Archive for the ‘Software’ Category

Keeping data secure in Google App Engine

Thursday, April 10th, 2008

While going through the “Getting Started” documentation provided for Google App Engine, I noticed something interesting in the “Using the Datastore” section. The datastore included in the App Engine is not a relational database, but it has some similarities. When querying the datastore, you can use GQL, which is similar to SQL. For instance:

greetings = Greeting.gql("WHERE author = :1 ORDER BY date DESC", users.get_current_user())

Notice the parameter replacement where “:1” is replaced with the value of “users.get_current_user()”. The documentation states:

Unlike SQL, GQL queries may not contain value constants: Instead, GQL uses parameter binding for all values in queries.

As Wikipedia points out, using a parameterized statement like this GQL parameter binding is one way to mitigate an SQL injection attack. The injection is mitigated because a bound value is handed to the query engine as data and is escaped consistently by the binding layer, rather than being spliced into the query text where it could change the structure of the query. I find it very interesting that Google decided, in implementing GQL, to enforce the use of parameter binding. This must have been a conscious decision to help App Engine developers to make their apps more secure. I think that this is a good decision.
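The difference GQL is enforcing, shown as an added Python example that is not from the post or the App Engine SDK: the same `WHERE author = :1 ORDER BY date DESC` query is run against a constructed in-memory SQLite table once with the value spliced into the query text (what GQL forbids) and once as a bound parameter (what GQL requires), with sqlite3's positional `?` standing in for GQL's `:1`.

```python
import sqlite3

# Constructed sample rows standing in for the Greeting entities of the tutorial.
GREETINGS = [
    ("alice", "hello from alice", "2008-04-01"),
    ("alice", "alice again", "2008-04-03"),
    ("bob", "hi from bob", "2008-04-02"),
]


def _connect():
    """Build an in-memory table mirroring the Greeting model (author, content, date)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE greeting (author TEXT, content TEXT, date TEXT)")
    conn.executemany("INSERT INTO greeting VALUES (?, ?, ?)", GREETINGS)
    return conn


def greetings_concatenated(author):
    """What GQL forbids: the value becomes a constant inside the query text,
    so a quote in the value rewrites the predicate itself."""
    conn = _connect()
    query = "SELECT content FROM greeting WHERE author = '%s' ORDER BY date DESC" % author
    return [row[0] for row in conn.execute(query)]


def greetings_bound(author):
    """What GQL enforces: the value travels as a bound parameter and is only
    ever compared against the author column, whatever characters it contains."""
    conn = _connect()
    query = "SELECT content FROM greeting WHERE author = ? ORDER BY date DESC"
    return [row[0] for row in conn.execute(query, (author,))]


if __name__ == "__main__":
    print(greetings_bound("alice"))
    # A value that happens to contain a quote: the bound query simply finds no
    # such author, while the concatenated query's WHERE clause is altered.
    tricky = "alice' OR '1'='1"
    print(greetings_bound(tricky))
    print(greetings_concatenated(tricky))
```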

Worked through the Google App Engine “Getting Started” introduction

Tuesday, April 8th, 2008

I just finished trying out the Google App Engine “Getting Started” introduction. I haven’t programmed in Python for a very long time. The introduction was pretty cool.

Except for the problem with Windows in the static file CSS example. I found a discussion about the issue by Googling “App Engine InvalidAppConfigError”. They have a simple work-around to get the sample to work. But it looks like there will have to be a fix in the API for the problem to be resolved.

But all in all, this is a pretty neat framework. I look forward to playing with the SDK some more.

(And being a pilot, I am a bit biased toward the App Engine logo. You can see it at the home page. It is a jet engine with wings and a vertical stabilizer. 🙂 )

My first Butterfly program… success!

Monday, April 7th, 2008

My first program, Blinky, from the “C Programming for Microcontrollers” book has been downloaded to my Butterfly ATMega169 and works. The program cycles through 8 LEDs, turning one LED on at a time. It looks like the Cylon robots (old school – or the newer Cylon Centurions from the new series). (Or the original KITT from “Knight Rider”.)

I had a problem initially with downloading the “hex” file to the Butterfly. It appeared to be the serial port… ahhhh, serial ports. So, if you get the Butterfly++ Mini-Kit, you get a DB-9 female connector and some wire. The “Butterfly++ Mini-Kit Assembly Instructions”, and the book, instruct that you are to wire the DB-9 connector to certain holes on the Butterfly. The instructions indicate that you cross the transmit and receive lines from the Butterfly to the connector. Okay, all is good… so far.

It is very hard to find a serial cable now: USB rules. But I did find a USB-Serial adapter at Best Buy. One end is a USB connector and the other end is a DB-9 male connector. I installed the driver, for Windows XP, and installed the cable. It installed like a charm as “COM5”. I was able to use the terminal program provided on the CD with the book and use “COM5” and communicate with the built-in Butterfly program to set my name for the “name tag” function of the factory-programmed Butterfly.

But then when I used the provided AVR Studio to try and download the Blinky program to the Butterfly, AVR Studio couldn’t find a suitable device. Hmm. It appeared the AVR Studio provided on the book’s CD wasn’t working with the USB serial device. I even tried upgrading to the latest AVR Studio downloaded from the Atmel site. It still wouldn’t program.

I did have a “real” serial port on my computer, which is a DB-9 male connector. But I couldn’t find a DB-9 M-F connector in my collection of cables. I had null modem DB-9 F-F and DB-9 M-M (null modem cables have the transmit and receive links cross-linked). Then I thought, wait! The Butterfly has a DB-9 female connection and the computer has a DB-9 male connector; just hook them together. The problem is the Butterfly DB-9 female connector is connected to the Butterfly with about 2.5 inches of wire. So it took a bunch of rearranging to get the Butterfly close enough to the serial port on the computer, which is in the back of the computer. But I was able to get the Butterfly, the power supply, and the breadboard with the LEDs for the Blinky project close enough. Now, with the Butterfly directly connected to “COM1”, the AVR Studio found the device. I was able to download and program the Blinky.hex file. After successfully downloading to the Butterfly and cycling the power to the Butterfly (and moving the joystick “up”), Blinky started up and blinked the LEDs, sweeping back and forth.

So it appears that I need a DB-9 M-F “straight through” serial cable. (I have seen this type of cable referred to as an “extension” serial cable too. No wonder everyone likes USB better; it just seems to work, but it is more complex at the signal and component level.) I was able to find at Cables for Less a six foot DB-9 male to female cable for $1.89. I ordered it. With shipping the total came to $8.48. Hopefully it will come soon so that I can get the Butterfly out from behind my computer. But at least I have successfully tested the ability to program the Butterfly.

(I think that there is some way to download the hex file using avrdude instead of the AVR Studio. This may allow the USB-Serial adapter cable to work on “COM5”. But I haven’t had a chance to try that yet.)

Butterfly++ WORKS!

Saturday, April 5th, 2008

I had purchased a “Book + Butterfly + Projects Kit” from Smiley Micros some time ago. The AVR Butterfly is a demonstration board for an Atmel AVR ATmega169PV microcontroller. The package that I purchased included, in addition to the Butterfly, a book and some components in the “project kit” to execute the samples from the book. The first thing that you have to do is add a connector to the board so that you can add a serial port connection. The serial port connection is used to download code to the microcontroller. The kit includes some wires and a female DB-9 connector which you get to solder together. I did it (successfully). The kit also includes a battery pack that you get to mod to add an LED as a power indicator and some headers to solder to the Butterfly to make it easier to attach and reconfigure wires to the device.

After performing this preliminary soldering, I followed the test procedures to make sure that it works. I was able to power the Butterfly from the external battery source and download my name via the serial port to the Butterfly. (The Butterfly has a sample program that will display your name on its LCD display.)

Now that the preliminary work is done, I can try the samples from the book… (I am finally putting my EE degree to use!) and maybe write my own code. (Yeah, I do write code, like web applications, for a living. Not usually something as cool as making blinking LEDs!)

Akount “revision 10” released

Saturday, March 22nd, 2008

I released “revision 10” of my personal finance web application moments ago. This release provides a visible indication if a transaction is a future transaction. Future transactions have a gray background and are in italics. I also added a confirm dialog before deleting a transaction. (I accidentally deleted a transaction the other day. This wasn’t a problem before, but with the recent feature enhancement to allow transactions to be duplicated, there is now a link to duplicate a transaction right next to the link to delete a transaction. I accidentally clicked the delete instead of the duplicate link. Oops. This is now fixed.)

Akount “revision 8” released

Saturday, March 22nd, 2008

“Revision 8” of my personal finance application “akount” has been released.

This new release includes enhancements to the login process. The login process has for a while supported username and password authentication or OpenID authentication. The login form showed both forms for username/password authentication and OpenID authentication. Now, only one or the other forms is shown and you can toggle between the two forms. Once you successfully authenticate, a cookie is set to remember the type of authentication that you used. Then, the next time you access the application and have to log in, the form displayed will be the one that you last used.

The code was also cleaned up a bit, consolidating the username/password and OpenID authentication into one PHP controller. (I have tried to use a model-view-controller (MVC) pattern in developing akount.)

Akount “revision 7” released

Sunday, March 16th, 2008

“Revision 7” of akount has been released. (Productive evening–6 and 7 in one night.) In this update, transactions in the account transactions view can now be duplicated (copied). There is a “Duplicate” link that will open the “add transaction” view with the “Date” set to the current date and the “Description”, “Amount”, “Tag”, and “Transfer” duplicated from the original transaction. This feature will hopefully be helpful for entering recurring transactions that happen each month.

Akount “revision 6” released

Sunday, March 16th, 2008

I just released “revision 6” of akount, my personal financial management web application that is in “limited beta”. (Okay, very limited beta. I am the only user. 🙂 )

This release added support for a user to configure how many “items per page” are displayed on the account transaction pages. Prior to this, the number of transactions shown per page was 10. Now a user can choose between 1 and 99 items per page in the “My Info” page available from the account summary page.

Bruce Lee could be an agile developer

Friday, December 14th, 2007

So I am reading “The 4-Hour Workweek: Escape 9-5, Live Anywhere, and Join the New Rich”. (It seems to be pretty popular in the blog-o-sphere lately.) In the book, which is filled with quotes from famous people, I found this one by Bruce Lee.

“One does not accumulate but eliminate. It is not daily increase by daily decrease. The height of cultivation always runs to simplicity.”

I thought that this sounded very agile development-ish. (And he would be a good GIMP plug-in developer. GIMP is scripted with something called Script-Fu.) This is also very “Getting Real”-ish, popularized by 37signals.

…just a random thought.

Here is my ID

Saturday, October 20th, 2007

This blog now functions as my ID. It is my delegate ID for OpenID. I got the idea for this from Sam Ruby’s post “OpenID for non-SuperUsers”. As he states, you just have to add this to the head of the HTML for the blog:


<link href="http://www.myopenid.com/server" rel="openid.server" />
<link href="http://cubeinhabitant.myopenid.com/" rel="openid.delegate" />

My primary OpenID provider is myOpenID. They provide free OpenIDs. If you view the source of this blog, you will also find:

<meta http-equiv="X-XRDS-Location"
      content="http://www.myopenid.com/xrds?username=cubeinhabitant.myopenid.com" />

The form of this markup comes from the myOpenID information about “Using Your Own URL”.

As Sam states in his post, this allows me to use the URI “http://www.jpeterson.com/” as my OpenID identity. The myOpenID servers will actually provide the authentication. If for some reason, I need to change OpenID providers, I just need to update the delegate information in my blog and the identity provider will be changed. I don’t have to update all of the services that I registered my OpenID with. (That’s because I use “http://www.jpeterson.com/” instead of the URI for the OpenID provider when I register.)
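What a relying party does with this markup, as an added Python example that is not from the post or from any OpenID library: it parses the `openid.server` and `openid.delegate` links out of a constructed copy of the blog’s head (the URLs are the ones shown above), falls back to the claimed URL when no delegate is declared, and then checks that the identity the provider asserts is the delegate that discovery produced, which is what keeps one myOpenID account from signing in as a different claimed URL.

```python
from html.parser import HTMLParser

# Constructed copy of the delegation markup described in the post.
BLOG_HEAD = """<html><head>
<link href="http://www.myopenid.com/server" rel="openid.server" />
<link href="http://cubeinhabitant.myopenid.com/" rel="openid.delegate" />
<meta http-equiv="X-XRDS-Location"
      content="http://www.myopenid.com/xrds?username=cubeinhabitant.myopenid.com" />
</head><body>blog</body></html>"""


class _OpenIDLinks(HTMLParser):
    """Collect the OpenID 1.x <link rel="openid.*"> declarations from a page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        # rel may carry several space-separated tokens; the first declaration wins.
        for token in (attrs.get("rel") or "").split():
            if token in ("openid.server", "openid.delegate") and href:
                self.links.setdefault(token, href)


def discover(claimed_url, html):
    """Return (server, identity) for claimed_url from its HTML.

    With an openid.delegate link the provider is asked about the delegate;
    without one, the claimed URL itself is the identity."""
    parser = _OpenIDLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link found at %s" % claimed_url)
    return server, parser.links.get("openid.delegate", claimed_url)


def assertion_matches(claimed_url, html, asserted_identity):
    """After the provider redirects back, the identity it signed for must be
    exactly the delegate discovered from the claimed URL; anything else is
    some other account at that provider and must be rejected."""
    _, expected = discover(claimed_url, html)
    return asserted_identity == expected
```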

Currently, our team at work uses Basecamp as a collaboration tool. Basecamp recently supported OpenID credentials. This was the impetus for me to set up my blog to be my OpenID URI. I have witnessed more adoption of OpenID lately. Hopefully this uptake will continue.