November 21, 2008

Entries for month: August 2008

Introducing SmartType Mango Blog Plugin

August 21 2008 by Adam

Last night I quickly threw together a Mango Blog plugin for something I've wanted ever since leaving WordPress: Smart Dashes. Since it was possible with the component I was implementing, I also added conversion of ellipses.

I can't take any credit for any of the difficult parts of this; all I did was wrap Seb's code in a Mango plugin.

From the project page:

SmartType Mango Blog Plugin is a simple implementation of Seb Duggan's SmartType ColdFusion Component to prettify post and page content and titles. It implements his replacement for ellipses (... as …) and en and em dashes (- as – and -- or --- as —). Folks who have used WordPress in the past should be familiar with this behavior, except that I'm not changing single or double quotes. That was one of the things I hated about WordPress, because it always messed up my code samples.

If you want to include an ellipsis, single dash, or set of dashes without it being replaced, precede it with a backslash: \

Download it here: SmartType Mango Blog Plugin 0.1

Install Instructions:

  1. Unzip to the components/plugins/user/ folder
  2. Activate in the Add-ons section of your Mango Blog Admin
  3. There is no step 3.

Posted in My projects | Mango | 2 comments

CF8 Certification, Here I Come!

August 18 2008 by Adam

Last year I got my first ColdFusion certification, just in time for a new version of CF to come out and make me feel like I was behind again. Since the test is only $150, I figure I might as well upgrade to a CF8 certification.

I've heard rumors that thanks to Ray, the CF8 exam is much tougher than the CF7 exam. And since it's going to be harder, and I really don't want to lose the "Advanced" level, I'm going to prepare pretty hard. Last year I did self-study, and it was pretty overwhelming — there's just so much material and you don't get a great idea for what to study. This year, I'm going to prepare with the recently released CF8 Exam Buster training software.

I've already got it installed and gone through the first test, and I'm confident it's going to help me be prepared for the exam. I'll post again after I get my exam results and let you know what I think of CF8 Exam Buster, and whether or not I maintained my "advanced" level certification.

Posted in ColdFusion 8 | 5 comments

Protect your websites, logs, and inbox from SQL Injection

August 08 2008 by Adam

If you're like me you leave error reporting emails on for most of the sites that you build, so that wherever possible you are alerted to potential problems — like the recent wave of SQL Injection attacks — before the website owner (your client) knows they're being attacked, and hopefully, before an attack is successful. Of course, you're a responsible coder and you're logging and reporting errors, and then hunting down and eradicating the buggy code… right?

But as was pointed out this morning on Twitter by Adam Lehman, if you log and subsequently email yourself or anyone else for every single error your website throws, you could end up flooding your own inbox (or worse, the inboxes of your clients and coworkers!) with error reports, essentially causing a Denial of Service attack on yourself. And you may overly tax your server's resources in the process. It doesn't get much more lose-lose than that.

As ColdFusion Muse points out, a majority of recent attacks have been attempts to append some JavaScript to every text field in a database, and they are using a very specific method: declaring a text variable that contains some T-SQL instructions, and then evaluating it. And like something out of a bad comedy, a few hours after reading Mark's post, it started happening to two of the websites my group manages. And boy, did the emails start coming.

Luckily, because the attack is so specific, it's easy to head off.

If you're using Application.cfm, just add this somewhere near the top:

<!--- cgi.query_string is the raw, still percent-encoded query string, so the space in "DECLARE @S" shows up as %20; findNoCase returns 0 when it is absent, so the request is only aborted when the signature is present --->
<cfif findNoCase("DECLARE%20@S", cgi.query_string)><cfabort/></cfif>

And of course, if you're using Application.cfc, you can just put it in the onRequestStart function. Either way, you should position this code so that it is run before any significant work is done on the web server. There's really no generic reason it can't be line 1.

By doing this, you'll protect yourself from this specific attack (but not all SQL Injection) and stop all of those nagging error emails and log entries. Then you can focus on important things like making sure all of your queries use CFQueryParam.
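The same check placed in Application.cfc, as an added example rather than code from this post or from ColdFusion Muse: onRequestStart runs the filter before any page code, writes a single cflog line for each blocked probe instead of letting the request fail later and trigger an error email, and a page that passes the filter binds its parameter with cfqueryparam. The application name, the log file name, the datasource siteDS, the posts table and its columns are all assumed placeholders.

```cfml
<!--- Application.cfc (added example; application name and log file name are assumed) --->
<cfcomponent output="false">
    <cfset this.name = "exampleSite">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- Runs before any page code. cgi.query_string is the raw, still
              percent-encoded query string, so the space in "DECLARE @S" is
              matched as %20, exactly as in the one-liner above. findNoCase
              returns 0 when the signature is absent, which cfif treats as false. --->
        <cfif findNoCase("DECLARE%20@S", cgi.query_string)>
            <!--- One log line per blocked request instead of a later database
                  error and the email it would trigger. --->
            <cflog file="blocked-requests" type="warning"
                   text="Blocked probe: #cgi.remote_addr# requested #cgi.script_name#">
            <cfabort>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- post.cfm (added example; datasource "siteDS" and table "posts" are assumed) --->
<!--- Requests that pass the filter still reach queries like this one, so the
      durable fix the post points to is binding every value with cfqueryparam:
      the database receives id as a typed parameter, never as SQL text. --->
<cfparam name="url.id" type="integer">
<cfquery name="getPost" datasource="siteDS">
    SELECT id, title, body
    FROM posts
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfoutput>#getPost.title#</cfoutput>
```

The signature check only matches the percent-encoded form in the query string, which is why the post calls it protection against this specific attack and not against SQL injection in general; the cfqueryparam binding in post.cfm is what holds regardless of how an attacker encodes or delivers the input.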

Posted in ColdFusion | 4 comments