Marc's Place
Restrict Lasso AJAX-file calls to the intended web page

Suppose you have a setup where a page talks to the server with AJAX calls that execute a Lasso file on the server to fetch some data. You do not want that file to be called directly from the browser's URL bar, or from a copy of your page that somebody hosts elsewhere. Anybody can see which AJAX files your page calls (they are right there in the page source and in the browser's network tools), so for some people it is a challenge to call them outside the normal page and see what data comes back. Might be of interest! So you want to prevent that, somehow.

Lasso has a tag called referrer_url, which returns the URL of the page that made the request, taken from the HTTP Referer header the client sent. If you check that string for a domain name or a path that only your site uses, you can refuse to execute the file when the request did not come from one of your own pages. When a URL is typed directly into the browser, referrer_url is an empty string, which is logical, since no page referred to it. Keep in mind what you are checking, though: the header is filled in by the client. A browser sets it honestly (and may leave it out altogether under a strict Referrer-Policy), but anything else that speaks HTTP, such as curl or a script, can send any Referer it likes.

Suppose I have a page mypage.html with a jQuery autocomplete in it. The same autocomplete can of course be used by more than one page, and you do not want people trying it out in other ways.

...
...
<input type="text" id="inp1" size="25"><span id="desc1"></span>
...
...
<script>
$(document).ready(function() {
   $("#inp1").autocomplete({
      minLength: 2,
      source: "ajax.lasso?p1=a&p2=b",   // the AJAX file we want to protect
      select: function(e, u) {
         $("#inp1").val(u.item.value);
         $("#desc1").html((u.item.label).replace("(" + u.item.value + ")", ""));
         return false;
      }
   });
});
</script>


Simple protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
...
...
/if;
]


Better protection:
[
// use 'https://my.domain.com/' here if the site is served over https,
// otherwise the prefix test never matches
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
   (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
...
...
/if;
]


So this gives you some protection against the just-try-something user. The real gain comes from adding a login system: it restricts the number of users who might want to poke at your pages, and you can trace their actions on your site. In that case, also check that the user is logged in. You must run your complete login sequence in your AJAX pages too, just as in 'normal' pages: an XMLHttpRequest is an ordinary HTTP request, so the browser sends the same headers and cookies to your AJAX page as to any other.

More protection:
[
if (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html');
   // Lasso 8 var syntax is var('name' = value); checkuser.lasso sets it to true
   var('loggedIn' = false);

   include('checkuser.lasso');

   if($loggedIn);
      ...
      ...
   /if;
/if;
]


Even better protection:
[
if (string(referrer_url)->beginswith('http://my.domain.com/') &&
   (referrer_url >> '/mypage.html' || referrer_url >> '/myotherpage.html'));
   var('loggedIn' = false);

   include('checkuser.lasso');

   if($loggedIn);
      ...
      ...
   /if;
/if;
]


But, as with everything web-related, nothing the client sends can be trusted. The referrer check keeps out the curious, not the determined: anyone with curl can copy the Referer their browser sent and the check passes. What actually protects the data is the session check, because a valid session exists only on your server. So make the login the control, and treat the referrer test as a convenience filter.
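To make the difference between the two kinds of check concrete, here is the post's logic modelled in Python over a handful of constructed requests. This is an added example, not code from the post (which is Lasso); the host name, the https scheme, the session table, the X-Requested-Token header name and the request dicts are all assumptions for the demo. It goes slightly beyond the post by adding a per-session token next to the session cookie, which is what makes the hardened check independent of the Referer.

```python
from urllib.parse import urlparse

# Assumed site details for this demo (not taken from the original post).
OUR_HOST = "my.domain.com"
OUR_ORIGIN = "https://" + OUR_HOST
ALLOWED_PAGES = ("/mypage.html", "/myotherpage.html")

# Constructed session store: session cookie value -> per-session request
# token.  The server embeds the token in the page; the page's own script
# sends it back in a header on every AJAX call.
SESSIONS = {"s3ss10n-abc": "tok-9f2c"}


def simple_check(headers):
    """The post's 'simple protection': the Referer only has to contain one
    of the page names.  Any host with a /mypage.html passes."""
    ref = headers.get("Referer", "")
    return any(page in ref for page in ALLOWED_PAGES)


def better_check(headers):
    """The post's 'better protection': the Referer must also start with our
    origin.  The trailing slash matters: without it a lookalike host such as
    my.domain.com.evil.example would pass the prefix test."""
    ref = headers.get("Referer", "")
    return ref.startswith(OUR_ORIGIN + "/") and simple_check(headers)


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs = [part.strip().split("=", 1) for part in header.split(";") if "=" in part]
    return dict(pairs)


def hardened_check(headers):
    """What should gate the data: a valid session cookie plus the token that
    only script running inside our own page can know.  Neither depends on
    the Referer, which any HTTP client can forge or omit."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    token = SESSIONS.get(cookies.get("session", ""))
    return token is not None and headers.get("X-Requested-Token") == token


def same_site(headers):
    """Host comparison on the parsed Origin or Referer, usable as an extra
    signal next to the session check.  Returns None when neither header is
    present, so a browser that strips the Referer is 'unknown', not hostile."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    return urlparse(src).hostname == OUR_HOST


# Constructed requests, as the header dicts a server would see.
REQUESTS = {
    "browser, script inside mypage.html": {
        "Referer": OUR_ORIGIN + "/mypage.html",
        "Cookie": "session=s3ss10n-abc",
        "X-Requested-Token": "tok-9f2c",
    },
    "URL typed into the address bar while logged in": {
        "Cookie": "session=s3ss10n-abc",
    },
    "curl with a forged Referer": {
        "Referer": OUR_ORIGIN + "/mypage.html",
    },
    "copy of the page on a lookalike host": {
        "Referer": "https://my.domain.com.evil.example/mypage.html",
        "Origin": "https://my.domain.com.evil.example",
    },
    "browser sending no Referer (Referrer-Policy: no-referrer)": {
        "Cookie": "session=s3ss10n-abc",
        "X-Requested-Token": "tok-9f2c",
    },
}


def evaluate(requests=REQUESTS):
    """Run all three checks over every request: name -> (simple, better, hardened)."""
    return {name: (simple_check(h), better_check(h), hardened_check(h))
            for name, h in requests.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:58} simple={verdict[0]!s:5} better={verdict[1]!s:5} hardened={verdict[2]!s:5}")
```

Two rows in the output carry the point: the forged curl request passes both referrer checks and fails only the hardened one, while the browser that strips its Referer fails both referrer checks even though it is a legitimate, logged-in user. Compare parsed host names (same_site) rather than substrings if you keep a referrer test as an extra signal.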
 

Foto: Night Train Impression

Night Train Impression

While waiting for my train, I suddenly felt like taking this picture: it was all about the combination of people and the interaction (or lack of it).
After that I used some apps on the iPhone to get the desired effect, to abstract the situation and leave more to the imagination.

Casal dos Jordões - Finest Reserve Port

Looking for a superb, organic port wine? I can really recommend this one! More about this company, which has won medal after medal since switching to organic growing in 1994.


Foto: Dinner in a hotel room

Dinner in a hotel room


MySQL: Split a comma-separated list and insert result into table

Looking for a SPLIT function in MySQL, I came across this one. I tried it and must have done something wrong, because MySQL threw an error at the function. I am not a MySQL guru, and since this is a one-time Q&D conversion, I only took the SUBSTRING idea and built a query that splits the contents of an old column into separate values and inserts the result directly into a new, normalized table.

My example is about a TEXT column I want to get rid of, whose contents I want to move to a separate table. The column contains email addresses separated by commas. So first I had to find the maximum number of email addresses stored in one row; this query counts the commas per row, and I wrapped it in MAX():

select max(length(emails) - length(replace(emails, ',', ''))) as occurrences
from old_table
where emails<>''


With that number, I wrote number+1 SELECTs joined by UNION, one per position, so that all email addresses end up in one column. That derived table is then joined against the users table to look up the corresponding user, and the result is fed straight into a new table that stores an ID and a USER-ID instead of an email address:

-- new_table(idnr, user): one row per (old row, matching user) pair
insert into new_table
select x.idnr, u.user
from (
  -- position 1: everything before the first comma
  -- (substring_index(..., 0) is '', so the offset is char_length('') + 1 = 1)
  select idnr,
  trim(substring(substring_index(emails, ',', 1), char_length(substring_index(emails, ',', 1 -1)) + 1)) as email
  from old_table
  where emails<>''

  union

  -- position 2: take the first two items, then skip the first item and its comma (+2)
  select idnr,
  trim(substring(substring_index(emails, ',', 2), char_length(substring_index(emails, ',', 2 -1)) + 2)) as email
  from old_table
  where emails<>''

  union

  -- position 3
  select idnr,
  trim(substring(substring_index(emails, ',', 3), char_length(substring_index(emails, ',', 3 -1)) + 2)) as email
  from old_table
  where emails<>''

  union

  -- position 4 = MAX(occurrences) + 1; rows with fewer items yield '' here,
  -- which the outer WHERE drops (UNION also removes duplicates)
  select idnr,
  trim(substring(substring_index(emails, ',', 4), char_length(substring_index(emails, ',', 4 -1)) + 2)) as email
  from old_table
  where emails<>''
) as x
-- inner join: an address that matches no users row is silently left out
join users u on (u.email1=x.email or u.email2=x.email)
where x.email<>''


Now that all used email addresses are associated with the IDs of the original rows, I can delete the old column and change all my LIKE queries into LEFT JOINs. Much better, because email addresses change.
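The UNION-per-position approach has to be rewritten whenever the maximum count changes. As an added example (not from the post), the same split can be done once for any number of addresses by joining each row against a small numbers table; the table and column names follow the post (old_table.idnr, old_table.emails, users.user/email1/email2, new_table(idnr, user)), while the size of the numbers table (8) is an assumption and must be at least MAX(occurrences)+1 from the counting query. The orphan query in the middle lists addresses the inner join would otherwise drop without a trace.

```sql
-- Added example, not the post's query. Split every comma-separated value
-- into one row per (idnr, email) using a derived numbers table.
-- Numbers table size 8 is an assumption: make it >= MAX(occurrences) + 1.
CREATE TEMPORARY TABLE split_emails AS
SELECT o.idnr,
       -- first n items, then the last of those: the n-th item
       TRIM(SUBSTRING_INDEX(SUBSTRING_INDEX(o.emails, ',', n.n), ',', -1)) AS email
FROM old_table o
JOIN (SELECT 1 AS n UNION ALL SELECT 2 UNION ALL SELECT 3 UNION ALL SELECT 4
      UNION ALL SELECT 5 UNION ALL SELECT 6 UNION ALL SELECT 7 UNION ALL SELECT 8) n
  -- only positions that exist in this row: comma count + 1
  ON n.n <= CHAR_LENGTH(o.emails) - CHAR_LENGTH(REPLACE(o.emails, ',', '')) + 1
WHERE o.emails <> '';

-- Check before migrating: addresses that no users row owns. These would be
-- dropped silently by the inner join below.
SELECT s.idnr, s.email
FROM split_emails s
LEFT JOIN users u ON (u.email1 = s.email OR u.email2 = s.email)
WHERE s.email <> '' AND u.user IS NULL;

-- The migration itself: one (idnr, user) pair per resolved address.
INSERT INTO new_table (idnr, user)
SELECT DISTINCT s.idnr, u.user
FROM split_emails s
JOIN users u ON (u.email1 = s.email OR u.email2 = s.email)
WHERE s.email <> '';
```

Trailing commas and empty items produce '' rows in split_emails, which the WHERE clauses drop exactly as the post's outer WHERE does. Run the orphan query first and only proceed with the INSERT when its result is empty or explained.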
 

Foto: Deer on Dune-top near Zandvoort

Deer on a dune-top


SheepShaver - Mac OS 9.0 Classic Emulation on Mac OS 10.8

If you do not want to spend much money on upgrades for software you hardly use, just because you are running the latest Mac OS, try a Mac OS emulator! They are free and run nicely and fast on the new Macs.

Let's take FileMaker Pro 6 for example. A piece of software I need for a regional tree foundation I do some work for, but rarely use. And I do not want to upgrade; too expensive for the infrequent usage. So I looked at installing it on Windows in Parallels, since I have that software anyway, but that is a bit too much overhead just for running FileMaker 6. WINE did a bad job, so I ditched that. Then I got a 500MHz G4 Cube! The advantage was that it runs all my older software too, like the Star Wars Episode 1 Racer. But it is a bit much work turning that Mac on and off just to do some administrative work in FileMaker 6.

So I still want to be able to run FM6 on my iMac, in Mac OS 10.8, because it is simply more convenient. I tried SheepShaver a long time ago, but back then it somehow did not work for me. Today I came across it again while searching for Mac OS emulators for Mountain Lion, and saw '2012' in SheepShaver's blog, so it is still actively supported. I gave it a try and it works fantastically! And it runs my FM6 applications, and some old games of course, like BreakThru! Really cool!

If you want to try it too, download SheepShaver, a ROM file and the OS 9 System. READ and follow these instructions and you should be fine.


Brunello di Montalcino 2007

A few weeks ago, while shopping at ALDI in my hometown, I came across this wine. Lucky for them I was in a good mood and spent €12 on this wine, just this once.

Well, turns out it was a very good wine!

But not worth the price. I have had similar quality for about €8 a bottle. Now I am waiting until the last of their stock gets a yellow sticker with a reduced price; maybe then this wine becomes interesting to buy again.

If you can get it for a reasonable price, I suggest you try it!


Foto: iMac going crazy

iMac going crazy


Daily Script on Mac OS X Server did not clean up /tmp

Lately my /tmp folder was piling up with files (krb5cc*) without any sign that they were being deleted regularly. A bit of googling showed that these are Kerberos credential caches written by the Open Directory server, which is not something I can control. So I went to investigate why the daily script would not delete them. More googling turned up where the parameter file for the daily, weekly and monthly cleanup scripts lives: /etc/defaults/periodic.conf. There I found these settings for /tmp:

# 110.clean-tmps
daily_clean_tmps_enable="YES"           # Delete stuff daily
daily_clean_tmps_dirs="/tmp"            # Delete under here
daily_clean_tmps_days="3"               # If not accessed for
daily_clean_tmps_ignore=".X*-lock .X11-unix .ICE-unix .font-unix .XIM-unix"
daily_clean_tmps_ignore="$daily_clean_tmps_ignore quota.user quota.group"
                                        # Don't delete these
daily_clean_tmps_verbose="YES"          # Mention files deleted


The one to look at is the "3". It says the routine should clean up files not accessed for 3 days. But it did not, and the files were not covered by the ignore parameters either. Even rm -rf krb5cc* failed immediately with "argument list too long": that is the shell expanding the glob into more arguments than one command may carry, which is one more reason to let find do the deleting. So I started reading what the exact values for this parameter should be.

Well, it turns out that the value takes a unit suffix, like h (hours), d (days) or w (weeks); BSD find also accepts s and m, for seconds and minutes. I found that out by reading /etc/periodic/daily/110.clean-tmps and studying how find uses -atime, -ctime and -mtime (all three have to be older than the limit for a file to go) and how the values are formed. Here are a few find commands, copied from /etc/periodic/daily/110.clean-tmps, which I ran to make sure that what I had just read was right (they only list files, nothing is deleted):

$ cd /tmp
$ sudo find -dx . -fstype local -type f -atime +1h -mtime +1h -ctime +1h
$ sudo find -dx . -fstype local -type f -atime +1d -mtime +1d -ctime +1d
$ sudo find -dx . -fstype local -type f -atime +2d -mtime +2d -ctime +2d


Further reading suggested using an override file, so I sudo'd into vi and created /etc/periodic.conf with the following contents:

daily_clean_tmps_days="2d"

Yes, 2 days. Three days is too long for a server, in my opinion. The file's attributes look like this (root-owned and world-readable, like the defaults file):

marcvos @ ~ $ ls -l /etc/periodic.conf
-rw-r--r-- 1 root wheel 27 Oct 25 16:38 /etc/periodic.conf


Next, delete the file daily.out:

$ sudo rm /var/log/daily.out

Reboot the server. Check your /tmp folder and /var/log/daily.out over the next days.

After that, I finally saw all those files being deleted.
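If you do not want to wait for the next periodic run, the one-off cleanup can be done the way 110.clean-tmps does it, with find walking the directory instead of the shell expanding a glob, so the "argument list too long" error cannot occur. This is an added example, not from the post or from the periodic scripts: the directory, pattern and age are parameters, the scratch-directory demo uses constructed files, and it tests -mtime only (ctime cannot be back-dated for a demo). It uses whole days rather than the h/d/w suffixes, because only BSD find accepts those and this way the same script runs under GNU find as well.

```sh
#!/bin/sh
# Added example, not from the original post: one-off cleanup in the style of
# 110.clean-tmps.  Directory, pattern and age are parameters (assumptions).

# purge_old DIR PATTERN DAYS
#   Delete regular files under DIR matching PATTERN whose modification time
#   is more than DAYS days ago.  -xdev stays on one filesystem, like the
#   -x / -fstype local pair in 110.clean-tmps; -delete removes each match as
#   find encounters it, so no argument list is ever built.
purge_old() {
    dir=$1; pattern=$2; days=$3
    find "$dir" -xdev -type f -name "$pattern" -mtime +"$days" -delete
}

# count_matching DIR PATTERN
#   Number of regular files under DIR matching PATTERN (before/after check).
count_matching() {
    find "$1" -xdev -type f -name "$2" | wc -l | tr -d ' '
}

# demo: scratch directory with two constructed files, one stale, one fresh.
# Purges anything older than 2 days and returns how many files are left.
demo() {
    scratch=$(mktemp -d) || return 1
    touch "$scratch/krb5cc_old"
    touch -t 201001010000 "$scratch/krb5cc_old"    # stale: dated 2010-01-01
    touch "$scratch/krb5cc_new"                    # fresh: now
    purge_old "$scratch" 'krb5cc*' 2
    left=$(count_matching "$scratch" 'krb5cc*')
    rm -rf "$scratch"
    echo "$left"
}

demo
```

For the real /tmp you would run purge_old /tmp 'krb5cc*' 2 as root. Note that the periodic script is stricter than this function: it requires -atime, -mtime and -ctime all to be over the limit, so a cache that was merely read recently survives there but not here.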
 
© 1997- Marc Vos (and others)   -   Privacy Statement   -    Contact Me