ServerFault Hijacks Amazon Links

Posted on May 30, 2010 by: Justin Scott 0 Comments

I just discovered something interesting in the way ServerFault handles links to Amazon.  In a post regarding Google's infrastructure, I recommended a book, Scalable Internet Architectures, with a link to it on Amazon.  The link I put in the comment is the same one here in this post.  It's not an affiliate link, just a plain link to the book's page.  After the post was saved and displayed on the question page, I noticed that the link had changed.  Editing the post shows the link I entered, but the display shows a different link as follows:

http://rads.stackoverflow.com/amzn/click/067232699X

It appears that their view generator for the answers has some code which sniffs out links to Amazon and replaces them with an internal link to their ad server.  This link generates a 302 redirect to Amazon:

http://www.amazon.com/dp/067232699X/?tag=stackoverfl08-20

That URL includes their Amazon Associates tag, so if someone were to click the link and purchase the book, ServerFault would get a referral fee credited to them.  Now, I'm not saying that this is wrong or that they shouldn't be doing it, but I don't recall seeing anything about this mentioned anywhere else.  To the contrary, the sites that are part of the Stack Overflow network (like ServerFault) are the best of their kind.  Unlike some "other" question and answer sites, they don't charge us for the privilege of assisting our peers (and getting a little help when we need it).  They deserve to be compensated for their efforts.  I just wasn't expecting a link in one of my posts to get hijacked.  It would have been nice if their editor detected the Amazon link and gave me a little note, "Hey, we see you're posting a link to Amazon.  We're going to alter that a bit so we can track it and earn some flow, mmm-kay?"  Now, if you're a network junkie, go to ServerFault and help some people that aren't as smart as you are. :)


ColdFusion 9 Server Lockdown Guide

Posted on May 28, 2010 by: Justin Scott 0 Comments

Pete Freitag, of HackMyCF fame, has written an informative guide on securing Adobe ColdFusion Server.  The guide is available from Adobe.  It covers how to lock down the ColdFusion Server installation and limit the attack surface that the server software itself presents.  It also talks about how to lock down the administrator so that it is only available to those who need access.  The guide makes great suggestions for those who run production ColdFusion servers and want to minimize their attack surface.  The guide also discusses how to remove functionality you're not using from the server, makes suggestions for various ColdFusion administrator settings and their impacts, as well as some suggestions for developers to improve the security of their code.  Overall, a nice guide for anyone who administers a ColdFusion server.


Mango API - How to Create a Post

Posted on May 28, 2010 by: Justin Scott 8 Comments

I've been using Mango Blog on and off for quite a while, but recently I've really begun to dig my heels in and use it as a platform to base entire websites on.  Part of the magic of Mango Blog is its extensibility.  Laura has done a fabulous job of providing hooks into the core engine.  My goal is to write code around it that does what I want but never actually modifies the core engine.  This is easier said than done, but Mango makes that goal a lot easier to reach.  Now, one of the things that comes up often is creating new posts automatically.  They could be coming from an RSS feed, another content management system, or user submissions.  The first thing that springs to mind would be to write the data directly to the database.  That, however, would be a Very Bad Thing(tm).  Mango may change the database structure with a new release, or move to some other means of storing posts entirely.  That would also bypass the event announcements that plugins are looking for.  That would ruin your whole day!  So what are we to do?

Enter the API.  Mango provides a pretty decent set of APIs into the core functionality.  One of these is the ability to create a new post through code in a way that lets Mango handle the data storage and preserves the event announcements and all the other "work" that goes on in the background.  The API says, "Give me the data and I'll take care of the dirty work for you."  How do we use the API?  It's simple, really.  Here's an example:



<cfscript>
// Get the API
mangoAPI = createObject("component", "api.api");
// Set up the post attributes.
myPost = structNew();
myPost.username = "admin-username";
myPost.password = "admin-password";
myPost.title = "API Post Title";
myPost.content = "This is a post through the API";
myPost.publish = true;
myPost.blogID = "";
// Call the API.  Returns the post ID or an error string.
postID = mangoAPI.newPost(argumentcollection=myPost);
</cfscript>

Wasn't that easy?  The username and password would be the login credentials of the admin user you want to "own" the post.  The publish setting determines whether the post will be published on the site or put into "draft" mode.  The blogID is ignored as of this writing (perhaps it's reserved for a future release where Mango supports multiple blogs on the same install).  The API will return either a UUID which is the new post ID, or an error string letting you know what isn't right.  Hopefully this will help anyone who's trying to automate their Mango a bit.  Cheers!
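
An added example (not from the original post and not Mango's own code): a wrapper around the same newPost() call that keeps the admin credentials out of the source file and tells the UUID apart from the error string.  The function name, the MANGO_API_USER / MANGO_API_PASS environment variable names and the "mango-import" log file name are assumptions made for illustration.

```cfml
<cfscript>
// Added example: hypothetical wrapper around the api.api newPost() call.
// MANGO_API_USER and MANGO_API_PASS are assumed environment variable names.
function createMangoPost(required string title, required string content, boolean publish=false) {
    var env = createObject("java", "java.lang.System");
    var args = structNew();
    var result = "";
    var out = structNew();

    // Read the admin credentials from the server environment, not from source.
    // getenv() returns a Java null when unset, which leaves the key undefined.
    args.username = env.getenv("MANGO_API_USER");
    args.password = env.getenv("MANGO_API_PASS");
    if (!structKeyExists(args, "username") || !structKeyExists(args, "password")) {
        throw(type="MangoPost.Config", message="Mango API credentials are not set.");
    }

    args.title = arguments.title;
    args.content = arguments.content;
    args.publish = arguments.publish;
    args.blogID = ""; // ignored by the API as of the original post

    result = createObject("component", "api.api").newPost(argumentcollection=args);

    // Success is a UUID (accept CF or GUID form); anything else is the error string.
    out.ok = isValid("uuid", result) || isValid("guid", result);
    out.postID = "";
    out.error = "";
    if (out.ok) {
        out.postID = result;
    } else {
        out.error = result;
        // Log the failure with the title only; never write the credentials.
        writeLog(file="mango-import", type="error",
                 text="newPost failed for '#arguments.title#': #result#");
    }
    return out;
}

// Constructed sample input: import as a draft so it can be reviewed first.
r = createMangoPost("Imported item", "Body text from the feed", false);
if (r.ok) {
    writeOutput("Created post " & r.postID);
} else {
    writeOutput("Post was not created; see the mango-import log.");
}
</cfscript>
```

Defaulting publish to false means content pulled from a feed or a user submission lands in draft mode until someone has looked at it.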

