RE: [ACFUG Discuss] portcullis update

2010-01-05 Thread Wes Byrd
Thanks Dean.  Yes, I have done much with firewalls and server modifications 
(such as disabling SSLv2 and weak ciphers) and even web application and 
database vulnerability defenses.  I've been able to pass all PCI Compliance 
scans for several hosted shopping carts but needed to address the WAP issue as 
it is now a requirement.

Thanks again.  I'll check into mod_security and F5 ASM.  

Wes

-Original Message-
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe
Sent: Tuesday, January 05, 2010 10:22 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] portcullis update

A WAF won't by itself help you pass PCI.  That said, mod_security and the F5 
ASM are good products.

-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by 
his fathers, but borrowed from his children."  -- John James Audubon




On Jan 5, 2010, at 6:58 PM, Wes Byrd wrote:

> John (and list),
> 
> I'm on the hunt for a good Web Application Firewall for PCI Compliance 
> purposes.  I've looked into Cisco ACE Web Application Firewall and a couple 
> others.  Do you have any recommendations?  Are there any software options 
> that will comply with the PCI Compliance guidelines (6 & 6.5) that would work 
> well rather than a dedicated device?
> 
> Wes
> w...@dynapp.com
> www.facebook.com/dynapp  
> 
> -Original Message-
> From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of John Mason
> Sent: Monday, January 04, 2010 6:02 PM
> To: discussion@acfug.org
> Subject: [ACFUG Discuss] portcullis update
> 
> I just released the 2.0 version of the Portcullis filter on 
> riaforge.org. You can download it at http://portcullis.riaforge.org. The 
> filter helps block and log sql injection and cross-site scripting (xss) 
> attacks. It's also going to be included in the 3.2 version of the 
> Model-Glue framework. I think most people are finally starting to use 
> cfqueryparam to help prevent sql injection, but many are still not doing 
> anything about xss. Portcullis takes maybe five minutes to install on 
> your site - so there's very little reason not to use it.
> 
> John
> ma...@fusionlink.com
> twitter: john_mason_
> 
> 
> 
> 
> -
> To unsubscribe from this list, manage your profile @ 
> http://www.acfug.org?fa=login.edituserform
> 
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -
> 
> 
> 
> 
> 
> 
> 
> 













Re: [ACFUG Discuss] portcullis update

2010-01-05 Thread Dean H. Saxe
A WAF won't by itself help you pass PCI.  That said, mod_security and the F5 
ASM are good products.

-dhs

--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by 
his fathers, but borrowed from his children."  -- John James Audubon




On Jan 5, 2010, at 6:58 PM, Wes Byrd wrote:

> John (and list),
> 
> I'm on the hunt for a good Web Application Firewall for PCI Compliance 
> purposes.  I've looked into Cisco ACE Web Application Firewall and a couple 
> others.  Do you have any recommendations?  Are there any software options 
> that will comply with the PCI Compliance guidelines (6 & 6.5) that would work 
> well rather than a dedicated device?
> 
> Wes
> w...@dynapp.com
> www.facebook.com/dynapp  
> 
> -Original Message-
> From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of John Mason
> Sent: Monday, January 04, 2010 6:02 PM
> To: discussion@acfug.org
> Subject: [ACFUG Discuss] portcullis update
> 
> I just released the 2.0 version of the Portcullis filter on 
> riaforge.org. You can download it at http://portcullis.riaforge.org. The 
> filter helps block and log sql injection and cross-site scripting (xss) 
> attacks. It's also going to be included in the 3.2 version of the 
> Model-Glue framework. I think most people are finally starting to use 
> cfqueryparam to help prevent sql injection, but many are still not doing 
> anything about xss. Portcullis takes maybe five minutes to install on 
> your site - so there's very little reason not to use it.
> 
> John
> ma...@fusionlink.com
> twitter: john_mason_
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 








RE: [ACFUG Discuss] portcullis update

2010-01-05 Thread Wes Byrd
John (and list),

I'm on the hunt for a good Web Application Firewall for PCI Compliance 
purposes.  I've looked into Cisco ACE Web Application Firewall and a couple 
others.  Do you have any recommendations?  Are there any software options that 
will comply with the PCI Compliance guidelines (6 & 6.5) that would work well 
rather than a dedicated device?

Wes
w...@dynapp.com
www.facebook.com/dynapp  

-Original Message-
From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of John Mason
Sent: Monday, January 04, 2010 6:02 PM
To: discussion@acfug.org
Subject: [ACFUG Discuss] portcullis update

I just released the 2.0 version of the Portcullis filter on 
riaforge.org. You can download it at http://portcullis.riaforge.org. The 
filter helps block and log sql injection and cross-site scripting (xss) 
attacks. It's also going to be included in the 3.2 version of the 
Model-Glue framework. I think most people are finally starting to use 
cfqueryparam to help prevent sql injection, but many are still not doing 
anything about xss. Portcullis takes maybe five minutes to install on 
your site - so there's very little reason not to use it.

John
ma...@fusionlink.com
twitter: john_mason_









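The two points in John's announcement above (cfqueryparam against SQL injection, and doing something about XSS on output) as an added CFML example; this is not Portcullis code nor anything posted in the thread, and the datasource name "mydsn", the "listings" table and its columns are made up:

```cfml
<!--- Added example, not from the original thread or Portcullis.
      Datasource "mydsn", table "listings" and its columns are constructed. --->

<!--- Declare and type-check the inputs this page accepts before using them. --->
<cfparam name="url.id" type="integer" default="0">
<cfparam name="url.q" type="string" default="">

<!--- BEFORE: the request value is concatenated straight into the SQL text,
      so whatever arrives in url.q is parsed by the database as part of the
      statement rather than as a search term. --->
<cfquery name="search" datasource="mydsn">
    SELECT id, title, body
    FROM listings
    WHERE title LIKE '%#url.q#%'
</cfquery>

<!--- AFTER: cfqueryparam sends the value as a bound parameter. The database
      receives it as data, never as SQL, and cfsqltype/maxlength reject values
      of the wrong type or size before the query runs (52 = 50 chars + the
      two wildcard characters). --->
<cfquery name="search" datasource="mydsn">
    SELECT id, title, body
    FROM listings
    WHERE title LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="52">
      AND id >= <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Output side (the XSS half): anything that originated from a user,
      including rows read back from the database, is HTML-encoded as it is
      written into the page, so stored markup renders as text instead of
      being interpreted by the browser. HTMLEditFormat() (CF8/9) encodes
      <, >, & and double quotes but NOT single quotes, so keep attribute
      values in double quotes as done here. --->
<cfoutput>
    <p>Results for "#HTMLEditFormat(url.q)#":</p>
    <cfloop query="search">
        <h2><a href="listing.cfm?id=#search.id#">#HTMLEditFormat(search.title)#</a></h2>
        <p>#HTMLEditFormat(search.body)#</p>
    </cfloop>
</cfoutput>
```

The filter-style approach John describes sits in front of pages like this one; it does not replace parameterized queries and output encoding in the page itself.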





Re: [ACFUG Discuss] Security Tests for ColdFusion site

2010-01-05 Thread Ajas Mohammed
Thanks Dean. As always, your input is much appreciated. :-)



http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention,
sincere effort, intelligent direction and skillful execution; it represents
the wise choice of many alternatives.


On Tue, Jan 5, 2010 at 6:27 PM, Dean H. Saxe wrote:

> I spent the past 5 years doing pen testing for a living and there are
> many, many companies out there performing this service.  You get what
> you pay for!  So ask yourself this question:  What do I want to know
> from a test?  Do you want to know what can be found by a machine
> running automated scans, which will likely miss things like
> authorization flaws and stored cross-site scripting (cheapest,
> includes a test of the server the code runs on)?  Do you want a human
> to test the site thoroughly, only finding what can be discovered
> remotely (mid-range, includes a test of the server the code runs on)?
> Do you want a code review to discover all code-level vulnerabilities
> and suggest fixes (most expensive, most detailed, lacks any review of
> server configuration)?  Also, why do you need a test?  If you are
> seeking PCI compliance, you need to find a vendor who can offer PCI
> specific services.
>
> For a reputable company to do a manual pen test, you can expect to pay
> $10 - $15k/week of testing.  Most small sites can be tested in a week,
> two tops.  Larger sites may require many weeks of assessment.  A code
> review will run you about the same, but the timeframes are longer.
> Figure 1 week for 10KLOC of code, 3 weeks for 50KLOC of code and
> beyond that expect a good vendor to want to do a threat model first so
> the code review can be more narrowly scoped.
>
> So who would I recommend to do your testing?  Here are some reputable
> companies that I would hire based on personal knowledge of their
> testing teams:
>
> Intrepidus Group
> Foundstone, A Division of McAfee
> VerSprite (a local ATL based company)
> WhiteHat (a SaaS model, not a one-time targeted test)
>
> I won't publicly state who I won't hire... but there are a lot of mom
> & pop type infosec shops out there that are not worth a damn.  There
> are a lot of consultancies that are large... but not very good.
>
> Hope this helps!
> -dhs
> --
> Dean H. Saxe
> "A true conservationist is a person who knows that the world is not
> given by his fathers, but borrowed from his children."  -- John James
> Audubon
>
>
>
> On Tue, Jan 5, 2010 at 1:35 PM, Ajas Mohammed  wrote:
> > Hi,
> >
> > I have heard of http://www.coresecurity.com/ who do security testing for
> > web applications etc. Does anyone know of this company or any similar
> > companies who do security/penetration tests for web applications. Needless
> > to say, our applications are CF based.
> >
> > Is there anything to worry about or to be aware of, since these people, if
> > hired, perform penetration testing on the production sites, which of course
> > would be on weekends.
> >
> > Thanks,
> >
> > 
> > http://ajashadi.blogspot.com
> > We cannot become what we need to be, remaining what we are.
> > No matter what, find a way. Because that's what winners do.
> > You can't improve what you don't measure.
> > Quality is never an accident; it is always the result of high intention,
> > sincere effort, intelligent direction and skillful execution; it
> > represents the wise choice of many alternatives.
> >
>
>
>
>
>
>


Re: [ACFUG Discuss] Security Tests for ColdFusion site

2010-01-05 Thread Dean H. Saxe
I spent the past 5 years doing pen testing for a living and there are
many, many companies out there performing this service.  You get what
you pay for!  So ask yourself this question:  What do I want to know
from a test?  Do you want to know what can be found by a machine
running automated scans, which will likely miss things like
authorization flaws and stored cross-site scripting (cheapest,
includes a test of the server the code runs on)?  Do you want a human
to test the site thoroughly, only finding what can be discovered
remotely (mid-range, includes a test of the server the code runs on)?
Do you want a code review to discover all code-level vulnerabilities
and suggest fixes (most expensive, most detailed, lacks any review of
server configuration)?  Also, why do you need a test?  If you are
seeking PCI compliance, you need to find a vendor who can offer PCI
specific services.

For a reputable company to do a manual pen test, you can expect to pay
$10 - $15k/week of testing.  Most small sites can be tested in a week,
two tops.  Larger sites may require many weeks of assessment.  A code
review will run you about the same, but the timeframes are longer.
Figure 1 week for 10KLOC of code, 3 weeks for 50KLOC of code and
beyond that expect a good vendor to want to do a threat model first so
the code review can be more narrowly scoped.

So who would I recommend to do your testing?  Here are some reputable
companies that I would hire based on personal knowledge of their
testing teams:

Intrepidus Group
Foundstone, A Division of McAfee
VerSprite (a local ATL based company)
WhiteHat (a SaaS model, not a one-time targeted test)

I won't publicly state who I won't hire... but there are a lot of mom
& pop type infosec shops out there that are not worth a damn.  There
are a lot of consultancies that are large... but not very good.

Hope this helps!
-dhs
--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children."  -- John James
Audubon



On Tue, Jan 5, 2010 at 1:35 PM, Ajas Mohammed  wrote:
> Hi,
>
> I have heard of http://www.coresecurity.com/ who do security testing for web
> applications etc. Does anyone know of this company or any similar companies
> who do security/penetration tests for web applications. Needless to say, our
> applications are CF based.
>
> Is there anything to worry about or to be aware of, since these people, if
> hired, perform penetration testing on the production sites, which of course
> would be on weekends.
>
> Thanks,
>
> 
> http://ajashadi.blogspot.com
> We cannot become what we need to be, remaining what we are.
> No matter what, find a way. Because that's what winners do.
> You can't improve what you don't measure.
> Quality is never an accident; it is always the result of high intention,
> sincere effort, intelligent direction and skillful execution; it represents
> the wise choice of many alternatives.
>







[ACFUG Discuss] Security Tests for ColdFusion site

2010-01-05 Thread Ajas Mohammed
Hi,

I have heard of http://www.coresecurity.com/ who do security testing for web
applications etc. Does anyone know of this company or any similar companies
who do security/penetration tests for web applications. Needless to say, our
applications are CF based.

Is there anything to worry about or to be aware of, since these people, if
hired, perform penetration testing on the production sites, which of course
would be on weekends.

Thanks,


http://ajashadi.blogspot.com
We cannot become what we need to be, remaining what we are.
No matter what, find a way. Because that's what winners do.
You can't improve what you don't measure.
Quality is never an accident; it is always the result of high intention,
sincere effort, intelligent direction and skillful execution; it represents
the wise choice of many alternatives.


Re: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread Derrick Peavy

Agree with Teddy that closing would be good.

Although (cringe) I don't. It's just not a habit I ever started. But I  
may change that.


As for "peeve" and all that - I was just ranting, really in response  
to other conversations. And yes, "peeve" is personal.


I think the discussion is good to have.

_
Derrick Peavy
derr...@derrickpeavy.com
404-786-5036

“Innovation distinguishes between a leader and a follower.” -Steve Jobs
_



On Jan 5, 2010, at 11:23 AM, Teddy R. Payne wrote:


I can remember something anal and small that irks me.

I am a big fan of closing tags and scoping variables.  I think it  
looks more neat and adheres to an XHTML type mind set.


Example:


This would ping my OCD part of brain and want to reach out and do:


I know the scope and the fact that the statement is concluded.  This  
obviously does not apply to custom tags unless you program your tags  
to respond to execution in the various states.  *IF* it did bother  
me, I would just not use the short notation and invoke it.


Oh!  I just thought of another, I like to initialize variables even  
though CF allows for dynamic creation of just about everything.  I  
like the "var" or "local" scopes.  I started way back when on the  
web in JS heavy shops and variable definition just carried over  
deeply from C and C++.


 or
 or

variables.foo = '';

... etc.  =)

Prevents all sorts of problems for me when I receive data and  
variables from unknown recipients.



My $0.02,
Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com



On Tue, Jan 5, 2010 at 11:04 AM, Teddy R. Payne wrote:
I agree that the amount of concurrent users and traffic do determine  
how much preparation, planning, and code design is necessary.  We  
can definitely run into "scope creep" or "analysis paralysis" over a  
simple problem.


Remember that "peeve" is a subjective and personal condition.  It  
does not mean that everyone should adopt or be concerned if their  
code irks someone from outside their organization or even their team.


What I read from Allen's comment was more of a "use the right tool  
for the right job."  If you return 100,000 records for 10-20 records  
at a time, I would agree that would not make sense network  
utilization wise.  A logical approach would be to return possibly a  
few pages before and after the current page, so you are returning  
30-50 records.


For smaller applications with 1000 records, this may not be a design  
approach or architectural consideration.  I would say though if you  
are comfortable that the size of the application will stay a given  
size, then you are perfectly fine.  If you have a small number of  
users now, but expect more later, I would say that planning now  
instead of responding to the performance issues later is always good  
advice.


As for the OO approach for queries, it depends if you used an ORM  
for your data access or if you are just using something as simple as  
a gateway.  A gateway being just a logically (domain) grouped custom  
query objects that a service can call to get custom (non-generic)  
data.


I like gateways myself if I have the ability to cache the gateway,  
so as not to instantiate the object frequently.  This, however, does  
not have anything to do with query caching.  You can still query  
cache inside of those gateway methods, use stored procedures, or  
cache stored procedures.


If I were to say that I have a "peeve", it would be to see code that  
implements a technique, design pattern, or functionality not to its  
full potential.  "Half cocked" would be what I would call this or as  
one of my online buddies would say "borked."


You can get into endless discussion about when to use a framework,  
design pattern, anti-pattern, ...etc.  I think the original intent  
of this email chain was more for identifying small little nit pick  
things for fun.



Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com




On Tue, Jan 5, 2010 at 8:25 AM, Derrick Peavy wrote:
(looking forward to being told how wrong I am here and being raked  
over the community coals for my heresy.)



Something that is clear from this thread - the needs of some types  
of apps are different than others. Size and business does dictate  
coding.


For someone at UPS or another large company, there are multiple  
issues defining code structure, techniques, etc., I would guess that  
at any large corp. the need to do something in a standard way far  
outweighs other issues. If you need to hire a developer, you need to  
be able to hunt for a specific skill set which is most commonly  
used. Ergo, matching your development to that makes sense. And yes,  
I do understand that it is also good practice in general and proper  
form, etc., etc.,


But I do believe that is actually the minority of cases. Places I  
recall off the top of my head that use CF in all of their app, or  
some CF in all or part of their large scale production app: Bank

Re: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread Teddy R. Payne
I can remember something anal and small that irks me.

I am a big fan of closing tags and scoping variables.  I think it looks more
neat and adheres to an XHTML type mind set.

Example:


This would ping my OCD part of brain and want to reach out and do:


I know the scope and the fact that the statement is concluded.  This
obviously does not apply to custom tags unless you program your tags to
respond to execution in the various states.  *IF* it did bother me, I would
just not use the short notation and invoke it.

Oh!  I just thought of another, I like to initialize variables even though
CF allows for dynamic creation of just about everything.  I like the "var"
or "local" scopes.  I started way back when on the web in JS heavy shops and
variable definition just carried over deeply from C and C++.

 or
 or

variables.foo = '';

... etc.  =)

Prevents all sorts of problems for me when I receive data and variables from
unknown recipients.


My $0.02,
Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com



On Tue, Jan 5, 2010 at 11:04 AM, Teddy R. Payne wrote:

> I agree that the amount of concurrent users and traffic do determine how
> much preparation, planning, and code design is necessary.  We can definitely
> run into "scope creep" or "analysis paralysis" over a simple problem.
>
> Remember that "peeve" is a subjective and personal condition.  It does not
> mean that everyone should adopt or be concerned if their code irks someone
> from outside their organization or even their team.
>
> What I read from Allen's comment was more of a "use the right tool for the
> right job."  If you return 100,000 records for 10-20 records at a time, I
> would agree that would not make sense network utilization wise.  A logical
> approach would be to return possibly a few pages before and after the
> current page, so you are returning 30-50 records.
>
> For smaller applications with 1000 records, this may not be a design
> approach or architectural consideration.  I would say though if you are
> comfortable that the size of the application will stay a given size, then
> you are perfectly fine.  If you have a small number of users now, but expect
> more later, I would say that planning now instead of responding to the
> performance issues later is always good advice.
>
> As for the OO approach for queries, it depends if you used an ORM for your
> data access or if you are just using something as simple as a gateway.  A
> gateway being just a logically (domain) grouped custom query objects that a
> service can call to get custom (non-generic) data.
>
> I like gateways myself if I have the ability to cache the gateway, so as
> not to instantiate the object frequently.  This, however, does not have
> anything to do with query caching.  You can still query cache inside of
> those gateway methods, use stored procedures, or cache stored procedures.
>
> If I were to say that I have a "peeve", it would be to see code that
> implements a technique, design pattern, or functionality not to its full
> potential.  "Half cocked" would be what I would call this or as one of my
> online buddies would say "borked."
>
> You can get into endless discussion about when to use a framework, design
> pattern, anti-pattern, ...etc.  I think the original intent of this email
> chain was more for identifying small little nit pick things for fun.
>
>
> Teddy R. Payne, ACCFD
> Google Talk - teddyrpa...@gmail.com
>
>
>
>
> On Tue, Jan 5, 2010 at 8:25 AM, Derrick Peavy wrote:
>
>> *(looking forward to being told how wrong I am here and being raked over
>> the community coals for my heresy.)*
>>
>>
>> Something that is clear from this thread - the needs of some types of apps
>> are different than others. Size and business does dictate coding.
>>
>> For someone at UPS or another large company, there are multiple issues
>> defining code structure, techniques, etc., I would guess that at any large
>> corp. the need to do something in a standard way far outweighs other issues.
>> If you need to hire a developer, you need to be able to hunt for a specific
>> skill set which is most commonly used. Ergo, matching your development to
>> that makes sense. And yes, I do understand that it is also good practice in
>> general and proper form, etc., etc.,
>>
>> But I do believe that is actually the minority of cases. Places I recall
>> off the top of my head that use CF in all of their app, or some CF in all or
>> part of their large scale production app: Bank of America, UPS, MySpace,
>> Nike (at one time). And I am sure there are others people can point out. All
>> of those should be using the latest, hottest framework, 100% CFC's, etc,
>> blah, blah.
>>
>> Then, there is the rest of us.
>>
>> Mostly small shops, small businesses, start ups or companies that are
>> never going to grow beyond 5-10 people and never more than 1-2 developers.
>> Should we hack things and forget rules, standards, good coding? No, of course
>> not. But there are other approaches to take

Re: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread Teddy R. Payne
I agree that the amount of concurrent users and traffic do determine how
much preparation, planning, and code design is necessary.  We can definitely
run into "scope creep" or "analysis paralysis" over a simple problem.

Remember that "peeve" is a subjective and personal condition.  It does not
mean that everyone should adopt or be concerned if their code irks someone
from outside their organization or even their team.

What I read from Allen's comment was more of a "use the right tool for the
right job."  If you return 100,000 records for 10-20 records at a time, I
would agree that would not make sense network utilization wise.  A logical
approach would be to return possibly a few pages before and after the
current page, so you are returning 30-50 records.

For smaller applications with 1000 records, this may not be a design approach
or architectural consideration.  I would say though if you are comfortable
that the size of the application will stay a given size, then you are
perfectly fine.  If you have a small number of users now, but expect more
later, I would say that planning now instead of responding to the
performance issues later is always good advice.

As for the OO approach for queries, it depends if you used an ORM for your
data access or if you are just using something as simple as a gateway.  A
gateway being just a logically (domain) grouped custom query objects that a
service can call to get custom (non-generic) data.

I like gateways myself if I have the ability to cache the gateway, so as not
to instantiate the object frequently.  This, however, does not have anything
to do with query caching.  You can still query cache inside of those gateway
methods, use stored procedures, or cache stored procedures.

If I were to say that I have a "peeve", it would be to see code that
implements a technique, design pattern, or functionality not to its full
potential.  "Half cocked" would be what I would call this or as one of my
online buddies would say "borked."

You can get into endless discussion about when to use a framework, design
pattern, anti-pattern, ...etc.  I think the original intent of this email
chain was more for identifying small little nit pick things for fun.


Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com



On Tue, Jan 5, 2010 at 8:25 AM, Derrick Peavy wrote:

> *(looking forward to being told how wrong I am here and being raked over
> the community coals for my heresy.)*
>
>
> Something that is clear from this thread - the needs of some types of apps
> are different than others. Size and business does dictate coding.
>
> For someone at UPS or another large company, there are multiple issues
> defining code structure, techniques, etc., I would guess that at any large
> corp. the need to do something in a standard way far outweighs other issues.
> If you need to hire a developer, you need to be able to hunt for a specific
> skill set which is most commonly used. Ergo, matching your development to
> that makes sense. And yes, I do understand that it is also good practice in
> general and proper form, etc., etc.,
>
> But I do believe that is actually the minority of cases. Places I recall
> off the top of my head that use CF in all of their app, or some CF in all or
> part of their large scale production app: Bank of America, UPS, MySpace,
> Nike (at one time). And I am sure there are others people can point out. All
> of those should be using the latest, hottest framework, 100% CFC's, etc,
> blah, blah.
>
> Then, there is the rest of us.
>
> Mostly small shops, small businesses, start ups or companies that are never
> going to grow beyond 5-10 people and never more than 1-2 developers. Should
> we hack things and forget rules, standards, good coding? No, of course not.
> But there are other approaches to take.
>
> In my app, CollegeClassifieds.com, as I said, I have four client vars, some
> standard app vars and the rest are session - that's just an example of the
> development approach - not something that is an issue here.  But yes - I DO
> mix queries and HTML in the same doc - proudly.  I don't use CFC's unless I
> have no choice or I use third party code, and guess what - in the entire
> site, there are maybe, maybe 5-10 queries that are used more than once. And
> I don't mean that I copy a query and make a slight change. No, I mean the
> data structure, the layout, the pathways on the app, the code, the business
> goals, align so that there is not redundant code or the need for it. If a
> query is used more than once in the same exact way without changes, then
> yes, I isolate it. But otherwise, no.
>
> Here is an example:
> This page - http://www.collegeclassifieds.com/
> This page - http://www.collegeclassifieds.com/georgia/
> This page - http://www.collegeclassifieds.com/kennesaw-state-university/
> This page -
> http://www.collegeclassifieds.com/georgia/kennesaw-state-university/jobs/
>
> Are all the same file.
>
> One file.
>
> That entire file, and all the views asso

RE: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread Shane Heasley
I'll make a short reply to Derrick's post as my posts usually seem to end up
in the bit bucket.
 
I like commenting, and CFC's, and I feel strongly about defining what the
objects are in the application and THEN building the DB and components.  I
vote for MVC every chance I get, but
 
Code is not art.  This is about money and what is best for the business
owner.  Some apps must be highly structured.  Other, smaller applications,
should probably be built using procedural code.  It depends on needed
scalability and how much maintenance is anticipated, how much money can be
spent up front etc.  
 
We all tend to code at our comfort level (and comment at our comfort level
also - if at all  - g).  Some of us get religious about certain coding
principles and cut off the heads of those that disagree.  What we all need
to do is strive to clearly communicate the options to the business owner and
then build what creates the most value for him or her.  That means we should
be comfortable and competent at all levels including the use of frameworks I
suppose which I have little experience with.
 
Shane Heasley
CTek-Media.com 



-
To unsubscribe from this list, manage your profile @ 
http://www.acfug.org?fa=login.edituserform

For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-



Re: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread Douglas Knudsen
one of my favs
http://www.cubicleman.com/2005/05/23/best-waste-of-code/
Use the API Luke!  Why I usually live in livedocs.adobe.com

DK

Douglas Knudsen
douglasknud...@gmail.com



On Jan 4, 2010, at 3:23 PM, Cameron Childress wrote:

> Since the topic of the next ACFUG meeting is how NOT to code CF, I'd be 
> interested in seeing some examples from people on the list of code that you 
> frequently see.  Also - why is it wrong?  Does it present a security or 
> performance problem?  Is it a big time no-no or is it just a minor thing or 
> maybe annoying (or hard to read) syntax?
> 
> This may provide John with some good fodder for his presentation as well...
> 
> Of course, there are exceptions where almost anything is appropriate, 
> however...
> 
> I'll mention one I see ALL THE TIME - enabling both client and session 
> variables in the Application.cfc|cfm when only one is being used.  Can become 
> a serious performance issue under load.  I guess along with this is actually 
> using BOTH session and client variables in the same application.
> 
> Also, using lists where you should be using an array, struct, or other faster 
> mechanism.  The longer lists get in CF, the slower they get.  I have seen 
> lists with 1,000 or so items totally choke under load.  This can show up in 
> unexpected places too like listFind(valueList(query.column), myValue).
> 
> What are some of your pet peeves and examples of downright bad code?
> 
> -Cameron
> 
> -- 
> Cameron Childress
> Sumo Consulting Inc
> http://www.sumoc.com
> ---
> cell:  678.637.5072
> aim:   cameroncf
> email: camer...@gmail.com
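Cameron's `listFind(valueList(query.column), myValue)` point, as an added CFML example that is not code from the thread. The 1,000-row `ids` query and the `id` column are constructed here so the snippet runs on its own; in practice they would come from a `cfquery`.

```cfml
<!--- Added example, not code from the thread. The 1,000-row "ids" query is constructed
      here so the snippet runs stand-alone; in practice it would come from a cfquery. --->
<cfset ids = queryNew("id", "integer")>
<cfloop from="1" to="1000" index="i">
    <cfset queryAddRow(ids)>
    <cfset querySetCell(ids, "id", i)>
</cfloop>
<cfset wanted = 742>

<!--- The pattern Cameron describes: valueList() rebuilds a 1,000-element comma list on
      every call, and listFind() then walks it from the start. Inside a loop or on a
      busy page that is O(n) string work per lookup, and it grows with the result set. --->
<cfset slowHit = listFind(valueList(ids.id), wanted) GT 0>

<!--- Struct-keyed lookup: pay the O(n) cost once to build the index, then every
      membership test is a hash lookup no matter how many ids there are. --->
<cfset idIndex = structNew()>
<cfloop query="ids">
    <cfset idIndex[ids.id] = true>
</cfloop>
<cfset fastHit = structKeyExists(idIndex, wanted)>

<cfoutput>list: #slowHit# struct: #fastHit#</cfoutput>
```

Both flags come out true; the difference is cost under load, which is the concern Cameron raises. Build the struct once per request (or cache it alongside the query) rather than inside the loop that tests membership, or the rebuild cost cancels the gain.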



Re: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread Derrick Peavy
(looking forward to being told how wrong I am here and being raked  
over the community coals for my heresy.)



Something that is clear from this thread - the needs of some types of  
apps are different than others. Size and business does dictate coding.


For someone at UPS or another large company, there are multiple issues  
defining code structure, techniques, etc., I would guess that at any  
large corp. the need to do something in a standard way far outweighs  
other issues. If you need to hire a developer, you need to be able to  
hunt for a specific skill set which is most commonly used. Ergo,  
matching your development to that makes sense. And yes, I do  
understand that it is also good practice in general and proper form,  
etc., etc.,


But I do believe that is actually the minority of cases. Places I  
recall off the top of my head that use CF in all of their app, or some  
CF in all or part of their large scale production app: Bank of  
America, UPS, MySpace, Nike (at one time). And I am sure there are  
others people can point out. All of those should be using the latest,  
hottest framework, 100% CFC's, etc, blah, blah.


Then, there is the rest of us.

Mostly small shops, small businesses, start ups or companies that are  
never going to grow beyond 5-10 people and never more than 1-2  
developers. Should we hack things and forget rules, standards, good  
coding. No of course not. But there are other approaches to take.


In my app, CollegeClassifieds.com, as I said, I have four client vars,  
some standard app vars and the rest are session - that's just an  
example of the development approach - not something that is an issue  
here.  But yes - I DO mix queries and HTML in the same doc - proudly.   
I don't use CFC's unless I have no choice or I use third party code,  
and guess what - in the entire site, there are maybe, maybe 5-10  
queries that are used more than once. And I don't mean that I copy a  
query and make a slight change. No, I mean the data structure, the  
layout, the pathways on the app, the code, the business goals, align  
so that there is not redundant code or the need for it. If a query is  
used more than once in the same exact way without changes, then yes, I  
isolate it. But otherwise, no.


Here is an example:
This page - http://www.collegeclassifieds.com/
This page - http://www.collegeclassifieds.com/georgia/
This page - http://www.collegeclassifieds.com/kennesaw-state-university/
This page - 
http://www.collegeclassifieds.com/georgia/kennesaw-state-university/jobs/

Are all the same file.

One file.

That entire file, and all the views associated with it are done with  
just 8 queries - all very different queries that are never used, never  
going to be used, anywhere else in the app.  All very fast queries.  
All very simple queries with not more than one join per query because  
someone actually took the time to frickin' think about the data,  
the business and the code as being one.   But that's the advantage  
that a small business has. The person doing the code and the business  
goals can be one and the same, or 2 or 3 people who can actually  
communicate, take their time to build the right tools for the job and  
not hack something.


In real terms - maintainability, extensibility, troubleshooting, this  
makes life very, very easy. Need to fix a problem - you have one file  
to look at - ONE! And I don't mean it's 5,000 lines. Usually, it's a  
couple hundred, if that. In many cases, less than 100, 33 are empty  
lines, 33 are comments, and 33 are actual code (simplifying here).


If I need to change the sign in form, the contact form, an about page,  
pretty much any page view / screen, I have one file and one file only  
to examine. One file to break. One security issue. One concern.  And  
if I die, then I know that the least capable CF developer in the world  
can pick up my code and go forward. That is worth a lot.


Question - how many people on this list have an app that gets 100k  
page views/loads/crawls in a single 24 hour period on a regular basis?


I'll go further out on a limb here and say that if a CF developer gets  
his or her "panties" in a wad over CF and HTML in the same page, or  
they "just don't 'get' HTML," then they need to "get" out. Period.


I've done Fusebox for years before this, I've looked at other  
frameworks and guess what - even when working for others, very rarely  
was a query actually used in the same form in more than one place. Too  
often the query was isolated through a call (CFC), with 5, 10, 20  
parameters that could be passed to the query from 10, 20, 40 different  
screens/sections in the app. Which means when the next person  
comes in to the development team, they have to learn all of those  
aspects of the app before making one single change. The time, effort  
and complexity involved in doing that - all in the name of "reusable  
code", "extensible code" or som

RE: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

2010-01-05 Thread axunderwood
My biggest pet peeve:
CFQueries inline in a CF template.  I'm not a stickler for complete object 
oriented or "you have to do things exactly a particular way"...that being said, 
I have two reasons why I like to see cfqueries or cfstoredproc calls in a cfc 
or a cfm template that can be called as a cfmodule:

1. You know where to look for the code - if you do it in a cfc, you can have 
all your data access calls in one place that is easy to find in various methods
2. If you're writing a query to be used on a page somewhere, chances are, 
you'll need that same query again somewhere else - this doesn't always stand 
true, but 9 times out of 10, you use the same general queries for multiple 
areas on a site.

My second biggest pet peeve:
Looping over a query just to query x number of times again.  This is probably 
the thing that I see beginners do the most, probably because they just don't 
understand how to write a query to retrieve all the data at once.  For 
instance, someone might want to see their top 100 customers' orders... a lot of 
times you'll see someone write  a query to retrieve their customers, and then 
loop over that query and then query to get the orders (so basically 101 queries 
to the db)...in reality, all they had to do was a query from the customer table 
left joining the order table in one query, and then looping over the results 
with a group by.

The last one I can think of this early:
Using CF as your paging repository for large datasets...this is probably the 
fault of many a book and message board out there, and probably just having the 
feature available in CF makes it too easy to pass up for most.  But, the 
ability to query a db, retrieve 100,000 records, and then just use records 
10-20 or something like that.  I hate seeing that.  The amount of network 
bandwidth being utilized, the memory being wasted, the processing required from 
cf, etc.  It's just a horrible thing to use.  I cringe every time I see 
it...and if I have my hands in it...I change it immediately to do a db 
implementation to just retrieve the rows needed.


From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Derrick Peavy
Sent: Monday, January 04, 2010 9:07 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] Examples of How NOT to Code in ColdFusion?

_
Derrick Peavy
derr...@derrickpeavy.com
404-786-5036

"Innovation distinguishes between a leader and a follower." -Steve Jobs
_



On Jan 4, 2010, at 7:12 PM, Cameron Childress wrote:

On Mon, Jan 4, 2010 at 5:18 PM, Derrick Peavy <derr...@derrickpeavy.com> wrote:
So, five session vars, numeric in value, less than four digits (or single
char values), along with multiple client vars of less than 4 digit numeric
values or single chars - you're saying that's a huge eff'n no??
I ask because at even 10,000 page views a day, I see no performance hit at
all. But then, maybe if I change it according to some rule, I would see
average CPU loads of 0.004 instead of 0.04??

Well, considering the relatively low load, and low number of
variables, I don't know that it would have a significant impact in
your case.

Like I said, there are always exceptions.  Nine times out of ten,
however, when I see both client vars and session vars both enabled in
an application, it's for no good reason at all.

What's on your list of no-no's?

-Cameron

--
Cameron Childress
Sumo Consulting Inc
http://www.sumoc.com
---
cell:  678.637.5072
aim:   cameroncf
email: camer...@gmail.com
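axunderwood's second and third pet peeves (the N+1 customer/orders loop, and paging 100,000 rows in CF instead of in the database), as an added CFML example that is not code from the post. It assumes a datasource named `appDSN`, hypothetical tables `customers(id, name, lifetime_value)` and `orders(id, customer_id, total, placed_on)`, and MySQL-style `LIMIT`/`OFFSET`; other engines need their own paging syntax. Every user-supplied value goes through `cfqueryparam`, which is also the thread's SQL injection defence.

```cfml
<!--- Added example, not code from the post. Datasource "appDSN", the two tables and
      their columns are hypothetical; the SQL paging syntax is MySQL's LIMIT/OFFSET. --->

<!--- Anti-pattern from the post: one query for the customers, then one more per
      customer inside the loop, so 100 customers cost 101 round trips. --->
<cfquery name="topCustomers" datasource="appDSN">
    SELECT id, name FROM customers ORDER BY lifetime_value DESC LIMIT 100
</cfquery>
<cfloop query="topCustomers">
    <cfquery name="ordersForOne" datasource="appDSN">
        SELECT id, total, placed_on FROM orders
        WHERE customer_id = <cfqueryparam value="#topCustomers.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <!--- ... render ordersForOne for this customer ... --->
</cfloop>

<!--- Replacement: one round trip. The LEFT JOIN keeps customers with no orders, and
      the ORDER BY keeps each customer's rows contiguous, which cfoutput group needs. --->
<cfquery name="customerOrders" datasource="appDSN">
    SELECT c.id AS customer_id, c.name, c.lifetime_value,
           o.id AS order_id, o.total, o.placed_on
    FROM (SELECT id, name, lifetime_value FROM customers
          ORDER BY lifetime_value DESC LIMIT 100) c
    LEFT JOIN orders o ON o.customer_id = c.id
    ORDER BY c.lifetime_value DESC, c.id, o.placed_on DESC
</cfquery>

<!--- The "group by" the post describes: the outer block runs once per customer, the
      nested cfoutput once per order row. A NULL order_id means the customer has none. --->
<cfoutput query="customerOrders" group="customer_id">
    <h3>#name#</h3>
    <ul>
    <cfoutput>
        <cfif len(order_id)>
            <li>#order_id#: #total# (#dateFormat(placed_on, "yyyy-mm-dd")#)</li>
        </cfif>
    </cfoutput>
    </ul>
</cfoutput>

<!--- Paging: ask the database for one page instead of pulling the whole table into CF
      and slicing it with startRow/maxRows. The page number is validated as an integer,
      clamped to 1 or more, and bound as a parameter so it cannot alter the SQL. --->
<cfparam name="url.page" default="1" type="integer">
<cfset pageSize = 10>
<cfset pageNum = max(val(url.page), 1)>
<cfset rowOffset = (pageNum - 1) * pageSize>
<cfquery name="orderPage" datasource="appDSN">
    SELECT id, customer_id, total, placed_on
    FROM orders
    ORDER BY placed_on DESC, id DESC
    LIMIT <cfqueryparam value="#pageSize#" cfsqltype="cf_sql_integer">
    OFFSET <cfqueryparam value="#rowOffset#" cfsqltype="cf_sql_integer">
</cfquery>
```

The two fixes share a design choice: move the work to the database, which is indexed for it, and hand CF only the rows the page will actually render. That trims the bandwidth, heap and CPU the post complains about, and the parameterised page number keeps the paging URL from becoming an injection point.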

