Blog Archives

lastChild is null in FireFox works in IE invalid nodeType javascript c# asp .net

This issue eluded me at first, as it works in IE but not in FF. See the code below.

// Pass in the table id, the last cell number and the style to apply to it.
// Call this on hover and blur for cell highlight effects. Alternatively you can
// determine the last cell number as well, and this function could be rewritten to
// modify specific cells rather than only the last cell.
function ChangeTableCellStyle(tableid, cellnumber, mystyle) {
    if (document.getElementById) {
        var selectedElement = document.getElementById(tableid);
        selectedElement.className = mystyle;
        // Change style on end cell by drilling into table. This will become deprecated by CSS3.
        if (selectedElement.tagName.toLowerCase() == "table") {
            var tbody = selectedElement.lastChild;
            if (tbody != null) {
                var tr = tbody.lastChild; // BUGGED IN FF!
                if (tr != null) {
                    // nodeType should be 1 for element type. In FF it is 3.
                    // See reference link at bottom for list of types.
                    if (tr.nodeType != 1) {
                        // lastChild was not an element, so look the cells up by tag name instead
                        var cells = tbody.getElementsByTagName("td");
                        cells[cellnumber].className += ' ' + mystyle;
                    } else {
                        tr.lastChild.className += ' ' + mystyle;
                    }
                }
            }
        }
    }
}

// Example usage
ChangeTableCellStyle("table1", 3, "cellend"); // will append the class cellend to the last cell in table1 if table1 only has 4 cells per row

If you’re interested in reviewing other approaches to styling your table cells, see my similar article here.

Defend and Fix your site attacked by “lizamoon” and other types of SQL Injection

Before I discuss some of the more technical details regarding defense against “lizamoon” and similar attacks, an important note I would like to make to any business executives who may stumble across the article or hear it secondhand:

PCI

if you’re doing ecommerce… is a must!

In an ideal scenario, all developers should follow good coding practice such as SQL Command Parameterization, but realistically, depending heavily on the coding language being used, this is sometimes either difficult or simply forgotten.

PCI Compliance, or at least awareness of OWASP and PCI DSS 2.0 security standards, should be an important thought for anyone who is currently in or looking to get into ecommerce.

These standards help outline specific safeguards, and in the case of compliance, certify these safeguards with assessment scans that help developers identify and fix potential security flaws.

lizamoon

This latest exploit, currently live and in the wild at the time of writing this blog, is getting quite some fame for its scope in terms of the number of businesses affected.

As far as rarity or complexity goes, the attack is simply some cleverly crafted SQL Injection, which can be avoided altogether using SQL Command Parameterization.
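The difference between a concatenated SQL string and SQL Command Parameterization, as an added example that is not code from this post or from any affected platform. Python's sqlite3 stands in for the site's database, and the products table, the function names and the tampered value are all constructed for illustration.

```python
import sqlite3

def make_catalog():
    """Build a constructed in-memory product table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO products (id, title) VALUES (?, ?)",
        [(1, "Red mug"), (2, "Blue mug"), (3, "Green mug")],
    )
    conn.commit()
    return conn

def rename_concatenated(conn, product_id, new_title):
    """Vulnerable form: request values are pasted into the SQL text itself."""
    sql = "UPDATE products SET title = '" + new_title + "' WHERE id = " + product_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of rows the statement modified

def rename_parameterized(conn, product_id, new_title):
    """Hardened form: the SQL text is fixed and the values travel as parameters."""
    cur = conn.execute(
        "UPDATE products SET title = ? WHERE id = ?", (new_title, product_id)
    )
    conn.commit()
    return cur.rowcount

def titles(conn):
    """Return all product titles in id order."""
    return [row[0] for row in conn.execute("SELECT title FROM products ORDER BY id")]

# Constructed request value: the id field carries extra SQL text.
TAMPERED_ID = "1 OR 1=1"

def demo():
    """Run the same tampered request through both forms on fresh copies of the table."""
    a = make_catalog()
    changed_a = rename_concatenated(a, TAMPERED_ID, "REWRITTEN")
    b = make_catalog()
    changed_b = rename_parameterized(b, TAMPERED_ID, "REWRITTEN")
    return changed_a, titles(a), changed_b, titles(b)

if __name__ == "__main__":
    print(demo())
```

In the concatenated form the extra text becomes part of the WHERE clause and every row is rewritten; in the parameterized form the same value is compared as data against the id column and matches nothing.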

However, if you were victimized by this attack and are utilizing a system which your developers did not implement, you’re in a much tougher scenario since you probably cannot modify the code directly or even identify the attack’s point of entry.

As a quick fix and temporary workaround until a patch for your system is released, go through the following checklist:

1) Find out which ecommerce or web platform you’re using which has been compromised and open a support ticket/initiate a support call with your vendor.
2) Find out from your webmaster, provider or IT department whether you are using shared or cloud hosting, virtual dedicated hosting or dedicated hosting.
3) If you are using shared hosting, begin migration to a virtual dedicated or dedicated host, since you will not be able to make the necessary changes for the workaround fix on a shared or cloud host.
4) If you are on a virtual or fully dedicated plan, or newly migrated from shared hosting, note if you have a Windows or Linux machine.
5) On Windows, navigate to C:\windows\system32\drivers\etc\, on Linux go to /etc/. Note this path.
6) On Windows, open up notepad (right click and run as administrator if on Vista or later), on Linux open your favorite text editor as root or superuser.
7) In your text editor, open the “hosts” file located at the path you noted in step 5.
8) Add a new line pointing the lizamoon domain to your loopback address. (see code below)

127.0.0.1  lizamoon.com

How this works:

The hosts file maps machine names and domains to IP Addresses (although not vice versa), and overrides the resulting IP address you would otherwise receive from your DNS provider.

In terms of your ecommerce site, this translates to users clicking on a link on your site affected by the exploit, but instead of being directed to lizamoon.com like the attackers intended (no one knows yet why they are doing this...), the users will instead be bounced back to your site root (usually the homepage).

This gives you enough time to hunt down or wait for a more permanent patch, without putting your shoppers at increased risk and at least averting danger temporarily. I would highly advise anyone affected by this attack however to consider PCI auditing or at least security consultation regarding their ecommerce or web application.
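The hosts-file edit from steps 5 to 8, as an added example that is not code from this post: it parses hosts-file text and adds the loopback line only when it is missing. The function names and the sample file are constructed, and letting the earlier line win when a name appears twice is an assumption of this example.

```python
def parse_hosts(text):
    """Return {hostname: address} for hosts-file text; the earlier line wins (assumption)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if not line:
            continue
        fields = line.split()                  # columns may be separated by spaces or tabs
        if len(fields) < 2:
            continue                           # an address with no names maps nothing
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping

def ensure_entry(text, domain, address="127.0.0.1"):
    """Return hosts text with `domain` mapped to `address`, appending a line only if needed."""
    current = parse_hosts(text).get(domain.lower())
    if current == address:
        return text                            # already in place: leave the file unchanged
    if current is not None:
        # A conflicting mapping exists; do not silently stack a second line under it.
        raise ValueError(f"{domain} is already mapped to {current}; edit that line by hand")
    if text and not text.endswith("\n"):
        text += "\n"                           # never glue the entry onto the last line
    return text + f"{address}  {domain}\n"

# Constructed sample hosts file; the commented-out line must not count as an entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
# 127.0.0.1 lizamoon.com
"""

if __name__ == "__main__":
    print(ensure_entry(SAMPLE_HOSTS, "lizamoon.com"))
```

Read the file from the path noted in step 5, pass its contents through `ensure_entry`, and write the result back with administrator or root rights. The hosts file is consulted only by the machine it is stored on.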
