Classic ASP – SQL Injection

We still have a few old sites at work that are in classic ASP. One of the problems that tends to occur on these old sites is SQL injection attacks. A lot of old ASP code was written without taking SQL injection into account. It would be great if we could just rewrite all of these sites in ASP.NET, but sometimes the client isn’t interested in doing that.

Well, yesterday, we had a production ASP site get hit. This is a site for an old client that I’ve personally never worked on, so I really knew nothing about it, but I’m getting dragged in, now that we need to clean it up. Looking at the site, I’m actually surprised this hadn’t happened earlier.

Looking at the code, I see a few places where we could be doing a better job of input validation. And also a few places where we’re doing un-parameterized SQL, which is a big no-no if you want to avoid SQL injection. So, I’m going to try to clean some of that up.
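As an added illustration (not code from the site in the post), here is the string-concatenation pattern described above beside a version that validates the input and binds it as a typed ADODB.Command parameter. The table name, column names, query-string parameter and connection string are assumed for the example.

```vbscript
<%
' Added example, not code from the site discussed in the post.
' "Products", "ProductID" and the "id" query-string value are assumed.
Option Explicit

Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=ExampleDB;Integrated Security=SSPI;"

' BEFORE: the classic pattern that enables SQL injection. The raw
' request value is spliced straight into the SQL text.
Function GetProductUnsafe(id)
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set GetProductUnsafe = conn.Execute("SELECT Name, Price FROM Products WHERE ProductID = " & id)
End Function

' AFTER: reject anything that is not a plain integer, then bind the
' value as a parameter so the database never treats it as SQL text.
Function GetProductSafe(id)
    Dim conn, cmd, re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(id) Then
        Err.Raise vbObjectError + 1, "GetProductSafe", "Invalid product id"
    End If
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1   ' adCmdText
    cmd.CommandText = "SELECT Name, Price FROM Products WHERE ProductID = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value); adInteger = 3, adParamInput = 1
    cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, , CLng(id))
    Set GetProductSafe = cmd.Execute
End Function

Dim rs
Set rs = GetProductSafe(Request.QueryString("id"))
Do Until rs.EOF
    ' HTMLEncode on output keeps the fix from trading SQL injection for XSS.
    Response.Write Server.HTMLEncode(rs("Name")) & ": " & rs("Price") & "<br>"
    rs.MoveNext
Loop
rs.Close
%>
```

The same Command/Parameter pattern applies to string columns (adVarChar = 200, with a Size matching the column width), which is where most of the unparameterized queries in old ASP code tend to be.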

I also want to use URLScan on the server, with some SQL injection rules, to try to get some of this stuff caught at the IIS level. I found this article on how to add some rules to the URLScan.ini file to mitigate SQL injection attacks. (I actually first started reading this article, but then remembered that this particular web server is still on IIS 6.)

When I started poking around on the server, I was surprised to see that URLScan was already installed. However, it was not configured to do any SQL injection prevention. So, Monday morning, I’m going to try to add the SQL injection rules to the ini file, and see if that breaks anything. Then, I hope to have time to tighten up the code a bit and roll out a new version. I can’t say I’m excited to be working on nearly decade-old VBScript, but hey, it’ll be good for a few laughs, right?

Using SSH with Mercurial

We’ve been using Mercurial and Bitbucket at work for quite a while now. Things have been going pretty smoothly, and I don’t regret the choice of Hg over Git or TFS at all. Nor do I regret using Bitbucket as a back-end. They’ve had occasional outages, but probably no more than we’d have with Github or any other web-based service.

I had a bit of a problem pushing a really big changeset today though, so I decided to switch from HTTPS to SSH. It took about 20 minutes to set up, following these instructions. And I had to look here for some additional information on Pageant. I wish there had been a smoother, faster, way to get the whole thing set up, but it’s running smoothly now that I’ve got it all figured out.

NYC Drupal Camp

I went to the NYC Drupal Camp at Columbia this weekend. I only made it out on Saturday, but I would have liked to have gone today also, if I didn’t have other things to take care of.

The sessions I went to were all great (which isn’t always the case at free “code camp” events like this). The first session I attended was on node access, by Ken Rickard. It was a well-presented talk on a fairly dry subject. I’m not sure I’ll have cause to use much of the information in the talk any time soon, but it’s good to know.

The next was on using SQL within Drupal, by David Diers. His slides are here. This was a pretty basic talk, and I already knew the basics of both db_query and db_select, but I didn’t know some of the specifics, so the talk was useful and applicable to the kind of stuff I’m working on.

The next talk was on the Migrate module, given by Ashok Modi. He has his slides up here and a blog post covering similar ground here. This one would have been a great help to me a few months back, when I was trying to figure out how to import a lot of data into a Drupal site we’re working on at EVI. After this talk, I realize I did it the hard way!

After lunch, I went to a session on caching. Their presentation is available on Github. I’m not too familiar with Drupal’s caching, or Apache’s, or with third-party accelerators, so this was all good stuff for me. I’m curious about Varnish now, and I may follow up on that.

After that, I attended a session on Drupal Commerce, given by Richard Jones. I’m probably going to use Drupal Commerce on an upcoming project, so it was good to get a little more info on it.

Finally, I went to a session on hacking Drupal by Ben Jeavons. Very informative. It looks like XSS attacks are the most common problem for Drupal sites. He talked about using the Vuln module to identify problems, which sounded pretty good, but it looks like that module hasn’t been updated for Drupal 7. His slide on handling strings safely was useful; I might need to print it out and keep it handy. I need to remember those functions — check_plain(), check_url(), check_markup(), and filter_xss().

So, overall, a good day. I wish I could have gone back for more today. The main purpose in writing this blog post, by the way, was to get some of this stuff out of my head, in the hope that writing it up will help me retain some of the information. When I go to one of these things, and sit through a half-dozen 45 minute presentations in one day, it’s easy for the information to fade quickly. I’m hoping that writing this stuff up will help me remember.

Wilco – Shot In The Arm

Listening to Summerteeth today. I’d forgotten how good it was.

Maybe all I need is a shot in the arm.
Something in my veins, bloodier than blood.

What you once were isn’t what you want to be anymore.

And searching for “shot in the arm” on Google found an old article about the band’s breakup with Reprise Records over Yankee Hotel Foxtrot. How wrong was Reprise about that?

IPredator

I keep thinking that I ought to sign up for a third-party VPN service, so I can put all my traffic through an encrypted tunnel when I’m on public (or quasi-public) wifi. I meant to do something before I went off to San Diego, but I just didn’t get around to it. Some of the services I’ve seen are fairly expensive. These guys, for instance, are $15/month.

I just found one that’s reasonably simple and inexpensive: IPredator. It’s € 15 for 3 months, which comes out to about $22 US. So, about $7 per month. And it doesn’t auto-renew, so if I stop using it, I can just let the account go inactive until I decide to start using it again.

I have it set up on my Mac, iPhone, and iPad now. Setup was easy enough, and the speed seems reasonable. I need to do some more experimenting on that front.

I’m curious to see if it will work on the wifi at my office. We have a SonicWall security device on our network now, and it can be a bit aggressive about blocking stuff. I’m not sure if it will let the VPN traffic through or not.

A few things I bought at the con this year.

I’d been meaning to pick up Umbrella Academy for a while, so now I have two trades of that to read. And a couple of Incal books I found for $5 each, and a discounted Bryan Talbot Alice in Sunderland hardback, which now has a nice big rip on the back cover, thanks (likely) to the TSA. (I got the TSA note card in my luggage on both the trip in to San Diego and the trip back home. Not sure what they found interesting enough about my luggage that they needed to rifle through it both times.)

Stephen Covey

On the drive home from the airport yesterday, I heard the news that Stephen Covey had passed away. A few years ago, I went on a bit of a self-help kick, reading some David Allen and Stephen Covey, and trying to get myself more organized, figure out what my life priorities were, and so on. While I’ve fallen off the GTD bandwagon to some extent, I still keep the principles of Mr Allen and Mr Covey in mind and try to make decisions accordingly. Most of what Stephen Covey wrote is common sense, but it’s common sense that we need to be reminded of from time to time.

Comic-Con Day Four

I’ve posted a blog entry for every other day of the con, so I might as well post one more, for Sunday. My friend Bill came to the con, but only for Thursday and Sunday, so I had a chance to hang out with him again a bit today. That was cool, since I’m usually on my own for these things. I went to the DC “Young Justice” panel with him, which was not actually about the Young Justice cartoon; rather, it was about several DC books featuring young heroes. I’m not reading any DC books right now, but it was interesting to learn a bit about what they’re doing. Plus, I got a free copy of Justice League #1, which means that I now own exactly one “New 52” book.

I spent most of the day in panels, going to the “Cartoon Voices II” panel, and a couple of others. I managed to avoid buying anything at all, other than coffee, at the con on Sunday.

The trip home was fairly uneventful. I managed to get a seat with extra legroom on the flight, so that was nice. And the flight was only a little late getting in. And the drive home went smoothly.

Overall, it was a nice enough con, and a nice vacation from NJ and work. I came home with some new books, but few enough that they fit in my luggage. (I still have a huge backlog of stuff to read, much of it purchased at past cons. But, as I keep reminding myself, that’s a good problem to have.)

Back at home, NJ is still way too hot, and the A/C in my apartment is still not quite working as well as it should be. So, here I am, back in reality. I’ve got tomorrow off, to get laundry done and try to get back on east coast time. Then, back to work on Wednesday.

Comic-Con Day Three

Last night’s Nerdist thing was fun. Also, much shorter than W00tstock, thankfully.

Today, I got into the con right at 9:30, and, surprisingly, walked right in the door, no waiting. The floor was actually not that crowded. I wandered around a bit, but didn’t buy anything. I went upstairs, and sat through three panels, all in the same room. First, a Marvel animation panel which included a screening of a very funny Spider-Man episode, where Loki turns Spider-Man into Spider-Ham. Silly, but funny. Then, the Quick Draw panel, which is always fun, and the Cartoon Voices panel, which is also always fun.

After that, I wandered for a bit, then went back upstairs for a couple more panels. First, a Roddenberry panel, where they talked about the movies and comics they’ve got going on, then Scott Shaw’s Oddball Comics presentation, which was hilarious, as usual.

Then, I wandered around the Gaslamp for a bit, then hopped on a very crowded trolley back to Mission Valley. It’s now just about 8pm. I’d like to go back to the con now, but I’m really tired, and there isn’t much going on tonight that I’m all that interested in. I think I’ll just stay in for the night, and maybe watch a movie here in my room.

Comic-Con Day Two

So, after getting in from W00tstock after midnight last night, I had a bit of trouble getting started this morning, but a nice breakfast and a couple of cups of coffee helped. I got to the convention center a bit after 10am again, and walked right in. Wandered the floor again, for about an hour, and bought a few more random books. I’ve been trying not to buy too much, but I think I’m going to wind up having to check a separate bag full of comics on the way back home, as usual.

I went to a Mike Mignola panel, which was pretty cool. I’m way behind on my reading, so I didn’t even know that Hellboy was dead. I think I’m about two or three years behind on Hellboy/BPRD stuff. I actually would like to catch up (as opposed to some other books, where I’m OK with having missed a lot, and don’t really intend to pick them up again). I have maybe a year’s worth of actual comics waiting to be read, then maybe another year’s worth of stuff on my iPad. Once I catch up with the stuff I already own, I’m not sure if I’ll just keep buying digital, or switch to buying trades.

After the Mignola panel, there wasn’t really much else I was too excited about, and likely to be able to get into. So I set off to wander the streets a bit. There’s a lot of stuff going on outside the convention center this year. I dropped by Trickster first. That was basically just a room full of indie books. Some cool stuff, but I didn’t buy anything. Then, I found the spot at the far side of the new pedestrian bridge where they had a few random food trucks and other stuff set up, including a Norton truck. (Not sure I’m enthusiastic about computer software companies encroaching my Comic-Con. I don’t really want to think about that stuff while I’m on vacation, thanks!)

The con shuttle bus that goes back to my hotel leaves from that spot too, so I decided to give up for the day, and head back to the hotel, even though it was only around 2pm. So I’m back in the hotel typing away now. I need to get back downtown later for the Nerdist thing at 7pm. Until then, I think I’m going to rest up and get dinner. I was originally thinking I’d just hang out at the con all day, but I think I’m getting too old for that!