One of the new features I am excited to see in ColdFusion 9 is support for anonymous arrays. I’ve used these before in PHP, Perl, and other languages, and I’m glad to see them added to ColdFusion.

I blogged about this issue in 2007. I was trying to add a column to an existing array that I knew only had one row. QueryAddColumn() accepts an array of values to add to an existing query – one element for each row – so I only needed an array with one element, and I thought I could use CF8’s new inline array syntax and just pass it in like this:

<cfset QueryAddColumn(existingQuery,
                     "newColName",
                     "varchar",
                     ["single new value"])>

This would throw an error in CF8, but works just fine in CF9!

By the way, this also works just fine in the current version of Railo.

Did you know there is a “format” attribute for the cfdump tag? The default format is html, but you can also pass in a format of “text”. I’ve found this useful for putting data structures into plain text emails, log files, and other things.

For example, this code:

<cfset tmp.fname = "John">
<cfset tmp.lname = "Smith">
<cfset tmp.age   = 26>
<cfset tmp.city  = "Omaha">
<cfset tmp.state = "Nebraska">
<cfdump var="#tmp#" format="text">

Produces this output:

struct
AGE: 26
CITY: Omaha
FNAME: John
LNAME: Smith
STATE: Nebraska

It works for complex structures, too:

<cfset tmp.person1.fname = "John">
<cfset tmp.person1.lname = "Smith">
<cfset tmp.person1.age   = 26>
<cfset tmp.person1.city  = "Omaha">
<cfset tmp.person1.state = "Nebraska">
<cfset tmp.person1.pets  = ['Fluffy','Mr. Jingles','Bambi']>

<cfset tmp.person2.fname = "Mary">
<cfset tmp.person2.lname = "Doogan">
<cfset tmp.person2.age   = 32>
<cfset tmp.person2.city  = "Kansas City">
<cfset tmp.person2.state = "Missouri">
<cfset tmp.person2.pets  = []>
<cfdump var="#tmp#" format="text">

Produces this output:

Struct
PERSON2 Struct
	AGE number 32 
	LNAME string Doogan 
	PETS Array
	STATE string Missouri 
	CITY string Kansas City 
	FNAME string Mary 

PERSON1 Struct
	AGE number 26 
	LNAME string Smith 
	PETS Array
		1 string Fluffy 
		2 string Mr. Jingles 
		3 string Bambi 
	STATE string Nebraska 
	CITY string Omaha 
	FNAME string John

Railo also supports the “format” attribute, but BlueDragon does not. In fact Railo supports a bunch of interesting attributes to the cfdump tag.

There have been some attacks recently against ColdFusion servers that allow users to upload files. This is a common feature on many sites – uploading your profile photo, classified ad pictures, etc. Here is my take on handling file uploads securely.

First, make sure you are not uploading files directly into your webroot. For example, if you store your users’ profile photos in /images/profilePhotos, don’t upload the file straight into that directory. You need to put it somewhere safe first and verify that it really is an image file. Adding accept="image/jpeg" to your cffile tag doesn’t save you here either: the MIME type comes from the client, and there are attacks where it is spoofed, making ColdFusion think an image file is being uploaded when really it’s a .cfm file.

So, you need to place the file somewhere outside your webroot. A convenient place to use is your server’s temp directory. You can get the path to a temp directory by calling the built-in getTempDirectory() function. For example:
Continue reading ‘Secure image uploading with ColdFusion’ »
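The approach the excerpt describes, written out as an added example (this is not the post’s own code). It assumes a form field named "photo", a final folder of /images/profilePhotos, and an allowed-extension list of jpg, jpeg, gif and png; the file goes to getTempDirectory() first, is checked with IsImageFile() (which decodes the file rather than trusting the MIME type), and only then is moved into the webroot under a server-generated name.

```cfml
<!--- Added example, not from the original post: accept an upload into the temp
      directory, prove it is an image, then move it under a generated name.
      Assumed: form field "photo", target folder /images/profilePhotos. --->
<cfset uploadDir  = getTempDirectory()>
<cfset finalDir   = expandPath("/images/profilePhotos/")>
<cfset allowedExt = "jpg,jpeg,gif,png">

<!--- Write to the temp directory, never into the webroot. The accept attribute is
      only a client-supplied MIME hint, so it is deliberately not relied on here. --->
<cffile action="upload"
        filefield="photo"
        destination="#uploadDir#"
        nameconflict="makeunique"
        result="upload">

<cfset tempPath = upload.serverDirectory & "/" & upload.serverFile>
<cfset ext      = lCase(upload.serverFileExt)>

<cftry>
    <!--- Extension whitelist: rejects .cfm, .jsp, .php etc. whatever the MIME type says --->
    <cfif NOT listFindNoCase(allowedExt, ext)>
        <cfthrow message="Only image files are accepted (got .#ext#)">
    </cfif>

    <!--- Content check: IsImageFile() actually decodes the file, so a script
          renamed to .jpg fails here even though its extension passed --->
    <cfif NOT isImageFile(tempPath)>
        <cfthrow message="Uploaded file is not a valid image">
    </cfif>

    <!--- Store under a name we generate; the client's filename never reaches the webroot --->
    <cfset safeName = createUUID() & "." & ext>
    <cffile action="move" source="#tempPath#" destination="#finalDir##safeName#">
    <cfoutput><p>Saved as #safeName#</p></cfoutput>

    <cfcatch type="any">
        <!--- On any failure remove the temp copy so nothing is left behind --->
        <cfif fileExists(tempPath)>
            <cffile action="delete" file="#tempPath#">
        </cfif>
        <cfoutput><p>Upload rejected: #cfcatch.message#</p></cfoutput>
    </cfcatch>
</cftry>
```

Two things carry the weight here: the file is never executable from a URL while it is still unverified, because the temp directory is outside the webroot, and the name it ends up with is chosen by the server, so nothing the client sent (filename, extension casing, MIME type) decides where or what it becomes.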

If you are developing a ColdFusion application, or even just a stand alone CFC that you plan to distribute, you might want to make sure it runs on all three major CFML engines – Adobe ColdFusion, Railo, and Open BlueDragon. It can be tedious to always copy code around between your three test sites, but there is an easier way. You can have the same code base run through all three CFML engines at once.

There are a few caveats: Continue reading ‘Running your CFML code through Railo, OpenBD, and Adobe CF all at once’ »

I have been working on a project in my spare time that will eventually be deployed on Open BlueDragon. I ran into an error the other night after adding some methods to one of my CFCs. I run all three CFML engines side by side (another blog post about that is coming soon), so I was easily able to see and compare the error messages in all three.

This was my error message in OpenBD:
Continue reading ‘Error messages on Railo, OpenBD and ColdFusion 8 compared’ »

We had an issue recently where one of our Excel import routines was putting garbled data into the database. By “garbled” I mean the field contained a few normal words then broke into a bunch of strange characters. This Excel file was read in using an ODBC datasource.

If you are not familiar with this method of reading Excel files, here is a short summary.
1) Create a system ODBC DSN using the MS Excel driver in your Windows ODBC control panel. Point it to an empty .xls file somewhere on your drive.
2) Create a datasource in ColdFusion (driver: “ODBC Socket”) and select your Windows ODBC DSN from the drop-down.
3) Copy the XLS file you want to read on top of the empty file you set up in your ODBC DSN.
4) Use it like this in your CFML:

<cfquery name="myQuery" datasource="XLSPassThroughDSN">
SELECT * 
FROM [Sheet1$]
</cfquery>

This usually works well but for some reason we were having problems. Digging through the Excel file turned up nothing out of the ordinary, except some rows (and not the ones causing problems) looked like they were double byte encoded (unicode).

Turns out this XLS driver determines the data type of each column in the spreadsheet by looking through the first couple of rows and guessing a data type based on that data. In our case column B only contained values of fewer than 100 characters in the first few dozen rows, so the driver assumed it was a varchar type of some length. But much further down in the spreadsheet, in a different row, that same column contained a value that was several hundred characters long, thus overflowing the data type.

Normally this only results in truncated data. If that had been the issue I probably would have found the fix much sooner. Instead we were ending up with garbled data; it was truncated as well, but the garbling made that impossible to tell.

The fix is to adjust your registry to tell the driver to scan through more, preferably all, of the rows before guessing at a data type. In your ODBC control panel you’ll notice a setting for this:
ODBC DSN screen shot

But, that doesn’t work! You need to change the registry value manually. I set mine to 1000, since that will cover the length of any of the spreadsheets we upload.

The registry keys are located at:

For Excel 97:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\3.5\Engines\Excel
For Excel 2000 and later versions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\Excel

Here is the MS knowledge base article for more detail: http://support.microsoft.com/kb/189897/

Now the driver scans through all the rows before determining a data type, and probably uses something like a “text” type for column B. I think our data may have been getting garbled, instead of just truncated, because of the double byte data.

After installing Open BlueDragon on Tomcat and hooking it up to Apache, I did some poking around and found I was able to pull up my bluedragon.xml configuration file directly in my browser. Now, this may not happen in all configurations (there are many ways to set up a J2EE web application), but in my case, running through Apache and having copied BlueDragon’s WEB-INF directory to my webroot, I was able to browse this file. In case you didn’t know, all of OpenBD’s settings are stored in a single XML file (which I find very convenient, by the way).

It didn’t work when going directly through Tomcat, i.e. browsing on port 8080 would not pull it up; Tomcat knows not to serve files from the WEB-INF directory. But browsing through Apache on port 80 bypasses Tomcat for anything that’s not a .cfm or .cfc file, so Apache would happily return the XML file as a static file. Datasource passwords are stored encrypted, but the administrator password is clear text. It’s easy to lock this down, just add this to your Apache config file:

# Tomcat never serves WEB-INF itself; Apache, serving static files from the
# same directory tree, has to be told to refuse it too.
<Location "/WEB-INF/">
    Deny from all
</Location>

A while back I had to implement a captcha on a client’s site. The site owner wanted a simple, small captcha (that ruled out reCAPTCHA). We decided to try the new captcha features of ColdFusion 8. What you may not realize is that the new captcha feature does not provide the whole captcha system; it merely creates captcha images. It’s up to you how you implement your captcha system.

Before I get too far just let me state for the record that I dislike captchas and will be happy when they are looked upon like we look at the <blink> tag now. So you don’t need to leave comments telling me how I shouldn’t be using a captcha in the first place. 🙂 The client specifically wanted this feature at this point in time.

I’ve seen some approaches that place the clear text value of the captcha in a hidden field. Then when the form is submitted they compare that value against what the user typed in. I don’t feel this way is very secure. It will stop simple bots, but you need to guard against more than just that. Sometimes spammers code their bots to work against a specific site. If they find your hidden clear text captcha value, they will easily grab it and use it to submit your form. If this is a simple contact form then you might not have much to worry about, but if it’s a “send to a friend” feature – watch out, those are high value targets.

Encrypting the hidden value doesn’t help much either. That adds one more step to what the spammer needs to do. They will have to manually read one of your captcha images – then they have the clear text and encrypted values to your captcha system. Now they can just submit that encrypted/plain text pair over and over again to your form.
Continue reading ‘A secure, ajaxy captcha with cfimage’ »
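The problem described above goes away if the answer never leaves the server. Here is an added example of that pattern (my own code, not the post’s): the expected text lives only in the session, cfimage renders it, and each challenge is consumed on the first check, right or wrong, so a captured text/answer pair cannot be replayed. It assumes a form field named "captchaAnswer" and that session management is enabled in Application.cfc.

```cfml
<!--- Added example, not from the original post: session-held captcha with
      one-time challenges. Assumed: form field "captchaAnswer", sessions enabled. --->

<cfif structKeyExists(form, "captchaAnswer")>
    <!--- Verification step: compare only against what the server stored --->
    <cfset ok = structKeyExists(session, "captchaText")
                AND compareNoCase(session.captchaText, trim(form.captchaAnswer)) EQ 0>

    <!--- One answer per challenge: discard it whether or not it matched, so the
          same challenge cannot be submitted again --->
    <cfset structDelete(session, "captchaText")>

    <cfif ok>
        <cfoutput><p>Captcha passed; process the form here.</p></cfoutput>
    <cfelse>
        <cfoutput><p>Captcha failed, please try again.</p></cfoutput>
    </cfif>
</cfif>

<!--- Challenge step: fresh random text every time the form is rendered.
      Glyphs that are easy to confuse (0/O, 1/l/I) are left out of the alphabet. --->
<cfset alphabet    = "abcdefghjkmnpqrstuvwxyz23456789">
<cfset captchaText = "">
<cfloop from="1" to="6" index="i">
    <!--- SHA1PRNG gives a cryptographically strong source rather than the default RNG --->
    <cfset captchaText &= mid(alphabet, randRange(1, len(alphabet), "SHA1PRNG"), 1)>
</cfloop>
<cfset session.captchaText = captchaText>

<cfoutput>
<form method="post">
    <!--- With no destination, cfimage writes the captcha image straight into the page --->
    <cfimage action="captcha" text="#captchaText#" width="180" height="50" difficulty="medium">
    <input type="text" name="captchaAnswer" autocomplete="off">
    <input type="submit" value="Submit">
</form>
</cfoutput>
```

Nothing in the rendered HTML carries the answer, encrypted or otherwise, which is exactly what the hidden-field and encrypted-hidden-field designs get wrong; the one-time deletion is what stops the “read one image, replay the pair” attack the post describes.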

I came across a web hosting company that not only offers Railo 3.1 but has a free 60 day trial. So if you wanted to give Railo a whirl on something other than your own local machine, here is a simple way to do it. The free trial account comes with 100mb of space and 1GB of transfer, and a MySQL database so it seems pretty usable. You’ll have PHP and Ruby on Rails enabled in your account, too.

If you didn’t know, Railo has a separate Server administrator and one or more Web Administrators. This means Railo is ideally suited for CFML hosting since you get your very own administrator where you can setup datasources, mappings, etc.

The site is http://alurium.com

The Founder is Peter Amiri, here is his blog http://blog.amiri.net and on twitter: @peteramiri

Peter told me that you don’t need a credit card for the free trial, either.

If you’ve run into this error when consuming a web service in Open BlueDragon, this may help you. Here is what my error looked like:
Continue reading ‘java.lang.NoClassDefFoundError error on OpenBD when consuming a webservice’ »