Re: CFQueryParam and Unicode mixing

2010-07-25 Thread Paul Hastings

On 7/25/2010 4:53 AM, Igor Ilyinsky wrote:
>
> Someone correct me if I am wrong, but if you enable "non-latin" text
> for a datasource, cfqueryparam will treat ALL cf_sql_varchar data as
> unicode. Meaning there is no way to specify a non-unicode (ansi)
> string other than to NOT use cfqueryparam?

Depends on the db driver; as far as I can remember it's DataDirect's JDBC 
driver for SQL Server.

> I'm trying to weigh the value of enabling the "non-latin" option
> versus the "N" hinting, but I can't find a way to enter single-byte
> strings with cfqueryparam once the option is checked, and I think
> it's silly to sacrifice 50% of my storage space for this
> convenience.

That's not the issue; it's the hit the query takes converting non-unicode 
strings back & forth.

Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology-Michael-Dinowitz/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335710
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Downside of CFQueryParam and Unicode mixing

2010-07-25 Thread Dave Watts

> Someone correct me if I am wrong, but if you enable "non-latin" text for a 
> datasource, cfqueryparam will treat ALL
> cf_sql_varchar data as unicode. Meaning there is no way to specify a 
> non-unicode (ansi) string other than to NOT use
> cfqueryparam?

I believe this is correct. At least with MS SQL Server, I believe this
is correct. I don't know enough about other platforms to say.

> I'm trying to weigh the value of enabling the "non-latin" option versus the 
> "N" hinting, but I can't find a way to enter
> single-byte strings with cfqueryparam once the option is checked, and I think 
> it's silly to sacrifice 50% of my storage
> space for this convenience.

Storage space is cheap. That said, if you want to use Unicode in some
fields/tables but not others, you could simply create two separate
datasources, one with Unicode enabled and one without.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335709


Re: Form cleaner utility

2010-07-25 Thread Dave Watts

> I'm building a form cleaner utility method that might help thwart some XSS, 
> clean my fields up, etc.

One nice thing about CF is that you can implement existing Java
solutions. You can, for example, use Java servlet filters, which will
process incoming requests before CF does. Andrew Grosset just
suggested AntiSamy, which I haven't worked with, but I'd recommend
that over implementing your own solution.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335708


Re: Form cleaner utility

2010-07-25 Thread Dave Watts

> > Why not just use CFQUERYPARAM bound parameters in your SQL?
>
> In my case, I'm scrubbing the data. cfqueryparam doesn't do that.

Right. That was directed to Andrew. CFQUERYPARAM doesn't provide any
protection for XSS vulnerabilities.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
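To make the distinction concrete, here is an added example (not from Dave's post or from any project mentioned in the thread) with a hypothetical datasource "app", a hypothetical table comments(id, body), and form.body / url.id as the incoming values: cfqueryparam binds the value so it cannot alter the SQL, but the stored text is still whatever the user sent, so the XSS defence is encoding at the point of output. The encodeFor*() functions assumed here exist in ColdFusion 10 and later; on CF9 the closest built-in is HTMLEditFormat().

```cfml
<!--- Added example, not code from the thread. Assumes a datasource
      "app" and a table comments(id, body); both are hypothetical. --->

<!--- Write path: cfqueryparam binds form.body as a parameter, so quotes
      or SQL keywords inside it cannot change the statement itself. --->
<cfquery datasource="app">
    INSERT INTO comments (body)
    VALUES (<cfqueryparam value="#form.body#"
                          cfsqltype="cf_sql_varchar"
                          maxlength="2000">)
</cfquery>

<!--- The row now holds the raw text, markup included. Binding did
      nothing about that; it only kept the SQL statement intact. --->

<!--- Read path: the id is bound as well, then the body is encoded for
      whichever context it is rendered into. --->
<cfquery name="q" datasource="app">
    SELECT id, body
    FROM   comments
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput query="q">
    <!--- HTML body context: <, >, &, " and ' become entities --->
    <p>#encodeForHTML(q.body)#</p>

    <!--- Attribute and URL contexts each need their own encoder --->
    <a href="/comment.cfm?id=#encodeForURL(q.id)#"
       title="#encodeForHTMLAttribute(q.body)#">permalink</a>

    <!--- Script context: encodeForJavaScript, not encodeForHTML --->
    <script>var body = "#encodeForJavaScript(q.body)#";</script>
</cfoutput>
```

Scrubbing on input (what Will is building) can complement this, but output encoding is the control that actually decides whether stored text is interpreted as markup.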

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335707


Re: Adobe no longer part of the OpenCFML committee

2010-07-25 Thread Judah McAuley

Well, no, not at all. CF has been around for a rather long time and
never had a committee to define the language. The work of this
particular committee had some effect, helping make some changes late
in the CF9 development cycle and some changes in Railo and OpenBD I
believe, but by and large it just reverts back to the state things
were in a year or so ago. And that state was really quite good. I
mean, Adobe is hard at work on Coldfusion X, Railo will be releasing
3.2 soonish and has an awesome looking roadmap for 4.0. OpenBD has
released some cool new stuff recently and I'm sure has more planned.

The big promise of the committee effort was to try and make a smooth
roadmap for the core language so that things like a for-in loop over
an array worked the same in all cfml engines. And with Java 7 adding
in functional language support, I know that Railo will be adding
closures (and probably anonymous functions) and I'm sure that Adobe
and OpenBD will at some point as well. What would have been nice is if
the committee could have worked out an agreed upon syntax *before* the
launch of each supporting engine version so that it just worked. Now
it probably means that there will be a few more quirks and
inconsistencies between cfml engines.

Not the end of the world by any means, just makes it a little bit
harder for your average developer if you want to make things work
cleanly across cfml engines, kind of like when you are writing CSS and
Javascript that needs to support multiple browsers. Would it be
awesome if IE, Firefox, Chrome, Safari and Opera all got together and
made the basic stuff all work the same? Yes it would. But it doesn't,
though it has gradually gotten better as the language and the browsers
have matured. Same thing is/will likely be true with the various cfml
engines. Would be awesome if they worked together on the core
language, but if not, we'll live and figure it out and as they all
mature, the core language will mostly settle down in compatibility.

Cheers,
Judah

On Sat, Jul 24, 2010 at 11:06 AM, Arsalan Tariq Keen wrote:
>
> Does this mean CFML is or will be dying ?
>
> --
> From: "Mark Drew" 
> Sent: Friday, July 23, 2010 9:19 PM
> To: "cf-talk" 
> Subject: Re: Adobe no longer part of the OpenCFML committee
>
>>
>> Well, is Ben not part of it too?
>>
>> Just saying
>>
>> MD
>> On 23 Jul 2010, at 17:06, Cutter (ColdFusion) wrote:
>>
>>>
>>> http://www.adrocknaphobia.com/post.cfm/adobe-no-longer-part-of-opencfml
>>>
>>> Steve "Cutter" Blades
>>> Adobe Community Professional - ColdFusion
>>> Adobe Certified Professional
>>> Advanced Macromedia ColdFusion MX 7 Developer
>>>
>>> Co-Author of "Learning Ext JS"
>>> http://www.packtpub.com/learning-ext-js/book
>>> _
>>> http://blog.cutterscrossing.com
>>>
>>>
>>>
>>> Dan Baughman wrote:
 Is there an official adobe announcement that it pulled out?

 On Thu, Jul 22, 2010 at 5:10 PM, Sean Corfield
 wrote:


> On Thu, Jul 22, 2010 at 12:20 PM, Gerald Guido 
> wrote:
>
 Or support for Amazon Web services:  S3 (well before Adobe did),

>> My bad. Before I get a public tongue lashing...  I got Railo mixed up
>>
> with
>
>> OBD with the S3 support.
>>
> Yup, Railo introduced the concept of "resources" quite a long time ago
> (in Railo 2.0, back in 2007) that allows standard file tags to work
> with ram, S3, ZIP files, FTP sites and even database tables.
> --
> Sean A Corfield -- (904) 302-SEAN
> Railo Technologies, Inc. -- http://getrailo.com/
> An Architect's View -- http://corfield.org/
>
> "If you're not annoying somebody, you're not really alive."
> -- Margaret Atwo

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335706


Downside of CFQueryParam and Unicode mixing

2010-07-25 Thread cf-talk

Someone correct me if I am wrong, but if you enable "non-latin" text for a 
datasource, cfqueryparam will treat ALL cf_sql_varchar data as unicode. Meaning 
there is no way to specify a non-unicode (ansi) string other than to NOT use 
cfqueryparam?

I'm trying to weigh the value of enabling the "non-latin" option versus the "N" 
hinting, but I can't find a way to enter single-byte strings with cfqueryparam 
once the option is checked, and I think it's silly to sacrifice 50% of my 
storage space for this convenience.

-Igor

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335705


Re: Adobe no longer part of the OpenCFML committee

2010-07-25 Thread Mark Drew

Not at all. 


Mark Drew
Railo Technologies UK
Professional Open Source
skype:  mark_railo
email:  m...@getrailo.com
gtalk:  m...@getrailo.com
tel:+44 7971 85  22 96
web:http://www.getrailo.com

On 24 Jul 2010, at 19:06, Arsalan Tariq Keen wrote:

> 
> Does this mean CFML is or will be dying ?
> 
> --
> From: "Mark Drew" 
> Sent: Friday, July 23, 2010 9:19 PM
> To: "cf-talk" 
> Subject: Re: Adobe no longer part of the OpenCFML committee
> 
>> 
>> Well, is Ben not part of it too?
>> 
>> Just saying
>> 
>> MD
>> On 23 Jul 2010, at 17:06, Cutter (ColdFusion) wrote:
>> 
>>> 
>>> http://www.adrocknaphobia.com/post.cfm/adobe-no-longer-part-of-opencfml
>>> 
>>> Steve "Cutter" Blades
>>> Adobe Community Professional - ColdFusion
>>> Adobe Certified Professional
>>> Advanced Macromedia ColdFusion MX 7 Developer
>>> 
>>> Co-Author of "Learning Ext JS"
>>> http://www.packtpub.com/learning-ext-js/book
>>> _
>>> http://blog.cutterscrossing.com
>>> 
>>> 
>>> 
>>> Dan Baughman wrote:
 Is there an official adobe announcement that it pulled out?
 
 On Thu, Jul 22, 2010 at 5:10 PM, Sean Corfield 
 wrote:
 
 
> On Thu, Jul 22, 2010 at 12:20 PM, Gerald Guido 
> wrote:
> 
 Or support for Amazon Web services:  S3 (well before Adobe did),
 
>> My bad. Before I get a public tongue lashing...  I got Railo mixed up
>> 
> with
> 
>> OBD with the S3 support.
>> 
> Yup, Railo introduced the concept of "resources" quite a long time ago
> (in Railo 2.0, back in 2007) that allows standard file tags to work
> with ram, S3, ZIP files, FTP sites and even database tables.
> --
> Sean A Corfield -- (904) 302-SEAN
> Railo Technologies, Inc. -- http://getrailo.com/
> An Architect's View -- http://corfield.org/
> 
> "If you're not annoying somebody, you're not really alive."
> -- Margaret Atwo

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335704


CFQueryParam and Unicode mixing

2010-07-25 Thread Igor Ilyinsky

Someone correct me if I am wrong, but if you enable "non-latin" text for a 
datasource, cfqueryparam will treat ALL cf_sql_varchar data as unicode. Meaning 
there is no way to specify a non-unicode (ansi) string other than to NOT use 
cfqueryparam?

I'm trying to weigh the value of enabling the "non-latin" option versus the "N" 
hinting, but I can't find a way to enter single-byte strings with cfqueryparam 
once the option is checked, and I think it's silly to sacrifice 50% of my 
storage space for this convenience. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335703


Re: Form cleaner utility

2010-07-25 Thread Will Tomlinson

> 
> Why not just use CFQUERYPARAM bound parameters in your SQL?
> 

In my case, I'm scrubbing the data. cfqueryparam doesn't do that. 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335702


Re: Form cleaner utility

2010-07-25 Thread Andrew Grosset

Check out OWASP...here is a CF implementation:
http://blog.pengoworks.com/index.cfm/2008/1/3/Using-AntiSamy-to-protect-your-CFM-pages-from-XSS-hacks

or the tinyurl link:
http://tinyurl.com/yhl34tn

> I'm building a form cleaner utility method that might help thwart some 
> XSS, clean my fields up, etc. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335701

