Posted by jpluimers on 2018/03/20
Important small [WayBack] Update for DprojNormalizer | The Art of Delphi Programming: it fixes usage of SanitizedProjectName in all other properties.
It is now at [WayBack] Version 2.2.1.
via:ย [WayBack] Small update for DprojNormalizer available – Uwe Raabe – Google+
–jeroen
Posted in Delphi, Development, Software Development | Leave a Comment »
Posted by jpluimers on 2018/03/20
I keep being amazed that new generations of people keep writing SQL injection vulnerable code, so further below is a repeat ofย [WayBack] xkcd: Exploits of a Momย on Little Bobby Tables named Robert '; Drop TABLE Students;--
Take this recent question on G+ for instance: [WayBack] Hi can you help to write correct Query for Filter 3 Data fields for Example Data1 , Data2 , Data2 txt1 = Data1 txt2= data2 txt3 = data3… – Jude De Silva – Google+ with this code fragment:
Tables:
Data1 , Data2 , Data2
Text control contents:
txt1 = Data1 txt2= data2 txt3 = data3
Examples when text property is filled:
ex1: Data1 and Data 3 ex2: Data 3 and Data2 ex3: Data 1, Data 2 Data 3
Code:
Qury.Close; Query.Sql.Clear; Qury.Sql.Add (Select * From Table1); If Not (txt1.text = ' ')then Begin Qury.Sql.Add(Format ('Where Data1= ' '%s' ' ',[txt1] )); end; If not (txt3.text = ' ') then Begin Qury.Sql.Add(Format ('and Data3= ' '%s' ' ',[txt1] )); end;
This example is wrong on so many levels, to lets explain a few:
Quryย and Queryย for queries: are they actually two variables?The basic solution for solving the actual problem asked is like this (assuming all user input are strings):
where 1=1ย for a starting point for andย based querieswhere 1=0ย for a starting point of orย based queriesAddAndClauseย or AddOrClause taking with parameters Query,ย ย FieldName, ParameterNameย and ParameterValuethen when ParameterValue is not empty:
andย based queries:Format('and %s = :%s', [FieldName, ParameterName]);orย based queries:Format('or %s = :%s', [FieldName, ParameterName]);Query.ParamByName(ParameterName).AsString := ParameterValueBack in 2007, SQL Injection was already a very well known vulnerability (they date back to at least 1998), soย Randall Munroe publishedย [WayBack] xkcd: Exploits of a Momย on Little Bobby Tables named Robert '; Drop TABLE Students;--
School: “Hi, this is your son’s school. We’re having some computer trouble.”
Mom: “Oh, dear — Did he break something?”
School: “In a way. Did you really name your sonRobert'); DROP TABLE Students;-- ?”
Mom: “Oh. Yes. Little Bobby Tables we call him.”
School: “Well, we’ve lost this year’s student records. I hope you’re happy.”
Mom: “And I hope you’ve learned to sanitize your database inputs.”
(Alt-text: “Her daughter is named Help I’m trapped in a driver’s license factory.”)
It did not just get explained atย [WayBack] 327: Exploits of a Mom – explain xkcdย (Explain xkcd is a wiki dedicated to explaining the webcomic xkcd. Go figure.), Little Bobby Tables got his own page there:ย [WayBack] Little Bobby Tables – explain xkcd.
Like people continuing writing SQL injection vulnerable code, XKCD posted another SQL injection inย [WayBack] 1253: Exoplanet Names – explain xkcdย by using e'); DROP TABLE PLANETS;--ย as name for Planet eย of Star Gliese 667.
A few years later, around 2009, Bobby Tables inspired [WayBack] bobby-tables.com: A guide to preventing SQL injectionย explaining:
bobby-tables.com
It goes on with many examples of parameterised queries in many environments and language, for instance in the language used above: Delphi.
You can contribute new environments and languages as the site has source code at [WayBack] GitHub – petdance/bobby-tables: bobby-tables.com, the site for preventing SQL injections.
Finally, it points to a few more resources:
WayBack bobby-tables.com: A guide to preventing SQL injection in Delphi
Delphi
To use a prepared statement, do something like this:
query.SQL.Text := 'update people set name=:Name where id=:ID'; query.Prepare; query.ParamByName( 'Name' ).AsString := name; query.ParamByName( 'ID' ).AsInteger := id; query.ExecSQL;
–jeroen
Posted in Development, Software Development, SQL | Leave a Comment »
Posted by jpluimers on 2018/03/20
Quite a while back, I got attended toย Ben, blogging: Show the complete apache config file:
If you really want to see all the complete config settings, there is no existing tool for that. This Stack Overflow pageย answered this question pretty well: You can use apachectl -S to see the settings of Virtual Host, or apachectl -M to see the loaded modules, but to see all settings, there is no such tool, you will have to go through all the files , starting from familiar yourself with theย ย general structure of the httpd config files.… script …The usage is simple: Run it as
python ย CombineApacheConfig.py. Since there is no additional parameters given, it will retrieve the default Ubuntu apache config file from ย/etc/apache2/apache2.confand generate the result complete config file in/tmp/apache2.combined.conf. If your config file is in different location, then give the input file and output file location.Note: Apache server-info page http://127.0.0.1/server-info also provide similar information, but not in the config file format. It is in human readable format. The page works only when it is open from the same computer.
python CombineApacheConfig.py /etc/apache2/httpd.conf /tmp/apache2.combined.conf
–jeroen
| #!/usr/bin/python2.7 | |
| # CombineApacheConfig.py | |
| __author__ = 'ben' | |
| import sys, os, os.path, logging, fnmatch | |
| def Help(): | |
| print("Usage: python CombineApacheConfig.py inputfile[default:/etc/apache2/apache2.conf] outputfile[default:/tmp/apache2.combined.conf") | |
| def InputParameter(): | |
| if len(sys.argv) <> 3: | |
| Help() | |
| return "/etc/apache2/apache2.conf", "/tmp/apache2.combined.conf" | |
| return sys.argv[1], sys.argv[2] | |
| def ProcessMultipleFiles(InputFiles): | |
| Content = '' | |
| LocalFolder = os.path.dirname(InputFiles) | |
| basenamePattern = os.path.basename(InputFiles) | |
| for root, dirs, files in os.walk(LocalFolder): | |
| for filename in fnmatch.filter(files, basenamePattern): | |
| Content += ProcessInput(os.path.join(root, filename)) | |
| return Content | |
| def RemoveExcessiveLinebreak(s): | |
| Length = len(s) | |
| s = s.replace(os.linesep + os.linesep + os.linesep, os.linesep + os.linesep) | |
| NewLength = len(s) | |
| if NewLength < Length: | |
| s = RemoveExcessiveLinebreak(s) | |
| return s | |
| def ProcessInput(InputFile): | |
| Content = '' | |
| if logging.root.isEnabledFor(logging.DEBUG): | |
| Content = '# Start of ' + InputFile + os.linesep | |
| with open(InputFile, 'r') as infile: | |
| for line in infile: | |
| stripline = line.strip(' \t') | |
| if stripline.startswith('#'): | |
| continue | |
| if stripline.lower().startswith('include'): | |
| match = stripline.split() | |
| if len(match) == 2: | |
| IncludeFiles = match[1] | |
| IncludeFiles = IncludeFiles.strip('"') #Inserted according to V's comment. | |
| if not IncludeFiles.startswith('/'): | |
| LocalFolder = os.path.dirname(InputFile) | |
| IncludeFiles = os.path.join(LocalFolder, IncludeFiles) | |
| Content += ProcessMultipleFiles(IncludeFiles) + os.linesep | |
| else: | |
| Content += line # if it is not pattern of 'include(optional) path', then continue. | |
| else: | |
| Content += line | |
| Content = RemoveExcessiveLinebreak(Content) | |
| if logging.root.isEnabledFor(logging.DEBUG): | |
| Content += '# End of ' + InputFile + os.linesep + os.linesep | |
| return Content | |
| if __name__ == "__main__": | |
| logging.basicConfig(level=logging.DEBUG, format='[%(asctime)s][%(levelname)s]:%(message)s') | |
| InputFile, OutputFile = InputParameter() | |
| try: | |
| Content = ProcessInput(InputFile) | |
| except Exception as e: | |
| logging.error("Failed to process " + InputFile, exc_info=True) | |
| exit(1) | |
| try: | |
| with open(OutputFile, 'w') as outfile: | |
| outfile.write(Content) | |
| except Exception as e: | |
| logging.error("Failed to write to " + outfile, exc_info=True) | |
| exit(1) | |
| logging.info("Done writing " + OutputFile) |
Posted in *nix, *nix-tools, Apache2, Development, Linux, openSuSE, Power User, Python, Scripting, Software Development, SuSE Linux | Leave a Comment »
Posted by jpluimers on 2018/03/19
Many more things to learn and practice, especially on how these concepts interact, how to make things quantifiable and especially practice them in ways that people intrinsically understand how to:
The ideas of agile are great. Itโs the way it has been codified into rituals and certifications and rolled out mindlessly that misses the point. When people talk about Lean, the conversation often ends atย process optimization, waste, andย quality, andย misses so much of what the Lean mindset offers. Design Thinking is held high as the new magic trick of design facilitators.
Source: [WayBack]ย Understanding how Design Thinking, Lean and Agile Work Together | ThoughtWorks.
The article has some nice graphics to illustrate the points (some are below) and points to a lot more links for further learning.
Via [WayBack]ย ThoughtWorks on Twitter: “Instead of focusing on applying a process, teams ought to challenge how they think and try new things, embrace the things that work, and learn from the things that donโt. #Agile #DesignThinking “
–jeroen
Posted in Agile, Development, Software Development | Leave a Comment »
Posted by jpluimers on 2018/03/15
Over time, there are lots of complaints about Embarcadero related internet services (like forums, QC, Appanalytics, docwiki, blogs,ย web site, maintenance,ย …) so to track uptime, I’ve created a set ofย EmbarcaderoMonitoringย pages:
This is preliminary work based on my own lists of Embarcadero endpoints combined with some research like [WayBack] dnsdumpster embarcadero.com.pngย and [WayBack] IdentIPSpy
Underneath, they run on the uptimerobot.com infrastructure which has a limit of 50 free monitors.
It means I have to:
Any ideas on improving this are welcome: please post a comment here on on the resulting G+ thread.
Note it likely won’t show cases like when the website was hackedย or TLS certificate issues like inย SSLLabs security reports for some embarcadero subdomains. I need to think about a means for those, as it will certainly help monitoring my own infrastructure in a similar way.
–jeroen
Posted in *nix, Cloud, Development, DevOps, Infrastructure, Monitoring, Power User, Software Development, Uptimerobot | Leave a Comment »
Posted by jpluimers on 2018/03/15
TL;DR:
Reminding everybody of the actual purpose of the daily stand-up and of the goal(s) you have for the sprint may be all thatโs needed to give the shortened versions some much needed context and focus.
Always read the Scrum guide, as it states the purpose of this meeting:
The Daily Scrum is a 15-minute time-boxed event for the Development Team to synchronize activities and create a plan for the next 24 hours.
Source: [WayBack]ย Stop using anemic daily stand-up questions | Software on a String
via: [WayBack]ย Marjan Venema – Google+
–jeroen
Posted in Agile, Development, Scrum, Software Development | Leave a Comment »
Posted by jpluimers on 2018/03/15
A very interesting discussion on what the mixing of interfaces and classes can get you into: [WayBack] I’ve got an interface with generics which accepts classes:IMyGeneric = interface…..end;What I want to do is to allow this interface toโฆ – John Kouraklis – Google+
TL;DR: do not mix interfaces and classes.
As often, Asbjรธrn Heid chimes in showing some insight on clever mixing of the two with sample code accepting an unconstrained type. Don’t do that unless you really know what’s going on behind the scenes.
–jeroen
Posted in Delphi, Development, Software Development | 4 Comments »
Posted by jpluimers on 2018/03/14
[WayBack] GitHub – keith-turner/ecoji: Encodes (and decodes) data as emojis:
Ecojiย ๐ฃ๐๐ฆ๐ผ
Ecoji encodes data as 1024ย emojis, its base1024 with an emoji character set. As a bonus, includes code to decode emojis to original data.
Sick. Works splendid when all your systems are fully nice to Unicode.
None are. So there’s a German word for it:
Nein
Via:
–jeroen
Posted in Development, Encoding, Fun, Go (golang), Software Development, Unicode | Leave a Comment »
Posted by jpluimers on 2018/03/14
Interesting read of about 20 minutes on the time between the request of an URL and the actual visible rendering clues.
Do libraries and frameworks prioritize components on boot? If so, how, and if not what can we do? And, in exploring that question, I discovered that Server-Side Rendering isn’t a silver bullet!
Source: [WayBack]ย Aerotwist – ๐ When everything’s important, nothing is! ๐
The state about a year ago was that progressive rendering had the best results as seen on the right.
I wonder if that has changed by now.
–jeroen
via:ย [WayBack] ๐ When everything’s important, nothing is! ๐ ย -via FlynxGood read for javascriptโฆ – Roderick Gadellaa – Google+
Posted in Development, Software Development, Web Development | Leave a Comment »
Posted by jpluimers on 2018/03/14
This is a great complimentary tool to Http Fiddler on Windows and Mac OS X, and the only tool on Linux (that is not covered by Http Fiddler): kdzwinel/betwixt: Web Debugging Proxy based on Chrome DevTools Network panel.
–jeroen
Posted in Development, Fiddler, Software Development, Web Development | Leave a Comment »
The Wiert Corner - irregular stream of stuff 