Safe from hackers, safe from users. Movable Type takes CAPTCHA to the next level!
When security goes too far…
The declining value of testers (or signs that all that government debt is a problem)
I knew the market wasn’t quite what it was, but this job ad today surprised even me.

Something to try if Squirrel SQL stops working on Windows
I’ve been using the free Squirrel SQL client under Windows for a month or so now. It’s a good tool, though somewhat annoying to get working. Today it stopped working. The loading splash screen would display, the progress bar would get about halfway through and then Squirrel would exit without any messages. I had no desire to recreate all of my connections or reinstall the various drivers again, so I really wanted to fix my installation.
After trolling through forums, there was a suggestion that the problem may have been preferences-related. No precise solution was offered, but I began to experiment to see if this was my problem.
First, I found the preferences folder, which lives in Windows’ Documents and Settings folder (e.g. c:\Documents and Settings\). Inside this folder will be Squirrel’s preferences folder, named ‘.squirrel-sql’. I renamed this and restarted Squirrel. Things looked good with the application starting, so it seemed I was looking in the right place. In order to troubleshoot further, I wanted to restore the state of the application, so I renamed the new preferences folder that Squirrel had created and tried to rename the old preferences folder.
No luck! Windows didn’t like me trying to rename the folder back to its original name. I ran Squirrel again, which caused Squirrel to create another preferences folder. I now had three folders – squirrel-sql.old, squirrel-sql.new and the current preferences folder ‘.squirrel-sql’. I opened the old preferences folder, copied the contents and pasted them into the ‘.squirrel-sql’ folder.
Looking inside the preferences folder, I could see two folders, ‘plugins’ and ‘logs’. I could also see a number of XML files. Now that I had found the broad area I needed to investigate, I wanted to only change one element at a time. As my main objective in resurrecting Squirrel was to not lose my database connections and plugins, I ignored the XML files that were related to these, and looked at the most interestingly named file, ‘prefs.xml’. I renamed this to ‘prefs.xml.bak’ and restarted Squirrel. Still no joy, so I closed Squirrel and restored the original name of the file.
I repeated this step for ’sql_history.xml’, thinking that this file might be dynamic enough to cause problems. Again, Squirrel failed to start correctly.
Next, was a file named SQLAliases23_treeStructure.xml. Suspiciously, this was zero bytes, which seemed odd for something that looked like it was supposed to contain some kind of data structure. I added a ‘.bak’ extension to this and restarted Squirrel again.
Success! I closed Squirrel and I could see that it had recreated the SQLAliases treeStructure file again, this time with data. I restarted Squirrel one more time to make sure that there wasn’t some recurring problem with my database aliases, and it happily started again with my connections and query history intact.
It's a good thing I saved this in my Amazon wishlist…
Otherwise, I might not be able to remember to buy it later.

Farewell 2007…
Well, a new year is upon us, and I’d like to thank everyone who has checked in on my blog this year. As a rough guess, my readership has quadrupled or quintupled this year. Google Analytics gives me a nice perspective on this:

As a personal highlight, I stuck to the blogging commitment I made for myself at the beginning of 2007. This year, I’m hoping to get a little more reference material on the site. This will cover test strategy, testing heuristics and checklists. I’m also going to try and fix the styling on blog entries in the RSS feed.
I came across a few interesting real-world bugs in the last month or so. Without further ado, here they are. I’ve mapped them to some new-year resolutions.
Be discreet
Don’t show people anything you don’t want them to see.

This screenshot came from an online competition. I expect they’re showing me a little more than they expected to. URL hacking is your (testing) friend.
Don’t be negative
This one was interesting. I haven’t had time to investigate, but can imagine a few scenarios:

Finally, the classic. It turns out that the developer of this Sega title didn’t expect anybody to keep playing this tennis game after there was no further reward. Specifically, they didn’t expect anyone to troll through 70 more games of tennis when there was no longer any scope for player development.

The cool part of this bug was that I initially missed it. My points total was at 125, and I played another round. I saw the score go to 126 without realising that the score was actually minus 126. My initial thought was that the developer had simply limited the score to 126 as a maximum. But, like a true tester, I decided to play one more round just to make sure that there was nothing else strange going on. It was then that the score continued overflowing, and went to minus 121. I had to look really closely to notice the minus sign, as my brain assumed that the dash was simply a separator between the point label and the point value. Pushing further made the bug more obvious. Now to find out if the overflow can overflow into anything important.
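The score sequence above (125, then minus 126, then minus 121) is exactly what a signed 8-bit counter does when 5 points are added per game: 130 does not fit in a byte and wraps to 130 - 256 = -126. The following is an added illustration, not code from the game or from the post; the 5-points-per-game figure and the 8-bit width are assumptions inferred from the numbers quoted, and the helpers are generalised to any counter width so the same oracle can be used on other score fields.

```ruby
# Reduce an unbounded integer to what a two's-complement counter of +bits+
# bits would actually hold: the value wraps modulo 2**bits into the signed
# range [-2**(bits-1), 2**(bits-1) - 1].
def wrap_signed(value, bits)
  modulus = 1 << bits
  half = modulus >> 1
  ((value + half) % modulus) - half
end

# Same reduction for an unsigned counter: wraps into [0, 2**bits - 1].
def wrap_unsigned(value, bits)
  value % (1 << bits)
end

# Score the game would display after +games+ games. Defaults are the
# assumed tennis case from the post: 5 points per game, signed 8-bit store.
def displayed_score(games, points_per_game: 5, bits: 8, signed: true)
  total = games * points_per_game
  signed ? wrap_signed(total, bits) : wrap_unsigned(total, bits)
end

# Number of games after which the displayed score first goes wrong
# (negative for a signed counter, smaller than the previous value for an
# unsigned one). This is the oracle a tester wants before grinding through
# rounds by hand: it says exactly how far to push.
def games_until_wrap(points_per_game: 5, bits: 8, signed: true)
  limit = signed ? (1 << (bits - 1)) - 1 : (1 << bits) - 1
  (limit / points_per_game) + 1
end

# Walk the sequence the post describes so the wrap is visible in one place.
def score_trace(first_game, last_game, **opts)
  (first_game..last_game).map { |g| [g, displayed_score(g, **opts)] }
end
```

With the defaults, `games_until_wrap` returns 26 and `score_trace(25, 27)` yields 125, -126, -121, matching the post; switching to `signed: false` or `bits: 16` shows where an unsigned or wider counter would fail instead.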
Anyone for 65,280 games of tennis?
Web testing security, or Does your website help spammers?
Today I was trolling through my Yahoo mails, and noticed that a spam message had made it through to my inbox. I read through my mail, expecting to just delete the spam message when I eventually got to it. When I did, it struck me as unusual. In addition to the message body, there was the usual link. But it looked like this:
http://www.google.com/search?hl=en&q=inurl:ma…….ls&btnI=I=Im+Feeling+Lucky
I was surprised. It was a link to a Google search. I hovered over the link, and it wasn’t just a clever ploy to make me think I was going to Google. It was actually a spammer exploiting Google’s functionality to redirect someone unwittingly to the spam site.
If you want to see this in action (the link above won’t work), you can try this:
http://www.google.com/search?hl=en&q=inurl:quinert.com&btnI=I=Im+Feeling+Lucky
Now, you can probably filter this just by looking for the “Im+Feeling+Lucky” keyword, since it is highly unlikely that anyone would send you a legitimate URL containing it. But it does point to an interesting kind of exploit that we need to be aware of when we develop websites: any feature that redirects a visitor based on request parameters can be borrowed by a spammer to dress up a link with a trusted domain. More generally, when we are testing a web-based product and we think about security risks, we also need to think about how our website might help spammers.
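The keyword filter suggested above can be made a little more precise by parsing the link instead of grepping for it: the giveaway is the btnI parameter (the “I’m Feeling Lucky” button) on a Google /search URL, which sends the visitor straight to the top result. The following is an added example, not code from the post or from any mail filter; the sample message is constructed, with the one working link taken from the post, and the host list covers only the case described here.

```ruby
require 'uri'
require 'cgi'

# Google hosts whose /search endpoint honours the "I'm Feeling Lucky"
# button parameter (btnI) and so bounces the visitor to the top result.
# Illustrative list: only the case from the post is covered.
LUCKY_HOSTS = %w[google.com www.google.com].freeze

# True when +url+ is an "I'm Feeling Lucky" search, i.e. a link that looks
# like Google but lands on whatever site the query ranks first.
def feeling_lucky_redirect?(url)
  uri = URI.parse(url)
  return false unless uri.is_a?(URI::HTTP)   # URI::HTTPS is a subclass, so https is covered
  return false unless LUCKY_HOSTS.include?(uri.host.to_s.downcase)
  return false unless uri.path == '/search'
  CGI.parse(uri.query.to_s).key?('btnI')     # presence of btnI is what triggers the redirect
rescue URI::InvalidURIError
  false                                      # junk that does not parse is not a redirect
end

# Rough link extractor for plain-text mail bodies.
URL_RE = %r{https?://[^\s<>"']+}

# All links in +body+ that are feeling-lucky redirects; an empty array means
# the message is clean as far as this check goes.
def lucky_links(body)
  body.scan(URL_RE).select { |u| feeling_lucky_redirect?(u) }
end

# Constructed sample message; the first link is the working one from the post.
SAMPLE_BODY = <<~MAIL
  Cheap meds, no prescription needed!
  Click here: http://www.google.com/search?hl=en&q=inurl:quinert.com&btnI=I=Im+Feeling+Lucky
  Unsubscribe: http://www.google.com/search?q=unsubscribe
MAIL
```

Running `lucky_links(SAMPLE_BODY)` returns only the first link; the second is an ordinary search and is left alone, which is the false positive a plain keyword match on “google.com/search” would have produced.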
The most common function of this type that leaps to mind is the ‘Email to a friend’ feature, where, using tools like WebScarab or a hand-crafted HTML form, an attacker can make the website send anonymous or faked emails to anyone they like, with the site’s own mail server and domain lending the message credibility.
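What a hardened ‘Email to a friend’ handler looks like, as an added example rather than code from the post or from any real site: the sender is fixed, the subject is a template, user text only ever appears in the body under a label, recipients and note length are capped, header-breaking characters are rejected, and each account is rate limited. Field names (to, item, note), the limits and the noreply address are all assumptions.

```ruby
# Assumed limits and fixed sender for the illustration.
MAX_RECIPIENTS  = 3
MAX_NOTE_LENGTH = 300
EMAIL_RE        = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/   # no whitespace, so no CR/LF in a header
FIXED_SENDER    = 'noreply@example.com'              # never taken from the request

# Per-user sliding-window limit: at most +limit+ sends per +window+ seconds,
# so a registered account cannot be turned into a bulk mailer.
class RateLimiter
  def initialize(limit, window)
    @limit = limit
    @window = window
    @sent = Hash.new { |h, k| h[k] = [] }
  end

  def allow?(key, now = Time.now)
    @sent[key].delete_if { |t| now - t > @window }   # forget sends outside the window
    return false if @sent[key].size >= @limit
    @sent[key] << now
    true
  end
end

# Collapse anything that could end a header line into a space.
def header_safe(text)
  text.to_s.gsub(/[\r\n\t]+/, ' ').strip
end

# Returns [:ok, message_hash] or [:error, reason]. The caller only ever sends
# what :ok returns, so request data never reaches an SMTP header unchecked.
# +current_user+ comes from the session, not the form, so the "from whom"
# line cannot be faked.
def build_friend_email(params, current_user, limiter, now = Time.now)
  return [:error, 'login required'] if current_user.nil? || current_user.empty?

  recipients = Array(params['to']).map { |r| r.to_s.strip }.reject(&:empty?)
  return [:error, 'no recipient'] if recipients.empty?
  return [:error, 'too many recipients'] if recipients.size > MAX_RECIPIENTS
  return [:error, 'invalid recipient'] unless recipients.all? { |r| r.match?(EMAIL_RE) }

  # The item is a short identifier the site already knows, not free text.
  item = params['item'].to_s.strip
  return [:error, 'unknown item'] unless item.match?(/\A[A-Za-z0-9 _-]{1,80}\z/)

  note = params['note'].to_s
  return [:error, 'note too long'] if note.length > MAX_NOTE_LENGTH

  return [:error, 'rate limited'] unless limiter.allow?(current_user, now)

  user = header_safe(current_user)
  [:ok, {
    from:    FIXED_SENDER,
    to:      recipients,
    subject: "#{user} thought you might like #{item}",        # fixed template
    body:    "#{user} (a member of example.com) recommends \"#{item}\".\n\n" \
             "Their note:\n#{note}\n\n" \
             "This message was sent through the site's tell-a-friend form."
  }]
end
```

The test a tester would run against the real feature is the inverse of each check here: drop the login cookie, put a CR/LF and a second header in the recipient field, send a hundred recipients, and replay the request in a loop. A site that accepts any of those is helping spammers.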
What others can you think of?
Every tester needs a healthy dose of paranoia
I wonder if Google testers think like this?
Ruby, windows, command lines and problems
I’ve been building tools for web service testing using Ruby and its SOAP libraries. I hope to write more on this later, but for now, a pointer to a simple problem that took up far too much time.
My test toolkit has three small programs, each providing different services. The first can be passed a list of named test conditions. It queries the database and returns identifiers for data which matches the test condition of interest. This list of identifiers is dumped to a file. The file is passed to the oracle program as input, generating expected results for the items requested. The list of identifiers is also passed to the web service. The output of the oracle and the web service are in the same format, so it’s then a simple case of automatically comparing the two outputs as files, using diff.
I can also use these tools interactively to run ad-hoc queries on the database and web service, so these tools give me a nice interface for exploratory testing, as well as being able to automate and integrate with the build if need be.
The simple batch file to execute all tests looks something like this:
————
REM 1. Create the list of things to request from the web service
get_test_data_items > datalist.txt
REM 2. Generate expected results using the list created, and dump the output to a file
generate_expected_results < datalist.txt > expected.txt
REM 3. Query web service for the list of items
query_webservice < datalist.txt > actual.txt
REM 4. Check that actual matches expected using Unix diff
diff actual.txt expected.txt
————
Note that the first three commands are Ruby scripts, so Windows kindly lets me omit the ‘.rb’ extension.
It turns out that this is a bad thing. Letting Windows figure out the file association means that cmd.exe starts the script through the registered handler for .rb files rather than as a direct child process, and the redirected standard input and output handles are not inherited by the Ruby interpreter that the association launches. The script therefore runs with no usable stdin, and the first read on it fails.
The telltale error message for this problem is this:
D:/test/query_webservice.rb:32:in `gets': Bad file descriptor (Errno::EBADF)
        from D:/test/query_webservice.rb:32
The simple workaround is to bypass the ruby file association and explicitly invoke ruby:
ruby get_test_data_items.rb > datalist.txt
ruby generate_expected_results.rb < datalist.txt > expected.txt
ruby query_webservice.rb < datalist.txt > actual.txt
Now it all works.
There’s a more detailed description of the problem here: http://mail.python.org/pipermail/python-bugs-list/2004-August/024920.html
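The bare Errno::EBADF backtrace above is an unhelpful way to learn about a launcher problem, and the diff step only gives a pass/fail exit code. As an added example (not the post’s own scripts), here is how the three scripts could read their identifier list defensively and compare oracle and web service output per identifier. The tab-separated “id, result” layout and a script calling `read_identifiers($stdin, ARGV[0])` are assumptions; the post only says the two outputs share a format.

```ruby
require 'stringio'

# Reads one identifier per line from +io+ (normally $stdin), ignoring blank
# lines and surrounding whitespace. If the stream cannot be read, which is
# what Errno::EBADF means when cmd.exe has started the script through the
# .rb file association instead of handing it the redirected file, fall back
# to +fallback_path+ when one was given, otherwise fail with a message that
# names the fix instead of a bare backtrace.
def read_identifiers(io, fallback_path = nil)
  io.each_line.map(&:strip).reject(&:empty?)
rescue Errno::EBADF, IOError => e
  unless fallback_path
    raise "standard input is not readable (#{e.message}); " \
          'run the script as `ruby script.rb < datalist.txt` or pass the file as an argument'
  end
  File.readlines(fallback_path).map(&:strip).reject(&:empty?)
end

# Parses tab-separated "id<TAB>result" lines into a hash. The layout is an
# assumption; both the oracle and the web service client are taken to emit it.
def parse_results(text)
  text.each_line.each_with_object({}) do |line, acc|
    id, value = line.chomp.split("\t", 2)
    acc[id] = value unless id.nil? || id.empty?
  end
end

# Per-identifier comparison of oracle output against web service output.
# Returns the discrepancies (empty when they agree), which is what the diff
# step establishes but in a form a script can act on: a missing identifier
# on either side shows up as nil rather than as an unrelated line shift.
def compare_results(expected, actual)
  (expected.keys | actual.keys).sort.each_with_object([]) do |id, diffs|
    next if expected[id] == actual[id]
    diffs << { id: id, expected: expected[id], actual: actual[id] }
  end
end
```

With this in place the batch file can stay as it was while the scripts are being run by hand, and the error, if the association bites again, says what to type.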
As a side note, I’m calling ‘diff’ from the GNU utilities for Win32 (http://unxutils.sourceforge.net/) package, a collection of Unix utilities to make the Windows command line a little friendlier. Laziness is what got me into this problem in the first place. In the spirit of laziness, I’ve also installed a bash shell for Windows. By configuring bash to keep a history of the last 5000 commands, I get automatic logging of my test activities as well.
Bug, or not?
What do you think?

