LlamaGuy.com

http://www.squarefree.com/bookmarklets/ … wsers.html

Basically this is a little bookmarklet that adds green borders to everything on your page to help you see the elements on your page and where they're aligned. It's pretty cool, except once you fire it, your whole page is mangled. So I rewrote it from scratch so that if you click it again it'll take all the outlines away. Also, it outlines inline elements in yellow, and all other elements in green. You can easily change that by messing with the code.

So here's the bookmarklet for those interested:

javascript:function mark_border(e,r){if(e.style){i='yellow solid 1px';b='green solid 1px';e.style.outline=r?'':(document.defaultView.getComputedStyle(e,null).getPropertyValue('display')=='inline'?i:b)}var c=e.childNodes;for(var i=0;i<c.length;i++){mark_border(c[i],r)}};mark_border(document.body,!(document.marked=!document.marked))

I can't hyperlink it because I use punbb as my backend and it won't let me embed HTML :(. Paste it into your address bar and then drag it to your toolbar to get it to work. I've only tested it in Firefox and Safari... it probably won't work in IE.

Over the past few days I've been breathing a lot of life into my email experience...

Step 1:
I finally fixed my spamassassin configuration... this made me very happy. Before fixing spamassasin I would have to manually delete 30 or so emails a day. Now that number is down to less than one. Once I got spamassassin working again, I installed sa-update and also setup a wicked cronjob that scrapes my Junk folder and runs Bayesian learning on emails that weren't auto-marked as spam.

Step 2:
I decided to check how trunk was doing in Roundcube, but it's still really shitty. Ever since 0.1 beta was tagged they've done nothing but kill Safari's and Firefox's compatibility and obfuscate their Javascript. Don't get me wrong, I still use Roundcube because it's really slick, but I feel like I could build something 100 times better in a few weeks. Too bad I don't have time. So step 2 was actually a waste.

Step 3:
Investigated alternative imap servers that aren't slow as shit. I don't like deleting my email, so I have a lot of it. Not mounds and mounds, but a few thousand messages. courier-imap would take about 10 seconds to deliver my mail to Roundcube and that's just unacceptable. I decided to see what it was doing to suck so bad so I attached an strace to one of the processes and lo-and-behold it was actually opening and parsing every single email any time I opened my inbox. That's pretty shitty. Seriously... what's the point of having a maildir format if you're going to open every single file anyway? After doing some investigating I decided to give Dovecot a shot and the difference was huge. Dovecot is ridiculously fast compared to courier-imap. Also, the configuration of it makes a lot more sense, and I don't have to run two daemons for one service. Yipee!

Step 4 (To be completed):
Get SSL working over imap. When the iPhone comes out in June I'm going to be one of the first on that bandwagon. Since I don't want my email being sent everywhere unencrypted I'll want a secure imap server ready. Right now I access all my email over Roubecube on HTTPS, so configuring imap with SSL has never been a priority.

Notes:
I made this post just to bash courier-imap because I hate it so much, but it seemed too short so I added all the other stuff I've been doing.
This post spell checked by: http://literus.info.

No, this post isn't about converting you to Christianity (but you can read all about that in my book "Coding with Jesus"). This post is about string escaping, and what it means.

Character escaping is what you do when you move a string from one environment to the next. For example, when you're creating a C program, you must escape certain characters such as breaks and quotes. To output the text "hello world" (with quotes) you end up writing
printf("\"hello world\"");

Your compiler sees the \" and interprets as just a regular ". You need to escape the " because if not, the compiler will think it's something else... in this case it will assume the string has ended.

The same goes for PHP -> HTML, PHP -> JS (JSON), JS -> HTML (innerHTML), PHP -> XML, plain text -> RTF, binary -> MySQL, etc, etc. In the example above we were going from plain text to C. I'm focusing on PHP in this post, I just opened with a C example because I didn't want to look like a PHP developer.

php, html, and urls
Explaining proper escaping is difficult, especially when it comes to web development because in most cases you're going to be dealing with four or five different environments... PHP, HTML, Javascript, MySQL, and sometimes XML. Your data starts in HTML, it will make its way to PHP, then to MySQL, then back to PHP, then to HTML again (or Javascript). To add to the confusion, URL components require their own escaping which makes them a sixth environment.

Your escaping needs to be perfect or you're going to run into problems. Escape too often and something like "<3" will turn into "&lt;3", escape too little and you've opened your site up to a huge security hole, escape with the wrong encoding and all your spaces suddenly become %20's. To get your escaping right you need to think of it like a stack. Every time you output a string to another environment, that environment will pop its escaping off the stack. If its escaping isn't on the stack it's either going to fail, or display some ugly data. Going by that rule, before you give your data to another environment you need push the right escaping to it.

In PHP, before outputting data to HTML, the proper way to escape it is with htmlspecialchars. So instead of doing
echo $foo
You'd end up doing
echo htmlspecialchars($foo)

Now... the problem gets trickier when you try to do other things with that data. Say you want a URL in the form "index.php?param=$foo". Since an <a> tag is HTML we can just escape it like regular HTML, right? Nope! In this case you need to use urlencode to escape it as a URL component. If not, if $foo were equal to "bar&bar=foo" our URL would turn out to be "index.php?param=bar&bar=foo". With urlencode, this URL would be "index.php?param=bar%26foo%3Dbar". This URL would get passed to the browser, the user would click it and send a request to your web server. At this point the web server will pop its escaping off the escape stack and bar%26foo%3Dbar will magically turn back into bar&foo=bar for your PHP to use.

If you refer to my stack example, the URL example should have some escaping popped when it goes to your HTML output... and it does. Luckily a urlencoded parameter will have no change when the user's browser unescapes it for HTML. That makes escaping in this case fairly easy.

mysql
When the browser POST's data to your server, by the time it gets to PHP your escaping stack should be empty. So before you send your data off in a MySQL query you need to use mysql_real_escape_string or addslashes on it. When it gets to MySQL, it'll pop your escaping off and store the exact data you gave it. That is... unless you have magic_quotes enabled

magic_quotes is a nightmarish PHP "feature" that is enabled almost by default. Essentially what it does is escape all data it gives you with addslashes. This assume that all data passed to your script is going in a database which is often not the case. If you were to go to foo.php?data='hello' and...
echo htmlspecialchars($_GET['data'])
The user would see \'hello\' . This is because PHP took the liberty of pushing MySQL escaping onto your stack and by the time it got to the user they were left with the responsibility of interpreting addslashes.

outputting javascript
Outputting Javascript falls into the same boat as URLs in that it'll first be interpreted as HTML and then as JS (unless you're creating a JSON request, in which case it's only interpreted as JS). If I have a string $foo='"hello"</script>'; and I want to alert that exact string on the user's side, I will be entering Escaping Hell. I simply write
echo '<script>alert("' . $foo . '")</script>'
My code won't execute as expected. That's because of the </script>. Our string first gets popped as HTML and if the user's browser encounters a </script> it's going to end JS interpretation. So we then change our code to
echo '<script>alert("' . htmlspecialchars($foo) . '")</script>'
So we've pushed HTML escaping which gets popped by the user's browser, but then it's going to also pop JS escaping which we haven't done. The alert call ends up as alert(""hello"</script>") which doesn't make any sense. What we have to do is throw in an addslashes before the htmlspecialchars (and thus the idea of a stack).
echo '<script>alert("' . htmlspecialchars(addslashes($foo)) . '")</script>'

So our code basically pushes JS escaping, pushes HTML escaping and then the user's browser pops HTML escaping, then JS escaping. Simple, no?

how you can avoid nasty escaping errors (if you only read one section, make this it)
So what's the best way to avoid making a character escaping error? You should keep your "stack" empty at all times. Escape data the moment it changes environments and not a line sooner. The longer you handle escaped data internally, the more time you'll have to accidentally escape it again. It will also become unclear exactly where and when data was escaped. You could end with a string that wasn't escaped at all because it was supposed to be escaped in another logic branch. If you htmlspecialchars a string as soon as you get it from your database (or worse, htmlspecialchars it before it goes into the database) you're going to run into maintainability issues with your code. What's to say that later down the road you won't want to use that data in a URL, or in a Javascript call, or in an RSS feed.

By passing around escaped strings your data has lost meaning. No longer are you handling data, you're handling another language's interpretation of that data. It then becomes more and more likely that what gets to your user is not the data you had intended, but something else horribly different.

So here's the nLite settings I'm using for my Parallels version of Windows XP. It can go from 0-to-Windows in about 15 seconds. On my install, I have the pagefile disabled, so the Parallels image takes up less than a gig. You may lose some functionality, but since I only use Parallels for IE testing and RegExBuddy I haven't lost anything.
http://llamaguy.com/nlite.ini (linked for brevity)


Then on that image, I install AutoHotKeys with this script:

LWin::LControl
RWin::RControl

#IfWinActive, ahk_class IEFrame
#r::SendInput {F5}
#IfWinActive

^w::
WinGet, active_id, ID, A
WinClose, ahk_id %active_id%
return

^a::SendInput ^{Home}{Shift Down}^{End}{Shift Up}{Ctrl Down}

The AutoHotKeys script essentially remaps the Control key to Command, so most OS X hotkeys will work the same between Parallels and OS X. I special-case Command+a because in some Windows textbox, Ctrl+A isn't an option.

If you're like me... you got tired of those ugly text-only PHP errors a long time ago. To add to the pain, PHP doesn't link most of them to the PHP manual, even when you have html_errors on in your php.ini. For the past 30 minutes I set out to change that.

The first problem is that PHP's ini parsing routine sucks. It's impossible to get double quotes in values, therefore it is not an adequte venue with which we want to sexify our error messages. We will fall back to apache's httpd.conf (or .htaccess, if that's how you roll).

Simply add these two lines:

php_value error_prepend_string "<div style='display:none'>\"></a></div><div id=\"lasterror\" style='margin:0.6em auto!important;text-align:left!important;font-family:Verdana,sans-serif!important;width:800px!important;border:#ff7777 2px solid!important;padding: 0.5em 0.2em!important;background-color:#ffeeee!important;color:black!important;font-weight:normal!important'>"
php_value error_append_string "<br /></div><script>var l=document.getElementById('lasterror');l.id='error'+Math.ceil(Math.random()*32768);l.innerHTML=l.innerHTML.replace(/(?:(?<=function )|(?<=for ))([\w]+)/,'<a style=\"color:black!important;background:transparent!important\" href=\"http://php.net/$1\">$1</a>')</script>"

and be amazed at the beauty!

What this does is (pre|ap)pends the error messages with some nice HTML and Javascript in order to make them a little more pleasing on the eye. I'll break it down for you now.

<div style='display:none'>\"></a></div>

This breaks out of any hyperlinks if the error was triggered inline. I threw in the display:none so that if we're not in a hyperlink we won't get the "> hanging around

<div id=\"lasterror\" style='margin:0.6em auto!important;text-align:left!important;font-family:Verdana,sans-serif!important;width:800px!important;border:#ff7777 2px solid!important;padding: 0.5em 0.2em!important;background-color:#ffeeee!important;color:black!important;font-weight:normal!important'>

This is what sets the bulk of the style on the error message. The !importants and excessive styling are to override any other styles of which this error may be inside. Feel free to play with the CSS. The id="lasterror" is used after the error is fully outputted...

<br /></div>

Kills the div we opened with error_prepend_string, and sticks a <br /> in there for good measure. PHP automatically prepends their errors with <br /> and there's nothing you can do about it... so the <br /> on the end is just so the bottom padding matches the top.

<script>
var l=document.getElementById('lasterror');
l.id='error'+Math.ceil(Math.random()*32768);
l.innerHTML=l.innerHTML.replace(/(?:(?<=function )|(?<=for ))([\w]+)/,'<a style=\"color:black!important;background:transparent!important\" href=\"http://php.net/$1\">$1</a>')
</script>

(line breaks inserted for her pleasure). This is where the php manual parsing happens. First it grabs the element that was just outputted, and changes the id to something stupid. This way if there's more than one error on a page the next Javascript block will be able to play with errors and we won't be outputting more than one of the same id at a time. The last line just uses some regex magic to hyperlink where appropriate... nothing special there. Again, you'll see excessive styling to make sure we don't display something unreadable because of global CSS set elsewhere.

So there we have it! Awesome PHP errors for everyone! Screenshots will come soon, whenever I get a chance to crop, censor & upload.

I've finally got all my stuff migrated over to the new server.

*  CPU: Dual AMD Opteron 265 (1.8GHz, Dual Core, 1MB/Core L2 Cache) (That's dual dual core, four cores)
* Memory: 4GB (4 x 1GB PC3200)
* HDD1: Western Digital Raptor 74GB (1.5Gb/s, 10K RPM, 8MB Cache) SATA
* HDD2: Western Digital Raptor 74GB (1.5Gb/s, 10K RPM, 8MB Cache) SATA
* HDD3: Seagate 250GB 7200.9 (3Gb/s, 7.2K RPM, 8MB Cache, NCQ) SATA
* $3100 + $175/month

She's so beautiful *tear drops*.

Changes:
* Completly rewrote the backup scripts from scratch
* Cronjobs are a lot more secure (i.e. you can't access them from a web-browser)
* SSL is running on LUElinks
* I'm using Gentoo Linux instead of FreeBSD
* Upgraded to MySQL 5

Backups:

Starting backup for 2006-06-18
Optimizing LUElinks... 957 seconds
Starting mysqlhotcopy... 108 seconds [b][note: this is the only downtime for backups][/b]
Compressing mysql backup... 810 seconds
Starting backup of data files...
  /etc... 1 seconds
  /usr/local... 0 seconds
  /var/spool... 103 seconds
  /var/www... 133 seconds
  /mnt/sdb1/home... 3307 seconds
  /mnt/sdb1/urchin_data... 3685 seconds
  /root/scripts... 0 seconds
  /root/sslcert... 0 seconds
Backup of data files finished (7232 seconds)
Deleting backups from 3 days ago (2006-06-15)... 3 seconds
Backup for 2006-06-18 finished (9113 seconds)

I'm also experimenting with roundcube mail client right now. It's pretty cool except I'm not having much luck with it in Firefox... it's still really buggy. If I had time I'd join the dev team, but I'm too tied up with other stuff.

I'm pretty satisfied with it so far... and after I get my mailing troubles out of the way I'll be good to go.

edit: Heh... once you get your IMAP server setup properly Roundcube works pretty well. Now I just gotta figure out why I can't receive email from certain gmail servers... hmmm...

Last night I went to a concert at the House of Blues in New Orleans and I brought along my camera. I took about 15 pictures when a very angry security guard came up to me and brought me outside. Apparently cameras aren't allowed, so he made me leave the camera at the front and delete all the pictures off of it. I didn't think twice about formatting the memory stick because I knew there was something out there that could get them back. I've seen programs like them before... it was just a matter of how long I would have to spend searching online for a crack or serial.

Well I came across this free program that searches a memory stick (or hard drive) and undeletes everything on the media. TestDisk undeleted every single file on my 1GB memory stick in about 7 minutes. All the pictures from the concert were in perfect condition... along with about 200 other pictures I had deleted months prior. I highly recommend this program to anyone who's had something deleted that they need to get back.

In case you missed the url, here it is again:
http://www.cgsecurity.org/wiki/TestDisk_Download

Jeez, I've been giving Facebook a lot of attention lately, haven't I?

Well, I wrote this little extension last night and it's actually pretty nifty. What it is does, is every time you view a profile, it saves their profile to your hard drive. Then the next time you view their profile it will compare the old profile to their current profile and highlight what's been updated. That way when you see that little "Profile recently updated" notification on that girl from your astronomy class you've been stalking, you can quickly figure out what she updated ;). Here's a screenshot that will give you an idea of what it looks like:



Cool, huh? With version 0.4 it's shaping up to be very nifty.
Facebook Assistant

The Creator @ LSU

the_creator@lsu.edu is an administrative account used by facebook staff for God knows what.

edit:
This shit never gets old:
Dustin Moskovitz @ Harvard (CTO of facebook)

Just thought I'd share a little trick I came up with to dodge spiders looking for email addresses. On a site I run, we needed to put our email address out there so people could get in touch with us (we also didn't want a PHP 'contact us' form)... but we didn't want to worry about spam bots. What I came up was this:

<a href="javascript_required" onmouseover="this.href='mailto:user'+'name'+'@'+'doma'+'in.com'">email us</a>

Pretty clever eh? It obfuscates the email address, and the user should never know. Combine with a gif \ jpeg for the text and it's totally seemless. What we did for the actual implementation was put the code in <body onload and made it set the a's text and href at the same time.

Check out my latest project:
http://literus.info/ (I didn't think about how this domain would be pronounced when I registered it :( )

It's an AJAX spell check engine that's better than the one that other guy did. It's still in development, but it works in Firefox and I hear it also works in Internet Explorer (but I haven't tested this myself). I modelled it after a similar interface that many people know well by now ;).

edit: Works in Safari just fine, Opera is a no-go, and Internet Explorer is hit and miss.

So I'm looking into get a new server for the site that does not exist. This is what I'm look at now: Quad core server. I've already got the money set aside and ready to spend, though I'm not buying until the end of the semester when I'm not school and I can focus on getting the server.

This leaves me in a predicament, though... where am I going to put this new server? I've already considered just renting a server from a datacenter (like I do now), but renting a server with those specs would be around $600 a month... which just isn't going to happen. Here are my options:
1) Collocate the server with a datacenter
2) Collocate the server with a local ISP
3) Get fast Internet to my house and run it straight out of my closet

Right now, option 1 is looking the best. A few users at another forum have said good things about colo4dallas.com... so I'll probably be checking them out.

The problem I'm having is that I only have one server. One 1U beefy server. Most datacenters start collocation pricing at like 24U. I contacted Cox to see how much they charge for (or if they even offer) collocation. I also looked into getting a business line run to a residential house. We'll see when it comes time do this thing.

I'm also thinking of switching from BSD to Linux... but that's another story.

I decided to take some time out of my day to redesign my neglected homepage. This is what I came up with. I think it looks a lot better and is a better reflection on my talents. I've learned a lot about web design since I made that first layout back in 2004 or whenever that was. The whole ordeal only took a couple of hours; the hardest part was coming up with a style that I liked for the posts on this page (the only page).

Some day I'll add a sidebar over on the left with some links to other stuff. It'll probably be whenever I finish my resume.

Around 11am on Thursday, Kyle sent me a very interesting screenshot of his facebook profile. He had managed to change the font on his profile to another color... as small as this sounds, it actually had huge potential. After a few minutes of investigation on my part, I had the same effect on my profile and a few minutes later I was linking to a custom stylesheet. With just a few malformed characters, we could do anything under the sun to our profiles -- or to anyone viewing our profiles.

We decided to go the whitehat route and create a stylesheet to completely mimic MySpace's for satire. An hour or so later we had something truly beautiful. Later, I got word that a friend of Kyle's was writing a worm similar to the samy worm. Originally I was totally against this (my worm and virus days are behind me), but when I heard about what it would do I decided that it was definitely a good idea. The worm would self-propagate through profiles using Javascript and would change the viewer's own profile to the MySpace layout. It could then spread exponentially, converting all of Facebook to MySpace.

Alas, though, I had class and things to do -- so I didn't get much input into the actual code of the worm. The finished product used iframes to update the user's profile. The updates were visible to a trained eye, and all of the user's contact information was lost at the same time. Regardless, the worm was released and flew its course. It only took the facebook staff a few hours to stamp the worm out and release a fix. Later that night I came up with a few concept scripts that would have been much cleaner and undetectable. In retrospect we shouldn’t have made the worm show it's ugly face until we had thousands of infected profiles. Oh well, c'est la vie.

Upon further penetration testing into Facebook, we've found at least three different XSS vulnerabilities, but none as major as the original bug. The vulnerabilities could be used to steal accounts with just the click of a button, but I'm not too interested in that. Maybe one day another bug will pop up and the FaceSpace worm will have its due glory.

In efforts to improve the efficiency of the site that does not exist I've been analyzing many of the queries going back and forth. I've been studying how MySQL handles its database and concurrent connections, and I found one main bottleneck that was slowing down the entire server.

To understand the changes, you must first understand how MySQL does its locking. In a MyISAM table, concurrent connections can INSERT and SELECT without a lock on the table. UPDATE needs a table lock in order to execute. I'm not sure about DELETE, but that doesn't matter since I don't issue DELETE queries on the database. Basically... the searches were creating a huge choke point... here's a scenario of what was happening...

1) User 1 would start a search, these normally take like 6 seconds
2) User 2 would post a message, which would need a lock on the table. He couldn't get a lock because user 1 is still searching... so it would wait for him to finish. Meanwhile, any queries made after user 2's request to post a message would be put in queue.
3) A whole bunch of people view the topic list here (SELECT)... but get put in queue because of user 2's lock
4) User 1's search would finish
5) User 2 would post his message, and release the lock
6) BAM... all those people in queue execute their queries all at the same time.
7) Process repeats getting worse and worse

This is why I've redone the forum and link searches using MySQL full-text searches. They're much faster than table scans, and they don't hog up the database for as long. Furthermore, tables that are changed often by lots of different users (user info table) have been converted to InnoDB. InnoDB, unlike MyISAM supports row level locking, so there's never a time when no one can access the table. I would use InnoDB for all the tables, but it doesn't support full-text searching.

PID    USERNAME  PRI  NICE  SIZE    RES    STATE   TIME   WCPU   CPU    COMMAND
549    mysql     20   -2    184M    116M   kserel  50.8H  5.47%  5.47%  mysqld
79154  nobody    97   0     12688K  8284K  select  0:00   0.28%  0.15%  httpd
77592  nobody    96   0     12652K  8240K  select  0:00   0.05%  0.05%  httpd
78065  nobody    96   0     12720K  8304K  select  0:00   0.05%  0.05%  httpd

As opposed to the 50% or whatever it was running at before the changes.

Despite the fact that Microsoft's SQL database server takes SQL '99 and throws it out the window... it can still do some pretty cool stuff. I had to get some data from a flat text file... each row could have different fixed column width depending on the prefix of that row. I wanted to get the data out of that file and put it in a relational SQL table, and I wanted to do it every single day. Normally I'd have to write some complex parsing script in order to get it done... but Microsoft SQL comes with what's called Data Transformation Services. It's pretty cool.

http://www.llamaguy.com/tech/10-10-2005.jpg

Basically, you just layout all the steps you need to take, and then just specify which steps depend on other steps. Then it takes those, and lays out how it will perform your task. If 2 steps have their dependencies met already, they'll multi-thread automatically. You can transform data with either VBScript or JavaScript. Then, you can use SQL Agent to schedule it to trigger whenever you want. And as an added bonus: if anyone at work thinks you don't have enough to work on, just load up a DTS package like that one and start pulling at your hair and grunting. You'll probably get a raise.

Hehe, it's funny... the guy before me needed to do this same thing, so he wrote a program to do it. The program runs every night and usually takes about 45 minutes. The exact same task done with a DTS package takes somewhere between 10-15 seconds.