ColdFusion Muse

The Boolean-O-Matic: ColdFusion's Weird Relationship With Truth

Hello muse readers. I apologize for my long hiatus (which means a stretch of time where I was absent - it's not a size joke). I have been swamped with closing out the old year and implementing plans for the new year. I'm afraid our little chats were put on the back burner temporarily. However, now that the new year has begun I am committed to continuing our friendship. I'd like to start out with something simple. Indeed, some of you may find this to be ColdFusion 101.

This post is going to discuss Boolean values. A Boolean is one of those datatypes more defined by how it is evaluated than by what it contains. The muse definition is that if something can return a "true" or "false" in the context of a logic statement (cfif) it is a Boolean. It may be other things as well, but it has the properties of a Boolean and returns one of 2 states - true or false. Interestingly, every language handles Booleans differently and many of them use the same wild west sort of approach that ColdFusion uses - where several kinds of values can be used as Booleans.

Even if you don't know it, you use Booleans every time you create a cfif statement. Still, it's surprising how many advanced developers do not fully grasp all the ways that ColdFusion has of evaluating something as True or False. And having said that I am fully aware that some smarty-pants developer will immediately inform me of some new way I haven't seen before of evaluating true or false (thank you sir, may I have another).

Anyway, I'd like to take a little journey into the world of Booleans to start off my 2010 blogging. Note: this post has a number of neat "tips and tricks" that you may not have seen before. Whether you choose to use them can depend greatly on your environment, the structure of your code and the standard you are using (especially in a team environment). I'm not advocating for or against, although I have my own preferences. I'm only putting it out there as another arrow in your quiver. So with that caveat taken care of, let's begin.

[More]

Blizzard Day 2

Well, only one brave soul (other than me) made it to the office today. That would be hardy stalwart and compadre Guy Rish. Everyone else is working from home. The final tally looks like 12 to 14 inches and the drive in was pretty daunting. Here are some photos of the final damage.

Here's what it looked like at the office driveway.

Near my local Starbucks

The parking lot.

My back and arms are killing me from shoveling (and I even had my 2 teenage sons to help - yikes I'm getting old).

Blizzard Day in Omaha

Every time someone hears I'm from Nebraska they ask about the cold and snow - followed by corn, cows, "do you have a Gap" and "how long before you get electricity and indoor plumbing". As I've documented here and elsewhere, Omaha has a thriving high-tech economy. Although I live within a few hundred feet of a corn field, I also live within a few miles of excellent shopping, theatre, music and the arts. Still, it actually does get cold and snowy in Nebraska. We are in the middle of a blizzard today.

9:00 a.m.

Here's what it looked like outside my office door at 9:00 this morning.

11:00 a.m.

And here's the progress after about 2 hours.

I'll post another update when it gets deeper. :)

Work for the Muse: Dec 09

I know there are those of you out there who are simply dying to come work for me. Here is your big chance. If you feel like you have what it takes to join our crack development team drop me your resume at jobs@cfwebtools.com. This is a full time position on site in Omaha NE (America's best kept secret). CF Webtools offers excellent pay and benefits and a great work environment. If you think you have what it takes, here is the job description. If you are a recruiter please don't call or send emails (please... I'm begging you).


CF Webtools is seeking a full-time, experienced Flex Developer. The candidate must be proficient in Flex 2.0 and familiar with calling ColdFusion CFCs; experience with the Cairngorm framework, Linux and Apache is a HUGE plus. This person needs to be able to work at the highest technical level of all phases of application analysis and design.

JOB REQUIREMENTS

  • 2-3 years experience with Flex 2.0
  • An eye for designing appealing pages that integrate seamlessly with the rest of the product.
  • Experience with MSSQL, MySQL or Oracle.
  • Bachelor's Degree or equivalent work experience
  • Understanding of and experience with UI architectures (e.g. Cairngorm)
  • Self motivated and manage own time/work
  • Excellent work ethic and a team player.
  • Comfortable multitasking, resolving competing priorities, and meeting project deadlines.
  • Excellent interpersonal communication skills and of exceptional character.
  • Decisive, action-oriented individual who learns quickly, works independently, and creates solutions.
  • Must be authorized to work in the United States on a full-time basis for any employer.

Wish List

  • Experience with Flex 3.0
  • Experience with ColdFusion a HUGE plus
  • Experience with Linux
  • Experience with Java or Flash
  • Experience with financial data is a bonus

Address Resolution, Networking, and Cfdocument

Among the things that can befuddle even experienced developers, domain resolution ranks up at the top. Usually this is because we don't spend a lot of time worrying about resolution on our desktop or laptop or iPhone. DNS is an extremely mature technology and for the most part it just works with few issues. When it comes to a server however, there are several things that can trip up resolution. Without an understanding of exactly what is going on under the hood, you will find yourself destroying yet another keyboard with the ball of your fist as you shout "why won't you just work!"

Domain resolution comes into play on most ColdFusion applications, even if you don't think so. Among other things, resolution is important for:

  • Data Sources - how do you connect to an external server?
  • Ecommerce - how do you connect to a Gateway?
  • Web Services - how do you create your stub class?

So let's take a short journey down this path and see if we can uncover some of the general principles that will help us troubleshoot domain resolution issues.

[More]

Broken Remote Desktop? Check Your Display Drivers

I confess I can't live without RDP (Remote Desktop Protocol). Coupled with a VPN it is an effective way to work from home on my high-powered office workstation. In fact, on a recent road trip to St. Louis while my wife was driving, I used my Verizon Blackberry tethered to a laptop to connect to my VPN and RDP to my desktop at work. I managed to handle email and write most of an 8-page document. Such things were not even possible 3 or 4 years ago. Telling this to my mom and dad makes them think I'm Captain Kirk (I keep telling them that Picard is better - Kirk's screens and dials were all analog). I prefer RDP to everything else I've tried - including LogMeIn, GoToMyPC, pcAnywhere and VNC.

Anyway, Nicole (our creative director) and I had a similar problem. Her RDP stopped working completely after a Windows update. For her, the login screen would not even appear - and no error either. It would just return to the host name box immediately. For me the login would appear and I would enter my password - but then the process would lock up and I would have to wait a few minutes for the whole thing to time out without ever successfully getting in.

Googling around I found that a lot of folks had problems like this and their solutions seemed to focus on display drivers (NVidia in particular). I have a 3 monitor setup and I use 2 NVidia cards - so this seemed likely to me. Checking with Nicole, she too was using NVidia drivers. To fix it, she downgraded her recent drivers one version. I took the opposite approach and simply "upgraded" my drivers to the next version - and that solved my issue.

When you think about it I suppose it makes sense that display drivers can cause RDP issues - since RDP renders the desktop for you. But it was not something on my radar. Now I have something to look for if it happens again.

Upload Problem Post-Mortem

We had a ticklish issue arise with a customer recently. We host an application for them that allows them to upload files. As they began to use the application more heavily they noticed that file uploads above a certain size were failing. The size was fairly modest. Uploads sized between 1 and 4 megs were simply timing out. We eventually came up with a solution, but not before some head scratching. Here is the play-by-play.

[More]

New Spam Bot Cracking Captcha Perhaps?

When I arrived at work this morning I found more than 280 spam links posted as comments to various entries on my blog. They were all for certain articles of clothing which shall remain nameless (but some of them are made for walking). Now occasionally, about 3 or 4 times a week, I'll see a single spammy comment posted and I just kill it - case closed. The Captcha keeps out most automated spam, so I figure any spam I get is individuals paid to laboriously post links. This seemed like more than that - both in volume and in the systematic way it was perpetrated. I will be keeping a close eye on it - but it makes me wonder if there is a bot out there that has cracked my captcha.

Meanwhile, my sincerest apologies to anyone subscribed to any post of mine who had to suffer through these emails. The Muse will do what he can to make sure it is not a common occurrence.

Google Wave: Real Testing Delayed by Marketing Ploy

I have been looking forward to Google Wave and I was excited to at last have my invite. I got signed up and imported my contact list and created a wave and then.... then.... well... in the words of the dinosaur in the animated movie Meet the Robinsons, "I've got tiny arms and a huge head... I'm not sure you thought this plan through very well." Ok, not the tiny arms part, but this whole invitation thing, while a neat way to create Internet buzz in the lightning-fast world of social media, doesn't really lend itself to useful testing - at least not for a company.

Sure, I'm seeing a few folks in my contact list who have a wave account. They are mostly tech savvy developers. I know I could create a wave and collaborate with them. But what I really need is to be able to roll my company developers and select customers into a wave for testing. I'm not trying to chat about the weather or review movies. If I want to waste time I can Facebook or Twitter. Instead I'm trying to see if the new wave paradigm can enhance my current project management processes (maybe even supersede some of them). I sent out a passel of invites but I've yet to have any of them approved. I guess until I get the right folks on the inside I will sit here and wave to myself. If I ever do get a legitimate test going - and more importantly if I can figure out how to tie Wave into my tracking and billing system - I will make sure and post a full report.

Certificate Renewal Follies in IIS 7

I have a few Win2008 servers under management and I had to renew a cert for one of them today. Now I confess this is the first time I had to do this particular task so there was some head scratching involved. I learned a number of things that might be of some use to you if you are up against this task. In this case I was renewing a Verisign cert. Here's what I learned.

[More]

Choices for Client Vars: Registry Bad, Datasource Good

Client Variables and the Registry

Ask any experienced ColdFusion troubleshooter and he will tell you the same thing, "Don't store client variables in the registry." In fact, when examining a sick server this is one of the first items I look at. If the customer says "It seems like the server stops about every hour" it's a safe bet that the default storage is set to Registry and the default purge interval has been left alone at 1 hour and 7 minutes (which is kind of an odd interval - probably some Adobe employee's anniversary in binary).

In many cases this is a "hidden" problem waiting to burst onto the scene and bite some poor site owner in his nether regions. The owner launches his or her site and begins to gather traffic with the default settings for client variables. By default ColdFusion stores 90 days worth of client variables in the Registry - so the site can actually perform well for a few months. But then, out of nowhere, the server starts to drag and even stop every hour or so. Under the hood the purge operation is starting to find client vars that are 90 days old or more and it is taking quite a long time to delete them. The OS sees the registry keys being deleted and (sometimes) attempts to shrink the registry size. This imposes a sort of "locking" on the registry where new keys are not being written - meaning requests are queuing and the server is slowing to a crawl. Now you might think that fixing this is as easy as switching from the registry to a datasource or cookie storage as the default, but there are some nuances to this fix that bear mentioning.

[More]

Pass the Smoked Salmon: Muse Meets Mayor

Last night my wife and I attended an early evening bash thrown by the local chamber of commerce. These shindigs are usually pretty good with door prizes and drinks and fancy-pants hors d'oeuvres. I was milling about feeling uncomfortable as I often do in a "non technology" crowd. I'm a talker by nature but in these crowds the conversation usually goes something like this:

  • Bob (who owns a car dealership): So what does your company do?
  • Muse: We are a web application development company specializing in complex applications.
  • Bob: Oh I see... you design web sites.
  • Muse: Well yes, but that's really a small part of what we do. We are really more on programming and problem solving side of the equation.
  • Bob (glibly moving on): Hey, you work with computers let me ask you something.
  • Muse (heart sinking): Ok
  • Bob: When I try to print sometimes I get this error. Why is that?
  • Muse (wishing a fight would break out and distract Bob): Well... (small sigh) ... I'm not sure. What does the error say?
  • Bob: I don't know I click OK and it goes away. But when I try to print again it comes back.
  • Muse: And what does it say the second time?
  • Bob (Unaware of the Pavlovian Cycle he is in): I don't know I click OK and it goes away. What do you think it means?
  • Muse: I'm afraid I have bad news. It might be time for a new printer.
  • Bob: Rats... I knew it.
  • Muse: Bob, let me ask you something... you work with cars right? I have this little chirping sound coming from the trunk of my 78 Nova every time I turn left on a Tuesday.... What do you think that means?
And on it goes. It's amazing how regular folks always boil down any technology job to "Oh... you work with computers" - by which they mean you tinker with hardware all day long. They automatically equate your skills to those of the local Best Buy Geek Squad. Not that there's anything wrong with being on the Geek Squad... some of my best friends are hardware people.

Anyway, yesterday I was sort of not in a mood to mingle. Ann and I were in a line for some little mini roast beef sandwiches (thank you Brandeis catering) and we were chatting to ourselves waiting for the door prize drawings. A man who was working the room came up to me and said, "How are you this evening?" I turned and said fine and shook his hand and said "I'm Mark Kruger". He shook my hand with a practiced grip and said, "Nice to meet you I'm Jim Suttle". I nodded and made a comment about the food and then turned away.

Something was tickling the back of my mind... nagging at me like bad mayonnaise in the back of the fridge. Finally I got it (Ann's poking me helped a little too). Jim Suttle is Omaha's new mayor. I turned back and said "I'm sorry I guess I didn't put two and two together. It's really nice to meet you Mr. Mayor." He laughed and I laughed and Ann laughed and the waiter (a charming fellow with half an ounce of gold in his mouth) laughed. I could think of little else to say other than "You are shorter in person than on TV" - which I thankfully kept to myself. Anyway, it was an awkward moment for me and funny for everyone else. Sometimes I wonder about the Muse... I have no lack of confidence yet I seem so inattentive at times. I wish I had brought my good friend Tom Long with me. He's got a sales radar like an Aegis cruiser. I bet he could have held the mayor's attention for 5 minutes or more. Anyway, now that the mayor and I are on speaking terms I'll have to invite him to one of my candlelight suppers.

Rebellious Database Programming

Muse Reader Brian Asks:
Do you know of any way to SQL inject the following if the backend is MSSQL Server

<cfquery ...>
select *
from table
where username = '#FORM.username#'
</cfquery>

Occasionally someone asks me this question about CFQUERYPARAM. "Must I use it here or there? In a boat? With a goat?" Yes Sam-I-Am you should make it a habit to use it everywhere. It should be a common part of your best practice guidelines. There are even reasons to use it that go beyond security. Do a quick search for CFQUERYPARAM on this blog and you will find all sorts of information about why to use it and the very rare exceptions (FYI in case you missed the tone here, there is rarely a good reason not to use it).

As for your specific question, I can think of no way to inject the query above. If you moved the query to a MySQL server you might run afoul of the alternate way of escaping single quotes, but on an MSSQL server the query above is safe as far as I know. Just remember, right now some clever hacker in Elbonia is experimenting with ancient character sets, time travel, and a dead cat which he swings over his head while chanting "...one ring to rule them all..." - all in an effort to try and crack into a query like the one above. So I reiterate, there is no way as far as I know. It's what I don't know that keeps me up at night. You really should just use the tag as a matter of course and stop looking for places to not use it. Let me illustrate with a little story my Dad used to tell me.
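The distinction the answer draws - a quote-escaped literal that happens to be safe on one backend versus a parameter that is safe on every backend - is easy to see in a few lines. The following is an added example, not code from the original post: it uses SQLite (which, like MSSQL, reads a doubled '' inside a string literal as a single quote) to mimic the quote doubling ColdFusion applies to variables interpolated into cfquery, and sets it beside a parameterized query of the kind CFQUERYPARAM produces. The table, the `cf_escape` helper and the sample usernames are all constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table for the demonstration (in-memory, throwaway)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def cf_escape(value):
    """Mimic ColdFusion's quote doubling for variables used inside cfquery.

    This is only correct for backends whose string-literal syntax treats ''
    as an escaped quote and has no other escape character (MSSQL, SQLite).
    A backend with a second escape mechanism, such as MySQL's backslash,
    is exactly the case the post warns about - which is why the parameterized
    form below is the one to standardize on.
    """
    return value.replace("'", "''")


def lookup_escaped(conn, username):
    """String-built query, the shape the reader's cfquery ends up with."""
    sql = "SELECT username FROM users WHERE username = '%s'" % cf_escape(username)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    """Parameterized query: the value never becomes part of the SQL text,
    so the backend's quoting rules are irrelevant (the CFQUERYPARAM approach)."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote must round-trip through both forms.
    print(lookup_escaped(db, "o'neil"))  # ["o'neil"]
    print(lookup_param(db, "o'neil"))    # ["o'neil"]
```

Both functions return the same rows for well-formed input; the difference is that `lookup_escaped` is only as safe as the escaping routine's assumptions about the backend, while `lookup_param` hands the value to the driver as data and never asks that question.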

[More]

Script Injection: File Upload Using a Subdomain

If you read my post on the script injection attack that has been going around you will note that I suggest four solutions or remedies to protect your server (upload off the web root, use cfcontent, disable script and execute permissions on certain directories, and remove superfluous handlers). A fifth solution was pointed out to me that is somewhat related to uploading off of the web root.

The idea would be to create a subdomain just for user resources. So, for example, you could have "www.ilovemoles.com" and "pics.ilovemoles.com". User uploads would go to the share for the "pics" subdomain and be served from there. You would still vet the content to make sure it was ok, but the "pics" domain would not allow ColdFusion (or PHP or ASP or any scripts or executables at all). I can see some issues that you might run into - chiefly that you are not really "securing" the content from unauthorized access. I believe that still makes it suitable for public resources, but not able to be fully integrated into an application without a lot of run around. Still it seems an elegant solution.

Script Injection Attack: Smoking Gun?

Many of you may know there is a web server attack going on in the wild that involves appending a JS script to all the htm, php, cfm, js, jsp files found on a server. If you are unfamiliar with this attack see some of my previous posts like this one for more of an explanation. While I have found the script that actually does this dirty deed and I have combated this issue on numerous servers by now, I have never really been confident that I have discovered where the attack actually begins (i.e. how this file gets on the server to begin with). Yesterday I was made aware of a technique that might be the smoking gun. It has been tested by some folks I trust and I want to give a full explanation here to assist all those Muse readers who battle the bad guys at the server level.

If you are a technician or network operations professional who is trying to scan your way out of this attack, I'm afraid you are probably out of luck (but keep reading anyway). This attack specifically targets application code - not just CF but ASP, JSP, PHP and any others. All of them can be subject to this problem because it has to do with insecure coding, not specific platform vulnerabilities. I would add that if you find your code vulnerable don't feel too bad. This exploit is clever enough to get by code that seems secure as we shall see. If you are a web developer of any stripe you should definitely read this post. The examples are in ColdFusion, but you will be able to extrapolate for your own language or technology pretty easily.
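The attack as described appends a script tag to the htm, php, cfm, js and jsp files on a server, which means the one thing a server-side defender can always check is whether those files still match a known-good baseline. The following is an added example, not code from the original post or from CF Webtools: it builds a SHA-256 manifest of the watched file types under a web root, reports files whose hash has changed since the baseline, and adds one content heuristic for the HTML-type files, a `<script>` tag that appears after the closing `</html>` tag, which no template legitimately emits. The web root, file contents and the appended tag in `demo()` are constructed in a temporary directory; the host name in the appended tag is a placeholder, not an indicator from any real incident.

```python
import hashlib
import os
import re
import tempfile

# File types the post says the attack appends its script to.
WEB_EXTENSIONS = (".htm", ".html", ".php", ".cfm", ".js", ".jsp")

# Heuristic: a <script> tag after the document's closing </html> tag.
TRAILING_SCRIPT = re.compile(r"</html>\s*<script\b", re.IGNORECASE)


def file_sha256(path):
    """Hash a file in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def web_files(root):
    """Yield (web-root-relative path, full path) for every watched file."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(WEB_EXTENSIONS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                yield rel, full


def build_manifest(root):
    """Baseline taken while the tree is known good: relative path -> sha256."""
    return {rel: file_sha256(full) for rel, full in web_files(root)}


def scan(root, manifest):
    """Report files that differ from the baseline (or are new) and files
    carrying a script tag after </html>."""
    changed, trailing = [], []
    for rel, full in web_files(root):
        if manifest.get(rel) != file_sha256(full):
            changed.append(rel)
        with open(full, "r", encoding="utf-8", errors="ignore") as fh:
            if TRAILING_SCRIPT.search(fh.read()):
                trailing.append(rel)
    return {"changed": sorted(changed), "trailing_script": sorted(trailing)}


def demo():
    """Constructed web root: baseline it, then append a tag to one page and rescan."""
    root = tempfile.mkdtemp()
    pages = {  # constructed sample content
        "index.htm": "<html><body>Hello</body></html>\n",
        "about.cfm": "<cfset x = 1><html><body>About</body></html>\n",
        "js/app.js": "function go() { return 1; }\n",
    }
    for rel, body in pages.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    manifest = build_manifest(root)

    # Reproduce the effect the post describes on one file; the host is a placeholder.
    with open(os.path.join(root, "index.htm"), "a", encoding="utf-8") as fh:
        fh.write('<script src="http://example.invalid/x.js"></script>\n')

    return scan(root, manifest)


if __name__ == "__main__":
    print(demo())  # {'changed': ['index.htm'], 'trailing_script': ['index.htm']}
```

In practice the manifest would be written to disk (or, better, somewhere the web server account cannot write) right after a deployment, and `scan` would run from cron; the hash comparison catches any change, including to .js files where the trailing-script heuristic does not apply, while the heuristic gives a quick first look at a tree that has no baseline yet.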

[More]





Blog provided and hosted by CF Webtools. Blog Software by Ray Camden.