Recent Blog Posts by Ben Nadel
Using Row Constructor Comparisons In MySQL
In his High Performance SQLite course, Aaron Francis made reference to a feature he referred to as "Row value syntax". This syntax allowed a list of values to be compared directly to another list of values. I had never seen this before; and just assumed it was a SQLite-specific concept. But then, he referenced this syntax once again in his Mastering Postgres course. At that point, I wondered if this was a baseline SQL feature that I didn't know about; and, more specifically, was this something available in MySQL?.. read more →
Mastering Postgres Video Course By Aaron Francis
Anytime you bring up databases in public, someone will inevitably suggest that Postgres (aka PostgreSQL) can address all of your data storage needs and then some. I love relational databases as much as the next person; but, I've never felt the kind of fervor and passion that seem to permeate the Postgres ecosystem. As an outsider, it's fascinating! So when I saw that Aaron Francis had a video course on Mastering Postgres, I jumped at a chance to get an insider's look at the database technology that seems to have a cult-like following... read more →
Adding Keyboard Shortcuts To Incident Commander Using Alpine.js
In the old Angular version of my Incident Commander tool, all of the interactivity took place in a Single-Page Application (SPA) context. In that model, the primary input never lost focus. In my new ColdFusion version, I'm using a Multi-Page Application (MPA) architecture which naturally resets the focus after each form submission. As such, I needed a way to re-focus the primary form control; but, I didn't want to hurt the accessibility (A11Y) of the page. To this end, I've implemented a keyboard shortcut for focusing the input using Alpine.js... read more →
What Every Engineer Should Know About Digital Accessibility By Sarah Horton And David Sloan
A few months ago, after blogging about keyboard navigation techniques, Jean Ducrot warned me that my approach might not be very "accessible" because it broke the "linear navigation" of the web page. He suggested that I read the book, What Every Engineer Should Know About Digital Accessibility by Sarah Horton and David Sloan. I've never felt confident about my mental model regarding accessibility, especially when creating highly dynamic Single-Page Applications (SPA); so, I picked this book up and have been slowly going through it over the past few months... read more →
Ask Ben: Sorting Quasi-Numeric Values Like 4K And 3M In ColdFusion
Out of the box, ColdFusion provides a .sort() method on arrays that makes it trivial to sort uniform collections; that is, collections which contain uniformly numeric or uniformly text values. But, when you have mixed collections, complex objects, or when you want to implement a "natural sort", the text and numeric sorting strategies fall short. In such cases, the .sort() method also accepts a callback that can act as the comparison operator. We can use this operator to reduce the elements down to a set of sortable values... read more →
Associating Form Inputs With ColdFusion Validation Error Types
In my ColdFusion applications, I've never had a lot of ceremony around error handling. I simply try to catch errors as high-up in the stack as I can; and then, I use a centralized error translator to translate exceptions into a user-safe error response which I then render at the top of my form interface. It recently occurred to me that I might be able to use my user-safe error response to make my ColdFusion forms more accessible by marking form inputs as being related to certain server-side validation errors... read more →
Exploring Cloudflare R2 And Request Authorization Using AWS Signature V4
Once I rebuilt my Incident Commander app in ColdFusion, I finally had the ability to upload images and screenshots as supporting evidence of the incident triage investigation. Right now, those uploads are saved to the server—it's what makes the most sense in a free MVP (minimum viable product). In the long run, I'd prefer to save uploads to a remote object store like Amazon Web Services (AWS) S3 or Cloudflare R2... read more →
Using CSS Gap To Control Margins In Website Copy
For the next update to my Incident Commander triage app, I was thinking about adding the CSS Open Props project from Adam Argyle. I've looked at Open Props a bit in the past; but, I never looked at Adam's "Built With" section before. And, upon closer inspection, I saw something that kind of blew my mind: Adam is using the CSS Grid layout to render website copy. And, more to the point, he's using the CSS gap property to control the margins in between the block-level copy elements... read more →
Optional Password Protection Added To Incident Commander
Now that I've rebuilt my Incident Commander triage app in ColdFusion, I've been trying to incrementally improve it. First I added the ability to use markdown in the incident description and status updates; then I added the ability to upload supporting screenshots; and now, I've added the ability to include an optional password to satisfy particularly security-minded teams... read more →
Considering Encrypting Passwords At Rest In ColdFusion
Now that I've rebuilt my Incident Commander triage app in ColdFusion, I'm looking at ways to make it more security-minded. Right now, it uses a large 64-byte alpha-numeric URL-based token to prevent brute-force attacks. But, I'd like to give users the option of including an additional non-URL-based authentication mechanism. To this end, I'm exploring the idea of a session password. Only, unlike a traditional password, which can leverage a one-way hash (think bCrypt, sCrypt, and Argon2), I need to be able to render this password in the application experience. To do this securely, I need to store the password in an encrypted state... read more →
Considering A Secure Encoding Technique Inspired By JWT In ColdFusion
Earlier this week, I looked at rebuilding my Incident Commander triage application in ColdFusion. The initial implementation uses a 64-byte alpha-numeric URL-based token to gate access to an incident. The goal of this token is to keep the application secure and prevent brute-force attacks without requiring the user to authenticate via any other mechanism. Essentially, I want to keep the barrier to entry for the application as low as possible in order to remove as much friction as I can from what is otherwise likely to be a very stressful situation (the current incident or outage)... read more →
Formatting Dates In The Local Timezone With Alpine.js
On a recent episode of Syntax.fm, Wes Bos, Scott Tolinski, and guest Scott Jehl discussed the current landscape of "Web Components" (aka, custom elements). I haven't worked with custom elements directly; but, I have been playing around a lot with Alpine.js. And, one thing that Jehl mentioned that caught my ear was the use of custom elements to format date/time values on the client-side. I wanted to see what it might look like to perform this task with an Alpine.js component... read more →
Counting The Occurrences Of A Substring Or RegEx Pattern In ColdFusion
The other day, in my Incident Commander app code, I needed to count the number of back-ticks in a truncated piece of text in order to make sure that the count was balanced (ie, that there were an equal number of starting and ending back-ticks for a Slack-formatted message). I don't often have to count substrings in ColdFusion; but, I was surprised to find that even in recent releases of the language there's no native method for counting occurrences of a substring or regular expression pattern. As such, I wanted to take a quick look at how this can be done in Adobe ColdFusion... read more →
Rebuilding Incident Commander As A ColdFusion App
Years ago, I created a simple Firebase and Angular app for triaging incidents at work. The app allowed the incident commander (IC) to record notes and share messages in Slack (via copy-paste). But, one thing that it never allowed for was the storing of supporting screenshots. To remedy this (and as a fun thought experiment), I've rebuilt my Incident Commander app in Adobe ColdFusion with a MySQL data store; and, it now allows screenshots to be embedded within the shareable timeline... read more →
Using fileGetMimeType() To Determine File Type In ColdFusion
This morning, in a discussion about inspecting file upload contents within the temp directory, Brian Reilly taught me that there is a native ColdFusion function for determining a given file's mime-type: fileGetMimeType(). This function—when operating in the default "strict mode"—will inspect the contents of a given file and return the true mime-type, regardless of which file extension is being used. I can't believe this has existed since ColdFusion 10 and I didn't know about it!.. read more →
Building A Moment-Inspired .fromNow() Date Formatting Method In ColdFusion
I'm working on a small personal tool for incident triage and management. And, one of the things that the tool does is render a timeline of status updates in reverse chronological order. I've been wrestling with how to best render such a timeline when everyone lives in different timezones. One thought that I have is to use a Moment.js-style "from now" format where the dates are labeled relative to the current time. I've done this in Angular before; but, I've never done this in ColdFusion. As such, I wanted to try porting my logic over to the server-side... read more →
Inspecting The Form Upload File Field Metadata In ColdFusion
When you upload a file in ColdFusion, the fileUpload() function and the CFFile[action=upload] tag aren't actually uploading the file to the server—at that point in the workflow, the file already exists on the server. The fileUpload() function is just moving the file from a temporary location to a permanent location of your choosing. And, when you're uploading files through a standard form post, the form field that represents your file upload contains the path to that temporary location. Which means you can therefore inspect a file in ColdFusion before you move it to its permanent location... read more →
VARCHAR(Length) Limit Refers To Characters, Not Bytes, In MySQL
When you define a varchar field in a MySQL database table, you can provide a length limit, ex varchar(255). For as long as I can remember, I thought this limit referred to the number of bytes that could be stored in the field. And, to be fair, back when I was only consuming ASCII characters, this assumption was coincidentally true—one ASCII character is represented by one byte. In reality, this length limit refers to the number of characters that can be stored in a field, regardless of how many bytes are needed to represent said character string... read more →
Using JSoup To Report Untrusted HTML Elements And Attributes In ColdFusion
Yesterday, I took my first look at using JSoup to sanitize untrusted HTML in ColdFusion. Historically, I've been using the OWASP AntiSamy project to do the same thing; and while the JSoup approach feels more flexible and is easier to consume, it's missing one important feature that AntiSamy had: an ability to report on which aspects of the untrusted DOM (Document Object Model) were being removed during the sanitization process. As such, I wanted to look at how I can use JSoup to report the untrusted HTML elements and attributes that were being removed in my ColdFusion processing... read more →
Using jSoup To Sanitize Untrusted HTML In ColdFusion
For years, I've been using the OWASP AntiSamy project to sanitize untrusted HTML in ColdFusion. And for years, James Moberg has suggested that I just use JSoup. I'm not one to switch tools unnecessarily. However, when I went to install AntiSamy in a new project and remembered just how many JAR files were required, I figured it was time to look at JSoup's single JAR approach to cleaning and sanitizing HTML... read more →
Safe-Navigation Operator Swallows Method Errors In Adobe ColdFusion 2023
This morning, I was running into a strange null-reference error in my ColdFusion dependency injector (DI). A CFProperty-based component wasn't being injected; but, no error was being thrown or logged. After commenting-out a bunch of code, I finally narrowed it down to a bug in ColdFusion. If you use the safe-navigation operator to invoke a component method, any error thrown in that method will be swallowed up and the method will be short-circuited. I confirmed this behavior in both Adobe ColdFusion (ACF) 2021 and 2023... read more →
Working Code Podcast - Episode 200: We're Taking A Break
After recording 200 episodes, we've decided to take a short break from the show. We never really had a plan going into this endeavor; and, there was no sense of a seasonal cadence to what we were doing. As such, we're gonna call this the end of "season one" and take a hiatus through the end of the calendar year 2024. In January, we'll regroup and start "season two". Thank you all for listening to the show and for following along on this journey... read more →
Feature Flags Book Playground, Videos, And Code
As a companion piece to my Feature Flags Book, I've created a feature flags playground to provide my readers with some lightweight hands-on experience. It's great to read about a concept in a book. But, some concepts don't become tangible until you can roll your sleeves up and get a little bit dirty. This feature flags playground gives people an opportunity to define feature flags, add rules, target cohorts, and incrementally release new features to a demo user-base. The primary goal of this playground is to add dimension to the content of the book; but, if you want to see the underlying code, I've made it all available on GitHub—it's built in ColdFusion, Parcel.js, Alpine.js, and Less CSS and runs on Docker... read more →
Playing With Window Functions In MySQL 8
Earlier this week, I went through the High Performance SQLite course by Aaron Francis. Among the many SQL topics that he covered, he included something that I've never tried before: Window Functions. These functions allow you to calculate data based on the current row. These functions behave somewhat like a subquery that is locked-down to the existing result-set, and which can be further subdivided using a partition column... read more →
High Performance SQLite Video Course By Aaron Francis
Last night, I finished the High Performance SQLite video course by Aaron Francis. It is one of the best video courses that I've taken to date. Aaron strikes the perfect balance between density of content, depth of discussion, levity, and flow. And the quality of the video production is outstanding—this is obvious from the very first video; and, remains consistent through to the end. Using a distraction-free staging context, Aaron delivers the information in bite-size morsels that are easy to consume. If you're interested in learning more about SQLite, I highly recommend this course... read more →
Working Code Podcast - Episode 199: Country Code TLDs
All 2-character top level domains (TLDs) represent country codes. For example, .us is the TLD for the United States; .ai is the TLD for Anguilla; and, .io is the TLD for the British Indian Ocean Territory. In addition to their original purpose, these TLDs have been heavily co-opted by the tech sector. Normally this wouldn't be an issue; however, the British government has recently ceded control over the Indian Ocean's Chagos island. This may obviate the need for an .io TLD. Which could mean—in theory—that .io domains eventually stop working. This gives us a moment to pause and reflect upon the practice of overloading country code TLDs... read more →
Running Memory Leak Detection After Every ColdFusion Request
In the comments of a post over on LinkedIn, I was talking to Charles Robertson about how unnerving it is to have unscoped local variables leak into the variables scope of a persisted component. This type of memory leak can lead to the cross-contamination of requests; and, in a worst case scenario, will cause one user's data to be shown to another user. Inspired by that conversation, I decided to add memory leak detection to the post-processing of every ColdFusion request in my feature flags playground application... read more →
Collocating My ColdFusion, CSS, And JavaScript Files
When building a ColdFusion multi-page application (MPA), I've never been satisfied with how files are organized. Client-side files (CSS and JS) that are tightly coupled to server-side files (CFML) are often located in completely different parts of the application's folder structure. This adds friction to the maintenance of the ColdFusion application. In an effort to experiment with a more cohesive file strategy, I want to try putting CSS and JavaScript files right next to their CFML counterparts... read more →
Dave Farley On What Makes High Quality Code
This morning, on the latest episode of the Engineering Room podcast, Dave Farley said something about code quality that really connected with the way in which I see software development. In the past, I've talked about the importance of writing code that's easy to find and easy to delete. But, both of these concepts tactically roll-up in a higher-level strategy that Dave identifies: write code that's safe and easy to change:.. read more →
Making A Case For Var Declarations In ColdFusion Templates
Last week, I opened a feature request in the Adobe bug tracker to allow for var declarations in CFML templates. After I opened this, I shared it within the Working Code discord; and, all those who responded did so in opposition to the idea. As such, I wanted to take a moment to more clearly articulate my case for allowing var declarations in, essentially, any ColdFusion context... read more →