Firefox plugin installer code

If you’re nerdy enough to care, here’s the code to install a new search plugin…

// Firefox plugin installer code

function addEngine(name, ext)
{
    // Only call the Firefox-specific sidebar API if the browser actually provides it
    if ((typeof window.sidebar == "object") && (typeof window.sidebar.addSearchEngine == "function"))
    {
        window.sidebar.addSearchEngine(
            "http://www.example.com/searching/" + name + ".src",    // plugin definition file
            "http://www.example.com/searching/" + name + "." + ext, // icon file
            name,                                                   // suggested title
            "");                                                    // suggested category (none)
    }
    else
    {
        // errorMsg is not defined in this snippet
        errorMsg(name, ext, "");
    }
}


Eval is Evil

Just read an article on Sitepoint about PHP’s Eval function, and basically, how it is evil.

Eval lets you ‘run’ a string as if it were code. Sounds useful, but I can’t say that I’ve ever found a situation where it is a good idea. Quite apart from the security risk highlighted – which is really more a question of user input validation – it seems to me that if you’re writing a programme, you should know what it is supposed to do up front.

If you already know what it is supposed to do, why would you need an eval function at all? Why not just programme it that way? Sure, I can see how eval might be a useful ‘shortcut’, but it just isn’t elegant.
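The article is about PHP, but the problem is the same in any language with an eval. As an added example (not code from the original post), here is the pattern in JavaScript: a user-supplied action name spliced into a string and evaluated, beside the same feature written as a lookup table. The action names, the `actions` table and the input strings are constructed for illustration.

```javascript
// Added example (not from the original post): "run a string as code" versus a
// lookup table. The action names and inputs below are constructed for illustration.

const actions = {
  greet: (who) => `hello, ${who}`,
  shout: (who) => `${who.toUpperCase()}!`,
};

let sideEffect = false; // flipped only if code smuggled in via the action name actually runs

// Risky: the user's action name becomes part of the source text that is evaluated.
// Anything that is valid JavaScript in that position runs with the page's privileges,
// so "validating input" would mean predicting every possible piece of code.
function runWithEval(action, who) {
  return eval(`actions.${action}(${JSON.stringify(who)})`);
}

// Safer: the user's input is only ever used as a key into a table the programmer wrote,
// so the set of things that can run is fixed when the program is written.
function runWithTable(action, who) {
  if (!Object.prototype.hasOwnProperty.call(actions, action)) {
    throw new Error(`unknown action: ${action}`);
  }
  return actions[action](who);
}

// Feed both versions a constructed action name that carries extra statements.
function demo() {
  const injected = "greet('x'); sideEffect = true; actions.greet";
  runWithEval(injected, "world");     // evaluates the extra statements as well
  const evalRan = sideEffect;
  sideEffect = false;

  let tableRejected = false;
  try {
    runWithTable(injected, "world");  // no such key, so nothing runs
  } catch (e) {
    tableRejected = true;
  }

  return { evalRan, tableRejected, tableResult: runWithTable("greet", "world") };
}
```

The table version does exactly what the post suggests: the program states up front which actions exist, and the input merely selects one of them.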


Javascript in the IE Links bar

I discovered this in the course of some work at a customer’s site – you can put Javascript into IE’s links bar!

The links bar is intended to give you buttons to take you to your commonly used websites (although it is nowhere near as good or useful as Firefox’s links bar, which is more like a menu). You press a button, it goes to that page.

However, in HTML an anchor tag can specify Javascript to run, rather than just a page address. Out of interest, I tried doing this with IE’s links buttons, and it worked.

I was looking for a way to get a substring of the URL that the browser was currently at. The URL was of the form:
http://server/instance/app.dll?action=x&id=1234&next=y
and I was trying to get the value of the ‘id’ parameter (1234 in this case).

What I came up with was a URL that I put into a link. The URL was (on one line):
javascript:x=/id=([0-9]+)/i;x.exec(window.location);
window.clipboardData.setData("Text",RegExp.$1);alert(RegExp.$1);
To break it down:
javascript:
specifies that it is javascript code, not just a page address.
x=/id=([0-9]+)/i;
sets up a regular expression to get the ID
x.exec(window.location);
applies the expression to the current location of the browser window.
window.clipboardData.setData("Text",RegExp.$1);
copies this ID to the clipboard.
alert(RegExp.$1);
confirms that this has been done.

And it works! Hard to believe, but it really works! I’m sure that there must be some sort of security issue here – I need to think about how this might be abused, but there should be a way. Will let you know when I think of something…
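The regular expression in the post, /id=([0-9]+)/i, matches the first “id=” anywhere in the URL string, so a URL containing a parameter such as “pid=” or “guid=” before “id=” would give the wrong value, and percent-encoded characters are not decoded. As an added example (not code from the original post), here is the post’s extraction next to two alternatives, run against a constructed URL of the same shape. The clipboard write is left out; `window.clipboardData` was an IE-only API and `RegExp.$1` is a legacy global, so the match is read from the result of `exec` instead. The `pid=77` parameter and the percent-encoded value are constructed to show the difference.

```javascript
// Added example (not from the original post): three ways to read the "id" parameter.
// The sample URL is constructed; "pid=77" is there on purpose to show the regex pitfall.
const sampleUrl = "http://server/instance/app.dll?action=x&pid=77&id=1234&next=y";

// The post's approach: the first "id=<digits>" anywhere in the string.
function idByRegex(urlString) {
  const m = /id=([0-9]+)/i.exec(urlString);
  return m ? m[1] : null;
}

// Anchored regex: the name must follow '?' or '&', so "pid=" no longer matches.
function idByAnchoredRegex(urlString) {
  const m = /[?&]id=([0-9]+)/i.exec(urlString);
  return m ? m[1] : null;
}

// Parse the query string properly: names are matched whole and values are
// percent-decoded. URL and URLSearchParams are standard in modern browsers and Node.
function idByUrlApi(urlString) {
  return new URL(urlString).searchParams.get("id");
}
```

On the sample URL the post’s regex returns "77", while the anchored regex and the URL parser both return "1234"; for a value such as `id=12%30` only the parser decodes it to "120".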


Passwords, Secret questions, and expiring Authentication

An interesting morning, not bad given that it isn’t 0915 yet. Anyways, I’ve just read some fascinating articles…

A guy I work with had been asking about how to figure out the entropy of a password. This is, put simply, measuring the disorder of a password – the more disordered, the harder it is to predict. And this is very hard to do, for reasons I’ll explain some other time.

Anyways, we then discussed passphrases. Instead of being a word like ‘Bgc4$4q2’ or something equally obscure, you use a phrase that would be difficult to reproduce – ‘Eat flying doughnut on Thursday’. This is still difficult to figure out the entropy for – you could choose an easily predicted password (e.g. ‘In the beginning God created the heaven and the earth’) – but is generally more secure.

So this morning I read a fascinating article by a guy from Microsoft PSS Security about passphrases. Worth a look for all techies, certainly I’ll be looking at using passphrases from here on.
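One reason the entropy of a password is hard to pin down is that the number depends on what you assume the attacker knows. As an added example (not from the original post), the code below estimates bits for the post’s two samples under three models: a character-by-character brute force, a guess over a word list of an assumed size (7776 words, an assumption), and the case where the phrase is a well-known quotation drawn from an assumed corpus of a million phrases. The character-class sizes and corpus size are assumptions chosen for illustration.

```javascript
// Added example (not from the original post): crude entropy estimates under
// three attacker models. List and corpus sizes are assumptions for illustration.

// Model 1: the attacker tries every string over the character classes actually used.
function charsetSize(secret) {
  let size = 0;
  if (/[a-z]/.test(secret)) size += 26;
  if (/[A-Z]/.test(secret)) size += 26;
  if (/[0-9]/.test(secret)) size += 10;
  if (/[^a-zA-Z0-9]/.test(secret)) size += 33; // space and printable ASCII punctuation
  return size;
}
function charBruteForceBits(secret) {
  return secret.length * Math.log2(charsetSize(secret));
}

// Model 2: the attacker knows the phrase is N words from a list of listSize words,
// so each word is worth log2(listSize) bits whatever its spelling.
function wordlistBits(phrase, listSize) {
  const words = phrase.trim().split(/\s+/);
  return words.length * Math.log2(listSize);
}

// Model 3: the phrase is a famous quotation in the attacker's dictionary of
// corpusSize phrases, so the whole phrase is worth only log2(corpusSize) bits.
function knownPhraseBits(corpusSize) {
  return Math.log2(corpusSize);
}

function compare() {
  const password = "Bgc4$4q2";                      // the post's sample password
  const passphrase = "Eat flying doughnut on Thursday"; // the post's sample passphrase
  return {
    passwordChars: charBruteForceBits(password),     // about 52.6 bits
    passphraseChars: charBruteForceBits(passphrase), // about 198.7 bits
    passphraseWords: wordlistBits(passphrase, 7776), // about 64.6 bits
    quotation: knownPhraseBits(1000000),             // about 19.9 bits
  };
}
```

The same passphrase comes out at roughly 199 bits under a character model and roughly 65 bits under a word-list model, and a quotation the attacker already has in a dictionary is worth less than the eight-character password; the figure is only as meaningful as the model behind it.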

I’ve also just read an article about how authentication never expires in e-commerce sites. An interesting point – it should be possible to terminate accounts on e-commerce sites. I mean, if you don’t, if the account is still valid, then your details could be used. But I can’t say that I know of a way to go to Amazon and tell them to disable my account.

I guess one option would be that if an account just hasn’t seen any activity in a while, you send out an email warning of its impending shutdown. If there is no response, close it down. Not perfect, but you’re making the window for the abuse of that username/password smaller.

And lastly, there is an article on why secret questions are a bad idea for password recovery. Basically, it’s the old ‘security is only as good as its weakest link’. Never liked these things anyway.
