Some of them might be differ from yours as they come from my laptop. For example, the value of IE8 involves .NET notations. That’s because I’ve installed .NET platform version 2.0, 3.0, 3.5 and 4.0. Thus, please don’t care about it.

Although there are more browsers, I think major browsers are already dealt.

Header Fields for HTTP Request

Most database management system enacted on RDBMS(Relational Database Management System) base. The keyword is “Relational.” The way how to make relations mostly determines the whole performance.

There are 3 types of relation – 1:1, 1:n and n:m. Let’s take a look for each.

One-to-One(1:1) relation
Although it is rarely used as all 1:1 relations can be expressed as one composite dataset, understanding the concept would help to see the connections more clear. A student and his student ID match is an example. One student has one ID and one ID is possessed by one student.

One-to-Many(1:n) relation
It is the most common relation that most hierarchical structure can be represented with it. For example, suppose that 16 full-time employees are working in a company. Then the company has 16 employees, and each employee belong to one company.

Many-to-Many(n:m) relation
This relation is the most complicated structure among relations so it requires the performance overhead. It traverses N*M times to search for data while One-to-Many relation does it N times. One of good examples is the relation between class and student. Students take many classes and each class has many students.

The key is that, avoid Many-to-Many relation to maximize performance. If it is inevitable, count the number of data records and control it with discussion. The performance is not to be ignored in web service.

There are two categories of user input: from character devices like keyboard and mouse, from inner process. An example of inner process is network packet-capturing. Anyway, I got to quote some code related to the first type of capture below. (Actually I don’t intend to post about the second type) Those implementations are actually in object-oriented structure. It is not that difficult so I just focused on the main issue rather than abstraction matter.

int idHook = NULL;
HHOOK hHook = NULL;

bool SetHook(HOOKPROC HookProc, HINSTANCE hInst) {

ClearHook();
hHook = SetWindowsHookEx(idHook, HookProc, hInst, 0);
return (hHook != 0);

}
bool SetHook(HOOKPROC HookProc, HINSTANCE hInst, DWORD dwThreadId) {

ClearHook();
hHook = SetWindowsHookEx(idHook, HookProc, hInst, dwThreadId);
return (hHook != 0);

}
void ClearHook() {

if (hHook) {

UnhookWindowsHookEx(hHook);
hHook = NULL;

}

}

It’s very simple idea to register or clear hook process. To get inputs from character devices, we can use WH_JOURNALRECORD for idHook variable. It hooks all the messages from keyboard and mouse, returns the specific values in HookProc event handler. SetHook function gets 2~3 arguments which are hook procedure, Window instance handle and not necessarily, thread ID. I set the HookProc like this.

LRESULT CALLBACK JournalRecordProc(int code, WPARAM wParam, LPARAM lParam) {

if (code >= 0) UserInteractionProc(wParam, lParam);
return CallNextHookEx(hHook, code, wParam, lParam);

}

JournalRecordProc seems to be simple and concise. UserInteractionProc represents an abstraction for disposal of the input message. That looks finished the implementation, however, there is a missing point. If user sends interrupt message, then the hook procedure would cease the operation. And the interruption easily occurs as Ctrl+ESC or Ctrl+Alt+Del key composition would make such an interruption. To retrieve the operation, you need to interleave a snippet of code lines.

// Here is message loop in Windows application
while (GetMessage(&msg, NULL, 0, 0)) {

// Retrieve the hook procedure here!
if (msg.message == WM_CANCELJOURNAL) SetHook(JournalRecordProc, hInst);

TranslateMessage(&msg);
DispatchMessage(&msg);

}

I checked out that it works well in Windows XP. For Vista and 7, additional authorization process needed. For more information, see the MSDN documentation here. It refers the User Interface Privilege Isolation (UIPI) and integrity in the lowest part of the document and you can get an answer for it.

Traditional programming process has its entry point, like main() function in C and the structure adopts the one way, imperative design. But life is not that simple for many events occur in every second. It is the reality, and traditional model is not proper solution for complicated world nowadays. That is the point that event-driven programming can be a solution. In the context, each event makes its entry point and may call the handler procedures.

Event is a sort of interaction and process is the thing which does something intended and planned in advance. The role of programmer is just to plan the structure and to connect events to pertinent procedures. Limited input devices are prevailing that it is so lucky to developers that they don’t need to concern matters out of the range.

A good example of event-driven development environment is web. Server application listens to any request and do something for client who wants response expected. It is not a kind of new thinking but does a great role in even a cloud computing technology and other new coming edges. Believe it or not, I convince that this model would survive more than 20 years for it is the very simility to human nature. The change would be in how to weave the abstraction and how to capsulate the inner model and contents.

High expectation yields abundancy in the reality. And you know what? Expectation is a kind of event as well. Service and experience is a looming keyword in the 21st centuries industry going through the main stream now. It is the era of interaction and it accords with new trend like SaaS and PaaS. No one-way, broadcasting level communication anymore.

The basic concept of multi-threading is this: divide and conquer. But you should not consider it of a speed-up engine which improves performance in proportional to the number of processors. There’s a way to determine the limit on the performance gaining from adding cores: Amdahl’s law. You can calculate total speed-up rate by using the formula below.

Speed-up-rate = 1 / (S + (1-S)/n)

Where S is the time spent executing the portion assigned to a thread or a processor and n is the number of processors. It shows that the speed-up rate would be decreased as the number of cores increases. Maximumly, if n goes to infinite, speed-up rate would converge to 1/S. For example, a task is divided into 10 parts and n is 2(dual-core), the speed-up rate for the task can be derived here: speedup = 1 / (0.1 + (1 – 0.1) / 2) = 1 / 0.55 ~= 1.8. (For quad-core, performance would increase more than 3 times according to the formula)

The actual importance is on its implementation. Even though the number of processor cores is numerous enough, the implementation may get down its performance. Parallelizing programming supports the hardware specification strongly and it’s ineluctable to increase performance. I’ve implemented a multi-thread processing library recently. And I want to reveal it in the part of running and waiting thread model which is implemented in C/C++ and Windows API.

First, I wrote the task class. It has 4 major member variables: a pointer for thread handler, that of parameter structure, thread handle, and its state. And the next, task manager class. It supports some methods to add/remove task objects, run, and wait. Now I open the code for Run and Wait functions.

// Run: run all of the waiting tasks
// _max_thread is determined by the number of processors
void wc_task_manager::Run() {

size_t thread_count= _active_tasks.size();
// if thread pull is not full and any waiting task exists, assign a waiting task to the idle thread
while(thread_count < _max_thread && _wait_tasks.size() > 0) {

wc_task* task = (wc_task*)(*_wait_tasks.begin());
task->_complete = running;

_wait_tasks.erase(_wait_tasks.begin());
_active_tasks.push_back(task);
thread_count++;
// CreateThread function is available only for windows.
task->_hThread = CreateThread(NULL, task->_stackSize, (LPTHREAD_START_ROUTINE)task->_handler, task->_param, 0, &task->_hID);

}

}

// Wait: wait for threads
// it uses 3 container member variables: wait_tasks list, active_tasks list, and complete_tasks map
void wc_task_manager::Wait() {

// do while active task exists
while(_active_tasks.size() > 0) {

// count the waiting objects
size_t numberOfCurrentHandle = _active_tasks.size();
if(numberOfCurrentHandle > MAXIMUM_WAIT_OBJECTS)
numberOfCurrentHandle = MAXIMUM_WAIT_OBJECTS;

// fill in the array of HANDLE
HANDLE hList[MAXIMUM_WAIT_OBJECTS];
int index = 0;
for(list<wc_task*>::iterator pt = _active_tasks.begin(); pt != _active_tasks.end(); advance(pt, 1)) {

wc_task* task = *pt;
hList[index] = (HANDLE)(task->_hThread);
index++;
if(index == numberOfCurrentHandle) break;

}

// waiting for signals
// _clockWait is set to 1 and that means it checks active threads each msec
DWORD signal = WaitForMultipleObjects((DWORD)numberOfCurrentHandle, hList, FALSE, _clockWait);

// if some task has been completed
if(signal != WAIT_TIMEOUT) {

wc_task* task = NULL;

// if some task finishes in success, set the state to complete
if(WAIT_OBJECT_0 <= signal && signal < WAIT_OBJECT_0 + numberOfCurrentHandle) {

HANDLE target_handle = hList[signal - WAIT_OBJECT_0];
task = GetActiveTask(target_handle);
if(task) task->_complete = complete;

}
// if abandoned, set the state to abandoned
else if(WAIT_ABANDONED_0 <= signal && signal < WAIT_ABANDONED_0 + numberOfCurrentHandle) {

HANDLE target_handle = hList[signal - WAIT_OBJECT_0];
task = GetActiveTask(target_handle);
if(task) task->_complete = abandoned;

}

// if task exists
if(task) {

// set the task to be complete and scheduling new task
pair<HANDLE, wc_task*> p(task->_hThread, task);
_complete_tasks.insert(p);
_active_tasks.remove(task);
Run();

}

}

}

It’s not perfect but well-tested version. The reason why I don’t open the rest of the code is that there might be lots of troubles to overhaul so as to avoid exceptional errors. But the above 2 functions are the core factors of the library and it can be refered into the other applications.

I couldn’t find any solution but a key structure. If you find some method that suffices the condition, you may get one of the most beautiful working solutions in the world. The simple is this: from randomly generated server-side private key Ks = { s1, s2, …, sk }, compose server-side public key Kf(s1, s2, …, sk). Client receives it and make a client-side private key Kc = { c1, c2, …, ck }. Lastly, client-side public key Kg(c1, c2, …, ck) should be bound to initial packet to server. The key solution is, a function list H = { H1, H2, …, Hk where Hi(Kg, si) = ci }. Now we can regulate it as below.

• Server generates server-side private key Ks and public key Kf.
• Client receives Kf and compose client-side private key Kc and public key Kg.
• Server gets client-side public key and takes Kc from Kg and Ks with function list H.

Let x be an original data packet. Then we can encrypt it into a cipher E = Encrypt(Kc, x). (Function Encrypt should be reversible and its reversed function may be Decrypt) If server knows or gets Kc (as both server and client have Kf, and Kg and server is able to compose Kc from H), then server can decrypt the message by calculating x = Decrypt(Kc, E). Then the transfered message is safe from sniffing and eavesdropping.

Here’re some preconditions each key generation must keep in.

• Client-side public key Kg must not be decrypted to private key Kc by public keys.
• Ks should not be predictable from public keys.
• Encrypt function should not leave any clue to be decrypted.

Famous algorithms like RSA, Diffie-Hallman exchange protocol also have this rule. I’ll keep researching for the algorithm and hope to find a great solution so that every web solution may have secure interactions between server and client. For more information about this issue, see http://en.wikipedia.org/wiki/Public-key_cryptography.

I introduce a security issue for web developers as I’m a web developer too. If you’ve researched about web security, you may have heard about XSS. What is XSS? XSS is acronym for cross-side script. You may ask, “Why not CSS but XSS?” Yes. That’s because CSS means Cascading Style Sheets which is used to dispose HTML document and its components. To avoid confusion with duplicated terms, we often call cross-side script XSS. The document, CERT Adversory CA-2000-02, is talking about XSS. And I’ll abridge the report and explain how to avoid malicious script insertion.

In the beginning, let’s define a key term. What is script? Script includes javascript, VBScript, etc. It would be dangerous if someone seeds his script for malicious intention in your site. By the reference, its impact can be huge enough even to expose SSL-encrypted connections. Attackers are able to steal your cookies. They can modify the behavior of forms, including how results are submitted. Javascript rules domain based security policies but it would be broken with XSS attack.

Then how can we escape? Users can do nothing for this problem. Oh, there’s one. Disabling scripting languages would work. But, I think nobody want to do it. The real solution is in the hand of developers. They should recode dynamically generated pages to validate output. That means whenever user’s input text is revealed, replace original one by safe one. Now, I show you characters which can be a risky factor.

• In the content of the block-level elements, special characters like “<”, “>” and “&” operates as a tag.
• In attribute values, quotation marks should be checked.
• In URLs, non-ASCII characters (especially “%”) should be filtered.

These facts can be solved with the following solutions.
http://www.cert.org/tech_tips/malicious_code_mitigation.html

C++ Example

BYTE IsBadChar[] = {
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0xFF,0xFF,0×00,0×00,0xFF,0xFF,0xFF,0xFF,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0xFF,0xFF,0×00,0xFF,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,0×00,
0×00,0×00,0×00
};

DWORD FilterBuffer(BYTE * pString,DWORD cChLen) {
    BYTE * pBad = pString;
    BYTE * pGood = pString;
    DWORD i=0;
    if (!pString) return 0;
    for (i=0;pBad[i];i++) {
        if (!IsBadChar[pBad[i]]) *pGood++ = pBad[i];
    };
    return pGood-pString;
}

JavaScript Example

function RemoveBad(InStr) {
    InStr = InStr.replace(/\</g,”").replace(/\>/g,”");
    InStr = InStr.replace(/\”/g,”")replace(/\’/g,”");
    InStr = InStr.replace(/\%/g,”").replace(/\;/g,”");
    InStr = InStr.replace(/\(/g,”").replace(/\)/g,”");
    InStr = InStr.replace(/\&/g,”").replace(/\+/g,”");
    return InStr;
}