Entries for month: October 2009

Learning PHP: Where's the security?

PHP, Web Development

A couple of things have struck me so far as I have been trying out basic tasks in PHP to get a feel for how they work. One immediate concern I have right now is database security in PHP.

The first red flag I have is PHP's insistence that you type in a username and password for the database user in the clear in your database connection code. To me this is just asking for potential trouble. Let's toss out this scenario - disgruntled PHP developer gets the boot. You now have to go and change the database username and/or password on the server in order to make sure things are secure, because that coder has the information he or she needs to get in and screw with the database, not just via PHP code, but with any client tool (assuming they have access inside your network, and let's be honest rarely is there a time when a disgruntled employee isn't that way while still being employed). Even if you code smart and just include your database connection strings in a function so you only have to make the change in one place, it's still a change that shouldn't have to be made.

Compare this to CF, which sets the database access information in the datasource creation in the CF admin. This allows a lot more internal security, as the only people that really need to know that access information are the DBA and the CF administrator (in many cases I imagine this may be the same person). The point is that you can really compartmentalize this information a lot better in CF than you can in PHP. The developers need only know the datasource name; nothing about usernames or passwords is passed along in that. In the case of the disgruntled employee, their access to the database comes in a totally separate login that can be more quickly locked down without affecting other accounts and applications, should you need to do so.

The other thing that so far has struck me (and I am sure that this is a pure lack of PHP knowledge on my part, but...) is that there does not seem to be a PHP answer to CFQUERYPARAM in terms of speed and simplicity for locking down your SQL queries from injection attacks. It looks like I need to dig into the mysqli() functions from what I can tell, but they don't seem as clean as CFQUERYPARAM is. File this one not so much under "PHP can't do this", but under the growing list of "PHP takes a lot longer to do this than CF".

Thoughts are appreciated on how or why this impression is incorrect.
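As an added example (not code from the original post), this is how the two concerns above are commonly handled in PHP using PDO: the database credentials are read from a file outside the web root (or from environment variables set by the service manager), so the developer checking in code never sees them, and the query values are bound as parameters, which is the role CFQUERYPARAM plays in CF. The config path, the environment variable names, the DSN and the `users` table are assumptions for the illustration.

```php
<?php
// Added example, not from the original post. Assumes a MySQL `users` table with
// `id` and `email` columns, and a config file /etc/myapp/db.ini that lives
// outside the web root, is owned by the sysadmin/DBA and is readable only by
// the web server account. Example contents:
//   dsn = "mysql:host=127.0.0.1;dbname=myapp;charset=utf8mb4"
//   user = "myapp_web"
//   password = "..."

function db_connect($configPath = '/etc/myapp/db.ini')
{
    // Environment variables (set by the service manager, not by the coder)
    // win over the file, so the same code runs unchanged in every environment.
    $cfg = parse_ini_file($configPath);
    if ($cfg === false) {
        throw new RuntimeException("cannot read database config at $configPath");
    }
    $user = getenv('DB_USER') ?: $cfg['user'];
    $pass = getenv('DB_PASSWORD') ?: $cfg['password'];

    return new PDO($cfg['dsn'], $user, $pass, array(
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ));
}

// Vulnerable form: the value is spliced into the SQL text. An input such as
//   x' OR '1'='1
// turns the WHERE clause into a tautology and returns every row.
function find_user_unsafe(PDO $db, $email)
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll();
}

// Hardened form: the statement is prepared once with a placeholder and the
// value is sent separately as data, so quotes or keywords in it are never
// parsed as SQL. This is the PDO counterpart of CFQUERYPARAM.
function find_user_safe(PDO $db, $email)
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

$db = db_connect();
var_dump(find_user_safe($db, "x' OR '1'='1")); // empty result, not the whole table
```

Rotating the password after a departure then means editing one file the developers could never read, and restarting the web server; no PHP source changes and no code deploy.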

Better Late than Never: CF8 Certification

ColdFusion

In keeping with a time-honored tradition of mine, I finally got around to getting my certification for ColdFusion 8 just as ColdFusion 9 comes out. I did this for CF5 and CFMX7 as well. Mainly this is for me to check that box off my to-do list, but it's also a resume padder for my employer to use on proposals.

I admittedly did very little studying for this exam relative to what I've done in the past, and as a result I did not hit the 80% score needed to get Advanced Developer status. I got a 79%, which I guess means I'm the best of the rest or something like that. But this exam, unlike the other ones I've taken, spent a lot more time on some real niche areas of CF that I personally haven't used too much.

That being said, for those that do want certifications in CF, I highly recommend using CentraSoft's CF Exam Buster software. I've used it as my sole training tool in addition to my years of experience, and I think it's the best. Just next time, I'll use it for more than 2 days in advance of the CF9 exam...

Railo vs. CF: is open-source a better option?

Railo, ColdFusion, Web Development

I recently made a switch in my hosting CFML server. All my sites on Viviotech (including this blog) are now running off of the Railo v3.1.1 CFML server. Railo is one of the two main open-source alternatives to Adobe's ColdFusion, and by all accounts that I can find, the far more stable and advanced one.

The move is primarily because of budgetary concerns, and there have been some tradeoffs involved. Railo v3.1 does not contain all the capabilities that ColdFusion 8 does. What it is missing, though, are not tags and functions I find myself using a lot, if ever. In fact, when I tested all my sites on Railo to see how they'd work, the only tag I found missing was the CFTEXTAREA tag. Why that one is not part of the current set I don't really understand, but I have faith that they'll add it in someday, and that's really more of an inconvenience than anything else.

That being said, the one aspect Railo is missing is an answer to the CFREPORT tag, and that alone is why I could never recommend it to my day job as an option (even with PHP looming and the high licensing costs of CF as one of the main arguments the PHP people seem to have as reason to force a CF to PHP switch). We have one major site that uses CFREPORT, and reports created through the CF Report Builder program, heavily. In talking with some of the Railo folks, I have learned that they don't have it high on their list of missing features to incorporate; not many people use it, it seems.

I'm excited about the prospects of open-source CFML; it will potentially open a lot of doors for CF coders to push their favorite web development language to new clients if the large costs of CF licenses are no longer an issue. And the Railo team has some heavy hitters in the CF community supporting it, which bodes well for its future in keeping up with what Adobe is offering. Even if the end result is nothing more than forcing Adobe to lower its prices in the wake of competition, that's a win in itself.

What I Learned Today: How to run CF7, CF8, and CF9 at the same time

What I Learned Today, ColdFusion, Web Development

This is the first post in a series I will call "What I Learned Today". While this post focuses on tech, expect this series to contain lessons learned from all parts of my life.

With my recent issues regarding getting CF8 installed, I decided to learn how to run CF in a multi-server mode using JRun4 to manage it. The goal for me was to have CF7 and CF8 running on my Macbook concurrently and natively. The reason for this is that the production environment for my day job is a CF7 (Unix)/SQL Server (Windows) environment. I work full-time from home, and have a local development environment here so I do not need to work over Citrix remote access all day and be bogged down by the oft-times slow network there. Therefore, I need to mimic that environment so I can code with the rest of my team and keep the same environment variables. Up until now, the way I did it was to rely heavily on VMware Fusion and have two separate virtual machines running at the same time, since I never could get CF7 to install and run correctly natively on OS X. This was a huge memory hog, and often I would be pushing my 4GB of memory to the limit. Knocking out one of the VMs would help me greatly.

Through the aid of the House of Fusion folks, I came across a blog post that described how one person used multi-server mode to do exactly this. I combined the knowledge there with this page from Adobe on how to deploy CF9 as an EAR file, and I had my solution. Using Apache for my web server (I use MAMP Pro for super easy creation of multiple virtual hosts) I will have different CF servers running for different virtual domains.

So, here is how I did it all. I won't steal from the blog posts I reference, I will note where I got the steps from though. These directions assume you are using OS X, modify as needed for Windows or Unix.

  1. Uninstall all CF server instances from OS X.
  2. Reboot (force of habit, might not be needed but better to be safe).
  3. Choose which version will be your most often used version of CF. For me it is CF8. This drives the rest of my instructions, change yours accordingly.
  4. Install CF8 as a multi-server installation. This will install JRun4 as well. *
  5. Run the ColdFusionLauncher application from the /Applications/JRun4 directory.
  6. Start the admin server and CF8 server (if not running).
  7. Open Terminal, and connect to the JRun web server configuration tool with the following command
    [code]java -jar /Applications/JRun4/lib/wsconfig.jar[/code]
  8. Connect to your Apache server of choice.
    1. Select the CF8 server from the JRun server list.
    2. Enter the directory containing your httpd.conf file in the configuration directory field.
    3. Check the configure web server for coldfusion applications check box.
    4. Click on the Advanced button
    5. Ignore the top three check boxes
    6. Enter the location of the httpd binary in the server binary field.
    7. Enter the location of the apachectl binary in the server control script field.
    8. Click OK to close the window.
    9. Click OK to commit the settings.
  9. Make sure Apache and the CF8 server are running, then run the CF8 administrator setup at http://localhost/CFIDE/administrator/. If this runs correctly, you have CF8 and JRun installed properly!

The next steps are to be done for each other version of CF you want to have running.

  1. Run the installer for CF, and choose to create the J2EE files. Choose EAR as the file type. I changed the "cfusion" value in the context root option in the installer to "/".
  2. Find the location of the cfusion.ear file the installer created.
  3. Go to your /Applications/JRun4/servers directory in finder. Create a new subdirectory called "cf[enter your version number here]".
  4. Go to the JRun admin console web page (http://localhost:8000/) and create a new server named the same as the new directory name.
  5. Delete the default-ear directory from the new directory.
  6. Copy the cfusion.ear file to that new directory.
  7. Expand the EAR file according to the steps in the Adobe page I referenced.
  8. Go back to the JRun admin console, and choose the CF server.
  9. Start the server in JRun, it should do initial setup for you.
  10. To hook into Apache, make sure that the ProxyService is running. By default it is not. It is found under Services/Active Web Servers. Keep the JRun web server running; you need it for CF administrator access.
  11. Use the blog post I referenced to hook this CF server directly to the virtual hosts in Apache that you want to use it.
  12. Connect to the CF administrator using the JRun web server and the port it defined for you. This will allow CF to finish its initial setup.
  13. Configure CF, and away you go!
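As an added illustration (not from this post or the blog entry it references), this is the shape of the Apache configuration the last few steps produce once more than one JRun server is in play: the connector that wsconfig.jar wrote is left alone, and each virtual host that should be served by a different CF version gets its own JRunConfig Bootstrap line pointing at that server's ProxyService port. The host names, document roots and port numbers here are assumptions; read the real proxy port of each server from its ProxyService entry in the JRun admin console.

```apache
# Added example, not from the original post. Assumes mod_jrun22 was loaded by
# wsconfig.jar at the default path, that the hosts cf8.local and cf7.local
# resolve to 127.0.0.1 (e.g. via /etc/hosts), and that the JRun servers'
# ProxyService ports are 51011 (cf8) and 51020 (cf7). Check yours in the
# JRun admin console before copying these numbers.

# Connector settings as written by wsconfig.jar for the CF8 server (step 8).
LoadModule jrun_module /Applications/JRun4/lib/wsconfig/1/mod_jrun22.so
<IfModule mod_jrun22.c>
    JRunConfig Serverstore /Applications/JRun4/lib/wsconfig/1/jrunserver.store
    JRunConfig Bootstrap 127.0.0.1:51011
    AddHandler jrun-handler .jsp .jws .cfm .cfml .cfc .cfr .cfswf
</IfModule>

# Default: this host uses the global Bootstrap above, i.e. the CF8 server.
<VirtualHost *:80>
    ServerName cf8.local
    DocumentRoot "/Users/me/Sites/cf8"
</VirtualHost>

# Override: route only this host to the cf7 JRun server's ProxyService.
<VirtualHost *:80>
    ServerName cf7.local
    DocumentRoot "/Users/me/Sites/cf7"
    JRunConfig Bootstrap 127.0.0.1:51020
</VirtualHost>
```

One caveat for a laptop that leaves the house: every one of these CF administrators is also reachable directly on its JRun web server port (the 8xxx ports the console assigned), so either bind those listeners to 127.0.0.1 or firewall them, and do not rely on Apache alone to gate /CFIDE/administrator/.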


Hey Adobe, what the hell?

ColdFusion

Reading the tea leaves, it looks like I may have need to code with both ColdFusion 8 and the newly-released ColdFusion 9. My sites run on CF8, but it looks like ED may be upgrading to CF9 - especially after I relayed my issues in this entry to them.

So I want to have both servers installed, obviously, for when I need each. ColdFusion allows this through its multi-server configuration using JRun4. I had CF8 installed as a standalone server, which was going to have to be undone in order to get this multi-server configuration going. So I go ahead and uninstall CF8, and I decided that I first wanted CF8 set back up, since that is the version my sites currently use. I thought I had a copy of the CF8 installer saved, but upon trying to install it, it bombed, stating that it was the 64-bit OS X version, and I can only use the 32-bit version since while OS X can run some 64-bit applications "natively", the OS itself is only 32-bit still.

I head over to Adobe's site to get another copy of CF8 32-bit for OS X, a free download that is easy to get, or at least used to be. None of the CF8 application server download links are there anymore. Everything is CF9. I checked the places where they store older versions, but nothing could be found. I even tried a back door that works for CFMX7 still, and modified it for CF8 in every way I can think of, still nothing. What the hell?

So I do a bit of Googling, and come across this Adobe Forums thread. Seems they are doing everything possible to steer people away from CF8 and to CF9. Oh, you could get CF8, but you have to fork over cash up front for it now, it seems. Never mind that it is the exact same installer file they will give you that, with a simple tick of a check box, becomes the free Developer Edition that we can no longer download.

Are you kidding me? What kind of backwards customer service is that? Not everyone is ready to jump to the latest x.0 release of software (which I am sure has no bugs in it still, right?), Adobe.

UPDATE: Thanks to a very kind poster on the Adobe Forums who happened to have a copy, I now have CF8 back and running. Woo hoo! Also, I have been informed by some people more in the know than I am that Adobe is aware of this issue, and expect they will correct it.

Powered by Mango Blog. Design and Icons by N.Design Studio