Daylight Savings Time
My daylight, it is a-wasting!
And good news, everyone: “de-pants” is now included in the Oxford English Dictionary. (“trans. To pull down or remove the trousers of (a person), esp. as a prank or punishment.”)
Well, I’ve installed Firefox 2.0. I recommend that Firefox users upgrade: it incorporates a lot of useful changes.
First of all, some developer-level stuff has changed in the browser. JavaScript 1.7 is supported and SVG capabilities have been increased.
The user would be more likely to notice the new visual theme. Each tab has its own close button (a longstanding gripe of many users), and mouse rollovers are acknowledged by the interface buttons.
I like the new Web Feeds capabilities. They allow reading feeds with Google or other feed aggregators instead of Firefox. I also especially like the menu that houses “Recently closed tabs” — I always wish I didn’t just close that tab. Novice users might appreciate the anti-phishing feature. Most obvious, however, is the automatic spell-checker that underlines misspelled words as you type in web forms. Other features have been improved as well, like the Add-ons managing system.
Bottom line: Same old Firefox, but better. If you already have Firefox, upgrade. If you don’t, now’s as good as ever to join the club.
Attention, Web 2: with infinite power comes infinite liability.
If you don’t properly untaint your CGI variables, I can launch an XSS attack on you really easily. I just input <script language="javascript" /> for one of your fields, and I can run JS via your website. In fact, I can completely change your website’s appearance and functionality (or get your cookies), thanks to DOM manipulation.
Setting character limits on forms isn’t much of a help, because I can GET or POST whatever the heck I want. You have to trust the client’s HTTP headers, which don’t have to be what the browser would normally serve. In fact, with Perl’s LWP, I can send you arbitrary headers. (Firefox even has a built-in hidden feature to change the User-Agent string.)
Basically, you should escape any suspicious characters. < and > are definite no-gos, and & and " might be suspicious as well. Run some regexps to convert them into HTML entities. Be sure to turn on taint checking (#!/usr/bin/perl -T) so it’s actually enforced.
It’s even worse when you run SQL statements. SQL injection is awful because I can DROP your table from the database instantly, instead of the innocuous INSERT you wanted. -- and ' are prime culprits. Better yet, just use the quoting feature built into Perl’s DBI. Pass inputs in execute() rather than concatenating them in your prepare() statement.
Above all, I hope you never concatenate user input to the console! (rm -r *) Of course, some major websites forget to protect against SQL injection. Occasionally I find a URL ending in ?id=5 that returns a database error if you delete the 5. (Yes, this is REALLY BAD NEWS.)
Until next time, may you never SELECT * FROM table WHERE id='$querystring'.
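As an added example (my own, not code from the original post), here is what the two pieces of advice above look like in working Perl: a small regexp-based HTML escaper for the characters the post names, and a DBI lookup that binds the user's value in execute() instead of interpolating it into the SQL. The table name `items`, the helper names `html_escape` and `fetch_by_id`, the sample form values and the use of an in-memory SQLite database (DBD::SQLite assumed installed) are all constructed for this demo.

```perl
#!/usr/bin/perl -T
# Added example, not part of the original post. Run as: perl -T escape_demo.pl
# (-T on the shebang is rejected by perl if the command line lacks it.)
use strict;
use warnings;
use DBI;

# Turn the characters the post flags (< > & ") into HTML entities so that
# untrusted text echoed into a page can never open a tag or close an
# attribute. The single quote is included as well for single-quoted attributes.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;   # & must go first, or the entities below get re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Look up a row by id through a placeholder. The value is handed to execute(),
# so the driver quotes it; a quote or -- inside it stays ordinary data.
sub fetch_by_id {
    my ($dbh, $id) = @_;
    my $sth = $dbh->prepare('SELECT id, name FROM items WHERE id = ?');
    $sth->execute($id);
    return $sth->fetchrow_hashref;   # undef when nothing matched
}

# Self-contained fixture: an in-memory SQLite database with one row (constructed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO items (name) VALUES (?)', undef, 'widget');

# Constructed sample inputs, the way hostile form fields would arrive.
my $form_name = '<script>alert(1)</script>';
my $form_id   = "1' OR '1'='1";   # the quote that would break a concatenated query

printf "Escaped for HTML: %s\n", html_escape($form_name);
# prints: Escaped for HTML: &lt;script&gt;alert(1)&lt;/script&gt;

# The concatenated form from the post's sign-off, shown only for contrast
# and never executed here:
#   my $bad = "SELECT id, name FROM items WHERE id='$form_id'";

my $row = fetch_by_id($dbh, $form_id);
print defined $row ? "Found: $row->{name}\n"
                   : "No row has the literal id \"$form_id\"\n";

my $ok = fetch_by_id($dbh, 1);
print "Found: $ok->{name}\n";   # prints: Found: widget
```

The ordering inside html_escape matters: replacing & after the other substitutions would turn the freshly produced &lt; into &amp;lt;. On the SQL side, the bound string is compared as data against the integer id column, so it simply matches nothing; with string concatenation the same input would have rewritten the WHERE clause.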
My charla for Spanish is tomorrow. I have to talk to the class for ten minutes in Spanish about something. I chose Scholastic Bowl and the difference between good and bad questions. (Sr. Bender wants us to address subtleties, not just have simplistic narratives.) Hopefully it will go well. At least I’m experienced.
Which reminds me — our conference started today. We are now 1-0 in Illinois format. Am I allowed to call that “undefeated”?
“When it rains, I think that’s God telling us to go home and take a rest.”
A particularly poignant thought, that is. Sometimes bus drivers have the common sort of wisdom that we all sometimes need to hear. I understand now why people talk to their cabbies.
Yes, Monday Mathematics is still alive, but since we had so many days off school the past few weeks, I didn’t feel like uploading one last week. Maybe I’ll do one next week too, to stay on schedule / appease Brad / etc.
http://www.carloangiuli.com/graphics
LiveGraphics3D is an awesome Java applet that allows real-time rotation of 3D objects in a web browser. I have written this Perl/HTML wrapper to make it usable for anyone, not just people who can figure out how to run Java classes. A much better explanation and a whole bunch of graphics can be found at the URL above.
If you have some graph you’re just dying to see, but you don’t have Mathematica, you can leave a comment here and I’ll put it up for you. I’m nice like that.
ELECTRONS DON’T MOVE BACKWARDS IN TIME
ELECTRONS DON’T MOVE FASTER THAN THE SPEED OF LIGHT
ELECTRON ORBITALS ARE PROBABILITY DISTRIBUTIONS NOT PATHS
AP Chemistry
Too much to do, too little time.
DreamHost just totally lost its mind and permanently upped current accounts to 200 GB of storage and 2 TB of bandwidth. And today only, you can buy one of these accounts for $20 for a whole year.
Where do they get this sort of capacity from?
We finished our first packets! All 74 pages!
*collapses in exhaustion*
I suppose I should also do homework this weekend.