Database Info

Java Archive tag and web Browser

Hi, I own and HTC P3600, but I understand this is an issue more general.
I'm trying to access to urls that have java code and use the "Archive" tag in the applet call.
I know that the internet Explorer included in Windows Mobile 5 doesn't support the "Archive" tag of the applet sentence.
I downloaded and tried several java (cre-Me, for instance) and browsers (Netfront 3.3, Opera Mobile 8.60, Mozilla Minimo 0.20) but neither of them is able to work correctly with that piece of code, that I don't own, it is a part of the remote web codes, so, I cannot change the tag for the "parameter name= " code.
Is there any solution for doing it? Is there any browser that supports the "archive" tag ?
Thanks and best regards.

Passing value with out using variable in query string in PHP!

Hi all here at forum.
I am working to find out some solution to access a web page in PHP that is showing information on the bases of given argument in query string variable. My problem is this that I want to get the value of variable in query string but I don’t want to show the variable name and also want to hide the page name like below urls are opening fine.
globalguideline.com/JavaScript_Guide/JavaScript_Examples.php?JScript=first_JavaScript
globalguideline.com/JavaScript_Guide/JavaScript_Examples.php?JScript=JavaScript_HelloWorld
globalguideline.com/JavaScript_Guide/JavaScript_Examples.php?JScript=HTML_With_JavaScript
But I want to open the same pages as below urls instead of above all.
globalguideline.com/JavaScript_Guide/first_JavaScript
globalguideline.com/JavaScript_Guide/JavaScript_HelloWorld
globalguideline.com/JavaScript_Guide/HTML_With_JavaScript
Is it possible in PHP if yes then please help me to get out from this problem.
Regards,
Ali.

You could use sessions, cookies or a POST to do that quite easily. Or are you trying to access the php page from a windows mobile application?

If you dont want to see the variable data in the string (aka GET) then use the POST method instead.

[Q] web app

Hello,
I dont know if the title fits, so i gonna explain my Problem.
I want to Programm a Game With User Login. Sadly wp7 doesnt Support SQL api, so i cant make the User Management directly over sql.
So i got a Website with a working Login Formular. I want to link the wp7 textboxes with the textboxes of the Website which works with SQL.
Is there a simple way to get this working? Or does anyone have a better idea to get my User Management working?
Greatings win99
Sent from my HD2 using Board Express

Hmm... I can only suggest you to learn how to do http requests (and general programming of course). I hope u'll stop thinking in terms like "linking textboxes"

yeah, "linking" is maybe the wrong word
What exactly do you mean with "http request"?
I can program a bit html an php, which i could include in a "WebBrowser" control. This way i could use php with mysql, but i don't want to make a browser game.
Is there somethink like a "http database"? Cause i don't know yet any database based on http. And is there an API availible to do this requests from a panorama app?
Sorry for this basicly questions, but i'm just a hobby programmer and since now i just programme windows desktop projects, where i could easily use SQL.

Your "very basic question" requires a very long answer (sorry, but I don't have enough time. Also, I'm not an expert in SQL http communication). FYI, all communications between web page (and you can treat your WP7 page as a web page) and SQL server based on HTTP POST requests (but of course not on "linked textboxes"! ). So, try to google with words such as "WP7 SQL HTTP POST" - first five links possible will have all info you need (but you should understand "how everything works" first!)

ok, if i understand it correctly, this sound like instead of using "app<->SQL" i should use "appy<->http<->sql".
i will try to find some good tutorials and reply on success/ no success.

win98 said:
ok, if i understand it correctly, this sound like instead of using "app<->SQL" i should use "appy<->http<->sql".
i will try to find some good tutorials and reply on success/ no success.
Click to expand...
Click to collapse
Well, from the sounds of it, I am going to assume you networking and web API knowledge and maybe decent enough MySQL/SQL/Database knowledge, and possibly somewhat new to WP7 C#.NET (Don't take this personal or a lashing towards you, not the case, I mention it so I can be basic and to the point without assuming you know what references I make or offend you).
If you want an "out-of-the-box" easy solution, let's stop and go download RestSharp (http://restsharp.org). After you get it, visit: https://github.com/restsharp/RestSharp/wiki/Getting-Started, as this will give you a great example of HOWTO use this solution.
You also need to remember about the footprint, a 90MB limit (Max) on 256MB phones. Too big can cause some issues.
Also, another good option is SQLlite, probably one of the most popular, straight forward and well respected (I even use it on some projects). Should you choose to use it, go to http://sviluppomobile.blogspot.com/2010/07/wp7-sqliteclient-preview.html and read his Blog post, VERY informative and a Sample available for you to learn from as well.
If you really wanted to do this yourself, you could create an HTML page and do all your coding in it (e.g. Login Box) and use JavaScript as well, this way you grab the contents from your textbox(s) and send to the embedded web browser you load the HTML page in, hence scripting is available for WP7 but must enable scripting support and highly recommend to use IsolatedStorage and can invoke JS just as easy as:
window.external.notify("(Task)Param)");
So this should hopefully get you to where you want to be but if any of the above statement I made was true, I recommend out-of-the-box solutions for you.
Thanks,
Lance

lseidman said:
If you really wanted to do this yourself, you could create an HTML page and do all your coding in it (e.g. Login Box) and use JavaScript as well, this way you grab the contents from your textbox(s) and send to the embedded web browser you load the HTML page in, hence scripting is available for WP7 but must enable scripting support and highly recommend to use IsolatedStorage and can invoke JS just as easy as:
window.external.notify("(Task)Param)");
Click to expand...
Click to collapse
This is the way i planned to do it. How do you call it? For me it is hard to find a tutorial or book or something like that, cause i don't know which keyword to google
thanks anyway

win98 said:
This is the way i planned to do it. How do you call it? For me it is hard to find a tutorial or book or something like that, cause i don't know which keyword to google
thanks anyway
Click to expand...
Click to collapse
First and foremost, I appreciate your honesty which is why I will basically show you the way...
Well, if you wish to invoke JavaScript via WP7 you can, like below:
1). Open your Mainpage.xaml and find the grid and insert:
<phone:WebBrowser HorizontalAlignment="Left" Name="webBrowser1" VerticalAlignment="Top" Height="xxx" Width="xxx" IsScriptEnabled="True" ScriptNotify="webBrowser_callback" />
2). Make an HTML page, go in the HEADER section and type something like: "<SCRIPT LANGUAGE="JavaScript" src="HelloWorld.js"></SCRIPT>" and add a button that has a function to fire upon clicking + name the section like:
<h1 id='myName'>Hello World!</h1>
<form>
<input id="button" type="button" class="button-standard" style="width:200;height:100" value="Hello World!" onClick="HelloWorld()"/>
* Remove the Quotes from above...
3). Make a file called HelloWorld.js and put in something like:
function HelloWorld() {
window.external.Notify("Name");
}
function sets(val) {
document.getElementById('myName').innerHTML = val;
}
4). In your Mainpage.xaml.cs, find where you want to invoke the script/site and put in:
webBrowser1.Navigate(new Uri("http://lance.compulsivetech.biz/login", UriKind.Relative));
*Change the URI to your address, not my blog's fake login...
5). Since we are loading the site locally in Isolated Storage, go forth and type this in:
private void CreateDirOnStore(string strDir)
{
// Create a directory for local storeage.
IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForApplication();
if (!isoStore.DirectoryExists(strDir))
isoStore.CreateDirectory(strDir);
}
private void SaveFileToIsoStore(string strFileName)
{
// This will save the file to the isolated storage based on the string provided.
IsolatedStorageFile isoStore = IsolatedStorageFile.GetUserStoreForApplication();
//remove the file if exists to allow each run to independently write to
// the Isolated Storage
if (isoStore.FileExists(strFileName) == true)
{
isoStore.DeleteFile(strFileName);
}
StreamResourceInfo sr = Application.GetResourceStream(new Uri(strFileName, UriKind.Relative));
using (BinaryReader br = new BinaryReader(sr.Stream))
{
byte[] data = br.ReadBytes((int)sr.Stream.Length);
//save file to Isolated Storage
using (BinaryWriter bw = new BinaryWriter(isoStore.CreateFile(strFileName)))
{
bw.Write(data);
bw.Close();
}
}
}
6). In your public MainPage() put:
this.Loaded += new RoutedEventHandler(Load_WebPage);
* Always put stuff after your Intialize call
7). We need to make a page load function as below (in xaml.cs):
void Load_WebPage(object sender, RoutedEventArgs e)
{
//Set the start folder of the widget and navigate to the start page
CreateDirOnStore("helloworld");
SaveFileToIsoStore("helloworld/index.html");
SaveFileToIsoStore("helloworld/helloworld.js");
webBrowser1.Base = "helloworld";
webBrowser1.Navigate(new Uri("index.html", UriKind.Relative));
}
8). Now we invoke the function as seen below:
void webBrowser_callback(object sender, NotifyEventArgs e)
{
//Use invokeScript to give to the web env.
webBrowser1.InvokeScript("eval", new string[] { "sets('txtName.Text')"});
}
Hope this helps, this is basically off the top of my head but should be pretty close to being right and Mango Compat.

Creating a WCF services that calls SQL will be the quickest way...about 30 minutes.

[Q] how execute/apply xml file?

Hello,
I have a lot of problems with omnia 7 due to app profile network of samsung haven´t got the profile of my operator. I can set it thanks to a post of here, but I think that it is a bit difficult and you need the computer to set it. As I have studied some of programming c#, I decided to make an app that set mms and internet. I have already done the screen and I´ve get to make that app create the file xml with the code in order to set mms and internet, but I haven´t found information about how execute/apply the file xml with the app. Where can I find about it?
PD: Sorry, I do not control English very well

Hi,
I guess it's a topic a bit complex, but can not someone help me with this?

You use an OEM COM interface, accessed from C# by using Microsoft.Phone.InteropServices.ComBridge. One easy way to see how this is done is to look at the source of an app that does it. If you can't get the source to DiagProvXML, you could always just decompile it (decompiling .NET code is pretty easy and there are several tools that can do it). There are several other apps that also use provxml; one or more of them may offer source access.

Hi,
Thank for your help and I can select the services that I have load, but I have a small problem that I hadn't taken into account. I know c# but my apps are a lot of more easy that diagprovxml, and I can´t find the part of program that I´m interested. I use "JustDecompile" to decompile the app. Could you tell me what class(or classes) is (are) what I'm looking for?
Thank you very much again

Hmm... it's not linked in my SIG because it's out-o-date, but you could try using Search to find my old DeployProvXml app. It includes a pretty straightforward example of using provxml.
Essentially, you need the following things:
The interopservices DLL (allows you to use the ComBridge class).
The OEM DLLs (DMXMLCOM.dll and such).
COM class and interface definitions for them in C# (this is the stuff with the [ComImport] attributes and the GUIDs).
ID_CAP_INTEROPSERVICES in your WMAppManifest.
WPInteropManifest.xml file in your project.
Use the ComBridge to register the COM interfaces, then create an instance of the COM class(es), cast to the appropriate interface type(s), and use a variable of the interface type like any other .NET object.
You can read a bit more about COM and native code in Heathcliff74's guide. It's aimed at making your own native libraries, so skip all the stuff about creating your own COM classes and writing native code. http://forum.xda-developers.com/showthread.php?t=1299134

Hi again, Does the method WP7RootToolsSDK.Environment.ProcessConfigXml allow to set the parameters that have a tipical xml file?
thank you again

I'm not sure what you mean by "set the parameters" but the Root Tools SDK does in fact allow you to consume ProvXML files now (I think it even supports the query provXML and returns the output, though I haven't tried).

Framework discussion

Hi all,
As part of a class I'm doing, we are required to post some content to a forum to engage in discussion on security:
.
Cross Site Scripting (XSS)
OWAPS describes Cross Site Scripting (XSS) where a website has been marked as a trusted website, which for some reason, can run malicious code or scripts through inputs such as forms. As the end user’s browser sees this site as trusted, it allows the malicious script or code to execute, which can give access to client side information before it is encrypted (such as usernames, passwords, session IDs, cookies, etc).
In PHP for example, a normal input box where a user would enter their name, would be able to enter the following:
When PHP prints this back out after submission, it will execute the script between the script tags (In this case, just a simple popup).
In this scenario, this can be solved by wrapping the input value with htmlentities:
This would print any script as literal text rather then executing it.
In Java,
XSS is still a major issue, both due to some sites not implementing simple work around such as htmlentities or htmlspecialchars, or for reasons where these cant be used. XSS affects PHP applications by as much as 86% - its PHPs biggest vulnerability.
In Java, the easiest method is to simply validate inputs and to encode special characters (<>[email protected]#$%^&*). Alternativley, OWASP have a XSS class which includes easy methods to best prevent against certain types of XSS.
Code Injection
Code injection is where using the sites scripting language, you can inject (rather, have the site pull) code from somewhere else.
For example, php can call one of its own pages like so:
however, if we replace the contact.php page with an external hosted script:
This will cause the enduser to execute that script. This all comes down to PHP validation which is coded within the PHP to ensure only valid respsonses are accepted.
This is unlike command injection. Command Injection is an attack which is designed to execute commands on the PHP hosted system (server). This can be done where most parameters are passed (headers, input boxes, etc) and will typically display any output on the returned webpage.
For example, to return a password for a certain user, you could use a command like:
Typically, to prevent such commands from executing, a whitelist of command can be made, whereby only those listed are allowed to be executed on the server. Alternativly, it is recommend where the application needs to invoke system side commands, to do this through local python scripts, rather then PHP calling the commands.
CRLF injection
CRLF injection comes from the elements CR (Carriage Return) and LF (Line Feed) – together (CRLF) this denotes a new line (done simply by pressing the enter button). If a website for example, allows you to upload a file, an attacker may name this file as follows:
This would result in a system command being carried out to delete everything in the /bin folder.
It also allows an attacker to write to the log file, by creating it own new line. If the logs are configured in such a way that they will email out any WARNINGS or ERRORS, an attacker may add these to a new log line repetitively, backing up the email and bandwidth.
The simple way around this is for JAVA to sanitise any input strings, either through substituting known commands, or through methods such as
SQL Injection
.NET SQL Injection allows an authorised SQL command to be sent to the SQL server and executed.
An SQL string may be built using inputs from a form. A possible example of this is:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail';
where the red is the text from an input field.
However, we can modify this string which can allow some malicious stuff to happen:
Code:
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'formemail'; DROP DATABASE members --';
Adding the red text to the email input box, would allow us to delete the whole table, or alternatively insert a new record into a table, or possible delete records, modify records (change passwords), or even delete whole tables.
To prevent this, you can limit the damage an SQL injection can do you using proper database permissions (deleting records, tables, etc), and to also use good sanitisation – look for -- or ; in any field and invalidate the data if it has these characters.
Directory Traversal
Directory traversal can also be referred to as a “dot dot slash” attack.
In php, a resource (page) can be called as follows:
However, it may be possible to get other files, not even part of the web directory using the following examples:
The easiest way to prevent this is to assign proper permission on the server itself. However, many web developers do not own the server, therefore, another layer of protection is fully qualify the file path, with the root being where the webpage sits.
Connection String Injection
Also known as connection string pollution, it is possible for an attacker to inject parameters into a connection string to a database. Typically a connection string is built by delimiting each value with a comma. In an injection attack, strings can be built using semi colons as a delimiter.
A typical connection string to a windows SQL server may look like the following:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=+’User_Value’+; Password=+’Password_Value’+;
However, if an attacker places a rouge windows SQL server on the internet, and then uses a connection string like follows:
Code:
Data source = SQL2005; initial catalog = db1; integrated security=no; user id=;Data Source=Rogue Server; Password=; Integrated Security=true;
This allows the target windows SQL server to connect to the rouge server using its own Windows credentials, exposing much data.
Backdoors
Backdoors can be common within applications and web applications and can occur across many types of frameworks, however, it’s the security around the knowledge of backdoors, and what they allow, which can be of concern. All modems, routers and some managed network infrastructure have administrator usernames and passwords. However, sometimes, the network vendor (CISCO, NETGEAR, etc) or ISP may choose to put a backdoor access onto these devices. This may be in case a user forgets their administrator credentials, for automatic firmware updates, or for remote troubleshooting. Some of these backdoors may allow for more settings then what is normally shown to an end user.
For example, some older Optus supplied modems had the hidden user: Admin, and a password of: Y3S0ptus. This was standard across thousands of supplied modems. The problem was, the end user had no way of changing the default setting for remote web access from Enabled to Disabled, which meant anyone that knew of their IP address or domain name, could now remote access their modem router, add port redirects, and now connect to devices within their LAN.
In the case of ISP provided modems, it might be safer to simply by something else, not supplied by the ISP.