Microsoft Access – Random Identity Seeds and @@Identity

So I discovered a few things with Microsoft Access recently. It’s not my database of choice, but it’s very easy in my current work environment to use it effectively – and effectiveness is always the key. So we have been discussing more and better ways to implement security. One of the ways to do this is to change how the ID for a record is created. Access provides a way to use GUIDs for the AutoNumber column of your choice, but they’re very cumbersome – especially if you’re going to be passing them around in a secure app environment as a URL string. I know, URL Strings aren’t the best, but they’re fast. That references back to the same thing as effectiveness in my book! Well I didn’t like the way they looked so I changed back to a Number format and started getting very odd results for the AutoNumber. Very long integers as well as negatives and they were no longer sequential. That’ll teach me not to click on the “New Values” option of my AutoNumber fields. There’s an option there to change them to “Random” from “Increment”. This will help by providing a minor bit of security where users before might have been able to change the URL ID and change what record they were looking at.

The next problem this created for me was in the way I normally had been grabbing the newly created records in my Access tables. I guess it’s pretty standard for most people to do something along these lines when creating and inserting values into your access tables:

1
2
3
4
5
6
7
8
9
10

<cfquery name="test1" datasource="source1">
     INSERT INTO Table (datacol)
     VALUES ("datapiece");
</cfquery>
 
<cfquery name="getID" datasource="source1">
    SELECT MAX(ID) as MaxID FROM Table
</cfquery>
 
<cfset myID = getID.MaxID />

Well this didn’t work anymore with the Random seed for the AutoNumber. The max was no longer the last one inserted. It led to quite a bit of hair pulling on my part – and that’s an accomplishment when you’re bald. So I had heard from a co-worker that @@Identity did in fact work in Access. I hadn’t spent much time looking into it – being as I had a solution that worked (Max(id)) and I prefer to work in SQL Server or MySQL. But now I was presented with a need to figure it out. A few minutes of Googling led me to this article by Charlie Arehart from 2002(!) I was a little surprised to see it had been working for this long. So now I do my access inserts like this:

1
2
3
4
5
6
7
8
9
10
11
12

<cftransaction>
      <cfquery name="test1" datasource="source1">
             INSERT INTO Table (datacol)
             VALUES ("datapiece");
      </cfquery>
 
      <cfquery name="getID" datasource="source1">
             SELECT @@IDENTITY as MaxID;
      </cfquery>	
 
      <cfset myID = getID.MaxID />
</cftransaction>

And everything works out just fine. The keys are the CFTransaction tag and using two separate CFQuery tags. Now to go revamp a whole section of code to use this little tidbit!

PCI Compliance and Portcullis

So we’ve been doing a little bit of PCI Compliance work here at the office. One of the things that we found that really helped us out was a program called Portcullis – http://www.codfusion.com/blog/post.cfm/portcullis-cfc-filter-to-protect-against-sql-injection-and-xss. I suppose it’s not a full program, but a CFC to assist in how you do your security. We used it to help secure a site and meet our requirements. Much less expensive than some of the other web application firewalls out there, since it’s free

Guest Post: cftransaction & multiple datasources

I ran across an interesting error today regarding cftransactions and multiple cfqueries inside of them.
The resulting error was

The root cause was that: java.sql.SQLException: Datasource names for all the database tags within CFTRANSACTION must be the same.

This seems pretty straightforward, until you start digging into the problem, and become led down a few wrongs paths courtesy of google serving up results that aren’t entirely true.
One of the discussions I found was an adobe tech note, which I discovered via a link from a post by Ben Nadal.  In this tech note, the solution was to simply replace all cfexit tags, with a cfabort.

Simple, yes, except that I had NO cfexit tags within my cftry/cftransaction statement, they were already cfaborts!

Further investigation revealed that you simply cannot have multiple datasource names withing a cftransaction.

Now, with no actual documentation on the subject, and not actually knowing what spell coldfusion is uttering while it waves its wand over its magic hat, I cannot give a ‘good’ reason as to why.  All I know is the problem was fixed once I removed the offending query to outside the cftransaction.

In order to duplicate the desired effect, you will have to keep track of the transactions, and rollback/commit based on the prior cftransaction attempts, which is a discussion for another post.

-Dave

Guest Post: structDeleteAt() doesn’t play nice with webservice returns

Sooner or later, we all experience it.  The chill runs down our spines, and we stare at the computer screen, not knowing whether to cry or curse at the cryptic error that rears its ugly head and laughs at us.

What I’m referring to is, of course, coldFusion deciding that it only wants to do things a certain way, regardless of how you *think* the process should go.

Not too long in the distant past, I encountered such a beast, and will relate my story now.

The task was simple:  connect to a webservice, and display the results.  As the project progressed, the rules changed slightly – now I needed to grab the results, and filter out any that didn’t belong based upon a criterion set.  Never you mind that usually, the web service would be changed or manipulated so that a parameter or two could be passed in & perform the filtering on the server side.  That wasn’t a possibility in this case, and wouldn’t prove to have been near as much fun.

The rumblings and mutterings from the nether world began when I attempted to loop over the results and filter out any which didn’t fall within the specified criteria.  Normally, this would just involve a cfif tag to test each set of returned data to decide to display it or not.  The crux of the problem was that before entering the loop, the count of how many records were returned was displayed.  Depending on how many records were excluded, this count could be, and was, way off of the actual records that were displayed.

My initial theory was to loop over the record set returned from the webservice, and use a structDeleteAt() call to remove any records which did not match what I was trying to display.

*KABOOM*

ColdFusion refused to delete the record.  I tried everything.  Setting the value to empty, using a Javacast to set it to null, even copying the returned result set, and working with the copy.

None of it worked.

ColdFusion liked how the returned result tasted, and wasn’t about to let go, not for any amount of cajoling or cursing at it.

Finally, defeated, I tried a different approach.  Instead of using any trickery, or established CF functions or methods, I decided to bring a howitzer to this knife fight.

The answer lies in the code below.

<cfloop from="#ArrayLen(serviceReturn.contacts.anyType)#" to="1" step="-1" index="i">
<cfset tmp = serviceReturn.contacts.anyType[i] />
<cfset tmpPaidThrough = tmp.getPaidThrough() />
<cfif EXPRESSION_TO_CHECK_AGAINST >
<cfset tmpInsert = arrayappend(session.searchResults,serviceReturn.contacts.anyType[i]) />
</cfif>
</cfloop>

To explain:

• loop over the record set returned by the webservice.
• set the record to a temp variable, and get the part that we want to check against (in this case, paidThrough)
• if the record passes the test, append it to a new variable (session.searchResults)
• note that I have gone from the end of the struct to the beginning, but I believe it would work either way

Then, in the display portion of the code, instead of using the returned record set, we use the new variable we set up that only has the records in it that have passed the test for display purposes.

*VOILA*

ColdFusion, realizing that it has been defeated, slinks off to haunt some other poor soul.

I’m not entirely sure why CF would not relinquish the record of the returned set.  In discussion with other developers, we reasoned that perhaps since the return was a struct of struct of structs, somewhere in the vast underlying java mysteries, the pointers could not be moved or deleted, so CF did not want to delete the data.  Copying the returned structure resulted in a structure of the same design, so CF wasn’t able to delete from a copy any more than it could from the original record set.

So there you have it.  Wipe the blood off your sword, hoist a beer, and move on to another realm, full of it’s share of demons and battles.

-Dave

CFGoogle – Now that’s neat

So I stumbled across this on my twitter feed while reading what Ray Camden had put up about the rework of the riaforge.org backend to incorporate the CFGoogle api interface written by Todd Sharp. It looks really need and could provide a great deal of use to us ColdFusion junkies out there. I say check it out!

CFSilence:
CFGoogle

RiaForge:
http://cfgoogle.riaforge.org/

datefield cfinputs and _f is undefined

So there have been two occasions I’ve run into this error on a page – and it’s very ambiguous and hard to track down both times I’ve experienced it.  Fortunately, both times have also involved a very easy solution once I looked through the page for the 40th time.  The first time I encountered this, the previous form designer had named both cfforms on the page the same thing.  While this worked, it’s never advisable.  By doing this, the cfcalendar script could not locate the item because it couldn’t track down the form properly.

The second time I ran into this – just a few moments ago – was the same problem surfacing because the declaration for the form had been placed inside the declaration for the table.

1
2
3

<table>
         <form></form>
</table>

This just did not sit well with the browser, being invalid and all.  Once I moved them outside of that formation and made it this:

1
2
3

<form>
      <table></table>
</form>

it worked like a champ.    Hopefully this helps someone out there with this error in the future!

Flash Builder 4 and ColdFusion for Flex

Saw this video through a link provided by Hal Helms (@halhelms) on Twitter.   Really interesting stuff about using the new Flash Builder 4 interface to import Coldfusion CFCs directly and then once you have them imported, wire them right into your Flash piece without writing any Flex code at all.

http://snurl.com/j7e56

Limit on CFC Size?

So a few months ago I wrote a post about a java.lang.StackOverflowError I had experienced with Model-Glue and ColdSpring.   You can read about it here and here.  We it reared it’s ugly head again today.  I’m not sure exactly what is happening and maybe someone with a better knowledge of ColdSpring can help me out here.  I solved the problem by moving my new function into a different Service.cfc.  Why this worked?  I don’t know, but it seems that it has something to do with the size of the file.  It’s only running about 1500 lines in the service, but I have another service with more functions that runs 3000 lines of code.  But moving it out, definitely solves the ColdSpring compile error and allows me to move forward with development.

Any thoughts out there?

OO Form Processing

Read a few interesting posts recently about Object Oriented Form work. Going to have to try this out myself. Here are some examples if you’re interested:

http://www.halhelms.com/blog/index.cfm/2009/4/8/Form-Processing–the-OO-Way–the-Movie

http://www.bennadel.com/blog/1557-Object-Oriented-Form-Helpers-And-Reusing-Form-Validation-On-The-Client.htm

Web Service Run Around

I was recently tasked by my bosses to make some changes to a web service that existed on one of our clients sites. I’m not an ASP.NET guy – but it turned out to be what it was currently written in so I wanted to give it a shot and figured it would save me time on actually getting it done. That should have been my first clue that I was way off!

So I started off by having to upgrade the .NET library – the old app was written on version 1 something of .NET and the free Visual Web Developer forced it into an upgrade in order for me to even look at the code. I had tried using Eclipse first but that just have any way to compile out the ASP code. So after upgrading, we went through some hoops getting the server upgraded and also one crash of the IIS Server by not setting the DefaultAppPool properly. Like I said – not an ASP.NET guy!

So after that’s all compartmentalized, we start running into 401 – User Not Authorized problems. Turns out we had the server set to accept client certificates and were unable to connect through with them. Got that changed over and both the old service and the new seemed to be accepting the login scheme I copied over without a problem. When I went to run my new functionality though I just couldn’t get it to work. So I changed the name of my .asmx file from the default Service1 to NewService and went through the associated hoops trying to get everything running and compiling again. That was fun in and of itself. After uploading it, I could no longer connect when pointing to NewService. It seems that even though Service1 was in a different directory and application for ASP.NET when I was calling them – the SOAP URLs were pointing to the right places – that my calls to the app that now had NewService had been calling the Old Service1 instead.

So again I ran into the 401 Unauthorized problems. Started digging some more and there were a couple of things that I was able to finally find after much reading on the Internet. It seems that most suggest using anonymous browsing for the web service application directory. We couldn’t do that because of security requirements on the project, so we had it set to Integrated Windows Authentication under the Directory Security tab. However ColdFusion wasn’t able to talk to it then. Once I added Basic Authentication and gave it the proper domain, I was then able to connect like a champ and hit the newly created service!

So don’t forget to make sure your IIS Settings are what they should be, and then add to that the name changes. Now I just need to figure out how to create a test environment for this so that I can compile and make changes without taking down the service for the clients while they are working!