Search Results

Search found 390 results on 16 pages for 'escaping'.

Page 15/16 | < Previous Page | 11 12 13 14 15 16  | Next Page >

  • ERB doesnt get executed in javascript scripts

    - by Stefano
    Hi guys I have a select input on my page. this select input displays/hides fields in the form. This all works fine. But the problem is that if i submit the form and lack some necessary fields, it doesnt set the select to the right value afterwards. I just cant get the embedded ruby to work! it keeps escaping the whole thing... here my code: $(document).ready(function() { $("#profile_sex").val('<%= @profile.sex %>') $("#profile_sex").change(function(){ ($(this).val() == "Frau") ? $('#form-female').show() : $('#form-female').hide(); ($(this).val() == "Mann") ? $('#form-male').show() : $('#form-male').hide(); if ($(this).val() == "Paar") { $('#form-female').show(); $('#form-male').show(); } }); }); why doesnt this work??? I dont get any error or anything it just sets the value to "<%= @profile.sex =" I was googling and searching about on stack overflow and railscasts, the rails API, everything. Im seriously confused... thanks for your help.

    Read the article

  • Elegant solution to retrieve custom date and time?

    - by kefs
    I am currently using a date and time picker to retrieve a user-submitted date and time, and then I set a control's text to the date and time selected. I am using the following code: new DatePickerDialog(newlog3.this, d, calDT.get(Calendar.YEAR), calDT.get(Calendar.MONTH), calDT.get(Calendar.DAY_OF_MONTH)).show(); new TimePickerDialog(newlog3.this, t, calDT.get(Calendar.HOUR_OF_DAY), calDT.get(Calendar.MINUTE), true).show(); optCustom.setText(fmtDT.format(calDT.getTime())); Now, while the above code block does bring up the date and time widgets and sets the text, the code block is being executed in full before the user can select the date.. ie: It brings up the date box first, then the time box over that, and then updates the text, all without any user interaction. I would like the date widget to wait to execute the time selector until the date selection is done, and i would like the settext to execute only after the time widget is done. How is this possible? Or is there is a more elegant solution that is escaping me? Edit: This is the code for DatePickerDialog/TimePickerDialog which is located within the class: DatePickerDialog.OnDateSetListener d=new DatePickerDialog.OnDateSetListener() { public void onDateSet(DatePicker view, int year, int monthOfYear, int dayOfMonth) { calDT.set(Calendar.YEAR, year); calDT.set(Calendar.MONTH, monthOfYear); calDT.set(Calendar.DAY_OF_MONTH, dayOfMonth); //updateLabel(); } }; TimePickerDialog.OnTimeSetListener t=new TimePickerDialog.OnTimeSetListener() { public void onTimeSet(TimePicker view, int hourOfDay, int minute) { calDT.set(Calendar.HOUR_OF_DAY, hourOfDay); calDT.set(Calendar.MINUTE, minute); //updateLabel(); } }; Thanks in advance

    Read the article

  • Write to the second line of a PHP file

    - by Woz
    I have a php file that I want to add an include path to on the second line. I need to open the file and inset a line of code on line 2. I have tried a few techniques none of which are working but I think it has something to do with the text I am trying to write and possibly not escaping character correctly as I am not too familiar with file writing. So here is the file I want to write to: $file = $_SERVER['DOCUMENT_ROOT'].'/'.$domaindir.'/test.php'; Here is the piece of text I want to insert into the file: $dbfile = "include('".$_SERVER['DOCUMENT_ROOT']."/".$domaindir."/web_".$dbname.".inc.php');"; Then what I was doing was a string replace but all it did was bump the "session_start();" bit to a newline! Can anyone point me in the direction of a tutorial that might tell me how to insert this into the second line of my php file or indeed if anyone has any ideas? I can say for sure that the path to the PHP file is fully tested so i know its not that the file is not being open or written to. Any ideas would be much appreciated. Thanks in advance.

    Read the article

  • PHP - Calling function inside another class -> function

    - by Kolind
    I'm trying to do this: class database { function editProvider($post) { $sql = "UPDATE tbl SET "; foreach($post as $key => $val): if($key != "providerId") { $val = formValidate($val); $sqlE[] = "`$key`='$val'"; } endforeach; $sqlE = implode(",", $sqlE); $where = ' WHERE `id` = \''.$post['id'].'\''; $sql = $sql . $sqlE . $where; $query = mysql_query($sql); if($query){ return true; } } // }//end class And then use this function * INSIDE of another class *: function formValidate($string){ $string = trim($string); $string = mysql_real_escape_string($string); return $string; } // .. on $val. Why doesn't this work? if I write in a field of the form, it's not escaping anything at all. How can that be? * UPDATE * handler.php: if(isset($_GET['do'])){ if($_GET['do'] == "addLogin") { $addLogin = $db->addLogin($_POST); } if($_GET['do'] == "addProvider") { $addProvider = $db->addProvider($_POST); } if($_GET['do'] == "editProfile") { $editProfile = $db->editProfile($_POST); } if($_GET['do'] == "editProvider") { $editProvider = $db->editProvider($_POST); } } //end if isset get do ** The editProvider function works fine except for this :-) **

    Read the article

  • Will these security functions be enough? (PHP)

    - by ggfan
    I am trying to secure my site so I don't have sql injections and xss scripting. Here's my code. //here's the from, for brevity, i just show a field for users to put firstname <form> <label for="first_name" class="styled">First Name:</label> <input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br /> //submit button etc </form> if (isset($_POST['submit'])) { //gets rid of extra whitesapce and escapes $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); //check if $first_name is a string if(!is_string($first_name) { echo "not string"; } //then insert into the database. ....... } mysqli_real_espace_string: I know that this func escapes certain letters like \n \r, so when the data gets inputted into the dbc, it would have '\' next to all the escaped letters? --Will this script be enough to prevent most sql injections? just escaping and checking if the data is a string. For integers values(like users putting in prices), i just: is_numeric(). --How should I use htmlspecialchars? Should I use it only when echoing and displaying user data? Or should I also use this too when inputting data to a dbc? --When should I use strip_tags() or htmlspecialchars? SOO with all these function... if (isset($_POST['submit'])) { //gets rid of extra whitesapce and escapes $first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name'])); //check if $first_name is a string if(!is_string($first_name) { echo "not string"; } //gets rid of any <,>,& htmlspecialchars($first_name); //strips any tags with the first name strip_tags($first_name) //then insert into the database. ....... } Which funcs should I use for sql injections and which ones should I use for xss?

    Read the article

  • How to use bzdiff to find difference between 2 bzipped files with diff -I option?

    - by englebip
    I'm trying to do a diff on MySQL dumps (created with mysqldump and piped to bzip2), to see if there are changes between consecutive dumps. The followings are the tails of 2 dumps: tmp1: /*!40101 SET SQL_MODE=@OLD_SQL_MODE */; /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; -- Dump completed on 2011-03-11 1:06:50 tmp2: /*!40101 SET SQL_MODE=@OLD_SQL_MODE */; /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; -- Dump completed on 2011-03-11 0:40:11 When I bzdiff their bzipped version: $ bzdiff tmp?.bz2 10c10 < -- Dump completed on 2011-03-11 1:06:50 --- > -- Dump completed on 2011-03-11 0:40:11 According to the manual of bzdiff, any option passed on to bzdiff is passed on to diff. I therefore looked at the -I option that allows to define a regexp; lines matching it are ignored in the diff. When I then try: $ bzdiff -I'Dump' tmp1.bz2 tmp2.bz2 I get an empty diff. I would like to match as much as possible of the "Dump completed" line, though, but when I then try: $ bzdiff -I'Dump completed' tmp1.bz2 tmp2.bz2 diff: extra operand `/tmp/bzdiff.miCJEvX9E8' diff: Try `diff --help' for more information. Same thing happens for some variations: $ bzdiff '-IDump completed' tmp1.bz2 tmp2.bz2 $ bzdiff '-I"Dump completed"' tmp1.bz2 tmp2.bz2 $ bzdiff -'"IDump completed"' tmp1.bz2 tmp2.bz2 If I diff the un-bzipped files there is no problem: $diff -I'^[-][-] Dump completed on' tmp1 tmp2 gives also an empty diff. bzdiff is a shell script usually placed in /bin/bzdiff. Essentially, it parses the command options and passes them on to diff as follows: OPTIONS= FILES= for ARG do case "$ARG" in -*) OPTIONS="$OPTIONS $ARG";; *) if test -f "$ARG"; then FILES="$FILES $ARG" else echo "${prog}: $ARG not found or not a regular file" exit 1 fi ;; esac done [...] bzip2 -cdfq "$1" | $comp $OPTIONS - "$tmp" I think the problem stems from escaping the spaces in the passing of $OPTIONS to diff, but I couldn't figure out how to get it interpreted correctly. Any ideas? EDIT @DerfK: Good point with the ., I had forgotten about them... I tried the suggestion with the multiple level of quotes, but that is still not recognized: $ bzdiff "-I'\"Dump.completed.on\"'" tmp1.bz2 tmp2.bz2 diff: extra operand `/tmp/bzdiff.Di7RtihGGL'

    Read the article

  • Open a terminal window & run command, then close the terminal window if command completed successfully?

    - by Caspar
    I'm trying to write a script to do the following: Open a terminal window which runs a long running command (Ideally) move the terminal window to the top left corner of the screen using xdotool Close the terminal window only if the long running command exited with a zero return code To put it in Windows terms, I'd like to have the Linux equivalent of start cmd /c long_running_cmd if long_running_cmd succeeds, and do the equivalent of start cmd /k long_running_cmd if it fails. What I have so far is a script which starts xterm with a given command, and then moves the window as desired: #!/bin/bash # open a new terminal window in the background with the long running command xterm -e ~/bin/launcher.sh ./long_running_cmd & # move the terminal window (requires window process to be in background) sleep 1 xdotool search --name launcher.sh windowmove 0 0 And ~/bin/launcher.sh is intended to run whatever is passed as a command line argument to it: #!/bin/bash # execute command line arguments $@ But, I haven't been able to get the xterm window to close after long_running_cmd is done. I think something like xterm -e ~/bin/launcher.sh "./long_running_cmd && kill $PPID" & might be what I'm after, so that xterm is launched in the background and it runs ./long_running_cmd && kill $PPID. So the shell in the xterm window then runs the long running command and if it completes successfully, the parent process of the shell (i.e. the process owning the xterm window) is killed, thereby closing the xterm window. But, that doesn't work: nothing happens, so I suspect my quoting or escaping is incorrect, and I haven't been able to fix it. An alternate approach would be to get the PID of long_running_cmd, use wait to wait for it to finish, then kill the xterm window using kill $! (since $! refers to last task started in the background, which will be the xterm window). But I can't figure out a nice way to get the PID & exit value of long_running_cmd out of the shell running in the xterm window and into the shell which launched the xterm window (short of writing them to a file somewhere, which seems like it should be unnecessary?). What am I doing wrong, or is there an easier way to accomplish this?

    Read the article

  • Issues POSTing XML to OAuth and Signature Invalid with Ruby OAuth Gem

    - by thynctank
    [Cross-posted from the OAuth Ruby Google Group. If you couldn't help me there, don't worry bout it] I'm working on integrating a project with TripIt's OAuth API and am running into a weird issue. I authenticate fine, I store and retrieve the token/secret for a given user with no problem, I can even make GET requests to a number of services using the gem. But when I try using the one service I need POST for, I'm getting a 401 "invalid signature" response. Perhaps I'm not understanding how to pass in data to the AccessToken's post method, so here's a sample of my code: xml = <<-XML <Request> <Trip> <start_date>2008-12-09</start_date> <end_date>2008-12-27</end_date> <primary_location>New York, NY</primary_location> </Trip> </Request> XML` response = access_token.post('/v1/create', {:xml => xml}, {'Content-Type' => 'application/x-www-form-urlencoded'}) I've tried this with and without escaping the xml string before hand. The guys at TripIt seemed to think that perhaps the xml param wasn't getting included in the signature_base_string, but when I output that (from lib/signature/base.rb) I see: POST&https%3A%2F%2Fapi.tripit.com%2Fv1%2Fcreate&oauth_consumer_key %3D%26oauth_nonce %3Djs73Y9caeuffpmPVc6lqxhlFN3Qpj7OhLcfBTYv8Ww%26oauth_signature_method %3DHMAC-SHA1%26oauth_timestamp%3D1252011612%26oauth_token %3D%26oauth_version%3D1.0%26xml%3D%25253CRequest%25253E %25250A%252520%252520%25253CTrip%25253E%25250A %252520%252520%252520%252520%25253Cstart_date%25253E2008-12-09%25253C %252Fstart_date%25253E%25250A %252520%252520%252520%252520%25253Cend_date%25253E2008-12-27%25253C %252Fend_date%25253E%25250A %252520%252520%252520%252520%25253Cprimary_location%25253ENew %252520York%252C%252520NY%25253C%252Fprimary_location%25253E%25250A %252520%252520%25253C%252FTrip%25253E%25250A%25253C%252FRequest%25253E %25250A This seems to be correct to me. I output signature (from the same file) and the output doesn't match the oauth_signature param of the Auth header in lib/client/ net_http.rb. It's been URL-encoded in the auth header. Is this correct? Anyone know if the gem is broken/if there's a fix somewhere? I'm finding it hard to trace through some of the code.

    Read the article

  • Why do I get extra, unexpected results with my ack regex?

    - by Gauthier
    I'm finally learning regexps and training with ack. I believe this uses Perl regexp. I want to match all lines where the first non-blank characters are if (<word> !, with any number of spaces in between the elements. This is what I came up with: ^[ \t]*if *\(\w+ *! It only nearly worked. ^[ \t]* is wrong, since it matches one or none [space or tab]. What I want is to match anything that may contain only space or tab (or nothing). For example these should not match: // if (asdf != 0) else if (asdf != 1) How can I modify my regexp for that? EDIT adding command line ack -i --group -a '^\s*if *\(\w+ *!' c:/work/proj/proj Note the single quotes, I'm not so sure about them anymore. My search base is a larger code base. It does include matching expressions (quite some), but even for example: 274: }else if (y != 0) , which I get as a result of the above command. EDIT adding the result of mobrule's test Mobrule, thanks for providing me a text to test on. I'll copy here what I get on my prompt: C:\Temp\regex>more ack.test # ack.test if (asdf != 0) # no spaces - ok if (asdf != 0) # single space - ok if (asdf != 0) # single tab - ok if (asdf != 0) # multiple space - ok if (asdf != 0) # multiple tab - ok if (asdf != 0) # spaces + tab ok if (asdf != 0) # tab + space ok if (asdf != 0) # space + tab + space ok // if (asdf != 0) # not ok } else if (asdf != 0) # not ok C:\Temp\regex>ack '^[ \t]*if *\(\w+ *!' ack.test C:\Temp\regex>"C:\Program\git\bin\perl.exe" C:\bat\ack.pl '[ \t]*if *\(\w+ *!' a ck.test if (asdf != 0) # no spaces - ok if (asdf != 0) # single space - ok if (asdf != 0) # single tab - ok if (asdf != 0) # multiple space - ok if (asdf != 0) # multiple tab - ok if (asdf != 0) # spaces + tab ok if (asdf != 0) # tab + space ok if (asdf != 0) # space + tab + space ok // if (asdf != 0) # not ok } else if (asdf != 0) # not ok The problem is in my call to my ack.bat! ack.bat contains: "C:\Program\git\bin\perl.exe" C:\bat\ack.pl %* Although I call with a caret, it gets away at the call of the bat file! Escaping the caret with ^^ does not work. Quoting the regex with " " instead of ' ' works. My problem was a DOS/win problem, sorry for bothering you all for that.

    Read the article

  • Lucene: Wildcards are missing from index

    - by Eleasar
    Hi - i am building a search index that contains special names - containing ! and ? and & and + and ... I have to tread the following searches different: me & you me + you But whatever i do (did try with queryparser escaping before indexing, escaped it manually, tried different indexers...) - if i check the search index with Luke they do not show up (question marks and @-symbols and the like show up) The logic behind is that i am doing partial searches for a live suggestion (and the fields are not that large) so i split it up into "m" and "me" and "+" and "y" and "yo" and "you" and then index it (that way it is way faster than a wildcard query search (and the index size is not a big problem). So what i would need is to also have this special wildcard characters be inserted into the index. This is my code: using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Text; using Lucene.Net.Analysis; using Lucene.Net.Util; namespace AnalyzerSpike { public class CustomAnalyzer : Analyzer { public override TokenStream TokenStream(string fieldName, TextReader reader) { return new ASCIIFoldingFilter(new LowerCaseFilter(new CustomCharTokenizer(reader))); } } public class CustomCharTokenizer : CharTokenizer { public CustomCharTokenizer(TextReader input) : base(input) { } public CustomCharTokenizer(AttributeSource source, TextReader input) : base(source, input) { } public CustomCharTokenizer(AttributeFactory factory, TextReader input) : base(factory, input) { } protected override bool IsTokenChar(char c) { return c != ' '; } } } The code to create the index: private void InitIndex(string path, Analyzer analyzer) { var writer = new IndexWriter(path, analyzer, true); //some multiline textbox that contains one item per line: var all = new List<string>(txtAllAvailable.Text.Replace("\r","").Split('\n')); foreach (var item in all) { writer.AddDocument(GetDocument(item)); } writer.Optimize(); writer.Close(); } private static Document GetDocument(string name) { var doc = new Document(); doc.Add(new Field( "name", DeNormalizeName(name), Field.Store.YES, Field.Index.ANALYZED)); doc.Add(new Field( "raw_name", name, Field.Store.YES, Field.Index.NOT_ANALYZED)); return doc; } (Code is with Lucene.net in version 1.9.x (EDIT: sorry - was 2.9.x) but is compatible with Lucene from Java) Thx

    Read the article

  • Best Practice: Legitimate Cross-Site Scripting

    - by Ryan
    While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary. I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple barebones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong. Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought "iFrame" - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content, so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page. In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript. A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors. My solution was as follows: My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction) then strip the final content of all line break characters ("\n") followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template. While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?

    Read the article

  • How to limit results in a SharePoint XSL query

    - by David
    Hello all, I am creating a SharePoint site that we will use to report issues with trucks used in our business. Linked to the list I have created will be a page that will display an overview of the trucks and a little truck icon will show the trucks current status. Green and the truck is okay (no open issues), Red and the truck have an open issue with status "Undrivable", Orange and there is two issues open that requires the user to look further into the truck before using it and finally a Gray truck for when there is a new issue created that has not been looked into (not sure if it is drivable or not). I have managed to create the "Dashboard" and with my limit XSL/XPATH knowledge been able to add a truck and replicate the description above but... in my test I have created 4 issues, for example if three of them are changed to status Closed and one left to Undrivable I will get four icons on the page, three with Green trucks and the last one Red. So in theory it works but I obviously only want to see the last truck, one truck. I am not interested in seeing the others. <xsl:template name="dvt_1.rowview"> <xsl:variable name="CountReport" select="count(/dsQueryResponse/Rows/Row[@Highloader='GGEU12' and @Status!='Closed'])" /> <xsl:variable name="MoreThan" select="$CountReport &gt; 1" /> <xsl:variable name="NoReports" select="$CountReport = 0" /> <xsl:variable name="Closed" select=" @Highloader='GGEU12' and @Status='Closed'" /> <xsl:choose> <xsl:when test="$MoreThan"> <div class="ms-vb"><img title='More than one report exist!' border='0' alt='In Progress' src='highloader/Library/hl-orange.png' /></div> </xsl:when> <xsl:otherwise> <div class="ms-vb"><xsl:value-of disable-output-escaping="yes" select="@Icon" /></div> </xsl:otherwise> </xsl:choose> </xsl:template> My hope is that someone with slightly more knowledge can find the last piece of the puzzle for me! Thanks for reading and asking questions to fill any gap I left above. David

    Read the article

  • Is there a standard way to encode a .NET string into javascript string for use in MS AJAX?

    - by Rich Andrews
    I'm trying to pass the output of a SQL Server exception to the client using the RegisterStartUpScript method of the MS ScriptManager. This works fine for some errors but when the exception contains single quotes the alert fails. I dont want to only escape single quotes though - Is there a standard function i can call to escape any special chars for use in Javascript? string scriptstring = "alert('" + ex.Message + "');"; ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", scriptstring , true); Thanks tpeczek, the code almost worked for me :) but with a slight amendment (the escaping of single quotes) it works a treat. I've included my amended version here... public class JSEncode { /// <summary> /// Encodes a string to be represented as a string literal. The format /// is essentially a JSON string. /// /// The string returned includes outer quotes /// Example Output: "Hello \"Rick\"!\r\nRock on" /// </summary> /// <param name="s"></param> /// <returns></returns> public static string EncodeJsString(string s) { StringBuilder sb = new StringBuilder(); sb.Append("\""); foreach (char c in s) { switch (c) { case '\'': sb.Append("\\\'"); break; case '\"': sb.Append("\\\""); break; case '\\': sb.Append("\\\\"); break; case '\b': sb.Append("\\b"); break; case '\f': sb.Append("\\f"); break; case '\n': sb.Append("\\n"); break; case '\r': sb.Append("\\r"); break; case '\t': sb.Append("\\t"); break; default: int i = (int)c; if (i < 32 || i > 127) { sb.AppendFormat("\\u{0:X04}", i); } else { sb.Append(c); } break; } } sb.Append("\""); return sb.ToString(); } } As mentioned below - original source: here

    Read the article

  • Background-image won't change using jquery in IE6

    - by slav
    There is a panel on my page with no default background-image css. On load it is set with jquery to an initial image, waits for 10 seconds then loads a random image out of some predetermined images. There are previous and next buttons which allow you to cycle through the images. In ie6 the initial image loads and then a random image also loads after 10 seconds, however pressing prev/next causes the background to become white and the images aren't loaded. With alerts I was able to find that it's still keeping track of the position and url of the image it's supposed to load, but just won't load it. Here is the code below. <script type="text/javascript"> var facts = new Array(); var position; $(document).ready(function() { <xsl:for-each select="$currentPage/ancestor-or-self::node[@level=1]/../node[@nodeName='Fun Fact Folder']/node"> facts[<xsl:value-of select="position()" />] = '<xsl:value-of select="." />'; </xsl:for-each> if(window.location.pathname == "/homepage.aspx" || window.location.pathname == "/") { $(".fun_facts_bg").css("background-image", "url(images/fun_fact_homepage.JPG)"); setTimeout("randomFact()",10000); } else { randomFact(); } }); function randomFact() { $("a.previous_button").css("display", "block"); $("a.next_button").css("display", "block"); position = Math.ceil(Math.random() * (facts.length - 1)); changeFact(0); } function changeFact(increment) { position = checkPosition(position, increment); $(".fun_facts_bg").css("background-image", "url(" + facts[position] + ")"); } <xsl:text disable-output-escaping="yes">&lt;!--//--&gt;&lt;![CDATA[//&gt;&lt;!-- function checkPosition(currentPos, increment) { currentPos = currentPos + increment; if (currentPos &gt; facts.length - 1) { currentPos = 1; } else if (currentPos &lt; 1) { currentPos = facts.length - 1; } return currentPos; } //--&gt;&lt;!]]&gt;</xsl:text> </script> <a class="previous_button" href="javascript:void(0);" onclick="changeFact(-1);"> <a class="next_button" href="javascript:void(0);" onclick="changeFact(1);">

    Read the article

  • PHP 'instanceof' failing with class constant

    - by Nathan Loding
    I'm working on a framework that I'm trying to type as strongly as I possibly can. (I'm working within PHP and taking some of the ideas that I like from C# and trying to utilize them within this framework.) I'm creating a Collection class that is a collection of domain entities/objects. It's kinda modeled after the List<T> object in .Net. I've run into an obstacle that is preventing me from typing this class. If I have a UserCollection, it should only allow User objects into it. If I have a PostCollection, it should only allow Post objects. All Collections in this framework need to have certain basic functions, such as add, remove, iterate. I created an interface, but found that I couldn't do the following: interface ICollection { public function add($obj) } class PostCollection implements ICollection { public function add(Post $obj) {} } This broke it's compliance with the interface. But I can't have the interface strongly typed because then all Collections are of the same type. So I attempted the following: interface ICollection { public function add($obj) } abstract class Collection implements ICollection { const type = 'null'; } class PostCollection { const type = 'Post'; public function add($obj) { if(!($obj instanceof self::type)) { throw new UhOhException(); } } } When I attempt to run this code, I get syntax error, unexpected T_STRING, expecting T_VARIABLE or '$' on the instanceof statement. A little research into the issue and it looks like the root of the cause is that $obj instanceof self is valid to test against the class. It appears that PHP doesn't process the entire self::type constant statement in the expression. Adding parentheses around the self::type variable threw an error regarding an unexpected '('. An obvious workaround is to not make the type variable a constant. The expression $obj instanceof $this->type works just fine (if $type is declared as a variable, of course). I'm hoping that there's a way to avoid that, as I'd like to define the value as a constant to avoid any possible change in the variable later. Any thoughts on how I can achieve this, or have I take PHP to it's limit in this regard? Is there a way of "escaping" or encapsulating self::this so that PHP won't die when processing it?

    Read the article

  • removing contents of div using Jquery "empty" doesn't work

    - by Andrew
    I'm trying to remove contents of particular div which are basically list items and a heading by using jquery empty so that I could replace with new contents. What happens when I run the code is, the whole div element blinked and flash the replaced content and then the old one reappear. Can anyone tell me what am I doing wrong? Here's an excerpt of my code - <pre> $("#msg_tab").bind("click",function(){ $("#sidebar1").remove(); var html="<ul><li><h2>test</h2><ul><li><a href='#'>Compose New Message</a></li><li><a href='#'>Inbox</a></li><li><a href='#'>Outbox</a></li><li><a href='#'>Unread</a></li><li><a href='#'>Archive</a></li></ul></li></ul>"; $("#sidebar1").append(html); }); <div id="sidebar1" class="sidebar"> <ul> <li> <h2>Messages</h2> <ul> <li><a href="#">Compose New Message</a></li> <li><a href="#">Inbox</a></li> <li><a href="#">Outbox</a></li> <li><a href="#">Unread</a></li> <li><a href="#">Archive</a></li> </ul> </li> </ul> </div> Another question is, how do I write multiple line html code string in javascript so that java would recognize as a string value? Placing forward slash at the end is ok when the string is not a html code but, in html code, I can't figure out how to escape forward slash from ending tags.I've tried escaping it with backward slash but doesn't work. I would be appreciated if anyone could shed a light on this matter as well.

    Read the article

  • How do I write object classes effectively when dealing with table joins?

    - by Chris
    I should start by saying I'm not now, nor do I have any delusions I'll ever be a professional programmer so most of my skills have been learned from experience very much as a hobby. I learned PHP as it seemed a good simple introduction in certain areas and it allowed me to design simple web applications. When I learned about objects, classes etc the tutor's basic examnples covered the idea that as a rule of thumb each database table should have its own class. While that worked well for the photo gallery project we wrote, as it had very simple mysql queries, it's not working so well now my projects are getting more complex. If I require data from two separate tables which require a table join I've instead been ignoring the class altogether and handling it on a case by case basis, OR, even worse been combining some of the data into the class and the rest as a separate entity and doing two queries, which to me seems inefficient. As an example, when viewing content on a forum I wrote, if you view a thread, I retrieve data from the threads table, the posts table and the user table. The queries from the user and posts table are retrieved via a join and not instantiated as an object, whereas the thread data is called using my Threads class. So how do I get from my current state of affairs to something a little less 'stupid', for want of a better word. Right now I have a DB class that deals with connection and escaping values etc, a parent db query class that deals with the common queries and methods, and all of the other classes (Thread, Upload, Session, Photo and ones thats aren't used Post, User etc ) are children of that. Do I make a big posts class that has the relevant extra attributes that I retrieve from the users (and potentially threads) table? Do I have separate classes that populate each of their relevant attributes with a single query? If so how do I do that? Because of the way my classes are written, based on what I was taught, my db update row method, or insert method both just take the attributes as an array and update all of that, if I have extra attributes from other db tables in each class then how do I rewrite those methods as obbiously updating automatically like that would result in errors? In short I think my understanding is limited right now and I'd like some pointers when it comes to the fundamentals of how to write more complex classes.

    Read the article

  • Zend Framework AjaxContext filters the results and Decorators not removable

    - by Janis Peisenieks
    Ok, since this problem has 2 parts, it will be easier to explain them together. So here goes: I am trying to remove the default decorators from these elements, since I am using a little different way of styling them. But no matter what i do, the DtDDWrapper still shows up. If I try to remove all of the decorators, all of the fields below disappear. public function newfieldAction() { $ajaxContext = $this->_helper->getHelper('AjaxContext'); $ajaxContext->addActionContext('newfield', 'html')->initContext(); $id = $this->_getParam('id', null); $id1=$id+1; $id2=$id+2; $element = new Zend_Form_Element_Text("newTitle$id1"); $element->setOptions(array('escape'=>false)); $element->setRequired(true)->setLabel('Vertiba')->removeDecorator('label'); $tinyelement=new Zend_Form_Element_Text("newName$id"); $tinyelement->setRequired(true)->setOptions(array('escape'=>false))->setLabel('Vertiba')->removeDecorator('label'); $textarea_element = new Zend_Form_Element_Textarea("newText$id2"); $textarea_element->setRequired(true)->setOptions(array('escape'=>false))->setLabel('Vertiba')->removeDecorator('label'); $this->view->descriptionField = "<td>".$textarea_element->__toString()."</td>"; $this->view->titleField = $element->__toString(); $this->view->field = $tinyelement->__toString(); $this->view->id=$id; } The context view script seams to trim my code in one way or another. When I try to put a <td> or a <table> tag in the view script, it just skips the tags. Is there a way to stop this escaping from happening? My view script: id; ?" asdfasdfasdfasd field ? titleField ? descriptionField ? id ?"remove P.S. the code formatting system is barfing at me, could someone please help me with the formatting of the code?

    Read the article

  • Delphi / MySql : Problems escpaing strings

    - by mawg
    N00b here, having problems escaping strings. I used the QuotedStr() function - shouldn't that be enough. Unfortunately, the string that I am trying to quote is rather messy, but I will post it here in case anyone wants to paste it into WinMerge or KDiff3, etc. I am trying to store an entire Delphi form into the database, rather than into a .DFM file. It has only one field, a TEdit edit box. The debugger shows the form as text as 'object Form1: TScriptForm'#$D#$A' Left = 0'#$D#$A' Top = 0'#$D#$A' Align = alClient'#$D#$A' BorderStyle = bsNone'#$D#$A' ClientHeight = 517'#$D#$A' ClientWidth = 993'#$D#$A' Color = clBtnFace'#$D#$A' Font.Charset = DEFAULT_CHARSET'#$D#$A' Font.Color = clWindowText'#$D#$A' Font.Height = -11'#$D#$A' Font.Name = 'MS Sans Serif''#$D#$A' Font.Style = []'#$D#$A' OldCreateOrder = False'#$D#$A' SaveProps.Strings = ('#$D#$A' 'Visible=False')'#$D#$A' PixelsPerInch = 96'#$D#$A' TextHeight = 13'#$D#$A' object Edit1: TEdit'#$D#$A' Left = 192'#$D#$A' Top = 64'#$D#$A' Width = 121'#$D#$A' Height = 21'#$D#$A' TabOrder = 8'#$D#$A' end'#$D#$A'end'#$D#$A before calling QuotedStr() and ''object Form1: TScriptForm'#$D#$A' Left = 0'#$D#$A' Top = 0'#$D#$A' Align = alClient'#$D#$A' BorderStyle = bsNone'#$D#$A' ClientHeight = 517'#$D#$A' ClientWidth = 993'#$D#$A' Color = clBtnFace'#$D#$A' Font.Charset = DEFAULT_CHARSET'#$D#$A' Font.Color = clWindowText'#$D#$A' Font.Height = -11'#$D#$A' Font.Name = ''MS Sans Serif'''#$D#$A' Font.Style = []'#$D#$A' OldCreateOrder = False'#$D#$A' SaveProps.Strings = ('#$D#$A' ''Visible=False'')'#$D#$A' PixelsPerInch = 96'#$D#$A' TextHeight = 13'#$D#$A' object Edit1: TEdit'#$D#$A' Left = 192'#$D#$A' Top = 64'#$D#$A' Width = 121'#$D#$A' Height = 21'#$D#$A' TabOrder = 8'#$D#$A' end'#$D#$A'end'#$D#$A''' afterwards. The strange thing is that my complete command 'INSERT INTO designerFormDfm(designerFormDfmText) VALUES ("'object Form1: TScriptForm'#$D#$A' Left = 0'#$D#$A' Top = 0'#$D#$A' Align = alClient'#$D#$A' BorderStyle = bsNone'#$D#$A' ClientHeight = 517'#$D#$A' ClientWidth = 993'#$D#$A' Color = clBtnFace'#$D#$A' Font.Charset = DEFAULT_CHARSET'#$D#$A' Font.Color = clWindowText'#$D#$A' Font.Height = -11'#$D#$A' Font.Name = ''MS Sans Serif'''#$D#$A' Font.Style = []'#$D#$A' OldCreateOrder = False'#$D#$A' SaveProps.Strings = ('#$D#$A' ''Visible=False'')'#$D#$A' PixelsPerInch = 96'#$D#$A' TextHeight = 13'#$D#$A' object Edit1: TEdit'#$D#$A' Left = 192'#$D#$A' Top = 64'#$D#$A' Width = 121'#$D#$A' Height = 21'#$D#$A' TabOrder = 8'#$D#$A' end'#$D#$A'end'#$D#$A''");' executes in a MySql console, but not from Delphi, where I pass that command as parameter command to a function which ADOCommand.CommandText := command; ADOCommand.CommandType := cmdText; ADOCommand.Execute(); I can only assume that I am having problems escpaing sequences which contain single quotes (and QuotedStr() doesn't seem to escape backslahes(?!)) What am I doing that is obviously, glaringly wrong?

    Read the article

  • How SQLite on Android handles long stings?

    - by Levara
    Hi! I'm wondering how Android's implementation of SQLite handles long Strings. Reading from online documentation on sqlite, it said that strings in sqlite are limited to 1 million characters. My strings are definitely smaller. I'm creating a simple RSS application, and after parsing a html document, and extracting text, I'm having problem saving it to a database. I have 2 tables in database, feeds and articles. RSS feeds are correctly saved and retrieved from feeds table, but when saving to the articles table, logcat is saying that it cannot save extracted text to it's column. I don't know if other columns are making problems too, no mention of them in logcat. I'm wondering, since text is from an article on web, are signs like (",',;) creating problems? Is Android automaticaly escaping them, or I have to do that. I'm using a technique for inserting similar to one in notepad tutorial: public long insertArticle(long feedid, String title, String link, String description, String h1, String h2, String h3, String p, String image, long date) { ContentValues initialValues = new ContentValues(); initialValues.put(KEY_FEEDID, feedid); initialValues.put(KEY_TITLE, title); initialValues.put(KEY_LINK, link); initialValues.put(KEY_DESCRIPTION, description ); initialValues.put(KEY_H1, h1 ); initialValues.put(KEY_H2, h2); initialValues.put(KEY_H3, h3); initialValues.put(KEY_P, p); initialValues.put(KEY_IMAGE, image); initialValues.put(KEY_DATE, date); return mDb.insert(DATABASE_TABLE_ARTICLES,null, initialValues); } Column P is for extracted text, h1, h2 and h3 are for headers from a page. Logcat reports only column p to be the problem. The table is created with following statement: private static final String DATABASE_CREATE_ARTICLES = "create table articles( _id integer primary key autoincrement, feedid integer, title text, link text not null, description text," + "h1 text, h2 text, h3 text, p text, image text, date integer);"; Thanks!

    Read the article

  • What are the Rails best practices for javascript templates in restful/resourceful controllers?

    - by numbers1311407
    First, 2 common (basic) approaches: # returning from some FoosController method respond_to do |format| # 1. render the javascript directly format.js { render :json => @foo.to_json } # 2. render the default template, say update.js.erb format.js { render } end # in update.js.erb $('#foo').html("<%= escape_javascript(render(@foo)) %>") These are obviously simple cases but I wanted to illustrate what I'm talking about. I believe that these are also the cases expected by the default responder in rails 3 (either the action-named default template or calling to_#{format} on the resource.) The Issues With 1, you have total flexibility on the view side with no worries about the template, but you have to manipulate the DOM directly via javascript. You lose access to helpers, partials, etc. With 2, you have partials and helpers at your disposal, but you're tied to the one template (by default at least). All your views that make JS calls to FoosController use the same template, which isn't exactly flexible. Three Other Approaches (none really satisfactory) 1.) Escape partials/helpers I need into javascript beforehand, then inserting them into the page after, using string replacement to tailor them to the results returned (subbing in name, id, etc). 2.) Put view logic in the templates. For example, looking for a particular DOM element and doing one thing if it exists, another if it does not. 3.) Put logic in the controller to render different templates. For example, in a polymorphic belongs to where update might be called for either comments/foo or posts/foo, rendering commnts/foos/update.js.erb versus posts/foos/update.js.erb. I've used all of these (and probably others I'm not thinking of). Often in the same app, which leads to confusing code. Are there best practices for this sort of thing? It seems like a common enough use-case that you'd want to call controllers via Ajax actions from different views and expect different things to happen (without having to do tedious things like escaping and string-replacing partials and helpers client side). Any thoughts?

    Read the article

  • .NET to iOS: From WinForms to the iPad

    - by RobertChipperfield
    One of the great things about working at Red Gate is getting to play with new technology - and right now, that means mobile. A few weeks ago, we decided that a little research into the tablet computing arena was due, and purely from a numbers point of view, that suggested the iPad as a good target device. A quick trip to iPhoneDevCon in San Diego later, and Marine and I came back full of ideas, and with some concept of how iOS development was meant to work. Here's how we went from there to the release of Stacks & Heaps, our geeky take on the classic "Snakes & Ladders" game. Step 1: Buy a Mac I've played with many operating systems in my time: from the original BBC Model B, through DOS, Windows, Linux, and others, but I'd so far managed to avoid buying fruit-flavoured computer hardware! If you want to develop for the iPhone, iPad or iPod Touch, that's the first thing that needs to change. If you've not used OS X before, the first thing you'll realise is that everything is different! In the interests of avoiding a flame war in the comments section, I'll only go so far as to say that a lot of my Windows-flavoured muscle memory no longer worked. If you're in the UK, you'll also realise your keyboard is lacking a # key, and that " and @ are the other way around from normal. The wonderful Ukelele keyboard layout editor restores some sanity here, as long as you don't look at the keyboard when you're typing. I couldn't give up the PC entirely, but a handy application called Synergy comes to the rescue - it lets you share a single keyboard and mouse between multiple machines. There's a few limitations: Alt-Tab always seems to go to the Mac, and Windows 7's UAC dialogs require the local mouse for security reasons, but it gets you a long way at least. Step 2: Register as an Apple Developer You can register as an Apple Developer free of charge, and that lets you download XCode and the iOS SDK. You also get the iPhone / iPad emulator, which is handy, since you'll need to be a paid member before you can deploy your apps to a real device. You can either enroll as an individual, or as a company. They both cost the same ($99/year), but there's a few differences between them. If you register as a company, you can add multiple developers to your team (all for the same $99 - not $99 per developer), and you get to use your company name in the App Store. However, you'll need to send off significantly more documentation to Apple, and I suspect the process takes rather longer than for an individual, where they just need to verify some credit card details. Here's a tip: if you're registering as a company, do so as early as possible. The approval process can take a while to complete, so get the application in in plenty of time. Step 3: Learn to love the square brackets! Objective-C is the language of the iPad. C and C++ are also supported, and if you're doing some serious game development, you'll probably spend most of your time in C++ talking OpenGL, but for forms-based apps, you'll be interacting with a lot of the Objective-C SDK. Like shifting from Ctrl-C to Cmd-C, it feels a little odd at first, with the familiar string.format(.) turning into: NSString *myString = [NSString stringWithFormat:@"Hello world, it's %@", [NSDate date]]; Thankfully XCode's auto-complete is normally passable, if not up to Visual Studio's standards, which coupled with a huge amount of content on Stack Overflow means you'll soon get to grips with the API. You'll need to get used to some terminology changes, though; here's an incomplete approximation: Coming from a .NET background, there's some luxuries you no longer have developing Objective C in XCode: Generics! Remember back in .NET 1.1, when all collections were just objects? Yup, we're back there now. ReSharper. Or, more generally, very much refactoring support. The not-many-keystrokes to rename a class, its file, and al references to it in Visual Studio turns into a much more painful experience in XCode. Garbage collection. This is actually rather less of an issue than you might expect: if you follow the rules, the reference counting provided by Objective C gets you a long way without too much pain. Circular references are their usual problematic self, though. Decent exception handling. You do have exceptions, but they're nowhere near as widely used. Generally, if something goes wrong, you get nil (see translation table above) back. Which brings me on to. Calling a method on a nil object isn't a failure - it just returns nil itself! There's many arguments for and against this, but personally I fall into the "stuff should fail as quickly and explicitly as possible" camp. Less specifically, I found that there's more chance of code failing at runtime rather than getting caught at compile-time: using the @selector(.) syntax to pass a method signature isn't (can't be) checked at compile-time, so the first you know about a typo is a crash when you try and call it. The solution to this is of course lots of great testing, both automated and manual, but I still find comfort in provably correct type safety being enforced in addition to testing. Step 4: Submit to the App Store Assuming you want to distribute to more than a handful of devices, you're going to need to submit your app to the Apple App Store. There's a few gotchas in terms of getting builds signed with the right certificates, and you'll be bouncing around between XCode and iTunes Connect a fair bit, but eventually you get everything checked off the to-do list, and are ready to upload your first binary! With some amount of anticipation, I pressed the Upload button in XCode, ready to release our creation into the world, but was instead greeted by an error informing me my XML file was malformed. Uh. A little Googling later, and it turned out that a simple rename from "Stacks&Heaps.app" to "StacksAndHeaps.app" worked around an XML escaping bug, and we were good to go. The next step is to wait for approval (or otherwise). After a couple of weeks of intensive development, this part is agonising. Did we make it? The Apple jury is still out at the moment, but our fingers are firmly crossed! In the meantime, you can see some screenshots and leave us your email address if you'd like us to get in touch when it does go live at the MobileFoo website. Step 5: Profit! Actually, that wasn't the idea here: Stacks & Heaps is free; there's no adverts, and we're not going to sell all your data either. So why did we do it? We wanted to get an idea of what it's like to move from coding for a desktop environment, to something completely different. We don't know whether in a year's time, the iPad will still be the dominant force, or whether Android will have smoothed out some bugs, tweaked the performance, and polished the UI, but I think it's a fairly sure bet that the tablet form factor is here to stay. We want to meet people who are using it, start chatting to them, and find out about some of the pain they're feeling. What better way to do that than do it ourselves, and get to write a cool game in the process?

    Read the article

  • A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)

    - by eric.maurice
    Hi, this is Shaomin Wang. I am a security analyst in Oracle's Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Connection String Parameter Pollution (CSPP). Earlier this year, at the Black Hat DC 2010 Conference, two Spanish security researchers, Jose Palazon and Chema Alonso, unveiled a new class of security vulnerabilities, which target insecure dynamic connections between web applications and databases. The attack called Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). In today's blog, we are going to first look at what connection strings are and then review the different ways connection string injections can be leveraged by malicious hackers. We will then discuss how CSPP differs from traditional connection string injection, and the measures organizations can take to prevent this kind of attacks. In web applications, a connection string is a set of values that specifies information to connect to backend data repositories, in most cases, databases. The connection string is passed to a provider or driver to initiate a connection. Vendors or manufacturers write their own providers for different databases. Since there are many different providers and each provider has multiple ways to make a connection, there are many different ways to write a connection string. Here are some examples of connection strings from Oracle Data Provider for .Net/ODP.Net: Oracle Data Provider for .Net / ODP.Net; Manufacturer: Oracle; Type: .NET Framework Class Library: - Using TNS Data Source = orcl; User ID = myUsername; Password = myPassword; - Using integrated security Data Source = orcl; Integrated Security = SSPI; - Using the Easy Connect Naming Method Data Source = username/password@//myserver:1521/my.server.com - Specifying Pooling parameters Data Source=myOracleDB; User Id=myUsername; Password=myPassword; Min Pool Size=10; Connection Lifetime=120; Connection Timeout=60; Incr Pool Size=5; Decr Pool Size=2; There are many variations of the connection strings, but the majority of connection strings are key value pairs delimited by semicolons. Attacks on connection strings are not new (see for example, this SANS White Paper on Securing SQL Connection String). Connection strings are vulnerable to injection attacks when dynamic string concatenation is used to build connection strings based on user input. When the user input is not validated or filtered, and malicious text or characters are not properly escaped, an attacker can potentially access sensitive data or resources. For a number of years now, vendors, including Oracle, have created connection string builder class tools to help developers generate valid connection strings and potentially prevent this kind of vulnerability. Unfortunately, not all application developers use these utilities because they are not aware of the danger posed by this kind of attacks. So how are Connection String parameter Pollution (CSPP) attacks different from traditional Connection String Injection attacks? First, let's look at what parameter pollution attacks are. Parameter pollution is a technique, which typically involves appending repeating parameters to the request strings to attack the receiving end. Much of the public attention around parameter pollution was initiated as a result of a presentation on HTTP Parameter Pollution attacks by Stefano Di Paola and Luca Carettoni delivered at the 2009 Appsec OWASP Conference in Poland. In HTTP Parameter Pollution attacks, an attacker submits additional parameters in HTTP GET/POST to a web application, and if these parameters have the same name as an existing parameter, the web application may react in different ways depends on how the web application and web server deal with multiple parameters with the same name. When applied to connections strings, the rule for the majority of database providers is the "last one wins" algorithm. If a KEYWORD=VALUE pair occurs more than once in the connection string, the value associated with the LAST occurrence is used. This opens the door to some serious attacks. By way of example, in a web application, a user enters username and password; a subsequent connection string is generated to connect to the back end database. Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; In the password field, if the attacker enters "xxx; Integrated Security = true", the connection string becomes, Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; Intergrated Security = true; Under the "last one wins" principle, the web application will then try to connect to the database using the operating system account under which the application is running to bypass normal authentication. CSPP poses serious risks for unprepared organizations. It can be particularly dangerous if an Enterprise Systems Management web front-end is compromised, because attackers can then gain access to control panels to configure databases, systems accounts, etc. Fortunately, organizations can take steps to prevent this kind of attacks. CSPP falls into the Injection category of attacks like Cross Site Scripting or SQL Injection, which are made possible when inputs from users are not properly escaped or sanitized. Escaping is a technique used to ensure that characters (mostly from user inputs) are treated as data, not as characters, that is relevant to the interpreter's parser. Software developers need to become aware of the danger of these attacks and learn about the defenses mechanism they need to introduce in their code. As well, software vendors need to provide templates or classes to facilitate coding and eliminate developers' guesswork for protecting against such vulnerabilities. Oracle has introduced the OracleConnectionStringBuilder class in Oracle Data Provider for .NET. Using this class, developers can employ a configuration file to provide the connection string and/or dynamically set the values through key/value pairs. It makes creating connection strings less error-prone and easier to manager, and ultimately using the OracleConnectionStringBuilder class provides better security against injection into connection strings. For More Information: - The OracleConnectionStringBuilder is located at http://download.oracle.com/docs/cd/B28359_01/win.111/b28375/OracleConnectionStringBuilderClass.htm - Oracle has developed a publicly available course on preventing SQL Injections. The Server Technologies Curriculum course "Defending Against SQL Injection Attacks!" is located at http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm - The OWASP web site also provides a number of useful resources. It is located at http://www.owasp.org/index.php/Main_Page

    Read the article

  • MySQL for Excel 1.1.3 has been released

    - by Javier Treviño
    The MySQL Windows Experience Team is proud to announce the release of MySQL for Excel version 1.1.3, the  latest addition to the MySQL Installer for Windows. MySQL for Excel is an application plug-in enabling data analysts to very easily access and manipulate MySQL data within Microsoft Excel. It enables you to directly work with a MySQL database from within Microsoft Excel so you can easily do tasks such as: Importing MySQL Data into Excel Exporting Excel data directly into MySQL to a new or existing table Editing MySQL data directly within Excel MySQL for Excel is installed using the MySQL Installer for Windows. The MySQL installer comes in 2 versions   Full (150 MB) which includes a complete set of MySQL products with their binaries included in the download Web (1.5 MB - a network install) which will just pull MySQL for Excel over the web and install it when run.   You can download MySQL Installer from our official Downloads page at http://dev.mysql.com/downloads/installer/. MySQL for Excel 1.1.3 introduces the following features:   Upon saving a Workbook containing Worksheets in Edit Mode, the user is asked if he wants to exit the Edit Mode on all Worksheets before their parent Workbook is saved so the Worksheets are saved unprotected, otherwise the Worksheets will remain protected and the users will be able to unprotect them later retrieving the passkeys from the application log after closing MySQL for Excel. Added background coloring to the column names header row of an Import Data operation to have the same look as the one in an Edit Data operation (i.e. gray-ish background). Connection passwords can be stored securely just like MySQL Workbench does and these secured passwords are shared with Workbench in the same way connections are. Changed the way the MySQL for Excel ribbon toggle button works, instead of just showing or hiding the add-in it actually opens and closes it. Added a connection test before any operation against the database (schema creation, data import, append, export or edition) so the operation dialog is not shown and a friendlier error message is shown.   Also this release contains the following bug fixes:   Added a check on every connection test for an expired password, if the password has been expired a dialog is now shown to the user to reset the password. Bug #17354118 - DON'T HANDLE EXPIRED PASSWORDS Added code to escape text values to be imported to an Excel worksheet that start with an equals sign so Excel does not treat those values as formulas that will fail evaluation. This is an option turned on by default that can be turned off by users if they wish to import values to be treated as Excel formulas. Bug #17354102 - ERROR IMPORTING TEXT VALUES TO EXCEL STARTING WITH AN EQUALS SIGN Added code to properly check the reason for a failing connection, if it's a failing password the user gets a dialog to retry the connection with a different password until the connection succeeds, a connection error not related to the password is thrown or the user cancels. If the failing connection is not related to a bad password an error message is shown to the users indicating the reason of the failure. Bug #16239007 - CONNECTIONS TO MYSQL SERVICES NOT RUNNING DISPLAY A WRONG PASSWORD ERROR MESSAGE Added global options dialog that can be accessed from the Schema Selection and DB Object Selection panels where the timeouts for the connection to the DB Server and for the query commands can be changed from their default values (15 seconds for the connection timeout and 30 seconds for the query timeout). MySQL Bug #68732, Bug #17191646 - QUERY TIMEOUT CANNOT BE ADJUSTED IN MYSQL FOR EXCEL Changed the Varchar(65,535) data type shown in the Export Data data type combo box to Text since the maximum row size is 65,535 bytes and any autodetected column data type with a length greater than 4,000 should be set to Text actually for the table to be created successfully. MySQL Bug #69779, Bug #17191633 - EXPORT FAILS FOR EXCEL FILES CONTAINING > 4000 CHARACTERS OF TEXT PER CELL Removed code that was replacing all spaces typed by the user in an overriden data type for a new column in an Export Data operation, also improved the data type detection code to flag as invalid data types with parenthesis but without any text inside or where the contents inside the parenthesis are not valid for the specific data type. Bug #17260260 - EXPORT DATA SET TYPE NOT WORKING WITH MEMBER VALUES CONTAINING SPACES Added support for the year data type with a length of 2 or 4 and a validation that valid values are integers between 1901-2155 (for 4-digit years) or between 0-99 (for 2-digit years). Bug #17259915 - EXPORT DATA YEAR DATA TYPE NOT RECOGNIZED IF DECLARED WITH A DISPLAY WIDTH) Fixed code for Export Data operations where users overrode the data type for columns typing Text in the data type combobox, which is a valid data type but was not recognized as such. Bug #17259490 - EXPORT DATA TEXT DATA TYPE NOT RECOGNIZED AS A VALID DATA TYPE Changed the location of the registry where the MySQL for Excel add-in is installed to HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER so the add-in is accessible by all users and not only to the user that installed it. For this to work with Excel 2007 a hotfix may be required (see http://support.microsoft.com/kb/976477). MySQL Bug #68746, Bug #16675992 - EXCEL-ADD-IN IS ONLY INSTALLED FOR USER ACCOUNT THAT THE INSTALLATION RUNS UNDER Added support for Excel 2013 Single Document Interface, now that Excel 2013 creates 1 window per workbook also the Excel Add-In maintains an independent custom task pane in each window. MySQL Bug #68792, Bug #17272087 - MYSQL FOR EXCEL SIDEBAR DOES NOT APPEAR IN EXCEL 2013 (WITH WORKAROUND) Included the latest MySQL Utility with a code fix for the COM exception thrown when attempting to open Workbench in the Manage Connections window. Bug #17258966 - MYSQL WORKBENCH NOT OPENED BY CLICKING MANAGE CONNECTIONS HOTLABEL Fixed code for Append Data operations that was not applying a calculated automatic mapping correctly when the source and target tables had different number of columns, some columns with the same name but some of those lying on column indexes beyond the limit of the other source/target table. MySQL Bug #69220, Bug #17278349 - APPEND DOESN'T AUTOMATICALLY DETECT EXCEL COL HEADER WITH SAME NAME AS SQL FIELD Fixed some code for Edit Data operations that was escaping special characters twice (during edition in Excel and then upon sending the query to the MySQL server). MySQL Bug #68669, Bug #17271693 - A BACKSLASH IS INSERTED BEFORE AN APOSTROPHE EDITING TABLE WITH MYSQL FOR EXCEL Upgraded MySQL Utility with latest version that encapsulates dialog base classes and introduces more classes to handle Workbench connections, and removed these from the Excel project. Bug #16500331 - CAN'T DELETE CONNECTIONS CREATED WITHIN ADDIN You can access the MySQL for Excel documentation at http://dev.mysql.com/doc/refman/5.6/en/mysql-for-excel.html You can find our team’s blog at http://blogs.oracle.com/MySQLOnWindows. You can also post questions on our MySQL for Excel forum found at http://forums.mysql.com/. Enjoy and thanks for the support!

    Read the article

  • Why does this mod_rewrite rule 'not-match'? (big rewrite log included)

    - by Christopher
    I've got a scenario involving two domains: WordPress site hosted on domain1.com domain2.co.uk, simply redirecting users to domain1 via mod_rewrite This rule applies irrespective of whether www. is specified or not. (It's eventually removed from the URL, I'm a no-WWW fan.) There's nothing on domain2.co.uk at all except for an .htaccess with some mod_rewrite rules. However, I want to be able to allow users to be redirected to the correct article URI even if they specify the "wrong" URL (i.e., a 301 redirect preserving the stuff after the first forward slash). I'm currently achieving this with this ruleset: RewriteCond %{HTTP_HOST} ^((www\.)?[^\.]+)\.domain2\.co\.uk [NC,OR] RewriteCond %{HTTP_HOST} ^domain2\.co\.uk [NC] RewriteRule ^(.*)$ http://domain1.com/$1 [R=301,L] This works but is uglier than I want it to be. I'm not a mod_rewrite zen master, but from what I can tell the top rule should match irrespective of whether www. is specified... But it doesn't. In order to catch www-less requests, I need the second RewriteCond. From the rewrite log, with just the first RewriteCond: [domain2.co.uk/sid#e200498][rid#e670168/initial] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] strip per-dir prefix: /home/devnull/domains/domain2.co.uk/public_html/ -> [domain2.co.uk/sid#e200498][rid#e670168/initial] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] applying pattern '^(.*)$' to uri '' [domain2.co.uk/sid#e200498][rid#e670168/initial] (4) [perdir /home/devnull/domains/domain2.co.uk/public_html/] RewriteCond: input='domain2.co.uk' pattern='^((www\.)|[^\.]+)\.domain2\.co\.uk' [NC] => not-matched [domain2.co.uk/sid#e200498][rid#e670168/initial] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/ [domain2.co.uk/sid#e200498][rid#e653868/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.html [domain2.co.uk/sid#e200498][rid#e65f8b8/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.htm [domain2.co.uk/sid#e200498][rid#e653868/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.shtml [domain2.co.uk/sid#e200498][rid#e65f8b8/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.php [domain2.co.uk/sid#e200498][rid#e653868/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.php5 [domain2.co.uk/sid#e200498][rid#e666c98/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.php4 [domain2.co.uk/sid#e200498][rid#e65f8b8/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.php3 [domain2.co.uk/sid#e200498][rid#e653868/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.phtml [domain2.co.uk/sid#e200498][rid#e65f8b8/subreq] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/index.cgi [domain2.co.uk/sid#e200498][rid#e66c370/initial/redir#1] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] strip per-dir prefix: /home/devnull/domains/domain2.co.uk/public_html/403.shtml -> 403.shtml [domain2.co.uk/sid#e200498][rid#e66c370/initial/redir#1] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] applying pattern '^(.*)$' to uri '403.shtml' [domain2.co.uk/sid#e200498][rid#e66c370/initial/redir#1] (4) [perdir /home/devnull/domains/domain2.co.uk/public_html/] RewriteCond: input='domain2.co.uk' pattern='^((www\.)|[^\.]+)\.domain2\.co\.uk' [NC] => not-matched [domain2.co.uk/sid#e200498][rid#e66c370/initial/redir#1] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/403.shtml [domain2.co.uk/sid#e200498][rid#e668ca8/initial] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] strip per-dir prefix: /home/devnull/domains/domain2.co.uk/public_html/favicon.ico -> favicon.ico [domain2.co.uk/sid#e200498][rid#e668ca8/initial] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] applying pattern '^(.*)$' to uri 'favicon.ico' [domain2.co.uk/sid#e200498][rid#e668ca8/initial] (4) [perdir /home/devnull/domains/domain2.co.uk/public_html/] RewriteCond: input='domain2.co.uk' pattern='^((www\.)|[^\.]+)\.domain2\.co\.uk' [NC] => not-matched [domain2.co.uk/sid#e200498][rid#e668ca8/initial] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/favicon.ico [domain2.co.uk/sid#e200498][rid#f160b40/initial/redir#1] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] strip per-dir prefix: /home/devnull/domains/domain2.co.uk/public_html/404.shtml -> 404.shtml [domain2.co.uk/sid#e200498][rid#f160b40/initial/redir#1] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] applying pattern '^(.*)$' to uri '404.shtml' [domain2.co.uk/sid#e200498][rid#f160b40/initial/redir#1] (4) [perdir /home/devnull/domains/domain2.co.uk/public_html/] RewriteCond: input='domain2.co.uk' pattern='^((www\.)|[^\.]+)\.domain2\.co\.uk' [NC] => not-matched [domain2.co.uk/sid#e200498][rid#f160b40/initial/redir#1] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] pass through /home/devnull/domains/domain2.co.uk/public_html/404.shtml However with the second RewriteCond added, the rule works, and the logs show this: [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] strip per-dir prefix: /home/devnull/domains/domain2.co.uk/public_html/ -> [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (3) [perdir /home/devnull/domains/domain2.co.uk/public_html/] applying pattern '^(.*)$' to uri '' [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (4) [perdir /home/devnull/domains/domain2.co.uk/public_html/] RewriteCond: input='domain2.co.uk' pattern='^((www\.)?[^\.]+)\.domain2\.co\.uk' [NC] => not-matched [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (4) [perdir /home/devnull/domains/domain2.co.uk/public_html/] RewriteCond: input='domain2.co.uk' pattern='^domain2\.co\.uk' [NC] => matched [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (2) [perdir /home/devnull/domains/domain2.co.uk/public_html/] rewrite '' -> 'http://domain1.com/' [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (2) [perdir /home/devnull/domains/domain2.co.uk/public_html/] explicitly forcing redirect with http://domain1.com/ [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] escaping http://domain1.com/ for redirect [domain2.co.uk/sid#e200498][rid#e65fe58/initial] (1) [perdir /home/devnull/domains/domain2.co.uk/public_html/] redirect to http://domain1.com/ [REDIRECT/301] Can anybody help me figure out why it just won't work with the one rule? I feel like I'm missing the bleeding obvious, and while the second RewriteCond is a valid workaround, it's a kludge and that annoys me. ;-) All help appreciated...

    Read the article

< Previous Page | 11 12 13 14 15 16  | Next Page >