Archive for the 'Coldfusion' Category

Coldfusion Hotfix for Directory Traversal Exploit

This month Richard Brain of ProCheckUp Ltd reported a directory traversal vulnerability in ColdFusion to Adobe. Details can be found here on the ProCheckUp website. Adobe has released a hotfix for versions 8.0, 8.0.1, 9.0 and 9.0.1. No word if there will be a patch for 7.x or older. I suspect there will not be, since those versions have gone beyond End of Life. So patch your servers (I’m doing mine this week), and if you are still running 7.x or older, get that server upgraded.

Coldfusion and Apache won’t default execute index.cfm?

Ran into this today. It is a strange setup, but I’m running Coldfusion 9 with Apache 2.2.11 (WampServer). The short story is that I installed and configured CF just fine, but when it came time to execute CFML pages, nothing would happen unless I put the name of the file at the end of the URL. So in the case of index.cfm, I had to actually type that on the end of the URL.

Initially I figured I had forgotten to add index.cfm to the DirectoryIndex directive in httpd.conf. I did that and restarted Apache, and still no execution of index.cfm. After googling a bit and finding nothing, I examined the only other portion of the Apache configuration I thought could be responsible: the spot where JRun gets loaded as an Apache module. Sure enough, the following line was at the bottom:

AddHandler jrun-handler .jsp .jws

It was obvious I needed to add .cfm to that list in order to have Apache pass CFML pages along to the module for execution by Coldfusion. Without a handler registered for .cfm, Apache treats the file as ordinary static content instead of handing it to JRun. So I made the following change:

AddHandler jrun-handler .jsp .jws .cfm

After that, Apache happily handed index.cfm to JRun for processing. Why the installer didn’t set that up correctly in the first place I don’t know; the Web Server Configuration Tool said everything was fine when I configured the server. Something to watch for, and hopefully not waste too much time on next time.

ColdFusion Enterprise server spontaneously reverting to Developer Edition!?

I’ve had this happen on multiple occasions, and it isn’t after 30 days either. Most recently (about 30 minutes ago, I might add), a production server that had been running with an Enterprise license for two years crashed, and when it restarted, it was a Developer Edition.

OK, so now my public-facing server has a limit of three concurrent IP addresses, which is not good. I quickly grab my list of Enterprise serial numbers, but uh oh, I can’t log in to the Administrator because the rest of the world is trying to hit the server! So I must restart CF and refresh my browser over and over until I beat the rest of the planet to one of my three precious IP slots. Luckily I get in, re-apply my serial numbers and I’m back in business.

As to why this happens, I have no idea. I googled and didn’t come up with much (every time I used the phrase “reverts to developer edition” I got entries talking about what happens after a 30-day trial). At any rate, it seems to happen to me about once every 1-2 years. It always annoys, but not enough to make me say things like, “I’m switching to .NET or J2EE.” I suppose those servers have their own issues just as CF has, but the spontaneous reversion to Developer Edition is indeed a bad one because it renders your server useless.

Free ColdFusion Development Licenses with version 9

We are finally upgrading to version 9 of Adobe Coldfusion, and I was pleased to find out that we no longer need to purchase additional Enterprise licenses for our development and test servers. According to the new license agreement distributed with Coldfusion 9, if you buy a production license you may also install the software on internal development, test or staging servers:

3.1.3 If Licensee purchases one or more Production Software licenses, then Adobe also grants Licensee the right to install and use the Software as Development Software for internal development, testing and staging.

This is great because in the past we had bought a full license for our development environment even though only a dozen or so developers ever hit the server. Occasionally we would perform some load testing and simulate lots of users with software, but it was still always an Enterprise server that sat behind the firewall (not accessible from the outside world).

Adobe will surely lose a little money here, but hopefully the improved pricing attracts more customers, which will make up the difference and then some, not to mention expanding the ColdFusion user base.

Parsing the FIELDNAMES Variable for Dynamic Form Processing

So something I’ve done for a number of years now is to parse the FIELDNAMES variable from the FORM scope to process a form submission. I thought I’d blog about it after a co-worker heard me talking about it and didn’t really know what it was. FORM.FIELDNAMES is a built-in variable available in Coldfusion on any form’s action page. It holds a comma-delimited list of the names of all the form fields that were submitted. Keep in mind that the list reflects what the client actually sent, not what your HTML form contains: anyone can add, rename or drop fields before posting.

Parsing FIELDNAMES can be a good way to process form data dynamically. It is especially useful for very long forms or forms that change frequently, and it keeps you from having to update your action page every time a field is added. In the following example, we take a standard form and submit it to an action page that inserts the form data into a database:

We need a database with a defined table, a form and an action template. My sample table in MySQL looks like this:

DROP TABLE IF EXISTS `bradtest`.`users`;
CREATE TABLE  `bradtest`.`users` (
`id` int(10) unsigned NOT NULL auto_increment,
`fname` varchar(45) NOT NULL,
`lname` varchar(45) NOT NULL,
`email` varchar(45) NOT NULL,
`password` varchar(45) NOT NULL,
PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Remember the column names, as we will use those for our form field names. For this to work, your form field names must match your database column names exactly. (One thing this sample table does not do is hash the password; it stores whatever was submitted, which is fine for a demo and nothing else.) So create yourself a form, or use mine below. It doesn’t matter how many form fields you have as long as each one has a matching column in your table:

<cfform action="form_process.cfm" method="post">
<table>
<tr>
<td>First Name:</td><td><cfinput type="text" name="fname"></td>
</tr>
<tr>
<td>Last Name:</td><td><cfinput type="text" name="lname"></td>
</tr>
<tr>
<td>Email:</td><td><cfinput type="text" name="email"></td>
</tr>
<tr>
<td>Password:</td><td><cfinput type="password" name="password"></td>
</tr>
<tr><td colspan="2"><input type="submit" value="Submit"></td></tr>
</table>
</cfform>

For the last step, we need only parse our results on the action page. The first statement is only needed if you are going to insert into a database: I’m going to count the form fields so I know how many commas I need to separate items in my SQL statement:

<cfset commas = ListLen(form.fieldnames)>

We actually need one less comma than this value, but that doesn’t come into play until later. Next I’m going to duplicate some code just for the purpose of displaying our results. We will use this CFLOOP routine again in our CFQUERY tag:

<cfloop from="1" to="#ListLen(form.fieldnames)#" index="fieldCount">
<cfoutput>
#ListGetAt(form.fieldnames,fieldCount,",")# =
#Evaluate(ListGetAt(form.fieldnames,fieldCount,","))#
<br>
</cfoutput>
</cfloop>

Notice we are just displaying the raw value of the FIELDNAMES element, and then we EVALUATE the same string to pull the value of the form field posted to our action page. Evaluate treats that string as a CFML expression, which is worth remembering: the field names come from the request, so the text being evaluated is supplied by the client, whereas the direct lookup form[fieldName] returns the same value without interpreting the name as code. In fact, you can run the template at this point and you should see a list of the form fields, each followed by an equals sign and the value submitted in that field.

To insert the record, we just need to loop our results inside a CFQUERY tag like so:

<cfquery name="qInsert" datasource="MyDSN">
insert into users
(<cfloop from="1" to="#ListLen(form.fieldnames)#" index="fieldCount">
#ListGetAt(form.fieldnames,fieldCount,",")#<cfif fieldCount lt commas>,</cfif>
</cfloop>)
values
(<cfloop from="1" to="#ListLen(form.fieldnames)#" index="fieldCount">
'#Evaluate(ListGetAt(form.fieldnames,fieldCount,","))#'<cfif fieldCount lt commas>,</cfif>
</cfloop>)
</cfquery>

Notice I’m running the loop twice: once for my list of column names (remember we made sure that our table has the same column names as we used for our form field names) and then once for the corresponding values. Also key here are the CFIF blocks in each loop that determine whether we need a comma. I know I need one less comma than I have form fields, so I place one as long as the loop count is less than the number of elements in the FIELDNAMES list.

That’s it: you now have an action page that can process any number of form fields, and any changes you make to the form are automatically accommodated. Just remember that any changes to your database table must be reflected in your form. Remember too that the reverse holds in a way you may not want: because the column list and the values both come straight from the request, anyone can POST extra fields (a field named id, say, or a named submit button) and they land in the INSERT as columns, and any value containing a single quote breaks or rewrites the SQL. Before using this pattern outside a demo, check each field name against a fixed list of columns you intend to accept and pass the values through cfqueryparam rather than quoting them inline. Here is our working sample:

http://brad.melendy.com/projects/coldfusion/fieldnames/form_data.cfm
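To make that caveat concrete, here is the same dynamic INSERT rebuilt in Python against an in-memory SQLite copy of the users table, beside a hardened version that allowlists the column names and binds the values (the cfqueryparam equivalent). This is an added example, not code from the original post; the three form submissions in it are constructed for the demo and the e-mail addresses are placeholders.

```python
import sqlite3

# SQLite version of the post's MySQL table.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    fname    TEXT NOT NULL,
    lname    TEXT NOT NULL,
    email    TEXT NOT NULL,
    password TEXT NOT NULL
);
"""

# The columns a form post is allowed to set.  'id' is deliberately not here.
ALLOWED_COLUMNS = ("fname", "lname", "email", "password")


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_insert(db, form):
    """Mirrors the post's CFQUERY: the column list is the submitted field names,
    and every value is wrapped in single quotes inline."""
    fieldnames = list(form)                      # stands in for FORM.FIELDNAMES
    cols = ", ".join(fieldnames)
    vals = ", ".join("'" + form[name] + "'" for name in fieldnames)
    sql = f"insert into users ({cols}) values ({vals})"
    db.execute(sql)
    db.commit()
    return sql


def hardened_insert(db, form):
    """Same dynamic shape, two changes: names are checked against an allowlist
    before they reach the SQL, and values go in as bind parameters."""
    fieldnames = list(form)
    unknown = [n for n in fieldnames if n.lower() not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError(f"unexpected form fields: {unknown}")
    cols = ", ".join(n.lower() for n in fieldnames)
    marks = ", ".join("?" for _ in fieldnames)
    db.execute(f"insert into users ({cols}) values ({marks})",
               [form[n] for n in fieldnames])
    db.commit()


def rows(db):
    return db.execute(
        "select id, fname, lname, email, password from users order by id"
    ).fetchall()


# Constructed submissions (not real traffic).  The first is an honest post from
# the form on the page; the other two need nothing more than curl.
HONEST = {"fname": "Brad", "lname": "O'Brien",
          "email": "brad@example.test", "password": "hunter2"}
EXTRA_FIELD = {"fname": "Eve", "lname": "X", "email": "eve@example.test",
               "password": "p", "id": "42"}          # client picks its own primary key
MULTI_ROW = {"fname": "Eve", "lname": "X", "email": "eve@example.test",
             # closes the VALUES tuple and opens a second one: one post, two rows
             "password": "p'), ('Mal', 'Ory', 'mal@example.test', 'p"}


def demo():
    """Runs each submission through both versions and reports what happened."""
    out = {}

    db = fresh_db()
    try:
        vulnerable_insert(db, HONEST)
        out["vuln_honest"] = "inserted"
    except sqlite3.OperationalError:                 # the apostrophe ends the literal early
        out["vuln_honest"] = "syntax error"
    hardened_insert(db, HONEST)
    out["hard_honest"] = rows(db)[-1][2]             # "O'Brien", stored intact

    db = fresh_db()
    vulnerable_insert(db, EXTRA_FIELD)
    out["vuln_extra_id"] = rows(db)[0][0]            # 42: the client chose the key
    try:
        hardened_insert(db, EXTRA_FIELD)
        out["hard_extra"] = "inserted"
    except ValueError:
        out["hard_extra"] = "rejected"

    db = fresh_db()
    vulnerable_insert(db, MULTI_ROW)
    out["vuln_multirow_count"] = len(rows(db))       # 2 rows from a single request
    db = fresh_db()
    hardened_insert(db, MULTI_ROW)
    out["hard_multirow_count"] = len(rows(db))       # 1: the payload is just a string
    out["hard_multirow_password"] = rows(db)[0][4]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The CFML translation of the hardened version is mechanical: loop over FIELDNAMES as before, but reject any name that ListFindNoCase does not locate in a hard-coded list of columns (case-insensitive, so it does not matter how CF cases the names), read each value with form[name] instead of Evaluate, and emit it through cfqueryparam rather than wrapping it in quotes. Note that the honest submission is the one that breaks the original: a perfectly ordinary surname with an apostrophe is enough to produce a SQL error, before any attacker gets involved.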

Great Object Oriented Tutorial

I’d been looking all over for a good Coldfusion object-oriented tutorial and I finally found it. Roy Martin has a really exceptional video tutorial online here. What makes his unique is that it was developed specifically for Coldfusion programmers who have little or no object-oriented experience.

He does this by taking a small CRUD application written in an “old school” style (non-object-oriented) and converting it before your eyes to an object-oriented version. The source files are available for download, and you can actually work alongside the video as it progresses, pausing as needed to execute your code changes. I found I understood what was going on so much more because I could see it translated from how I have coded CF for so many years.

I didn’t have to try and wrap my brain around a bunch of abstract ideas concerning apples and oranges; I could instead see my database queries and screens transform from inline spaghetti code to a modern MVC/OOP implementation in Coldfusion. Thanks Roy Martin! :-)
