Mar 30 2010

Top 25 Most Dangerous Programming Errors

I’ve always been interested in understanding common programming errors so that I can easily recognize and diagnose problems, hopefully without spending hours staring at my breakpoints in my debugger. Previously, I’ve written on Common Groovy Errors and Top Worse Java Errors.

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors was put out by the Common Weakness Enumeration (CWE) project at MITRE together with the SANS Institute, with sponsorship from the US Department of Homeland Security. Many of the entries are web application errors, but the list, reproduced below in rank order, also covers memory corruption, authentication, resource handling and cryptography.

  • Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
  • Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
  • Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  • Cross-Site Request Forgery (CSRF)
  • Improper Access Control (Authorization)
  • Reliance on Untrusted Inputs in a Security Decision
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Unrestricted Upload of File with Dangerous Type
  • Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
  • Missing Encryption of Sensitive Data
  • Use of Hard-coded Credentials
  • Buffer Access with Incorrect Length Value
  • Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
  • Improper Validation of Array Index
  • Improper Check for Unusual or Exceptional Conditions
  • Information Exposure Through an Error Message
  • Integer Overflow or Wraparound
  • Incorrect Calculation of Buffer Size
  • Missing Authentication for Critical Function
  • Download of Code Without Integrity Check
  • Incorrect Permission Assignment for Critical Resource
  • Allocation of Resources Without Limits or Throttling
  • URL Redirection to Untrusted Site (‘Open Redirect’)
  • Use of a Broken or Risky Cryptographic Algorithm
  • Race Condition
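As an added example (my own illustration, not code from the CWE/SANS document), here is entry 7 of the list, path traversal, in Ruby: a resolver that glues the request parameter straight onto the document root, next to a hardened one that canonicalises the path and refuses anything that escapes the root. The directory layout and file contents are constructed in a throw-away temp directory, and the function names are hypothetical.

```ruby
require "tmpdir"
require "fileutils"

# Added example for "Improper Limitation of a Pathname to a Restricted
# Directory (Path Traversal)". Both resolvers are illustrative only.

# Vulnerable form: the request parameter is joined onto the document root, so
# a name such as "../../etc/passwd" simply walks out of it.
def vulnerable_path(base, name)
  File.join(base, name)
end

# Hardened form: canonicalise the candidate and require it to stay under the
# canonical root. Returns nil when the request must be refused.
def safe_path(base, name)
  return nil if name.nil? || name.empty? || name.include?("\0")
  root = File.expand_path(base)
  # expand_path resolves "..", "." and absolute names relative to root
  candidate = File.expand_path(name, root)
  # The trailing separator stops a sibling that merely shares a prefix
  # (/srv/files2 next to /srv/files) from passing a naive start_with? test.
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Runs one traversal attempt through each resolver inside a sandbox built in a
# temp directory (constructed data) and returns what each one produced.
def traversal_demo
  Dir.mktmpdir("traversal") do |tmp|
    root = File.join(tmp, "public")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "report.txt"), "quarterly numbers")
    File.write(File.join(tmp, "secret.txt"), "db password") # outside the root

    attack = "../secret.txt"
    {
      vulnerable: File.read(vulnerable_path(root, attack)), # leaks the secret
      hardened:   safe_path(root, attack),                   # nil: refused
      legit:      File.read(safe_path(root, "report.txt"))   # normal request still works
    }
  end
end

puts traversal_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The check compares canonical strings rather than looking for ".." in the input, so URL-decoded, absolute, and prefix-sharing names are all handled by the same rule; a real handler would additionally restrict the allowed character set and serve only files it intends to expose.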

Jun 15 2008

Google IO: Open Social

Like many 10-to-5 developers not working directly with ajaxified Web 2.0 applications, I was not able to go to the Google I/O conference. I don’t feel so bad about not going since Google has just released video recordings of more than 70 technical presentations from Google I/O. Most of the technical presentations push Google’s APIs such as Android, Google App Engine, GWT, and OpenSocial.

As an aid for myself, and maybe other OpenSocial developers, I have organized the pertinent OpenSocial presentations as follows…

Meet the OpenSocial Containers
Representatives from current OpenSocial containers give an overview of their implementations, policies, and what’s unique about their container. They also share some of the fruits of their labors including high level stats. Team members from upcoming containers review their planned launches, policies, and timelines.


Oct 27 2007

Top Programming Books on Google Book Search

Here is an extensive list of top programming books available for preview on Google Books. Google Books provides scans of thousands of textbooks. The scans are not the best; most books have visible scan defects in them.

Even though the scans are not the best, there are some features that just work well. Just like Google Maps, where you can send a link to a map (with a set size, address, etc), with Google Books you can send a link to a specific page in a certain book with specific words highlighted. Google also has handy links such as the table of contents, popular passages, and where to buy the book (perhaps in a better quality PDF format).

All the books listed here have a ‘limited preview’, meaning that some pages are not available for viewing, but for the most part you can browse through most of the book. Google Books does indicate the pages that are not available.

Java
The Java Language Specification
Effective Java Programming language
Java: The complete Reference
Java In A Nutshell
Head First Java

C/C++
Practical C++ Programming
C++ The Core Language
The Concurrent C Programming Language
C++ Primer Plus

.Net/C#
The C# Programming Language
The Visual Basic .NET Programming Language
Pro C# 2005 and the .NET 2.0 Platform
Learning Visual Basic .NET
VB.NET Language in a Nutshell

Python
Python in a Nutshell
Learning Python
Visual Quickstart Guide: Python
Python Pocket Reference
Python Cookbook

JavaScript/DOM
JavaScript: The Definitive Guide
Beginning JavaScript with DOM Scripting and AJAX
The Book of JavaScript
The Complete Reference JavaScript
JavaScript Bible
DOM Scripting

Ruby/Rails
Ruby in a Nutshell
The Ruby Way
Beginning Ruby
Ruby on Rails: Up and Running
Rails Solutions: Ruby on Rails Made Easy
Beginning Ruby on Rails E-Commerce

PHP
PHP in a Nutshell
Programming PHP
PHP Cookbook
Learning PHP and MySQL
Learning PHP 5

Database
Visual Quickstart Guide: MySQL
MySQL Cookbook
MySQL in a Nutshell
MySQL Tutorial
Programming SQL Server 2005
SQL Server 2005: Developer’s Guide
SQL Server 2005: A Beginner’s Guide
Beginning SQL Server 2005 Express



Oct 11 2007

Run PHP Web Applications on the Java Platform

There has been a lot of commotion, and even a book, about running Ruby on Rails on the Java VM. But looking past the JRuby hype, it is clear that PHP has far more open source code, projects, and corporate backing than Ruby on Rails. The folks behind the Resin application server have recognized the ubiquity of PHP and have developed Quercus, a PHP 5 implementation written in Java.

Quercus ships with the latest Resin, but it is also available for download as a WAR file that can be deployed on Resin or on other application servers such as GlassFish.

Getting Started

Get the latest version of the Resin server; as of this writing the latest version is Resin 3.1.3. To start the server, run the <INSTALL DIRECTORY>\bin\httpd script from the command prompt. If you look around the Resin install directory you will find a php folder where the Quercus WAR file is already configured to handle any PHP file. To give the Quercus PHP engine a try, let’s create a simple test. First, create a phptest directory in <INSTALL DIRECTORY>\webapps. In the phptest directory create a new file, index.php, and add the following text to it.

<html>
<body>
<?php phpinfo(); ?>
</body>
</html>

The phpinfo function outputs a large amount of PHP configuration information. I usually print this information to ensure that PHP is set up correctly. Because it discloses paths, loaded extensions and environment details (the ‘Information Exposure’ kind of error from the Top 25 list above), delete the test page once you have confirmed the setup rather than leaving it on a reachable server. If you have already started the Resin server you can direct your browser to the following URL: http://localhost:8080/phptest/

You should be looking at a screen that looks like the following screen shot.

phpinfo

Mixing PHP with Java

Since Quercus is written in Java, there are hooks to import Java classes and mix them into your PHP files. Let’s import a Java class and manipulate it in PHP. In the next sample I import the Java HashMap class and manipulate it from PHP. The import statement is obviously not part of PHP but an extension made possible by Quercus.

<html>
<body>
<?php
// Quercus extension: make java.util.HashMap available under its simple name
import java.util.HashMap;

$map = new HashMap();

// Add some name-value pairs (Java String keys, Integer values)
$map->put('california', 1000);
$map->put('oregon', 1200);

$total = 0;
// Iterate over the Java key set and sum the values
for ($itr = $map->keySet()->iterator(); $itr->hasNext(); ) {
    $key = $itr->next();
    $total += $map->get($key);
}
print "Total $total";

?>
</body>
</html>

Once a Java class has been loaded it can be handled just like any other object in PHP. In addition to having access to JDK classes, you can import your own Java code: any class visible to your web application’s class loader can be imported.

Run PHP Applications

Using Quercus and Resin you can deploy full-fledged PHP web applications such as WordPress or Joomla! To get a PHP application running on Resin with Quercus you just need to unzip the application into the <INSTALL DIRECTORY>\webapps directory. Since your PHP application would be running on top of Java, you need the right JDBC driver installed in the <INSTALL DIRECTORY>\lib directory. This is usually all it takes to run a PHP application on a JSP/Servlet container like Resin.

There is a list of PHP applications that are known to be running on Java via Quercus.

Quercus opens a lot of opportunities for PHP web development. Now you don’t really have to choose between languages or frameworks: develop in what you know is best for the task and resources at hand, and interoperate between PHP, Java, Ruby, Groovy or whatever else not at the XML level but at the bytecode level.



May 27 2007

CommunityOne 2007: Up the Stack

The last session of CommunityOne 2007 was titled Up the Stack. The main concern of this session was the whole software development stack, from the operating system to the database and all the way up to the web framework. For the most part, developers these days working on the next great Web 2.0 application pay no heed to the limitations and strengths of the OS.

This session dealt with performance and profiling considerations spanning the whole stack, from using DTrace on Solaris to using caching in your application. DTrace is the dynamic tracing facility built into Solaris; it helps you discover bottlenecks by instrumenting the whole process, from the kernel up to the application.

Another session dealt with GlassFish. GlassFish is an enterprise ready Java EE 5 Application Server with easy management tools and clustering support. GlassFish supports RIFE, Rails, Struts, Wicket and just about every other Java web application framework under the sun, no pun intended.

Tim Bray of Sun moved up the stack and talked about web technologies such as PHP and Rails. Tim stated that PHP is easy to learn and quick to develop with. PHP has a shared-nothing architecture that is great for scaling but is historically known for tons of security holes, SQL injection and cross-site scripting attacks in particular. Tim noted that some developers would trade the security of JEE for the speed of development of PHP to get to market first. Tim also mentioned Don’t Repeat Yourself, Convention Over Configuration and the expressiveness of Ruby while talking about Rails. The Ruby programming language allows for rapid agile development. The big knock against Rails is its lackluster performance and its multi-headed Mongrel deployment story. PHP or Rails are a good solution for many of the CRUD applications that babysit a database.

The last part of the talk compared Ehcache and memcached. Memcached is said to be used by LiveJournal and Slashdot as well as many Ruby on Rails applications. Ehcache provides distributed, peer-based caching in Java with synchronous or asynchronous replication and is used in Spring and Hibernate.



Feb 19 2007

Rails Flash Charting Plugin

Flash charts just look a lot better than what we could do with plain images. Flash is a lot more interactive, and since the charts are vector-based you can zoom in and out without image deterioration. The PHP folks have a lot of great libraries for working with Flash such as Ming, PHP/SWF Charts, and Amfphp. If you want flashy graphs, pun intended, you can have them thanks to ZiYa, an XML/SWF Charts-based Ruby on Rails plugin. ZiYa can be installed from the following SVN repository.

svn://rubyforge.org/var/svn/liquidrail/plugins/ziya/trunk

You typically install a Rails plugin by executing ‘script/plugin install URL’ from the application directory where you replace URL with the one above.

Once ZiYa has been installed you need to include one line into the controller to load the required graphing capabilities. Add the following line in the controller near the top.

include Ziya

To follow along with the code examples, create a bargraph action in the controller so that we can create a bar graph. In the bargraph action we will create a bar chart object with code similar to the following.

def bargraph
  # A bar chart with ZiYa's default sample data
  chart = Ziya::Charts::Bar.new
  # The chart object renders itself as the XML that XML/SWF Charts expects
  render :text => chart
end

The new bar chart will contain default data, so at this point we can quickly move on to the view and see ZiYa and XML/SWF in action. You do not have to create an rhtml view for bargraph since the action generates the XML required for the chart. You can render the chart in any rhtml view by adding the following view helper code.

<%= gen_chart("chart_id",
              url_for(:controller => 'mycontroller', :action => "bargraph"),
              "#ffffff",
              400,
              300) %>

The above action and view code will generate a chart with default data that looks like the following.

ZiYa Bar Chart Example

If you want to create a similar graph from your own data, replace the action with the following code.

def bargraph
  chart = Ziya::Charts::Bar.new
  # Category labels, one per group of bars
  chart.add(:axis_category_text, ["2003", "2004", "2005"])
  # A series: name, data points, and an optional label per bar
  chart.add(:series, "Region A", [100, 25, 40], ['Large', 'Low', 'Soso'])
  chart.add(:series, "Region A", [80, 70, 20])
  render :text => chart
end

For this graph, the :axis_category_text symbol indicates that the following values are the category-axis labels (the horizontal axis on a vertical bar chart, here the years). To label the value axis you can add data for :axis_value_text. The :series symbol indicates your data points. You will also notice that when setting the series data points there is an optional string array; that array is used as the legend or label for the bars in this series. The chart is highly customizable: you can create yml files that describe the theme, such as color, border, and even animation effects, for each chart.

The other graph types are just as easy to generate. Just as an example below is the action code required to generate a pie chart.

def piegraph
  chart = Ziya::Charts::Pie.new
  chart.add :axis_category_text, ["2003", "2004", "2005"]
  # One slice per data point, labelled by the optional string array
  chart.add :series, "Region I", [200, 100, 50], ['Super', 'Large', 'Medium']
  render :text => chart
end

ZiYa is such a large and rich plugin that I obviously can’t do it justice. Please take a look at the Google Groups and official documentation.
