Gentoo Forums
RANT: Dumb Windows application security
trythil
Tux's lil' helper
Joined: 06 Jun 2002
Posts: 123
Location: RHIT, Terre Haute, IN, USA

Posted: Wed Jul 24, 2002 6:29 pm

If you were feeling evil and wanted to enrage the slightly more politically-minded portion of the student body, you could call it "Big Brother"...

Why not make an (admittedly lame) in-joke? AYIABTU. :)

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Wed Jul 24, 2002 8:22 pm

Okay. I've settled on using PHP on IIS, simply because the workstations automatically authenticate and all I have to do is check $_ENV["REMOTE_USER"]. Strong security with the minimum of fuss.

I've gotten a thousand lines of code down, which is about three-quarters of the framework. It talks to MySQL, provides calls like set_title(), do_header(), and add_nav_entry(), and loads modules. Each module is a separate file in the plugins/ directory that calls register_plugin(). It's coming together very nicely; I plan to work on the security system tomorrow (fine-grained permissions on each module like read, edit, and delete).

Anyone have any ideas for report generation? I'm thinking I could make a PDF file and send it back to the client; that would give me a lot of control over printing (which is the Big Thing™) when printing reports. Should I use PDFlib directly from PHP? Write TeX and convert? Hmm...

Also, I think Big Brother is an interesting name, though I don't think the staff will go with it. ;)
_________________
I don't believe in witty sigs.

trythil
Tux's lil' helper
Joined: 06 Jun 2002
Posts: 123
Location: RHIT, Terre Haute, IN, USA

Posted: Wed Jul 24, 2002 10:20 pm

In my experience, doing something like TeX -> PDF through, say, GhostScript has produced some really ugly results.

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Thu Jul 25, 2002 1:08 am

Ah, well, PDFlib's API hasn't changed much since I poked around a little around version 2. I printed out the manual (incidentally it was 142 pages -- the exact same number as the database structure) and it seems rather straightforward.

Besides, most of the reports they want are done with a fixed-width font (normal and bold styles) with a few grey boxes and a few black lines.
_________________
I don't believe in witty sigs.

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jul 26, 2002 3:18 am

I came up with a name that I think I can run with: LISSARD. LISSARD Integrates School Systems' Administrative Reporting Data. Anyway, I registered a new Sourceforge project, so I should start getting stuff in CVS either Friday or Monday. (I don't think they handle new project registration on weekends, but I could be wrong.)

I got about half a ream of paper on the guts of That Thing, as well as half a ream of paper that came with That Thing. The manual contains screen captures of pretty much every screen in the UI and tells you what every box and button does... further, the UI lines up pretty much 1:1 to the underlying data structure. So, I have pretty much all the data I need. ;)

Anyone want to join the cause? :D
_________________
I don't believe in witty sigs.

pjp
Administrator
Joined: 16 Apr 2002
Posts: 16102
Location: Colorado

Posted: Fri Jul 26, 2002 3:44 am

This makes me wish I could program more than "hello world". I certainly can understand your frustration, but the recreation of the conversation had me laughing pretty hard.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR

Posted: Fri Jul 26, 2002 4:02 am

delta407 wrote:
I came up with a name that I think I can run with: LISSARD. LISSARD Integrates School Systems' Administrative Reporting Data.

I found 'bob' a better name... It's easier... 8)
_________________
| www.gentoo.org | www.tldp.org | www.google.com |

pjp
Administrator
Joined: 16 Apr 2002
Posts: 16102
Location: Colorado

Posted: Fri Jul 26, 2002 4:04 am

Big 'Ol Behemoth
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jul 26, 2002 5:44 am

fghellar wrote:
I found 'bob' a better name... It's easier... 8)


We can say the LISSARD's name is Bob. :D
_________________
I don't believe in witty sigs.

fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR

Posted: Fri Jul 26, 2002 5:54 am

Wanna know something? Ask Bob!

sounds much better than

Wanna know something? Ask LISSARD!

:P
_________________
| www.gentoo.org | www.tldp.org | www.google.com |

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jul 26, 2002 6:07 am

Well, see, it's Bob the LISSARD. :D
_________________
I don't believe in witty sigs.

fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR

Posted: Fri Jul 26, 2002 6:25 am

delta407 wrote:
Well, see, it's Bob the LISSARD. :D

Hehe... Now you need a logo...

http://www.iconarchive.com/mozilla/
http://www.iconarchive.com/mozilla/index2.html
http://w1.511.telia.com/~u51102888/others/mozilla/mozill.htm

I like the sculptor from the first link... :D
_________________
| www.gentoo.org | www.tldp.org | www.google.com |

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Fri Jul 26, 2002 7:42 pm

sourceforge.net/projects/lissard/

Code is in the lissard CVS repository.
_________________
I don't believe in witty sigs.

Swishy
Guru
Joined: 06 Jun 2002
Posts: 491
Location: NZ

Posted: Sat Jul 27, 2002 7:32 am

delta407 wrote:
sourceforge.net/projects/lissard/

Code is in the lissard CVS repository.


Good effort :wink:
_________________
There's no substitute for C.I.

ebichu
Apprentice
Joined: 03 Jul 2002
Posts: 231
Location: Manchester, England

Posted: Mon Jul 29, 2002 7:01 pm

delta407 wrote:
Anyway, I opened up the master database file, ran some silly tool, and printed 142 pages detailing the structure of and relationships between all of the tables. I then got a three-ring binder, some multi-color sticky page marker thingies, three different colors of pens and a comfy chair and stared at it for a while. The data structures aren't all that bad, really, and I think life would be better for everyone if I re-used it. So, it'd be a matter of representing the current data as SQL, importing it into a real database backend (yes, I am dissing Access), and making a new frontend.


Is this reverse engineering/reimplementing as a competitive product all legal? You probably don't want That Company suing your arse off.
_________________
Ebichu wa chiizu ga daisuki dechu!

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Mon Jul 29, 2002 7:07 pm

I think so. It could be argued completely coincidental that the database structures are similar (not identical, as they were stupid for putting the # character in column names) and the feature set won't be identical since I don't plan on re-implementing the billing system. I have not seen any of their code and everything I have gathered was from files it created on my computer. Also, it currently only talks to MySQL, so it can't read the database directly.

At any rate, if this is illegal, I'm sure I can get the EFF on my side. All I'm doing is writing software, after all, and if it happens to be similar... oh well.
_________________
I don't believe in witty sigs.

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Tue Jul 30, 2002 2:21 am

Y'all subscribed to lissard-announce, right? After all, it's 30 minutes old... everyone has had enough time. ;)

Also, be sure to check out lissard-users and lissard-devel. Oh yeah, and the CVS repository.
_________________
I don't believe in witty sigs.

pjp
Administrator
Joined: 16 Apr 2002
Posts: 16102
Location: Colorado

Posted: Tue Jul 30, 2002 2:57 am

You're still working on this beast? I'd have thought you'd be finished with 1.0 by now.

;)
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Tue Jul 30, 2002 5:24 am

kanuslupus wrote:
You're still working on this beast? I'd have thought you'd be finished with 1.0 by now.

;)


Yeah, I keep... erm, "spending" my time in these forums. :twisted:

Anyway, check out db_register_table, my latest (well-commented) monstrosity:

Code:
// Make sure $table exists and is defined with $cols
function db_register_table($table, $cols)
{
    global $config;
    $table = $config["dbprefix"]."_".$table;

    // generate SQL for the table creation
    $sql = "CREATE TABLE $table\n\t(";
    $first = TRUE;
    reset($cols);
    while(list($col, $type) = each($cols))
    {
        // eat whitespace
        $col = trim($col);
        $type = trim($type);

        if ($first)
        {
            // don't prefix with \t
            $first = FALSE;
        }
        else
        {
            // add a comma, a \n, and prefix with \t
            $sql .=",\n\t";
        }

        if ($col == "PRIMARY KEY")
        {
            // don't put backquotes around PRIMARY KEY
            $sql .= "$col $type";
        }
        else
        {
            // normal column, backquote
            $sql .= "`$col` $type";
        }
    }
    $sql .= ")";

    // see if $table exists
    if (@mysql_query("DESCRIBE $table"))
    {
        // $table exists, compare the table layout to the new layout
        $result = mysql_query("SHOW CREATE TABLE $table");
        $row = mysql_fetch_row($result);
        $create = str_replace("`", "", $row[1]);

        // see if $create is identical to what we have now
        if ($create == $sql)
        {
            // table is the same; nothing to do
        }
        else
        {
            // break $create into $curcols
            $create = trim(substr($create, strpos($create, "(") + 1));
            $create = trim(substr($create, 0, strrpos($create, ")")));
            $curcols = explode(",", $create);

            // $curcols is now "$col $type", change it to $col => $type
            $createcols = array();
            foreach($curcols as $curcol)
            {
                $curcol = trim($curcol);

                // split column from type at first space character
                // special case: "PRIMARY KEY"
                if (substr($curcol, 0, 11) == "PRIMARY KEY")
                {
                    // got a primary key (can't break at space)
                    $col = "PRIMARY KEY";
                    $type = trim(substr($curcol, 11));
                }
                else
                {
                    // default handling (break at first space)
                    $col = trim(substr($curcol, 0, strpos($curcol, " ")));
                    $type = trim(substr($curcol, strpos($curcol, " ")));
                }

                // prevent zero-length column names
                if ($col)
                    $createcols[$col] = $type;
            }
            unset($curcols);

            // find $addedcols, $droppedcols, and $changedcols
            $changedcols = array();

            $droppedcols = array();
            reset($createcols);
            while(list($create_name, $create_type) = each($createcols))
            {
                if (!array_key_exists($create_name, $cols))
                    array_push($droppedcols, $create_name);
                else if($createcols[$create_name] != $cols[$create_name])
                    array_push($changedcols, $create_name);
            }

            $addedcols = array();
            reset($cols);
            while(list($col_name, $col_type) = each($cols))
            {
                if (!array_key_exists($col_name, $createcols))
                    array_push($addedcols, $col_name);
            }

            // get analysis results (for debugging)
            // only do this if we're going to change anything
            if (count($droppedcols)
                || count($addedcols)
                || count($changedcols))
            {
                ob_start();
                echo "db_register_table($table) results:\n";
                echo "DESCRIBE "; print_r($createcols);
                echo "Parameters "; print_r($cols);
                echo "Dropping "; print_r($droppedcols);
                echo "Adding "; print_r($addedcols);
                echo "Changing "; print_r($changedcols);
                debug(ob_get_contents());
                ob_end_clean();
            }

            // ALTER database
            // MySQL barfs if you drop all the columns of a database
            // Hence, we add before dropping
            // ...unless it's auto_increment, which we defer...
            // (MySQL also barfs if there's two auto_increments, so we add it
            // after dropping columns and hope that any other auto_increment
            // column is dropped)
            $deferredcols = array();
           
            // add columns
            foreach($addedcols as $col)
            {
                if ($col == "PRIMARY KEY")
                {
                    // can't ADD `PRIMARY KEY`
                    // drop the existing primary key, if any
                    db_exec("ALTER TABLE $table DROP PRIMARY KEY");

                    // check to see that our primary key isn't deferred
                    if (!in_array(substr($cols[$col], 1, -1), $deferredcols))
                    {
                        // not deferred, add now
                        db_exec("ALTER TABLE $table ADD $col $cols[$col]");
                    }
                    else
                    {
                        // it is deferred, defer PRIMARY KEY as well
                        array_push($deferredcols, $col);
                    }
                }
                else
                {
                    // normal column
                    // see if it's auto_increment (MySQL doesn't like two)
                    if (strpos($cols[$col], "auto_increment"))
                    {
                        // is auto_increment, do it after dropping
                        array_push($deferredcols, $col);
                    }
                    else
                    {
                        // not auto_increment
                        db_exec("ALTER TABLE $table ADD `$col` $cols[$col]");
                    }
                }
            }

            // drop columns
            foreach($droppedcols as $col)
            {
                if ($col == "PRIMARY KEY")
                {
                    // can't DROP `PRIMARY KEY`, do it without quotes
                    db_exec("ALTER TABLE $table DROP PRIMARY KEY");
                }
                else
                {
                    // normal column
                    db_exec("ALTER TABLE $table DROP `$col`");
                }
            }
           
            // add deferred columns
            foreach($deferredcols as $col)
            {
                if ($col == "PRIMARY KEY")
                {
                    // ignore; PRIMARY KEY is implied by auto_increment
                }
                else
                {
                    // it's an auto_increment column; only reason to defer
                    // MySQL wants PRIMARY KEY on this line
                    db_exec("ALTER TABLE $table ADD `$col` $cols[$col]"
                        ." PRIMARY KEY");
                }
            }

            // change columns
            foreach($changedcols as $col)
            {
                if ($col == "PRIMARY KEY")
                {
                    // drop the existing primary key
                    db_exec("ALTER TABLE $table DROP PRIMARY KEY");

                    // add the new one
                    db_exec("ALTER TABLE $table ADD PRIMARY KEY $cols[$col]");
                }
                else
                {
                    // normal column

                    // note: ALTER TABLE MODIFY requires MySQL 3.22.16a
                    // we could possibly use ALTER TABLE CHANGE, but that'd be
                    // *too* easy :)
                    db_exec("ALTER TABLE $table MODIFY `$col` $cols[$col]");
                }
            }
        }
    }
    else
    {
        // $table does not exist, create
        db_exec($sql);
    }
}

_________________
I don't believe in witty sigs.
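
An added example, not code from the post or from LISSARD: explode(",", $create) in the function above also splits on commas inside types such as decimal(10,2) or enum('a','b'), and table and column names go into the ALTER statements unchecked. This PHP example splits the SHOW CREATE TABLE body on top-level commas only and allow-lists each column name; the helper names safe_ident, split_columns and columns_to_map and the sample statement are assumptions made for the illustration.

```php
<?php
// Added example; the helper names are hypothetical, not part of LISSARD.

// Names cannot be bound as parameters, so allow-list them before DDL.
function safe_ident(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("rejected identifier: $name");
    }
    return "`$name`";
}

// Split a CREATE TABLE column list on commas outside parentheses and quotes.
function split_columns(string $create): array
{
    $start = strpos($create, '(');
    $end = strrpos($create, ')');
    if ($start === false || $end === false || $end < $start) {
        throw new InvalidArgumentException('no column list found');
    }
    $body = substr($create, $start + 1, $end - $start - 1);
    $parts = [];
    $cur = '';
    $depth = 0;
    $quote = null;
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        $ch = $body[$i];
        if ($quote !== null) {
            if ($ch === '\\' && $quote !== '`' && $i + 1 < $n) {
                $ch .= $body[++$i];          // keep a backslash escape intact
            } elseif ($ch === $quote) {
                $quote = null;
            }
        } elseif ($ch === "'" || $ch === '"' || $ch === '`') {
            $quote = $ch;
        } elseif ($ch === '(') {
            $depth++;
        } elseif ($ch === ')') {
            $depth--;
        } elseif ($ch === ',' && $depth === 0) {
            $parts[] = trim($cur);
            $cur = '';
            continue;
        }
        $cur .= $ch;
    }
    if (trim($cur) !== '') {
        $parts[] = trim($cur);
    }
    return $parts;
}

// Build name => type. As in the post, only PRIMARY KEY is special-cased.
function columns_to_map(array $defs): array
{
    $map = [];
    foreach ($defs as $def) {
        if (strncasecmp($def, 'PRIMARY KEY', 11) === 0) {
            $map['PRIMARY KEY'] = trim(substr($def, 11));
        } elseif (preg_match('/^(?:`([^`]+)`|(\S+))\s+(.*)$/s', $def, $m)) {
            $name = $m[1] !== '' ? $m[1] : $m[2];
            safe_ident($name);               // throws on an unexpected name
            $map[$name] = $m[3];
        }
    }
    return $map;
}

// Constructed SHOW CREATE TABLE output (sample data, not from the page).
$create = "CREATE TABLE `lissard_students` (\n"
    . "  `id` int(11) NOT NULL auto_increment,\n"
    . "  `grade` enum('9','10','11','12') NOT NULL,\n"
    . "  `balance` decimal(10,2) default '0.00',\n"
    . "  PRIMARY KEY (`id`)\n) TYPE=MyISAM";
print_r(columns_to_map(split_columns($create)));
```

A legacy column name containing the # character, which the thread mentions, fails safe_ident and has to be mapped to a new name explicitly before any ALTER statement is built.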

fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR

Posted: Tue Jul 30, 2002 6:08 am

delta407 wrote:
Anyway, check out db_register_table, my latest (well-commented) monstrosity:

What does line 233 do? :?: :roll:
_________________
| www.gentoo.org | www.tldp.org | www.google.com |

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Tue Jul 30, 2002 6:41 am

Regarding the legality of my actions, read legal.html.

Regarding line 233, that's either whitespace or does not exist. Unless you're referring to line 233 in database.php, which calls a function to count the result rows as part of the function that counts the number of rows in a table.
_________________
I don't believe in witty sigs.

pjp
Administrator
Joined: 16 Apr 2002
Posts: 16102
Location: Colorado

Posted: Tue Jul 30, 2002 1:17 pm

Hrm... 232 is the last line after I did a copy/paste.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR

Posted: Tue Jul 30, 2002 6:04 pm

Yes, yes... It was a joke/troll... :P
_________________
| www.gentoo.org | www.tldp.org | www.google.com |

ebichu
Apprentice
Joined: 03 Jul 2002
Posts: 231
Location: Manchester, England

Posted: Wed Jul 31, 2002 3:37 pm

delta407 wrote:
Regarding the legality of my actions, read legal.html.

I'm not entirely convinced that this covers your back, but I'm not a lawyer and have little interest in US laws.

I was under the impression that you were intending to replace That Thing with LISSARD, rather than interoperate with it. You don't seem to have pulled apart the existing data structures to see how they work for the purposes of interoperation. You seem to have pulled them apart to see how they work so you can copy them in your own program. This is reasonable for personal use, but seems a bit illegal for a competing program that you are licensing to others, unless the license for the competing program says you must also hold a license for That Thing as well. As I said, I'm not a lawyer, but am I missing something?
_________________
Ebichu wa chiizu ga daisuki dechu!

delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL

Posted: Wed Jul 31, 2002 3:48 pm

ebichu wrote:
delta407 wrote:
Regarding the legality of my actions, read legal.html.

I'm not entirely convinced that this covers your back, but I'm not a lawyer and have little interest in US laws.

I was under the impression that you were intending to replace That Thing with LISSARD, rather than interoperate with it. You don't seem to have pulled apart the existing data structures to see how they work for the purposes of interoperation. You seem to have pulled them apart to see how they work so you can copy them in your own program.

Well, a little of each. Eventually, the plan is to revise portions of That Thing to use a different (hopefully more intelligent) layout, but right now we need to get all of the data from That Thing into LISSARD as quickly as humanly possible. Thus, using the same structures -- in this instance at least -- is a means to provide interoperability. That is the basis of the decision to use the same structure; fast movement of data in between the programs. In fact, if the database backend was rewritten to use ODBC, it would be possible to make LISSARD use That Thing's data directly. Hence, this design (arguably) falls under the reverse-engineering-for-interoperability

ebichu wrote:
This is reasonable for personal use, but seems a bit illegal for a competing program that you are licensing to others, unless the license for the competing program says you must also hold a license for That Thing as well. As I said, I'm not a lawyer, but am I missing something?

Read (3). I can provide said information to others for purposes of interoperability as well.

IANAL either, but... yeah.
_________________
I don't believe in witty sigs.