Here are some hints I find very useful for working with git.

More colour

To get a colourful output in your terminal.

$ git config --global color.branch auto
$ git config --global color.status auto
$ git config --global color.diff true

Merging

For merging I like to use the program `meld`. Add any merge tool you want, such as kdiff3 or xxdiff.

$ git config --global merge.tool meld

For conflicts, you can solve the mess, with your favourite merge program.

$ git mergetool

Checking the logs

Shows the commit log like `git log` including a listing of which files had modifications in a particular commit.

$ git whatchanged

Reset a file to an old revision

Overwrite the file `foobar` with the third last revision of `foobar`.

$ git show HEAD~3:foobar > foobar

Writing a hook

Remove all compiled python files (pyc) before a commit start. To activate a hook you have to make the hook you want in `.git/hooks/` executable.

$ echo "find -name '*.pyc' -delete" >> .git/hooks/pre-commit
$ chmod u+x .git/hooks/pre-commit

Exporting

Create a clean repository export to a folder `foo` in a compressed archive.

$ git archive --format=tar --prefix=foo/ HEAD | gzip -c > foo.tar.gz

That’s not so handy like in svn, I know. Maybe you want to use rsync instead?

$ rsync --exclude='.git'

Blame with GUI

You must install the git-gui package for using it.

$ git gui blame file

GNOME Do erlaubt den Anwendern, sehr schnell durch heterogene Daten zu navigieren, Anwendungen und Skripte zu starten sowie Aktionen auszuführen. Ein ähnliches Programm existiert für Mac OS X und heißt Quicksilver. GNOME Do ist einfach, wenn gewollt komplett ohne Maus zu bedienen und sieht auch grafisch hervorragend aus. Nicht zu Unrecht heißt es auf der Entwickler-Website „A powerful, speedy, and sexy remote control for your GNOME Desktop“.

erschienen im freiesMagazin November 2008

http://www.freiesmagazin.de/mobil/freiesMagazin-2008-11-bilder.html#08_11_gnomedo

This is a collection of my plugins, I wrote for the Gnome Deskbar Applet. Feel free to use them!
You can find the code repository on launchpad https://code.launchpad.net/~bernde/+junk/deskbar-plugins.

leo de/en translate – plugin

Queries the online dictionary of dict.leo.org, only for english or german words.

MD5 – plugin

Converts any string to a MD5 hash.

timestamp – plugin

Returns datetime from given timestamp.

password generator – plugin

Returns random password, ready to copy.

Install

Do a bzr (Bazar) checkout:

Copy the python files (.py) to the folder ~/.gnome2/deskbar-applet/modules-2.20-compatible/ and activate the plugins you want in the preferences settings of Gnome Deskbar.

Sascha Kersken hilft mit seinem leicht verständlichen Buch “Praxiswissen Ruby” AnfängerInnen und UmsteigerInnen mit praktischen Beispielen in die Welt der Ruby-Programmierung einzusteigen.

Den Anfang machen die Geschichte von Ruby, die Installation und das klassische “Hello World”-Skript. In den nächsten Kapiteln geht es darum, sich mit den Sprachgrundlagen und jeder Menge Ruby-typischem “syntactic sugar” vertraut zu machen. Nach funktionalen und prozeduralen Programmier-Beispielen geht es im dritten Kapitel um Objektorientierte Programmierung. Dabei wird das Verwenden von eingebauten Ruby-Klassen (Ein- und Ausgabe, Datum und Zeit usw.) sowie der Ruby-Hilfe “ri” vermittelt. Im nächsten Kapitel beginnen die LeserInnen mit dem Erstellen eigener Klassen. Dabei bleiben keine Fragen rund um die Objektorientiertung von Ruby offen. Nach einer sehr kurzen und gelungenen Einführung in die Netzwerk-Topologie werden Netzwerkanwendungen mit Ruby gebaut, etwa ein Browser und ein Server. Einer der bekanntesten Bereiche von Ruby ist eindeutig das Web-Framework Ruby on Rails, das im letzten Kapitel eingesetzt wird um eine Webanwendung zu bauen, mit der sich die CD-Sammlung verwalten lässt. Um Webanwendungen ging es schon im Kapitel davor, allerdings um einfachere, ohne Ruby on Rails, mittels CGI. Ebenso ging es um Zugriffe auf MySQL-Datenbanken. Ganz hinten befindet sich eine hilfreiche Kurzreferenz.

Das Buch bietet einen guten und vor allem schnellen Einstieg in die Sprache Ruby und schneidet dabei auch das Web-Framework Ruby on Rails kurz an. Der Aufbau ist logisch und die Beispiele praxisnahe. Damit ist es für jedeN, egal mit welchem Vorwissen, eine ausgezeichnete und flott durchgearbeitete Lektüre, die mit Ruby vertraut macht.

Sascha Kersken
Praxiswissen Ruby
O’Reilly Verlag 2008
408 Seiten
EUR 29.90
ISBN: 978-3-89721-478-1

rezensiert von Bernd Essl (November 2008)

I use this Django Middleware for detecting iPhones or iPods and for setting the template directory dynamically. If the user agent is an iPhone or iPod, the template directory is changed, so that different templates for the iProducts can be used. The idea is taken from this snippet, but it only detects iPhones and I had some troubles with caching so I wrote one myself.

from django.conf import settings
import re

class iPhoneMiddleware(object):
    """
    If the Middleware detects an iPhone/iPod the template dir changes to the
    iPhone template folder.
    """

    def __init__(self):
        self.normal_templates = settings.TEMPLATE_DIRS
        self.iphone_templates = (settings.TEMPLATE_DIRS[0] + '/iphone',)

    def process_request(self, request):
        p = re.compile('iPhone|iPod', re.IGNORECASE)
        if p.search(request.META['HTTP_USER_AGENT']):
            # user agent looks like iPhone or iPod
            settings.TEMPLATE_DIRS = self.iphone_templates
        else:
            # other user agents
            settings.TEMPLATE_DIRS = self.normal_templates
        return

.htaccess (hypertext access) is the default name of Apache’s directory-level configuration file. .htaccess is placed in a particular directory, and the directives in the .htaccess file apply to that directory, and all subdirectories thereof.

The most common feature is to restrict access to a folder by force the user to a login prompt, but there are some other helpful things also that I show you in this posting.

Allow access only for the IP 127.0.0.1

Forbid access to files with extensions .bak, .sql, .inc.

This line make the “.txt” extension to executable PHP scripts.

Redirceting from web folder “bla” to http://phpsecurity.wordpress.com/

Rewriting you can use to make better reading URLs. It’s very handy for SEO and looks much more friendlier than long-cryptic looking URLs for your visitors.
In this example the URL can be http://example.org/de/ or http://example.org/en/ and the Rewrite engine catches the parameters in the brackets and give the value “de” or “en” to the $lang to index.php.

Last but not least, set a password prompt to any directory you want

on linux you create a .htpasswd file with:

than you put this lines to your .htaccess:

If you have any problems with .htaccess and you have access to your server, look in the error logs of your apache server. You find them in /var/log/apache2/error.log (depending on system).

In part 1 we made sure that the value is an integer, but what if a value could be a string?
You have to escape special characters in a string for using in a SQL statement. This means that a single quote (‘) get a backslash before (\’).

There are escape functions for each popular database:

MySQL: mysql_real_escape_string()
PostgreSQL: pg_escape_string()
SQLite: sqlite_escape_string()

You can also use PDO’s prepared statements support. PDO uses the native prepared statement support for your database.
As you can see in the next example $_GET['name'] would be escaped, before the query touches the database.

There are some database abstraction layer (DAL) for PHP, such as AdoDB, PEAR::MDB2, or Zend_Db. Most DAL’s provide support for prepared statements and quoting like PDO.

It’s up to you which protection you use, but think about that your database is the heart of your website.

Many applications use a database to store data. Popular products are MySQL, SQLite and PostgreSQL.
A lot websites use a number called ID in the URL to get more information to a dataset like a product or a posting.

The problem of using ID’s is if they aren’t validated, bad guys and girls can spy, change or destroy your database by manipulating the SQL query.
This attack is called SQL injection.

An example to get the field “title” in the row with the value of $_GET['id']

If $_GET['id'] is an integer everything is fine but it’s possibly to manipulate the URL-query with something like this:

In this case your table was deleted.

To protect your database first validate and then cast if you’re waiting for an integer in your code logic.

In PHP 5.2 you can use the native filter to validate the user input:

If the value is something nasty like “?id=1;DROP TABLE users”, $save_id would be false otherwise it would get the value of the user input (integer).

In older PHP versions you can check against the is_numeric() function.

The use of (int) to cast a variable type to an integer, removes any doubt that the output will be an integer and not a string.

This makes a nasty URL like “.php?id=23;DROP TABLE users” to 23 as value from $foo.

Put them all together and the code should look like this:

WebGoat is a insecure web application which is designed to teach web application security concepts.
You can try hacking: Access Control Flaws, Authentication Flaws, Session Management Flaws, Cross-Site Scripting (XSS), Buffer Overflows, Injection Flaws, Improper Error Handling, Insecure Storage, Denial of Service, Insecure Configuration, Web Services and AJAX Security.

There is a “Lesson Plan” a kind of tutorial and in the “Hints Menu” you can view the parameters, cookies, the Code and the solution.
It’s a lot of fun and you learn more about web application security.

You can download the app from http://code.google.com/p/webgoat/.

It comes with the Java Runtime Environment and a configured Tomcat 5.5
server and should run on any platform.

If you are using Linux or OSX you must download http://webgoat.googlecode.com/svn/tags/webgoat-5.1/main/webgoat.sh to start webgoat.
Put the webgoat.sh in your unpacked webgoat directory and start it
with the terminal:

$ sh webgoat.sh start8080

On Windows it should run throw a double-click on webgoat8080.bat.

Browse to http://guest:guest@127.0.0.1:8080/WebGoat/attack with your
browser and start your first lesson.

happy hacking

How to find out if we are on development or production?

The first thing I do is to define a variable “DEVELOPMENT_MODE“ in settings.py, that checks if the server is running on my local machine or not. I found this nice idea on the djangoproject.com website: http://code.djangoproject.com/browser/djangoproject.com/django_website/settings.py

import os, platform

DEVELOPMENT_MODE = (platform.node() != "my_hostname")

Set the hostname, you can find it out with the command

hostname

in your terminal.
Now on your local machine DEVELOPMENT_MODE variable is True, on production should be False.

settings

With this variable you can split your settings for production and development. This makes sense for the settings like DATABASE_*, DEBUG, MEDIA_*, CACHE_BACKEND and others none django-related-stuff like google-API keys.

An example of my settings.py:

if DEVELOPMENT_MODE:
    DEBUG = True
    DATABASE_ENGINE = 'postgresql_psycopg2'
    DATABASE_NAME = 'xxx'
    DATABASE_USER = 'xxx'
    DATABASE_PASSWORD = 'xxx'
    DATABASE_HOST = 'localhost'
    TEMPLATE_DIRS = ('/xxx/templates')
    MEDIA_ROOT = '/xxx/media/'
    MEDIA_URL = '/media/'
    GOOGLE_KEY = "ABQIAAAA2OXrNyQ" #localhost
    CACHE_BACKEND = 'dummy:///'
else:
    DEBUG = False
    DATABASE_ENGINE = 'postgresql_psycopg2'
    DATABASE_NAME = 'xxx'
    DATABASE_USER = 'xxx'
    DATABASE_PASSWORD = 'xxx'
    DATABASE_HOST = ''
    TEMPLATE_DIRS = ('/xxx/templates',)
    MEDIA_ROOT = '/var/www/server/media/'
    MEDIA_URL = 'http://server/media/'
    GOOGLE_KEY = "ABQIA66g" #domain
    CACHE_BACKEND = 'file:///var/tmp/django_cache'

DATABASE_PORT = ''
...

serve static files

I had a long time on my local machine an apache2 for serving static/media files running. I changed this setting now to ‘django.views.static.serve’ which is the build-in fileserver from django. The reason was that I didn’t want to configure on every webdesigners machine the apache2, only for serving the media.
With the DEVELOPMENT_MODE variable it’s easy to do that. Only append this to the urls.py.

from settings import DEVELOPMENT_MODE

if DEVELOPMENT_MODE:
    urlpatterns += patterns('',
        url(r'^media/(?P.*)$', 'django.views.static.serve', {'document_root': "/media/"}),
    )

The ‘django.views.static.serve’ works very well for development, but never ever use it on production!

http://www.djangoproject.com/documentation/static_files/

caching

When you use a cache framework, I’m sure you want it only on your production site, so you can use on your local machine the dummy cache that doesn’t actually cache.

if DEVELOPMENT_MODE:
    CACHE_BACKEND = 'dummy:///'
...

http://www.djangoproject.com/documentation/cache/#dummy-caching-for-development

database

I’m using PostgreSQL now on development and production site. I found it hard to import/export dumps (structure/data) from Sqlite to PostgreSQL and vice versa. I worked a lot with MySQL and have the most experience with it, but with Django it really sucks sometimes, no fixtures support and no transactions.

Ok that’s it I hope you enjoy reading and please give me some of your tips.