ColdFusion Notes

A collection of tips, reminders, and notes collected from all those little scribbled slips of paper lying around.

Development Process (Management)

By Hal Helms

CFSouth Conference, February 3, 2001

The current, typical method:

Requirements → Design → Architecture & Coding → Testing → Delivery

“Requirements Gathering” implies that all we have to do is a little foraging to collect these nuggets of information.

The most elegant, efficient coding will never turn a failed requirements & design job into a successful application.

If you force the client into a hasty set of decisions, their problems & questions will arise at the worst possible time.

You must show the client something in order for them to react.

Wireframes – clickable pages of HTML that show the links and content for each page of a web application. These have NO graphics so the client is forced to focus on the functionality.

The wireframe gives us what we need to build a prototype.

The #1 complaint from clients is that they don’t like what they see. When they see it is critical – the sooner they see it, the easier it is to fix.

The prototype will go through many iterations. When it is done, you will see exactly what the application will look like.

We’re done prototyping only when the client says so. The client makes the decision of whether the application should be rough & ready, or spit & polished.

DevNotes is a way of collecting notes on the prototypes and storing them in a central location. The DevNotes are removed when the application goes into “Prototype Freeze.” The client should fully understand the ramifications (financial and otherwise) of making changes after the application enters prototype freeze.

Dynamic PDF Generation

By Neil Giarratana

From CFSouth Conference, February 3, 2001

This process arose from an internal need for dynamic reporting. Crystal Reports was not an option.

Working with PDF

FOP is by the Apache Project. It is a series of Java classes that use XSL formatting objects to create PDF files. FO Document → FOP Java Server → PDF

  1. Verify JDK is installed.
  2. Install Java XML Parsing Engine (Xalan and Xerces).
  3. Install FOP.

The Classpath is the most critical step.

Formatting Objects

A subset of XSL: XSLT is the first half, FO is the second. FO is similar to CSS.

FO Document Format

Root section – w3.org DTD

Page Template(s) – like a slide master

Page Sequence(s)

Page Regions

diagram of the FO document regions

Body overlaps the other regions.

Three elements in a page sequence:

The elements must be in the order listed.

Block tag – like a <div> tag. There is no break tag, so blocks are the only way to get a CR/LF equivalent.

Inline tag – changes styles without starting a new block (no CR/LF).

You can insert GIF and JPEG images, as well as vector graphics.

List-block tags – like HTML lists.

Tables – very like HTML tables, except it actually uses the dimensions you give it.

Out-of-line block – not supported by FOP. Used to add footnotes or floating elements.

Keeps & Breaks
Hyphenation – automatic hyphenation
Indentation
Character
Sentence

FO Document

The FO document combines these to describe the entire document. 

Dynamic PDF using CFML

CFML Template → CF Server → FO Document → FOP Java Processor → PDF Doc

  1. Verify JDK is installed.
  2. Install XML Parser
  3. Install FOP
  4. Copy cfxml.class into FOP directory.
  5. Copy pdf.cfm custom tag into Custom Tags directory.
  6. Use CFML to define the FO document dynamically.
Do your query output, etc. in the page flow section.

Call your FO generator page from another CFM page that sets the cfcontent to the “application/pdf” MIME type, does a CFHTTP call to the FO generator page, and then calls the Create PDF custom tag.
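As an added example of the FO generator page in step 6 (this is not code from the talk, and it does not show IniNet's pdf.cfm tag, whose attributes are not given here), the template below builds a complete FO document from query data: a page template with the three regions, static content for the header and footer, and the query loop placed in the page flow. The order rows are constructed inline to stand in for a real cfquery, and xmlFormat() is assumed to be available on the CF version in use.

```cfml
<!--- fo_report.cfm: FO generator page (added example; not from the page or the pdf.cfm tag) --->
<cfsetting enablecfoutputonly="yes">

<!--- Constructed sample rows standing in for a database query --->
<cfset orders = queryNew("id,customer,total")>
<cfset r = queryAddRow(orders, 3)>
<cfset r = querySetCell(orders, "id", 1001, 1)>
<cfset r = querySetCell(orders, "customer", "Smith & Sons <Ltd>", 1)>
<cfset r = querySetCell(orders, "total", 149.50, 1)>
<cfset r = querySetCell(orders, "id", 1002, 2)>
<cfset r = querySetCell(orders, "customer", "Globex", 2)>
<cfset r = querySetCell(orders, "total", 2300, 2)>
<cfset r = querySetCell(orders, "id", 1003, 3)>
<cfset r = querySetCell(orders, "customer", "Initech", 3)>
<cfset r = querySetCell(orders, "total", 87.25, 3)>

<cfcontent type="text/xml">
<cfoutput><?xml version="1.0" encoding="UTF-8"?>
<fo:root xmlns:fo="http://www.w3.org/1999/XSL/Format">
  <fo:layout-master-set>
    <!-- Page template: the "slide master" -->
    <fo:simple-page-master master-name="report" page-width="8.5in" page-height="11in" margin="0.75in">
      <!-- The body overlaps region-before/after; its margins keep the flow clear of them -->
      <fo:region-body margin-top="0.6in" margin-bottom="0.6in"/>
      <fo:region-before extent="0.5in"/>
      <fo:region-after extent="0.5in"/>
    </fo:simple-page-master>
  </fo:layout-master-set>

  <!-- Page sequence: static content first, then the flow -->
  <fo:page-sequence master-reference="report">
    <fo:static-content flow-name="xsl-region-before">
      <fo:block font-size="10pt" text-align="end">Order report, #dateFormat(now(), "yyyy-mm-dd")#</fo:block>
    </fo:static-content>
    <fo:static-content flow-name="xsl-region-after">
      <fo:block font-size="9pt" text-align="center">Page <fo:page-number/></fo:block>
    </fo:static-content>

    <fo:flow flow-name="xsl-region-body">
      <fo:block font-size="16pt" font-weight="bold" space-after="8pt">Open orders</fo:block>
      <!-- Blocks are the only line break; a table is the grid, and FO honours the widths -->
      <fo:table table-layout="fixed" width="100%" border="solid 0.5pt black">
        <fo:table-column column-width="1in"/>
        <fo:table-column column-width="4.5in"/>
        <fo:table-column column-width="1.5in"/>
        <fo:table-body>
          <cfloop query="orders">
          <fo:table-row>
            <fo:table-cell padding="2pt"><fo:block>#id#</fo:block></fo:table-cell>
            <!-- xmlFormat() escapes & and < so the FO document stays well-formed -->
            <fo:table-cell padding="2pt"><fo:block>#xmlFormat(customer)#</fo:block></fo:table-cell>
            <fo:table-cell padding="2pt"><fo:block text-align="end">#dollarFormat(total)#</fo:block></fo:table-cell>
          </fo:table-row>
          </cfloop>
        </fo:table-body>
      </fo:table>
    </fo:flow>
  </fo:page-sequence>
</fo:root></cfoutput>
```

The calling page described above sets cfcontent to application/pdf, fetches this template with cfhttp, and hands the returned FO text to the Create PDF custom tag. Early FOP releases followed an older XSL working draft and named the page-sequence attribute master-name rather than master-reference; if the FOP build in use rejects master-reference, that is the name to use.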

Introduction to FO – http://www.ibiblio.org/xml/books/bible/updates/15.html
Apache XML project – http://xml.apache.com/
IniNet – http://www.ininet.com/


Query of Queries

Introduced: CF5

Use by specifying <cfquery dbtype="query"...>.

There are a few bugs, and the query language is not 100% SQL-92 compliant in CF5:

You must fully specify the table names - no aliasing.
You must alias the columns of your result set, even if they are unique.
You cannot use INNER JOIN syntax.
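An added example (not from the page) that applies all three rules at once: two in-memory queries, constructed inline to stand in for database results, are joined with a Query of Queries that writes the table names out in full, aliases every selected column, and puts the join condition in the WHERE clause instead of using INNER JOIN.

```cfml
<!--- qoq_join.cfm: Query of Queries under the CF5 rules (added example, not from the page) --->
<!--- Constructed sample data standing in for two database queries --->
<cfset customers = queryNew("id,name")>
<cfset r = queryAddRow(customers, 2)>
<cfset r = querySetCell(customers, "id", 1, 1)>
<cfset r = querySetCell(customers, "name", "Acme", 1)>
<cfset r = querySetCell(customers, "id", 2, 2)>
<cfset r = querySetCell(customers, "name", "Globex", 2)>

<cfset orders = queryNew("id,customerId,total")>
<cfset r = queryAddRow(orders, 3)>
<cfset r = querySetCell(orders, "id", 1001, 1)>
<cfset r = querySetCell(orders, "customerId", 1, 1)>
<cfset r = querySetCell(orders, "total", 149.50, 1)>
<cfset r = querySetCell(orders, "id", 1002, 2)>
<cfset r = querySetCell(orders, "customerId", 2, 2)>
<cfset r = querySetCell(orders, "total", 2300, 2)>
<cfset r = querySetCell(orders, "id", 1003, 3)>
<cfset r = querySetCell(orders, "customerId", 1, 3)>
<cfset r = querySetCell(orders, "total", 87.25, 3)>

<!--- Rules applied:
      1. table names written out in full: no "FROM orders o"
      2. every selected column aliased, even though name and total are already unique
      3. no INNER JOIN keyword: the join condition lives in the WHERE clause --->
<cfquery name="report" dbtype="query">
    SELECT orders.id AS orderId,
           customers.name AS customerName,
           orders.total AS orderTotal
    FROM orders, customers
    WHERE orders.customerId = customers.id
      AND orders.total > 100
    ORDER BY orders.total DESC
</cfquery>

<!--- Expected rows: 1002 Globex $2,300.00 then 1001 Acme $149.50 --->
<cfoutput query="report">
<p>#orderId#: #htmlEditFormat(customerName)# #dollarFormat(orderTotal)#</p>
</cfoutput>
```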

Web Application Security

By Raymond Camden

From CFSouth Conference, February 3, 2001

Input Points

    URL parameters, form fields, etc.  If the user modifies the URL or form, they can cause your page to error out.  Put in error handling routines to perform existence checks and type checks.

<cfif not isDefined("URL.ID") or not isNumeric(URL.ID)>
    <!--- existence check or type check failed: send the user elsewhere --->
    <cflocation …>
</cfif>

    The idea is to identify your page display rules and have a 1:1 relation between display rules and security checks.

Form variables

    Never assume that your form variables are safe.  Don’t rely on Javascript form validation, since Javascript can be disabled or bypassed.  Do your own validations on the back-end.

    Check CGI.HTTP_REFERER to be sure that the form is POSTing from the right place.

    Check uploaded files to make sure they are what they should be.

Cookie variables

    Treat cookie variables just like URL variables.  Don’t store them in unencrypted format.
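An added example (not code from the talk) of one page that pairs each of its display rules with a check, covering the URL, form, cookie and upload points above. The page names, form field names and cookie name are assumptions. The referer check is included as the talk suggests; note that the Referer header is sent by the browser and can be omitted or forged, so it catches accidental cross-site posts rather than deliberate ones, and the cffile accept attribute tests only the MIME type the browser claims, so the saved extension is checked as well.

```cfml
<!--- order_edit.cfm: one check per display rule (added example, not from the talk).
      Display rules: show order URL.ID to a user with a valid session cookie, accept the
      edit form, and take one GIF/JPEG attachment. Names of pages, fields and the cookie
      are assumptions. --->

<!--- Rule: the page needs URL.ID. Existence and type are checked before any query sees it --->
<cfif not isDefined("URL.ID") or not isNumeric(URL.ID) or int(URL.ID) neq URL.ID or URL.ID lt 1>
    <cflocation url="index.cfm" addtoken="no">
</cfif>
<cfset orderId = int(URL.ID)>

<!--- Rule: the page needs a session cookie. It is treated like a URL variable: it must match
      the createUUID() format (8-4-4-16 hex) before it is used for a server-side lookup --->
<cfif not isDefined("COOKIE.SESSIONTOKEN")
      or reFindNoCase("^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{16}$", COOKIE.SESSIONTOKEN) eq 0>
    <cflocation url="login.cfm" addtoken="no">
</cfif>

<cfset errors = arrayNew(1)>
<cfif isDefined("FORM.SAVE")>
    <!--- Referer check from the talk: the header is client-supplied and may be absent or
          forged, so this only catches accidental posts from elsewhere. The dots in the
          server name are regex wildcards here, which is acceptable for that purpose --->
    <cfif len(CGI.HTTP_REFERER) eq 0
          or reFindNoCase("^https?://" & CGI.SERVER_NAME & "/", CGI.HTTP_REFERER) eq 0>
        <cflocation url="index.cfm" addtoken="no">
    </cfif>

    <!--- Back-end validation, whatever JavaScript the form did or did not run --->
    <cfparam name="FORM.QUANTITY" default="">
    <cfparam name="FORM.NOTE" default="">
    <cfif not isNumeric(FORM.QUANTITY) or int(FORM.QUANTITY) neq FORM.QUANTITY
          or FORM.QUANTITY lt 1 or FORM.QUANTITY gt 1000>
        <cfset r = arrayAppend(errors, "Quantity must be a whole number from 1 to 1000.")>
    </cfif>
    <cfif len(FORM.NOTE) gt 500>
        <cfset r = arrayAppend(errors, "Note is limited to 500 characters.")>
    </cfif>

    <!--- Uploaded file: accept= tests only the MIME type the browser claims, so the saved
          extension is checked against an allowlist too and anything else is deleted --->
    <cfif isDefined("FORM.ATTACHMENT") and len(FORM.ATTACHMENT)>
        <cftry>
            <cffile action="upload" filefield="attachment"
                    destination="#getTempDirectory()#" nameconflict="makeunique"
                    accept="image/gif,image/jpeg">
            <cfif listFindNoCase("gif,jpg,jpeg", cffile.serverFileExt) eq 0>
                <cffile action="delete" file="#cffile.serverDirectory#/#cffile.serverFile#">
                <cfset r = arrayAppend(errors, "Only GIF or JPEG attachments are accepted.")>
            </cfif>
            <cfcatch type="any">
                <!--- cffile throws when the claimed type is outside accept= --->
                <cfset r = arrayAppend(errors, "The attachment could not be accepted.")>
            </cfcatch>
        </cftry>
    </cfif>

    <cfif arrayLen(errors) eq 0>
        <!--- Every check behind the display rules passed: update the order here --->
        <cflocation url="order.cfm?ID=#orderId#" addtoken="no">
    </cfif>
</cfif>

<cfoutput>
<cfloop index="i" from="1" to="#arrayLen(errors)#">
    <p>#htmlEditFormat(errors[i])#</p>
</cfloop>
</cfoutput>
```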


Database considerations

Consider using a stored procedure for validation or a database view to prevent unauthorized data modification.

Consider using UUIDs instead of auto-increment integers.

Security through obscurity is not really security.

Cross-site Scripting

    When allowing users to enter data that is later displayed, be sure to use htmlEditFormat() and regular expressions to strip out invalid stuff or turn it into harmless display info.

    In CF Admin, turn off path display for errors.

    Beware the +.htr and ::$DATA vulnerability on older IIS servers.
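An added example (not from the talk) of the htmlEditFormat() and regular-expression approach above: a stored user comment is displayed with its markup encoded rather than executed, and a field that must never carry markup has tags stripped as well. The stored values are constructed inline to stand in for database records.

```cfml
<!--- comment_show.cfm (added example, not from the talk): display user-supplied text
      without letting its markup run. The stored values below are constructed samples. --->
<cfset storedComment = "Nice product <b>5/5</b> <script>alert(1)</script>">
<cfset storedSubject = "Review of <i>widget</i>">

<!--- Primary defense: encode on output. htmlEditFormat() turns <, >, & and " into
      entities, so the browser shows the tags as text instead of executing them.
      It does not escape the single quote, so attribute values must be double-quoted. --->
<cfoutput>
<p>#htmlEditFormat(storedComment)#</p>
</cfoutput>

<!--- Belt and braces for a field that must never carry markup (a subject line): every
      <...> tag is stripped with a regular expression, and the result is still encoded
      on output, because stripping alone is not what stops a script from running --->
<cfset cleanSubject = reReplaceNoCase(storedSubject, "<[^>]*>", "", "all")>
<cfoutput>
<input type="text" name="subject" value="#htmlEditFormat(cleanSubject)#">
</cfoutput>
```

The other two items above are server configuration rather than code: path display is switched off in the CF Administrator, and the .htr and ::$DATA source-disclosure issues are addressed by patching or reconfiguring IIS.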