16 Apr 2009

3 CFML Engines, a hard choice to choose

With 3 great CFML engines to choose from, the choice for developers can be a painful one. Torn between Adobe ColdFusion, Railo 3.1 and Open BlueDragon? Yeah, me too.

The core CFML tags and functions are well supported by all 3; what separates them is mostly the bleeding-edge features, along with the support options if you’re concerned about needing expert help when you find a bug or quirk that becomes a showstopper.

The other consideration is the platform you have to host the CFML engine. Adobe ColdFusion is well supported by hosting companies if you’re not hosting it yourself, but the others have limited options at the moment.

Open BlueDragon on Google Apps Engine

UPDATE: I just read that OpenBD can run on the Google Apps Engine! Live demo! Look at the appserver value. (It’s not available on there yet… work in progress…)

Most of my projects are self-hosted so I don’t care about the platform, I just need stability, easy-to-get support (free or paid-for), and a promising development roadmap.

I’m not quite finished… each CFML engine has its own unique features. Take Railo with its CFVIDEO tag for example; for someone that could be a deciding factor. Creating YouTube sites could be as easy as pie. Open BlueDragon works natively with Amazon’s SimpleDB and can pull & push files to/from Amazon S3. ColdFusion 8 has built-in MS Exchange support (which is cool) and AJAX stuff which I don’t really care for. jQuery is the way to go. :-) But ColdFusion 9 is scheduled to be released by the end of the year and will arguably leapfrog the other two with a ton of new features.

I haven’t been too happy with the support from Adobe when I discover bugs and their 2-year product cycle means some issues don’t get addressed for a long time, although their intermediate patches are warmly welcomed.

A price to pay…

Then there’s the pricing issue. Sure, £6000/$7500 isn’t a massive price for big companies wanting to run with CF Enterprise, but small companies or personally financed start-ups can’t chuck that sort of money into application software when it costs the same amount to purchase new server hardware and host it for 4 years. Even on the enterprise level if you need to expand a cluster and whack in an extra web server it’s £1000/$1500 for the hardware and then £6000/$7500 on top. A large organisation would still ask why it’s costing that much to pop in an extra server.

The current economic climate has put pressure on many businesses to cancel or scale back on projects and the awful £/$ exchange rate has made CF a lot more expensive in the UK. So maybe now is the time to look closely at the open source CFML engines.

15 Apr 2009

Optimal SQL to page through large record set

This is a tip for web application developers who want to page through results coming back from a MS SQL database. If there are 100 or 500 records coming back and you just want to show 25 at a time to the user then you can achieve that through your application code (CFML, PHP, etc). But what if there are thousands of records? It’s deeply inefficient to request that many records from your database if you only want to display 25 every time the user requests the next page, or jumps forwards several pages. If you want the results to be ordered by a user-defined column and not by the Row ID then the solution may not be obvious.

MySQL can use limit(start,count) but MS SQL doesn’t support that. Someone suggested using a memory table, someone else suggested a cursor. A bit of Googling revealed MS SQL 2005 onwards has a new function called row_number(). Here’s how it works in this example:

-- The inner query numbers every row in the required order; the outer query
-- keeps only the rows whose number falls inside the page being requested.
SELECT table1.id, table1.firstname, table1.surname
FROM (
    SELECT row_number() over (
        order by users.surname, users.firstname
    ) AS rowNumber, users.id, users.firstname, users.surname
    FROM users
) table1
WHERE table1.rowNumber BETWEEN 150 AND 175
ORDER BY table1.rowNumber

It returns only rows 150 to 175 and, importantly, orders them by surname then firstname. And it’s very, very fast.
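As an added example (not code from the original post), here is the same row_number() paging query driven from application code: the page number and page size are turned into the inclusive bounds BETWEEN needs and bound as query parameters rather than concatenated into the SQL. It runs offline against an in-memory SQLite table because SQLite accepts the identical window-function syntax; against MS SQL you would pass the same statement and the same `?` placeholders through an ODBC driver such as pyodbc (an assumption about your driver, not something the post specifies).

```python
import sqlite3

# T-SQL from the post, with the bounds left as parameters so a user-supplied
# page number is never concatenated into the query.
PAGE_SQL = """
SELECT table1.id, table1.firstname, table1.surname
FROM (
    SELECT row_number() OVER (ORDER BY users.surname, users.firstname) AS rowNumber,
           users.id, users.firstname, users.surname
    FROM users
) table1
WHERE table1.rowNumber BETWEEN ? AND ?
ORDER BY table1.rowNumber
"""


def page_bounds(page, page_size):
    """Map a 1-based page number to the inclusive (first, last) row numbers.

    BETWEEN is inclusive on both ends (150 AND 175 is 26 rows), so for
    fixed-size pages the last bound is first + page_size - 1.
    """
    if page < 1 or page_size < 1:
        raise ValueError("page and page_size must be >= 1")
    first = (page - 1) * page_size + 1
    return first, first + page_size - 1


def fetch_page(conn, page, page_size):
    """Return one page of users ordered by surname, then firstname."""
    first, last = page_bounds(page, page_size)
    return conn.execute(PAGE_SQL, (first, last)).fetchall()


def demo_db():
    """Constructed in-memory table: 120 users whose surname order differs from id order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, surname TEXT)")
    # 7 is coprime with 120, so every surname is distinct and the order is deterministic
    rows = [(i, f"first{i:03d}", f"surname{(i * 7) % 120:03d}") for i in range(1, 121)]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = demo_db()
    for row in fetch_page(db, 1, 25):  # first page starts with surname000 (id 120)
        print(row)
```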

13 Apr 2009

AJAXbouncer – limiting Ajax tampering and leeching

Yesterday I mentioned a proof of concept to try to stop script kiddies and data leechers from abusing server-side scripts that are intended to serve XMLHttpRequests (XHR or AJAX). Playing with URL or form parameters can get the server to return all sorts of data, sometimes even data that the developers didn’t intend you to have access to. The problem is that servers can’t tell the difference between a normal web page request and XHR.

Ray Camden blogged about how jQuery adds an extra HTTP header to help the server tell the difference, but headers are very easy to spoof.

My idea is for the server to issue the web page with an encrypted token. The token is the current date/time and must be sent back to the server for each and every XHR triggered by the current page. If the server doesn’t receive the token, or the token is invalid (i.e. it’s been tampered with) or the decrypted token reveals it’s older than, say, 5 minutes then the server returns a 404 error – page not found.

So, anyone who tries to submit data back to the server through dishonest means will find they get a 404 after 5 minutes. If they try to alter the token they get a 404 too. This will baffle script kiddies or hackers and hopefully they will move on to mess with someone else’s website. If they persist they will realise that they can’t generate their own encrypted token but will have to refresh the main web page every 5 minutes to obtain a new token and insert that into their script. That’s the only weakness in this concept, but taking it a step further you could log the IP from the first failed XHR and block serving that IP for the next 30 minutes. Or refuse to issue a new token within the same session or to the same IP.

As for genuine users you can set the web page to auto-refresh every 5 minutes. It will work best on sites where you don’t expect users to linger on the same page for too long, but of course you may prefer a longer token life (like 15 minutes).

Here’s a live demo – many thanks to Ray Camden for hosting it. The demo’s token will expire after just 90 seconds. The POST data is exposed in a grey area at the bottom of the page so you can tamper with the parameters to see what happens. The demo uses jQuery for XHR, of course.

I’ve commented the code so developers using PHP, .NET, RoR, etc can easily adapt the ColdFusion code. Download the demo code here.

If you improve upon it please let me know.

Oh, in case you’re wondering why I called it AJAXbouncer it’s because it offers a deterrent to potential trouble makers but doesn’t provide 100% safety – like bouncers standing outside pubs and clubs.
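The token check described above, written as an added example rather than the demo’s ColdFusion code: instead of encrypting the timestamp it signs it with HMAC-SHA256 (a swapped-in technique; an authenticated timestamp gives the same three outcomes the post wants, and a client without the secret cannot mint or alter one), and the XHR handler answers 404 for a missing, tampered or stale token. The secret key and the 5-minute life are constructed values.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real deployment keeps this server-side only (assumption).
SECRET = b"constructed-demo-secret-change-me"
MAX_AGE = 300   # seconds: the 5-minute token life the post proposes
MAC_LEN = 32    # bytes in an HMAC-SHA256 tag


def _mac(payload, secret):
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_token(secret=SECRET, now=None):
    """Token the server embeds in the page: the issue time plus a MAC over it."""
    issued = str(int(time.time() if now is None else now)).encode()
    return base64.urlsafe_b64encode(issued + _mac(issued, secret)).decode()


def check_token(token, secret=SECRET, now=None, max_age=MAX_AGE):
    """Return the HTTP status the XHR handler should answer with: 200 or 404.

    404 for a missing token, an undecodable one, a MAC mismatch (tampering,
    or a token minted without the secret) and anything older than max_age.
    """
    if not token:
        return 404
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
        # constant-time compare; a short or altered tag simply fails to match
        if not hmac.compare_digest(tag, _mac(payload, secret)):
            return 404
        issued = int(payload)
    except ValueError:  # bad base64 padding or a non-numeric payload
        return 404
    age = (time.time() if now is None else now) - issued
    if age < 0 or age > max_age:
        return 404
    return 200
```

As the post says, a fresh token copied out of the page still passes until it expires; binding the token to the session or source IP, as suggested above, is the next step and is not implemented here.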

12 Apr 2009

CFMAIL spool bug in ColdFusion 8.01

After applying a patch to fix a cfmail problem in 8.01 I noticed a new problem. When creating more than 3000 or so emails in one go about 100 ended up in the Undelivr directory. There was nothing wrong with those emails, dropping them into the spool directory by hand sent them quickly on their way.

The exception.log was showing “IOException while sending message”. I reported this to an Adobe engineer in July 2008. In October the engineer found that the issue can be “fixed” by increasing the max session size in the Microsoft SMTP service. Microsoft don’t recommend increasing it too much, but the more I increased it the fewer emails were sent to the Undelivr directory.

The bug is with ColdFusion and it appears to not behave correctly if the SMTP server closes a session because it has reached the maximum size. ColdFusion should react by simply opening up a new session and continue to send emails from where it last left off. But it doesn’t do that. This bug has been affecting a major application for nearly a year and Adobe haven’t been able to fix it.

MS SMTP logs “552 4.3.1 Session size exceeds fixed maximum session size” which is fine, it expects the app at the other end (CF) to continue by opening a new session. I’ve now increased the session limit to a very large amount but as the application is used more the limit is reached and emails stop being sent again. CF is misbehaving and is causing operational headaches.

Has anyone else had similar problems? I’m looking for others who can help add some pressure to get this bug fixed. Please do get in touch. Needless to say I’m very disappointed that CF is unable to send a large amount of (legitimate, non-marketing) emails without problems.

AJAX tampering and leeching

Ray Camden blogged about server side security when using AJAX. He discussed a way to detect the difference between normal HTTP requests for normal web pages and AJAX triggered HTTP requests. To the server they look virtually the same.

The problem with using AJAX is that it adds a vulnerability to web applications. People can play around with URL and form parameters to see what else they can extract from your application or database. It can also be used to leech data from your database on a regular basis because, if your data is of any value to someone else, you’re providing it freely in a machine readable format, typically JSON or XML. How can you do something to stop people doing that? I mentioned a possible technique when commenting on Ray’s blog and was asked to come up with some code.

I brewed up a demo app and am seeing if I can get the live code hosted (it’s for ColdFusion but the technique applies to any server side language). Stay tuned…

If you want to play with the code on your own CF server you can download it here. No configuration is necessary, just drop the folder into your web root. The code is highly commented so PHP, RoR and .NET coders can easily modify it.

First post is always the toughest

Finally I have a permanent blog after being on the Internet since 1991 and making my first web page in 1994. Finding the best blogging site and tools was a bit of an adventure since there are so many options and not everything does what you want or expect it to.

I’ve settled for Windows Live Writer for composing (I prefer a WYSIWYG desktop app) and Blogger.com for hosting. All I need now is a reliable way to post code snippets in a nicely formatted way – it needs to support CFML as well as JavaScript and HTML. Any ideas?