home Links Articles Books Past Meetings Photos SiteMap
The MDCFUG is sponsored by TeraTech. Visit us at www.TeraTech.com

Please send
comments/questions to

michael@
teratech.com

 

Text Box: Practical CF: CFCONTENT with images: From Web Bugs to Banner Servers
by Eron Cohen and Michael Smith
TeraTech http://www.teratech.com/

Use CFCONTENT to secretly track readers of your emails from ColdFusion.

 

Text Box: MIME Type
A MIME type is a description of what kind of data the browser is receiving. It helps the browser decide how to display the data. For example a type image/gif will be displayed as an image while type text/HTML is a regular HTML page. MIME was originally intended for sending binary files via email, thus the abbreviation stands for Multipurpose Internet Mail Extension

Tip - in Netscape the menu option View, Page Info will display all parts of a web page together with their MIME types.
Many of us have used the CFCONTENT tag that comes with ColdFusion to serve up files to browsers, but very few ColdFusion developers are aware that the CFCONTENT tag can be used in conjunction with the HTML <IMG> tag to server up graphics such as JPEGs and GIFs.  In this case, the why of doing this is perhaps just as interesting as the how.  It turns out that using this technique is perfect for use with creating an advertising banner server, controlling access to graphic files or on the more sinister side, for creating “web bugs.”  If you don’t recall, a web bug is a graphic (usually an invisible one pixel shim) that is embedded in an HTML email message or Word document that tips off its creator when and who is reading without the reader even knowing their access was logged.

 

If you’ve never used the CFCONTENT tag before, it’s an excellent tool to know about.  In layman’s terms, CFCONTENT tells a web browser that it’s about to receive a non-HTML file, and then sends it to the browser.  It does this by allowing you to specify a MIME type and a filename to send to the browser.  So a ColdFusion template name can be put in place of a JPEG or GIF file like so:

 

 

 

<IMG SRC="http://www.myserver.com/images/send_graphic.cfm">

 

The ColdFusion template “send_graphic.cfm” will contain a CFCONTENT tag that specifies “image/gif” for the MIME type and is pointed at the name of an actual .GIF file.   The kicker is that you can also include code that logs the access to the file to a database table or does just about anything else ColdFusion can do.  This is where privacy advocates get upset.  If logging access isn’t bad enough, your send_graphic.cfm file could also use CFCOOKIE to set a cookie on the viewer’s machine.  In turn you could later check for the cookie when the user visits your website.  If the cookie IS there, then you could infer that the person viewed the email and then decided to visit the website.  And that’s just the beginning of the worst of the possibilities.

 

A more common use of CFCONTENT in this way is to serve graphics for a banner server-type application.   The logistics and possibilities are about the same as for a web bug.  The only major difference is that even less savvy Internet users are aware that someone is probably logging each and every time the graphic is viewed.  In the same spirit as with security flaws in applications, the authors of this article feel that its better to make as many people as possible aware of these techniques and then let them decide how to use the information.  This is after all real world stuff that is regularly used by web programmers at Microsoft, Barnes and Noble and other major direct emailers.  So in that spirit, lets take a look at some example code. 

 

send_graphic.cfm:

<CFTRY>

<CFSETTING enablecfoutputonly="yes">

 

<CFPARAM name="nslookup" default="unknown">

 

<CFLOCK NAME="NSLOOKUP" TIMEOUT="30">

<CFX_NSLookup IPHOST="#CGI.remote_addr#">

</CFLOCK>

 

<CFQUERY NAME="Log_Image_Views" DATASOURCE="#application.dsn#">

 

    INSERT INTO log_image_views

 (logo_view_IP,logo_view_date,logo_view_domain )

            values ('#CGI.remote_addr#',#createodbcdatetime("#now()#")#, '#NSLookup#')

 

</CFQUERY>

 

<!--- ////////////////////////////////////////////////////////////////////////////// --->

<!--- //   Force the browser to download the image file.     //--->

<!--- ///////////////////////////////////////////////////////////////////////////// --->

 

<CFCONTENT TYPE="image/gif" FILE="c:\images\invisible_pixel.gif">

 

<CFSETTING enablecfoutputonly="no">

 

<CFCATCH TYPE="any">

<CFCONTENT TYPE="image/gif" FILE=" c:\images\invisible_pixel.gif">

</CFCATCH>

 

</CFTRY>

 

This simple example uses a custom tag called <CFX_NSLookup> free from Lewis Sellar’s Intrafoundation (http://www.intrafoundation.com/freeware.html) that is used to get the user’s domain name from the IP Address.  We will use CFTRY tags to catch any possible logging failures and just send the image anyway.  Finally, we use CFSETTING to suppress any extra white space that might be generated by our code formatting.  To avoid problems with web browsers, the only output we need or want comes from CFCONTENT.

 

So there you have it.  When the web browser or email client loads the HTML containing: <IMG SRC="http://www.myserver.com/images/send_graphic.cfm"> their IP Address, date and possibly their domain name are logged in a database and the graphic sent, and the uneducated viewer is none-the-wiser.

 

Advantages of using CFCONTENT to serve graphics:

1)     The actual location of the file does not have to be in the accessible web path (This is good if your users are paying for the files such as graphics libraries, PDF reports or install EXEs)

2)     You can include code in the template that can log access to the file

3)     The file to be displayed can be dynamically selected based on other criteria. Eg random image display, graphic size based on connection speed etc.

 

Did they read the email?

Did you ever want to know who reads your email? Just embed their email address in a web bug URL. You'll probably be CFLOOPING over a list of e-mail addresses, so in your CFMAIL tag, you'd embed the following web bug (where email is the name of the field that contains your e-mail addresses.

 

<img src="http://www.myserver.com/bug.cfm?id=#urlencodedformat(email)#"

height=1 width=1>

 

Then on your server, you'd have the following script (saved as /bug.cfm).

 

<CFSET dtDate = createodbcdatetime(now())>

<CFIF isdefined("ID") and len(ID)>

<CFQUERY NAME="SAVEDATA" DATASOURCE="MYDATASOURCE">

UPDATE EmailList SET HasRead = #dtDate# WHERE email='#ID#'

</CFQUERY>

</CFIF>

<CFCONTENT TYPE="image/gif" FILE="c:\inetpub\wwwroot\shim.gif"

DELETEFILE="no">

 

 

Summary

Web bugs graphics let you track who reads email or Word documents. ColdFusion can server up smart web bugs or any other dynamic graphic using CFCONTENT.

Resources

Web bug FAQ

http://www.eff.org/pub/Privacy/Profiling_cookies_webbugs/web_bug.html

General privacy site

 http://www.privacyfoundation.org/

Bio

Eron Cohen ([email protected]) is freelance ColdFusion programmer, MDCFUG speaker, trainer and author. Michael Smith is president of TeraTech http://www.teratech.com/ , a 12-year-old Rockville, Maryland based consulting company that specializes in ColdFusion, Database and Visual Basic development.  Michael runs the MDCFUG and recently organized the two-day, Washington, DC-based CFUN-2k conference that attracted more than 750 participants. You can reach Michael at [email protected] or 301-881-1440.


Home | Links | Articles | Past Meetings | Meeting Photos | Site Map
About MDCFUG | Join | Mailing List |Forums | Directions |Suggestions | Quotes | Newbie Tips
TOP

Copyright © 1997-2024, Maryland Cold Fusion User Group. All rights reserved.
< >