OpenID And ColdFusion

Recently I wanted to investigate building an OpenID identity provider in ColdFusion. While there are a few OpenID consumer libraries out there, I didn't really find any ColdFusion implementations of an OpenID server. Plus, given that OpenID is an authentication protocol, there are heightened security considerations, so I wanted something that was well tested and widely used. This led me to the OpenID4Java project. Looking at the documentation and source for the project, there appeared to be fairly straightforward implementations for both an OpenID provider and consumer via the ServerManager and ConsumerManager classes, so I began to port the sample JSP applications over to ColdFusion. That is where my problems began.


CF No Debug 1.3

The CF No Debug Firefox extension has been updated to work with Firefox 3.6. You can get the latest from RIAForge.

CF Debug Copy for Firefox Update

Just a quick post to let people know my CF Debug Copy for Firefox extension has been updated to work with Firefox 3.6. You can download the latest from RIAForge.

CFBuilder DocShare Support

A few weeks ago Terry Ryan released his Instant Code Review ColdFusion Builder Extension. I realize that the point of the extension was to get people to think of creative uses of CF Builder extensions, but I couldn't help but think that there are much better ways of collaborating using the Eclipse platform, specifically the Eclipse Communication Framework (ECF) DocShare plug-in.

Unfortunately ColdFusion Builder's CFML Editor doesn't support the plug-in out of the box. Fortunately the DocShare plug-in developers did the Eclipse thing and made it easy to extend the plug-in to support other editors. So I put together an Eclipse plug-in that adds DocShare support to the CFBuilder CFML editor. You can check out the CFBuilder DocShare Support plug-in at RIAForge.

A few notes about the plug-in. First, you will need to install ECF, including the DocShare plug-in. For update URLs for your version of Eclipse, see the ECF site. Second, my plug-in just enables the "Share This Editor With..." context menu item in the CF Builder CFML editor; the actual editor sharing is implemented by the ECF DocShare plug-in. For more info on the DocShare plug-in and its use, see the DocShare plug-in site. Finally, I've had hit-and-miss luck with the DocShare plug-in, so be sure you have a backup of any file you plan to work on in a shared editor.

Enjoy!

SQL Injection Consideration

Here is something I discovered the other day that surprised me a bit. ColdFusion data sources have an advanced option named "Allowed SQL" which, according to the documentation, defines "the SQL operations that can interact with the current data source." I know some shops use this setting to help protect against SQL injection attacks. For example they may limit a data source to only allow SELECT and Stored Procedures. While you may think that this would go a long way toward protecting the data source against SQL injection, this may not be the case. If the database credentials used for the data source have additional permissions these statements may be executed via SQL injection. For example, consider the following setup:

  • A SQL Server database: TESTDB
  • A table TESTDB.TestTable
  • A database user test_user with SELECT, INSERT, UPDATE, and DELETE permissions to TestTable
  • A ColdFusion data source "test" connected to TESTDB using the test_user credentials and the Allowed SQL option set to only SELECT and Stored Procedures.

Now, consider the following query.

<cfquery name="getItems" datasource="test">
SELECT * FROM TestTable WHERE TestID = #url.testID#
</cfquery>

You may think the above query would be protected against SQL injection because the data source limits the Allowed SQL to SELECT and Stored Procedures, but you would be wrong. Given this setup, the above code is actually susceptible to SQL injection. Assuming this query were in a template index.cfm, you could easily delete all records in TestTable by issuing a request like index.cfm?testID=1%20DELETE%20FROM%20TestTable.

Now there are a number of ways you could protect against this attack, one of the easiest being the cfqueryparam tag and another being to limit the database user's permissions, but that isn't the point of this post. The point is that you can't rely on the Allowed SQL advanced option to protect against SQL injection. You have been warned. (Note: I have only tested this against MS SQL Server, so it may not apply to all database engines.)
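For comparison, here is the same lookup written the way the cfqueryparam remark above suggests. This is an added example, not code from the original post: it assumes the post's data source "test" and table TestTable, and the variable names (q, getItems) are this example's own. The user-supplied value is bound as a typed parameter rather than concatenated into the SQL text, so a value such as "1 DELETE FROM TestTable" is rejected before any statement reaches the database, regardless of what the Allowed SQL option permits.

```cfml
<!--- Added example (not from the original post). Reject anything that is not an
      integer up front so the caller gets a clear error rather than a database error. --->
<cfif NOT isValid("integer", url.testID)>
    <cfthrow message="testID must be an integer" />
</cfif>

<!--- Tag form: cfqueryparam sends the value as a bound parameter of type integer.
      The SQL text the driver receives is "WHERE TestID = ?", so nothing typed into
      the URL can become part of the statement. --->
<cfquery name="getItems" datasource="test">
    SELECT *
    FROM   TestTable
    WHERE  TestID = <cfqueryparam value="#url.testID#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- Script form using the ColdFusion 9 Query component with a named placeholder;
      addParam binds the value with the same cf_sql_integer type. --->
<cfscript>
    q = new Query(datasource="test",
                  sql="SELECT * FROM TestTable WHERE TestID = :testID");
    q.addParam(name="testID", value=url.testID, cfsqltype="cf_sql_integer");
    getItems = q.execute().getResult();
</cfscript>
```

Binding the parameter is what closes the hole; the Allowed SQL setting and a least-privilege database user (test_user without DELETE, for instance) are worth keeping as defence in depth, but neither substitutes for parameterised queries.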

Data-Centric Development with ColdFusion 9 and Flash Builder 4

The second part of my Data-Centric Development with ColdFusion 9 and Flash Builder 4 tutorial is up on DZone. This tutorial builds on the project introduced in part one of the series and covers the new paging and client-side data management features available in Flash Builder 4.

Data-Centric Development with ColdFusion 9 and Flash Builder 4 - Part 2

If you want to find out even more about these seriously cool features be sure to check out the following links:

JSONUtil 1.1

Last year I put together JSONUtil as a proof of concept solution to the issue of ColdFusion's implicit type conversion during JSON serialization. There were some issues with the 1.0 release, and I've had a few people submit patches, but because I had considered the project an experiment I didn't really take the time to update the official release.

Well, last week I was working on an AJAX project where I was making XHR requests to ColdSpring remote proxies using ColdFusion's built-in JSON return format when I began running into issues with implicit type conversion. Specifically, I had a method that should have returned a query with string values; however, numeric strings were getting converted to decimal numbers. (For example, the string "001" was being converted to the number 1.0.) Because I was already using ColdSpring to generate the proxies, I decided to put together a JSONUtil-based ColdSpring advice component to handle the serialization. The advice turned out to be so handy that I thought I'd package it up and include it in the JSONUtil release.


Another CFScript Query Gotcha

There have been a few issues reported with using the new Query component from cfscript, and today I ran into another. Well, actually I had a co-worker ask about it, but it still led me to look into the issue. (Little did I know he was researching his own blog post on this. Sorry for stealing your post, Adam.) Anyway, my co-worker was trying to run a Query of Queries in cfscript. Here is an example:

<cfscript>
//create an empty query to work with
qryFoo = queryNew("a,b,c","varchar,varchar,varchar");

//add a row and fill it with some data
queryAddRow(qryFoo);
querySetCell(qryFoo,"a","aaaaaa");
querySetCell(qryFoo,"b","aaaaaa");
querySetCell(qryFoo,"c","aaaaaa");

writeDump(var=qryFoo, label="qryFoo");

qryFoo2 = new query(dbtype="query", sql="select a, 'bbbbb' as b, 'ccccc' as c from qryFoo");
result = qryFoo2.execute();

writeDump(var=result, label="qryFoo2");
</cfscript>

This code resulted in the following error:

Error Executing Database Query.

Query Of Queries runtime error. Table named qryFoo was not found in memory. The name is misspelled or the table is not defined.

At first I was a bit baffled, but when I thought about it for a minute it actually made perfect sense. The script functions implemented as CFCs are just the plain old CFML tags wrapped in components. That means that when the cfquery tag actually executes, it does so within the context and scope of the component function, not the calling page, so a query that exists only in the calling page's variables scope is invisible to it. To help illustrate the issue, consider the following component:

<!--- sample.cfc --->
<cfcomponent>
<cffunction name="doDump">
<cfdump var="#myVar#" />
</cffunction>
</cfcomponent>

You wouldn't really expect the following code to work and it won't. You will get an error stating that myVar is undefined:

<cfset myVar = "This is a test." />
<cfset CreateObject("component","sample").doDump() />

That is basically what is going on with the query of queries example above. One workaround I thought of would be to put the original query in a scope the CFC can access, say the request scope:

<cfscript>
//create an empty query to work with
request.qryFoo = queryNew("a,b,c","varchar,varchar,varchar");

//add a row and fill it with some data
queryAddRow(request.qryFoo);
querySetCell(request.qryFoo,"a","aaaaaa");
querySetCell(request.qryFoo,"b","aaaaaa");
querySetCell(request.qryFoo,"c","aaaaaa");

writeDump(var=request.qryFoo, label="qryFoo");

qryFoo2 = new query(dbtype="query", sql="select a, 'bbbbb' as b, 'ccccc' as c from request.qryFoo");
result = qryFoo2.execute();

writeDump(var=result, label="qryFoo2");
</cfscript>

This works, but it is obviously less than ideal. Given all of the issues with the current Query.cfc I'm really hoping Adobe can come up with a better solution for full cfscript support in the next version of CF.

Update

Adam Cameron pointed out another solution in the comments below. Apparently you can use the setAttributes method of the Query object to set arbitrary attributes. I didn't realize this as the documentation states that this method supports "all attributes supported by the cfquery tag." But if you look at the implementation for the method you can see it just adds any attributes to the variables scope of the component:

public void function setAttributes()
{
    if(!structisempty(arguments))
    {
        structappend(variables,arguments,"yes");
    }
}

Here is a complete example using setAttributes:

<cfscript>
//create an empty query to work with
qryFoo = queryNew("a,b,c","varchar,varchar,varchar");

//add a row and fill it with some data
queryAddRow(qryFoo);
querySetCell(qryFoo,"a","aaaaaa");
querySetCell(qryFoo,"b","aaaaaa");
querySetCell(qryFoo,"c","aaaaaa");

writeDump(var=qryFoo, label="qryFoo");

qryFoo2 = new query(dbtype="query", sql="select a, 'bbbbb' as b, 'ccccc' as c from qryFoo");
qryFoo2.setAttributes(qryFoo=qryFoo);
result = qryFoo2.execute();

writeDump(var=result, label="qryFoo2");
</cfscript>

Note that there are thread-safety issues with this approach: setAttributes writes into the component's variables scope, so a Query instance shared between requests could see another request's source query. If you do use setAttributes, make sure you create a new instance of the service component for each service call.
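One way to apply both points at once, the scoping explanation and the per-call instance advice, is to wrap the setAttributes workaround in a small function. This is an added example, not code from the original post: the function name runQoQ and the alias src are this example's own, and it assumes the ColdFusion 9 Query component's setAttributes and execute().getResult() behaviour described above.

```cfml
<cfscript>
// Added example (not from the original post). Each call builds its own Query
// instance, so nothing in the component's variables scope is shared between
// concurrent requests, and the caller's query is handed in explicitly rather
// than relying on it being visible from the component's scope.
function runQoQ(required query src, required string sql) {
    // A fresh Query object per call: no shared variables scope between requests.
    var q = new Query(dbtype="query", sql=arguments.sql);
    // setAttributes appends its arguments to the component's variables scope,
    // which is the scope the wrapped cfquery tag resolves table names against.
    // The SQL therefore refers to the source query as "src".
    q.setAttributes(src=arguments.src);
    return q.execute().getResult();
}

// Constructed sample data mirroring the post's qryFoo.
qryFoo = queryNew("a,b,c", "varchar,varchar,varchar");
queryAddRow(qryFoo);
querySetCell(qryFoo, "a", "aaaaaa");
querySetCell(qryFoo, "b", "aaaaaa");
querySetCell(qryFoo, "c", "aaaaaa");

// The FROM clause names the alias passed via setAttributes, not the caller's variable.
result = runQoQ(qryFoo, "select a, 'bbbbb' as b, 'ccccc' as c from src");
writeDump(var=result, label="result");
</cfscript>
```

Because the source query is passed as an argument and bound under a fixed alias, the calling page can keep its query in any scope it likes, and no request-scope variable is needed.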

Data-Centric Development with ColdFusion 9 and Flash Builder 4

I just posted the first of a two-part tutorial over on DZone which walks through using some of the new data-centric development (DCD) features in Flash Builder 4 with ColdFusion 9.

Data-Centric Development with ColdFusion 9 and Flash Builder 4 - Part I

While Flash Builder is still in beta, the DCD features are very impressive and should simplify many ColdFusion/Flex workflows. Please check out the tutorial and let me know what you think. (And be sure to vote it up if you like it!)

New ColdFusion Builder and Flex Builder Betas

In addition to today's release of ColdFusion 9, ColdFusion Builder Beta 2 and Flex Builder 4 Beta 2 have been released on Adobe Labs.


BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.