Archive for December, 2007

Yep, kids can draw

Saturday, December 29th, 2007

QUBIDRAW (the early release) has been online for a while now. I have very little time to push the development forward, but nice things happen on it anyway. Here are a few of the pictures that kids have drawn:

QUBIDRAW is an online concept of my KUBI game. I plan to make many more activities and polish the thing up a few times. The Flash part is being made in Haxe, the web part in PHP. They communicate via my tiny RPC spec STRPC - SoTinyRPC.

180 bugs in one line of code

Monday, December 24th, 2007

I am not joking… look below..

<BugAfraid x="314" y="236" size="2" speed="2" type="0" loop="180" />

I had some time these days (holidays and all) and I made some progress at DEBUGR INC which became WATERISK now.

… in frozen state …

waterisk

… and in motion …


another vid..

This is all made with Processing.

Pinch the Camel - OCaml

Friday, December 21st, 2007

OCaml is a strange beast of a language… at least to my imperative-shaped brain. Some very, very basic code:

(* define a function *)
# let sqr x = x * x;;
val sqr : int -> int = <fun>

# sqr 5;;
- : int = 25

(* tuple *)
# (1, 2, 3);;
- : int * int * int = (1, 2, 3)

(* anonymous functions *)
# (fun x -> x * x) 2;;
- : int = 4

(* the "in" keyword was strange to me but now I am getting it *)
# let ipow3 x =
    let sqr x = x * x in
    x * sqr x;;
val ipow3 : int -> int = <fun>

OCaml is an impure functional programming language: impure because it also supports imperative concepts, and *O*Caml because it also supports object-oriented programming. Now.. how do you make a shmup with that?

So you think your web-app is secure? #2

Monday, December 17th, 2007

input data related to DB (SQL injections, wrong unexpected data..)

The SQL injection threat is system-wide and is best solved systematically, on all communication with the database. We use PHP PEAR DB’s quoteSmart on all the queries. In addition, every function in our database layer explicitly checks the type of its input variables, and the script is stopped if a value doesn’t match.

An example of such back-end function is:

function getItemsOfMusic($musicId)
{
	// stop the script unless $musicId is an integer; the where clause
	// below interpolates it directly, so this check is what keeps it safe
	Validator::mustBeInt($musicId);

	return $this->db->selectRows(array(
		'from' =>'abt_music_items',
		'where'=>"id_musics = $musicId",
		'order'=>'sort, is_set, name'));
}

All this fuss about SQL injections is a little stupid with PHP+MySQL anyway, since the core function (mysql_query) doesn’t support multiple queries, and I think you need that to do SQL injection.
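As an added example (not the post's own code; the project is PHP, this is a Python/SQLite stand-in), the same getItemsOfMusic lookup before and after the integer check, with the abt_music_items table constructed inline. It shows why the type check in the back-end function matters even when the driver only ever executes one statement: the WHERE clause of that single SELECT is still under the caller's control. The must_be_int validator and the table contents are assumptions.

```python
import re
import sqlite3

# Constructed sample rows: (id, id_musics, sort, is_set, name)
ROWS = [
    (1, 1, 1, 0, "intro"),
    (2, 1, 2, 1, "theme"),
    (3, 2, 1, 0, "other-track"),
]

def make_db():
    """In-memory SQLite stand-in for the MySQL table the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE abt_music_items (id INTEGER, id_musics INTEGER,"
                 " sort INTEGER, is_set INTEGER, name TEXT)")
    conn.executemany("INSERT INTO abt_music_items VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn

def must_be_int(value):
    """Hypothetical stand-in for the post's Validator::mustBeInt: accept an int
    or a string that is exactly an integer literal, otherwise stop the request."""
    if isinstance(value, bool) or not re.fullmatch(r"-?\d+", str(value)):
        raise ValueError("not an integer: %r" % (value,))
    return int(value)

def is_rejected(value):
    """True when must_be_int stops the request for this value."""
    try:
        must_be_int(value)
    except ValueError:
        return True
    return False

def get_items_unchecked(conn, music_id):
    """'Before': the id is interpolated into one SELECT with no check. There is
    only one statement, yet its WHERE clause is whatever the caller supplied."""
    sql = ("SELECT name FROM abt_music_items WHERE id_musics = %s"
           " ORDER BY sort, is_set, name" % music_id)
    return [row[0] for row in conn.execute(sql)]

def get_items_of_music(conn, music_id):
    """'After': validate the type first, then bind the value as a parameter so
    the database can only ever compare it as data."""
    music_id = must_be_int(music_id)
    sql = ("SELECT name FROM abt_music_items WHERE id_musics = ?"
           " ORDER BY sort, is_set, name")
    return [row[0] for row in conn.execute(sql, (music_id,))]
```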

So you think your web-app is secure?

Friday, December 14th, 2007

The time has come that I have to work on security at one bigger project. I know the basics but I haven’t dug in that much. I will post my notes here.

Web Application (WA) security is a very wide and also vague term. I need to break it down to concrete things — to the specific security threats for web-apps (WA) and then explore one by one.

  1. input data related to DB (SQL injections, wrong unexpected data..)
  2. input data when related to HTML, JS, VBs..(script injection and all that it can bring)
  3. User authentication (password, login security)
  4. sessions and cookies (stolen, replayed, hijacked)
  5. directory traversal
  6. shell escape (injection)
  7. DB password hard-coded in web-reachable file
  8. XSS
  9. CSRF
  10. Canonicalization, Unicode

Some of these threats can be eliminated just by concise coding (and being aware of them); others need some special devotion. I will explore them deeper soon.

I wish I had an Angel tonight

Monday, December 10th, 2007

Nightwish is basically my angel that keeps me awake in my programming nights. I have been listening to them for half a year, almost every time I program at night, and I am still not sick of them.

Yes, I wish I had an angel is one of their songs…

Planet hell:

more tubes: Elevenpath, Nemo, I wish I had an angel

Too bad the singer Tarja and the band split :/ so I won’t be able to see them together at a concert someday.