The Largest Repository of ColdFusion Knowledge in The World for More Than 12 Years

ColdFusion on Ulitzer

Subscribe to ColdFusion on Ulitzer: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get ColdFusion on Ulitzer: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


CFDJ Authors: AppDynamics Blog, Michael Kopp, Tad Anderson, Bob Gourley, Jayaram Krishnaswamy

Related Topics: ColdFusion on Ulitzer

CFDJ: Article

CFContent With Images

CFContent With Images

Many of us have used the CFCONTENT tag that comes with ColdFusion to serve up files to browsers, but very few ColdFusion developers are aware that the CFCONTENT tag can be used in conjunction with the HTML <IMG> tag to serve up graphics, such as JPEGs and GIFs. In this case, the why of doing this is perhaps just as interesting as the how.

It turns out that using this technique is perfect for use with creating an advertising banner server, controlling access to graphic files, or - on the more sinister side - creating "Web bugs."

If you don't recall, a Web bug is a graphic (usually an invisible 1 pixel shim) that is embedded in an HTML e-mail message or Word document that tips off its creator when and who is reading without readers even knowing their access was logged.

If you've never used the CFCONTENT tag before, it's an excellent tool to become familiar with. In layman's terms, CFCONTENT tells a Web browser that it's about to receive a non-HTML file, and then sends it to the browser. It does this by allowing you to specify a MIME type and a filename to send to the browser. So a ColdFusion template name can be put in place of a JPEG or GIF file, like so:

<IMG SRC="http://www.myserver.com/
images/send_graphic.cfm">

The ColdFusion template "sendgraphic.cfm" will contain a CFCONTENT tag that specifies "image/gif" for the MIME type and is pointed at the name of an actual .GIF file. The kicker is that you can also include code that logs the access to the file to a database table or does just about anything else ColdFusion can do. This is where privacy advocates get upset.

If logging access isn't bad enough, your send_graphic.cfm file could also use CFCOOKIE to set a cookie on the viewer's machine. In turn you could later check for the cookie when the user visits your Web site. If the cookie is there, then you could infer that the person viewed the e-mail, and then decided to visit the Web site. And that's just the beginning of the worst of the possibilities.

A more common use of CFCONTENT in this way is to serve graphics for a banner server-type application. The logistics and possibilities are about the same as for a Web bug. The only major difference is that even less savvy Internet users are aware that someone is probably logging each and every time the graphic is viewed. In the same spirit as with security flaws in applications, the authors of this article feel that it's better to make as many people as possible aware of these techniques and then let them decide how to use the information. This is, after all, real-world stuff that is regularly used by Web programmers at Microsoft, Barnes & Noble, and other major direct e-mailers. So in that spirit, let's look at some example code in Listing 1.

This simple example uses a custom tag called <CFX_NSLookup> free from Lewis Sellar's Intra foundation (www.intrafoundation.com/freeware.html), and is used to get the user's domain name from the IP Address. We will use CFTRY tags to catch any possible logging failures and just send the image anyway. Finally, we use CFSETTING to suppress any extra white space that might be generated by our code formatting. To avoid problems with Web browsers, the only output we need or want comes from CFCONTENT.

So there you have it. When the Web browser or e-mail client loads the HTML containing <IMG SRC=" www.myserver.com/images/send_graphic.cfm">, their IP address, the date, and possibly their domain name are logged in a database and the graphic sent, and the uneducated viewer is none the wiser.

Advantages of using CFCONTENT to serve graphics are:

1. The actual location of the file does not have to be in the accessible Web path. (This is good if your users are paying for the files, such as graphics libraries, PDF reports, or install EXEs.)
2. You can include code in the template that can log access to the file.
3. The file to be displayed can be dynamically selected based on other criteria; for instance, random image display, and graphic size based on connection speed.

Web bugs graphics let you track who reads e-mail or Word documents. ColdFusion can server up smart Web bugs or any other dynamic graphic using CFCONTENT.

Resources
1.Web bug FAQ: www.eff.org/pub/Privacy/Profiling_cookies_webbugs/web_bug.html
2. General privacy site: www.privacyfoundation.org/

More Stories By Eron Cohen

Eron Cohen is a ColdFusion programmer, MDCFUG speaker, and author.

More Stories By Michael Smith

Michael Smith is president of TeraTech (www.teratech.com/), an
11-year-old Rockville, Maryland-based consulting company that
specializes in ColdFusion, database, and Visual Basic development.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.