Here's a tip that I wanted to share with everyone here. It may be
known but I only found out about it today and wanted to share.
If you ever get the dreaded "Invalid Reply from Server" message from
AjaxCFC, spark up Firefox/FireBug and call your site from your local IP.
This will give you the actual message that DWR is sending back.
Put a stop point at about line 517 (or immediately after
"batch.req.send(query);") of engine.js and look for the "batch" object.
In there you'll find the "req" (XMLHttpRequest request) object which
has a standard attribute called responseText. That will give you all of
the details of your error but for security reasons, it only shows it via
your local IP address (127.0.0.1).
Rey...
Rob Gonda announced in his blog the other day that he's changed the license for ajaxCFC from a restricted open source license in which permission was required to redistribute it, to a more formal open source license. He's chosen the Apache 2.0 license.
Thanks Rob!
The following applies to CFAJAX version 1.3. I don't know about previous versions, and I certainly don't know about future versions!
I've noticed that CFAJAX seems to have problems with Safari. I've also noticed that other people have noticed as well.
Although my chat room worked for Safari users, Safari seemed to URL-encode the parameters, and CF did not decode them. Almost as if Safari URL-encoded the parameters, and then URL-encoded the whole XML packet, so when ColdFusion received the XML packet, it URL-decoded it, and the parameters were still URL-encoded. Crazy!
So a Safari user would type "hey just checking this out", and it would get passed to my functions as "hey%20just%20checking%20this%20out".
Here's my solution to this problem:
In the "convertDataPassedToCFFunctionParam" function, around line 90ish, just after the <cfelse> tag, I replaced the single line that was there (that starts with <cfset variable.param = listAppend ... >) with the following:
<cfif FindNoCase("Safari", CGI.HTTP_USER_AGENT)>
<!--- Assumed Safari check: the post omits the opening cfif tag, so this condition is a placeholder. --->
<!--- Decode first, then double the quotes and pound signs; decoding after escaping would turn %22 back into a bare quote that ends the string literal. --->
<cfset variables.param = ListAppend(variables.param,"""" & Replace(Replace(URLDecode(mid(variables.var, variables.firstPos+1 , len(variables.var)-variables.firstPos)),Chr(34),"#Chr(34)##Chr(34)#","ALL"),Chr(35),"#Chr(35)##Chr(35)#","ALL") & """")>
<cfelse>
<cfset variables.param = ListAppend(variables.param,"""" & Replace(Replace(mid(variables.var, variables.firstPos+1 , len(variables.var)-variables.firstPos),Chr(34),"#Chr(34)##Chr(34)#","ALL"),Chr(35),"#Chr(35)##Chr(35)#","ALL") & """")>
</cfif>
Basically, if the browser is Safari, URLDecode the parameter value before placing it into the list. Otherwise, don't.
In an effort to teach myself Ajax, I've written what I think is a pretty nice chat room application that I'll be releasing the source for soon.
| Project: | CFAJAX Chat |
| Home page: | http://www.opensourcecf.com/cfajaxchat |
| Author: | Rick Root |
| License: | GPL |
| Platform: | CFMX 6.1+, Bluedragon 6.2+ (?) |
| Description: | CFAJAX Chat is a multi-user chat room application written in CFML and making use of AJAX technology with the help of CFAJAX. |
While working on my new chat room project using CFAJAX, I discovered a pretty nasty security flaw in the cfajax framework.
Basically, if you have built an application that takes user input as a text string, and passes that text string to a ColdFusion function on the server, then chances are good that your application allows people to execute CFML code on your server that you don't want them to.
I discovered it when I was having trouble with my chat application and the double quote mark ("). Any time I used a double quote in whatever I typed and sent to the server, it would cause a CFML error on the back end.
I realized that if I typed the following line, the CFML in the middle would be executed:
foo " & now() & " foo
And then someone else noticed that you could type in #Now()# and it would be executed on the server.
The flaw is basically in the way cfajax (in the file cfajax.cfm) constructs the functionName variable.
To resolve the problem, on or around line 92, in the listAppend() command that appends to the variables.param list, you have to escape both quotes and pound signs by doubling them up, as follows:
<cfset variables.param = ListAppend(variables.param,"""" & Replace(Replace(mid(variables.var, variables.firstPos+1 , len(variables.var)-variables.firstPos),Chr(34),"#Chr(34)##Chr(34)#","ALL"),Chr(35),"#Chr(35)##Chr(35)#","ALL") & """")>
