I'm trying to create a function that allows me to evaluate the login credentials for a restricted area of a database.
This is my code:
declare function local:check() as xs:string {
    let $login := request:get-parameter("username", '')
    let $password := request:get-parameter("password", '')
    let $user := doc('credentials.xml')/credenziali/utente[./user = $login]
    return (
        if (not(empty($user))) then concat('staff.xq', $login, ' ', $password)
        else concat('login_error.xq', $login, ' ', $password)
    )
};
This function is called in:
<form name="login" method="post" action="{local:check()}">
but I cannot understand why I am always redirected to the page ''login_error'' (i.e. the user object is always empty) despite entering correct credentials (available in the file credentials.xml).
Credentials.xml contains:
<credenziali>
    <utente id="1">
        <user>admin</user>
        <password>admin</password>
    </utente>
</credenziali>
and I set, in the respective input text boxes on screen, username=admin and password=admin.
Without more information it's hard to see exactly what the trouble is here. But we can reason about it. The software is telling you that $user is always empty. That means that
doc('credentials.xml')/credenziali/utente[./user = $login]
evaluates to the empty sequence. If it were my code, I'd now check the following:
Does $login have a value?
Is doc('credentials.xml') empty?
If non-empty, does it have an outermost element named credenziali?
If so, does credenziali have children (or: a child) named utente?
If so, does utente have a child named user? (Why would an element named utente have a child named user, I ask myself. Shouldn't it be username or something? But, hey, it's your XML, not mine, you call things what you like. I'm just showing you that I'm paying attention.)
If so, do any of the user elements have a string value which is identical to the value of $login?
If the answer to all of those questions is yes, then you have a really interesting and challenging issue, and perhaps a bug report for your XQuery engine.
If I had to bet, without knowing anything more than I do, I'd bet on the first two questions -- because they involve interacting with the environment, which is (a) non-standardized, (b) often complicated by considerations that seem extraneous, (c) often very difficult for the library creator to document well (since they can't know everything they need to know about your environment), and so (d) often not documented particularly well, and thus (e) error prone. I find trial and error helps a lot.
[postscript]
You ask how to check to see whether $login and $user are being initialized correctly. There are no rules or limits here. Debugging XQuery is a lot like debugging any other programming language; you need to find ways to make what is going on in the code visible on your screen, so you can figure out where things are going wrong. Some possibilities:
Temporarily replace the initialization of the variables with something like
let $login := "Paolo",
    $password := "Francesca",
    $usersdoc := <credenziali>
                     <utente id="1">
                         <user>Paolo</user>
                         <password>Francesca</password>
                     </utente>
                 </credenziali>
let $user := $usersdoc//utente[./user = $login]
Make sure this works. (If it doesn't, your problem is somewhere else.) Then replace the initialization of $login with the original code and see if it still works. If it does, replace the initialization of $password and see if it still works. If it does, replace the initialization of $usersdoc, and then $user.
Remove the conditional and return, unconditionally, some value that allows you to see the value of $login. (E.g.
let $login := request:get-parameter("username", '')
let $password := request:get-parameter("password", '')
let $user := doc('credentials.xml')
             /credenziali/utente
             [./user = $login]
return concat('staff.xq...', $login, '...', $password)
I'm guessing that the string returned by your login function is the URI to which the user is going to be redirected -- if that's so, should you not have a slash or something between 'staff.xq' and the login id? If it's not the URI to which the user is being redirected, you may need to adjust things in the caller so you can see what values are being emitted for $login and $password.
Use trace(), if your XQuery engine produces logs you can inspect.
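As an added example (not part of the answer above), this XQuery function walks the checklist in the same order and returns every intermediate value in one element, so a single run shows where the chain goes empty. It assumes eXist-db's request:get-parameter, as in the question, and it also compares the password element, which the question's predicate never does.

```xquery
(: Added diagnostic, not from the original answer. Returns each step of the
   checklist as a child element; run it from the engine's query console or
   return it from a test .xq page. Assumes eXist-db's request module. :)
declare function local:diagnose() as element(diagnosis) {
    let $login    := request:get-parameter("username", '')
    let $password := request:get-parameter("password", '')
    (: Step 2: does the document resolve at all? :)
    let $doc      := doc('credentials.xml')
    (: Steps 3-5: outermost element, utente children, user grandchildren :)
    let $root     := $doc/credenziali
    let $users    := $root/utente
    let $names    := $users/user
    (: Step 6: the question's predicate, matching on user name only :)
    let $match    := $users[user = $login]
    (: Extra: a login should also check the password element; the
       original function never compares it. Plain-text comparison only
       because credentials.xml stores plain text. :)
    let $auth     := $match[password = $password]
    return
        <diagnosis>
            <login-has-value>{ $login ne '' }</login-has-value>
            <doc-empty>{ empty($doc) }</doc-empty>
            <root-is-credenziali>{ exists($root) }</root-is-credenziali>
            <utente-count>{ count($users) }</utente-count>
            <user-names>{ string-join($names/string(), ', ') }</user-names>
            <login-matches>{ exists($match) }</login-matches>
            <password-matches>{ exists($auth) }</password-matches>
        </diagnosis>
};
```

The first element that reads false (or a count of 0) is where the original $user chain breaks. Once the redirect works, keep the password comparison and leave $password out of the redirect URL altogether.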
I'm trying to add some lua functionality to my existing conky setup so that repetitive "code" in my conky text can be cleaned up. For example, I have information for each mounted FS, each core, etc. where each row displayed in my panel differs ONLY by one parameter.
My first, skeletal attempt at using Lua functions for this seems to run but displays nothing in my panel. I've only found very simple examples to base this on, so I may have made a simple error, but I don't even know how to diagnose it. My code here is modeled after what I HAVE been able to find regarding writing functions, such as "How to implement a basic Lua function in Conky?", but that's about all the depth I've found on the topic except for drawing and cairo examples.
Here's the code added to my conky config, as well as the contents of my functions.lua file:
conky.config = {
    ...
    lua_load = '/home/conky-manager/MyConky/functions.lua',
};
conky.text = [[
...
${voffset 5}${lua conky_test 'test'}
...
]]
file - functions.lua
function conky_test(parm1)
    return 'result text'
end
What I would expect to see is "result text" displayed in my panel at the location where that function call appears, but nothing shows.
Is there a log created by conky as it runs, or a way to provide some debug output? Even if I'd made a simple error here, I'd still like to have the ability to diagnose things as my code gets more complex.
Success!
After cobbling info from several articles together, I figured out my basic flaws:
1. Missing a 'conky_main' function,
2. Missing a 'lua_draw_hook_post' to invoke it, and
3. Realizing that if I invoke conky from a terminal, print statements in Lua would appear there.
So, for anyone who sees this question and has the same issues, here's the corrected code.
conky.config = {
    ...
    lua_load = '/home/conky-manager/MyConky/functions.lua',
    lua_draw_hook_post = "main",
};
conky.text = [[
...
${lua conky_test 'test'}
...
]]
and the proper basics in my functions.lua file:
function conky_test(parm1)
    return 'result text'
end
function conky_main()
    -- conky_window is only set once conky has a window to draw into
    if conky_window == nil then
        return
    end
end
A few notes:
I still haven't determined if using 'lua_draw_hook_pre' instead of 'lua_draw_hook_post' makes any difference, but it doesn't seem to in this example.
Also, some examples showed actually calling this 'test' function instead of writing a 'main', but the 'main' seemed to have value in checking to see if conky_window existed.
Some examples seemed to state that naming functions with the prefix 'conky_' was required, but then showed examples of calling those functions without the prefix, so I assume the prefix is inferred during the call.
A major note: you should run conky from the directory containing the Lua scripts.
The Reference Source page for stringbuilder.cs has this comment in the ToString method:
if (chunk.m_ChunkLength > 0)
{
    // Copy these into local variables so that they
    // are stable even in the presence of ----s (hackers might do this)
    char[] sourceArray = chunk.m_ChunkChars;
    int chunkOffset = chunk.m_ChunkOffset;
    int chunkLength = chunk.m_ChunkLength;
What does this mean? Is ----s something a malicious user might insert into a string to be formatted?
The source code for the published Reference Source is pushed through a filter that removes objectionable content from the source. Verboten words are one; Microsoft programmers use profanity in their comments. So are the names of devs; Microsoft wants to hide their identity. Such a word or name is substituted by dashes.
In this case you can tell what used to be there from the CoreCLR, the open-sourced version of the .NET Framework. It is a verboten word:
// Copy these into local variables so that they are stable even in the presence of race conditions
Which was hand-edited from the original that you looked at before being submitted to GitHub. Microsoft also doesn't want to accuse their customers of being hackers; it originally said races, thus turning into ----s :)
In the CoreCLR repository you have a fuller quote:
Copy these into local variables so that they are stable even in the presence of race conditions
Github
Basically: it's a threading consideration.
In addition to the great answer by #Jeroen, this is more than just a threading consideration. It's to prevent someone from intentionally creating a race condition and causing a buffer overflow in that manner. Later in the code, the length of that local variable is checked. If the code were to check the length of the accessible variable instead, it could have changed on a different thread between the time length was checked and wstrcpy was called:
        // Check that we will not overrun our boundaries.
        if ((uint)(chunkLength + chunkOffset) <= ret.Length && (uint)chunkLength <= (uint)sourceArray.Length)
        {
            ///
            /// imagine that another thread has changed the chunk.m_ChunkChars array here!
            /// we're now in big trouble, our attempt to prevent a buffer overflow has been thwarted!
            /// oh wait, we're ok, because we're using a local variable that the other thread can't access anyway.
            fixed (char* sourcePtr = sourceArray)
                string.wstrcpy(destinationPtr + chunkOffset, sourcePtr, chunkLength);
        }
        else
        {
            throw new ArgumentOutOfRangeException("chunkLength", Environment.GetResourceString("ArgumentOutOfRange_Index"));
        }
    }
    chunk = chunk.m_ChunkPrevious;
} while (chunk != null);
Really interesting question though.
Don't think that this is the case - the code in question copies to local variables to prevent bad things happening if the string builder instance is mutated on another thread.
I think the ---- may relate to a four letter swear word...
I have code that looks like this:
var variableX:uint = something;
if (variableX > 1)
{
    var variableY:uint = foo;
}
else
{
    var variableY:uint = bar;
}
When compiled in FlashDevelop, the compiler gives the following warning:
Warning: Duplicate variable definition.
Being a beginner with AS3 and programming I don't like compiler warnings. The compiler is looking at me through squinted eyes and saying "Ok, buddy, I'll let you off this time. But I'm warning you!" and then doesn't tell me what's so wrong about what I'm doing.
What should I be aware of when I do something like this? I mean I could obviously define the variable outside of if and then this wouldn't be a problem, but maybe there's something more to this? Or is the compiler just giving a helpful nudge saying "hey, you might have accidentally created two different variables with the same name" ?
You're correct in your assessment of the warning. It's just letting you know there was already a variable in scope with that name and that you're about to redefine it. This way you don't accidentally overwrite a variable. Although they may not appear to be in the same scope if you check out variable hoisting on this page you'll see what the deal is: http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7f9d.html
An interesting implication of the lack of block-level scope is that you can read or write to a variable before it is declared, as long as it is declared before the function ends. This is because of a technique called hoisting, which means that the compiler moves all variable declarations to the top of the function. For example, the following code compiles even though the initial trace() function for the num variable happens before the num variable is declared:
My personal tendency is to just bring the definition up top myself to avoid having extra warnings that make me miss more important issues. Been out of AS3 for a while but in large projects people let things go and you end up with 100s-1000s of warnings and relevant ones get buried.
I want to overwrite some function in an ALV grid, but I can't manage to do it with a callback user command. This is just for non-standard functions. Any idea? Should I use an event exit? I tried something with it but couldn't do it either :P
FORM event_exits.
  CLEAR wa_eventexit.
  wa_eventexit-ucomm  = '&OUP'.
  wa_eventexit-before = 'X'.
  APPEND wa_eventexit TO it_eventexit.
  CLEAR wa_eventexit.
  wa_eventexit-ucomm  = '&ODN'.
  wa_eventexit-before = 'X'.
  APPEND wa_eventexit TO it_eventexit.
ENDFORM.                    "event_exits

FORM user_command USING r_ucomm     LIKE sy-ucomm
                        rs_selfield TYPE slis_selfield.
  CASE r_ucomm.
    WHEN '&OUP'.
      IF ck_del = 'X'.
        SORT gt_salord BY audat vbeln lfimg ASCENDING.
      ELSE.
        SORT gt_salord BY audat vbeln kwmeng ASCENDING.
      ENDIF.
    WHEN '&ODN'.
      IF ck_del = 'X'.
        SORT gt_salord BY audat vbeln lfimg DESCENDING.
      ELSE.
        SORT gt_salord BY audat vbeln kwmeng DESCENDING.
      ENDIF.
    WHEN 'D01'.
      BREAK-POINT.
  ENDCASE.
  CLEAR sy-ucomm.
ENDFORM.                    "user_command
The D01 function is just for testing so I can see it enters user_command when I access it. But when I access the function &OUP it doesn't enter the CASE anymore (I tested it with debugging).
I don't know whether that's an option for you, but you might want to try the ALV Object Model - it's better documented - see for example this chapter about handling functions and events. What's more, it's officially supported - if you use it and it doesn't work as it should, you get help instead of the customary "you're using unreleased internal classes/function modules" remark. Take a look at the demo programs (SALV_DEMO_* or DEMO_SALV_*, can't remember).
Then again, if you want to define a custom sorting mechanism, you should probably just hide the default buttons and insert your own buttons with different function codes. Who knows, in version 42 someone might come up with the idea to enable the default sorting again and then you won't have to adapt everything again...
TL;DR: I want to enable database logging of xss_clean() when it replaces evil data.
I want to enable database logging of the xss_clean() function in Security.php, basically what I want to do is to know if the input I'm feeding xss_clean() with successfully was identified to have malicious data in it that was filtered out or not.
So basically:
$str = '<script>alert();</script>';
$str = xss_clean($str);
What would happen ideally for me is:
Clean the string from XSS
Return the clean $str
Input information about the evil data (and eventually the logged in user) to the database
As far as I can see in the Security.php file there is nothing that takes care of this for me, or something that COULD do so by hooks etc. I might be mistaken of course.
Since there is no logging of how many replacements were made in Security.php, am I forced to extend Security.php, copy-pasting the current code of the original function and altering it to support this? Or is there a solution that is cleaner and safer for future updates of CodeIgniter (and especially the files being tampered with/extended)?
You would need to extend the Security class, but there is absolutely no need to copy and paste any code if all you need is a log of the input/output. Something along the lines of the following would allow you to do so:
class My_Security extends CI_Security {
    public function xss_clean($str, $is_image = FALSE) {
        // Do whatever you need here with the input ... ($str, $is_image)
        $str = parent::xss_clean($str, $is_image);
        // Do whatever you need here with the output ... ($str)
        return $str;
    }
}
That way, you are just wrapping the existing function and messing with the input/output. You could be more forward compatible by using the PHP function get_args to transparently pass around the arguments object, if you were concerned about changes to the underlying method.