Security - You're doing it wrong!
-
So, I got an interesting link from one of our suppliers. At the end of it there's a feed containing product prices and stocks, which need to be parsed and inserted into our ERP. The link was the following (username and password changed to protect the innocent):
https://services.it4profit.com/product/ro/705/ProductList.xml?USERNAME=[username]&PASSWORD=[password]I know that (usually) no data (including the GET parameters) is sent before the SSL connection is established, and from an outside point-of-view, the only visible information is the server and the port. Now, what we're receiving isn't that private anyway (we're talking about some product prices that are customized per-company, within certain limits). But I really don't wanna know how many sites are out there that do the same thing. And if someone opens something like that from a browser, it sticks within the history. Also, not to mention the server logs. Some people just need to be smacked over their heads every once in a while.Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
-
So, I got an interesting link from one of our suppliers. At the end of it there's a feed containing product prices and stocks, which need to be parsed and inserted into our ERP. The link was the following (username and password changed to protect the innocent):
https://services.it4profit.com/product/ro/705/ProductList.xml?USERNAME=[username]&PASSWORD=[password]I know that (usually) no data (including the GET parameters) is sent before the SSL connection is established, and from an outside point-of-view, the only visible information is the server and the port. Now, what we're receiving isn't that private anyway (we're talking about some product prices that are customized per-company, within certain limits). But I really don't wanna know how many sites are out there that do the same thing. And if someone opens something like that from a browser, it sticks within the history. Also, not to mention the server logs. Some people just need to be smacked over their heads every once in a while.Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
X| I actually saw a website on internet security do that! :wtf: :doh: :~ :sigh:
Bill Gates is a very rich man today... and do you want to know why? The answer is one word: versions. Dave Barry Read more at [BrainyQuote](http://www.brainyquote.com/quotes/topics topic_technology.html#yAfSEbrfumitrteO.99)[^]
-
So, I got an interesting link from one of our suppliers. At the end of it there's a feed containing product prices and stocks, which need to be parsed and inserted into our ERP. The link was the following (username and password changed to protect the innocent):
https://services.it4profit.com/product/ro/705/ProductList.xml?USERNAME=[username]&PASSWORD=[password]I know that (usually) no data (including the GET parameters) is sent before the SSL connection is established, and from an outside point-of-view, the only visible information is the server and the port. Now, what we're receiving isn't that private anyway (we're talking about some product prices that are customized per-company, within certain limits). But I really don't wanna know how many sites are out there that do the same thing. And if someone opens something like that from a browser, it sticks within the history. Also, not to mention the server logs. Some people just need to be smacked over their heads every once in a while.Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
POSTis far too complicated.GETis so much easier. -
POSTis far too complicated.GETis so much easier.[Sarcasm start] Yes, and on the client side especially. Even if you use jQuery.Ajax,
POSTis soooo much more complicated thanGET. You have to type an extra letter, which is much more effort than should be required for anyone. For instance, this is a jQuery GET call:$.ajax({
type : 'GET',
url : "url.jsp",
data: {
id: client_id,
action_code: 2,
action_data: $('#content').val()
},
success: function(result) {
$('#list-content').html(result);
},
error: function(result) {
alert(result);
},
});compared to...this abomination:
$.ajax({
type : 'POST',
url : "url.jsp",
data: {
id: client_id,
action_code: 2,
action_data: $('#content').val()
},
success: function(result) {
$('#list-content').html(result);
},
error: function(result) {
alert(result);
},
});Notice the difference? It's soooooomuch easier to simply
GETinstead ofPOST-ing, isn't it? [/Sarcasm end] On the other hand, I'm having fun now with LINQ parsing the list of products from suppliers (didn't get to play with LINQ so far, but I'm quite liking it. Heard it's pretty slow compared to the other alternatives, but in my case speed is not that much of an issue)Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
-
[Sarcasm start] Yes, and on the client side especially. Even if you use jQuery.Ajax,
POSTis soooo much more complicated thanGET. You have to type an extra letter, which is much more effort than should be required for anyone. For instance, this is a jQuery GET call:$.ajax({
type : 'GET',
url : "url.jsp",
data: {
id: client_id,
action_code: 2,
action_data: $('#content').val()
},
success: function(result) {
$('#list-content').html(result);
},
error: function(result) {
alert(result);
},
});compared to...this abomination:
$.ajax({
type : 'POST',
url : "url.jsp",
data: {
id: client_id,
action_code: 2,
action_data: $('#content').val()
},
success: function(result) {
$('#list-content').html(result);
},
error: function(result) {
alert(result);
},
});Notice the difference? It's soooooomuch easier to simply
GETinstead ofPOST-ing, isn't it? [/Sarcasm end] On the other hand, I'm having fun now with LINQ parsing the list of products from suppliers (didn't get to play with LINQ so far, but I'm quite liking it. Heard it's pretty slow compared to the other alternatives, but in my case speed is not that much of an issue)Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
Looking forward to seeing some gems from their XML/XSD files!
-
Looking forward to seeing some gems from their XML/XSD files!
Yeah, it's totally inconsistent. For instance, product data is stored as:
... ... ... ...whereas product attributes (for instance, product specs) are stored as:
...Which would make sense up to a point (after all, maybe product attributes should be stored as xml node attributes, who knows? :doh: ). However, there are different types of nodes as well. Images links, for instance, which should be stored in the same way as product attributes are stored, being attributes too after all, right? Wrong!!! They're stored just like general product info:
https://....jpg https://....jpg https://....jpg https://....jpgAnd then comes MarketingInfo (product description), which is stored just like the attributes list. Other than that, I dunno, at least it's structured humanly-readable? Buuuuuuuuuuut...Thank God for Linq on this one. Parsing came out pretty elegantly
Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
-
So, I got an interesting link from one of our suppliers. At the end of it there's a feed containing product prices and stocks, which need to be parsed and inserted into our ERP. The link was the following (username and password changed to protect the innocent):
https://services.it4profit.com/product/ro/705/ProductList.xml?USERNAME=[username]&PASSWORD=[password]I know that (usually) no data (including the GET parameters) is sent before the SSL connection is established, and from an outside point-of-view, the only visible information is the server and the port. Now, what we're receiving isn't that private anyway (we're talking about some product prices that are customized per-company, within certain limits). But I really don't wanna know how many sites are out there that do the same thing. And if someone opens something like that from a browser, it sticks within the history. Also, not to mention the server logs. Some people just need to be smacked over their heads every once in a while.Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
I have found several sites that do that, and found that at least one uses (used?) admin/admin as the administrator login. :doh: I did alert them to the issue.
Bill Gates is a very rich man today... and do you want to know why? The answer is one word: versions. Dave Barry Read more at [BrainyQuote](http://www.brainyquote.com/quotes/topics topic_technology.html#yAfSEbrfumitrteO.99)[^]
-
[Sarcasm start] Yes, and on the client side especially. Even if you use jQuery.Ajax,
POSTis soooo much more complicated thanGET. You have to type an extra letter, which is much more effort than should be required for anyone. For instance, this is a jQuery GET call:$.ajax({
type : 'GET',
url : "url.jsp",
data: {
id: client_id,
action_code: 2,
action_data: $('#content').val()
},
success: function(result) {
$('#list-content').html(result);
},
error: function(result) {
alert(result);
},
});compared to...this abomination:
$.ajax({
type : 'POST',
url : "url.jsp",
data: {
id: client_id,
action_code: 2,
action_data: $('#content').val()
},
success: function(result) {
$('#list-content').html(result);
},
error: function(result) {
alert(result);
},
});Notice the difference? It's soooooomuch easier to simply
GETinstead ofPOST-ing, isn't it? [/Sarcasm end] On the other hand, I'm having fun now with LINQ parsing the list of products from suppliers (didn't get to play with LINQ so far, but I'm quite liking it. Heard it's pretty slow compared to the other alternatives, but in my case speed is not that much of an issue)Full-fledged Java/.NET lover, full-fledged PHP hater. Full-fledged Google/Microsoft lover, full-fledged Apple hater. Full-fledged Skype lover, full-fledged YM hater.
Andrei Straut wrote:
On the other hand, I'm having fun now with LINQ parsing the list of products from suppliers (didn't get to play with LINQ so far, but I'm quite liking it. Heard it's pretty slow compared to the other alternatives, but in my case speed is not that much of an issue)
One thing that can make LINQ slow is not caching query results appropriately. (Not saying it's not slow to begin with; I really don't know!) For instance:
// this method is very slow, it uses the database and network and maybe the TARDIS too
public IEnumerable GetLotsOfData() {...}// this method is *extremely* slow since it calls the database and network over and over again
public void CrashYourServer()
{
var data = GetLotsOfData(); // this just saves a QUERY! not the data!
// so far so good...
foreach (var item in data)
{
item.DoFancyBusinessOperation();
}
// wait, iterating over the enumerable again? uh-oh!
foreach (var item in data) // going to call the database and network and TARDIS again!
{
item.DoOtherFancyBusinessOperation();
foreach (var otherItem in data) // what, now we need an O(N^2) operation? NOOOOOO!
{
ComparisonResults.Add(item.CompareTo(otherItem));
}
}
}// this method is more efficient!
public void PlayNice()
{
var data = GetLotsOfData().ToArray(); // this actually loads and caches the data, yay!
foreach (var item in data)
{
item.DoFancyBusinessOperation();
}
foreach (var item in data)
{
item.DoOtherFancyBusinessOperation();
foreach (var otherItem in data)
{
ComparisonResults.Add(item.CompareTo(otherItem));
}
}
}