Simple PHP Script For Checking HTTP TRACK And TRACE

Web server support for the TRACK and TRACE methods may make it vulnerable to attacks. I came across Chris Mahns's script while searching for tools to check web servers. The script is written in Perl, but I cannot run it on my machine because of missing Perl libraries. Since I have PHP and CURL installed, I ported the script to PHP. This is what I have done:

#!/usr/bin/php
<?php
#===============================================================================
#
#         FILE:  test4trace.php
#
#        USAGE:  ./test4trace.php <host> <port>
#
#  DESCRIPTION:  Test for the existence of the TRACE method on a web site.
#                Adapted from http://bit.ly/qIvvVK. Original Perl version
#                written by Chris Mahns.
#
#      OPTIONS:  ---
# REQUIREMENTS:  PHP 5, CURL
#         BUGS:  None Found Yet
#        NOTES:  ---
#       AUTHOR:  Leong Hean Hong (https://about.me/hongster)
#      COMPANY:  Stream Media Pte Ltd
#      VERSION:  0.3
#      CREATED:  2011-08-24 17:08:00
#     REVISION:  ---
#===============================================================================

$help = "Usage: {$argv[0]} <hostname> <port>";

$host = isset($argv[1]) ? trim($argv[1]) : FALSE;
if ($host === FALSE || $host === '') {
	echo "$help\n";
	exit(1);
}

// Port 443 implies TLS; everything else is tested as plain HTTP
$port = isset($argv[2]) ? (int)$argv[2] : 80;
$scheme = ($port == 443) ? 'https' : 'http';

echo "First we test for Trace...\n";
test($scheme, $host, $port, "TRACE");
echo "Now we test for Track...\n";
test($scheme, $host, $port, "TRACK");

function test($scheme, $host, $port, $method) {
	$url = "$scheme://$host:$port/";

	$ch = curl_init();
	$options = array(
		CURLOPT_URL => $url,
		CURLOPT_SSL_VERIFYPEER => FALSE, // Skip SSL cert check (audit targets often use self-signed certs)
		CURLOPT_RETURNTRANSFER => 1,     // Return the response body from curl_exec() instead of printing it
		CURLINFO_HEADER_OUT => 1,        // Record the request header that was actually sent
		CURLOPT_TIMEOUT => 10,
		CURLOPT_CUSTOMREQUEST => $method, // Send TRACE / TRACK instead of GET
		CURLOPT_USERAGENT => "test4trace-pci-auditor/v0.3",
		// Custom header must be in "Name: value" form; libcurl silently drops header
		// lines without a colon. A server that honours TRACE/TRACK echoes it back.
		CURLOPT_HTTPHEADER => array(
			"X-Test4trace: $method",
		),
	);
	curl_setopt_array($ch, $options);
	$body = curl_exec($ch);                                // Response body (the echoed request, if TRACE works)
	$request = curl_getinfo($ch, CURLINFO_HEADER_OUT);     // Request header as sent
	$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

	if (curl_errno($ch)) {
		echo "Curl error: ".curl_error($ch)."\n";
		curl_close($ch);
		return;
	}
	curl_close($ch);

	switch ($http_code) {
	case 200:
		echo "======this is what you sent======\n";
		echo $request;
		echo "=====this is what came back======\n";
		echo $body;
		echo "=================================\n";
		echo "$method is working\n";
		break;
	case 403:
		echo "403: Forbidden\n";
		break;
	case 404:
		echo "404: Not Found\n";
		break;
	case 405:
		echo "405: Method Not Allowed\n";
		break;
	case 501:
		echo "501: Not Implemented\n";
		break;
	default:
		echo "Response code: $http_code\n";
		break;
	}
}

?>

Posted in Tao Of Programming at August 24th, 2011. No Comments.

Capturing User Requirements through Use Cases

As a software project manager, I am responsible for gathering requirements from users and communicating them to the developers. I find it useful to capture requirements by documenting use cases. In school, I was taught the UML Use Case Diagram. I find it too abstract and too simple to be useful to the customer, me, and the developers.

user-web-1. User can broadcast a message to his/her friends.
Preconditions:

  1. User has registered an account.

Steps:

  1. User login on the website.
  2. User type a message in the Status input field.
  3. User click "Post".

Postconditions:

  1. The posted message appears on user's wall.
  2. The posted message appears on user's friends wall.
  3. User's friends get an email notification containing the posted message.


This is an example of a use case. Each use case has a unique ID (e.g. "user-web-1"), which makes it easy to refer to among team members. A use case title consists of an actor and an action. The actor indicates the type of user that will be using this software (it is usually a user role). The action describes what the user wants to achieve (e.g. register an account, post a message, send an email). Optionally, there may be a list of preconditions, which describe prerequisites, assumptions, or context. The steps are a series of physical actions that the user has to perform to achieve the objective. I will talk more about the steps later. Postconditions describe the consequences of carrying out these steps. A use case is written in such a way that an end user can easily understand it. When the software is developed, a user can perform the steps in each use case to verify that the software meets the requirements.

Listing Steps

This is not a technical specification; a use case should not contain technical detail. The steps should not describe the UI (i.e. layout, colour, fonts). The purpose is to capture the user experience. The designer should design an effective UI to enable such interaction, and the developer should implement features that deliver this functionality. Each step can be further broken down in finer detail. There is no rule on how detailed the description should be. I make sure it is as simple as possible (giving room for the designer and developer to express their creativity), and detailed enough for me to communicate with both user and developer.

Advantages of use case:

  • Gives insight into the user experience. Developers can review the use cases and suggest improvements to the user experience.
  • Testable by the user. Both developer and user can perform the steps to verify that the developed software meets the user's requirements.

Disadvantages of use case:

  • The use case does not contain technical information. The developer needs to define technical specifications based on the use case.
  • A use case is useful for testing usability, but it cannot be used to test technical requirements (e.g. stability, performance).

During the requirements gathering phase, all the use cases are documented in a Use Case Document (UCD). Whenever the implementation of a use case is completed, the tester (user) uses the UCD to verify that the implementation meets the user's requirements. Before each software release, there is a code freeze period during which all documented use cases are tested as part of the QA process.

Posted in Tao Of Programming at July 13th, 2011. 1 Comment.

QRCode Generator Tutorial

2 weeks ago I conducted an Android Training Workshop for the CodeAndroid Singapore meetup at the Google office. I designed a tutorial to teach newbies the basic concepts of Android development. In this tutorial, developers learn the basics of Activity, View, Intent, and HTTP requests. Developers were taught to create an application called QRTalk.

QRTalk allows the user to type in a text message. It uses the Google Chart API to encode this message and generate a QR code image. This image is then displayed in a WebView.

URL imageURL = new URL("http://chart.apis.google.com/chart?cht=qr&chs=350x350&chl=hello+world");
Bitmap qrBitmap = BitmapFactory.decodeStream(imageURL.openStream());
imageView.setImageBitmap(qrBitmap);

This is what I learned while developing the tutorial: with one line of code, I am able to make an HTTP request and turn the HTTP response into a Bitmap object instance.

Lesson learned:

  1. Use more images in slides. Too many words on slides make them hard to absorb and make the presentation very dry.
  2. Cannot assume the audience knows what a QR code is.

Posted in Tao Of Programming at February 11th, 2011. No Comments.

Grabbing String From Dynamic Content

A few days ago I was asked to debug someone's code. The problem lay in a small function containing around 5 lines of code. Its purpose is to grab a URL from the src attribute of an img tag within an RSS feed. This is a PHP project. It was done using a mixture of substr and str_replace. First, the tag name and part of the attribute are replaced with an empty string, e.g. str_replace('<img src="', '', $input). Finally, substr is used to extract the URL.

When the application was not working, I was asked to help debug it. In the end, I found out that there were some extra white spaces in front of the extracted URL string. We fixed it by applying a trim function. I dislike this solution.

In this particular situation, the task is to extract an image URL from an RSS feed. The best solution is to use an XML parser, such as SimpleXMLElement, to locate and extract the attribute value. Using simple string searching functions is bad, because a slight change in the input can easily cause a bug. An XML parser can extract content accurately even when there is irregular spacing or a minor change in the arrangement of tags.

For unstructured text, regular expressions are a good alternative solution. The sad thing is, many programmers do not know regular expressions. Regular expressions may be hard to learn, but they are an extremely powerful tool for string searching! I am not going to talk about why regular expressions are so powerful; there are many articles on this topic already.

NOTE: I am not implying that regular expressions and XML parsers are the best solutions to all string searching problems. It depends on the requirements. Although PHP's native string searching functions are less flexible, they are generally much faster than regular expressions. When making a decision, I consider the performance and how structured the input is.
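The parser-based approach described above, as an added example that is not the post's own code: the feed is constructed for the demo, the second item deliberately has irregular spacing and attribute order, and the function name extractImageUrls is my own. The RSS is parsed with SimpleXMLElement, the HTML inside each description is parsed with DOMDocument, and only absolute http(s) URLs are accepted.

```php
<?php
// Constructed RSS feed for the demo. The second item's <img> has odd spacing and
// attribute order, which would break a str_replace('<img src="', ...) approach.
$rss = <<<'XML'
<rss version="2.0">
<channel>
  <title>Demo feed (constructed)</title>
  <item>
    <title>First</title>
    <description><![CDATA[<p>Hello</p><img src="http://example.com/a.png" alt="a">]]></description>
  </item>
  <item>
    <title>Second</title>
    <description><![CDATA[<img   alt="b"   src = " http://example.com/b.png " />]]></description>
  </item>
  <item>
    <title>Third</title>
    <description><![CDATA[<img src="javascript:alert(1)">]]></description>
  </item>
</channel>
</rss>
XML;

// Returns the first acceptable image URL of each item; items without one are skipped.
function extractImageUrls($rssXml) {
    $urls = array();
    libxml_use_internal_errors(true);                      // collect parser errors instead of emitting warnings
    $feed = new SimpleXMLElement($rssXml, LIBXML_NONET);   // NONET: never fetch remote resources while parsing
    foreach ($feed->channel->item as $item) {
        $html = (string)$item->description;                // CDATA / entities are already decoded here
        $doc = new DOMDocument();
        $doc->loadHTML('<?xml encoding="UTF-8">' . $html); // tolerant HTML parser handles tag soup
        foreach ($doc->getElementsByTagName('img') as $img) {
            $src = trim($img->getAttribute('src'));        // attribute value, whatever the spacing was
            // Accept only absolute http(s) URLs; javascript:, data: and relative values are dropped
            if (filter_var($src, FILTER_VALIDATE_URL) && preg_match('#^https?://#i', $src)) {
                $urls[] = $src;
                break;                                     // first image per item is enough
            }
        }
    }
    return $urls;
}

print_r(extractImageUrls($rss)); // a.png and b.png; the javascript: src of item three is rejected
```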

Posted in Tao Of Programming at April 12th, 2010. No Comments.

Learning From Lunar Lander

Lunar Lander is a sample game distributed with the SDK in the <SDKDIR>/platforms/android-2.1/sample/ folder. It has been available since Android 1.5. This project introduces 2D drawing on a Canvas, handling KeyEvents, and using Threads. I think it is a good starting point for me to learn Android game programming.

For Lunar Lander, the main components are LunarLander (an Activity), LunarView (a SurfaceView), and LunarThread (a Thread). The layout XML defines a LunarView (for displaying the game scene) and a TextView for displaying in-game messages (e.g. "Press up to play", "Press up to resume").

LunarView contains an inner class, LunarThread. LunarThread is the game engine: it runs the game loop and performs all the drawing and physics (game logic). LunarView delegates all KeyEvents to LunarThread.

As I am developing a game, I have used Lunar Lander as a template, with some slight modifications. Instead of an inner class, I made the game engine a separate class of its own. I want to separate the View from the game engine.

Posted in Tao Of Programming at March 23rd, 2010. No Comments.