user1 = {:name => "Shanison"}
user2 = {:name => "Lin"}

Above codes actually only creates 1 symbol object, 2 strings object and 2 hash objects. Imagine that you are creating a lot of hash, the :name symbol would save a lot of object creation. You can even query all the symbols in your program:

Symbol.all_symbols # return an array of symbols

Enough about the introduction to symbols. What I want to talk about is actually about Hash. When constructing a hash, you would use symbol as the keys quite often. Probably due to this reason, in Ruby 1.9 it introduced a new Syntax for Hash.

user1 = {name: "Shanison"}
user2 = {name:  "Lin"}

At first glance, this looks pretty much like syntax for defining javascript object. Looks great. However, take note that the colon must be right after the key without any space. So it is not exactly the same as javascript object syntax.

user1 = {name : "Shanison"} # This will cause syntax error

This shorten syntax sometimes looks short and sweet when you pass it as a parameters.

server = Server.new(
addr: "192.167.123.1",
user: 'id_'
)
# Compares to Below
server = Server.new(
:addr => "192.167.123.1",
:user => 'id_'
)

However, do note that this syntax only works for symbol keys. So if you want to use strings or numbers as the hash keys, you can’t write the syntax in this way. e.g. Below code would return you error:

user1 = {"name": "Shanison"}  # Give Syntax error
user2 = {1:  "Lin"} # Give Syntax error

You can even mix the syntax when your hash has both symbol and numbers as keys, although the combination looks funny.

user1 = {name: "Shanison", 1 => "one"}

However, when your value is also a symbol, this syntax looks really funny:

user1 = {name: :source}

Due to above reasons, I still prefer the old syntax. It is just an options and personal preference, so there is no right or wrong in which syntax you adopt.

Below code is working fine on my local machine under ruby 1.8.7 with nokogiri version 1.5.9:

require 'nokogiri'
require 'open-uri'
require 'net/http'

doc = Nokogiri::HTML(open('http://shareinvestor.com'))
puts doc.text

However above code is giving me problems on production servers with ruby 1.8.7 and nokogiri version 1.5.9. The last line returns empty string instead of the whole html. The only difference between the two servers is the ruby patch levels:

my local machine: ruby 1.8.7 (2011-02-18 patchlevel 334) [i686-darwin10.6.0]
production server: ruby 1.8.7 (2009-3-1 mbari 8B/0×8770 on patchlevel 72) [i686-linux]


So I thought the open-uri.rb might be different, checking the open-uri.rb found out that they are exactly the same. So I can’t think of any cause that is causing this problem.

Anyway below is the fix if you met this issue. You have to use File.read to read the html opened by open-uri.

require 'nokogiri'
require 'open-uri'
require 'net/http'

doc = Nokogiri::HTML(File.read(open('http://shareinvestor.com').path))
puts doc.text # this one now returns the correct html

The whole project structure has changed quite a lot between Rails 2 and Rails 3 especially with the introduction of asset pipeline and bundlers. The easier way to upgrade your apps is to create a blank new Rails 3 apps and move in all the new folders into your old Rails 2 apps. For the files with the same names under same directories e.g. config/environments.rb, config/environments/production.rb, there are some API/format changes, so you need to compare the contents and see how to merge them. After you have done that, you can try to start your rails applications, which I believe the server can’t even be started. You should check every single error messages shows up in the console and fix them one by one until everything is fine. Below are some major changes that I met with.

1. For the app/controllers/application.rb, it should be named as application_controller.rb now. Otherwise ‘uninitialized constant ApplicationController’ would be thrown.
2. ENV['RAILS_ENV'] is now deprecated, use Rails.env instead.
3. Rails.root class used to be String. Now it is changed to PathName. So you can’t do things like below:

   File.read(Rails.root + "/config/streaming_config.yml")

4. lib folders are not auto loaded. So you will see some missing constant errors. To auto load the lib folders add below two lines to the config/application.rb.

   config.autoload_paths += %W(#{config.root}/lib)
   config.autoload_paths += Dir["#{config.root}/lib/**/"]

5. filter_parameter_logging is no longer available. To filter out the parameters you can do it in the config/application.rb.

   config.filter_parameters += [:password]

6. You cannot access controller methods in the view with @controller anymore. You have to use controller instead.
7. For action view rendering, you no longer need to call h(string) to escape HTML output, it is on by default in all view templates. In Rails 2 you need to do below to escape the parameters, if not, you are vulnerable for XSS attacks.

   <%= h @params[:user_name] %>

   In Rails 3, this html escape is on by default. However if the variable or contents you are trying to render contains html, and you want to render the html you have to explicitly call raw methods or html_safe method.

   <%= raw @page.content %>

   <%= @page.content.html_safe %>

   I forget to put raw or html_safe in some of the views, and it renders escaped html instead. So you may want to check across the whole site to make sure everything is alright.

8. For form_tag and form_for, you need to use <%= %> instead of <% %>, otherwise the form won’t be rendered at all.
9. will_paginate 2 won’t work with Rails 3. Have to upgrade to will_paginate 3 otherwise uninitialized constant ActiveRecord::Associations::AssociationCollection error will be thrown.
10. Array.paginate will throw error.The Array#paginate method still exists, too, but is not loaded by default. If you need to paginate static arrays, first require it in your code: require ‘will_paginate/array’
11. For active record, save(false) changed to

    save(:validate => false)

12. request.request_uri changed to request.url
13. REXML::Document is not auto loaded, need to explicitly require it before using.

    require 'rexml/document'

14. rake API changes. The :needs => :environments is deprecated. In Rails 2 :

    task :task_name, :argument_name, :needs => :environment do |t,args|
        # ...
     end

    In Rails 3, you have to do the following:

    task :task_name, [:argument_name] => :environment do |t,args|
        # ...
     end

15. params[:path] used to be an array of the path split by slash. e.g. you might see the value as ['user', 'details.html'], now it is a string /user/details. Note that params[:path] doesn’t contains the format.
16. interpreate_status is not in use any more. You can use Rack::Utils::HTTP_STATUS_CODES[status_code] to do the same thing.
17. Mailer API changes. In Rails 2, you would call deliver_welcome_email or create_welcome_email. This has been deprecated in Rails 3.0 in favour of just calling the method name itself. So you can call Mailer.welcome_email.
18. Mail API changes. In Rails 2 you define a mailer like below (this example is copied from rails guide)

    class UserMailer < ActionMailer::Base
      def welcome_email(user)
        recipients    user.email
        from          "notifications@example.com"
        subject       "Welcome to My Awesome Site"
        sent_on       Time.now
        body          {:user => user, :url => "http://example.com/login"}
      end
    end

    However in Rails 3 above codes has to be changed to below:

    class UserMailer < ActionMailer::Base
      def welcome_email(user)
        @user = user
        @url =  "http://example.com/login"
        mail(
            :to            => user.email
            :from       =>    "notifications@example.com"
            :subject    =>   "Welcome to My Awesome Site"
            :date        =>       Time.now
        )
      end
    end

19. If a action name is not defined in the controller but the corresponding views file exists, in Rails 2, it will call method_missing. However in Rails 3, it won’t call method_missings. Thus in the help controller we can’t use the method_missing to dynamic rendering the views.

If you are thinking of investing in gold or buying gold, here are a few things you can do in Singapore.

Buying Physical Gold

If you are thinking of buying physical gold, the easiest way is buying jewelry, where you can easily find those jewelry shops in Singapore especially in Little India as Indian loves buying gold. The other way is buying gold coins or gold bar. There are some trading companies doing this e.g. GoldPrice You can either keep the gold at home or some bank. DBS provides Safe Deposit Boxes service, where you can store your golds there without worrying about being stolen.

Trading gold in this way is troublesome and inefficient. There are some company that allow you buy gold bullion online at live gold prices. You may want to check out gold at BullionVault.

Gold ETFs

Exchange-Traded Fund (ETF) is an investment fund that can be traded like stocks on stock exchange. There are many physically backed gold ETF in the world. One of the most popular ones is SPDR Gold ETF Trust. SPDR® Gold Shares is the first gold-backed exchange-traded fund to be listed in Asia. Sponsored by the World Gold Trust Services LLC, the SPDR® Gold Shares are designed to track the price of gold and trade like any stock on the exchange. Below is the share price for SPDR Gold Shares, from the charts you can tell that it follows the actual Gold price.

SPDR Gold Shares Price

Gold Miner Stocks

Invest in Gold miner stocks can be an alternative way to invest in Gold. However, do note that Gold Miner Stocks’ share price won’t follow Gold price exactly. If gold price go up 10%, the share price could go up possibly 20%. If gold price drop 10%, the share price could drop more than that. So in another word, investing in gold miner stocks is more risky. High risk comes with higher returns. If you expect gold to be as bullish as previous few years, then investing in gold miner stocks may be a good options.

LionGold Corp is an SGX-listed investment holding company focussing on gold mining, mine development and exploration. The company changed its name from Think Environmental to LionGold after adopting its gold-focused strategy in 2011. From the chart below, you can also tell that it is much more volatile than gold. So trade with caution.

Lion Gold TA Chart

This article is not meant to give you suggestion on what ETF or stock to trade but some general information on how to buy gold in Singapore. So trade at your own risk. Interesting thing is that Warrant Buffet said that he will never invest in Gold.

“When we took over Berkshire, it was selling at $15 a share and gold was selling at $20 an ounce. Gold is now $1600 and Berkshire is $120,000. Or you can take a broader example. If you buy an ounce of gold today and you hold it at hundred years, you can go to it every day and you could coo to it and fondle it and a hundred years from now, you’ll have one ounce of gold and it won’t have done anything for you in between. You buy 100 acres of farm land and it will produce for you every year. You can buy more farmland, and all kinds of things, and you still have 100 acres of farmland at the end of 100 years. You could you buy the Dow Jones Industrial Average for 66 at the start of 1900. Gold was then $20. At the end of the century, it was 11,400, and you would also have gotten dividends for a hundred years.” – Warrant Buffet

From investing perspective, I agree with that invest on stocks may give you better return, however, stock market comes with much higher risk. So diversify your investment in stocks, gold, bonds and property is much more ideal for me personally. The weight to invest in each, of course, depends on your risk appetite.

Poor Configured Response Headers

You can see that from the response header I can tell that the website is hosted using Apache server and furthermore it is using Phusion Passenger V 3.0.11. If there is any vulnerability issue with this version of Passenger, the hacker can easily use this information and hack the website! So the solution is to hide this kind of information.

To do that you have to use the Apache Header Directive. Basically this Header Directive is processed just before the response is sent back to the network, so it allows you to overwrite/modify the response header set by your application.

Load Apache Headers Module. First, make sure you have header module installed, use the following command to see all the loaded modules:

httpd -M

Check headers_module is in the list. If header module is not loaded, you have to load it in the httpd config.

Locate your httpd config files. If you are not sure where is your config files, run the following command to show the compile settings:

httpd -V

It should show HTTPD_ROOT as well as SERVER_CONFIG_FILE. In my case, the following is the output for this two settings:

-D HTTPD_ROOT=”/usr/local/httpd”

-D SERVER_CONFIG_FILE=”conf/httpd.conf”

From here, you knows that your httpd.conf location is /usr/local/httpd/conf/httpd.conf. After you locate httpd.conf, edit this file and add the following line to load the header module

LoadModule headers_module modules/mod_headers.so

Now, do httpd -M again, you should see the loaded modules include headers_module.

After headers_module is loaded, include the following lines of config in the httpd.conf, if the settings are there, make sure it is the correct value.

ServerSignature Off
ServerTokens Prod

Normally apache would display a trailing footer line, which includes information like server name, version etc,  under server generated documents, e.g. error message etc. So ServerSignature Off would turn this off. So it won’t include this trailing footer line. ServerTokens Prod will only return “Apache” in the Server header without any version number.  For details explanation, refer to this apache documentation.

Further more, we should totally unset the Server header and X-Powered-By header, so include the following lines in the httpd.conf as well.

# If mod_headers module is included, we will disable the Server response header totally
<IfModule mod_headers.c>
  Header unset Server
  Header unset X-Powered-By
</IfModule>

With the above changes, you should have already unset or removed those apache response headers that expose important security informations.

SQL Injection are the top one web application security risk ranked according to Open Web Application Security Project (OWASP) . Basically it allows the attackers to attack the database through a website. If the vulnerability is present, hacker could get any data or even drop your database! Basically it grants the hacker DBA roles. Probably one interesting thing is to look at how we could attack an application using SQL Injection. Let’s talk about a basic example. I am going to use PHP as an example, although I don’t quite like using PHP (personal preference). If you are using Ruby on Rails, you shouldn’t meet this kind of problem.

"select name from users where id ='$user_id'";

The problem lies the direct input of the user input of $user_id in the sql statement. If the user submit the $user_id as follows, it can do any thing:

shanison';update users set is_admin=1 where id='shanison

With this input, the above sql becomes:

"select name from users where id ='shanison';update users set is_admin=1 where id='shanison'";

And this is how you can make yourself becomes admin. This is fundamental idea be hide the SQL Injection. However if you do this for a php application connected with oracle with the following codes, what would you get?

$statement = oci_parse($connection, "select name from users where id='$user_id'");
oci_execute($statement);

You will get the following error ORA-00911: invalid character. The problem lies with the sql statement separator ;. Oracle has a protection that it won’t allow multiple statements to be exectued at the same time, which makes the above attack impossible. However, there is one smart way to bypass this this limitation, here is one sql statement you can use:

shanison' and (select dbms_xmlquery.newcontext(' declare pragma
autonomous_transaction; begin execute immediate ''update users set
is_admin = 1 where id=:usr'' using ''shanison''; commit;
end;') from dual) is not null or '' = '

May Market Performance (Source-http://seekingalpha.com)

The Dow Jones recent high of 13338 was actually on May 1 2012. It closed April at 13213 and at the end of May it closed off at 12393. The Dow Jones lost 820 points for 2012 May, that was 6% dropped in May. Yesterday was the beginning of June, and it continued to plunged 2.22%.

The Halloween Indicator is a variant of “Sell in May and go away”. “It is the belief that the period from November to April inclusively has significatnly stronger growth on average than the other months.” (source – Wikipedia) So the strategy to take is that before November you should start to buy some stocks. Of course, you can use Technical Indicators to judge your best entry points in the market instead of following this stock market edge blindly. After that you keep for a few months and before May, you find a chance to take your profit.

If we were to follow this, we would have made quite a lot of profit for the past half a year. Crisis are sometimes opportunities. For long term investors, the recent sell off may be a good chance to accumulate some stocks. We may see more sell off in June due to possibility of Grexit.

But the important thing to learn is that every time in crisis, you should get your shopping list ready. Check the stocks that are deeply undervalues and will be able to survive though the crisis. The most important thing is that you must have cash ready! If you have bought a lot of stocks in April this year in the hopes that it may go much higher although since the beginning of 2012, the stock market has rallied so much, you won’t have much money left when there are some good bargain buys. This is human psychology. When everyone is greedy, you are greedy as well. When everyone is fearful, you are more fearful. So you buy at high and sell at low. You can only contribute money to the rest of stock market players.

So let’s get your cash and shopping list ready. “When everyone is greedy, you should be fearful! When everyone is fearful, you should be greedy”.

Llya Grigorik from google gave a very interesting talk on how to build a faster web using various technics. If you are experiencing slow website problem, you may want to check out his slides at Building a Faster Web.

There are also a lot of interesting topics that were discussed during the conference e.g PUBSUB infrastructure, Client Slide Templating, Using Redis to improve site performance, CoffeeScript etc.

Red Dot Ruby Conference 2012

In order to do cross domain ajax request, there is one way to do it using JSONP. JSONP, which is short for “JSON with padding” is a complement to the base JSON data format. It provides a method to request data from a server in a different domain. This is viable because there is no restriction on including third party javascript files in the website. So here is how it works. E.g. you are requesting a server http://sampleserver.com/sampledata.json to return the following json

{ "name" : "Shanison" }

Instead of directly requesting this using XMLHttprequest, you use javascript to insert a script tag in the html,

Now the browser would send the requests and download the response, but the problem is that the response is JSON instead of javascript. So the trick here is that for server instead of returning JSON, it returns a function call with the JSON:

callBack({ "name" : "Shanison" })

After the javascript is downloaded, it will call the method callBack, which will takes the JSON as a parameter. Inside this callBack method, you can get the response of the JSON and do what ever you want.

So if you are using RAILS and JQuery, here is what you can do. Jquery provides a way to directly call ajax with JSONP as requested dataType and you don’t have to do the things as create a call back methods and create the script tag and inserted into the html. If you use jQuery, this is what you normally do ajax Request:

    $.ajax({
      url     : 'http://sampleserver.com/sampledata.json',
      type    : 'GET',
      dataType:  'json',
      success : function (response) {
        if (response['success'])
        {
          loadData(response['html']);
        }
      }
    })

To change it to use jsonp, you just need to change the dataType to ‘jsonp’, everything else remains the same. Jquery will do the magic I described for you. At the same time, it will send a parameter ‘callback’ to the server, which is the call back methods name that is generated by jQuery, it is a random name.

    $.ajax({
      url     : 'http://sampleserver.com/sampledata.json',
      type    : 'GET',
      dataType:  'jsonp',
      success : function (response) {
        if (response['success'])
        {
          loadData(response['html']);
        }
      }
    })

Now the only thing needs to be changed is on the application server. The application needs to make sure the response can return JSONP instead of JSON. If you are using Rails, to render the response in JSON, you usually do:

render :json => {:success => true, :html => prices_html}

To render the response with JSONP, which would wrap the JSON with the callback method submitted by the javascript:

render :json => {:success => true, :html => prices_html}, :callback => params[:callback]

With all this, you should be able to do Cross Domain Ajax Request using jQuery.

mysqldump -uuser -ppassword database_name > backup.sql

If you need to dump a single table, you can do the following:

mysqldump -uuser -ppassword database_name table_name > backup.sql

This should generate a bunch of Create Table and Insert Sql statements in the .sql files.

So how do you import the database from your sql dump files. Let’s say you have the backup.sql in your computer now. First thing you need to do is upload this dump to the database server. To do this, you can use scp command to copy the files and do a secure file transfer.

scp -rP port_num backup.sql root@server_name:/root/backup

After that you have to go to the mysql command tools by :

mysql -uroot -ppassword database_name

After authenticated, you run the following again to import:

source /root/backup/backup.sql