
RubyConf 2005   27 Oct 05

By now you’ve read the trip reports, viewed the slides, and listened to the presentations. If you haven’t, then shame on you, because there is lots of good stuff there. So I’ll just talk about what RubyConf did for me and how you should change your life to take advantage of my new found knowledge.

First of all I got to do fan boy things like thank Matz for Ruby.

Note that Martin Fowler snuck into the picture, but I had to smudge him out since my understanding is that you have to buy a book from him before you can take his picture.

I also got to have lots of great conversations with my fellow rubyists. Some of it was finally getting to put faces with irc nicks and blog entries. But the chance encounters at the lunch table and at the laptop filled tables during the panels were also edifying. I’m not a gregarious person by nature, so I am very glad I pushed myself to talk to people while at the conference. Talking things over with smart people that have similar goals is one of the best ways to generate interesting ideas. Now I just need to follow through on some of them.

Probably the best part though was just spending three days concentrating on something like Ruby with lots of other people that were also enthusiastic about it. You could smell the Ruby in the air. Many of us spend our days working to pay the mortgage, changing diapers, and cooking dinner. Even though those things are important it is good for the spirit to put all of that on hold for a few days and just geek out. That I am posting a blog entry should be proof enough that RubyConf was very energizing.

My plan is to go to at least two conferences a year. I went to No Fluff Just Stuff and RubyConf this year, and I am very happy with the results. Next year I plan to be at RubyConf again. I would also like to go to a large conference like OSCON or maybe an open space conference.

So what are you doing to make yourself a better programmer and advance your career? One of the things should be regularly attending conferences.



Conferences   11 Aug 05

There are two conferences I’ll be attending soon: Cincinnati No Fluff Just Stuff and RubyConf. If you would like to meet up to discuss Seaside-like web frameworks in Java (Lakeshore) or Ruby, drop me a line at hensleyl@papermountain.org.



Poor Man's Ajax   17 Apr 05

Last summer I began working on extending Avi Bryant’s liveUpdater.js and integrating it into Borges. I was successful as far as that went and reported my results here and here. Unfortunately Borges turned out to be a dead end because of some fundamental problems with its implementation.

However my fork of liveUpdater.js has gone on to play a productive part in the Lakeshore project (more about it later). liveUpdater has been a core piece of the user interface for many commercial applications written by myself, the gentle folk at Mission Data, and several other people that are using Lakeshore. So in short, liveUpdater is under active development and is being used successfully in several commercial applications.

Enough with the history lesson… take a look at the demo. What’s happening is that some event on the client side (a keypress, a click, etc.) triggers a request to the server via XMLHttpRequest. The server returns one or more snippets of HTML. The snippets replace existing sections of the current document based on their “id”. Very nice things are now possible with only a tiny amount (or in the case of Lakeshore, no) javascript coding. You get the dynamic feel and most of the responsiveness that is promised by Ajax without splitting your logic between the client and the server.

Here is how the “Update time” link on the demo works. The HTML contains an empty div with an id of “time”. The “Update time” link is set to use liveUpdater with a target URL of time.cgi:

document.getElementById('time-link').onclick = liveUpdaterUri('time-link', 'time.cgi');

time.cgi sets the content type of its response to “text/xml”. It returns a body element containing a div with the current time. Note that the id of the div matches the id of the empty div in the original HTML document. If you wished to replace additional elements on the page just include them in the body element.
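The server half of the exchange just described, written as an added example in Ruby (it is not liveUpdater's own code nor the demo's time.cgi): snippet_response builds the text/xml reply whose body holds one element per target id, time_cgi_response is the equivalent of time.cgi, and parse_snippets shows the merge step the JavaScript client performs (read each child of body, take its id, replace that element). The function names are assumptions of this example; REXML is Ruby's standard XML library. Because the dynamic text goes through REXML rather than string concatenation, any “<” or “&” in it is escaped and cannot become markup on the client.

```ruby
require 'rexml/document'
require 'time'

# Build a liveUpdater-style response: an XML <body> whose children are the
# HTML snippets to merge into the page, each carrying the id of the element
# it replaces. Returns [content_type, xml_string].
def snippet_response(snippets)
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new('1.0', 'UTF-8')
  body = doc.add_element('body')
  snippets.each do |id, text|
    div = body.add_element('div', 'id' => id)
    div.text = text # REXML escapes <, > and & here
  end
  out = +''
  doc.write(out)
  ['text/xml', out]
end

# time.cgi as a function (assumed name): one snippet for the empty
# <div id="time"> on the demo page.
def time_cgi_response(now = Time.now.utc)
  snippet_response('time' => now.strftime('%Y-%m-%d %H:%M:%S %Z'))
end

# The client-side merge step, expressed in Ruby only for illustration:
# read the response and return a map of target id => replacement text,
# which is what the JavaScript applies to elements with matching ids.
def parse_snippets(xml)
  doc = REXML::Document.new(xml)
  updates = {}
  doc.elements.each('body/*') do |el|
    id = el.attributes['id']
    next if id.nil? # a snippet without an id has nothing to replace
    updates[id] = el.text.to_s
  end
  updates
end

if __FILE__ == $0
  type, xml = time_cgi_response
  puts "Content-Type: #{type}"
  puts
  puts xml
end
```

To replace more than one element per request, pass additional id => text pairs to snippet_response; the client merges every child of body that carries an id.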



Common Web Security Anti-Patterns   16 Jan 05

The following is from a handout I used for a presentation to a group of Java programmers. In retrospect I don't think I like the anti-pattern format, but hopefully you will find it helpful in spite of that.

Name: Trusting form data
Problem: Preserving state across a series of web pages and form submissions.
Supposed Solution: Store information in hidden form fields.
Exploit: The values of the hidden fields can be easily changed by an attacker to subvert the application. The application will then use the altered data in calculations that should only be performed with trusted data.
Example: The data stored in the hidden field is the price of an item in an ecommerce system. A criminal organization exploits this to purchase a large number of expensive items at a 100% "discount".
Alternative Solutions:
  • Only accept data from forms when it doesn't matter if it is tampered with. For example, instead of storing the price in an ecommerce system, only store the product id, then look up the price using the product id as a key.
  • Use a framework such as Lakeshore that abstracts away the problem of managing state across pages.
  • In cases where sensitive data must be stored on the client side (e.g. a price quote) the sensitive data must be cryptographically signed. A signature can be generated by concatenating the sensitive data with a secret and calculating a one way hash. This signature is then always passed with the sensitive data, allowing any tampering to be detected.
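The third alternative worked through in Ruby, as an added example that is not from the handout or from Lakeshore. It uses HMAC-SHA256, the standard construction of "hash the data together with a secret" (a plain hash over secret-plus-data is open to length-extension attacks, which HMAC avoids). The signature covers the product id, the price and an expiry, so a client cannot move a price onto another product or reuse an old quote. The names sign_quote, verify_quote, secure_equal? and the QUOTE_SECRET value are assumptions of this example.

```ruby
require 'openssl'

# Server-side secret; constructed placeholder. In practice it is loaded
# from configuration and never sent to the browser.
QUOTE_SECRET = 'replace-me-with-a-random-secret'

# Sign a price quote so it can ride in a hidden field. Returns the
# hidden-field value: "product_id:price:expires_at|hex_signature".
# Product ids are assumed not to contain ':'.
def sign_quote(product_id, price, expires_at, secret = QUOTE_SECRET)
  payload = [product_id, format('%.2f', price), expires_at.to_i].join(':')
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}|#{sig}"
end

# Compare two strings without leaking where they differ through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted hidden field. Returns [product_id, price] when the
# signature matches and the quote has not expired, otherwise nil. Never
# trust any part of the payload before the signature has been checked.
def verify_quote(field, now = Time.now, secret = QUOTE_SECRET)
  payload, sep, sig = field.to_s.rpartition('|')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(sig, expected)
  product_id, price, expires_at = payload.split(':', 3)
  return nil if expires_at.nil? || expires_at.to_i < now.to_i
  [product_id, price.to_f]
end
```

The field value is still readable by the user; signing detects tampering but does not hide anything, so data that must stay private belongs in server-side session state instead.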

Name: SQL Injection
Problem: User supplied data must be used in queries against a database.
Supposed Solution: Just substitute the user input into an SQL template and execute it.
Exploit: An attacker can carefully craft the supplied data to execute arbitrary SQL. The details vary by database vendor, but for Oracle the key concept is starting the SQL to be inserted with a single quote.
Example: An ecommerce system allows the catalog of products to be searched based on a user supplied string by simply inserting the user supplied string into a query. The attacker enters the following as the search criterion: x' UNION SELECT table_name FROM user_tables WHERE 'x'='x. This will allow the attacker to obtain the name of the table that credit card information is stored in, then use the same technique to retrieve all of the credit card numbers stored in the system.
Alternative Solutions:
  • Don't execute SQL using raw JDBC calls. Use a library such as SQLProcessor that always uses prepared statements. This is sufficient for applications that use Oracle databases, but may not be for other databases.
  • Escape single quotes in user input before using it in an SQL statement.
Further reading: http://www.securityfocus.com/infocus/1644
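Both alternatives side by side in Ruby, as an added example that is not part of the handout or of SQLProcessor: the anti-pattern (string substitution), the escaping fix, and the prepared-statement form returned as a template plus bind values in the shape a driver's prepare/execute takes. literal_count is a small review aid (an assumption of this example) that counts the string literals in a statement; the template has exactly one, so any more means the input escaped its quotes. As the handout notes, quote doubling is the Oracle rule and escaping is vendor-specific, which is why the bound-parameter form is the one to prefer.

```ruby
# The anti-pattern: the search string is substituted straight into the SQL.
def search_sql_unsafe(term)
  "SELECT name FROM products WHERE name LIKE '%#{term}%'"
end

# Alternative 2: escape single quotes. In Oracle (and standard SQL) a quote
# inside a literal is written as two quotes.
def quote_literal(str)
  "'" + str.gsub("'", "''") + "'"
end

def search_sql_escaped(term)
  "SELECT name FROM products WHERE name LIKE #{quote_literal("%#{term}%")}"
end

# Alternative 1: a prepared statement. The SQL text is fixed and the user
# input travels separately as a bind value, so it can never change the
# structure of the statement. Returns [sql, binds].
def search_sql_prepared(term)
  ['SELECT name FROM products WHERE name LIKE ?', ["%#{term}%"]]
end

# Count the string literals in a statement, treating '' as an escaped quote.
# The template contains one literal; more means the input broke out of it.
def literal_count(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

# The injection string from the handout's example, used here as test input.
ATTACK = "x' UNION SELECT table_name FROM user_tables WHERE 'x'='x"

if __FILE__ == $0
  [search_sql_unsafe(ATTACK), search_sql_escaped(ATTACK)].each do |sql|
    puts "#{literal_count(sql)} literal(s): #{sql}"
  end
end
```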

Name: Cross Site Scripting (xss)
Problem: User supplied data is displayed to other users.
Exploit: An attacker can carefully craft the data so that it does a wide variety of malicious things when another user views the data.
Example: An ecommerce system displays the names and addresses of problem orders on a screen accessible by an administrative user. The attacker enters javascript for his address that will steal the viewing user's JSESSIONID cookie and post it to a logging URL controlled by the attacker. When the administrator views the attacker's order his JSESSIONID is stolen and the attacker can then impersonate the administrator.
Alternative Solutions:
  • Filter out dangerous characters from user supplied input before storing it.
  • Encode all user supplied input before displaying it to other users.
Further reading:
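The second alternative applied to the problem-orders screen, as an added Ruby example that is not from the handout: the row is rendered once with the stored address concatenated in as-is and once with every user-supplied value passed through CGI.escapeHTML (Ruby's standard library) at the point it is written into HTML. The order record and the address payload are constructed for the example; the payload is an inert marker, not the cookie-stealing script the handout describes. problem_order_row_unsafe, problem_order_row and contains_raw_script? are names assumed here.

```ruby
require 'cgi'

# Constructed order record: the attacker has typed markup into the address.
ORDER = { name: 'Mallory', address: "<script>alert('xss')</script> 1 Main St" }

# The anti-pattern: user data concatenated into the admin page as-is, so the
# browser parses the address as markup and runs the script.
def problem_order_row_unsafe(order)
  "<tr><td>#{order[:name]}</td><td>#{order[:address]}</td></tr>"
end

# Alternative 2: encode every user-supplied value on output. CGI.escapeHTML
# turns & < > " ' into entities, so the browser renders the text literally.
# Encoding at output time protects even data that was stored before any
# input filter existed.
def problem_order_row(order)
  "<tr><td>#{CGI.escapeHTML(order[:name].to_s)}</td>" \
    "<td>#{CGI.escapeHTML(order[:address].to_s)}</td></tr>"
end

# Review check: does the rendered fragment still contain a script tag that
# originated in user data?
def contains_raw_script?(html)
  !(html =~ /<script\b/i).nil?
end

if __FILE__ == $0
  puts problem_order_row_unsafe(ORDER)
  puts problem_order_row(ORDER)
end
```

Because quotes are encoded too, the same function is safe for values placed inside quoted HTML attributes. As a second layer for the scenario in the example, marking the session cookie HttpOnly keeps script on the page from reading it even if an encoding step is missed.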

Stupid SQL tricks   13 Jan 05

Consider the following tables:

people

id name
1 Jack
2 Jane
3 Raja
4 Aaliyah

questions

id text
1 What’s your favorite color?
2 Do you like dogs?

answers

person_id question_id value
1 1 Red
1 2 Yes
2 1 Blue
2 2 No
.. .. ..

This SQL:


-- DECODE(expr, search, result) yields result when expr = search and NULL
-- otherwise; MAX over each person's group then picks the single non-NULL value.
SELECT people.id, MAX(people.name) AS name,
       MAX(DECODE(answers.question_id, 1, answers.value)) AS favorite_color,
       MAX(DECODE(answers.question_id, 2, answers.value)) AS likes_dogs
FROM people, answers
WHERE people.id = answers.person_id
GROUP BY people.id

Will yield the following:
people.id name favorite_color likes_dogs
1 Jack Red Yes
2 Jane Blue No
3 Raja Green No
.. .. .. ..

A coworker of mine, Ken Gibbs, showed me this technique several years ago and I’ve used it frequently since. While this use of MAX and DECODE is hardly unknown , I have recently shown this to a few people who were really excited by it. So I thought I would share it with you, dear reader. Also, note that Oracle’s DECODE can easily be replaced with a CASE in other SQL dialects.

Update: fixed an error in the example SQL



Copyright © 2024 Leslie A. Hensley