Feed: ColdFusion Muse


I confess I can't live without RDP (Remote Desktop Protocol). Coupled with a VPN it is an effective way to work from home on my high powered office workstation. In fact, on a recent road trip to St. Louis while my wife was driving, I used my Verizon Blackberry tethered to a laptop to connect to my VPN and RDP to my desktop at work. I managed to handle email and write most of an 8 page document. Such things were not even possible 3 or 4 years ago. Telling this to my mom and dad makes them think I'm Captain Kirk (I keep telling them that Picard is better - Kirk's screens and dials were all analog). I prefer RDP to everything else I've tried - including log me in, go to my pc, pcanywhere and VNC.

Anyway, Nicole (our creative director) and I had a similar problem. Her RDP stopped working completely after a Windows update. For her, the login screen would not even appear - and no error either. It would just return to the host name box immediately. For me the login would appear and I would enter my password to log in - but then the process would lock up and I would have to wait a few minutes for the whole thing to time out without ever successfully getting in.

Googling around I found that a lot of folks had problems like this and their solutions seem to focus on display drivers (NVidia in particular). I have a 3 monitor setup and I use 2 NVidia cards - so this seemed likely to me. Checking with Nicole she too was using Nvidia drivers. To fix it, she downgraded her recent drivers one version. I took the opposite approach and simply "upgraded" my drivers to the next version - and that solved my issue.

When you think about it I suppose it makes sense that display drivers can cause RDP issues - since RDP renders the desktop for you. But it was not something on my radar. Now I have something to look for if it happens again.



Date Published: Nov 17, 2009 - 9:53 am

We had a ticklish issue arise with a customer recently. We host an application for them that allows them to upload files. As they began to use the application more heavily they noticed that file uploads above a certain size were failing. The size was fairly modest. Uploads sized between 1 and 4 megs were simply timing out. We eventually came up with a solution, but not before some head scratching. Here is the play-by-play.

[More]

Date Published: Nov 16, 2009 - 1:07 pm

When I arrived at work this morning I found more than 280 spam links posted as comments to various entries on my blog. They were all for certain articles of clothing which shall remain nameless (but some of them are made for walking). Now occasionally, about 3 or 4 times a week, I'll see a single spammy comment posted and I just kill it - case closed. The Captcha keeps out most automated spam, so I figure any spam I get is individuals paid to laboriously post links. This seemed like more than that - both in volume and in the systematic way it was perpetrated. I will be keeping a close eye on it - but it makes me wonder if there is a bot out there that has cracked my captcha.

Meanwhile, my sincerest apologies to anyone subscribed to any post of mine who had to suffer through these emails. The Muse will do what he can to make sure it is not a common occurrence.



Date Published: Nov 16, 2009 - 8:58 am

I have been looking forward to Google Wave and I was excited to at last have my invite. I got signed up and imported my contact list and created a wave and then.... then.... well... in the words of the dinosaur in the animated movie Meet the Robinsons, "I've got tiny arms and a huge head... I'm not sure you thought this plan through very well." Ok, not the tiny arms part, but this whole invitation thing, while a neat way to create Internet buzz in the lightning world of social media, doesn't really lend itself to useful testing - at least not for a company.

Sure, I'm seeing a few folks in my contact list who have a wave account. They are mostly tech savvy developers. I know I could create a wave and collaborate with them. But what I really need is to be able to roll my company developers and select customers into a wave for testing. I'm not trying to chat about the weather or review movies. If I want to waste time I can Facebook or Twitter. Instead I'm trying to see if the new wave paradigm can enhance my current project management processes (maybe even supersede some of them). I sent out a passel of invites but I've yet to have any of them approved. I guess until I get the right folks on the inside I will sit here and wave to myself. If I ever do get a legitimate test going - and more importantly if I can figure out how to tie Wave into my tracking and billing system - I will make sure and post a full report.



Date Published: Nov 03, 2009 - 4:30 pm

I have a few Win2008 servers under management and I had to renew a cert for one of them today. Now I confess this is the first time I had to do this particular task so there was some head scratching involved. I learned a number of things that might be of some use to you if you are up against this task. In this case I was renewing a Verisign cert. Here's what I learned.

[More]

Date Published: Nov 02, 2009 - 11:16 am

Client Variables and the Registry

Ask any experienced ColdFusion troubleshooter and he will tell you the same thing, "Don't store client variables in the registry." In fact, when examining a sick server this is one of the first items I look at. If the customer says "It seems like the server stops about every hour" it's a safe bet that the default storage is set to Registry and the default purge interval has been left alone at 1 hour and 7 minutes (which is kind of an odd interval - probably some Adobe employee's anniversary in binary).

In many cases this is a "hidden" problem waiting to burst onto the scene and bite some poor site owner in his nether regions. The owner launches his or her site and begins to gather traffic with the default settings for client variables. By default ColdFusion stores 90 days worth of client variables in the Registry - so the site can actually perform well for a few months. But then, out of nowhere, the server starts to drag and even stop every hour or so. Under the hood the purge operation is starting to find client vars that are 90 days old or more and it is taking quite a long time to delete them. The OS sees the registry keys being deleted and (sometimes) attempts to shrink the registry size. This effects a sort of "locking" on the registry where new keys are not being written - meaning requests are queuing and the server is slowing to a crawl. Now you might think that fixing this is as easy as switching from the registry to a datasource or cookie storage as the default, but there are some nuances to this fix that bear mentioning.

[More]

Date Published: Oct 27, 2009 - 12:58 pm

Last night my wife and I attended an early evening bash thrown by the local chamber of commerce. These shindigs are usually pretty good with door prizes and drinks and fancy-pants hors d'oeuvres. I was milling about feeling uncomfortable as I often do in a "non technology" crowd. I'm a talker by nature but in these crowds the conversation usually goes something like this:

  • Bob (who owns a car dealership): So what does your company do?
  • Muse: We are a web application development company specializing in complex applications.
  • Bob: Oh I see... you design web sites.
  • Muse: Well yes, but that's really a small part of what we do. We are really more on the programming and problem solving side of the equation.
  • Bob (glibly moving on): Hey, you work with computers let me ask you something.
  • Muse (heart sinking): Ok
  • Bob: When I try to print sometimes I get this error. Why is that?
  • Muse (wishing a fight would break out and distract Bob): Well... (small sigh) ... I'm not sure. What does the error say?
  • Bob: I don't know I click OK and it goes away. But when I try to print again it comes back.
  • Muse: And what does it say the second time?
  • Bob (Unaware of the Pavlovian Cycle he is in): I don't know I click OK and it goes away. What do you think it means?
  • Muse: I'm afraid I have bad news. It might be time for a new printer.
  • Bob: Rats... I knew it.
  • Muse: Bob, let me ask you something... you work with cars right? I have this little chirping sound coming from the trunk of my 78 Nova every time I turn left on a Tuesday.... What do you think that means?
And on it goes. It's amazing how regular folks always boil down any technology job to "Oh... you work with computers" - by which they mean you tinker with hardware all day long. They automatically equate your skills to that of the local Best Buy Geek Squad. Not that there's anything wrong with being on the geek squad... some of my best friends are hardware people.

Anyway, yesterday I was sort of not in a mood to mingle. Ann and I were in a line for some little mini roast beef sandwiches (thank you Brandeis catering) and we were chatting to ourselves waiting for the door prize drawings. A man who was working the room came up to me and said, "How are you this evening?" I turned and said fine and shook his hand and said "I'm Mark Kruger". He shook my hand with a practiced grip and said, "Nice to meet you I'm Jim Suttle". I nodded and made a comment about the food and then turned away.

Something was tickling the back of my mind... nagging at me like bad mayonnaise in the back of the fridge. Finally I got it (Ann's poking me helped a little too). Jim Suttle is Omaha's new mayor. I turned back and said "I'm sorry I guess I didn't put two and two together. It's really nice to meet you Mr. Mayor." He laughed and I laughed and Ann laughed and the waiter (a charming fellow with half an ounce of gold in his mouth) laughed. I could think of little else to say other than "You are shorter in person than on TV" - which I thankfully kept to myself. Anyway, it was an awkward moment for me and funny for everyone else. Sometimes I wonder about the Muse... I have no lack of confidence yet I seem so inattentive at times. I wish I had brought my good friend Tom Long with me. He's got a sales radar like an Aegis cruiser. I bet he could have held the mayor's attention for 5 minutes or more. Anyway, now that the mayor and I are on speaking terms I'll have to invite him to one of my candlelight suppers.



Date Published: Sep 25, 2009 - 1:20 pm

Muse Reader Brian Asks:
Do you know of any way to SQL inject the following if the backend is MSSQL Server:
select * from table where username = '#FORM.username#'

Occasionally someone asks me this question about CFQUERYPARAM. "Must I use it here or there? In a boat? With a goat?" Yes Sam-I-Am you should make it a habit to use it everywhere. It should be a common part of your best practice guidelines. There are even reasons to use it that go beyond security. Do a quick search for CFQUERYPARAM on this blog and you will find all sorts of information about why to use it and the very rare exceptions (FYI in case you missed the tone here, there is rarely a good reason not to use it).

As for your specific question, I can think of no way to inject the query above. If you moved the query to a MySQL server you might run afoul of the alternate way of escaping single quotes, but on an MSSQL server the query above is safe as far as I know. Just remember, right now some clever hacker in Elbonia is experimenting with ancient character sets, time travel, and a dead cat which he swings over his head while chanting "...one ring to rule them all..." - all in an effort to try and crack into a query like the one above. So I reiterate, there is no way as far as I know. It's what I don't know that keeps me up at night. You really should just use the tag as a matter of course and stop looking for places to not use it. Let me illustrate with a little story my Dad used to tell me.

[More]

Date Published: Sep 22, 2009 - 10:37 am

If you read my post on the script injection attack that has been going around you will note that I suggest four solutions or remedies to protect your server (upload off the web root, use cfcontent, disable script and execute permissions on certain directories, and remove superfluous handlers). A fifth solution was pointed out to me that is somewhat related to uploading off of the web root.

The idea would be to create a subdomain just for user resources. So, for example, you could have "www.ilovemoles.com" and "pics.ilovemoles.com". User uploads would go to the share for the "pics" subdomain and be served from there. You would still vet the content to make sure it was ok, but the "pics" domain would not allow ColdFusion (or PHP or ASP or any scripts or executables at all). I can see some issues that you might run into - chiefly that you are not really "securing" the content from unauthorized access. I believe that still makes it suitable for public resources, but not able to be fully integrated into an application without a lot of run around. Still it seems an elegant solution.



Date Published: Sep 21, 2009 - 10:12 am


Date Published: Sep 18, 2009 - 1:07 pm

I like to say Omaha is a great place to live but you wouldn't want to visit there. Unless you are a College World Series fan or a Berkshire Hathaway shareholder there is little reason to choose Omaha as a destination for a vacation (or... let's be honest... even a weekend). Someday it might be known as the home of the Muse but for now it remains a hidden gem on the prairie. Folks around here are mighty friendly (if I could channel Buddy Ebsen for a moment). In contrast folks in truly recognizable "big" cities (NY, LA, Chicago et al) have a reputation for... well, let's just say impatience. I go most days in Omaha without ever hearing a horn honk, but it's hard to go a few minutes without hearing a horn in NY or Boston. I used to think this impatient, slightly rude state of mind was simply cultural, but my recent trip to the big city changed my mind.

[More]

Date Published: Sep 17, 2009 - 4:19 pm

I stumbled across this typewritten letter on the documents page of famed computer scientist Edsger W. Dijkstra. The letter, written in 1965 is a basic request for a quote for a "general purpose digital computer" for the Technological University at Eindhoven (in the Netherlands). What is notable is the specifications and price:

  • Number System - binary, not decimal. Hmmmm... Remember when base 10 systems were around? I don't.
  • Memory - (quoting here) "A random access memory with a capacity of say, one or two million bits". Two million bits would be 250,000 bytes and according to this handy calculator that puts RAM somewhere in the 256k range (on the high end). Someone shout out if I got the math wrong.
  • Backing Store - Discs or Drums. (quoting again) "We think that a capacity of 20 million bits would be sufficient." That sounds like about 2.5 megabytes - or .002 percent of a 1 GB USB key (do they make those any more?).
  • Input Mechanism - paper tape reader.
Other comments of note:
  • "We are not very attracted to punched cards." - I don't know of anyone who is, but there are crazy people out there on the Internet these days.
  • "If you have noisy line printers and silent line printers we should prefer the silent ones."
  • (regarding speed) "If a full length multiplication takes 10 mmsec it is fine; if it takes 25 mmsec we think it would be fine also. ...the difference hardly matters when in practice the machine spends eighty percent of its time winding and rewinding tapes!"

The Price

In 1965, what is the expected price of a machine as quoted above with less power than the music player in those annoying musical Hallmark cards? Dr. Dijkstra indicates to his prospective vendors:

"A million dollars is the upper limit. One or two years after the delivery we might be able to spend a quarter of a million to extend the installation if desired"

Isn't it amazing how far we have come? Here's a shout out to Dijkstra and all the other largely unheralded pioneers who slogged in the trenches so we can have I-phones, Macs, Netbooks and PCs today. Thanks guys! (We'll talk to you later about those musical cards - talk about the law of unexpected consequences...).



Date Published: Sep 16, 2009 - 2:26 pm

Here's an interesting problem we had to solve recently. A customer came to us with a suite of ecommerce sites on a single server. The sites were set structurally with a core set of code that supported all the sites and then individual templates that handled the layout and design. This is actually pretty common. The folder structure allowed for site specific stuff to go in the site folder while all the common stuff (everything but specific images and layout stuff) went into the site folders.

The application file specific to each site set up the variables needed for that site, then all of the heavy lifting code was called from the "core" folder using includes, custom tags or CFCs. The idea here is to be able to affect the application code of all 50 sites on the server with a single deployment. This is an idea I endorse although there are other ways of doing it. For the scope of this suite of sites it seemed an acceptable solution.

The problem came when we wanted to run code directly from outside the application (meaning the core) without first running it through the application.

[More]

Date Published: Sep 16, 2009 - 12:15 pm

As we have discussed in our earlier posts on the Business of Web Development, inexperienced customers (ones who have never done an IT project) are often surprised at the cost associated with a project. This is partially the result of the reputation that the web has for being cheap. Customers look at services like godaddy.com for example, and they see that they can register and host a site for the cost of skipping a couple of frappuccinos a month. While this is true, it is really not the same as professional design and development services and high performing, scalable, redundant, mission critical hosting services.

In fact, if I could digress to hosting for a moment, customers often fail to see the cost benefit of a more complete "managed" hosting setup. They spend thousands on development and then try to save a few hundred dollars a year on hosting. Having settled on hosting "on the cheap" they often have to pay someone a high hourly rate to do things like troubleshoot an underperforming server or handle DNS settings or figure out their mail services for them, or (worst of all) alter their code to conform to a changing server environment - like when a host recently disabled createobject() on a server causing an application to fail for someone who is now our customer. Any savings they might have gained is eaten up in support costs and they are actually losing money on the deal. In the words of Jesus they "strain out a gnat and swallow a camel" (email me if you don't know exactly what that means - I'll enlighten you).

Of course when it comes to development costs there are other things that mystify customers. As we have discussed before, customers often only account for the visual "up-front" items of a web application. They see forms, lists, charts and displays when the reality is that the bulk of the work on many complicated projects goes into coding, revisions, Q/A and Project Management. Here are a few fallacies that range from the hare-brained to flights of fancy:

[More]

Date Published: Sep 10, 2009 - 1:56 pm

I apologize to regular Muse readers for taking a short sentimental journey. You might want a tissue. Oh... if you don't understand the title I added a note at the end of this post.

Life is change and change is hard. My daughter Jasmine moved into Creighton University on Saturday. Creighton is right here in Omaha - 15 minutes from my house. Yet even though we picked her up and took her to church with us yesterday I still feel a yawning hole in my heart. It is unlike summer camp or band trips or even the time she went to Nicaragua. Nothing will ever really be the same for my wife and me from this moment on. We are officially embarking on our empty nest (one down, two to go).

As for Jasmine, she is the epitome of what a daughter should be. She is smart - I mean really scary smart as in the Nobel Prize committee should be checking up on her. She is sharp and witty too. She is nerdy just like her father and brothers. She is a caring and positive young woman with a natural energy and warmth so like her mother. In 18 years she has never given me cause to fear her judgment. She never used the air bags on the car. She never earned less than an A. She never broke curfew. She has never been sent to the principal's office. She has chosen her friends wisely. She has never failed to live up to and exceed our expectations. This is not the hyperbole of a doting father. It is the truth with my hand up. If she could learn to clean out her car and straighten her room I'd say she was perfect.

So here's to you Jasmine. I hope your college experience is everything you want it to be and more. I hope you find a passion for something that energizes you for the rest of your life. I hope your mind expands and opens to new and dizzying heights. I hope you find friends and companions who love and accept you and encourage you like you encourage others. Most of all I hope and pray that you will continue to grow in grace and wisdom as you embark on this new season of life. Meanwhile, hang in there and remember, the kettle is always on for you at home. I'm up for baking you a pie and the boys are always ready to bake cookies :). See you on Sunday.

FYI for Muse readers: The title is a line by Mushu, the little dragon played by Eddie Murphy in the Disney movie "Mulan". It is one line of many from various movies that are repeated around the Kruger household - to the chagrin of Mrs. Kruger I might add. Now back to our regularly scheduled technical programming.



Date Published: Aug 24, 2009 - 2:58 pm