private void logError(string message, string source)
{
	System.Diagnostics.EventLog log = new System.Diagnostics.EventLog();
	log.Source = source;
	log.WriteEntry(message, System.Diagnostics.EventLogEntryType.Error);
	log.Close();
}

private void logError(Exception exception, string source)
{
	logError(exception.ToString(), source);
}

Put it in your class, or in a special logging class.

Read more:

• http://www.csharpfriends.com/Articles/getArticle.aspx?articleID=77
• http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlog.aspx
  I might add that the comment about latency when creating event log sources does not seem to apply on Windows 2008 Server (where I tested the above code – which doesn’t even create a source… ummm)
• http://www.codeproject.com/KB/architecture/exceptionbestpractices.aspx

In general the answer is simple: Java is always pass-by-value.

What does this mean?

Pass-by-value means that you get a copy of the passed in object to work with, as opposed to a reference to it.

Let’s exemplify.  Assume we have a method that manipulates a List object:

public void updateList(List list) {

    ..;

}

Now, assume we’d like to replace the passed-in list with another list we’ve created inside the method.  We might like to do something like:

public void updateList(List list) {

    List myList = new ArrayList();

    // add objects to myList

    list = myList; // replace list with my new list? *WRONG*

}

However, if we test this new method we’ll find list has not changed at all.

This is because list is a copy of the object we passed-in to the method, and not the passed-in object itself.  list has been passed-by-value!

So, are we unable to change variables that are passed-in to a method in Java?  Can we only change them by returning a new object?

No.

And this is where the confusion sets in, because while we’re unable to replace the passed-in object list with another object, we’re perfectly allowed to manipulate it’s member objects.

Basically this means if we want to replace a passed-in list with our own list we must do:

public void updateList(List list) {

    List myList = new ArrayList();

    // add objects to myList

    list.clear(); // empty passed-in list

    list.addAll(myList); // replace passed-in list with my new list!

}

Since we never try to replace list itself, the whole method works just fine and does what we expect.

Recently a colleague gave me the tip to make the mouse pointer black… and larger. I tried this and found that the mouse pointer was much easier to spot.  No surprise there, really.  After all, white on white tends to become a bit hard to keep track of, tiny silhouette outline or not.

I was told how to do this in Windows (Control Panel > Mouse > Pointer, but that’s another story).

In Gnome (I’m running Ubuntu 8.10) you do it in the System > Preferences > Appearance dialog (see below).  In my version of Window’s there’s no settings under Appearance > Mouse.

Next you click the “Customize” button:

In the new dialog select the “Pointer”-tab and select the color of pointer you want.  In order to resize it, see the “size slider” below the list of pointers (there seems to be three distinct sizes to choose from).

Click “Close” once you’re done, and voila, you have a new and much easier to spot mouse pointer!

31. Water shapes its course according to the nature
of the ground over which it flows; the soldier works
out his victory in relation to the foe whom he is facing.

32. Therefore, just as water retains no constant shape,
so in warfare there are no constant conditions.

But then again, we all know war is agile, right?

Or another quote I heard (source unknown, original language Swedish):

Meeting all requirements in programming is like walking on water.  It’s easy if the water and the requirements are frozen…

Mmm… wonder if I may be able to do a thesis on that, just wonder if it should be in the religion or computer science department…

In my case I’m looking into making a simple app that I can use to keep track of passwords, both when I’m at home (regular swing) and when I’m away (at work or similar) and only able to access the application via SSH (CHARVA).

For more info, check out CHARVA here: http://www.pitman.co.za/projects/charva/index.html

So I went back to the drawing board. I installed java 1.4, and made sure my development Tomcat was running it. Then I did some research and found out how to make Eclipse compile 1.4 compliant code. I started and I got the same error still.

Once I figured out what was wrong I realized I was an idiot (Doh!). The error I’ve gotten wasn’t for any file part of the jar I was trying to deploy but for “index_jsp”. The thing is my Tomcat compiled my JSP:s into class files and never looked at them again until they were changed. I am sure there’s several ways to solve the problem, I just went and deleted the files in the “work”-directory (those pertaining to my Context).

The preferences window for setting source and target versions for Java compilation

Now over to how to make Eclipse code projects to a certain Java version.

There are two values you will want to keep track of. The source version and the target version. The source version tells what version your source code is written in. Whereas the target version tells what version of Java you want your class files in.

If for instance you have a project written in Java 1.4 source style, but you have to run it on a Java 5 you’d set the source version to 1.4 and the target to 1.5. You are now compiling Java 1.4 source into Java 5 class files.  Unfortunately you’re not able to do the opposite, compile Java 5 source code into Java 1.4 class files.  This is probably due to API incompatibilities, Java 5 has a larger API than Java 1.4.

Now, in Eclipse you have two settings in three places that controls the source and target versions of your compilations. Under Window->Preferences->Java->Compiler (Eclipse 3.4) you’re able to set the versions for the whole IDE.

When you create a new project you’re able to determine what version of Java (source and target you want) and right clicking on a project and choosing Properties->Java Compiler, you have the same dialog as before.

You set the target level in the select box “Compiler compliance level”, and optionally by unchecking the “Use default compliance settings” you’re able to change the target (“Generated .class files compatibility”) and source respectively.

If you experience other problems you may want to “clean” your project(s). Cleaning a project means all compiled files are removed and all source files are recompiled (something the IDE will do by itself when you change compilation versions, but if you want to be sure, you can do it manually). This is done by choosing Project->Clean. In the dialog you can chose to clean all projects or just those you select.

Opening a site Google has listed as spreading malicious software via the browser.

What is an SQL-injection. How can it affect my site. How does it happen and how can I avoid it?

Since Firefox (2 and 3) and MSIE 7 started using Google’s (and others) system for blocking sites that produce harmful web pages the problem with SQL-injections have been put on the spot.

What happens is that an attacker hacks a site by placing their own SQL-code into the database of the victim system. Instead of just performing a DOS (denial of service) attack bringing the whole site down by for instance deleting all the tables or doing something else harmful to the site the attacker plants client side browser code in the database making all visitors run client side code that will infect their computer with a virus. This virus may do everything from listening in on traffic between the client (web browser) and bank applications, to connecting the client system to a botnet.

Needless to say, the SQL-injection attack has become a problem not so much for the owner of the originally defunct site as for the visitors to said site. (Although users of the web should not underestimate the consequence of a good virus protection, system update policy and secure browsing policy).

Since the owner of the vulnerable software won’t notice any detour from business as usual (and neither will most infected clients), nobody is the wiser to the problem.

This is why Google (and others) have started evaluating (and flagging) sites with bad content, and why Firefox and MSIE (and probably others) have started blocking them.

What is an SQL-injection?

The short explanation (hinted above) is that an SQL-injection is an attack where the attacker inserts their own SQL code into the attacked system, and thus alters the database content of the attacked system. Either wrecks havoc by destroying part of or the whole system, or by inserting virus spreading code onto the pages of the attacked site (if their content is stored in the database).

How is an SQL-injection attack performed?

There are two major ways of doing this (and in order to follow this part of the conversation you will need to know a bit of SQL).

The first method of performing an SQL-injection is by manipulating the input to different kinds of forms on the site (search forms, contact forms, and other places where the user can put information into the system).

To understand this attack you need a basic understanding of SQL.

Imagine we have a database table with products, each having a color, and we want to list all products that are ‘green’. This would be done with the following question:

SELECT * FROM products WHERE color = 'green';

Each database command is ended with a semicolon (;), and all literal strings are enclosed by single quotes (‘). So issuing two commands in a row would look something like:

SELECT * FROM products WHERE color = 'green';
UPDATE products SET hasBeenSearchedFor = 'true' WHERE color = 'green';

Notice the semicolons and the single quotes. You do not need to understand what the commands do in order to understand the rest.

Now imagine that we get the value ‘green’ from an application the user can input data into. As long as the user types things like green, red, blue everything is safe, but what would happen if the user typed in the following as a color?

'; do harmful thing to database; '

In an unprotected system the SQL-string is usually tacked together one part after the other without checking if the search parameter is valid or sane. Imagine the search command is built in the following way (double quotes are used in most systems to create strings, they are not to be confused with the single quotes of the database query):

sql = "SELECT * FROM products WHERE color = '" + colorValue + "'";

Now if a user would put the above value into the color search (placing it in “colorValue”) the value of the sql string (and what would be passed on to the database would be):

"SELECT * FROM products WHERE color = '" +
          "'; do harmful thing to database; '" + "'"

This in turn would evaluate to:

SELECT * FROM products WHERE color = ''; do harmful thing to database; ''

I.e. select all products with an empty color value, then “do harmful thing to database”. After that the SQL-server will encounter the empty quotes and issue an error.

If the database question is executed in a transaction all changes will be rolled back, however this is a rather weak defense against SQL-injections since it is possible to input values that will create three valid commands easily. (I’ll leave that up to the fantasy of the reader!)

The second way of performing an SQL-injection attack is to tack on values to numerical input to the system. Pages that display products, user profiles, or any other information easily mapped to a row in a database table are usually candidates for this kind of attack.

Imagine a page that displays a product profile. It might be called with the following URL:

http://www.mysite.com/showProduct?productid=123

The “productid” value will then be passed on to make the following database question:

sql = "SELECT * FROM products WHERE id = " + productid;

Here the attacker does not even have to add a single quote to get an extra SQL-command. All they need to do is add a trailing “;” and they’re in. The only complicating factor is that the URL used to call the system will have to be URL-encoded in order for this attack to work, but that’s far from a problem even for an unskilled attacker.

How do you protect against SQL-injections?

The key concept is: never, NEVER, NEVER, trust input from a user!

That’s right. NEVER TRUST THE USER.

Don’t ask what-if a user tries to gain access to our system.

Say WHEN the user tries to gain access to our system, then we’re gonna….

The short, technical answer (for Java, .NET and similar languages) is to NEVER build SQL-strings like shown above. Use “prepared statements” or similar constructs where the input variables can be tested by JDBC (or ADODB or LINQ or similar framworks).

Another safe way to go is to use stored procedures. These are not just optimized for speed and performance, they are also, almost always strongly typed, disallowing the kind of problems displayed above.

If neither of these are feasible always make sure the input’s single quotes are filtered away or “escaped”. Escaping a single quote means that all databases have support for using single quotes as values in a table column, if you prepend them with a backslash (\) or use double single quotes (”, that’s two single quotes). Do this programatically before sending the data on to the database.

Protecting against attacks on pages with numerical input is even simpler. If there’s a number input value, make sure it is numerical by translating it into a number before passing it on to the database (input from web applications are almost always sent as strings, but if a value should be a number, make sure it is!)

Part from this a sound backup and restore policy is a sure way to not only protect hours of time invested in putting information into the system but the users trust in the system, and the time it will take to get a blocked site back up on its feet.

Read more about SQL-injections here: http://en.wikipedia.org/wiki/SQL_injection

Searching the web and checking up the MySQL function database returns the following useful command:

REPLACE(str, from_str, to_str)

It would in my case be used like this:

UPDATE myTable SET theTextField =
REPLACE(theTextField, 'http://the.old.site', 'http://the.new.site');

myTable is the table containing the data I want to replace, theTextField is the exact field in which this data is located. Obviously “http://the.old.site” is the existing information, that I want to replace, and “http://the.new.site” is the information this string should be replaced with.

Very simple, very elegant. Now all I have to do is try it out as well. (Expect more reports on the progress of this work!)

1. Log in to the machine where the SQL Server is installed via Remote Desktop (not needed in my case, since it was my local machine).
2. Start SQL Server client (Microsoft SQL Managment Studio) and log in to the local machine using Windows Authentication.
3. You’re in.
4. (Optionally) With your admin account you can now change the password to something you’ll remember this time! ;o)

1) You find Remote Desktop on the Start Menu in “All Programs > Accessories > Remote Desktop Connection”. Most windows servers will have Remote Desktop installed from the start. If, however you are refused a connection because too many people are logged in, see my previous post about how to solve that problem.

Logging in to the local database using Windows authentication in SQL Server Management Studio.

2) To log in on the local database first open SQL Management Studio (All Programs > Microsoft SQL Server 2005 > SQL Server Management Studio), select the name of the local computer in the “Server name”-text field and select “Windows Authentication” in the “Authentication”-text field. Your user name (the one you used to log in via Remote Desktop) will be displayed in the “User name”-text field and this field and the “Password”-text field will both be disabled. Click connect and you should be logged in as an administrator.