September 2, 2009

Alert: Confirmation

Posted in Alerts, Javascript at 6:32 pm by borawlings

This script goes before the body tag:

<script type="text/javascript">
<!--
// Ask the user to confirm before the form is sent to the server.
function confirmation() {
    var answer = confirm("Run this sucker!");
    if (answer) {
        alert("This sucker is running!");
        document.myformname.submit();
    } else {
        alert("This sucker canceled!");
    }
}
//-->
</script>

This script is launched when the user clicks the "Submit" button on a form. The user is presented with a pop-up box. If the user answers "yes" to "Run this sucker!", the form is submitted by document.myformname.submit(), where "myformname" is the name of the form. That statement is what kicks off the action "myquery.cfm". Otherwise, nothing happens.

Here's what the cfform tag looks like:

<cfform name="myformname" action="myquery.cfm" method="post" id="myForm" onsubmit="confirmation();return false;">

Finding a file path

Posted in Coldfusion at 6:25 pm by borawlings

I found the easiest way to check a file path is to use:

<cfoutput>#GetTemplatePath()#</cfoutput>

This is really helpful for upload utilities, because the command above returns the exact path to the upload directory.

Reusing code with CFINCLUDE

Posted in Coldfusion at 6:19 pm by borawlings

The CFINCLUDE tag is a great way to share code throughout your application. I usually use it to share buttons throughout the forms within an application. That way, if I need to change a button's link, I only have to change the code in one place and the change is picked up wherever the buttons are used.

Here's the code for BTNS_ADMIN.html:

<input type="button" value="Sponsored Progs" />
<input type="button" value="William and Mary" />
<input type="button" value="Places to Stay" />

When this code runs, three buttons are displayed. Each button has an "onclick" attribute that sends the user to a particular location.

Now, CFINCLUDE is used to pull BTNS_ADMIN.html into the form page, FRM_Show_buttons.cfm:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<cfinclude template="BTNS_Admin.html">
</body>
</html>

 And that’s it!!!

August 31, 2009

Prevent sql injection attacks in Coldfusion

Posted in SQL Injection Attacks at 4:07 pm by borawlings

Ben Forta, my guru, has a fantastic article on the prevention of SQL injection attacks. In case you don't know what a SQL injection attack is, it is a very insidious code injection technique that allows someone to embed SQL statements within your code.

I like to check my parameters before passing them to the database, as suggested by Ben. Here's an example that validates a parameter being passed in the URL:

<cfquery …>
SELECT *
FROM Customers
WHERE CustID=<cfqueryparam value="#URL.CustID#" cfsqltype="CF_SQL_INTEGER">
</cfquery>
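To show what cfqueryparam with cfsqltype="CF_SQL_INTEGER" actually buys you, here is the same lookup written in Python against an in-memory SQLite database. This is an added example, not ColdFusion code from the post or from Ben Forta's article: the Customers rows are constructed, and customers_unsafe stands in for a query that pastes #URL.CustID# straight into the SQL while customers_safe does what the cfqueryparam version does (reject non-integers, then bind the value so it can never be parsed as SQL).

```python
import sqlite3

# Constructed sample rows standing in for the Customers table in the post.
CUSTOMERS = [
    (1, "Alice"),
    (2, "Bob"),
    (3, "Carol"),
]


def open_db():
    """Create an in-memory database holding the sample Customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    return conn


def customers_unsafe(conn, cust_id):
    """Interpolates the request value into the statement, which is what
    #URL.CustID# does without cfqueryparam. The database cannot tell the
    difference between the value and the SQL around it."""
    sql = f"SELECT CustID, Name FROM Customers WHERE CustID={cust_id} ORDER BY CustID"
    return conn.execute(sql).fetchall()


def customers_safe(conn, cust_id):
    """Behaves like cfqueryparam cfsqltype="CF_SQL_INTEGER": the value must be
    an integer or the request is rejected before any SQL runs, and it is then
    bound as a parameter rather than spliced into the statement text."""
    try:
        cust_id = int(str(cust_id).strip())
    except ValueError:
        raise ValueError(f"CustID must be an integer, got {cust_id!r}")
    sql = "SELECT CustID, Name FROM Customers WHERE CustID=? ORDER BY CustID"
    return conn.execute(sql, (cust_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    hostile = "1 OR 1=1"  # constructed hostile URL value
    print(customers_unsafe(db, hostile))  # every customer row comes back
    print(customers_safe(db, "1"))        # only CustID 1
    try:
        customers_safe(db, hostile)
    except ValueError as err:
        print("rejected:", err)
```

The constructed value "1 OR 1=1" turns the unparameterized query into `WHERE CustID=1 OR 1=1`, which returns the whole table; the bound version refuses it outright because it is not an integer, which is the same check the cfsqltype attribute performs.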

Prevent Session Hijacking in ColdFusion

Posted in Session Hijacking - CF at 3:52 pm by borawlings

Session hijacking is the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system. This is a vulnerability for all web applications, not just those written in CF.

An attacker can obtain the session identifier through:

  • Direct access to the user's computer to read their cookies.
  • Packet sniffing to intercept the cookie being passed back and forth between client and server.
    • SSL on login pages can prevent sniffing the cookie at that time, but other pages that are not encrypted will still send this data.
  • Directly from a user who may have posted or sent a URL with the session identifier in it.
  • A cross-site scripting attack.

To prevent this, log on to the ColdFusion Administrator, then:

Check the box beside "Use J2EE session variables". By default this is not checked.

The quickest and easiest way to prevent session hijacking is to enable J2EE session variables in the ColdFusion Administrator.

  • Enabling J2EE session variables limits the effectiveness of session hijacking.
  • It uses the jsessionid variable rather than CFID and CFTOKEN.
  • J2EE sessions have other advantages as well:
    • You can share session variables between ColdFusion and JSP pages.
    • The session ends for the user when all browser windows are closed. However, the session remains open on the server.
    • The session is serializable, which is used in clusters.

Cross-site scripting: to prevent it, log on to the ColdFusion Administrator, and under "Server Settings" click "Settings". Then check "Enable Global Script Protection".

Use error handling. Sites should never show a ColdFusion error page.

  • Errors can be handled using a variety of methods (usually more than one at a time):
    • Try/catch blocks
    • The onError method of Application.cfc
    • Specifying a site-wide error handler in the ColdFusion Administrator
    • Specifying a missing template handler in the ColdFusion Administrator

Turn off robust exception information.

  • If an error happens to get through, you do not want the details displayed by robust exception information falling into the hands of a hacker (or any user, for that matter).
  • From them a hacker can learn about the:
    • Server operating system
    • File structure
    • Database structure

Remove unneeded permissions from datasources.

  • When deploying to production, remove any unnecessary permissions from your datasources in the CF Administrator, such as:
    • Create
    • Drop
    • Alter
    • Grant
    • Revoke

Having these permissions might be O.K. for development, but they are probably not needed in production.

Create a database user specifically for ColdFusion.

  • You should never use the 'sa' or 'root' user for database access in production environments.
  • Give the user the lowest level of permissions needed to run your application.

August 28, 2009

Php: How to find out what version your server is running

Posted in Php at 6:58 pm by borawlings

Decided to toy around with the idea of using PHP to send email messages, but am having trouble. The "mail" function is not recognized, so I figured I needed to find out what version of PHP is running on my server. You might find it useful too, and it is really simple:

<?php phpinfo(); ?>

August 21, 2009

William and Mary/VIMS re.web project

Posted in Uncategorized at 1:05 pm by borawlings

In 2007, the College of William and Mary created a committee charged with assessing and revamping the web presence of the college including the Virginia Institute of Marine Science.   After a comprehensive search, mStoner was selected as the architecture and design consultant for the project.

A web content management system (CMS) called Cascade is used to facilitate the migration of the school's old web pages to a new format.

For help on “How to do stuff in Cascade” visit Cascade Help.

Dynamically populate select boxes

Posted in Dynamic Forms at 12:04 pm by borawlings

Don’t hard code values into select boxes!  Learn how to populate them using database values and you ‘ll never have to hard code again!

August 20, 2009

Getting started! What do I need?

Posted in Uncategorized at 4:52 pm by borawlings

What I’m using:

  • DreamWeaver CS3
  • Coldfusion 8 (Developer)

Depending on the database, I’m also using:

SQL Server 2008, Express Edition and MySQL are available free of charge.

Dynamic Check Boxes

Posted in Dynamic Checkboxes at 4:09 pm by borawlings

Dynamically create check boxes using database values. This example pulls a list of people from the database and lets them be selected for deletion by clicking the checkbox next to the desired name or names. It is important to note that the_id from tbl_people is a primary key.

First, the query:

<cfquery name="get_email" datasource="my_people">
SELECT the_id, the_name, pi_email
FROM tbl_people
</cfquery>

Now, output the list:

<cfoutput query="get_email">
#the_name#
<cfinput type="checkbox" name="chk_for_removal" value="#the_id#"><br />
</cfoutput>

This is what the output looks like:

John Doe 
Jane Brown  
Steve Greene 

The checkbox beside each name carries that person's unique identifier, the_id. One or more of these values (depending on how many boxes are checked) are passed to the "action" page, where the records are deleted from the database.

In this example, the action page is called "delete_people.cfm":

<!--- See if the field chk_for_removal exists. It only exists if at least one check box is checked. --->
<cfif IsDefined("form.chk_for_removal")>
    <!--- form.chk_for_removal arrives as a comma-separated list of the_id values.
          list="true" binds each element as an integer instead of pasting the raw string into the SQL. --->
    <cfquery datasource="my_people">
    DELETE FROM tbl_people
    WHERE the_id IN (<cfqueryparam value="#form.chk_for_removal#" cfsqltype="CF_SQL_INTEGER" list="true">)
    </cfquery>
</cfif>
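The delete above is the one place on this blog where a single cfqueryparam is not enough on its own: several checked boxes arrive as one comma-separated string, and a pattern like `where the_id in (#form.chk_for_removal#)` lets anything after a closing parenthesis run as SQL. The following is an added example in Python with SQLite, not code from the post: the tbl_people rows are constructed, delete_unsafe reproduces the raw-interpolation pattern, and parse_id_list plus delete_safe do what cfqueryparam with list="true" and CF_SQL_INTEGER does, validating every element and binding each one as its own parameter.

```python
import sqlite3

# Constructed sample rows standing in for tbl_people in the post.
PEOPLE = [
    (1, "John Doe", "john@example.com"),
    (2, "Jane Brown", "jane@example.com"),
    (3, "Steve Greene", "steve@example.com"),
]


def open_db():
    """Create an in-memory database holding the sample tbl_people table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbl_people (the_id INTEGER PRIMARY KEY, the_name TEXT, pi_email TEXT)"
    )
    conn.executemany("INSERT INTO tbl_people VALUES (?, ?, ?)", PEOPLE)
    return conn


def remaining_names(conn):
    """Names still in the table, in id order, so the effect of a delete is visible."""
    return [row[0] for row in conn.execute("SELECT the_name FROM tbl_people ORDER BY the_id")]


def delete_unsafe(conn, chk_for_removal):
    """Mirrors `where the_id in (#form.chk_for_removal#)`: the submitted string
    is pasted into the statement, so a closing parenthesis in it ends the IN
    list and whatever follows is executed as SQL. Returns rows deleted."""
    sql = f"DELETE FROM tbl_people WHERE the_id IN ({chk_for_removal})"
    return conn.execute(sql).rowcount


def parse_id_list(value):
    """Split the comma-separated checkbox values and require every element to be
    an integer; this is the per-element check cfqueryparam performs when
    cfsqltype="CF_SQL_INTEGER" is combined with list="true"."""
    ids = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue  # tolerate an empty element such as a trailing comma
        try:
            ids.append(int(part))
        except ValueError:
            raise ValueError(f"bad id in checkbox list: {part!r}")
    return ids


def delete_safe(conn, chk_for_removal):
    """Validate the list, then bind one placeholder per id so the statement
    text never contains request data. Returns rows deleted."""
    ids = parse_id_list(chk_for_removal)
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    sql = f"DELETE FROM tbl_people WHERE the_id IN ({placeholders})"
    return conn.execute(sql, ids).rowcount


if __name__ == "__main__":
    db = open_db()
    print(delete_safe(db, "2,3"), remaining_names(db))  # 2 rows gone, John remains

    db = open_db()
    hostile = "2) OR 1=1 --"  # constructed hostile form value
    print(delete_unsafe(db, hostile), remaining_names(db))  # whole table gone

    db = open_db()
    try:
        delete_safe(db, hostile)
    except ValueError as err:
        print("rejected:", err, remaining_names(db))  # nothing deleted
```

The placeholder list is built from the count of validated ids, never from the submitted text, so the only thing the request can influence is which integers are bound; a value that is not an integer is rejected before the delete runs, leaving the table untouched.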
