Jingly Jing

String type parameter in Crystal Report imposes a critical security threat

2011-08-15T14:30:00.002+10:00

Recently, we discovered the string type parameter used in Crystal Report is open for script injection i.e., a regular expression can be sent via these string type parameters and ran against the system database directly. But this only happens when the string is used with LIKE keyword in the SQL query.

For example, the query may look like this:

SELECT ComanyName

FROM Customers

WHERE CompanName LIKE {?CompanyParameter}

We have solved this issue by eliminating the special characters in the string which may impose threat before we send the string to Crystal Report. Hope this can be done in the future in Crystal Report itself and to prevent this major security threat from happening to any of the Crystal Report users.

Daylight saving offset is not available in SQL scripting

2011-08-14T17:22:00.001+10:00

We discovered a drawback by using SQL script and Crystal Report where the conversion against all the GMT date time fields in our database to local time does not cater for the daylight saving offset.

Unfortunately, the only way we found to overcome this issue is to create a new table which will record all the daylight saving information at different locations. Therefore, when we build Crystal Report, we can use the SQL query to check the daylight saving offsets and apply them correctly on different dates.

A google search link indicates that Crystal Report may have this function in place in version 2011.

LogiXML limitation - Using text type parameters

2011-06-08T17:00:00.000+10:00

When use text type parameters in LogiXML, we have to make sure the parameter values are compliant with the URL standards since LogiXML use the post back on the webpage to send the parameter values.

The following web page shows what characters should be encoded when passing through URL:

http://www.blooberry.com/indexdot/html/topics/urlencoding.htm

There are several ways to go around this problem:

1. Encode and decode the text at the SQL script since we only use these values to refresh the charts on dashboards.

SQL functions to encode and decode URL strings:

http://sqlblog.com/blogs/peter_debetta/archive/2007/03/09/t-sql-urlencode.aspx

http://sqlblog.com/blogs/peter_debetta/archive/2007/03/09/t-sql-urldecode.aspx

2. Use JavaScript to encode and decode the text before and after the post back.

System.Windows.Form.MessageBox control is not extensible

2007-11-13T14:30:00.000+10:00

Windows.Form.MessageBox control is not extensible since it is provided by the operating system. It is a static a class with private constructor. However, we could do something to customise this class by digging deep into Win32 API i.e., a 'hook' could be built to listen to the window events related to creating and activating the MessageBox, etc.

References:
http://msdn.microsoft.com/msdnmag/issues/02/11/CuttingEdge/default.aspx#S9
http://www.thescripts.com/forum/thread446492.html

What are your work/life dreams? Set some goals today

2007-11-13T08:15:00.000+10:00

When it comes to goals, bigger is not necessarily better. Understanding the difference between a goal and dream is about understanding what's achievable now — and how to break down a technicolour vision into manageable steps.

''I like thinking big. If you're going to think anything, it might as well be big.''

So said Donald Trump, the man with a nice looking property portfolio (sometimes overshadowed by his questionable-looking hair). And most people would probably assume he was right. After all, nobody ever built a 58-floor high-rise in Manhattan by thinking small.

Sometimes, though, thinking smaller is precisely what's necessary — particularly when it comes to setting goals. ''You might have the ambition to become the CEO of your company,'' says Narelle Milligan, a professional member of the Australian Association of Career Counsellors. ''But when you're the receptionist it can feel like a pipe dream. Long-term goals need to be broken down so that they're more manageable.''

Simply sitting at your switchboard burning with desire to take over the board won't get the job done. Instead, work out how you're going to get there. What steps do you need to take to get to the next level? Is there a course you can take, a mentor you can approach, a promotion you can secure?

''Goals are both short- and long-term,'' says Milligan. ''The short-term ones are the steps to get us to the bigger picture.''

In his book You Inc, real estate guru John McGrath writes of the importance of dumping the ''tomorrow fantasy''.

''Some people talk a lot of 'gonna','' he says. ''You know, they say, 'One day I'm gonna do this', or 'Next year I'm gonna do that'. The reality is, if you're not doing it now, you're probably not going to do it. So do it now — start with a small step today.''

But how?

''Goal setting is not that difficult,'' says Milligan. ''All you need is a quiet space and something to write on, or your computer.''

Now reach inside yourself and think about what you want for yourself in your life — your whole life, not just your career.

''The modern approach to career development is to try to integrate your work into your life,'' says Milligan. ''The income we get is a means to an end. I would strongly recommend setting life goals — work is just one subset of that.''

Other areas you might consider are finance, relationships, health, spirituality, study, travel … the whole shebang. How you prioritise your list is up to you.

''Dream about where you would like your life to be, translate those dreams into goals, and then work out the actions required to achieve the goals,'' says McGrath.

If your dream is to work in a different industry to the one in which you're currently stuck, your short-term goal might be to initiate contact with someone who works in that industry. Your first step to achieving that goal is to ask your network of friends if anyone knows anyone you could ring for a chat. See, you can do that!

If it were that easy, wouldn't everyone do it?

''We do need some self-insight to set attainable goals,'' says Milligan. ''While I'd never underestimate human determination and spirit, we're not all going to be world-class ballet dancers, for instance.''

One of the criteria that defines a goal is that it's achievable — otherwise you're back in dream territory again. But if your goal is to be Margot Fonteyn and your genetics say that you're more in Lauren Jackson territory height-wise, you may need to assess the reality of your aspirations. Which is not to say that you can't massage your goals as you go.

''If it's impossible to be a ballet dancer, go to dance classes, watch the ballet, or get involved in the organisational side of a ballet company,'' says Milligan.

I feel I'm getting nowhere

It doesn't always follow that if you work hard you'll reach your goals. As John Lennon said: ''Life is what happens when you're busy making other plans''. But don't let that put you off.

''Life deals us circumstances over which we have no control,'' says Milligan. ''Goals must be flexible and they need to be reviewed regularly. I'd look at them annually, and every time there's a big change in your life, like graduating uni, marriage, children, moving house, redundancy …''

Look at your skills, where you're going, whether you're on track to achieve what you want in life — because it does change. The goal you had at 21 to be chief executive at 30, might have changed by 30 to become something entirely different. Like a yoga teacher. Or a property tycoon — with fabulous hair.

By Allison Tait, October 2007

From: http://yourlifeworks.ninemsn.com.au/article.aspx?id=306383

How do I convert a string to a byte array and vica-versa in VB.NET and C#?

2007-11-05T15:18:00.000+10:00

Convert String to Byte[]

' VB.NET to convert a string to a byte array
Public Shared Function StrToByteArray(str As String) As Byte()
Dim encoding As New System.Text.ASCIIEncoding()
Return encoding.GetBytes(str)
End Function 'StrToByteArray

// C# to convert a string to a byte array.
public static byte[] StrToByteArray(string str){
System.Text.ASCIIEncoding encoding=new System.Text.ASCIIEncoding();
return encoding.GetBytes(str);
}

Convert Byte[] to String

' VB.NET to convert a byte array to a string:
Dim dBytes As Byte() = ...Dim str As StringDim
enc As New System.Text.ASCIIEncoding()
str = enc.GetString(dBytes)

// C# to convert a byte array to a string.
byte [] dBytes = ...string str;
System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding();
str = enc.GetString(dBytes);

Ref.: http://www.chilkatsoft.com/faq/DotNetStrToBytes.html