The Code Cave

March 20, 2006

Safe Source Code Highlighting in WordPress 2.02 - Take 2

Filed under: WordPress — Brian @ 11:10 pm

Well, the good news is that the syntax highlighting is back!

I’ve found another implementation of the GeSHi Syntax highlighter. This one is under current development and in fact version 3.5 (as opposed to 0.2 of that OTHER highlighter) was just released a week or two ago.

The igHiliter 3.5 is available here: http://blog.igeek.info/still-fresh/2006/02/25/code-for-fun/
Now, instead of using braces and code tags, I must use brackets:

HTML:
<code lang="somelang">
  10 Goto 10
</code>

I use brackets like so:

CODE:
[somelang]
  10 Goto 10
[/somelang]

This seems to work VERY well, but having learned my lesson, I’ll hold my review till I’ve had a chance to fully test. I’ve already made some changes to the source code to, IMHO, improve the appearance and make it look a bit more standard & professional. I was pleasantly surprised by the quality of the source code. The simple fact that it is consistent in its Styles and Standards (capitalization & spacing), well commented and easy to read, carries high marks in my book.

The integration with GeSHi has been done very smoothly. The standard languages supported in the program are quite sufficient for my needs (a bit overkill really, since I won’t be touching Ruby any time soon, and while I’ve used Python, I won’t be posting it here any time soon either). So, the author wisely chose not to provide built-in support for all possible GeSHi languages. Instead, the plugin is fully compatible with all GeSHi plugins. You gotta love a plugin with plugins. Where will it end?!?!?!

And I learned something new tonight too.

All of those buttons above the editor are contained within the file:
/wp-includes/js/quicktags.js

The format is pretty straightforward. So, for instance, to add a button for the delphi tag, I just put in:

JAVASCRIPT:
edButtons[edButtons.length] =
new edButton('ed_shDELPHI'  // button id
,'DELPHI'                   // button label
,'{delphi}'                 // opening tag
,'{/delphi}'                // closing tag
,''                         // hot key (none; the argument cannot be left empty)
);

Actually, I’d use brackets instead of braces, but you get the idea.
Those fields are
1. Button Label
2. Opening tag
3. Closing tag
4. Hot key
5. Open Ended Key (0 or blank = FALSE; -1 = TRUE, meaning the tag does not need to be closed)

I’ve got some plans for this file!!!!

March 15, 2006

Superchic[k]

Filed under: Music — Brian @ 8:55 pm

Thought I’d share this as I got home and found that one of the websites I often open up and just leave open was still open and playing when I got home:

http://www.superchickonline.com Link contains (rocking) sound

March 14, 2006

GeshiSyntaxColorer WordPress Plug in - DON’T USE IT in WP 2.02

Filed under: WordPress — Brian @ 11:05 pm

WAS: Safe Source Code Highlighting in WordPress 2.02

Since this is a blog largely devoted to source code segments, I REALLY wanted to be able to do the kind of code highlighting I’ve seen in forum software such as that used at Codingforums.com. During an inadvertent search for how to do a StrToInt (that’s a Delphi function) in PHP (the answer is IntVal()), I found a PHP unit with Delphi references. I thought it was a neat little unit so I bookmarked it. It turns out it was part of the source code for GeSHi, the Generic Syntax Highlighter. GeSHi was the syntax highlighter built into phpBB. It has since grown into a fully independent universal PHP class available over at http://qbnz.com/highlighter/index.php

The latest stable version of GeSHi is 1.0.7.7, released on the 25th of February, 2006.

Supported Languages: Actionscript; ADA; Apache Log; AppleScript; ASM; ASP; AutoIT; Bash; BlitzBasic; C; C for Macs; C#; C++; CAD DCL; CadLisp; ColdFusion; CSS; Delphi; DIV; DOS; Eiffel; FreeBasic; GML; HTML; Inno; Java; Java 5; Javascript; Lisp; Lua; Microprocessor ASM; MySQL; NSIS; Objective C; OCaml; OpenOffice BASIC; Oracle 8 SQL; Pascal; Perl; PHP; Python; Q(uick)BASIC; robots.txt; Ruby; Scheme; SDLBasic; Smarty; SQL; T-SQL; VB.NET; Visual BASIC; Visual Fox Pro; and XML.

I was absolutely tickled when, on a whim, I did a search for GeSHi and WordPress to see if anyone else had tried to integrate it and, lo and behold, I suddenly found a GeSHi plugin over at the WordPress plugin site.
http://dev.wp-plugins.org/wiki/GeshiSyntaxColorer.

It works beautifully. Especially since it stays within the width of the columns, and no other highlighting boxes I tried had done that without specific widths being set.

You can already see it at work in PHP and Delphi code from earlier posts here. Enjoy!

[edit] Grrrrr… Something I’ve done has changed my blog so that I must explicitly specify <br /> at my end points!!! [/edit]

[edit] Double Grrrrr… It is the GeSHi plugin! It is stripping out all p tags from the whole page!?!?!?!?!

Gack…. the plug in is fatally flawed…. This is disappointing… I liked all of my color code…
[/edit]

[edit]
OK - Here’s the fix - use the igHiliter. It seems to work MUCH better. More on this later.
[/edit]

Industry wants girls to stick to knitting

Filed under: My Career — Brian @ 2:31 am

It’s almost funny…

On the same day I get this:

—–Original Message—–
From: newsletter-bounces@womengamers.com [mailto:newsletter-bounces@womengamers.com] On Behalf Of WomenGamers.Com Newsletter
Sent: Monday, March 13, 2006 4:31 PM
To: newsletter@womengamers.com
Subject: [Newsletter] WomenGamers.Com March Newsletter & XBox 360 Giveaway

Greetings and welcome to the re-launch of our very own WomenGamers.Com newsletter! To unsubscribe, see instructions below. Since we launched this website back in 1999, we have witnessed a fundamental change in this industry. Way back in the day, when we pried our feet into high heeled pumps to pursue venture funding for this website, we were actually asked “Women play games”? Nowadays we have women’s game conferences, scholarships for women to pursue Masters degree programs in game development, and an inquisitive press who is watching the grass roots movement of women slowly being accepted by the gaming community as consumers and as drivers. We want to thank you, our members, for contributing your time, energy and passion to our online community. YOU have made a difference.

Now to the news. In recent news, the Electronic Entertainment Expo is going to be placing a heavy fine on booth babes this year, new surveys show a near 50-50 male/female split of gamers in Asia, and Reggie Fils-Aime, Executive Vice President of Sales and Marketing for Nintendo, urges the industry to embrace new demographics, even if it means running ads during Oprah. How is *that* for fundamental change!
[...]

ZDNet publishes this:

Industry wants girls to stick to knitting
ZDNet - 9 hours ago
Commentary–The computer industry may pride itself on being different. But for all its self-congratulatory pretensions, this business …

My first reaction to the article title was: What a load of bunk!

The computer industry, while admittedly male weighted, has always been one of the most accepting industries out there. Being married to a woman who worked Technical Support for a software and hardware company may make me a little biased, but I don’t think there is a problem in the technology industry in seeing a woman as an equal. For example, if you look at the company I work for now, I believe it has a good ratio of women to men - one I expect to be in the forty percent range, and that includes the woman I used to report to before I took on my current role. I also maintain the misleading ratio of recommending for hire 100% of the women that I’ve interviewed for internships. The problem is that that amounts to a total count of 1 out of maybe 20 interviews and 60 resumes.

After actually reading the article, I’d have to say that it does have a valid point in that there are a lot more men in CEO positions than women. The thing is, I’m quite certain that in large part it is purely a numbers issue, perhaps in more ways than one. First, there’s the obvious: for years everyone was told flat out that “Women are not good at math.” Now, it is statistically impossible (or infinitely improbable, if you will) that there are exactly the same number of men and women genetically gifted with the exact same skill aptitudes for mathematics. Therefore, genetically and statistically speaking, one gender will be better than the other. Whether that is to an extent that is measurable is another matter.

But regardless of the genetics involved, it is a self-fulfilling statement. If you repeatedly tell large groups of people they aren’t good at something, a certain percentage will begin to act as if that is true. Then the condition snowballs: it becomes obvious that there are fewer of that group participating, and people look for reasons why. I will say that that was the case for many years in the technical fields. Women simply weren’t participating as much as men. For that reason alone you’d logically expect there to be fewer women CEOs. But does that explain it all? Not quite yet. For I have the sneaking suspicion that we are right where we should expect to be.

You see, the real question in my mind is: “Is the number of CEOs out of proportion to the gender bias as it was when today’s CEOs entered the work force?” There is a certain path that today’s CEOs took to get to where they are. It is logical to assume that most CEOs should be expected to take a similar course. So we need to look at what that course is.

The best (first) number I could get for the average age of CEOs in the technology sector is 45.7 in 2003 (http://www.forbes.com/2003/03/31/cx_wt_0401exec.html). Let’s make our math easy and say they entered the technology fields at 19.7 years of age. That’s a difference of 26 years in the industry. So, we’d have to look at the women that graduated with degrees in technology related fields starting in 1980.

Well, it turns out, purely coincidentally, that 1980 was the year that the male to female graduate ratio reached an equilibrium in the United States, with just as many female college graduates as male (http://sll.stanford.edu/projects/tomprof/newtomprof/postings/361.html). It does not stretch the imagination to believe that the degrees women received that year were largely weighted to non-technological fields such as Nursing.

Personally, I think this goes much further to explaining the lack of women in the top positions. This article was published in the US and self-centeredly addresses a problem in the US. I agree that’s where the problem lies. A majority of North Americans are trained to want (and get) everything now! now! now! When they don’t get it, whether it is reversing the historical trends of the last century, or the re-training and cultural indoctrination of a nation’s police force (off topic, sorry), it takes time.

Thoughts?

March 13, 2006

The problem with multiple checkboxes

Filed under: PHP — Brian @ 7:39 pm

(Have I mentioned that I HATE the TinyMCE implementation in WordPress… I apologize if you came to this post after I edited it, changing one letter which allowed TinyMCE to totally scramble it!)

While creating the entry form for the WordPress 2.0 Theme database, I had to learn a bunch of stuff.

First, I’d only ever created two forms before, and one of them only had one field, but I was very proud of it. :)

See:
http://forums.the-wildwest.com/checkip.php

It uses the first of several form submission techniques: GET

You can tell a GET form because when you hit submit, you go to a page with a new URL followed by a question mark and a bunch of values separated by ampersands. Since it is a GET, and I didn’t know enough then, it was vulnerable to some of the methods used to attack servers. For instance, I could inject HTML into the URL and have it processed in the form like this:
http://forums.the-wildwest.com/checkip.php?ip=I%20should%20not%20be%20able%20to%20put%20HTML%20here

The result was that when I displayed the value for $ip, the HTML code that I put in that value would have been rendered by the browser. In my simple example the text would have been displayed in bold. NOWHERE in the form should the text I put in there be bold. But it was. I SHOULD have stripped all HTML tags out of my values before displaying them, but I didn’t know any better then. AND bigger and better people than me have made that same mistake. In fact, many of the problems in the WordPress release were at least somewhat related to this technique.

The fix was simple. I took the code:

PHP:
// $ip is the ?ip= query parameter (register_globals era); when it is absent,
// fall back to the address the server saw
if (!(isset($ip))){
  $ip = $_SERVER['REMOTE_ADDR'];
}

and changed it to

PHP:
if (!(isset($ip))){
  $ip = $_SERVER['REMOTE_ADDR'];
}
else {
  // escape the user-supplied value so any tags in it are shown, not rendered
  $ip = htmlspecialchars($ip);
}

That way, if the variable was blank, I filled it in. If the variable included HTML, I escaped it so that it would not be rendered. Well, that’s enough of a hacking lesson for now. I will post more ways of protecting yourself in a different post later. Back to creating forms…
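Here is the same checkip handler worked through as an added example (not the blog’s actual checkip.php): the vulnerable version, the htmlspecialchars fix from above, and a version that also validates the field as an IP address before it is ever echoed. The function names, the array-in/string-out shape and the sample requests are assumptions made for the example.

```php
<?php
// Added example, not the blog's checkip.php. Each function takes the query
// parameters and the server array as plain arrays (an assumption, so the
// script runs from the command line) and returns the HTML it would print.

// Vulnerable form: the ?ip= value goes into the page unchanged, so any tag in
// it, such as the <b> the post mentions, is interpreted by the browser.
function render_ip_vulnerable(array $query, array $server): string
{
    $ip = isset($query['ip']) ? $query['ip'] : $server['REMOTE_ADDR'];
    return '<p>Your IP address is ' . $ip . '</p>';
}

// The post's fix, escaping for the HTML body. ENT_QUOTES also escapes the
// single quote, which the default flags on PHP < 8.1 leave alone; that matters
// as soon as the value is placed inside a quoted attribute instead of the body.
// The is_string() check covers ?ip[]=... which would arrive as an array.
function render_ip_escaped(array $query, array $server): string
{
    $ip = (isset($query['ip']) && is_string($query['ip']))
        ? $query['ip'] : $server['REMOTE_ADDR'];
    $safe = htmlspecialchars($ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Your IP address is ' . $safe . '</p>';
}

// One step further: an IP field may only hold an IP address, so validate
// before escaping (FILTER_VALIDATE_IP accepts IPv4 and IPv6 literals and
// nothing else) and never reflect a rejected value at all. Escaping stays in
// place as the second layer in case the validation rule is ever loosened.
function render_ip_validated(array $query, array $server): string
{
    $candidate = (isset($query['ip']) && is_string($query['ip']))
        ? $query['ip'] : $server['REMOTE_ADDR'];
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    if ($ip === false) {
        $ip = $server['REMOTE_ADDR'];   // rejected: show what the server saw
    }
    $safe = htmlspecialchars($ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Your IP address is ' . $safe . '</p>';
}

// Constructed sample requests (not real traffic); the addresses are from the
// 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
$server   = ['REMOTE_ADDR' => '203.0.113.7'];
$requests = [
    [],                                      // no ?ip= at all: fall back to REMOTE_ADDR
    ['ip' => '198.51.100.23'],               // a well-formed address
    ['ip' => 'I should <b>not</b> be bold'], // the post's HTML-injection case
];
foreach ($requests as $q) {
    echo 'vulnerable: ' . render_ip_vulnerable($q, $server) . PHP_EOL;
    echo 'escaped:    ' . render_ip_escaped($q, $server) . PHP_EOL;
    echo 'validated:  ' . render_ip_validated($q, $server) . PHP_EOL;
}
```

For the injection case the escaped version prints the tags as literal text, while the validated version never echoes the rejected string at all.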

As always W3 Schools has some of the best information about forms and you can see how the GET method can be used to retrieve information from the user in a bunch of different ways. http://www.w3schools.com/html/html_forms.asp

In my Theme submission form, I ask for about 20 different fields to be (optionally) filled in, including a description field that could be up to 200 characters long. EVERY submission would likely produce a URL that was too long for the browser to handle. So, using the GET method was right out. I was on new ground.

The method of submitting information I would have to use is the POST method. It sends the information to the server in the array variable $HTTP_POST_VARS. Then you must use PHP or Perl or CGI or whatever to process it. (BTW, any method is subject to HTML injection, so I must parse it too. It is just more obvious when using GET.)

However, as it turned out, the POST method seemed to work differently than GET when filling out multiple check boxes, and that was something I REALLY wanted to do. My end goal was to take multiple check boxes and turn them into a binary bitmapped field. That’s an integer value that, when looked at in binary, represents all of the checked boxes. So the value of 1010101 means that every other check box is checked. And that would be stored in a database integer field as the integer 85.

See, I’m lazy. I could easily make a form with 20 different checkboxes, each having a separate field in the database. But if I’m going to go to the effort of creating a table that stores descriptions of things submitted to my website, I’m going to make it generic and reuse it for all sorts of things. So not only will this be a table for storing theme information, but it will also store the information for the pictures of knitting projects from my wife’s book for her www.knitchat.com website. It will also store pictures of Kits sent down to Mississippi for the Katrina relief project at www.PurlsOfHope.com. Who knows what else I’ll use it for…

Anyway, to create multi-selectable checkboxes, you just put in a bunch of checkboxes with the same name (again, go to w3schools for the basics of fields).

My sample code worked as desired if I used a GET method to display the result of multiple check boxes.
See here: http://www.Thecodecave.com/MultipleXBox_Get.php
See all of those values in the address bar? There are a bunch of them for the flag check boxes. That’s what I wanted.

However, if I use a POST method to submit the form, I only get one value back, the last one, from my multiple check boxes. See: http://www.Thecodecave.com/MultipleXBox.php

I could find no documentation saying that multiple check boxes worked differently under the POST method, but they do!!!

Here’s my original code:

PHP:
<?php
  // $REQUEST_METHOD, $submit and $HTTP_POST_VARS were PHP 4-era globals
  // (register_globals / "long arrays"); set them from the superglobals so
  // the script also runs on current PHP.
  $REQUEST_METHOD = $_SERVER['REQUEST_METHOD'];
  $submit         = isset($_POST['submit']) ? $_POST['submit'] : '';
  $HTTP_POST_VARS = $_POST;

  echo "Request Method Used = " . $REQUEST_METHOD . "<br/>";
  echo "\$submit = " . htmlspecialchars($submit) . "<br/>";
  if ($submit) {
    echo "Here is what was submitted:<br/>";
    if (is_array($HTTP_POST_VARS)) {
      foreach ($HTTP_POST_VARS as $key => $val) {
        if (is_array($val)) {
          // a field named with [] arrives as a nested array of values
          foreach ($val as $akey => $aval) {
            $HTTP_POST_VARS[$key][$akey] = strip_tags($aval);
            echo "Array Value: " . htmlspecialchars($key) . "=" . htmlspecialchars($HTTP_POST_VARS[$key][$akey]) . "<br/>";
          }
        }
        else {
          $HTTP_POST_VARS[$key] = strip_tags($val);
          echo "Val: " . htmlspecialchars($key) . "=" . htmlspecialchars($HTTP_POST_VARS[$key]) . "<br/>";
        }
      }
    }
  }
  else {
?>

<div id="container">
  <div id="content">
    <div class="entry">
      <H1>Submission</H1>
      <!-- PHP_SELF can carry caller-supplied path info, so it is escaped like any other input -->
      <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
        <P>Check multiple boxes</p>
        <UL>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="1">f1</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="2">f2</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="4">f3</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="8">f4</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="16">f5</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="32">f6</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="64">f7</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="128">f8</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="256">f9</LI>
          <LI><INPUT NAME="flags" TYPE=checkbox VALUE="512">f10</LI>
        </UL>

        <input type="Submit" name="submit" value="Submit">
      </form>
    </div>
  </div><!-- Content //-->
</div><!-- Container //-->
<?php
  }
?>

In the end, thanks to the people over at CodingForums.com, I was able to get it to work. I was missing a simple piece of information. To get multiple field values to work using a POST method, you MUST have them populate an array. How do you do that? Simple: put empty brackets after the field name.

So, I just changed my code like this:

PHP:
<UL>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="1">f1</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="2">f2</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="4">f3</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="8">f4</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="16">f5</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="32">f6</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="64">f7</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="128">f8</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="256">f9</LI>
  <LI><INPUT NAME="flags[]" TYPE=checkbox VALUE="512">f10</LI>
</UL>

and it works great!

You can see it in action here: http://www.Thecodecave.com/MultpleXBox_Fix.php
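What the form needs on the server once the boxes are named flags[], as an added example that goes a little beyond the post (the post never shows the bitmask code): fold the submitted values into the bitmapped integer described above (1010101 binary = 85) and decode it again, accepting only the ten bits the form actually offers. Function and constant names and the sample submissions are assumptions; the values 1 to 512 are the form’s own.

```php
<?php
// Added example, not code from the post. Assumed: the ten checkboxes from the
// form above, named flags[] with VALUE 1, 2, 4, ... 512, submitted by POST.

const FLAG_COUNT = 10;
const FLAG_MASK  = (1 << FLAG_COUNT) - 1;   // 1023: all ten legal bits

// Fold $_POST['flags'] into one integer for the database's bitmap column.
// Only a value that is exactly one legal bit is accepted; anything else is
// dropped, so a tampered request cannot set bits the form never offered
// (1024, 3, -1) or push a non-numeric string into an integer column.
function flags_to_bitmask($submitted): int
{
    // No box checked: the browser sends nothing, so the key is absent (null).
    // Boxes named "flags" instead of "flags[]": only the last value arrives,
    // as a plain string, which is the bug the post ran into.
    if (!is_array($submitted)) {
        return 0;
    }
    $mask = 0;
    foreach ($submitted as $value) {
        if (!is_string($value) || !preg_match('/^[0-9]{1,4}$/', $value)) {
            continue;                       // not a short non-negative integer literal
        }
        $bit = (int) $value;
        // a power of two (one bit set) that lies inside the form's range
        if ($bit > 0 && ($bit & ($bit - 1)) === 0 && ($bit & FLAG_MASK) === $bit) {
            $mask |= $bit;
        }
    }
    return $mask;
}

// The reverse, for pre-checking boxes when a stored record is edited.
function bitmask_to_flags(int $mask): array
{
    $checked = [];
    for ($i = 0; $i < FLAG_COUNT; $i++) {
        if ($mask & (1 << $i)) {
            $checked[] = 1 << $i;
        }
    }
    return $checked;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'every other box'  => ['1', '4', '16', '64'],           // 1010101 in binary = 85
    'tampered values'  => ['2', '1024', '3', 'abc', '-1'],  // only the 2 survives
    'name without []'  => '512',                            // a bare string, not an array
    'nothing checked'  => null,
];
foreach ($samples as $label => $flags) {
    $mask = flags_to_bitmask($flags);
    printf("%-16s -> %4d (%010b) boxes: %s\n",
           $label, $mask, $mask, implode(',', bitmask_to_flags($mask)) ?: 'none');
}
```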

WordPress News for the week of 3/6/2006

Filed under: Themes, WordPress — Brian @ 5:42 pm

or “Wordpress news finally posted a week late”

With the “hacking” of the original WordPress 2.0 theme competition and a new security release of WordPress 2.0, it has been an exciting week. First a quick word on the competition, then a breakdown of the changes in 2.01.

Now about the competition: When WordPress 2.0 was released, everyone was looking for themes. And Google led everyone to just a few places. The main one ended up being a competition site by someone known only as Justin. It seems now, even to an eternal optimist like myself, that it is likely that either the whole KyCap.com competition was a fraud or Justin just got in over his head. Here are the final posts from that site:

Better News

6th March 2006

I had contacted the server admin and they told me they will look into it and get back to me as soon as possible. In the meantime, I had received a lot of help e-mails from everyone on how to retrieve almost every post from the Google cache. I am very grateful for this help. I would like to say thanks to those who helped me out.

Trying to retrieve Database

5th March 2006

I am truly very sad about what is happening to my competition blog. I took more than a month’s time planning everything up before I organised this competition to let everyone share their works. I don’t earn anything from this competition and I don’t even put up any Google AdSense to earn any side income. I just hope everyone could enjoy looking for nice themes.

Message to the hacker: “If you did clear up all this competition blog database, we got nothing to say, but if you did save a backup for this database, please send a copy to us at our email at kcyap@kcyap.com. We would appreciate it if you could send it over as soon as possible.”

It is really everyone’s hard work on organising this competition. We spend most of our time trying our best to host the best competition ever.

I am very happy with all the comments and the e-mails that had been sent to me regarding this incident. A lot of people had been helping me on how to get back all the lost posts. For your information, my whole database had been deleted by the hacker. Not even a thing left on my server directory. Luckily I did back at least something up for my personal blog. I guess the only way to retrieve all the lost posts is through the Google cache. The Google cache doesn’t show every page for my posts that had been published. Are there any better ways to retrieve them all?

The themes will all be published as we had moved them to a new server. The new server is sponsored by one of the followers of this competition blog. I will blog about it soon. Thanks.

Website Got Hacked

5th March 2006

I very much regret to announce that this competition blog website had been hacked. I have no backup for all this data and am not sure if the server admin did have a backup of it or not. I am very sorry for this incident.
The prizes will still be the same and I will upload once again all the submitted themes one by one from now. This may take quite some time, please be patient.

The result for this competition will still be announced on the 10th March 2006.

To the sponsors who had agreed to sponsor this prize, I won’t put all the blame on you if you retrieve from sponsoring the prizes because of this incident. We will sponsor the prizes ourselves. Luckily we did prepare for it.

Anyone have any idea on how to get back all the deleted posts? Once again, I am very sorry about what had happened. I will try to get back the deleted posts if possible. I guess today will be the worst day of my life after I’ve been working hard organising this competition for over a month.

Ironically, it seems his website now HAS been hacked, since it is totally crashed. It only displays “No such file or directory in /home/u1/ahkiongkc1/html/index.php”, something I am putting on record here since I can’t see any relationship between the name “Justin” and “achkiongks1”. But that is just a matter for further speculation. On the positive side, there were several decent themes put up, including the one I am using right now, Binary Blue by Count Zero.

I’ve decided that I will actually put together a 2.0 theme database that people could log their themes to, and even upload them for distribution if they don’t have the storage space. So, you’ll soon see some posts explaining what I’ve learned about web forms and fields. I think I’ve got all of the pieces working now. 1. An entry form with the fields I’d use to evaluate whether or not to download a theme. 2. A page to allow the uploading of an archived theme to my site. 3. A page that performs the actual upload and validation and hopefully provides some protection from abuse. Oh, and I need the form that iterates the database and displays the result in a table, but that’s easy. So I just need to put them together.

NOTE: This will NOT be a theme competition. This is just a compendium or listing of themes. HOPEFULLY it will be the BEST listing of themes, but in no way is this meant to compete with the new theme competition at http://www.wordpressarena.com/ which will stop accepting new themes in a week.

Regarding Count Zero (and that's the English translation; in German he would be known as Count Null, making his website www.4null4.de a 404 like the invalid page error. Get it? Get it?), we've been emailing back and forth all week and, despite my earlier comment about his customer relations skills (which I'll have to rescind; I guess everyone is entitled to get grumpy now and again), I really like the guy. In spite of an off-the-wall conspiracy theory that he might actually be Justin (lol), I think a good friendship can evolve here, assuming I ever get around to reviewing his theme like I said I would last weekend.

One of the things we've discussed over the last week is the security holes in the WordPress blogging system. They did indeed exist. Count pointed me at where the flaw was, and later that night I tested an attack on this website. Luckily the host I run this blog through has a setting that protects against the kind of attack I was using. I still want to determine which knitting blogs may be vulnerable to this kind of attack and tell them how to fix it. Yes, I said knitting. With my wife's knitting blog getting me into this, I feel like I should try to help that community with the technical side of things. I already know there are a bunch of vulnerable sites. How to approach them is the key. I'm pretty sure that leaving a comment that changes the title of the post I am commenting on by adding a period to it is the wrong approach. But it is still tempting and would get the point across. ;)

The good news is that the security fixes in WordPress 2.02 close this particular vulnerability. The other good news is that no one has gone around taking advantage of this hole yet in the fashion that they could. KnitChat.com was actually hacked twice through holes in WordPress 1.52 that have since been plugged. That allowed the index.php file to be replaced with a hacked version. As of tonight, I'm pretty sure I know how that was done. Repairing the damage was easy. If you haven't taken the right precautions with your blog, this attack could do anything from deleting all of your posts to wiping the whole DB, or worse (yes, there is worse).

So, on to what has changed in 2.02 (this was supposed to be the meat of this post and was the only reason I started it). Since this is a security release, the WordPress developers didn't publish a detailed "here is how you can attack older blogs" list, but they could have gone further than they actually have. The people who will attack blogs already know how to compare files between versions and can write their own attacks. I want to know what holes there are in older systems so that I don't make the same mistakes in what I write.

BTW, there will be a couple of areas in which I am technically correct in what I say but am somewhat vague or don't explain all of the effects of the code. These are intentional; please do not supply extra detail. However, if I am blatantly wrong on something, let me know. Thanks!

So here is the breakdown:

End User Changes

wp-comments-post.php

Old code:

PHP:
  $comment_id = wp_new_comment( $commentdata );

  if ( !$user_ID ) :
      $comment = get_comment($comment_id);
      setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
      setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
      setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
  endif;

New code:

PHP:
  $comment_id = wp_new_comment( $commentdata );

  if ( !$user_ID ) :
      setcookie('comment_author_' . COOKIEHASH, stripslashes($comment_author), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
      setcookie('comment_author_email_' . COOKIEHASH, stripslashes($comment_author_email), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
      setcookie('comment_author_url_' . COOKIEHASH, stripslashes($comment_author_url), time() + 30000000, COOKIEPATH, COOKIE_DOMAIN);
  endif;

Why:
See how stripslashes() was added? It ensures that the cookies stored on the commenter's machine hold the raw, unescaped text. WordPress escapes the incoming data afresh each time a comment is posted, so if you escape a value that is already escaped, the data just gets garbled.

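As an added illustration of that escape-once rule (example code written for this post, not WordPress's own), the script below simulates the backslashes WordPress adds to every incoming form value, persists the comment author's name in a cookie both the 2.0.1 way and the 2.0.2 way, and checks what happens when the browser sends that cookie back on the next comment. Every function name in it is a hypothetical stand-in.

```php
<?php
// Added example, not WordPress code: why the 2.0.2 cookie change uses stripslashes().
// WordPress 2.0.x adds backslashes to every incoming form value (the magic_quotes
// behaviour), so a value kept in a cookie with the slashes still in it is escaped
// a second time when the browser sends it back on the next comment.
// All function names here are hypothetical stand-ins.

function wp_style_escape(array $input): array {
    // Stand-in for the addslashes() pass WordPress runs over form input on load.
    return array_map('addslashes', $input);
}

function author_cookie_old(array $post): string {
    // 2.0.1-style: the value is persisted with the added slashes still in it.
    return $post['author'];
}

function author_cookie_new(array $post): string {
    // 2.0.2-style: slashes removed, so the cookie holds what the user typed.
    return stripslashes($post['author']);
}

function resubmit(string $cookie_value): string {
    // Next visit: the cookie pre-fills the form, and the request is escaped again.
    return wp_style_escape(['author' => $cookie_value])['author'];
}

// True when a second submission built from the cookie equals a fresh submission
// of the same name, i.e. the value ended up escaped exactly once.
function round_trips_cleanly(string $raw, callable $cookie_fn): bool {
    $fresh  = wp_style_escape(['author' => $raw])['author'];
    $cookie = $cookie_fn(wp_style_escape(['author' => $raw]));
    return resubmit($cookie) === $fresh;
}

// Constructed sample names: two with quote characters, one without.
foreach (["O'Brien", 'Count "Zero"', 'plain name'] as $raw) {
    printf("%-14s old cookie: %-8s new cookie: %s\n",
        $raw,
        round_trips_cleanly($raw, 'author_cookie_old') ? 'ok' : 'garbled',
        round_trips_cleanly($raw, 'author_cookie_new') ? 'ok' : 'garbled');
}
```

Only names that contain a quote character show the difference, which is why the bug is easy to miss in testing: a name with nothing for addslashes() to escape round-trips cleanly either way.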

wp-register.php

Old Code:

PHP:
  } else if (!is_email($user_email)) {
      $errors['user_email'] = __('<strong>ERROR</strong>: The email address isn’t correct.');
  }

  if ( ! validate_username($user_login) )
      $errors['user_login'] = __('<strong>ERROR</strong>: This username is invalid. Please enter a valid username.');

New code:

PHP:
  } else if (!is_email($user_email)) {
      $errors['user_email'] = __('<strong>ERROR</strong>: The email address isn’t correct.');
      $user_email = '';
  }

  if ( ! validate_username($user_login) ) {
      $errors['user_login'] = __('<strong>ERROR</strong>: This username is invalid. Please enter a valid username.');
      $user_login = '';
  }

Why:
This is fairly straightforward. If the username or e-mail address supplied at registration fails validation, possibly because it is an attack payload, don't leave the rejected value sitting in the variable for later code to build upon. Clear it out and have the user try again.

Old Code:

PHP:
  <div id="login">
  <h2><?php _e('Registration Complete') ?></h2>
  <p><?php printf(__('Username: %s'), "<strong>$user_login</strong>") ?><br />
  <?php printf(__('Password: %s'), '<strong>' . __('emailed to you') . '</strong>') ?> <br />
  <?php printf(__('E-mail: %s'), "<strong>$user_email</strong>") ?></p>
  <p class="submit"><a href="wp-login.php"