Djangoアプリのデプロイに関するプラクティス / Deploy django application
2 likes12,781 views
This document contains notes from a meeting on web application security. It discusses several common vulnerabilities like SQL injection, cross-site scripting (XSS), and clickjacking. It provides examples of how these vulnerabilities can occur and ways to prevent them, such as sanitizing user input, enabling CSRF protection middleware, and using the X-Frame-Options header. Keywords discussed include MySQL, Docker, Kubernetes, Ansible, and various attack vectors like CSRF, XSS, SQL injection, and clickjacking. The document aims to educate on security best practices for Python and Django web applications.
1 of 70
Downloaded 11 times
![FROM python:3.7
MAINTAINER Masashi Shibata <contact@c-bata.link>
RUN pip install --upgrade pip
ADD . /usr/src
RUN pip install -r /usr/src/requirements.txt
WORKDIR /usr/src
EXPOSE 80
CMD ["gunicorn", "-w", "4", "-b", ":80", "djangosnippets.wsgi:application"]
$ docker build -t djangosnippets .](https://image.slidesharecdn.com/deploy-190518063233/85/Django-Deploy-django-application-30-320.jpg)
![from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
:
@method_decorator(login_required, name='dispatch')
@method_decorator(csrf_exempt, name='dispatch')
class UnsecureView(View):
def get(self, request):
comments = Comment.objects.all()
html = Template(_comment_list_template).render(
Context({"comments": comments}))
return HttpResponse(html)
def post(self, request):
comment = Comment(content=request.POST[‘content'],
posted_by=request.user)
comment.save()](https://image.slidesharecdn.com/deploy-190518063233/85/Django-Deploy-django-application-50-320.jpg)
![from django.http import HttpResponse
_form_html = """<form method="get">
<input type="text" name="q" placeholder="Search" value="">
<button type="submit">Go</button>
</form>
"""
def xss_view(request):
if 'q' in request.GET:
return HttpResponse(f"Searched for: {request.GET['q']}")
else:
return HttpResponse(_form_html)](https://image.slidesharecdn.com/deploy-190518063233/85/Django-Deploy-django-application-56-320.jpg)
![def sql_injection(request):
if 'snippet' not in request.GET:
html = Template(_form_html).render(Context())
else:
snippet_id = request.GET['snippet']
sql = "SELECT id, title FROM snippets WHERE id =
'{}';".format(snippet_id)
snippet = Snippet.objects.raw(sql)
html = Template(_snippet_list_template).render(Context({'snippet':
snippet}))
return HttpResponse(html)](https://image.slidesharecdn.com/deploy-190518063233/85/Django-Deploy-django-application-64-320.jpg)
![MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
# 'django.middleware.clickjacking.XFrameOptionsMiddleware',
]](https://image.slidesharecdn.com/deploy-190518063233/85/Django-Deploy-django-application-67-320.jpg)
Ad
Recommended
Django の認証処理実装パターン / Django Authentication Patterns
Django の認証処理実装パターン / Django Authentication PatternsMasashi Shibata The document discusses Django's built-in authentication forms and view classes, detailing a custom email authentication backend implementation. It includes code snippets for user authentication and validation, highlighting the use of Django's user model and custom validators. Additionally, it references GitHub links for further examples and modifications related to the authentication process.
Django REST Framework における API 実装プラクティス | PyCon JP 2018
Django REST Framework における API 実装プラクティス | PyCon JP 2018Masashi Shibata The document discusses various topics related to APIs and pagination in Django REST Framework. It covers:
1. Pagination techniques in Django REST Framework including PageNumberPagination, LimitOffsetPagination, and CursorPagination.
2. Rate limiting techniques including AnonRateThrottle, UserRateThrottle, and ScopedRateThrottle.
3. Authentication techniques including TokenAuthentication and the djangorestframework-jwt package for JSON web tokens.
4. Other API design topics like HATEOAS, versioning, and specifying media types.
DDD x CQRS 更新系と参照系で異なるORMを併用して上手くいった話
DDD x CQRS 更新系と参照系で異なるORMを併用して上手くいった話Koichiro Matsuoka より詳細なCQRSに関する資料はこちら
https://little-hands.hatenablog.com/entry/2019/12/02/cqrs
参考資料:http://little-hands.hatenablog.com/entry/jjug2017fall
社内新規プロダクトでDDD, CQRSの思想をベースとしたアーキテクチャを構築し、コマンド(更新系処理)ではSpring Data JPA(Hibernate)を、クエリ(参照系処理)ではjOOQを採用しました。
結果としてそれぞれのORMの良いところを生かした組み合わせのアーキテクチャが構築できたので、その経緯と得られた知見についてお話ししたいと思います。
以下のようなトピックを考えています。
・CQRSの定義とメリットデメリット
・DDD,CQRSを検討するにあたってのORMの選定ポイント
・構築したアーキテクチャ
CQRSはDDDと切り分けて単独でも適用することができるので、DDDについてご存知ない方もご覧いただけます。日本語の文献は意外と少ないので、この辺りの分野に興味がある人の参考になれば幸いです。
PostgreSQLモニタリング機能の現状とこれから(Open Developers Conference 2020 Online 発表資料)
PostgreSQLモニタリング機能の現状とこれから(Open Developers Conference 2020 Online 発表資料)NTT DATA Technology & Innovation PostgreSQLモニタリング機能の現状とこれから
(Open Developers Conference 2020 Online 発表資料)
2020年12月19日
株式会社NTTデータ
鳥越 淳
池田 真洋
BuildKitによる高速でセキュアなイメージビルド
BuildKitによる高速でセキュアなイメージビルドAkihiro Suda https://build.connpass.com/event/98947/
ツール比較しながら語る O/RマッパーとDBマイグレーションの実際のところ
ツール比較しながら語る O/RマッパーとDBマイグレーションの実際のところY Watanabe JJUG-CCC 日本Javaユーザーズグループクロスコミュニティカンファレンス 2018/12 登壇資料です。
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
At least onceってぶっちゃけ問題の先送りだったよね #kafkajpYahoo!デベロッパーネットワーク Apache Kafka Meetup Japan #3 https://kafka-apache-jp.connpass.com/event/58619/ 発表資料
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!Ryosuke Uchitate This document contains code snippets related to Spring Security configuration and authentication. It defines classes and methods for configuring security, processing login requests, loading user details, and authenticating users. Key aspects include configuring security filters and authorization rules, processing username/password authentication, validating login credentials against encoded passwords, and loading pre-authenticated users based on access tokens.
Mavenの真実とウソ
Mavenの真実とウソYoshitaka Kawashima JJUG CCC 2019 fall g3のセッション資料です。
「ちょっと凝ったことをしようとすると大量のXMLを書かなきゃいけない」「プラグインを並べてもうまく動いてくれない」など、Mavenは誤解され敬遠され、Gradleなどの他のビルドツールにシェアを奪われてきました。
が、依然としてMavenはJavaのデファクトスタンダードなビルドツールに位置づけられており、マスターする価値は十分にあります。そして良く学んでみると、そもそもXMLで過度なカスタマイズしようというのが誤った使い方だったのに気づきます。そこへ至るにも、タスクランナーの延長線上にある他のビルドツールと異なり、Maven独特なライフサイクルとプラグインの関係性もきちんと理解しておかなければなりません。
世界一わかりやすいClean Architecture
世界一わかりやすいClean ArchitectureAtsushi Nakamura Visual Studio Users Community Japan #1
で発表した資料になります。
https://vsuc.connpass.com/event/143114/
Vacuum徹底解説
Vacuum徹底解説Masahiko Sawada PostgreSQL Conference Japan 2021の講演資料です。
https://www.postgresql.jp/jpug-pgcon2021#T3
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Kohei Tokunaga NTT Tech Conference 2022 での「Dockerからcontainerdへの移行」の発表資料です
https://ntt-techconf.connpass.com/event/241061/
訂正:
P2. .
誤:
```
Ship docker run -it --rm alpine
Run docker push ghcr.io/ktock/myalpine:latest
```
正:
```
Ship docker push ghcr.io/ktock/myalpine:latest
Run docker run -it --rm alpine
```
OpenID ConnectとAndroidアプリのログインサイクル
OpenID ConnectとAndroidアプリのログインサイクルMasaru Kurahayashi タイトル:
『OpenID ConnectとAndroidアプリのログインサイクル』
概要:
GoogleやFacebook、Yahoo! JAPANの提供するOAuth、OpenID Connectのシングルサインオン(SSO)を利用する上でトークン、ログイン状態の管理が必要になります。ログイン、ログアウトに加えアプリによってはマルチアカウント利用やアカウント切り替えを必要とするケースもあります。スマフォアプリではネイティブ、WebViewでSSOの認証方法が異なり、実装パターンは多岐にわたります。
これまでID連携の設計や実装サポートしてきたナレッジをもとに、AndroidアプリにおけるSSOからログイン状態の管理まで、アプリの要件にあった実装方法をご紹介します。
Developers Summit 2015 【19-C-5】 Feb. 19, 2015
URL: http://event.shoeisha.jp/devsumi/20150219/session/654
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話JustSystems Corporation JJUG CCC 2018 Fall 登壇時の資料です。 #jjug_ccc #ccc_g1
ソーシャルゲーム案件におけるDB分割のPHP実装
ソーシャルゲーム案件におけるDB分割のPHP実装infinite_loop ソーシャルゲーム案件におけるDB分割のPHP実装
~とにかく分割ですよ。10回じゃ足りない。20回くらい分割。~
株式会社インフィニットループ 佐々木 亨基
2013/7/15にPHPMatsuri2013内で発表された講演のスライド
MySQLレプリケーションあれやこれや
MySQLレプリケーションあれやこれやyoku0825 2018/01/26 第2回 オープンソースデータベース比較セミナー
https://osscons-database.connpass.com/event/74688/
【修正版】Django + SQLAlchemy: シンプルWay
【修正版】Django + SQLAlchemy: シンプルWayTakayuki Shimizukawa Simple Way with Django + SQLAlchemy
AT PyCon JP 2020
https://pycon.jp/2020/timetable/?id=203756
質疑応答
> Ryuji Tsutsui から全員に: 02:58 PM
> INNNER JOIN
> Nが1個多い?
ほんとだ。slideshareにあげた資料、直せません!
> Taku Shimizu から全員に: 03:00 PM
> 「ドキュメントに記載されていない」なかなかのパワーフレーズですね
でしょー
> uranusjr から全員に: 03:04 PM
> g2の別名はT3になるのはなぜですか?
Djangoが自動的にテーブルを2回JOINすることもあって、そういう場合自動的にテーブル名の別名が付けられます。T2,T3,T4と連番で増えていきます。
たぶん、登場する3つ目のテーブルだからT3なのだと思います。
`annotate(g2=FilteredRelation(...)` のように名前指定しているのに使われないのは、バグなのかどうなのか追ってません。SQLは動作するので、バグとはいえないかも。
> Manabu から全員に: 03:17 PM
> SQLAlchemy の モデルクラスを直接書いていましたが、 automap_base() は使わないのですか?
全テーブルを使いたいわけではないのと、用途の目的から、SQLAlchemyでForeignKeyを独自に追加定義したいなどもあるため、個別に書いています。
automap_base()を使っても良いと思います。
> c-bata から全員に: 03:19 PM
> DBのマイグレーションはalembicを使う感じでしょうか?
Dango ORM側で全てマイグレーションするか、それ以外(alembicや生DDL)でマイグレーションするかは統一すればよいと思います。
Django ORM側でやるのが楽だと思いますが、Redshiftなどの場合生DDLでやるしかなかったりするし、そういう環境でこそこの方法が有用だったりします。
> あ、基本的にDjango ORMを使っていて、難しいクエリだけSQLALchemyで
SQL生成している感じですかね。
はい。そういう感じです。
GoによるWebアプリ開発のキホン
GoによるWebアプリ開発のキホンAkihiko Horiuchi Golang勉強会 in Kagawa
http://gdgshikoku.connpass.com/event/26262/
Git
GitSurya Sreedevi Vedula This document discusses version control and Git. It defines key terms like VCS, check-in, check-out and commit. It explains how version control allows versioning of files, manages changes from multiple users by storing files in a central repository. It describes how Git is different from other VCSs in that the repository is seen as a whole rather than individual files, branches are versions of the repository rather than copies, and the entire repository can be accessed locally. It also covers the basic Git commands and workflows for working with files, branches and remote repositories.
MySQL 5.7にやられないためにおぼえておいてほしいこと
MySQL 5.7にやられないためにおぼえておいてほしいことyoku0825 2015/10/03 phpcon 2015
updated at 2016/01/13 about default_password_lifetime's default will be 0
こわくない Git
こわくない GitKota Saito 「マージがなんとなく怖い」「リベースするなって怒られて怖い」「エラーが出て怖い」
Git 入門者にありがちな「Git 怖い」を解消するため、Git のお仕事(コミット、ブランチ、マージ、リベース)について解説します。
Introduction to backbone presentation
Introduction to backbone presentationBrian Hogg This document provides an overview and introduction to using Backbone.js for building JavaScript applications within WordPress. It discusses the basics of Backbone including models, collections, views and routing. It then walks through an example plugin that uses Backbone to manage WordPress post titles and status in an admin panel. Key files and functions are explained, showing how models, collections and views are defined and tied together to populate and update the data.
Flask – Python
Flask – PythonMax Claus Nunes This document provides an overview of Flask, a microframework for Python. It discusses that Flask is easy to code and configure, extensible via extensions, and uses Jinja2 templating and SQLAlchemy ORM. It then provides a step-by-step guide to setting up a Flask application, including creating a virtualenv, basic routing, models, forms, templates, and views. Configuration and running the application are also covered at a high level.
More Related Content
What's hot (20)
ツール比較しながら語る O/RマッパーとDBマイグレーションの実際のところ
ツール比較しながら語る O/RマッパーとDBマイグレーションの実際のところY Watanabe JJUG-CCC 日本Javaユーザーズグループクロスコミュニティカンファレンス 2018/12 登壇資料です。
At least onceってぶっちゃけ問題の先送りだったよね #kafkajp
At least onceってぶっちゃけ問題の先送りだったよね #kafkajpYahoo!デベロッパーネットワーク Apache Kafka Meetup Japan #3 https://kafka-apache-jp.connpass.com/event/58619/ 発表資料
Amazon Cognito使って認証したい?それならSpring Security使いましょう!
Amazon Cognito使って認証したい?それならSpring Security使いましょう!Ryosuke Uchitate This document contains code snippets related to Spring Security configuration and authentication. It defines classes and methods for configuring security, processing login requests, loading user details, and authenticating users. Key aspects include configuring security filters and authorization rules, processing username/password authentication, validating login credentials against encoded passwords, and loading pre-authenticated users based on access tokens.
Mavenの真実とウソ
Mavenの真実とウソYoshitaka Kawashima JJUG CCC 2019 fall g3のセッション資料です。
「ちょっと凝ったことをしようとすると大量のXMLを書かなきゃいけない」「プラグインを並べてもうまく動いてくれない」など、Mavenは誤解され敬遠され、Gradleなどの他のビルドツールにシェアを奪われてきました。
が、依然としてMavenはJavaのデファクトスタンダードなビルドツールに位置づけられており、マスターする価値は十分にあります。そして良く学んでみると、そもそもXMLで過度なカスタマイズしようというのが誤った使い方だったのに気づきます。そこへ至るにも、タスクランナーの延長線上にある他のビルドツールと異なり、Maven独特なライフサイクルとプラグインの関係性もきちんと理解しておかなければなりません。
世界一わかりやすいClean Architecture
世界一わかりやすいClean ArchitectureAtsushi Nakamura Visual Studio Users Community Japan #1
で発表した資料になります。
https://vsuc.connpass.com/event/143114/
Vacuum徹底解説
Vacuum徹底解説Masahiko Sawada PostgreSQL Conference Japan 2021の講演資料です。
https://www.postgresql.jp/jpug-pgcon2021#T3
Dockerからcontainerdへの移行
Dockerからcontainerdへの移行Kohei Tokunaga NTT Tech Conference 2022 での「Dockerからcontainerdへの移行」の発表資料です
https://ntt-techconf.connpass.com/event/241061/
訂正:
P2. .
誤:
```
Ship docker run -it --rm alpine
Run docker push ghcr.io/ktock/myalpine:latest
```
正:
```
Ship docker push ghcr.io/ktock/myalpine:latest
Run docker run -it --rm alpine
```
OpenID ConnectとAndroidアプリのログインサイクル
OpenID ConnectとAndroidアプリのログインサイクルMasaru Kurahayashi タイトル:
『OpenID ConnectとAndroidアプリのログインサイクル』
概要:
GoogleやFacebook、Yahoo! JAPANの提供するOAuth、OpenID Connectのシングルサインオン(SSO)を利用する上でトークン、ログイン状態の管理が必要になります。ログイン、ログアウトに加えアプリによってはマルチアカウント利用やアカウント切り替えを必要とするケースもあります。スマフォアプリではネイティブ、WebViewでSSOの認証方法が異なり、実装パターンは多岐にわたります。
これまでID連携の設計や実装サポートしてきたナレッジをもとに、AndroidアプリにおけるSSOからログイン状態の管理まで、アプリの要件にあった実装方法をご紹介します。
Developers Summit 2015 【19-C-5】 Feb. 19, 2015
URL: http://event.shoeisha.jp/devsumi/20150219/session/654
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話
Spring Boot の Web アプリケーションを Docker に載せて AWS ECS で動かしている話JustSystems Corporation JJUG CCC 2018 Fall 登壇時の資料です。 #jjug_ccc #ccc_g1
ソーシャルゲーム案件におけるDB分割のPHP実装
ソーシャルゲーム案件におけるDB分割のPHP実装infinite_loop ソーシャルゲーム案件におけるDB分割のPHP実装
~とにかく分割ですよ。10回じゃ足りない。20回くらい分割。~
株式会社インフィニットループ 佐々木 亨基
2013/7/15にPHPMatsuri2013内で発表された講演のスライド
MySQLレプリケーションあれやこれや
MySQLレプリケーションあれやこれやyoku0825 2018/01/26 第2回 オープンソースデータベース比較セミナー
https://osscons-database.connpass.com/event/74688/
【修正版】Django + SQLAlchemy: シンプルWay
【修正版】Django + SQLAlchemy: シンプルWayTakayuki Shimizukawa Simple Way with Django + SQLAlchemy
AT PyCon JP 2020
https://pycon.jp/2020/timetable/?id=203756
質疑応答
> Ryuji Tsutsui から全員に: 02:58 PM
> INNNER JOIN
> Nが1個多い?
ほんとだ。slideshareにあげた資料、直せません!
> Taku Shimizu から全員に: 03:00 PM
> 「ドキュメントに記載されていない」なかなかのパワーフレーズですね
でしょー
> uranusjr から全員に: 03:04 PM
> g2の別名はT3になるのはなぜですか?
Djangoが自動的にテーブルを2回JOINすることもあって、そういう場合自動的にテーブル名の別名が付けられます。T2,T3,T4と連番で増えていきます。
たぶん、登場する3つ目のテーブルだからT3なのだと思います。
`annotate(g2=FilteredRelation(...)` のように名前指定しているのに使われないのは、バグなのかどうなのか追ってません。SQLは動作するので、バグとはいえないかも。
> Manabu から全員に: 03:17 PM
> SQLAlchemy の モデルクラスを直接書いていましたが、 automap_base() は使わないのですか?
全テーブルを使いたいわけではないのと、用途の目的から、SQLAlchemyでForeignKeyを独自に追加定義したいなどもあるため、個別に書いています。
automap_base()を使っても良いと思います。
> c-bata から全員に: 03:19 PM
> DBのマイグレーションはalembicを使う感じでしょうか?
Dango ORM側で全てマイグレーションするか、それ以外(alembicや生DDL)でマイグレーションするかは統一すればよいと思います。
Django ORM側でやるのが楽だと思いますが、Redshiftなどの場合生DDLでやるしかなかったりするし、そういう環境でこそこの方法が有用だったりします。
> あ、基本的にDjango ORMを使っていて、難しいクエリだけSQLALchemyで
SQL生成している感じですかね。
はい。そういう感じです。
GoによるWebアプリ開発のキホン
GoによるWebアプリ開発のキホンAkihiko Horiuchi Golang勉強会 in Kagawa
http://gdgshikoku.connpass.com/event/26262/
Git
GitSurya Sreedevi Vedula This document discusses version control and Git. It defines key terms like VCS, check-in, check-out and commit. It explains how version control allows versioning of files, manages changes from multiple users by storing files in a central repository. It describes how Git is different from other VCSs in that the repository is seen as a whole rather than individual files, branches are versions of the repository rather than copies, and the entire repository can be accessed locally. It also covers the basic Git commands and workflows for working with files, branches and remote repositories.
MySQL 5.7にやられないためにおぼえておいてほしいこと
MySQL 5.7にやられないためにおぼえておいてほしいことyoku0825 2015/10/03 phpcon 2015
updated at 2016/01/13 about default_password_lifetime's default will be 0
こわくない Git
こわくない GitKota Saito 「マージがなんとなく怖い」「リベースするなって怒られて怖い」「エラーが出て怖い」
Git 入門者にありがちな「Git 怖い」を解消するため、Git のお仕事(コミット、ブランチ、マージ、リベース)について解説します。
Similar to Djangoアプリのデプロイに関するプラクティス / Deploy django application (20)
Introduction to backbone presentation
Introduction to backbone presentationBrian Hogg This document provides an overview and introduction to using Backbone.js for building JavaScript applications within WordPress. It discusses the basics of Backbone including models, collections, views and routing. It then walks through an example plugin that uses Backbone to manage WordPress post titles and status in an admin panel. Key files and functions are explained, showing how models, collections and views are defined and tied together to populate and update the data.
Flask – Python
Flask – PythonMax Claus Nunes This document provides an overview of Flask, a microframework for Python. It discusses that Flask is easy to code and configure, extensible via extensions, and uses Jinja2 templating and SQLAlchemy ORM. It then provides a step-by-step guide to setting up a Flask application, including creating a virtualenv, basic routing, models, forms, templates, and views. Configuration and running the application are also covered at a high level.
Web-Performance
Web-PerformanceWalter Ebert This document summarizes techniques for improving web performance, including:
- Using output caching, compression, browser caching and CDNs to reduce page size and load times
- Optimizing images, CSS, JavaScript and databases for faster loading
- Leveraging caching, minification, concatenation and deferred parsing to improve front-end performance
- Implementing techniques like service workers, resource hints and responsive delivery to optimize the user experience
Build Your Own CMS with Apache Sling
Build Your Own CMS with Apache SlingBob Paulin This document provides an overview of building a content management system (CMS) using Apache Sling. It discusses how Sling uses OSGi and the Java Content Repository to provide a RESTful framework. Example uses of Sling include content CRUD operations via the Sling Post Servlet and resource resolution. The document then demonstrates how to set up a Sling development environment and build sample pages that include a WYSIWYG editor and image uploads using Sling and technologies like JavaScript, jQuery, Bootstrap and Groovy.
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)Igor Bronovskyy The document provides an overview of Node.js, Express, and AngularJS, highlighting their features, advantages, and examples of use. It discusses Node.js's non-blocking I/O model, Express's routing and middleware capabilities, and AngularJS's two-way data binding and directives. Additionally, it includes practical code snippets for creating server applications and managing data, along with links to further resources.
Taking your Web App for a walk
Taking your Web App for a walkJens-Christian Fischer The document outlines a presentation by Jens-Christian Fischer on developing mobile applications with a focus on key technologies such as HTML5, CSS3, and responsive design. It details six steps toward mobile app development, introduces various frameworks like jQuery Mobile and Sencha Touch, and discusses strategies for offline capabilities including caching and local storage. The document includes code snippets and examples of how to set up a mobile app interface and manage tasks within the app.
Exploring Symfony's Code
Exploring Symfony's CodeWildan Maulana The document provides an overview of the MVC pattern and how it is implemented in Symfony. It discusses how Symfony separates code into models, views, and controllers and layers these components. It also describes common Symfony structures like modules, actions, and templates as well as tools like parameter holders, constants, and autoloading that are frequently used.
Rails 3: Dashing to the Finish
Rails 3: Dashing to the FinishYehuda Katz This document provides an overview of routing changes in Rails 3, including:
- Matching routes using "match" instead of "map.connect" and optional segments.
- Namespaces, scopes, and constraints for organizing and restricting routes.
- Default RESTful routes and generating resources.
- Redirects can now be specified as Rack apps or Procs.
- Mounting other Rack endpoints at specific paths.
WordPress as the Backbone(.js)
WordPress as the Backbone(.js)Beau Lebens This document discusses using WordPress as a backend for building mobile and web applications. It introduces WordPress' REST API which allows accessing WordPress content via HTTP requests. It then outlines how to build a simple mobile-first app called WROPE using the WordPress REST API and the JavaScript library Backbone.js, including setting up models, collections, views and routing to retrieve and display WordPress posts.
前端概述
前端概述Ethan Zhang The document provides an overview of front-end technologies including HTML, CSS, JavaScript, Ajax and jQuery. It discusses how the front-end interacts with the user's browser and backend servers. It describes the roles of HTML, CSS and JavaScript in content, styles and behaviors. It then covers HTML tags and structures, CSS, JavaScript basics and its use in browsers with BOM and DOM APIs. The document also summarizes Ajax and how it enables asynchronous JavaScript requests, and introduces jQuery and how it simplifies DOM and Ajax operations.
AnkaraJUG Kasım 2012 - PrimeFaces
AnkaraJUG Kasım 2012 - PrimeFacesAnkara JUG The document provides an overview of PrimeFaces, a Java EE component library designed for ease of use with a small footprint and zero configuration. It highlights its features such as a variety of UI components, AJAX support, accessibility, and theming options. Additionally, it discusses PrimeFaces' community engagement, development roadmap, and various platforms for deployment and integration.
Django Vs Rails
Django Vs RailsSérgio Santos The document provides an overview of the Django and Ruby on Rails web frameworks. It discusses their initial configuration, project structure, database and model components, controllers and views, administration features, extensibility through plugins/applications, and testing support. Example code snippets are provided for common tasks like defining models, views, form handling, and database migrations in each framework.
Using RequireJS with CakePHP
Using RequireJS with CakePHPStephen Young This document discusses using RequireJS, an asynchronous module loader, to better organize JavaScript code in CakePHP applications. It recommends breaking code into modules that map to sections of the application. A layout is changed to load modules instead of a single bootstrap file. The AppController is modified to set a JavaScript module name variable. RequireJS is then configured to load dependencies and a build tool like r.js can concatenate modules for production.
QConSP 2015 - Dicas de Performance para Aplicações Web
QConSP 2015 - Dicas de Performance para Aplicações WebFabio Akita The document provides insights into web performance optimization strategies, particularly in Ruby on Rails applications. It includes code samples for caching, asynchronous job processing, and using third-party services like Cloudinary for asset management. Additionally, it covers best practices for handling user uploads and monitoring performance metrics.
TurboGears2 Pluggable Applications
TurboGears2 Pluggable ApplicationsAlessandro Molina This document discusses using pluggable applications with TurboGears2. It provides an overview of TurboGears2 features like object dispatch, declarative models, and XML template engines. It then demonstrates how to quickly start an application and explore options to add photo galleries, blogs, and wiki pages by plugging in additional applications and customizing templates and models.
Rails 3 overview
Rails 3 overviewYehuda Katz Rails 3 provides a concise overview of changes in Rails 3 including maintaining MVC structure and RESTful routing while improving areas like file structure, block helpers, routing and constraints, ActiveRecord querying, resources routing, and ActionMailer delivery. Key changes include a more Rack-like implementation, chainable ActiveRecord scopes, and pagination and layout support in ActionMailer.
Using WordPress as your application stack
Using WordPress as your application stackPaul Bearne This document discusses using WordPress as a web application framework. It outlines reasons for and against using WordPress, including that it is stable, supported by a large community, and scales well, but also has some code debt and uses PHP. It then explains how to build applications with WordPress, including using actions and filters, developing a JSON API, integrating jQuery and Backbone, leveraging the template hierarchy, and using custom post types and metadata. It also provides examples of caching external API requests and using transients.
Learning django step 1
Learning django step 1永昇 陳 This document provides steps to build a basic web app using the Django framework in 30 minutes. It covers creating a Django project and app, defining models, views and templates, configuring settings, creating a database, and testing the app locally. The goal is to create a simple blog application with post listing and detail pages to demonstrate fundamental Django concepts and workflow.
WordPress Structure and Best Practices
WordPress Structure and Best Practicesmarkparolisi The document discusses the directory structure, core files, database structure, plugins, themes, and templates in WordPress. It provides information on actions, filters, widgets, modifying plugins, and best practices for developing WordPress sites and plugins. Key points include the directory locations for core files, plugins, themes, and uploads, as well as the main database tables like wp_posts and wp_options.
Modular Test-driven SPAs with Spring and AngularJS
Modular Test-driven SPAs with Spring and AngularJSGunnar Hillert The document discusses creating modular test-driven single page applications (SPAs) using Spring and AngularJS. It provides an overview of AngularJS concepts and how to integrate AngularJS with Spring, including building and deploying AngularJS apps, modularization, and testing. It also covers AngularJS basics like models, views, controllers, directives, and modules.
Ad
More from Masashi Shibata (19)
MLOps Case Studies: Building fast, scalable, and high-accuracy ML systems at ...
MLOps Case Studies: Building fast, scalable, and high-accuracy ML systems at ...Masashi Shibata This document discusses three case studies for MLOps:
1. Building a memory-efficient Python binding for LIBFFM using Cython and NumPy C-API to implement their own Python binding.
2. Implementing a transfer learning method for hyperparameter optimization using Optuna and CMA-ES to exploit previous optimization history.
3. Accelerating a prediction server and addressing challenges of high throughput and low latency by using Cython to speed up inference processing, improving throughput by 1.35x and reducing latency by 60%.
実践Djangoの読み方 - みんなのPython勉強会 #72
実践Djangoの読み方 - みんなのPython勉強会 #72Masashi Shibata The document summarizes a presentation about the book "Practical Django: Authentic Web Application Development with Python". It includes:
1. An overview of the book's structure with chapters covering topics like models, views, templates, forms, testing, authentication, and APIs.
2. Details on specific chapters, highlighting chapters 2 on models and queries, 6 on testing, and 7 on authentication as particularly important.
3. Advice for readers to focus on deepening their knowledge beyond specific frameworks by reading code and participating in open source projects.
CMA-ESサンプラーによるハイパーパラメータ最適化 at Optuna Meetup #1
CMA-ESサンプラーによるハイパーパラメータ最適化 at Optuna Meetup #1Masashi Shibata Optuna Meetup #1
https://optuna.connpass.com/event/207545/
サイバーエージェントにおけるMLOpsに関する取り組み at PyDataTokyo 23
サイバーエージェントにおけるMLOpsに関する取り組み at PyDataTokyo 23Masashi Shibata PyData.Tokyo Meetup #23 MLOps〜AIを社会に届ける技術での発表資料
https://pydatatokyo.connpass.com/event/210654/
Implementing sobol's quasirandom sequence generator
Implementing sobol's quasirandom sequence generatorMasashi Shibata 社内論文読み会資料。
ACM TOMS ALGORITHM 659: Implementing sobol's quasirandom sequence generator
DARTS: Differentiable Architecture Search at 社内論文読み会
DARTS: Differentiable Architecture Search at 社内論文読み会Masashi Shibata This document summarizes the DARTS paper, which proposes differentiable architecture search (DARTS) to relax the discrete search space of neural architectures into a continuous space. DARTS uses continuous relaxation to replace the discrete choice of architectures with a softmax over all possibilities. It then performs bi-level optimization over the architecture hyperparameters and network weights to find optimal architectures. DARTS searches over architectures made up of repeating building blocks called cells, and achieves state-of-the-art results on CIFAR-10 using 8 normal cells and 8 reduction cells.
Goptuna Distributed Bayesian Optimization Framework at Go Conference 2019 Autumn
Goptuna Distributed Bayesian Optimization Framework at Go Conference 2019 AutumnMasashi Shibata 1. The document describes using Goptuna, an open source Bayesian optimization library for Python and Go, to optimize hyperparameters for an ISUCON competition application.
2. It shows how Goptuna can suggest values for various configuration parameters like MySQL, Nginx, and Go application settings to optimize the application performance.
3. Running the optimization with Goptuna over 100 trials was able to find parameter configurations that improved the ISUCON score from 9560 to over 10,000 points.
PythonとAutoML at PyConJP 2019
PythonとAutoML at PyConJP 2019Masashi Shibata The document discusses various aspects of automated machine learning (AutoML) in Python, covering feature preprocessing, model selection, and hyperparameter optimization techniques. It references notable tools and frameworks, such as Auto-Sklearn, TPOT, Hyperopt, and Optuna, while highlighting methods for feature selection and data cleaning. Additionally, it presents insights from multiple research papers and tutorials related to the advancement of AutoML methodologies.
RTMPのはなし - RTMP1.0の仕様とコンセプト / Concepts and Specification of RTMP
RTMPのはなし - RTMP1.0の仕様とコンセプト / Concepts and Specification of RTMPMasashi Shibata The document discusses RTMP streaming and AbemaTV's use of RTMP. It provides information on RTMP protocol basics, AbemaTV's streaming infrastructure which uses RTMP, and code samples for parsing RTMP network packets. Key technologies mentioned include RTMP, MPEG-DASH, HLS, encoders, and media servers.
システムコールトレーサーの動作原理と実装 (Writing system call tracer for Linux/x86)
システムコールトレーサーの動作原理と実装 (Writing system call tracer for Linux/x86)Masashi Shibata This document discusses AbemaTV and includes code snippets and documentation on Linux/x86 systems. It covers three main topics:
1. The Linux/x86 Application Binary Interface, system call numbers, and CPU registers.
2. The strace tool and examples of its output tracing system calls like execve, write, and exit_group.
3. The ptrace system call, how it is used for process tracing, and a link to a process tracing tool called systracer on GitHub.
Golangにおける端末制御 リッチなターミナルUIの実現方法
Golangにおける端末制御 リッチなターミナルUIの実現方法Masashi Shibata The document discusses terminal input/output and window resizing in Go. It covers terminal modes like canonical, non-canonical, and raw modes. It describes the termios struct and how it is used to configure terminal settings. It also discusses VT100 escape sequences for color and formatting text. Finally, it mentions using ioctl with TIOCGWINSZ to get the window size and handling SIGWINCH signals to detect resizes.
How to develop a rich terminal UI application
How to develop a rich terminal UI applicationMasashi Shibata This document discusses how to develop rich terminal user interfaces in Python. It covers two important aspects: receiving keyboard input and controlling terminal output. For keyboard input, it explains using the basic input() function but notes its limitations, and recommends using raw mode input to receive keystrokes without interpretation. For terminal output, it discusses VT100 escape sequences to control text attributes like color and formatting. The document provides examples of reading keyboard input in raw mode and using escape sequences to style output, with the goal of helping developers create high-quality terminal-based applications and user experiences.
Introduction of Feedy
Introduction of FeedyMasashi Shibata This document introduces Feedy, an open source Python package for collecting data from RSS feeds. It describes how Feedy works by fetching the HTML content of each feed item using BeautifulSoup. It also demonstrates how to use Feedy to collect images from RSS feeds and add multiple RSS feeds. Plugins can be installed to add additional functionality, like getting social share counts. The document encourages users to contribute to Feedy on GitHub through pull requests and issue reporting.
Pythonistaのためのデータ分析入門 - C4K Meetup #3
Pythonistaのためのデータ分析入門 - C4K Meetup #3Masashi Shibata Pythonでデータ分析をしていく際のツール、注意点、コツなどを解説
https://gist.github.com/c-bata/068e1d421dc7eb242546
Introduction of PyCon JP 2015 at PyCon APAC/Taiwan 2015
Introduction of PyCon JP 2015 at PyCon APAC/Taiwan 2015Masashi Shibata It is the slide for lightning talk at PyCon APAC/Taiwan on June 6.
Ad
Recently uploaded (20)
原版一样(ISM毕业证书)德国多特蒙德国际管理学院毕业证多少钱
原版一样(ISM毕业证书)德国多特蒙德国际管理学院毕业证多少钱taqyed 鉴于此,办理ISM大学毕业证多特蒙德国际管理学院毕业证书【q薇1954292140】留学一站式办理学历文凭直通车(多特蒙德国际管理学院毕业证ISM成绩单原版多特蒙德国际管理学院学位证假文凭)未能正常毕业?【q薇1954292140】办理多特蒙德国际管理学院毕业证成绩单/留信学历认证/学历文凭/使馆认证/留学回国人员证明/录取通知书/Offer/在读证明/成绩单/网上存档永久可查!
如果您处于以下几种情况:
◇在校期间,因各种原因未能顺利毕业……拿不到官方毕业证
◇面对父母的压力,希望尽快拿到;
◇不清楚认证流程以及材料该如何准备;
◇回国时间很长,忘记办理;
◇回国马上就要找工作,办给用人单位看;
◇企事业单位必须要求办理的
◇需要报考公务员、购买免税车、落转户口
◇申请留学生创业基金
【办理多特蒙德国际管理学院成绩单Buy International School of Management Transcripts】
购买日韩成绩单、英国大学成绩单、美国大学成绩单、澳洲大学成绩单、加拿大大学成绩单(q微1954292140)新加坡大学成绩单、新西兰大学成绩单、爱尔兰成绩单、西班牙成绩单、德国成绩单。成绩单的意义主要体现在证明学习能力、评估学术背景、展示综合素质、提高录取率,以及是作为留信认证申请材料的一部分。
多特蒙德国际管理学院成绩单能够体现您的的学习能力,包括多特蒙德国际管理学院课程成绩、专业能力、研究能力。(q微1954292140)具体来说,成绩报告单通常包含学生的学习技能与习惯、各科成绩以及老师评语等部分,因此,成绩单不仅是学生学术能力的证明,也是评估学生是否适合某个教育项目的重要依据!
BASICS OF SAP _ ALL ABOUT SAP _WHY SAP OVER ANY OTHER ERP SYSTEM
BASICS OF SAP _ ALL ABOUT SAP _WHY SAP OVER ANY OTHER ERP SYSTEMAhmadAli716831 BASICS OF SAP - WHY SAP
Transmission Control Protocol (TCP) and Starlink
Transmission Control Protocol (TCP) and StarlinkAPNIC Geoff Huston, APNIC Chief Scientist, delivered a remote presentation on 'TCP and Starlink' at INNOG 8 held in conjunction with the 2nd India ISP Conclave held in Delhi, India from 23 to 28 May 2025.
Global Networking Trends, presented at the India ISP Conclave 2025
Global Networking Trends, presented at the India ISP Conclave 2025APNIC Jia Rong Low, APNIC Director General, presented on 'Global Networking Trends' at INNOG 8 held jointly with the India ISP Conclave 2025 held in Delhi, India from 23 to 28 May 2025.
Make DDoS expensive for the threat actors
Make DDoS expensive for the threat actorsAPNIC Awal Haolader, Network Analyst / Technical Trainer at APNIC, delivered a presentation titled 'Make DDoS expensive for the threat actors' at Phoenix Summit 2025 held in Dhaka, Bangladesh from 19 to 24 May 2025.
history of internet in nepal Class-8 (sparsha).pptx
history of internet in nepal Class-8 (sparsha).pptxSPARSH508080 It tells about the history of computers and internet. Explained breifly
B M Mostofa Kamal Al-Azad [Document & Localization Expert]
B M Mostofa Kamal Al-Azad [Document & Localization Expert]Mostofa Kamal Al-Azad Mostofa Kamal Al Azad
Document & Localization Expert
原版澳洲斯文本科技大学毕业证(SUT毕业证书)如何办理
原版澳洲斯文本科技大学毕业证(SUT毕业证书)如何办理taqyed 2025年极速办斯文本科技大学毕业证【q薇1954292140】学历认证流程斯文本科技大学毕业证澳洲本科成绩单制作【q薇1954292140】海外各大学Diploma版本,因为疫情学校推迟发放证书、证书原件丢失补办、没有正常毕业未能认证学历面临就业提供解决办法。当遭遇挂科、旷课导致无法修满学分,或者直接被学校退学,最后无法毕业拿不到毕业证。此时的你一定手足无措,因为留学一场,没有获得毕业证以及学历证明肯定是无法给自己和父母一个交代的。
【复刻斯文本科技大学成绩单信封,Buy Swinburne University of Technology Transcripts】
购买日韩成绩单、英国大学成绩单、美国大学成绩单、澳洲大学成绩单、加拿大大学成绩单(q微1954292140)新加坡大学成绩单、新西兰大学成绩单、爱尔兰成绩单、西班牙成绩单、德国成绩单。成绩单的意义主要体现在证明学习能力、评估学术背景、展示综合素质、提高录取率,以及是作为留信认证申请材料的一部分。
斯文本科技大学成绩单能够体现您的的学习能力,包括斯文本科技大学课程成绩、专业能力、研究能力。(q微1954292140)具体来说,成绩报告单通常包含学生的学习技能与习惯、各科成绩以及老师评语等部分,因此,成绩单不仅是学生学术能力的证明,也是评估学生是否适合某个教育项目的重要依据!
我们承诺采用的是学校原版纸张(原版纸质、底色、纹路)我们工厂拥有全套进口原装设备,特殊工艺都是采用不同机器制作,仿真度基本可以达到100%,所有成品以及工艺效果都可提前给客户展示,不满意可以根据客户要求进行调整,直到满意为止!
【主营项目】
一.斯文本科技大学毕业证【q微1954292140】斯文本科技大学成绩单、留信认证、使馆认证、教育部认证、雅思托福成绩单、学生卡等!
二.真实使馆公证(即留学回国人员证明,不成功不收费)
三.真实教育部学历学位认证(教育部存档!教育部留服网站永久可查)
四.办理国外各大学文凭(一对一专业服务,可全程监控跟踪进度)
Top Mobile App Development Trends Shaping the Future
Top Mobile App Development Trends Shaping the FutureChicMic Studios Our Flutter App Development Services deliver high-performance, cross-platform apps with a single codebase. We build visually stunning, responsive apps that run seamlessly on both iOS and Android.
COMPUTER ETHICS AND CRIME.......................................................
COMPUTER ETHICS AND CRIME.......................................................FOOLKUMARI DONT LOOK AT ME
Slides: Eco Economic Epochs for The World Game (s) pdf
Slides: Eco Economic Epochs for The World Game (s) pdfSteven McGee The REAL QFS - DeFi Quantum Financial System structured data AI symbols exchange derived from Net Centric Warfare, Battlefield Digitization for the World Game (s) Great Reset - Redesign: "End state = "in the beginning state" "Start at end state & work backwards" FutureMan
#quantum #financial #system #QFS #patent #Cryptocurrency #Tariff #TradeFi #commodity #wars #patent #law #AI artificial Intelligence Github: https://github.com/Beacon-Heart
Dark Web Presentation - 1.pdf about internet which will help you to get to kn...
Dark Web Presentation - 1.pdf about internet which will help you to get to kn...ragnaralpha7199 Dark web
Djangoアプリのデプロイに関するプラクティス / Deploy django application
- 1. 2019.05.18
- 4. 1 2 3 4
- 5. Topic 1 Web server / Database wsgiref, uWSGI, Gunicorn KEYWORDS MySQL, Replication
- 13. : https://dev.mysql.com/doc/refman/8.0/en/replication-solutions-scaleout.html
- 15. : https://dev.mysql.com/doc/refman/8.0/en/replication-solutions-scaleout.html
- 21. Topic 2 keyword1 Ansible / Packer / Terraform KEYWORDS Docker / Kubernetes
- 28. $ docker pull mysql:8.0 $ docker images REPOSITORY TAG IMAGE ID … mysql 8.0 7bb2586065cd … $ docker run -d —name sandbox_mysql > -e MYSQL_DATABASE="snippets" > -e MYSQL_ALLOW_EMPTY_PASSWORD="yes" > mysql:8.0 $ docker ps
- 29. $ docker stop mysql_sandbox $ docker ps -a CONTAINER ID IMAGE COMMAND … STATUS NAMES 3ccb1576a066 mysql:8.0 "docker…" … Exited (137) sandbox_mysql $ docker rm mysql_sandbox
- 30. FROM python:3.7 MAINTAINER Masashi Shibata <[email protected]> RUN pip install --upgrade pip ADD . /usr/src RUN pip install -r /usr/src/requirements.txt WORKDIR /usr/src EXPOSE 80 CMD ["gunicorn", "-w", "4", "-b", ":80", "djangosnippets.wsgi:application"] $ docker build -t djangosnippets .
- 31. version: '2' services: django: build: context: . environment: - MYSQL_HOST=mysql - SECRET_KEY - MYSQL_PASSWORD links: - mysql ports: - "8000:80" mysql: image: mysql:8.0 environment: - MYSQL_USER=shibata - MYSQL_DATABASE=snippets - MYSQL_ALLOW_EMPTY_PASSWORD=yes - MYSQL_PASSWORD ports: - "3306:3306" volumes: - ./mysql:/etc/mysql/conf.d
- 32. $ docker-compose up -d $ docker-compose logs -f django $ docker-compose exec mysql /bin/bash $ docker-compose down
- 36. runtime: python37 entrypoint: bash -c "python3 manage.py migrate && gunicorn -b :$PORT myapp.wsgi:application” includes: - app-secret.yaml handlers: - url: /static static_dir: static/ - url: /.* script: auto env_variables: MYSQL_HOST: /cloudsql/project:asia-northeast1:foo USE_GCS_BACKEND: 'true'
- 37. Topic 4 SLI Logging KEYWORDS CSRF (Cross Site Request Forgery)
- 44. Topic 4 SQL Injection Clickjackling KEYWORDS CSRF (Cross Site Request Forgery) XSS (Cross Site Scripting)
- 50. from django.utils.decorators import method_decorator from django.views.decorators.csrf import csrf_exempt : @method_decorator(login_required, name='dispatch') @method_decorator(csrf_exempt, name='dispatch') class UnsecureView(View): def get(self, request): comments = Comment.objects.all() html = Template(_comment_list_template).render( Context({"comments": comments})) return HttpResponse(html) def post(self, request): comment = Comment(content=request.POST[‘content'], posted_by=request.user) comment.save()
- 51. <!— attack.html —> <html lang="ja"> <body onload="document.attackform.submit();"> <form name="attackform" action="http://127.0.0.1:8000/csrf/" method="post"> <input type="text" name="content" value="THIS IS A CSRF ATTACK!!!"> <button type="submit"> </button> </form> </body> </html>
- 52. <html lang="ja"> <head> <title>CSRF </title> <meta charset="UTF-8"> </head> <body> <p> </p> <iframe width="0" height="0" src="attack.html"></iframe> </body> </html>
- 56. from django.http import HttpResponse _form_html = """<form method="get"> <input type="text" name="q" placeholder="Search" value=""> <button type="submit">Go</button> </form> """ def xss_view(request): if 'q' in request.GET: return HttpResponse(f"Searched for: {request.GET['q']}") else: return HttpResponse(_form_html)
- 57. <script>alert("XSS ")</script> Safari Chrome Webkit XSS Auditor JavaScript
- 59. # https://github.com/orf/django/blob/abb636c1af7b2fd00a624985f60b7aff07374580/ django/utils/html.py#L33-L52 _html_escapes = { ord('&'): '&', ord('<'): '<', ord('>'): '>', ord('"'): '"', ord("'"): ''', } @keep_lazy(str, SafeText) def escape(text): return mark_safe(str(text).translate(_html_escapes))
- 60. # https://github.com/orf/django/blob/abb636c1af7b2fd00a624985f60b7aff07374580/ django/utils/html.py#L55-L77 _js_escapes = { ord(''): 'u005C', ord('''): 'u0027', ord('"'): 'u0022', ord('>'): 'u003E', ord('<'): 'u003C', ord('&'): 'u0026', ord('='): 'u003D', ord('-'): 'u002D', ord(';'): 'u003B', ord('`'): 'u0060', ord('u2028'): 'u2028', ord('u2029'): 'u2029' } _js_escapes.update((ord('%c' % z), 'u%04X' % z) for z in range(32))
- 63. from django.db import models class Snippet(models.Model): title = models.CharField(' ', max_length=128) class Meta: db_table = 'snippets' # snippets
- 64. def sql_injection(request): if 'snippet' not in request.GET: html = Template(_form_html).render(Context()) else: snippet_id = request.GET['snippet'] sql = "SELECT id, title FROM snippets WHERE id = '{}';".format(snippet_id) snippet = Snippet.objects.raw(sql) html = Template(_snippet_list_template).render(Context({'snippet': snippet})) return HttpResponse(html)
- 65. '; DELETE FROM snippets WHERE '1' = '1 sql (Pdb) sql "SELECT id, title FROM snippets WHERE id = ''; DELETE FROM snippets WHERE '1' = '1';" ※sqlite3 Python slqite3 execute https://docs.python.org/3/library/sqlite3.html#sqlite3.Cursor sqlite3.Warning: You can only execute one statement at a time.
- 67. MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', # 'django.middleware.clickjacking.XFrameOptionsMiddleware', ]
- 68. <html lang="ja"> <head> <title>ClickJacking </title> <meta charset="UTF-8"> <style> .target { position: absolute; opacity: 0; } .attack { position: absolute; width: 200px; height: 50px; z-index: -1; } </style> </head> <body> <button class="attack"> </button> <iframe class="target" src="http://localhost:8000/clickjacking/"></iframe> </body> </html>
- 70. THANK YOU