
Project News :.

The latest project to launch was the site for Gorilla Offroad Company. Aside from their main site, a social media strategy was developed to launch the company into various industry-specific automobile enthusiast discussion board communities as well as popular social media fronts like Facebook, Pinterest, and Twitter.



Macromedia - ColdFusion Programming

ColdFusion News :.

To bring a little life to my site, I've pulled a couple of RSS feeds into this page. You can currently choose between the technology related news stories from the following news sources:



You are currently viewing an RSS feed from coldfusionbloggers.org.



Oculus Rift
The Oculus VR company was recently bought by Facebook for $2 billion. Since the company started 2 years ago, my husband has been talking about it non-stop and will be the first in line when it goes public, even if many are unhappy about the Facebook buyout. Oculus promises to take Virtual Reality to a whole new level, and Facebook plans on keeping up development of Oculus Rift, their Virtual Reality Head Set. Check out this article that explains why Oculus Rift is going to be awesome: "7 Ways the Oculus Rift Could Change Entertainment as We Know It". According to the website, you can pre-order your developer kit now for $350 and they expect to start sending them out July this year. Pre-Order yours here
(Thu, 17 Apr 2014 18:01:06 GMT)

The Cake is a Lie!

Fair warning - minor ranting may be found in this post...

At this point it would be fair to say I really really do not like CakePHP. In fact, I hate it.  Almost two weeks of trying to learn this framework has made me loathe coming to work.  It isn't coding, it's figuring out how to do the most convoluted configurations to instruct cake how to write the app for you.  The "code" you have to write for all this configuration is bloated, ugly, and makes no sense.

The only thing I hate more is their ORM which is completely asinine.  Let's take a simple, easy to use query object and convert it into some sort of crazy ass multi-dimensional array.  Really?  Why? Why? Why?  Even they recognize the ridiculousness of this concept as, according to their docs, they are dropping that whole bit in Cake v3.  Reading about Cake 3 it actually sounds like a significant improvement in a lot of ways, including dumping some of the "magic" wand crap.  Problem is, v3 is coming out who knows when.

Which is another issue...we're struggling to learn Cake 2...when 3 is COMPLETELY different (something repeatedly emphasized in the v3 docs), which means we're learning it just to have to relearn again if/when v3 comes out? Or stay in v2 hell?

So we may be dropping it...I'm more than ready to look at something else.  Thus far though all of the PHP frameworks seem to be very similar, bloated, excessively complicated, and designed to do almost everything for you.  I don't want to "build" an app by just running a bunch of generate commands, throwing in some layout, and then just hope it all runs.

Ugh!

Of the frameworks that seemed to consistently be coming out as the most heavily used (i.e. that jobs/developers criteria), here is what I found:

CakePHP
Currently on v2, v3 in development and will be massively different; no release date on v3

Laravel
This framework is all done by a single man so if he gets bored or hit by that proverbial beer truck that is gunning for all developers, there goes that; yes it has some decent sized sponsors sort of behind it and it has its own conference, but really, if he's done it's done.   It's also fairly new, yet in 3 years has already done 4 major releases - seems like a bit much for something like a framework

CodeIgniter
Current owning company does not want to do it anymore because it makes them no money (certainly a fair reason); they posted about looking for a new owner last year and no one has taken them up on it so pretty much in the same state as Mach-II

Phalcon
After actually looking at code from each one, this one seemed more like what we'd like in terms of how it works, other than it being a C-based module (which would mean having to debug C if something really deep broke).  Still I was actually getting a little excited, but before I could share with my partner I saw the fun bit: they are working on a v2 that is *gasp* a complete redo!  Instead of its current uniqueness of being a C module, they are moving to their own freaking language, Zephir. When done it is, at least, supposed to be totally backwards compatible with apps built in their current version.  I've also seen a lot of complaints about a lack of good docs, though my initial glances seemed to show they had decent ones.

Kohana
A fork of the dead/dying CodeIgniter, at least initially. But then they completely rewrote it, killing that appeal. The documentation though is hideous, whole areas that are just blank pages. Not even a taunting "coming soon" message. Oh, and it was also abandoned two years ago by its creator, and while one guy apparently kept going on it to do a final release, it is officially dead.

Yii
Currently on v1.1.14 and...yep, a v2 is in beta. And, yet again, v2 is a complete rewrite and switching from one to the other is, in their words, "will not be trivial" though they do say the learning curve itself should be smaller as long as you are already familiar with one or the other. This one takes hand holding to a whole new level though - web-based model creation. Just fill in the form and poof...No.

Zend Framework 2
Huge, complicated as all get out, and repeatedly noted to be very hard to learn and slow performing due to its heavy load. Looking at the docs, I'd have to agree on the learning curve, they are so bad.

Symfony
Company supported, like Zend, but like Zend it is also larger, far more complicated, higher learning curve, and often referred to as "bloated" in discussions on frameworks. That said, of the two it did generally have more positive remarks in terms of flexibility and being more modular. From the docs, it seems like you can turn off the stuff you don't need - like that damn ORM crap!

Did you notice how many are in the middle of a major redo?  WTF? Did we just happen to come over to the "dark side" at just the right/wrong time or something?  Another thing that seems common with the PHP frameworks is being heavily connected to all aspects of the apps.  With most ColdFusion frameworks you could relatively easily "lift" off the framework and replace it with something else.  Yeah, you'd have to rewrite views a bit, but if properly done, your framework mostly interacted with service layers, so the "real" app was framework independent. 

Not so with any of these PHP ones, they all have to put their hands heavily into everything - the models, the controllers, the views, etc.  Replacing one with another requires significantly more code rewriting.  And the need to replace seems to be pretty high as most of these frameworks are seeming to have very short life spans, 2-3 years, before being abandoned as they are mostly personal/small group projects.  The few that are older/more established, like Cake and the like, are either in the midst of mass transition or have become too big/bloated for their own good.

I've also looked at some of the "micro" frameworks like Flight and Slim, but they mostly had poor documentation and didn't seem to offer any real benefit over just coding stuff ourselves following a normal MVC model.  And maybe that will be the direction we go - just straight PHP and figure out our own way to do the models and what not in a way that makes sense for us.

Waits for the inevitable defense of one or all of the aforementioned frameworks to begin...popcorn?


(Thu, 17 Apr 2014 18:00:31 GMT)

SVN Tree Conflict on "tags" directory
I am currently working on a branch, which is created from trunk using SVN. I am using TortoiseSVN 1.8.6 as the client. The directory structure looks like this:

web root
|- (many dirs)
|- tags
||- script.cfm

I noticed that after my last merge from trunk, that the script.cfm file was reverted to old code. […]
(Thu, 17 Apr 2014 16:00:27 GMT)

Photoshop Live - Charlie And The 3D Egg
I love this Adobe Photoshop CC #CreativityForAll video!
And here are some details on how you can get your hands on one of Charlie's exclusive 3D eggs.
(Thu, 17 Apr 2014 16:00:13 GMT)

Article: HTML out of the Browser
Very happy to announce the first publication of an article of mine on the Mozilla Hacks blog. This article is a bit of a departure for me. Less techy and more touchy feelie. Broadly, the article is a look at how HTML (well, web standards in general...
(Thu, 17 Apr 2014 12:01:18 GMT)

Railo Server and the Heartbleed vulnerability

Recently there has been a lot of buzz around one of the largest vulnerabilities in SSL, the Heartbeat exploit. There have been questions from the CFML community whether or how Railo Server is affected by this security threat.

Railo Server is a servlet that runs on any servlet engine and is therefore by itself (except perhaps for the libraries it uses) not potentially affected by the Heartbleed vulnerability.

Railo Server internal libraries

What libraries which deal with SSL does Railo internally use?

  • Railo uses several libraries that are dealing with SSL. Amongst them there is one that makes use of OpenSSL. Some details.
    • This library is called bcprov-jdk14.jar which is already several years old and therefore alone by this fact not affected by the Heartbleed bug.
    • Next to that the library implements only the SSL client which is anyway not affected by the bug, even though there are issues on the client side as well (see links below).
  • All other libraries Railo uses, use a different SSL library. In any event, these libraries provide an SSL client which anyway is not affected by the bug.
  • Here are all libraries in the current Railo distributions that use some form of SSL:
Library name
apache-commons-httpclient.jar
apache-commons-sanselan.jar
apache-jakarta-commons-fileupload.jar
apache-jakarta-commons-httpclient.jar
apache-jakarta-commons-net.jar
apache-poi-ooxml-schemas.jar
apache-poi.jar
bcprov-jdk14.jar
flex-messaging-proxy.jar
h2.jar
javaparser.jar
jencrypt.jar
jfreechart.jar
jpedal_gpl.jar
jtds.jar
microsoft-sqljdbc.jar
ojdbc14.jar
PDFRenderer.jar
postgresql.jar
sun-jai_core.jar
sun-mail.jar
xdb.jar

Servlet containers

  • Tomcat:
    • Our research revealed that the "tcnative" library is the only piece of Tomcat that is potentially affected as it is the only piece of Tomcat that uses an OpenSSL implementation of SSL.
    • Java's implementation of SSL (JSSE) is not vulnerable. The Railo Tomcat installers don't do anything with tcnative since most users will use Apache, nginx or IIS to serve up SSL.
    • Unless you have specifically compiled tcnative for your system, your instances are safe from a Railo/Tomcat point of view.
  • Jetty
    • Jetty uses JSSE as well, so it's not affected either.

So from a Railo perspective you are safe, if you use our official downloads for your system installation. If however you have built your own system on top of Tomcat and Apache, nginx etc., you need to follow the different procedures in order to protect your system. There are several different tools out there in order to test and update your systems. The main Heartbleed site contains a list of them.

Links:


(Thu, 17 Apr 2014 10:01:04 GMT)

Using JSONP With $resource In AngularJS
Ben Nadel looks at how to make JSONP (JavaScript Object Notation with Padding) requests using $resource in AngularJS....
(Thu, 17 Apr 2014 08:00:51 GMT)

$scope.$evalAsync() vs. $timeout() In AngularJS
Ben Nadel looks at the $scope.$evalAsync() in AngularJS, how it compares to $timeout(), and how it can be used to prevent "$digest already in progress" errors....
(Thu, 17 Apr 2014 08:00:51 GMT)

Adobe Product Security Incident Response Team (PSIRT) On ColdFusion And HeartBleed

The world is abuzz with the OpenSSL "heartbleed" bug and the ColdFusion community has also been going 'round about it too. Firstly, a server (like Apache, Nginx, Tomcat, etc) can be exploited by a client on a hacker's machine requesting an SSL connection. In addition, a client (CURL, wget, CFHTTP, etc) can be exploited if connecting to a malicious SSL endpoint. So basically, the bug has the ability to flow both ways.

For most CF sites, they are using IIS, Apache, or Nginx to serve content so ColdFusion has no bearing on the vulnerability from that end. Any CFML application, however, can connect to a malicious SSL endpoint. Of course, it only matters if the OpenSSL library is specifically being used. Any other SSL implementation is safe.

To date, neither Adobe nor Railo have yet to make public announcements via security bulletins or their official blog. There have been a handful of less "official" conversations in mailing lists and Twitter. As best I can tell, neither Adobe ColdFusion nor Railo use OpenSSL and therefore are safe. Of course, any other parts of your web stack (even bundled libraries) might use OpenSSL. Gert from Railo has promised a blog entry "soon" to address the issue regarding Railo. There has been some complaining about the lack of official word from Adobe, and my understanding is that the ColdFusion team's hands are tied by the Adobe PSIRT who are the only ones allowed to comment publicly on security matters.

The general consensus is they could certainly say something, even if it was simply, "Hey, we're looking into it and will get back to you soon". That as it is, I E-mailed Adobe's PSIRT myself and got a reply that seems as close to an official reply as they are willing to provide at this point though I'm unclear why they're talking about it one-on-one but refraining from public statements. For the sake of those who haven't E-mailed PSIRT, I will post their reply here for the benefit of the community until something official comes out. Also, for funsies, I'll post my original E-mail plus my followup. If I hear back again, I'll update this post.


From: Brad Wood
To: PSIRT@adobe.com
Date: Wed, Apr 16, 2014 at 5:45 AM
Subject: Adobe ColdFusion and Heartbleed

Dear Adobe PSIRT team,

I would like to encourage you to please make a public announcement regarding Adobe ColdFusion and if it is vulnerable to the latest OpenSSL "heartbleed" bug. This is a very significant bug that has people around the world scrambling to patch their software. Even if Adobe ColdFusion is not susceptible to the recent "heartbleed" bug I would strongly suggest making an announcement on your blog to state that or authorize the ColdFusion team to do so on their blog.
Many people in the CF community have noticed the silence on this issue and an official announcement really needs to be made in order for your customers to feel safe and to verify with their employers that they have all the patches they need. Communication is very important and I hate to see the Adobe ColdFusion team getting beat up for not addressing this issue publicly on their blog. Please authorize them to make some kind of statement on this.
Thanks!
~Brad

From: PSIRT@adobe.com
To: Brad Wood
Date: Wed, Apr 16, 2014 at 1:39 PM
Subject: RE: Adobe ColdFusion and Heartbleed

Hello Brad,

Thank you for contacting us. We appreciate your feedback. Please note that ColdFusion does not use OpenSSL. However, customers who are using an external web server with their ColdFusion deployment (ex. Apache) should test for CVE-2014-0160. If affected, customers should follow the recommendations provided in the OpenSSL security advisory, available at https://www.openssl.org/news/secadv_20140407.txt. Adobe also recommends consulting the ColdFusion lockdown guides for security best practices:

https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf

http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

We hope this information is helpful. Please let us know if you have additional questions.

Thank you,

Adobe Product Security Incident Response Team


From: Brad Wood
To: PSIRT@adobe.com
Date: Wed, Apr 16, 2014 at 3:13 PM
Subject: Adobe ColdFusion and Heartbleed

Dear PSIRT,

Thanks for the reply. I appreciate the links and concern. Let me be very clear though-- I am not asking about this for the sake of my servers, I am letting you know that Adobe needs to make a public official statement on the matter for the entire community to see. Even if your blog entry said nothing more than what you put in your E-mail reply that would be great-- but the community has noticed the lack of public response by Adobe to this matter and it's reflecting quite poorly on your PR.

If the PSIRT team doesn't have time to make a quick announcement, please authorize the ColdFusion team to put out a blog post. This would do a lot for the community as silence breeds distrust and most every other major technology stack has already addressed their platform publicly-- even if just to say they are not vulnerable.


Thanks!

~Brad


(Thu, 17 Apr 2014 00:37:05 GMT)

Open PhoneGap/Cordova Session next week
It has been a while, but next week (Wednesday, April 23rd) at 12PM CST, Holly Schinsky and myself will be hosting an open Q and A session for PhoneGap and Cordova. We've run these before and they are pretty successful. There will not be any present...
(Wed, 16 Apr 2014 18:01:02 GMT)

