In a number of recent sites I have seen the use of hard coded physical server paths in XML arrtibutes such as the path="" in <folder> and <filesystem> nodes.
The problem with this approach is that whilst the code will operate perfectly on a development workstation by pointing to something beginning "c:\fx8build\web\....." it is unlikely this is th correct path in the test or live environments and to the system will immediately fal test on first deployment.
Best practive is to use the set of replacement values to ensure the correct path is addressed in each server deployment.
The following replacement values are supported in all config, map and point files:-
|
Replacement Value |
Meaning |
|---|---|
|
[path:content] |
The physical path to the root of the current site. eg: c:\fx8build\web\content\fx.mysite |
|
[path:theme] |
The physical path to the root of the current theme.
eg. c:\fx8build\web\conten\fx.mysite\themes\private |
|
[path:system] |
The physical path to the system folder. eg. c:\fx8build\web\system |
|
[path:root] |
The pysical path to the root of the web eg. x:\fx8build\web |
Thus a folder node may be configured as:
<folder id="blog-images" path="images\blogs" >
<sizes>
<size id="News Thumbnail" width="100" height="100" filetype="jpg" />
<size id="Fixed Height" width="auto" height="160" filetype="jpg" />
<size id="Panel Photo" width="160" height="160" filetype="jpg|png" />
</sizes>
</folder>
Note: All paths are resolved to INCLUDE the training "\".
Sadly I will have to work from home for another day as my Multipla languishes in the garage awaiting a replacement engine mount.
I am on my second Fiat Multipla now and all have had their problems but then if you treat them the way we do perhaps this is not so unreasonable. With five passengers, five bikes and enough clothes, toys, gluten free food and "stuff" for two weeks in Aviemore I think we must be close to the record for how much stuff can you cram in a Multipla.
With some 90,000 miles on the clock we made it to Aviemore and back but on setting out from Musselburgh yesterday to make the drive to St Andrews there was a rather fatal sounding bang and a lot of juddering and, sadly, Multi was seriously injured.
Magnus of course immediately started running through alternative ways to make the meeting in Aberdeen, this included hime thinking aloud with phrases such as ... "My mothers car is in Shetland" and "I don't suppose you can fix it here".
I on the other hand was trying to work out how I could use the Google maps linked with the GPS device on my phone to provide a location whilst at the same time use the same device to make a call to the AA recovery service. This resulted in one call being aborted as I tried to task switch with the same button as drops a call. Perhaps there was something to be said for disparate devices. In the end I wrote the location on the back of a business card.
I must compliment the AA on the service provided. They were at the car within 30 minutes of my second call (yes the GPS location did work) and i' was on tow to lauder within a further 30 minutes only after they has ascertained that the required part was not available from any of three main suppliers in Edinburgh and so a road side repair was not possible.
I am assured the part will arrive tomorrow and I look forward to many more miles in this ever-so family ever-so-not executive vehicle.
It is generally being reported across the web that the use of SQL injection attacks by distributers of pornographic materials and malware is on the rise. Injection attacks will try to add url links, script containing popups, redirects to malware sites or inapropriate text to your site's database. Once inserted these unwanted materials will manifest in your site's visitors browsers. Yours visitors will of course blame you!
An SQL injection attack is where an unwelcome user of a web site passes code to the server that is designed to execute in the database layer. Code is usually passed on the query string or in the post and masquerades as known parameters for existing pages.
Many developers fail to realise the significance or the sophistication of these attacks. Some developers wrongly believe that attacks can only be made against pages that are designed to write to the database, however this is not the case. Most attacks will be leveraged on pages that simply retrieve records from a database.
There are many different defences against SQL Injection and the most security aware sites will implement many of these together. Methods include:-
1. Securing the database user
2. Using parameterised queries to access the database
3. Validating that all user input from post, query, cookies etc is validated to a known pattern
4. Searching inputs for known database keywords and injection characters
The above list is roughly in order of importance yet many developers over the years have elected to stop injection by item 4, searching for known injection characters and keywords.
The current rise in successful attacks is in part down to the use of encoding to pass the injection code in a form that does not contain any recognisable database keywords or injection characters until it is decoded at the database layer by which time it is too late to do anything about it.
The most important method is, however, to secure the database such that the database user object used by your website has the lowest possible privaledges allowing them to do only that which you intended they could do.
Even this is, of course, less than simple and there are a number of things that administrators often overlook.
If your site never updates the database then all is well and you can provide the database user with readonly access the the table ensuring that no attack will succeed.
If, like many, you are trying to capture shopping cart details, contact requests or simply log access then it is likely you will be providing write access to tables. Where this is the case then the most important protection against an injection attack is to ensure that the attacking script will not be able to gain access to a list of table names - typically this will stop all automated scripts as without the table names it is not possible to construct valid SQL statements.
Sadly Microsoft SQL (and others) make it all too easy to gain access to table names. Try running the following statements on your MS SQL database using a user that in your opinion only have read and write access to the web database and no access to the master tables
SELECT * FROM sysobjects
or
SELECT * FROM sys.tables
The second command will only succeed in MS SQL 2005 and above.
It is likely that your "secure user" can execute these commands and if so your site is open to the most prevalent set of injection attacks.
It is a simple process to resolve these insecurities by running the following commands whilst connected to the relevant database(s) as an administrator.
DENY SELECT ON sysobjects to [databaseusername]
DENY SELECT ON syscolumns to [databaseusername]
where [databaseusername] is the user object used by your web code to access the database
If you are running on MS SQL 2005 or above (including SQL Express) you should also deny access to the SYS Schema with the following additional command whilst connected to the relevant database(s) as an administrator.
DENY VIEW DEFINITION TO [databaseusername]
It should not be impossible for any script to gain access to the objects necessary to read the table names in your database and although not perfect you have made a significant step towards greater security.
By default Internet Explorer/Options/Security only has 4 security zones.
There is an additional zone "My Computer" that can be made visible via the following registry edit.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Find the key for FLAGS and set the value to "47" hex (it will be at 21 by default)
Now the new zone will be available, edit its custom settings and find the entry for:
Web sites in less privileged zones may navigate .....and set this to either Prompt to Enable.
Links form HTTP:// protocol to FILE:// protocol will now work and thus links to FILES in the Factonomy portfolio application will function as desired.
The first thing to do is to open a connection from your computer to your mail server.
telnet mail.domain.ext 25
Trying ???.???.???.???...
Connected to mail.domain.ext.
Escape character is '^]'.
220 mail.domain.ext ESMTP Sendmail version-number; date+time+gmtoffset
You will then need to delcare where you are sending the email from:
HELO local.domain.name
250 mail.domain.ext Hello local.domain.name [loc.al.i.p], pleased to meet you
don't worry too much about your local domain name although you really should use your exact fully qualified domain name as seen by the outside world the mail server has no choice but to take your word for it as of RFC822-RFC1123.
Now give your email address:
MAIL FROM: mail@domain.ext
250 2.1.0 mail@domain.ext... Sender ok
Now give the recipients address:
RCPT TO: mail@otherdomain.ext
250 2.1.0 mail@otherdomain.ext... Recipient ok
To start composing the message issue the command
DATA
If you want a subject for your email type
Subject: type subject here
then press enter twice (these are needed to conform to RFC 882)
You may now proceed to type the body of your message
Just type the body of the message as it should appear with any punctuation, new lines etc as needed.
To tell the mail server that you have completed the message enter a single "." on a line on it's own.
.
250 2.0.0 ???????? Message accepted for delivery
You can close the connection by issuing:
QUIT
221 2.0.0 mail.domain.ext closing connection
Connection closed by foreign host
Setting the autoclose option on an SQL database causes the SQL server to in effect detatch from the MDF datafile as soon as the last user closes their dataconnection.Setting this option has the advantage that when the DB is not in use the MDF and LDF files can simply be copied from one server to another with no further requirementUse the following syntax to change the option use mastergosp_dboption <databasename>, autoclose, "on"
See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_sp_da-di_8c32.asp for full details of the sp_dboption procedure
The process involved is someting like this
Link to the ActiveX FindIT component, in the example below I am assuming it has a logal object objFindIT
Initialise the FindIT object
This tells the FindIT object where to locate the .DAT file that ships with the FindIT system and contains data including lists of common names, towns and other such data
objFindIT.Initialise(foldername,"") :where foldername is the location of the FindIT.DAT file supplied with the system
Set to Record 1
as we are not running in batch mode at this stage we will only ever make a call to deal with a single record.
objFindIT.CurrentRecord := 1;
Populate the input fields with data from the inbound schema
objFindIT.Addressee :=
objFindIT.Address1 :=
objFindIT.Address2 :=
etc - max = Add9 - the Town, County, Postcode etc will be somewhere in the address lines but not in known fields. This is what FindIT is good at!
Call the generate method to populate the output fields in the object
objFindIT.Generate();
Retrieving the generated fields and return them to the orchestration.
strSalutation := objFindIT.Salutation;
strContact := objFindIT.Contact;
strPostcode := objFindIT.Postcode;
etc
The following is the list of fields available to read back
|
Name |
Comments |
|---|---|
|
Prefix |
These fields are an alternative to the Addressee field. If you supply these fields as well as the Addressee field, the Addressee field will be ignored. |
|
Address1 |
Address lines (maximum of 9 allowed) |
|
Postcode |
Max Size = 10 |
