Archive for October, 2013

Getting Django running on CentOS 6

Trying to follow this guide: www.digitalocean.com/community/articles/how-to-install-and-configure-django-with-postgres-nginx-and-gunicorn

epel6 rpms only seem to install 8.4 at this time, not 9.3 (strangely, since 8.4 isn’t supported anymore, so… I have many questions)

Official 9.3 installation go! wiki.postgresql.org/wiki/YUM_Installation

But WTF1: It was installed to /usr/pgsql-9.3, which wasn’t in the search path, so createdb and all the other commands didn’t work.

Had to su postgres, cd /usr/pgsql-9.3/bin, ./createdb trailstest, ./createuser -P -s trails

And I only discovered it was in /usr/pgsql-9.3 because I did rpm -ql postgresql93-server

yum install virtualenv step went fine

yum install libpq-dev python-dev was wrong; yum install postgresql93-devel python-devel was the correct command

pip install psycopg2 failed because pg_config wasn’t in $PATH – surprise, surprise. export PATH=$PATH:/usr/pgsql-9.3/bin fixed that… (Also, I discovered that there’s no spacing for a reason! Bash syntax!)

And then I got a gcc not found message. My bad, though it’s not a dependency of python-devel? A yum install gcc later, and we’re good…

And now it’s password authentication. I created a user, but it’s not working… even root is failing…

>Pizza Interlude<

So, I had “Peer authentication failed” messages, and “Ident authentication failed” messages. I fixed the issue: remove everything from the config file; it defaults to connecting over the local UNIX socket and using the username which it is running as, so that user has to exist in postgres. If I want it to work with a specific username/password combination, I’d have to edit the hba.conf file to get any other authentication scheme running.
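For reference, this is the shape of the pg_hba.conf that those two error messages come from. It is an added example, not the stock file and not from the original post. The first matching line wins, so order matters. A `local` line covers Unix-socket connections, and `peer` there checks that the OS user running the client is the same name as the PostgreSQL role (hence “Peer authentication failed” when connecting as anyone but postgres). `host` lines cover TCP, and the packaged default `ident` asks an identd on the client for the OS username and fails the same way. To let the post’s `trails` role log in with the password given to `createuser -P`, add `md5` lines for it ahead of the defaults (9.3 predates scram-sha-256), never `trust`, then reload with `pg_ctl reload` or `SELECT pg_reload_conf();`. The database and role names are the post’s; the rest is assumed.

```text
# TYPE  DATABASE    USER    ADDRESS         METHOD

# Weak setting, shown for contrast: anyone who reaches the socket is any role, no password
# local   all         all                     trust

# Django over the Unix socket as the 'trails' role: password (md5 challenge-response)
local   trailstest  trails                  md5
# Django over TCP (HOST='127.0.0.1' in settings.py): same role, same check
host    trailstest  trails  127.0.0.1/32    md5
host    trailstest  trails  ::1/128         md5

# Packaged defaults stay below: OS-user match on the socket, identd on loopback
local   all         all                     peer
host    all         all     127.0.0.1/32    ident
host    all         all     ::1/128         ident
```

With the `trails` lines above the `peer` line, `psql -U trails trailstest` from any OS account prompts for the password instead of failing peer auth; the postgres OS user still gets in as the postgres role without one.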

Trying to get DNS working… the new domain isn’t resolving on the UWaterloo DNS servers, but it’s showing up on other servers. Trying to get dig installed, but I’m getting yum timeout errors. Realised belatedly that I blocked outgoing HTTP connections. Re-ran the iptables rule-adding with dport and sport swapped for INPUT and OUTPUT. Now everything is working; dig shows the domain is resolving, so I’m just going to wait a while for UW to realise that a new subdomain exists…

Gunicorn is complaining about missing Django project files when I try to run it and bind to port 8001. Mkay, noted. The Django dev server (python manage.py runserver example.com:8001) gives me a working page, and I can get to it, so Django is set up! Wohoo! Time to get some GPS-encoded-in-EXIF images up…


Django + Nginx resources

For SE Hack Day:

michal.karzynski.pl/blog/2013/06/09/django-nginx-gunicorn-virtualenv-supervisor/ looks the best (along with michal.karzynski.pl/blog/2013/07/14/using-redis-as-django-session-store-and-cache-backend/)

wiki.nginx.org/DjangoFastCGI and https://code.djangoproject.com/wiki/DjangoAndNginx are Django + FastCGI

adambard.com/blog/start-to-finish-serving-mysql-backed-django-w/

blog.richard.do/index.php/2013/04/setting-up-nginx-django-uwsgi-a-tutorial-that-actually-works/

serverfault.com/questions/370525/nginxdjango-serving-static-files/370573#370573

stackoverflow.com/questions/17511466/deploying-django-on-nginx

www.digitalocean.com/community/articles/how-to-install-and-configure-django-with-postgres-nginx-and-gunicorn because postgres


CSS animations/transitions

Posted a bunch of stuff I came across to the WaterlUX group page, figure I might as well document them here too:

ricostacruz.com/jquery.transit/ (Lovely lovely annotated source at ricostacruz.com/jquery.transit/source/)

daneden.me/animate/ – Memories of Overused Powerpoint animations spring to mind… But I can see using the attention getters & fadeIn/Outs on a webpage.

Also, ninjaui.com/ for icons without retrieving icon/font files (ie. all in JS)


‘Solving’ SQL injection in Java

So during the summer I worked on a large enterprisey Java program. (Singleton pattern ahoy!)

One of the annoying things (besides massive code duplication) was that it used database queries that naively appended user input (particularly search queries) onto selects.

And from my web background, I knew that SQL injection makes wiping the table trivial. Or even dropping the database.

So I wanted to convert as much stuff to a prepared statement as possible.

I started off with this:

Statement stmt = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
// The input box text is spliced straight into the SQL string: this is the injection point
ResultSet rs = stmt.executeQuery("select * from view where date = ' "+ inputBox.toString() + " ' ");
if (rs.first()) {
    // ...
}

Trial and error got me this:

PreparedStatement test = conn.prepareStatement("select * from viewCalendar where date = ?");
// java.sql.Date has no String constructor; valueOf() parses "yyyy-[m]m-[d]d" and throws on anything else,
// so the input is checked as a date and bound as a value, never as SQL text
test.setDate(1, java.sql.Date.valueOf(inputBox.toString()));
ResultSet rs = test.executeQuery();
// No scroll type was requested, so this ResultSet is TYPE_FORWARD_ONLY and first() throws; next() moves onto the first row
if (rs.next()) {
    // ...
}

The hardest part was replacing the functionality of rs.first() – the rest of the code requires a ResultSet that’s started at the first row, but the ResultSet returned by the prepared statement wasn’t. But the Java API docs had the solution – next() “moves the cursor forward one row from its current position. A ResultSet cursor is initially positioned before the first row; the first call to the method next makes the first row the current row.”

Doing this also makes the code cleaner – instead of having

if (rs.first()){
  do {
    //bunch of stuff
  } while (rs.next());
}

The equivalent becomes

while (rs.next()){
    // Bunch of stuff
}

which I consider a whole lot cleaner & easier to read.

So I got my fix – my naive selects were now using PreparedStatements (also, possibly JDBC/MSSQL execution path caching?), hence the solved bit in the title.

However, searches are still an issue – because the multiple criteria used result in a variable number of parameters, and PreparedStatement doesn’t support a variable number of parameters, I didn’t see an alternative to assembling a string, even if I modified the logic to insert nulls – because that would just cause the database to return no rows, since the columns don’t have NULL in the rows that I would want.

Hence the quotes around solved. 🙁

===

And a bonus: When assembling a variable parameter where string, don’t use

if (where.isEmpty()) where = string;
else where += " or " + string;

For one or two parameters it’s ok. But for 20+ parameters, you’re going to have a stupid amount of if/else blocks. I used an ArrayList (variable length!) of type string, and then had a method called buildWhere(ArrayList<String>) that builds a string parameter by parameter with ORs in the appropriate places.
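The variable-criteria search and the buildWhere helper above can both be parameterised after all: grow the SQL text with ? placeholders while collecting the matching values in a parallel list, then bind them by index, so the placeholder count varies but user input never enters the SQL string. This is an added example and not code from the original program; the viewCalendar view is the post’s, while the column names, the Query holder and the buildSearch/runSearch names are assumed. Column names cannot be bound with ?, so they come from a fixed whitelist, which is the one place string assembly still happens.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public final class SafeSearch {

    // Column names cannot be bound with '?', so the searchable columns are fixed in code.
    // Assumed columns for the post's viewCalendar view.
    private static final Set<String> SEARCHABLE =
        new HashSet<String>(Arrays.asList("title", "location", "organiser"));

    /** SQL text with '?' placeholders plus the values to bind, in placeholder order. */
    static final class Query {
        final String sql;
        final List<Object> params;
        Query(String sql, List<Object> params) { this.sql = sql; this.params = params; }
    }

    /**
     * Builds "select * from viewCalendar where col1 = ? or col2 = ? ..." from the
     * criteria map (insertion order preserved by LinkedHashMap). Blank criteria are
     * skipped instead of being turned into "= NULL", and an empty map yields no
     * WHERE clause at all. Only the whitelisted column names reach the SQL text.
     */
    static Query buildSearch(Map<String, String> criteria) {
        StringBuilder sql = new StringBuilder("select * from viewCalendar");
        List<Object> params = new ArrayList<Object>();
        String sep = " where ";
        for (Map.Entry<String, String> e : criteria.entrySet()) {
            if (!SEARCHABLE.contains(e.getKey())) {
                throw new IllegalArgumentException("not a searchable column: " + e.getKey());
            }
            String value = e.getValue();
            if (value == null || value.isEmpty()) {
                continue;
            }
            sql.append(sep).append(e.getKey()).append(" = ?");
            params.add(value);
            sep = " or ";
        }
        return new Query(sql.toString(), params);
    }

    /**
     * Binds the collected values and runs the query. The caller iterates with
     * rs.next() and closes the ResultSet's Statement when finished.
     */
    static ResultSet runSearch(Connection conn, Map<String, String> criteria) throws SQLException {
        Query q = buildSearch(criteria);
        PreparedStatement ps = conn.prepareStatement(q.sql);
        for (int i = 0; i < q.params.size(); i++) {
            ps.setObject(i + 1, q.params.get(i)); // JDBC parameter indexes start at 1
        }
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed input: the second value is an injection attempt that stays a plain string
        Map<String, String> criteria = new LinkedHashMap<String, String>();
        criteria.put("title", "hack day");
        criteria.put("organiser", "");
        criteria.put("location", "'; drop table viewCalendar; --");
        Query q = buildSearch(criteria);
        System.out.println(q.sql);
        System.out.println(q.params);
    }
}
```

Because the whitelist is the only source of column names, the per-criterion if/else ladder disappears with it; and since every criterion in the post’s buildWhere is an OR on the same kind of comparison, the same loop serves a single-column "date = ? or date = ?" search, which the database treats like an IN list.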


I broke… Java?

A... C error. In Java.  Huh.


Something from my summer job. I found it horribly amusing.

===

And then I fixed it.
