Posts tagged ‘Programming’

ColdFusion asynchronous calls (event gateway)

Do you have some methods that require lots of processing, but don’t want the customer to have to wait for the result?

February 1, 2008 at 2:12 am 2 comments

Securing ColdFusion (tips)

I’ve started to write a document for OWASP about ColdFusion security which I hope will be included on the site when I finish it.

Any feedback is more than welcome; if you'd like to see anything included about ColdFusion security, let me know and I'll do my best to include it.

Some of the items covered are:

  1. SQL Injection
  2. Database Logins
  3. Logging
  4. XSS (Cross Site Scripting)
  5. Cookie Hijacking
  6. Proper Error Handling
  7. Input Validation
  8. Securing Protected Areas
  9. Forms being submitted outside of your domain
  10. Automated data mining

The document about ColdFusion security can be downloaded here. Please note that the document is still a work in progress.

This document is sponsored by www.clickfind.com.au

ColdFusion Security

January 23, 2008 at 7:15 am

Create a Google Webmaster Sitemap (free code)

Want to know how to easily create a Google sitemap without having to use any other external tools?

It's easy-peasy if you use MS SQL and ColdFusion!

Let's assume you have a database full of products (11,000 or more) and you need to generate a sitemap so Google knows what to index. You wouldn't want to do that by hand!

The SQL is very simple (SQL Server 2005 syntax; the only per-row value is the integer identity, so nothing user-supplied reaches the XML):

DECLARE @year CHAR( 4 ), @month VARCHAR( 2 ), @day VARCHAR( 2 ), @lastModified CHAR( 10 )
SET @year = CONVERT( CHAR( 4 ), YEAR( GETDATE() ) )
SET @month = CONVERT( VARCHAR, MONTH( GETDATE() ) )
SET @day = CONVERT( VARCHAR, DAY( GETDATE() ) )
-- zero-pad month and day so lastmod is the W3C date (YYYY-MM-DD) the sitemap schema expects
SET @lastModified = @year + '-' + REPLICATE( '0', 2 - LEN( @month ) ) + @month + '-' + REPLICATE( '0', 2 - LEN( @day ) ) + @day

-- FOR XML EXPLICIT: tag/parent describe the hierarchy, [url!1!loc!element] puts the value in a <loc> child of <url>
SELECT 1 AS tag
, NULL AS parent
, NULL AS [url!1]
-- IDENTITY is a reserved word in T-SQL, so the column has to be bracketed
, 'http://www.clickfind.com.au/product/listing.cfm?productIdentity=' + CAST( [identity] AS VARCHAR( 10 ) ) AS [url!1!loc!element]
, @lastModified AS [url!1!lastmod!element]
, 'monthly' AS [url!1!changefreq!element]
, 1 AS [url!1!priority!element]
FROM product
FOR XML EXPLICIT

How easy is that? Just transfer it to ColdFusion, wrap the
<urlset xmlns="http://www.google.com/schemas/sitemap/0.84"></urlset> tag around it, and save it as a file with cffile. FOR XML entity-encodes &, < and > in element values, but if you ever build the loc from a text column (a product slug, say) it also has to be URL-encoded first, because the sitemap schema requires each loc to be a valid, escaped URL.

Obviously you need to change the date-last-modified variable and base it on the change frequency of each individual product, rather than stamping every row with today's date.
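As an added example that is not the post's own code, here is the query generalised the way the last paragraph suggests: lastmod is taken from a per-product dateModified column, and changefreq and priority are derived from how recently each product changed. The dateModified column and the dbo schema prefix are assumptions about your table; the product table, the [identity] column and the URL prefix are the ones used above.

```sql
-- Added example, not the post's code. Assumes SQL Server 2005 or later and a
-- product table with an integer [identity] column and a DATETIME dateModified
-- column (dateModified is an assumed column name).
SELECT 1 AS tag
, NULL AS parent
, NULL AS [url!1]
, 'http://www.clickfind.com.au/product/listing.cfm?productIdentity=' + CAST( p.[identity] AS VARCHAR( 10 ) ) AS [url!1!loc!element]
-- style 120 renders 'YYYY-MM-DD hh:mi:ss'; the first 10 characters are the W3C date lastmod wants,
-- which replaces the hand-rolled zero-padding of the DECLARE block above
, CONVERT( CHAR( 10 ), p.dateModified, 120 ) AS [url!1!lastmod!element]
-- changefreq follows how recently the row actually changed
, CASE
    WHEN DATEDIFF( day, p.dateModified, GETDATE() ) <= 7  THEN 'daily'
    WHEN DATEDIFF( day, p.dateModified, GETDATE() ) <= 60 THEN 'weekly'
    ELSE 'monthly'
  END AS [url!1!changefreq!element]
-- sitemap priority is a value from 0.0 to 1.0; recently changed products get the top value
, CASE WHEN DATEDIFF( day, p.dateModified, GETDATE() ) <= 7 THEN '1.0' ELSE '0.5' END AS [url!1!priority!element]
FROM dbo.product p
WHERE p.dateModified IS NOT NULL
FOR XML EXPLICIT
```

The sitemap protocol caps a single file at 50,000 URLs, so 11,000 products fit in one file; a larger catalogue has to be split into several files listed from a sitemap index.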

You’re more than welcome to copy the code and use it, just be courteous and reference back to this article 😉

Sponsored by www.clickfind.com.au

January 21, 2008 at 6:09 am 2 comments

A secure search engine in ColdFusion

Well, it's official! We've got a HACKER SAFE site (for now, anyway).

I’ve always been pretty careful in regards to security when it comes to programming, web server setup etc.

We’ve had our site checked by members of CFAUSSIE before we launched it. There were two issues that came up. One was reported by Steve Bentley who really did an awesome job in discovering the hole.

We're not scared to put our site out there and let people try to break it; I believe it's the only way to go if you want to run a successful, high-traffic Australian search engine. It's better to discover the security holes before launch and fix them than to discover them after launch and get a bad name.

OK, even though we had the site checked by members of the ColdFusion community, I still did not feel 100% safe about it all. So we've become a member of www.scanalert.com and had our site and server scanned for thousands of vulnerabilities. It's not cheap becoming a member of ScanAlert, but I reckon it is well worth the money if you want to be notified about potential security holes (if any) before anyone else discovers them.

Everything went as planned, and even our own methods of securing the site and reporting worked: the scan requested a high number of pages within a time frame that can only be automated. This gets detected by our application, we get notified, and the IP gets logged and banned from accessing further content. We're planning to eventually integrate this with the web server so it puts the IP in the access-denied list.

The scan report from ScanAlert is pretty comprehensive; if they find something they'll also help with explaining and fixing the hole. It so happens we had a couple of low alerts. The alerts range from Low to Urgent, with Medium, High and Critical in between. The low alerts were things like allowing ICMP requests, which we have to, because we also have the site monitored externally; if and when it goes down we like to be notified! 😉
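The detection just described, written out as an added example in T-SQL; it is not the site's own code. The two table variables stand in for persistent request-log and ban tables, the threshold (60 requests), the window (120 seconds), the IP addresses and the traffic are all constructed assumptions, and the 2005-compatible loop is used because multi-row VALUES only arrived in SQL Server 2008.

```sql
-- Added example, not the site's code. Assumes SQL Server 2005 or later.
-- Every request the application serves is logged with the client IP and time.
DECLARE @requestLog TABLE ( ipAddress VARCHAR( 45 ), requestedAt DATETIME, url VARCHAR( 500 ) )
DECLARE @bannedIp   TABLE ( ipAddress VARCHAR( 45 ) PRIMARY KEY, bannedAt DATETIME, hitCount INT )

-- Constructed sample traffic: 203.0.113.9 pulls 120 product pages in two minutes
-- (a scanner), 198.51.100.4 pulls three pages in the same window (a person).
DECLARE @now DATETIME, @i INT
SET @now = '2008-01-14 23:00:00'
SET @i = 0
WHILE @i < 120
BEGIN
    INSERT INTO @requestLog ( ipAddress, requestedAt, url )
    VALUES ( '203.0.113.9', DATEADD( second, @i, @now ), '/product/listing.cfm?productIdentity=' + CAST( @i AS VARCHAR( 10 ) ) )
    SET @i = @i + 1
END
INSERT INTO @requestLog VALUES ( '198.51.100.4', DATEADD( second, 10, @now ), '/index.cfm' )
INSERT INTO @requestLog VALUES ( '198.51.100.4', DATEADD( second, 45, @now ), '/product/listing.cfm?productIdentity=42' )
INSERT INTO @requestLog VALUES ( '198.51.100.4', DATEADD( second, 80, @now ), '/about.cfm' )

-- Detection: more than @threshold requests from one IP inside the last @windowSeconds.
-- Run this periodically (or from the request handler); IPs already banned are skipped.
DECLARE @threshold INT, @windowSeconds INT, @checkTime DATETIME
SET @threshold = 60
SET @windowSeconds = 120
SET @checkTime = DATEADD( second, 120, @now )

INSERT INTO @bannedIp ( ipAddress, bannedAt, hitCount )
SELECT r.ipAddress, @checkTime, COUNT( * )
FROM @requestLog r
WHERE r.requestedAt >= DATEADD( second, -@windowSeconds, @checkTime )
  AND NOT EXISTS ( SELECT 1 FROM @bannedIp b WHERE b.ipAddress = r.ipAddress )
GROUP BY r.ipAddress
HAVING COUNT( * ) > @threshold

-- Only the scanner is banned: one row, 203.0.113.9 with hitCount 120.
SELECT ipAddress, bannedAt, hitCount FROM @bannedIp

-- Enforcement at request time: the page refuses (HTTP 403) before doing any work.
-- @clientIp would be CGI.REMOTE_ADDR passed in from ColdFusion.
DECLARE @clientIp VARCHAR( 45 )
SET @clientIp = '203.0.113.9'
SELECT CASE WHEN EXISTS ( SELECT 1 FROM @bannedIp WHERE ipAddress = @clientIp ) THEN 1 ELSE 0 END AS isBanned
```

Two caveats a practitioner will want. Keying the ban on the source address alone also locks out everyone behind the same NAT or proxy, so an allow-list for known monitoring and partner addresses is worth keeping next to the ban table; and a scanner spread across many addresses stays under a per-IP threshold, which is why the post's plan of pushing the list down to the web server's deny list is a complement to, not a replacement for, this check.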

Another alert had something to do with cookies not being set over a secure channel. I will have to read up a bit more about that one. Not sure how that would work since we can’t put SSL over the whole site.

I'll report more about this when information becomes available.

January 14, 2008 at 11:27 pm 1 comment

ColdFusion tutorial: create the same hash as CF, but in MS SQL, directly in the MS SQL RDBMS

How cool would it be to create the same MD5 hash as ColdFusion directly in the MS SQL RDBMS?

I know there's been quite some demand for this function. Most people create the MD5 hash in ColdFusion and then pass it to the database, which means a couple more round trips to the db, which we prefer to avoid at any time.

We'll make some assumptions in this article to make things easier, and they are:
- you are running MS SQL 2005
- you are running ColdFusion

Ready to get started?

The first thing to do is go into your MS SQL database and create the following function, which creates the hash and returns a string value.
Because our blog doesn't maintain formatting and colour coding, we'll just make this tutorial available in a Word document 😉
You can download the document at the following link: ColdFusion tutorial: create the same hash as CF, but in MS SQL, directly in the MS SQL RDBMS.
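Since the function itself lives in the Word document, here is an added example of the same idea; it is my own code, not the tutorial's. It assumes SQL Server 2005 or later, that dbo.cfHash is a name you are free to use, and that the ColdFusion side calls Hash() with its default MD5 algorithm, which returns upper-case hex.

```sql
-- Added example, not the tutorial's document. Assumes SQL Server 2005+.
-- A scalar function returning the same 32-character upper-case hex MD5
-- digest that ColdFusion's Hash( string ) produces. dbo.cfHash is an assumed name.
CREATE FUNCTION dbo.cfHash ( @input VARCHAR( 8000 ) )
RETURNS CHAR( 32 )
AS
BEGIN
    -- HASHBYTES returns the 16 raw digest bytes as VARBINARY(16).
    -- fn_varbintohexstr renders them as '0x' plus 32 lower-case hex digits;
    -- SUBSTRING drops the '0x' and UPPER matches ColdFusion's casing.
    -- On SQL Server 2008 and later the same can be written without the master
    -- function as CONVERT( CHAR( 32 ), HASHBYTES( 'MD5', @input ), 2 ).
    RETURN UPPER( SUBSTRING( master.dbo.fn_varbintohexstr( HASHBYTES( 'MD5', @input ) ), 3, 32 ) )
END
GO

-- Check against a known digest: ColdFusion's Hash( "abc" ) is
-- 900150983CD24FB0D6963F7D28E17F72, and so is this.
SELECT dbo.cfHash( 'abc' ) AS md5Hex

-- The use the post has in mind, with the hashing kept on the database side
-- (dbo.users and its columns are assumed names):
-- SELECT userId FROM dbo.users WHERE username = @username AND passwordHash = dbo.cfHash( @password )
```

Three things to check before relying on it. The two sides agree only while the bytes they hash agree: ColdFusion hashes the UTF-8 encoding of the string, a VARCHAR parameter hands HASHBYTES the database code-page bytes (the same for plain ASCII, different for accented characters), and an NVARCHAR parameter hands it UTF-16LE, which gives a different digest even for ASCII. HASHBYTES on SQL Server 2005 accepts at most 8,000 bytes of input. And if the hash is guarding passwords, moving it into the database means the plaintext password now travels to the database server and can surface in a Profiler trace or query log; on top of that, unsalted MD5 is the weak link on either side, so salt per user and prefer SHA-256 or stronger where both platforms offer it.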

January 6, 2008 at 5:54 am

ColdFusion tutorial to export from database to RSS

Always wanted to export items from your existing database into RSS with ColdFusion and syndicate it, but don’t know how?

Well, this is your lucky day! We’re going to show you how you can easily export your database records to RSS.

January 5, 2008 at 5:09 am

ColdFusion CFC for Google Base

We’ve created a ColdFusion CFC that interacts with Google Base. We’ve decided to make the code freely available to all on http://code.google.com/p/google-base-coldfusion-cfc/

January 2, 2008 at 9:29 am 1 comment
