<script type=”text/javascript”>

<!—

function confirmation() {
 var answer = confirm(“Run this sucker!”)
 if (answer != 0){
    alert(“This sucker is running!”)
    document.myformname.submit();
}
else {
           alert(“This sucker canceled!”)

          }
}
//–>
</script>

This script is launched when the user clicks the “Submit” button on a form.  The user is presented with a pop-up box.  If “yes” in responst to “Run this Sucker!”, then the form is submitted by the document.reports.submit() function, where “reports” is the name of the form.  The statement is what kicks off the action “myquery.cfm”.  Otherwise, nothing happens.

Here’s what the cfform tag looks like:
<cfform name=”myformname” action=”myquery.cfm” method=”post” id=”myForm” onsubmit=”confirmation();return false;”>

<cfoutput>#GetTemplatePath()#</cfoutput>

This really helpful for upload utilities because the above command will return the exact path to the upload directory.

 The CFINCLUDE function is a great way to share code throughout your application.  I usually use this code to share buttons throughout forms within applications.  That way if I need to make a change to a button’s link, I only have to change the code in one place and the change is shared throughout my application wherever the buttons are needed.

 Here’s the code for BTNS_ADMIN.html. 

<input value=”Sponsored Progs”/>

<input value=”William and Mary”/>

<input value=”Places to Stay”/>

 When this code runs, three buttons are displayed.  Each button has an “onclick” attribute set to a particular location.

 Now, CFINCLUDE is used to call BTNS_ADMIN.html on the form

FRM_Show_buttons.cfm:

 <!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>

<html xmlns=”http://www.w3.org/1999/xhtml”>

<head>

<meta http-equiv=”Content-Type” content=”text/html; charset=iso-8859-1″ />

<title>Untitled Document</title>

</head>

 <body>

<cfinclude template=”BTNS_Admin.html”>

</body>

</html>

 And that’s it!!!

I like to check my parameters before passing them to the database as suggested by Ben.  Here’s an example that validates a paramater being passed by a URL:

They can access thisinformation:

• Direct access to the user’s computer to access their cookies.
• Packet sniffing to intercept the cookie being passed back and forth from client to server.
  • SSL on login pages can prevent sniffing the cookie at that time, but other pages thata are not encrypted will stillsend this data.
• Directly from a user who may have posted/sent a URL with the session identifier in the URL.
• Cross Site Scripting attack.

 To prevent , log on to the Coldfusion Administrator, then:

Check the box beside “Use J2EE session variables”.  By default this is not checked.

Quickest and easiest way to prevent session hijacking is to enable J2EE session variables in the Coldfusion Administrator.

• Enabling J2EE session variables limits the effectiveness session hijacking.
• It uses the variable jessionid rather than DVID and CFTOKEN.
• J2EE Sessions have other advantages as well:
  • You can share session variables between ColdFusion and JSP pages.
  • The session ends for the user when all browser windows are closed.  However, the session remains open on the server.
  • The session is serializable – used in clusters.

Cross Site Scripting : to prevent, log on to the ColdFusion Administrator, under “Server Settings” click “Settings”.  Then check “Enable Global Script Protection”.

 Use error handling.  Sites should never show ColdFusion error page.

• Errors can be handled using a variety of methods (usually more than one at a time)

• Try/catch blocks
• onError method of Applciation.cfc
• Specifying a site wide error handler in ColdFusion Administrator
• Specifying a missing template handler in ColdFusion Administrator

 Turn off robust exception information.

• If an error happens to get through, you do not want the information displayed with robust exception information falling into the hands of a hacker (or any user for that matter)
• A hacker can gain information about:
  • Server operating system
  • File structure
  • Database structure

Remove unneeded permissions from datasources.

• When deploying to production environments, remove any unnecessary permissions in the CF Administrator, from your datasources, such as:
• Create
• Drop
• Alter
• Grant
• Revoke

Having these permissions might be O.K. for development, but probably not needed for production.

 Create a database user specifically for ColdFusion.

• You should never use the ‘sa’ or ‘root’ user for database access in production environments
• Give the user the lowest level of permissions needed to run your application.

<?php phpinfo(); ?>

A web content management system (CMS) called Cascade is used to facilitate the migation of the schools old web pages to a new format.

For help on “How to do stuff in Cascade” visit Cascade Help.

• DreamWeaver CS3
• Coldfusion 8 (Developer)

Depending on the database, I’m also using:

• MS Access
• SQL Server 2008 (Express Edition with Tools)
• MySQL

SQL Server 2008, Express Edition and MySQL are available free of charge.

First, the query:

<cfquery name=”get_email” datasource=”my_people”>

SELECT the_id, the_name, pi_email
FROM tbl_people

</cfquery>

Now, output the list:

<cfoutput query=”get_email”>
#the_name#
<cfinput type=”checkbox” name=”chk_for_removal” value=”#the_id#”></br>
</cfoutput>

This is what the output looks like:

John Doe 
Jane Brown  
Steve Greene 

The checkboxes beside each name have the value of the person’s unique identifier, which is the_id.  One or more of these values (depending on how many items are checked) will be passed to the “action” form where the record will be deleted from the database.

In this example, the action form is called “delete_people.cfm”:

<!— See if the field chk_for_removal exists.  It only exists if a check box is checked —>
<cfif IsDefined(“form.chk_for_removal”)>
<cfquery datasource=”my_people”>
delete * from tbl_people
where the_id in (#form.chk_for_removal#)
</cfquery>
</cfif>