ColdFusion 9 Server Lockdown Guide

Posted on May 28, 2010 by: Justin Scott 0 Comments

Pete Freitag, of HackMyCF fame, has written an informative guide on securing Adobe ColdFusion Server.  The guide is available from Adobe.  It covers how to lock down the ColdFusion Server installation and limit the attack surface that the server software itself presents.  It also talks about how to lock down the administrator so that it is only available to those who need access.  The guide makes great suggestions for those who run production ColdFusion servers and want to minimize their attack surface.  The guide also discusses how to remove functionality you're not using from the server, makes suggestions for various ColdFusion administrator settings and their impacts, as well as some suggestions for developers to improve the security of their code.  Overall, a nice guide for anyone who administers a ColdFusion server.


Mango API - How to Create a Post

Posted on May 28, 2010 by: Justin Scott 5 Comments

I've been using Mango Blog on and off for quite a while, but recently I've really begun to dig my heels in and use it as a platform to base entire websites on.  Part of the magic of Mango Blog is its extensibility.  Laura has done a fabulous job of providing hooks into the core engine.  My goal is to write code around it that does what I want but never actually modifies the core engine.  This is easier said than done, but Mango makes that goal a lot easier to reach.  Now, one of the things that comes up often is creating new posts automatically.  They could be coming from an RSS feed, another content management system, or user submissions.  The first thing that springs to mind would be to write the data directly to the database.  That, however, would be a Very Bad Thing(tm).  Mango may change the database structure with a new release, or move to some other means of storing posts entirely.  That would also bypass the event announcements that plugins are looking for.  That would ruin your whole day!  So what are we to do?

Enter the API.  Mango provides a pretty decent set of APIs into the core functionality.  One of these is the ability to create a new post through code in a way that lets Mango handle the data storage and preserves the event announcements and all the other "work" that goes on in the background.  The API says, "Give me the data and I'll take care of the dirty work for you."  How do we use the API?  It's simple, really.  Here's an example:



<cfscript>
// Get the API
mangoAPI = createObject("component", "api.api");
// Set up the post attributes.
myPost = structNew();
myPost.username = "admin-username";
myPost.password = "admin-password";
myPost.title = "API Post Title";
myPost.content = "This is a post through the API";
myPost.publish = true;
myPost.blogID = "";
// Call the API.  Returns the post ID or an error string.
postID = mangoAPI.newPost(argumentcollection=myPost);
</cfscript>

Wasn't that easy?  The username and password would be the login credentials of the admin user you want to "own" the post.  The publish setting determines whether the post will be published on the site or put into "draft" mode.  The blogID is ignored as of this writing (perhaps it's reserved for a future release where Mango supports multiple blogs on the same install).  The API will return either a UUID which is the new post ID, or an error string letting you know what isn't right.  Hopefully this will help anyone who's trying to automate their Mango a bit.  Cheers!
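As an added example (not part of the original post or Mango Blog's own code), the same `newPost` call can be wrapped so the admin credentials stay out of the source file and the "UUID or error string" return value is checked before it is trusted. The environment variable names `MANGO_API_USER` and `MANGO_API_PASS`, the helper names, the log file name, and the choice to default to draft mode are assumptions made for this sketch.

```cfml
<cfscript>
// Added example. MANGO_API_USER / MANGO_API_PASS are hypothetical
// environment variable names; set them for the ColdFusion service account.
function getRequiredEnv(required string name) {
    var value = createObject("java", "java.lang.System").getenv(arguments.name);
    // getenv() returns a Java null when the variable is not set.
    if (isNull(value) or not len(trim(value))) {
        throw(type="Config.Missing", message="Environment variable #arguments.name# is not set");
    }
    return value;
}

// Creates a post through the Mango API and returns the new post ID.
// publish defaults to false (an assumption of this example) so content
// pulled from feeds or user submissions lands in draft mode for review.
function createMangoPost(required string title, required string content, boolean publish=false) {
    var mangoAPI = createObject("component", "api.api");
    var post = structNew();
    var result = "";

    post.username = getRequiredEnv("MANGO_API_USER");
    post.password = getRequiredEnv("MANGO_API_PASS");
    post.title = arguments.title;
    post.content = arguments.content;
    post.publish = arguments.publish;
    post.blogID = "";

    result = mangoAPI.newPost(argumentcollection=post);

    // The API returns a UUID on success and an error string otherwise,
    // so anything that is not UUID-shaped is treated as a failure.
    if (isValid("uuid", result) or isValid("guid", result)) {
        return result;
    }

    // Log the API's error string server-side; never log the credentials.
    writeLog(file="mangoImport", type="error", text="Mango newPost failed: #result#");
    throw(type="Mango.PostFailed", message="Mango API did not create the post");
}

postID = createMangoPost("API Post Title", "This is a post through the API");
</cfscript>
```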


Build a Better MLS IDX Part 2

Posted on May 25, 2010 by: Justin Scott 4 Comments

A couple of years ago I wrote about my horrific experiences working with MLS listing data from a variety of providers.  I thought it would be interesting to revisit the topic to see what's changed.  Unfortunately, not much.  The client we were working with through all of those experiences eventually got fed up with the constant battle with the images.  They complained to the Florida Association of Realtors, who suggested they try the FAR IDX feed.  Apparently, in Florida, all brokers and IDX providers are required to push their data up to the state level.  The Florida Association then aggregates all of this data into a single, well-formed IDX feed that is actually not all that difficult to use.  Their feed is well documented, normalized (no more having to deal with a dozen ways to misspell Sarasota), and they host the images on their server complete with a list of all of the image URLs right in the data file.  Oh, and it's free.  All the broker has to do is fill out a form and they will be issued access to the downloadable data.

If you're developing an online listing display for a realtor in Florida and you're NOT using the FAR IDX feed, STOP.  Just stop what you're doing and ask the broker to get in touch with the Florida Association and get access to their IDX data.  Compared to MLXchange (or any other vendor I've had the dubious pleasure of working with), their data is like a dream come true.  Not only that, but the support at FAR IDX is far superior to anything else I've experienced in the industry.  I found a couple of minor issues with the feed data and was able to speak directly with someone who had the ability to fix the problem at the source.

The way their feed works is that every quarter they assign a new FTP username and password.  Once you have FTP access, you download the file containing all of the listings for the local association.  In our case, the Sarasota association was joined up with the Mid-Florida Regional MLS, so we got the mid-Florida regional listings which included Sarasota, Manatee, Pinellas, and several other counties.  It was more data than we needed, but we could filter out the counties that were farther away upon import without any trouble.  All of the listing types are in the same file with the same data fields, so we could import everything into one database table.  As I mentioned, they hosted the images and even provided image URLs, so whatever was current is what we were fed through in the file.  No more downloading, sorting, or matching images.  If an agent deleted a photo, it got dropped from the feed the following day.  I can't stress enough how much easier working with their data is.

Unfortunately, that client of ours was bought out by another company, so their site is gone and the other company already had a solution in place, so we don't have any sites using MLS at the moment.  We have one project in production that will make use of MLS data, so we asked them to get access through FAR IDX and we just brought over the import code from the retired site and the data is being brought in daily without a hitch.

So, there is hope for MLS IDX data.  For anyone outside of Florida, ask your local or state association to get in touch with the Florida Association of Realtors and pick their brains.  They are doing it right.

