Firefox 3.0.1 Encoding Change (Bug?)

So, FF 3.0.1 was seriously pissing me off today. I’ll spare details as not very many people are VFP developers but it came down to something fairly simple.

When a request comes into my web app, I check the CONTENT_TYPE header. Most browsers send this…

application/x-www-form-urlencoded

Firefox 3.0.1 is sending…

application/x-www-form-urlencoded; charset=utf-8

…which completely threw my program off when using FF3, while IE6/7, Opera, and Safari were working just fine. The program is using jQuery, the form plugin, etc., so the problem could have been anywhere.

I finally broke down and asked for help. Rick was nice enough to point out the flaws in my logic and get me back on track.

2.5 hours of pulling my hair out. Grrr!

Ajax Calendar with Visual Foxpro and jQuery

Per a request and for a little bit of fun, I created a flat ajax calendar with jQuery and Visual Foxpro for use with the Web Connection framework. This demo allows you to load a calendar and its navigation via ajax and edit events without time-consuming page reloads.

You can add an event to each day by clicking the small ‘edit’ button next to the day number. I haven’t included anything like security, users, authentication, etc. but I think it is flexible enough too. This comes straight out of my intranet app, so may be a little rough around the edges as I had to generalize it for demo purposes.

Update (08/06/2008): Fixed the download link. Oops.


Image Magick with Visual Foxpro

ImageMagick is versatile enough to use from a multitude of languages. Back in January of 2006, I used it in Visual Foxpro 7 to create thumbs and mid size images for an image gallery that ended up not being used. Here is the source to do that.


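* Create the ImageMagick COM object (needs the OLE control from the installer)
loMagickImage = Createobject("ImageMagickObject.MagickImage")
* Build the source and output paths from the current record of gFileList
lcSourceFile = "C:\uploads\"+Alltrim(gFileList.FILENAME)
lcThumbnailFile = "C:\uploads\thumb_"+Alltrim(gFileList.FILENAME)
lcMidFile = "C:\uploads\mid_"+Alltrim(gFileList.FILENAME)
* "x128" and "x512" set the target height in pixels; the width follows the aspect ratio
loMagickImage.Convert("-resize", "x128", lcSourceFile, lcThumbnailFile)
loMagickImage.Convert("-resize", "x512", lcSourceFile, lcMidFile)
* Release the COM object
loMagickImage = .Null.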

Make sure that you check the option labeled “Install ImageMagickObject OLE Control for VBscript, Visual Basic, and WSH” during the install or else you won’t be able to call it from VFP or any other language.

MD5 hashes and salt

I originally wrote this in a discussion over at the West Wind forums. I’m reposting it here for informational purposes.

MD5 can easily be reversed using a lookup of ‘known’ hashes. So if user ‘Bob’ chose a password of ‘abc’ and we hashed it on the client and then sent it to the server, we could store it in the database as a hash instead of plain text. Hashing something without a salt leads to a problem when the table gets stolen or a man-in-the-middle attack occurs: the bad guy can take the hash, look it up in the reverse table, and then have Bob’s password in plain text. Salting is when you combine Bob’s password with something else. For example, create a hash of his last name, DOB, and UserId…append it to the end of the password hash his browser sent and hash them together to compare with the hashed password.

Hmm…that didn’t make a lot of sense to me…I need more Code Red. I’ll try this way:

Bob signs up for your site with user name ‘Bob’ and password ‘1234’
Password in plain text: 1234
Password hash (1234, easily reversed): 81dc9bdb52d04dc20036dbd8313ed055
Password hash with salt (1234+Bob, not as easily reversed): 27d5c234335b9762416808e2ace80842
Password hash with salt + GUID: (1234+Bob+791ae620-e2f5-11db-8314-0800200c9a66, very hard to reverse): 34e25923be3cad2bb140c8c508f59e16

Store the hash of 1234 in your table, then when it is time to compare, make sure you concatenate consistently to get the right result.

I found an MD5 program by Gilles Patrick that works really well off of the VFP Wiki. It produces results that agree with the client side JS MD5 program I linked to above.

Hashing a single word is not nearly as secure as hashing that word plus some random (but consistent) text. More and more people use the same password for their email, system, start page, etc., and I think my users appreciate it when I tell them up front that I don’t know their password. Recovering a user’s password can be a little tricky in that they have to create a new one instead of you telling them what it is, but security questions and using the email address on file work out well for recovery.
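The difference between an unsalted hash and a salted one, as an added Python example that is not part of the original post or the VFP/JS MD5 programs it mentions. It goes one step beyond the post by using a random per-user salt and the slow PBKDF2 function from Python's standard library instead of MD5 with a name or GUID; the word list and function names are made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the post's example password plus a few common ones.
COMMON_PASSWORDS = ["password", "abc", "1234", "letmein"]


def md5_hex(text: str) -> str:
    """Plain MD5 of a string, as in the post's unsalted example."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precomputed hash -> password table; one table works against every unsalted hash."""
    return {md5_hex(w): w for w in words}


def new_record(password: str, iterations: int = 200_000) -> dict:
    """Hash with a random 16-byte salt; the salt is stored next to the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    lookup = build_lookup(COMMON_PASSWORDS)
    unsalted = md5_hex("1234")          # what an unsalted table holds for Bob
    salted = md5_hex("1234" + "Bob")    # the post's password+name concatenation
    print("unsalted:", unsalted, "->", lookup.get(unsalted))
    print("salted  :", salted, "->", lookup.get(salted))
    bob, alice = new_record("1234"), new_record("1234")
    print("same password, different digests:", bob["digest"] != alice["digest"])
    print("verify good / bad:", verify("1234", bob), verify("4321", bob))
```

Because the salt is random per user, two accounts with the same password get different stored values, and the iteration count makes each guess against a stolen table expensive.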

I’m no expert on this stuff, but here are some people that are.