Posts

Installing a Unified Communications SSL certificate in Microsoft IIS 6.0

Just another working day in Redmond
Being placed in the dire situation where my project has to go live and is being served by a Windows server that has no administrator, I was forced to open up my RDP client and venture back in time to the days of dinosaurs and IIS. Unified Communications SSL certificates are pretty much the only solution I could find to allow a single installation of IIS to share a single certificate that is valid for multiple domains that don't conform to a wildcard. Whew, what a mouthful. In other words, if you have the domains http://www.ihatemicrosoft.com, http://www.apacheisfree.com, and http://www.graphicalinterfacesareforpansies.com you can use a single SSL certificate to secure them by setting up Subject Alternative Names. Getting them up and running was a cinch for me, made only slightly more complicated by previous failed installation issues which I had to identify and undo. Firstly, if somebody else has tried to install the certificate and f...

Preventing Directory Traversal attacks in PHP

Directory traversal attacks occur when your program reads or writes a file whose name is based on some sort of input that can be maliciously tampered with. When used in conjunction with log poisoning this can lead to an attacker gaining remote shell access to your server. At its simplest it could be including a file like this: echo file_get_contents($_GET['sidebar']); The intention would be for you to be able to call your URL and send a parameter indicating which sidebar content you want to load, like this: http://foo.bar/myfile.php?sidebar=adverts.html This is really terrible practice and would not be done by any experienced developer. Another common place where directory traversal attacks can occur is in displaying content based on a database call. If you are reading from or writing to a file based on some input (like GET, POST, COOKIE, etc.) then make sure that you remove paths. The PHP function basename will strip out paths and make sure ...

Continuous Integration with Jenkins and Git

http://jenkins-ci.org/ Jenkins is a free and open source solution for monitoring the execution of jobs, including software project builds. By monitoring the outcome of a build you are able to provide continuous quality control throughout the development period of a project. The aim is to reduce the effort required in quality control at the end of development by consistently applying small amounts of effort to quality throughout the development cycle. Under the continuous integration (CI) model developers should consistently integrate their development efforts into the repository. There should be minimal time delay between committing code changes and the new build; this allows developers to recognize and correct potential problems immediately. Of course, measures must be in place to flag errors with the build. The advantages to developers and project managers of having a stable repository to which commits are made and tested are multiple. I don't need to ...

Adding a CakePHP based virtual host in Apache 2.2

It's very simple to set up a name-based virtual host in Apache 2.2 using the default Ubuntu package. I'm assuming that you have installed Apache already and that you have edited /etc/apache2/sites-enabled/000-default to change the AllowOverride None to something like this: <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all </Directory> If you have not already run the command sudo a2enmod rewrite then do so in order to enable mod_rewrite. Now edit your /etc/hosts file and add an entry that points to the server where you are setting up the virtual host. The line should look something like this: 192.168.0.100 mysite.local where the IP address points to the server where you are setting up the host and mysite.local is a nickname for the site. Remember to add the .local :) Now create a file in /etc/apache2/sites-ava...

Consuming Microsoft .NET SOAP server datasets in PHP

Microsoft Just Clowning Around Again
If you're impatient, here is the link that this article leads to. SOAP is generally understood to be a simple method for systems to exchange data in a standard manner. This allows remote systems to make calls on a server application. This sounds like a Good Idea. Microsoft, however, does not appear to fully understand the concept of SOAP when it comes to providing a SOAP server based on "datasets". Apparently the use of these datasets makes it much easier for programmers using Microsoft languages to consume web services. Unfortunately it makes it inconvenient for everybody else. So we have a standard way of doing things, but Microsoft decides to "improve" it and thereby forces everybody else to manually parse their XML responses. What is the point of having a standard method of accessing server methods if Microsoft then makes their implementation inoperable for Java, PHP, Ruby, and Python developers? Isn...

Questions for mid-level PHP developer candidates

I often get CVs from developers applying for positions. Some colleges give people a certificate without really giving the candidate any problem-solving skills or real understanding of theory. Here are some standard questions that I ask candidates to complete with pen and paper without access to Google. They cover basic OOP theory, logic, basic PHP syntax, and try to get some idea of the candidate's passion for learning. On the rare occasion that a candidate actually bothers to investigate the company and finds my blog they will naturally be expected to do well on this quiz. I guess that's bonus marks for being prepared :p PHP quiz ======== 1) Explain what SQL injection is and give TWO ways to combat it 2) If you type hint an interface name in a function argument what sort of variables can you pass? 3) What is an abstract class? 4) How would you call the construct method of a parent class inside a child of that class? 5) Given two variables $a and $b which c...

Reverse Engineering an MS-SQL database without Visio

The splash screen for Squirrel SQL
I'm working on a project that draws from a Microsoft SQL database. Unfortunately there is no project documentation, which means that it takes longer to become familiar with the design. I particularly wanted an ERD of the database but this wasn't available. So I looked for open source reverse engineering tools and found Squirrel SQL. This is a very handy tool as it supports a variety of databases and client operating systems. Installing the Microsoft JDBC driver (available from the Microsoft site) was a snap: Just download the archive, extract it somewhere meaningful (I put mine as a directory in Squirrel). Edit the Microsoft SQL driver in your driver list. Add an extra class and point it to the JDBC4 jar file (version 4 is required for newer versions of the JDK). The driver should load now. Then proceed to add your connection alias as normal and you're connected to your MS-SQL database. The plugin to reverse engineer your dat...