Detecting Postgres SQL Injection

    By Greg Sabino Mullane
    June 10, 2012

SQL injection attacks are often treated with scorn among seasoned DBAs and developers—“oh it could never happen to us!”. Until it does, and then it becomes a serious matter. It can, and most likely will eventually happen to you or one of your clients. It’s prudent to not just avoid them in the first place, but to be proactively looking for attacks, to know what to do when they occur, and know what steps to take after you have cleaned up the mess.

    What is a SQL injection attack? Broadly speaking, it is a malicious user entering data to subvert the nature of your original query. This is almost always through a web interface, and involves an “unescaped” parameter that can be used to change the data returned or perform other database actions. The user “injects” their own SQL into your original SQL statement, changing the query from its original intent.

For example, you have a page in which a logged-in customer can look up their orders by an order_number, a text field on a web form. The query thus looks like this in your code:

    $order_id = cgi_param('order_number');
    
    $sql = "SELECT * FROM order WHERE order_id = $order_id AND order_owner = '$username'"; …

    database monitoring postgres security

    Devise on Rails: Prepopulating Form Data

    By Steph Skardal
    June 8, 2012

    I recently had a unique (but reasonable) request from a client: after an anonymous/guest user had completed checkout, they requested that a “Create Account” link be shown on the receipt page which would prepopulate the user form data with the user’s checkout billing address. Their application is running on Ruby on Rails 3.2 and uses devise. Devise is a user authentication gem that’s popular in the Rails community.
    A customer request was to include a link on the receipt page that would autopopulate the user create account form with checkout data.

    Because devise is a Rails engine (self-contained Rails functionality), the source code is not included in the main application code repository. While using bundler, the version information for devise is stored in the application’s Gemfile.lock, and the engine source code is stored depending on bundler configuration. Because the source code does not live in the main application, modifying the behavior of the engine is not quite as simple as editing the source code. My goal here was to find an elegant solution to hook into the devise registration controller to set the user parameters.

    ActiveSupport::Concern

    To start off, I set up a …
    rails

    Integrating UPS Worldship - Pick and Pack

    By Terry Grant
    May 29, 2012

    Using UPS WorldShip to automate a pick and pack scenario

There are many options when selecting an application to handle your shipping needs. Typically you will be bound to one of the popular shipping services: UPS, FedEx, or USPS, or a combination thereof. In my experience UPS Worldship offers a very robust shipping application that is dynamic enough to accommodate integration with just about any custom or out-of-the-box ecommerce system.

UPS Worldship offers many automation features by allowing you to integrate in many different ways. The two main automated features consist of batch label printing and individual label printing. I would like to cover my favorite way of using UPS Worldship, which allows you to import and export data seamlessly.

You should choose the solution that works best for you and your shipping procedure. In this blog post I would like to discuss a common warehouse scenario referred to as Pick And Pack. The basic idea of this scenario is that an order is selected for warehouse personnel to fulfill; it is then picked, packed, and shipped. UPS Worldship allows you to do this in a very automated way with a bit of customization. This is a great solution for a small to …

    ecommerce shipping

    Simple Pagination with AJAX

    By Jeff Boes
    May 24, 2012

    Here’s a common problem: you have a set of results you want to display (search results, or products in a category) and you want to paginate them in a way that doesn’t submit and re-display your results page every time. AJAX is a clear winner in this; I’ll outline a very simple, introductory approach for carrying this off.

    (I’m assuming that the reader has some modest familiarity with JavaScript and jQuery, but no great expertise. My solutions below will tend toward the “Cargo Cult” programming model, so that you can cut and paste, tweak, and go, but with enough “how and why” sprinkled in so you will come away knowing enough to extend the solution as needed.)

    Firstly, you have to have the server-side processing in place to serve up paginated results in a way you can use. We’ll assume that you can write or adapt your current results source to produce this for a given URL and parameters:

    /search?param1=123&param2=ABC&sort=colA,colB&offset=0&size=24

    That URL offers a state-less way to retrieve a slice of results: in this case, it corresponds to a query something like:

    SELECT  FROM  WHERE param1='123' AND param2='ABC'
    ORDER BY colA,colB OFFSET 0 LIMIT …

    javascript json

    Liquid Galaxy at Doodle 4 Google

    By Alejandro Ramon
    May 21, 2012

    Last week I went to Google’s New York Office on 8th Ave with Ben, intern Ben, and hired hand Linton. For those who have not experienced this wonderful place, Google’s building takes up an entire city block, is very colorful, and is probably one of the coolest places I have ever been to in the Big Apple.

    Walking through the huge building is an experience in itself, with people riding Razor Scooters by you as you pass by street signs marking different areas in the office. It was explained to me that each floor is themed after a different place in the city. For example, the 10th floor, the main floor we were working on, is based on Queens. And of course they have the best break rooms. Free food everywhere! Also they have ball pits. You know you are awesome when you have ball pits.

Anyway, the reason we were at Google in the first place was to move the Liquid Galaxy on the 10th floor down to the 5th floor. It was great to see how many people came up to us and told us how much they enjoyed using the system, and they all wanted to know when and if it would ever be back.

Moving the Liquid Galaxy went smoothly, and setting it back up on the 5th floor (at the “Water Tower”) went even more smoothly. …

    clients event visionport

    Website Performance Boot Camp at UTOSC 2012

    By Jon Jensen
    May 21, 2012

    I’ll keep brief my last post about this year’s Utah Open Source Conference.

I was asked to give a talk on both day one and day two called “Website Performance Boot Camp”, which carried this brief description:

    What’s the difference between a snappy website and a sloth that you turn away from in frustration? A lot of little things, usually. It’s rarely worth doing 100% of the optimization you could do, but getting 75% of the way isn’t hard if you know where to look.

    We’ll look at HTTP caching, compression, proxying, CDNs, CSS sprites, minification, and more, how to troubleshoot, and what’s best to leave alone when you have limited time or tolerance for risk.

    Here is the video recording of the first time I presented the talk. (The technician noted its audio was “a little hot”.)

    Use this Website Performance Boot Camp direct YouTube video link if the embedded video doesn’t work for you.

    The slides for this Website Performance Boot Camp presentation are available.

    Thanks again to the conference organizers and the other speakers and sponsors, and the nice venue Utah Valley University, for making it a great conference!
    community conference ecommerce open-source optimization performance

    UTOSC 2012 talks of interest

    By Jon Jensen
    May 18, 2012

    It’s been two weeks now since the Utah Open Source Conference for 2012. My fellow End Pointers wrote previously about it: Josh Ausborne about the mini Liquid Galaxy we set up there for everyone to play with, and Josh Tolley with a write-up of his talks on database constraints and KML for geographic mapping markup.

    There were a lot of interesting talks planned, and I could only attend some of them. I really enjoyed these:

    • Rob Taylor on AngularJS

    • Brandon Johnson on Red Hat’s virtualization with oVirt, Spacewalk, Katello, and Aeolus

    • Clint Savage about RPM packaging with Mock & Koji

    • Daniel Evans on testing web applications with Capybara, embedded WebKit, and Selenium (which End Pointer Mike Farmer wrote about here back in December)

    • Aaron Toponce on breaking full-disk encryption (I missed this talk, but learned about it from Aaron in the hallway track and his slides afterwards)

    • Matt Harrison’s tutorial Hands-on intermediate Python, covering doctest, function parameters and introspection, closures, function and class decorators, and more.

    I gave a talk on GNU Screen vs. tmux, which was fun (and ends with a live demo that predictably fell apart, and audience questions …
    browsers conference javascript python redhat security sysadmin virtualization kml

    Keeping Your Apps Neat & Tidy With RequireJS

    By Greg Davidson
    May 17, 2012

    RequireJS is a very handy tool for loading files and modules in JavaScript. A short time ago I used it to add a feature to Whiskey Militia that promoted a new section of the site. By developing the feature as a RequireJS module, I was able to keep all of its JavaScript, HTML and CSS files neatly organized. Another benefit to this approach was the ability to turn the new feature “on” or “off” on the site by editing a single line of code. In this post I’ll run through a similar example to demonstrate how you could use RequireJS to improve your next project.

    File Structure

    The following is the file structure I used for this project:

    ├── index.html
    └── scripts
        ├── main.js
        ├── my
        │   ├── module.js
        │   ├── styles.css
        │   └── template.html
        ├── require-jquery.js
        ├── requirejs.mustache.js
        └── text.js

    The dependencies included RequireJS bundled together with jQuery, mustache.js for templates and the RequireJS text plugin to include my HTML template file.

    Configuration

    RequireJS is included in the page with a script tag and the data-main attribute is used to specify additional files to load. In this case “scripts/main” tells RequireJS to load the main.js file …
    css javascript jquery open-source tools