts.adobeconnect.com/_a204547676/p7dwzsxehq1/?launcher=false&fcsContent=true&pbMode=normal or https://vimeo.com/175768635 or https://www.youtube.com/watch?v=dTlEFQxlrrQ. He also recommended Tim Cunningham's CFHour (118) preso.
Session 3: ......
It was supposed to be W3C Content Security Policy & HTTP Headers for Security by David Epler. I attended his and Pete Freitag's Security session at CFSummit2015, and it made a bit of an impression. I really wanted to attend Dave's talk about Content Security Policy, but I have to admit, I missed it. I sat outside his door yapping with Nolan and a couple of other people about Git. Sorry I missed it, Dave. That'll top my list of preso videos to watch this evening.
Which brings us to Lunch time, catered by Moes!
Session 4: CFML: Code Security Best Practices by Trip Ward
This presentation was supposed to be given by Denny Springle, but due to some unfortunate issues with Denny getting to Raleigh, Trip stepped in very late in the game to give this preso, and it's good that he did. There was a ton of good information in this talk.
Session Notes:
Who writes these insecure apps? Us.
Real threats are silent.
We must protect PII.
When it comes to data protection, you can have too much of a good thing. Do not hash and encrypt everything. Pick and choose the important data.
Hash() KEYS and Encrypt() VALUES before looping.
However, remember that it's better to have SOME security than NONE. If you have to, fall back to ECB/128bit keys if performance is an issue.
Attack vectors: SQL Injection, XSS, CSRF, Cookies, Tidbits (cflocation, file upload validation, form methods, file injection, application naming...)
Code Curmudgeon site.
Cookies >> httponly="true" secure="true"
HTTP Headers >> Check your headers (cyh.herokuapp.com/cyh). Check Dave Epler's Content Security Policy preso.
Security Objects >> This is the first thing you should implement in a new project.
If you have to create your own, cache it in the Application scope.
Hide all errors on external apps.
HPP = HTTP Parameter Pollution.
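An added Application.cfc sketch that applies several of Trip's notes (my code, not from the session): httponly/secure cookies, a security object cached in the Application scope, errors hidden from external users, and duplicate form fields (HPP) rejected. SecurityService is a hypothetical CFC standing in for the "security object"; the rest are ColdFusion 10+ Application.cfc settings and lifecycle methods.

```cfml
// Added example. "SecurityService" is a hypothetical CFC; everything else is a
// standard Application.cfc setting or event handler.
component {

    this.name = "ncdevconNotesDemo";
    this.sessionManagement = true;
    this.sessionTimeout = createTimeSpan( 0, 0, 30, 0 );

    // Cookies >> httponly="true" secure="true", applied to the CFID/CFTOKEN session
    // cookie: page scripts cannot read it and it is never sent over plain HTTP.
    this.sessionCookie = { httpOnly = true, secure = true, timeout = 30 };
    this.authCookie    = { disableUpdate = true };

    // Have ColdFusion neutralize script-style input in all the listed scopes.
    this.scriptProtect = "all";

    // HPP: a form field sent twice becomes an array instead of being silently
    // joined into "value1,value2", so onRequestStart can see and reject it.
    this.sameFormFieldsAsArray = true;

    // Security object: build it once and cache it in the Application scope.
    function onApplicationStart() {
        application.security = new SecurityService();   // hypothetical CFC
        return true;
    }

    function onRequestStart( required string targetPage ) {
        // Reject any form field that arrived more than once.
        for ( var field in form ) {
            if ( isArray( form[ field ] ) ) {
                cfheader( statusCode = 400, statusText = "Bad Request" );
                writeOutput( "Duplicate form field rejected." );
                return false;   // stop processing the request
            }
        }
        // Cookies the application sets itself get the same two flags.
        if ( !structKeyExists( cookie, "prefs" ) ) {
            cfcookie( name = "prefs", value = "v1", httpOnly = true, secure = true, expires = 30 );
        }
        return true;
    }

    // Hide all errors on external apps: log the detail, show the user a generic page.
    function onError( required any exception, required string eventName ) {
        writeLog( file = "appErrors", type = "error",
                  text = "#arguments.eventName#: #arguments.exception.message#" );
        cfheader( statusCode = 500, statusText = "Server Error" );
        writeOutput( "Something went wrong. The problem has been logged." );
    }
}
```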
Final Group Session: Virtual Reality Wants You: How developers fit into the new VR landscape by Jason McGuigan and Jason Cooper
Once again, I was yapping with other conference attendees and missed this last session. I don't currently work with VR, but it seemed to be well-liked: it was in the same room as the Closing Remarks, and there were still long lines waiting to check out the VR headsets.
And NCDevCon2016 comes to a close. The organizers drew for some prizes and made some closing remarks. Again, it was great to see some of the people I previously met, and I really enjoyed meeting some new people. NCDevCon was a blast. There were very good presentations. The presentations were recorded, so I'll be going back to watch the presos that I missed.
Once again, thank you to the organizers and the sponsors. I'll see everyone again at NCDevCon2017.
Sunday, July 3, 2016
About Application.cfc
Pet Peeve: Proper Capitalization Of Application.cfc --- It's kinda nitpicky, but I hate seeing people write application.cfc/cfm. On a Windows machine, it won't hurt. But putting that on a case-sensitive system, like Linux, will quickly teach you the difference between application.cfc and Application.cfc. I'm all for consistency. If you make it a habit to write Application.cfc, even when you don't have to, you won't accidentally mis-name the file when you create it.
That said, this is a topic that has been written about ad nauseam over the years, but it's VERY important to grasp the underlying framework of the Application.cfc file.
https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/application-variables.html
/**
@title "Application.cfc reference in CFScript for Coldfusion 9"
@description "This component includes all Application.cfc methods and variables, set to their default values (if applicable). Please note that default values are not always desirable, and some methods or variables should be modified or removed depending on the situation."
@author "Russ S. (http://cfruss.blogspot.com)"
@dateCreated "November 29, 2009"
@licence "This work is licensed under the Creative Commons Attribution 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA."
@hint "You implement methods in Application.cfc to handle ColdFusion application events and set variables in the CFC to configure application characteristics."
*/
component output="false" {
/* **************************** APPLICATION VARIABLES **************************** */
// The application name. If you do not set this variable, or set it to the empty string, your CFC applies to the unnamed application scope, which is the ColdFusion J2EE servlet context.
THIS.name = "";
// Life span, as a real number of days, of the application, including all Application scope variables.
THIS.applicationTimeout = createTimeSpan(0, 1, 0, 0);
// Whether the application supports Client scope variables.
THIS.clientManagement = false;
// Where Client variables are stored; can be cookie, registry, or the name of a data source.
THIS.clientStorage = "registry"; //cookie||registry||datasource
// Contains ColdFusion custom tag paths.
THIS.customTagPaths = "";
// The Google Maps API key required to embed Google Maps in your web pages.
THIS.googleMapKey = "";
// Name of the data source from which the query retrieves data.
THIS.datasource = "";
// Whether to store login information in the Cookie scope or the Session scope.
THIS.loginStorage = "cookie"; //cookie||session
// A structure that contains ColdFusion mappings. Each element in the structure consists of a key and a value. The logical path is the key and the absolute path is the value.
THIS.mappings = {};
// Whether to enable validation on cfform fields when the form is submitted.
THIS.serverSideFormValidation = true;
// Whether the application supports Session scope variables.
THIS.sessionManagement = true;
// Life span, as a real number of days, of the user session, including all Session variables.
THIS.sessionTimeout = createTimeSpan(0, 0, 30, 0);
// Whether to send CFID and CFTOKEN cookies to the client browser.
THIS.setClientCookies = true;
// Whether to set CFID and CFTOKEN cookies for a domain (not just a host).
THIS.setDomainCookies = false;
// Whether to protect variables from cross-site scripting attacks.
THIS.scriptProtect = false;
// A Boolean value that specifies whether to add a security prefix in front of the value that a ColdFusion function returns in JSON-format in response to a remote call.
THIS.secureJSON = false;
// The security prefix to put in front of the value that a ColdFusion function returns in JSON-format in response to a remote call if the secureJSON setting is true.
THIS.secureJSONPrefix = "";
// A comma-delimited list of names of files. Tells ColdFusion not to call the onMissingTemplate method if the files are not found.
THIS.welcomeFileList = "";
// A struct that contains the following values: server, username, and password. If no value is specified, takes the value in the administrator.
THIS.smtpServersettings = {};
// Request timeout. Overrides the default administrator settings.
THIS.timeout = 30; // seconds
// A list of ip addresses that need debugging.
THIS.debugipaddress = "";
// Overrides the default administrator settings. It does not report compile-time exceptions.
THIS.enablerobustexception = false;
/* ORM variables */
// Specifies whether ORM should be used for the ColdFusion application. Set the value to true to use ORM. The default is false.
THIS.ormenabled = false;
// The struct that defines all the ORM settings. Documentation: http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSED380324-6CBE-47cb-9E5E-26B66ACA9E81.html
THIS.ormsettings = {};
// note: THIS.datasource applies to cfquery as well as ORM. It is defined above, in the APPLICATION VARIABLES section.
/* **************************** APPLICATION METHODS **************************** */
/**
@hint "Runs when an application times out or the server is shutting down."
@ApplicationScope "The application scope."
*/
public void function onApplicationEnd(struct ApplicationScope=structNew()) {
return;
}
/**
@hint "Runs when ColdFusion receives the first request for a page in the application."
*/
public boolean function onApplicationStart() {
return true;
}
/**
@hint "Intercepts any HTTP or AMF calls to an application based on CFC request."
@cfcname "Fully qualified dotted path to the CFC."
@method "The name of the method invoked."
@args "The arguments (struct) with which the method is invoked."
*/
public void function onCFCRequest(required string cfcname, required string method, required struct args) {
return;
}
/**
@hint "Runs when an uncaught exception occurs in the application."
@Exception "The ColdFusion Exception object. For information on the structure of this object, see the description of the cfcatch variable in the cfcatch description."
@EventName "The name of the event handler that generated the exception. If the error occurs during request processing and you do not implement an onRequest method, EventName is the empty string."
note: This method is commented out because it should only be used in special cases
*/
/*
public void function onError(required any Exception, required string EventName) {
return;
}
*/
/**
@hint "Runs when a request specifies a non-existent CFML page."
@TargetPage "The path from the web root to the requested CFML page."
note: This method is commented out because it should only be used in special cases
*/
/*
public boolean function onMissingTemplate(required string TargetPage) {
return true;
}
*/
/**
@hint "Runs when a request starts, after the onRequestStart event handler. If you implement this method, it must explicitly call the requested page to process it."
@TargetPage "Path from the web root to the requested page."
note: This method is commented out because it should only be used in special cases
*/
/*
public void function onRequest(required string TargetPage) {
return;
}
*/
/**
@hint "Runs at the end of a request, after all other CFML code."
*/
public void function onRequestEnd() {
return;
}
/**
@hint "Runs when a request starts."
@TargetPage "Path from the web root to the requested page."
*/
public boolean function onRequestStart(required string TargetPage) {
return true;
}
/**
@hint "Runs when a session ends."
@SessionScope "The Session scope"
@ApplicationScope "The Application scope"
*/
public void function onSessionEnd(required struct SessionScope, struct ApplicationScope=structNew()) {
return;
}
/**
@hint "Runs when a session starts."
*/
public void function onSessionStart() {
return;
}
}
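The reference above deliberately leaves everything at its default. As an added example (not code from this post or from Russ S.'s reference), here is the same skeleton with the settings a security review would flag at their defaults (scriptProtect, secureJSON, the session cookie flags, enablerobustexception) set to safer values, plus an onRequestStart CSRF check and an onError that logs rather than leaks. The application name, log file name and form field name are constructed; this.sessionCookie and the csrf*Token functions assume ColdFusion 10 or later, whereas the reference targets CF9.

```cfml
// Added example, not code from the original post or from Russ S.'s reference.
// Assumes ColdFusion 10 or later (this.sessionCookie, csrfVerifyToken); the
// application name, log file name and form field name are constructed here.
component output="false" {
    this.name = "hardenedDemoApp";
    this.applicationTimeout = createTimeSpan(0, 1, 0, 0);
    this.sessionManagement = true;
    // A shorter idle window than the reference's 30 minutes limits how long a
    // captured CFID/CFTOKEN pair remains usable.
    this.sessionTimeout = createTimeSpan(0, 0, 20, 0);
    this.setClientCookies = true;
    this.setDomainCookies = false;   // keep the session cookies host-scoped
    // Keep the session cookies out of reach of page scripts and off plain HTTP.
    this.sessionCookie = { httpOnly: true, secure: true };
    // false/"none" (the reference default) filters nothing; "all" neutralizes
    // <script>, <object>, <embed> and similar tags in URL, FORM, CGI and COOKIE.
    this.scriptProtect = "all";
    // Prefix every remote JSON response so it cannot be pulled in via <script>.
    this.secureJSON = true;
    this.secureJSONPrefix = "//";
    // Robust exceptions print stack traces and file paths to the browser.
    this.enablerobustexception = false;

    public boolean function onApplicationStart() {
        return true;
    }

    public boolean function onRequestStart(required string targetPage) {
        // Reject state-changing POSTs that lack a valid CSRF token. The form is
        // expected to carry <input name="csrfToken" value="#csrfGenerateToken()#">.
        if (cgi.request_method == "POST") {
            if (!structKeyExists(form, "csrfToken") || !csrfVerifyToken(form.csrfToken)) {
                writeOutput("Request rejected: invalid or missing CSRF token.");
                return false;   // false stops ColdFusion from running the page
            }
        }
        return true;
    }

    public void function onError(required any exception, required string eventName) {
        // Log the detail server-side; show the user only a generic message.
        var detail = structKeyExists(arguments.exception, "message") ? arguments.exception.message : "unknown error";
        writeLog(file = "application_errors", type = "error",
                 text = "[#arguments.eventName#] #detail#");
        writeOutput("Something went wrong. The problem has been logged.");
    }
}
```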
Tuesday, June 14, 2016
CF_PublicServiceAnnouncement: Updates Galore!
First off, Adobe has released new patches for the ColdFusion products. This includes a Security Hotfix for CF2016, 11 and 10 for a potential XSS issue, so it would probably be a good idea to update.
http://blogs.coldfusion.com/post.cfm/updates-for-coldfusion-2016-coldfusion-builder-2016-coldfusion-11-and-coldfusion-10-released
Also today, Lucee 4.5.3 has been released with a heap of fixes.
http://lucee.org/blog/lucee-4-5-3-release.html
Wednesday, June 8, 2016
ColdFusion Scopes: Part Deux - "Mutually Exclusive" LOCAL and ARGUMENTS
While playing with LOCAL and ARGUMENTS scopes and the scope order bug, I also came across a behavior that I didn't really know about - LOCAL and ARGUMENTS scopes in a CF function are supposed to be "mutually exclusive".
Maybe I misunderstand what that phrase means.
https://gist.github.com/shawnoden/ef494ef92ccd3821a189 http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec09af4-7ff1.html http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec0a66e-7fe2.html http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec09af4-7fdf.html