Sunday, September 18, 2011

NCDevCon: Presentation Slides and Code

The NCDevCon 2011 conference is drawing to a close. There were many interesting and well-rounded presentations, and it was good to meet friends from all over again and chat about the best and worst ways of doing things.
I continue to be impressed by what the team (Dan Wilson, Jim Priest, Shawn Dunning) is able to do with so few resources. Way to go, team.

As promised I am posting the links to the slides to my presentations:
Practical Application Security:
Practical Application Security Slides
I posted the code for URLEncoder on RIAforge as open source project.

Client Side MVC with Sencha Touch:
Client Side MVC with Sencha Touch Slides
Download Sencha MVC code. Please review the Readme_first.txt file on how to get this going.

Please feel free to explore code and slides.
The conference also posts the video of the presentations.



MJClemente said...

Hey, I saw you at NC Devcon. Wondering your take on giving form fields the same name as corresponding table in DB? Security risk or ok? Thanks!

Jake Munson said...

Hi Bilal,

I am the manager of the Boise ColdFusion User's Group. I am looking for speakers to present at my group remotely using Adobe Connect. I especially need a speaker next month, but if that doesn't work we can fit you in the schedule later. I saw the description of your talk at NCDevCon and it looks interesting and relevant to my group. Would you be interested in presenting your topic for my group?

bman said...

Unfortunately, the short answer is "Yes".
Your form field naming can be exploited, especially if it corresponds to database table and field names.

You will need to build an abstraction layer. Some people plug this into their ORM layer. A simpler thing is to build a form helper library. The library can work on an encryption basis or a reference basis (lookup). There is much leeway in the construction of such a helper component.

For example, if you had a User.lastName (table/field) and a helper component named "FL" for Form Library ;o), you could have a form helper function for getting field names that generates properly abstracted (non-sequential) names and call it like so:

<input type="text" name="#FL.getName('User.firstName')#" ...>

could produce:

<input type="text" name="F2AB83RR4" ...>

Whether you use this or not depends on your auditor's approach to security. Most apps I have seen do not go to this length.
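The two approaches sketched in the comment above (a lookup basis and an encryption basis), as an added example that is not part of the original post and is not the commenter's "FL" component. The class names, the `F`-prefixed token format and the field names are assumptions; the point shown is that the browser only ever sees opaque, non-sequential names, and that anything submitted under a name the form never handed out is dropped on the way back in rather than mapped to a database column.

```python
import hashlib
import hmac
import secrets


class LookupFieldMapper:
    """Reference (lookup) basis, hypothetical helper.

    get_name() hands out a random, non-sequential token for a logical field
    name such as 'User.lastName'. The token -> logical mapping lives
    server-side (e.g. in the session) and is consulted when the form posts.
    """

    def __init__(self):
        self._by_token = {}
        self._by_logical = {}

    def get_name(self, logical_name):
        # Render the same field twice in one form and it keeps one token.
        if logical_name in self._by_logical:
            return self._by_logical[logical_name]
        token = "F" + secrets.token_hex(5).upper()  # constructed format, e.g. F3A9C0D21E7B
        self._by_token[token] = logical_name
        self._by_logical[logical_name] = token
        return token

    def resolve(self, submitted):
        """Map submitted {token: value} back to {logical_name: value}.

        Names the form never issued are silently dropped, so a client cannot
        add a column the page did not expose.
        """
        resolved = {}
        for token, value in submitted.items():
            logical = self._by_token.get(token)
            if logical is not None:
                resolved[logical] = value
        return resolved


class HmacFieldMapper:
    """Encryption basis, hypothetical helper.

    Tokens are derived from a per-session secret with HMAC-SHA256, so no
    lookup table is kept; the same secret reproduces the token when the form
    comes back. Names are stable within a session and differ across sessions.
    """

    def __init__(self, session_secret, allowed_fields):
        self._secret = session_secret
        # Declare the fields the form may carry up front; nothing else resolves.
        self._tokens = {f: self._derive(f) for f in allowed_fields}
        self._reverse = {t: f for f, t in self._tokens.items()}

    def _derive(self, logical_name):
        digest = hmac.new(self._secret, logical_name.encode("utf-8"), hashlib.sha256).hexdigest()
        return "F" + digest[:10].upper()

    def get_name(self, logical_name):
        return self._tokens[logical_name]

    def resolve(self, submitted):
        return {self._reverse[t]: v for t, v in submitted.items() if t in self._reverse}


def render_form(mapper, fields):
    """Build the input tags a template would emit, using the opaque names."""
    return [f'<input type="text" name="{mapper.get_name(f)}">' for f in fields]


if __name__ == "__main__":
    mapper = LookupFieldMapper()
    for tag in render_form(mapper, ["User.firstName", "User.lastName"]):
        print(tag)
    # Constructed POST body: one legitimate field, one name the form never issued.
    posted = {mapper.get_name("User.firstName"): "Ada", "User.role": "admin"}
    print(mapper.resolve(posted))  # only User.firstName survives
```

The lookup variant needs session storage but lets tokens change on every render; the HMAC variant needs none but reveals that the same field has the same name for the life of the session. Either way, resolve() is the place where unknown names are discarded, so the mapping back to table and column names never trusts what the client sent.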

bman said...

It should be possible to do a remote presentation.

I am pretty booked the later part of October so the early part would be better.
Please email me if you want to discuss.
my email is: