Thursday, March 24, 2005

Limitation of Unobtrusive JavaScript?

Unobtrusive JavaScript
Mike Rankin's MX Blog: Unobtrusive JavaScript

I was looking at the provacative article about unobtrusive JavaScript and realized that there is a limitation based on how I wrote some of my older JavaScript.

If you use ColdFusion to populate values in your JavaScript, moving your code out to .js files prevents the cf engine from processing them.

There are many instances where I use a form control event to trigger a JavaScript function that accepts a parameter that is generated by ColdFusion. How would this work if the event is not triggered from the .cfm page?

Are there elegant ways to handle this? Is there a way to make the cf engine parse a .js file? Can the JavaScript code be changed to make it work with the unobtrusive approach?

Monday, March 21, 2005

Mozilla Thunderbird 1.0.2 Release Notes

Mozilla Thunderbird 1.0.2 Release Notes

This is a security and stability update.

Thursday, March 17, 2005

Enterprise Architect CFC patch

I fixed a bug in the method generator to remove the default parameter when the attribute is requried.

Wednesday, March 16, 2005

Yes or No? Is there a best practice when it comes to cftag attributes.

Is there a best practice for choosing between "yes/no" vs. "true/false" vs. "1/0" (haha, that last one is undefined)?

Of course, there may be some constraints imposed by external technologies like your database.

I've noticed that in cf tags you will sometimes see thisAttribute = "yes/no" or thisAttribute = "true/false".

Is there a reason why one would be used over the other? I'm not even sure why the choice exists.

It looks like the latest documentation is going with the yes/no approach for tag attributes in general. There are still some consistency problems with some of the functions. For example, xmlNew() uses true/false to indicate case sensitivity, whereas xmlParse() uses yes/no for the same thing.

I think I'm leaning toward the yes/no approach. It's still clear, it's a little shorter, and it seems like it is used most in the cf docs. I'll probably tend to still use the 1/0 approach for anything relating to sql or web services. It just seems to work more reliably that way.

Any thoughts?

Tuesday, March 15, 2005

CFC generator for Enterprise Architect

If you use the UML to drive the dialog between your developers and your stakeholders, you owe it to your self to take a look at Enterprise Architect by Sparx Systems. The interface is deceptively simple at first glance. Be warned, this program takes a while to learn how to use and tune to your development environment.

Note: Big plus for EA - value priced.

One of the promising features of this package is the ability to generate code from your model. For some languages, this can work in both directions. Unfortunately, the user accessible interface only supports going from model to code.

You can get my cfc generator [right-click and save] to help take some of the drudgery out of building the repetitive blocks of code common to most cfcs used as ColdFusion classes. It takes your class drawings and converts them to cfcs using the code generation screens.

It is obviously a 0.0001 release. I haven't even had a chance to test it myself yet.

I haven't yet figured out how to deal with composition yet, especially when something other than 1..1 multiplicity is involved.

The nice thing about this approach is that the format is easily editable. If you don't like the way I'm presenting something, you can open up the model driven generation screens and edit until your heart's content.

Make sure you drop me a line if you make changes to the xml file or find bugs.

Friday, March 11, 2005

Macromedia ranked in top 100 english language web sites.

Alexa Web Search - Top 500

Currently number 74, as of this writing, according to Amazon.com's Alexa.

They also have a free toolbar for IE. Seems like everybody has one of those these days.

They claim that "This is the most useful toolbar ever made." Wow. Pretty strong assertion that I think a lot of people may not agree with.

I only mentioned the toolbar because I'm pretty sure that's what they are using to compile their statistics.

Wednesday, March 09, 2005

Questioning the one true faith

A few months ago, I made the unfortunate decision to post a somewhat derisive entry on my blog about Fusebox and my personal, anecdotal experiences with it. Even then, I realized that my comments could be viewed as being overly critical of the framework. I tried to backpedal a bit and at least acknowledge some of the excellent discoveries and fine work that has gone into its development. It didn't receive much attention when I wrote it and I was content to let the post just fade into history.

I should have known better.

Andy Jarrett resurrected the subject when he spoke about his adventure building a small project that he felt didn't need the formality of the Fusebox framework. [thanks a lot Andy ;-) ] It sounded like he had a lot of fun with the project.

Over the past year or so, I've been exposed to 3 Fusebox development environments. One with a team of 5, one with 15 and one with 32. All three worked multiple projects simultaneously. NONE of them are contemplating a move to Fusebox 4 or Mach-II. Development environment inertia at its worst.

At the 5 member team organization, we were able to put together a second team and environment without Fusebox and watch the organization for almost 3 years. The second team had 6 developers move through it but never more than 3 at a time. The original 5 member team moved an additional 4 people through during the same period.

The smaller team more than kept up and in many cases surpassed the larger team in terms of speed of code generation, flexibility of design, responsiveness to changes, maintenance of existing code, etc.

The small team had a rocky start including a short dabble with cfobjects and some in-house framework attempts. After cfmx came out, the small team began to see gains in productivity. The large team performance was flat. This was most evident on an integration project between the two groups. The small team was always ahead of the large teams schedule on two ends of the same project. The small team's code had fewer bugs, required less rework and was easier to maintain.

Similar patterns were evident at the other two organizations.

Since my experience is purely anecdotal, it's quite possible that these are not typical results. Our small team almost always had somebody with previous oo experience in other languages, either java, c++ or c#. The large team was pure cf with a bit of asp. The smaller team also had been exposed to enterprise design/management tools and ideas like the RUP and had done lots of modeling with the UML.

Where the larger team was unwilling/unable to do anything but Fusebox 3, the smaller team chafed at the prospect of adopting it.

The organization that had 30 devs was completely stuck on cf5. They were unable to solve some technical driver issues and were unable to upgrade. I hope they have been able to work that out. Again, there was very little interest in even putting a pilot together in a lab environment.

The middle outfit is getting some really good mileage out of Fusebox 3. They have a very narrowly focused set of products and are delivering their products rapidly and consistently. They have been skilled/lucky enough to retain their original developers.

My guess is that this is what most Fusebox organizations are experiencing. However, there is some dissention in the ranks. There is some frustration with lack of interesting projects. They are a pretty forward thinking organization and yet they are not even evaluating Fusebox 4 or Mach-II.

I'm there building something that nobody else wanted to tackle (a mainframe/cobol integration). In the process, I've turned a few heads in terms of thinking about their software lifecycles. I'm not pushing anything on anybody, I'm just showing my work each week and explaining what's going on.

I don't have any empirical evidence one way or another regarding Fusebox. There probably isn't any. As an industry, we have enough trouble just trying to estimate project size. Measuring gains in productivity quantitatively is beyond most organization's capabilities.

So, was my original post completely off the mark? I don't think so. My experience leads me to believe that some of the benefits proposed by Fusebox are overhyped. I think I would rather have seasoned developers than a framework and inexperienced developers.

Was the original post an eloquent statement of position? Nope. Especially that line about using Fusebox in a shared environment. That one was a mystery to me when I first read it. Where I had intended to go with that was to discuss some of the challenges presented by multi-homed sites where you don't have access or control of the hosting environment.

Based on some of the comments I received, you would have thought I had said that the Pope was praying to the wrong Gods. Sheesh, relax a little bit. You'll live longer.

So, for the next six months or so, I'm not using Fusebox. I don't want to. You can't make me. Nyahh.

Unless of course you want to pay me large sums of money. At that point, all other religions become false.

Tuesday, March 08, 2005

Getters getting me down.

Building all those getters can sure be boring. You've probably seen them about a thousand times by now. Three lines of code always looking like this:
<cffunction name="getSomeProperty" ...
<cfreturn someProperty >
</cffunction>
At least we're getting our money out of the cut-n-paste and find-n-replace features.

The question I want to pose is:

Are we taking too big a productivity hit using private properties in cfcs instead of just exposing them with the "this" scope?

It feels like we are creating greater code encapsulation at the expense of rapid development. I've only had a few instances where I've needed a property's value to be stored in the object's instance differently than how it was to be displayed or used by other objects. These could have been handled by a few conversion functions pretty easily.

I'm also not overly fond of the gymnastics we have to go through to use cfdump. It's a really handy tool during development if you use public properties. You can see everything. Put all of your properties into the variables scope and you have some work to do.

I know we are still relatively fresh out of the gate with these things, but I'm looking forward to the day when the tools can create some of this code for us.

I think I'm getting repetative stress syndrome :(.

Saturday, March 05, 2005

What D&D Character Are You?

What D&D Character Are You?

Admit it. If you're reading this blog, you're a nerd. You probably have closet full of Dungeons & Dragons books and other assorted paraphanalia that you're just dieing to get back into. Too bad, the "work thing" and the "family thing" take up so much of your time.

In the interest of helping you keep your job and save your marriage, follow the link for a quick fix. It'll help, I promise.

UPDATE:

I Am A: Lawful Good Dwarf Fighter Paladin

Alignment:
Lawful Good characters are the epitome of all that is just and good. They believe in order and governments that work for the benefit of all, and generally do not mind doing direct work to further their beliefs.

Race:
Dwarves are short and stout, and easily recognizable by their well-cared-for beards. They are hard workers, and adept at stonework and engineering. They tend to live apart from other races; generally in deep, underground excavated systems, and as such tend to be distant from other races.

Primary Class:
Fighters are the warriors. They use weapons to accomplish their goals. This isn't to say that they aren't intelligent, but that they do, in fact, believe that violence is frequently the answer.

Secondary Class:
Paladins are the Holy Warriors. They have been chosen by a God/dess to be their representative on Earth, and must follow the code of that deity, or risk severe penalties. They tend towards being righteous, but not generally to excess.

Deity:
Moradin is the Lawful Good dwarven god of stone, rock, fire, and metal. He is also known as the Creator God, because he is the creator of the dwarven race. Followers of Moradin believe that a person's worth is determined by the things they do. They also are trained to work in the forge, creating weapons in the name and spirit of Moradin. They can use any weapon, but it must be one that they have created themselves. Moradin's symbol is a hammer and an anvil.

Find out What D&D Character Are You?, courtesy ofNeppyMan (e-mail)

Thursday, March 03, 2005

Mozilla Foundation Security Advisories

Mozilla Foundation Security Advisories

Unfortunately, even our favorite browser has the occasional security problem. I think the nastiest one was that top one that made it possible to spoof the url shown in the address bar. It wasn't out long, though.

If you haven't patched your copy of Firefox yet, it's really easy to do.
  1. Open Firefox
  2. Click Tools, Options...
  3. Click the Advanced icon on the left
  4. Scroll down to Software Update
  5. Make sure Firefox is selected and click the Check Now
That should do it.

Flash Player7 w/ Y! WTF?!

Flash Player Download. <--- Visit this link with IE. Firefox is "immune".

WHAT IS MM THINKING? We're out here, busy trying to sell Flash as an application platform and Macromedia is bundling the Yahoo toolbar with the player? What's next, Gator?

Ok, so maybe that's a little over the top. But, this deal should have been struck the other direction. I don't think there would be any problem if Yahoo! bundled the latest flash player. It would be even better if the Yahoo! toolbar was a cool Flash app.

I think this move potentially undermines the (limited) headway that Flash is beginning to make in the enterprise space. I think I can actually hear the din of panic from network admins across the nation freaking out when they realize they just reluctantly installed Flash and this "bundled" think came along for the ride. "See! I TOLD you we should have never trusted Flash. Look how much it's going to cost us to uninstall and remove this thing."

But, you don't have to install the toolbar, you say. Well, I think there are a lot of admins out there with a huge predisposition against Flash. This just gives them the amunition they need to kill it in the organization (and Breeze, and Flex, and CFMX7 flash forms).

Can I have the guy's/gal's job that gets fired for making this deal? Just kidding. (but not really.)

Robots to Watch Children Showcased

ABC News: Robots to Watch Children Showcased

This has got to be the scariest thing I've read in a long time. Remember that creepy teddy bear in the movie AI?

I just have visions of hordes of zombied teddy bears secretly attacking the country. Imagine your kids accused of participating in a massive DDoS attack.

Or worse...

The latest virus causes the toy to subliminally whisper messages to your kid like...

"Lisa, they're all against you. They all must die. Kill. Kill. Kill."

Wednesday, March 02, 2005

CFLOGIN synchronization with SQL logins

I haven't quite decided if this creates a better security situation or a worse security situation. Maybe you can help.

I've created a bit of code that lets you use the login credentials stored in MSSql server as the supplier of your cflogin data. Doing this gives you a couple of nice benefits including:
  1. All of your querries can identify who is making them. You use the username and password attributes of cfquery and cfstoredproc throughout your app.
  2. Since you have a named user for each connection, you can build triggers that support detailed logging in the db.
  3. Removal of the user from the db removes them from access to your app.
  4. Users can manage their passwords in sql from within your app.
  5. SQL admins don't need to know user passwords.
Downside:
  1. You might create a new attack vector directly to your db through your app. Would this be any different than having cfide on the same machine?
  2. Definitely not portable to other databases.
  3. ?
Here's the bulk of the code that makes it happen:

application.cfc (partial)
<cffunction name="OnRequestStart">
<cfargument name="request" required="true"/>
<cfif IsDefined("form.logout")>
<cflogout>
</cfif>
<cflogin>
<cfif NOT IsDefined("cflogin")>
<cfinclude template="loginform.cfm">
<cfabort>
<cfelse>
<cfif cflogin.name is "" or cflogin.password IS "">
<cfoutput>
<h2>You must enter text in both the User Name and Password fields.</h2>
</cfoutput>
<cfinclude template="loginform.cfm">
<cfabort>
<cfelse>
<cftry>
<cfstoredproc procedure="sp_helpuser" datasource="acs" username="#cflogin.name#" password="#cflogin.password#">
<cfprocparam type="in" cfsqltype="cf_sql_varchar" value="#cflogin.name#">
<cfprocresult name="sqlUser">
</cfstoredproc>
<cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="#valueList(sqlUser.GroupName)#">
<cfcatch type="database">
<h2>Login failed.</h2>
<cfinclude template="loginform.cfm">
<cfabort>
</cfcatch>
</cftry>
</cfif>
</cfif>
</cflogin>
</cffunction>>

loginform.cfm
<form name="loginFrm" action="" method="post">
<label for="j_username">Username:</label>
<input type="text" name="j_username" />
<br />
<label for="j_password">Password:</label>
<input type="password" name="j_password" />
<input type="submit" value="submit" />
</form>

index.cfm
<h1>You Made it.</h1>
<cfoutput>
<!--- SQL Role names --->
ACSAdmin: #IsUserInRole("ACSAdmin")#<br />
ACSManager: #IsUserInRole("ACSManager")#<br />
ACSUser: #IsUserInRole("ACSUser")#<br />
</cfoutput>>


Does this make any sense, or is this a stupid thing to do?