今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

标签:#beginners

找到 345 篇相关文章

AI 资讯

Web Security Basics Every Developer Must Know (2026)

Web Security Basics Every Developer Must Know (2026) Security isn't just for security teams. Every developer needs these fundamentals to protect their applications and users. The Threat Landscape in 2026 Most common attacks targeting web apps: 1. SQL Injection — Still #1, still devastating 2. XSS (Cross-Site Scripting) — Steals sessions, defaces sites 3. CSRF (Cross-Site Request Forgery) — Actions on behalf of users 4. Authentication bypass — Weak passwords, session fixation 5. Sensitive data exposure — API keys in code, unencrypted data 6. IDOR (Broken Access Control) — Accessing others' data 7. SSRF (Server-Side Request Forgery) — Internal network probing 8. Dependency vulnerabilities — Compromised npm/pip packages Key principle: Defense in depth → Don't rely on one security layer → Multiple independent controls → If one fails, others catch it #1 SQL Injection Prevention // ❌ VULNERABLE: String concatenation const query = `SELECT * FROM users WHERE email = ' ${ email } '` ; // Attacker inputs: ' OR '1'='1' -- // Result: Returns ALL users! // ✅ Parameterized queries (always!) const user = db . prepare ( ' SELECT * FROM users WHERE email = ? ' ). get ( email ); // The database treats the input as DATA, not code. // With ORM (Sequelize/TypeORM/Prisma): User . findOne ({ where : { email } }); // Safe by default // Even with parameterized queries, validate input first: function isValidEmail ( email ) { return /^ [^\s @ ] +@ [^\s @ ] + \.[^\s @ ] +$/ . test ( email ); } if ( ! isValidEmail ( email )) return res . status ( 400 ). json ({ error : ' Invalid email ' }); // ⚠️ Dangerous: Dynamic table/column names can't be parameterized! const allowedTables = [ ' users ' , ' products ' , ' orders ' ]; if ( ! allowedTables . includes ( table )) throw new Error ( ' Invalid table ' ); #2 XSS (Cross-Site Scripting) Defense // Types of XSS: // 1. Stored XSS: Malicious script saved in DB, shown to all viewers // → Comment sections, profiles, product reviews // 2. Reflected XSS: Sc

2026-06-02 原文 →
AI 资讯

I Thought Figma MCP Could Recreate Any Design. I Was Wrong.

Introduction Since I started publishing articles on Dev.to, I've been working on a personal project to transform my old blog website—which is no longer actively maintained—into a portfolio site ♻️ As part of that project, I recently started learning Figma and UI design🎨 When I discovered Figma MCP , I imagined a future where generative AI could automatically create polished, modern, and visually appealing designs for me with minimal effort 😎 Unfortunately, reality turned out to be quite different . This article is a reflection on that experience and a reminder to my future self about what I learned along the way📝 TL;DR I wanted to design a portfolio website in Figma , but quickly realized that UI design was more difficult than I expected. I wondered whether using Codex and Figma MCP would allow me to outsource the design process to AI , so I decided to try it. I couldn't magically generate the polished design I had imagined while also maintaining a well-structured Figma file with globally managed variants and reusable components. I learned that defining design rules first and building components step by step helped produce results that were much closer to my original vision. Even then, the process was not dramatically easier than expected, so I eventually decided to keep things simple and build my portfolio around the design principles already provided by shadcn/ui . What I Tried with Figma MCP🎨 While planning the UI design for my portfolio website , I initially created simple wireframe-like layouts in Figma to explore the overall page structure and component placement before working on detailed designs. At first, I wanted to keep things simple. However, as I continued working on the project, I found myself wanting something more polished, more modern, and ultimately more impressive . The problem was that I have very little confidence in my design skills. I'm an in-house IT engineer, not a professional developer or designer, so I often struggle to judge what makes a

2026-06-02 原文 →
AI 资讯

Image vs. Container: The Ultimate Guide to Stop Confusing the Two

We've all been there. You're 45 minutes into a Docker tutorial, feeling great about yourself, and then someone casually drops: "Just pull the image and spin up a container." And you think: "...wait, aren't those the same thing?" First - this has happened to a good number of us if we are to be honest. Even almost every single DevOps engineer, cloud architect, and platform wizard you admire has typed the wrong term in a sentence at least once in their career. It's practically a rite of initiation. There should be a badge for it if you ask me. Why Does This Trip Everyone Up? Here's the sneaky truth: Docker commands blur the line constantly. You type docker run nginx and something called a "container" starts — but wait, didn't you just use an "image" called nginx ? Where did one end and the other begin? The confusion lives in the fact that they are deeply related — one literally gives birth to the other. But they are fundamentally, completely different things. Getting this distinction straight is your official rite of passage into DevOps. Once it clicks, the rest of Docker feels like cheating. Basically, A Docker Image is the blueprint : a frozen, static snapshot of everything your app needs - the OS layer, the dependencies, the config files, your actual code. It just sits there on disk, completely inert. You can't run a blueprint. A Docker Container is the house : the live, running instance that was built from that blueprint. It has processes running, files potentially being written, network ports being listened on. It's alive. And now, just like one blueprint can produce 10 identical houses on different streets - one Image can launch 10 identical Containers simultaneously; and that's where Docker's scaling magic comes from. # The image just sits here, unchanging docker pull nginx # Now we BUILD a house (container) from the blueprint docker run nginx # Build THREE houses from the same single blueprint docker run nginx docker run nginx docker run nginx Here is an exampl

2026-06-01 原文 →
AI 资讯

Your Job Search Is Not a Lottery

There is a special kind of productivity theater that happens during a developer job search. You wake up motivated, open LinkedIn, and apply to 27 positions before breakfast. You press the Easy Apply button with the precision of a professional gamer. By the end of the week, you have submitted 143 applications, updated a spreadsheet with several impressive numbers, and developed a minor emotional dependency on refreshing your inbox. Unfortunately, your inbox still looks like an abandoned shopping mall. No interviews. No useful feedback. No clear explanation. Perhaps two automated emails thanking you for your interest before informing you that the company decided to “move forward with other candidates,” a sentence that has become the corporate version of disappearing into the fog. So you decide to solve the problem by applying to another 200 jobs. This is not a strategy. It is email-based agriculture. You are throwing resumes into the soil and waiting for a recruiter to grow. Volume Matters. Blind Volume Does Not. Let us begin with an uncomfortable truth: getting your first developer job usually requires applications. Sometimes it requires many applications. The market will not discover your GitHub profile through divine intervention. A recruiter is unlikely to wake up in the middle of the night with a mysterious urge to search for junior developers who recently deployed a to-do list. You need to put yourself in front of companies consistently. However, there is a significant difference between applying consistently while improving your positioning and clicking every blue button on LinkedIn until one of you collapses. Volume is useful when it generates information. Blind volume only produces exhaustion. If you apply to 300 jobs with the same generic resume, the same generic portfolio, and the same vague explanation of your skills, you are not running 300 experiments. You are repeating the same experiment 300 times and acting surprised when the result remains unchanged.

2026-06-01 原文 →
AI 资讯

#javascript #webdev #beginners #codenewbie

Hello Dev Community! 👋 It is officially Day 8 of my journey to master the MERN stack! After spending the first week structuring with HTML and styling with CSS, today I finally started learning the core language of web logic: JavaScript . Moving from static designs to actual programming logic feels like unlocking a whole new level of web development. 🧠 Key Learnings From Day 8 Today was all about setting up the foundation in JavaScript and understanding how code runs in the browser. Here is what I covered: 1. The Browser Console & Execution I learned that every browser has a built-in environment to run JavaScript. Writing my very first console.log("Hello World"); and seeing it print in the developer tools console was the perfect start. 2. Variables: Storing Data Safely I learned how to store information using variables and the crucial differences between modern variable declarations: let : For values that can change later in the program (mutable). const : For values that must remain constant and cannot be reassigned (immutable). Note: I also read about var , but learned why modern JavaScript avoids it due to scoping issues. 3. Data Types Fundamentals Data needs a type so the computer knows how to handle it. Today I practiced with: Strings: Plain text enclosed in quotes (e.g., "MERN Stack" ). Numbers: Integers and decimals without quotes (e.g., 2026 ). Booleans: Simple true or false states (e.g., isLearning = true ). 🛠️ What I Actually Code / Experimented With Since I am just starting with core logic, I didn't write code directly into my HTML webpage layout today. Instead, I created a script.js file, linked it to my project, and built a basic script in the console that: Stores a user's name and learning status in variables. Dynamically calculates values (like years left until a milestone). Outputs formatted statements into the browser console. It is simple, but understanding how data moves in the background is incredibly exciting. 🎯 My Goal for Tomorrow (Day 9) Tomorr

2026-06-01 原文 →
开发者

Python Programming for Beginners – Day 9

Tuples, Sets, and Dictionaries in Python In the previous lesson, we learned about Lists and how they are used to store multiple items in a single variable. Today, we will learn about three important Python data structures: Tuples Sets Dictionaries These data structures help programmers organize and manage data efficiently in different situations. 1. Tuples in Python A Tuple is a collection of items stored in a single variable. Tuples are: Ordered Unchangeable (Immutable) Allow duplicate values Tuples are created using parentheses "()". Example languages = ( " Python " , " Java " , " C++ " ) print ( languages ) Output ( ' Python ' , ' Java ' , ' C++ ' ) Accessing Tuple Items Tuple items are accessed using indexes. Example languages = ( " Python " , " Java " , " C++ " ) print ( languages [ 0 ]) print ( languages [ 1 ]) Output Python Java Negative Indexing in Tuples Example languages = ( " Python " , " Java " , " C++ " ) print ( languages [ - 1 ]) Output C ++ Tuple Length The "len()" function returns the number of items in a tuple. Example numbers = ( 10 , 20 , 30 ) print ( len ( numbers )) Output 3 Why Tuples are Important Tuples are useful when data should not be modified accidentally. They are commonly used for: Fixed data Coordinates Database records Returning multiple values from functions 2. Sets in Python A Set is a collection of unique items. Sets are: Unordered Unchangeable items Do not allow duplicates Sets are created using curly brackets "{}". Example numbers = { 1 , 2 , 3 , 4 } print ( numbers ) Output {1, 2, 3, 4} Duplicate Values in Sets Sets automatically remove duplicate values. Example numbers = { 1 , 2 , 2 , 3 , 4 } print ( numbers ) Output {1, 2, 3, 4} Adding Items to a Set The "add()" method inserts a new item into a set. Example numbers = { 1 , 2 , 3 } numbers . add ( 4 ) print ( numbers ) Output {1, 2, 3, 4} Removing Items from a Set The "remove()" method removes an item from a set. Example numbers = { 1 , 2 , 3 , 4 } numbers . remove ( 2 ) print

2026-06-01 原文 →
开发者

How to Find a Prime Number in Python — A Thinking Journey

Introduction Understanding how to find prime numbers is one of the best ways to develop logical thinking in programming. It looks simple on the surface, but it teaches you how to break a problem into smaller steps, build a solution gradually, and then improve it into a clean and reusable structure. In this blog, we will not jump directly into code. Instead, we will start from basic thinking, slowly convert that thinking into logic, and finally refine it into a proper Python program using functions and loops. The goal is not just to find prime numbers, but to understand how programming logic is actually built in real development. 1. Understanding the Problem First Before writing anything in Python, we need to understand what a prime number actually means. A prime number is a number that: is greater than 1 has exactly two divisors: 1 and itself So the real question becomes: How do we check whether a number has any divisors other than 1 and itself? That is the core problem we are trying to solve. 2. Thinking Like a Human Before Coding Let’s take a number, for example 13. To check if 13 is prime, we naturally try dividing it by smaller numbers: 2 → does not divide 13 3 → does not divide 13 4 → does not divide 13 5 → does not divide 13 and so on If none of these numbers divide 13 completely, then 13 is prime. So the logic is simple: Try dividing the number by possible candidates and see if any divide it perfectly. 3. Turning Thinking into a Basic Algorithm From the above idea, we can form a basic structure: We need: a number to test a variable that moves through possible divisors a way to detect whether a divisor exists We start checking from 2 because every number is divisible by 1 anyway. We also do not need to check beyond half of the number, because a number cannot have a divisor greater than half (except itself). So the idea becomes: Start divisor from 2 Go up to number // 2 If any number divides it evenly, it is not prime 4. First Working Logic (Direct Implementati

2026-06-01 原文 →
开发者

🌐OS May Recap: Learning to Navigate the Open-Source Galactica

In May, I continued my "One Commit a Day" Challenge and spent more time contributing across different open-source projects. Compared to April, I was able to contribute a bit more and explore a wider variety of repositories. Repositories That Stood Out Some of the projects that left the biggest impression on me were: python-odpt Huggin Face Context Course Human Signal ML ScribeSVG A Stable Checkpoint One milestone I was happy about this month was reaching a stable checkpoint for my Tokyo MCP Server project. It is still a work in progress, but getting to a point where the project feels stable enough to build upon was a satisfying moment. Documentation Matters Another contribution that stood out was helping improve a python-odpt README documentation . It wasn't a large technical contribution, but it reminded me that making a project easier for others to understand can be just as valuable as writing code. Good documentation lowers the barrier for future contributors. Sometimes, a clearer README can help more people than a small code change. Learning Beyond Python One practical lesson I learned this month was that being a Python-focused contributor doesn't mean I can ignore the JavaScript ecosystem . While working with different repositories, I finally installed Node.js and started using npm . Many modern open-source projects rely on TypeScript-based tooling, build systems, or development workflows, and understanding those tools makes contributing much easier. The Biggest Challenge: Finding Information And Communication Matters The biggest challenge I faced wasn't coding. It was documentation. Every repository has its own way of organizing information. There are definitely common patterns, but every project also develops its own style over time. Sometimes the information I need is in the README. Sometimes it's in a wiki. Sometimes it's buried in a docs folder several levels deep. And sometimes it's spread across all three. Open Source Is Also About Navigation As a contri

2026-06-01 原文 →
AI 资讯

When Does the Information Overload Stop?

Every time I sit down to learn something, I find myself trapped in the same cycle. I start with a tutorial. Halfway through, someone says there's a better tutorial. I switch. Then I discover a book that supposedly explains the topic better than the tutorial. Then a YouTube video claims the book is outdated. Then a developer on social media recommends an entirely different resource. Before I know it, I've spent three hours researching how to learn instead of actually learning. Does the information overload stop or will there always be another resource, another course, another book, another video, another roadmap, another expert with a different opinion. The internet has made knowledge abundant, but abundance creates a paradox of choice. One person says to learn JavaScript from documentation, another says build projects immediately, another recommends a paid course, someone else insists that free resources are better. Every recommendation sounds convincing. Every path seems important. The result is paralysis. Instead of moving forward, I keep searching, instead of building I keep comparing, instead of learning I keep consuming. finished teaches more than a hundred bookmarked tutorials. At some point, every learner must accept a difficult truth that the goal is not to find the best resource it is to become better. Those are not the same thing. A person can spend months researching the perfect learning path and never write a meaningful line of code while another person can pick a decent resource, make mistakes, build projects, and improve every day. The second person wins not because they found better information but because they used the information they already had. I've started realizing that learning is a lot like fitness. At some point, reading about exercise becomes a form of avoiding exercise. The same thing happens in programming. Reading about coding becomes a way to avoid coding. Researching becomes a substitute for practice. The search for the perfect resourc

2026-06-01 原文 →
AI 资讯

JWT Explained: What's Actually Inside That Token (with a free decoder)

If you've ever worked with auth, you've seen a JWT — a long string like eyJhbGci... split into three parts by dots. It looks cryptic, but it's surprisingly simple once you see inside. A JWT has three parts header.payload.signature Header – tells you the signing algorithm, e.g. {"alg":"HS256","typ":"JWT"} Payload – the claims (the actual data), e.g. {"sub":"123","name":"John","iat":1516239022} Signature – verifies the token wasn't tampered with (needs the secret/key) The header and payload are just Base64url-encoded JSON — not encrypted. That means anyone can read them. So: ⚠️ Never put secrets in a JWT payload. It's signed, not hidden. Decoding one yourself You can decode the payload in the browser console: const [, payload ] = token . split ( " . " ); console . log ( JSON . parse ( atob ( payload ))); Or, if you just want to paste a token and instantly see the header + payload (without sending it to a server), I built a free decoder that runs entirely in your browser: https://forgly.dev/tools/jwt-decoder Decoding ≠ verifying Reading a JWT is trivial. Trusting it is not — you must verify the signature on your server with the secret/public key before relying on any claim. Decoding just lets you inspect what's there. That's the whole mental model: a JWT is a readable, signed envelope — not a locked box.

2026-05-31 原文 →
AI 资讯

How I Built Hidden Collector Game in Unity

As part of my game development journey, I recently created Hidden Collector , a Unity-based game where players explore levels and collect hidden items while progressing through different challenges. This project started as a way for me to improve my Unity and C# skills, but it quickly became an opportunity to learn about game design, UI systems, audio management, scene transitions, and player experience. What I Worked On While building Hidden Collector, I implemented: Player movement and interactions Collectible item systems Multiple game levels UI menus and game screens Audio and sound effects Progress tracking Game flow and scene management Challenges During Development One of the biggest challenges was making different game systems work together smoothly. Something as simple as collecting an item often required updates to UI elements, game state management, and progression systems. Debugging these interactions taught me a lot about organizing Unity projects and writing maintainable code. What I Learned This project helped me gain experience with: Unity Engine C# scripting Game architecture UI implementation Audio management Debugging and testing Most importantly, I learned that building complete projects teaches far more than following tutorials. Play the Game You can try Hidden Collector here: https://sinxcos07.itch.io/hiddencollector Screenshots What's Next? I'm continuing to improve my game development skills by building new projects, experimenting with different mechanics, and learning more about creating engaging player experiences. If you try the game, I'd love to hear your feedback. By Suryansh Sinha (sinxcos07) Connect With Me GitHub: https://github.com/sinxcos07 LinkedIn: https://www.linkedin.com/in/suryansh-sinha/ Play Hidden Collector: https://sinxcos07.itch.io/hiddencollector

2026-05-31 原文 →
AI 资讯

103. Agent Memory: Short-Term, Long-Term, and Episodic

Agent Memory: Short-Term, Long-Term, and Episodic Main Thumbnail Image Prompt: A human brain cross-section illustration in neon tones on dark background. Three regions clearly demarcated and labeled. The hippocampus region glows blue, labeled "Episodic Memory: what happened." The prefrontal cortex glows orange, labeled "Working Memory: what I'm doing now." A network of distributed nodes glows green, labeled "Semantic Memory: what I know." Arrows show information flowing between regions. Scientific but accessible, the memory architecture made neural and visual. Memory Architecture Diagram Image Prompt: Four storage boxes arranged vertically on dark background. Top: "In-Context Window (Working Memory)" — fastest, smallest, temporary, shown as RAM chip icon. Second: "External Vector Store (Semantic Memory)" — fast retrieval, persistent, shown as cylinder with search icon. Third: "Key-Value Store (Episodic Memory)" — structured facts, shown as database icon. Bottom: "Fine-Tuned Weights (Procedural Memory)" — slowest to update, most permanent, shown as brain with lock. Arrows showing read/write speeds between boxes. Clean, technical, the hierarchy is the insight. Memory Retrieval Flow Image Prompt: A query arrives at an agent on the left. Four parallel arrows go right to four memory sources: conversation history (short chat bubbles), vector database (semantic search visualization), structured database (table icon), model weights (brain icon). Each source returns relevant items. A "Memory Fusion" box on the right combines the results. The agent sees an enriched context. The retrieval from multiple stores is the architecture. Every conversation with an LLM starts from zero. You explain your project. You explain your preferences. You explain your constraints. You spend five minutes providing context. You come back tomorrow. You do it all again. The model remembers nothing between sessions. The context window closes. The state is gone. Every interaction is the agent's first

2026-05-31 原文 →
AI 资讯

Introduction to n8n: Beginner Course Summary

In this blog, I’ll give a clear brief summary of the n8n beginner course . You can watch the full video course on the official n8n website (link in the references below). What is n8n? n8n is a powerful workflow automation platform that combines AI capabilities with business process automation. It offers a node-based visual interface while giving you full control to write custom JavaScript or Python code directly in the canvas. APIs and Webhooks Understanding APIs An API (Application Programming Interface) allows different applications to communicate with each other. Almost every modern app has an API you can connect to. Example: Google Sheets API lets you read or update data in spreadsheets. When working with APIs, we make requests and receive responses . Components of an HTTP Request There are four main components: URL – The unique address of the resource (page, image, data, etc.). Includes: Scheme, Host, Port (optional), Path, Query Parameters (optional). Method – Defines the action you want to perform: GET – Retrieve data POST – Send data PUT / PATCH / DELETE – Update data (less common) Headers – Provide additional context (language, device type, location, etc.). Body – Contains data being sent (used mainly with POST requests). Authentication (Credentials) To prove you’re allowed to make a request: API Key (via query parameter or header) OAuth (most secure common method) HTTP Response Components Status Code – Tells if the request was successful: 200 = Success 401 = Unauthorized 404 = Not Found 500 = Server Error Headers – Metadata about the response (content type, length, expiration, etc.). Body – The actual data returned (usually JSON, HTML, or binary). What are Webhooks? Webhooks are used when an external service needs to notify your workflow automatically (e.g., every time a payment is made in Stripe). You provide a URL that receives a POST request when the event occurs. Nodes in n8n Nodes are the building blocks of every workflow. There are three main categor

2026-05-31 原文 →
AI 资讯

Great Stack to Doesn't Work Bonus: SQL vs NoSQL: Which One in 2026?

The honest decision framework, not another flame war. The SQL vs NoSQL debate has been running for 15 years and it still generates more heat than light. Here's the framework that actually helps you decide. The Real Question It's not "SQL or NoSQL." It's: what does your access pattern look like? If your application is mostly reading and writing related data through well-defined queries — orders with line items, users with addresses, products with categories — relational databases are purpose-built for this. JOINs are not expensive when they're indexed. Transactions are not slow when they're scoped correctly. PostgreSQL handles 50 million rows comfortably on a single node. If your application is reading and writing self-contained documents with predictable access by a primary key, and you rarely need cross-document queries — user profiles, product catalogs, content management — a document database simplifies your code. No ORM mapping hell. No migration files for adding a field. If your application writes massive volumes and reads by partition key with eventual consistency — time-series data, IoT telemetry, activity feeds at scale — wide-column stores like Cassandra were built for this specific workload. The 2026 Reality PostgreSQL has eaten NoSQL's lunch in many areas. JSONB support means you can store and query unstructured data inside PostgreSQL with GIN indexes. You get the document model flexibility without giving up transactions, JOINs, and a 30-year ecosystem. For 80% of startups and mid-size companies, PostgreSQL is the only database you need. MongoDB has gotten more relational. Multi-document ACID transactions (since 4.0), schema validation, aggregation pipelines that look suspiciously like SQL. It's converging toward what PostgreSQL already does, but with a different starting point. DynamoDB dominates serverless. If you're in AWS and your access pattern is simple key-value with known query patterns, DynamoDB's pricing model (pay-per-request) and operational s

2026-05-31 原文 →
AI 资讯

[Imposter syndrome] Back to the beginning (DevSecOps path)

I’ve been writing my project - Python port scanner for 9 months now. You might be wondering, “Why is it taking so long?” Most of the time was spent figuring out how raw sockets work, how to write a function for manually assembling a packet, calculating the checksum, packing the IP packet bytes, the TCP header, the pseudo-header using struct.pack, sending the packet, and how SYN scanning works. Why did I decide to take such a complicated route instead of just using Scapy? I’m a principled person and have a very exhausting yet useful skill—understanding everything. That’s how I got acquainted with big-endian, or “network byte order.” I won’t go into the details of big-endian logic, to be honest, I’m already mentally exhausted It took several evenings and nights to analyze and understand the principles—watching videos, reading RFCs, and looking at GitHub code (which I didn’t understand)—but what bothered me most was that I had to ask gemini for an explanation. As I mentioned above, I’m very principled; I can’t just copy code without understanding it, so I ask gemini for a prompt like this: “Don’t write the code for me. If I end up asking you for an example because I’m tired, explain it line by line.” Yesterday I realized I don’t fully understand Python (basics)—I don’t remember REPL—so I went to ask Gemini for advice; I don’t have anyone competent who could help me with advice. I’m not very sociable, and the only thing that’s interested me for the last four years is IT. I used to make music. Lately, something strange has been going on with my health, the day before yesterday I woke up because of a nosebleed; this has happened before, but on a larger scale. I stopped working on the scanner yesterday and decided to try writing a backup script in Python. I found an article and jotted down in Obsidian what the project should and shouldn’t do. Previously, the project used Docker, Prometheus, and Grafana. My questions: Am I a good developer, and am I even one at all? Should

2026-05-31 原文 →
AI 资讯

An Introduction to AI Hub, Part 2: Custom MCP Servers

Welcome back to a series of introductory articles on AI Hub, the new product feature currently in an early access program! (links: EAP Site for download, documentation ) In the last article, we covered how to create agents and agent tools directly in ObjectScript using the new %AI classes. However, sometimes, instead of creating a new agent, you just want to add some custom tools to an existing agent so you can ask your local claude code, codex, copilot or other agent of choice to query your data directly. This is where MCP Servers might come in. In this guide, we will walk through how you can create your own MCP Servers to access your data. Disclaimer: AI Hub is an early access preview, with features likely to change before production releases, any issues identified can be raised as issues on the documentation GitHub repo linked above. The EAP preview is not to be used in production settings. A very brief intro to MCP I'm going to keep this brief because there are loads of other good articles on MCP Servers Model context protocol (I recommend starting with this article from @pietro .DiLeo or this brilliant introductory video from InterSystems President Don Woodlock). Model Context Protocol is a transport protocol allowing external tools to be added to an agent . There is a discovery 'handshake' where the MCP server sends a list of tools to the MCP Client. After the tools are discovered, the agent can send requests for tool executions, including parameters, to the MCP server, which executes the tool call and returns the result. MCP servers can be remote servers, i.e. running on a different machine to a client, this usually uses a streamable http/https connection or Server-Side Events. Or MCP servers can be local servers, i.e. running on the same machine, usually using a stdio connection. An important distinction AI hub allows you to create custom MCP servers within your IRIS environment, allowing agents to access or monitor your IRIS databases, productions and statu

2026-05-31 原文 →
开发者

The Unlikely Journey from Bricks to Bytes

I'm a builder. I taught myself to run servers because freelancers kept burning my money. West London, 2021. I was standing on a site holding a cup of tea that had gone cold an hour earlier, watching a crew argue about where a wall should go. That's my actual job. Schedules, suppliers, the kind of problems that only exist at 7am when half the crew hasn't shown up and the client is already phoning. But my head was somewhere else. I'd been chewing on an idea for a classifieds platform for months. Not a grand vision, nothing with a business plan and projections. Just a gap I could see — a way to connect buyers and sellers that felt easier and more global than what was out there. The problem was that I knew nothing about programming. And I mean nothing. I didn't know what a database was. I'd never written a line of code. My entire technical CV was "reasonably good at not breaking my own phone." So I did what most people in my position do. I tried to buy my way in. The expensive year I found a ready-made classifieds script online. Looked professional, had features, didn't cost the earth. The smart shortcut, I told myself. Then I hired a freelancer to customise it. Then another one, when the first disappeared mid-project. Then another, when the second delivered something that worked on a good day and fell over on a bad one. Here's the thing nobody warns you about hiring freelancers when you can't read code: you can't judge the work. You can't tell the difference between someone who wrote something clean and someone who duct-taped it together to last until the invoice clears. Both show you the same thing — a screen where the button does what the button's meant to do. So you pay, you say thanks, you move on. And three months later the button stops working and the freelancer's gone. Meanwhile the bots had found me. Within weeks of going live, automated scripts were hammering the contact form, then the registration page, then the login. "It's normal," a freelancer told me. "Ha

2026-05-30 原文 →
AI 资讯

CSRF, and the cookie flag

<form action= "https://bank.com/transfer" method= "POST" > <input name= "to" value= "attacker" > <input name= "amount" value= "10000" > </form> <script> document . forms [ 0 ]. submit () </script> Five lines of HTML on a malicious page. When a user who's logged into bank.com in another tab visits this page, the browser auto-submits the form, attaches their session cookie, and ten thousand dollars leave their account. They didn't click anything. The malicious site didn't see their password. There was no XSS, no breach, no leak in the traditional sense. The browser did exactly what it was designed to do. That's CSRF — Cross-Site Request Forgery — and it's been the classic "confused deputy" attack on the web for two decades. Let's walk through what makes it work, why CORS doesn't help, and the one cookie flag that mostly killed it around 2020. Why the browser attaches your cookie to that request Cookies belong to a domain. When you log into bank.com , the bank sets a session cookie in your browser: Set-Cookie: session=abc123; HttpOnly From that point on, every single request your browser sends to bank.com carries that cookie. Every page load. Every API call. Every image fetch. The browser does it automatically, without asking, and regardless of who triggered the request. That last word is the door CSRF walks through. The browser attaches the cookie based on where the request is going , not where it came from . So when evil.com triggers a POST to bank.com/transfer , the browser sees a request destined for bank.com , looks up the cookies for bank.com , and attaches them. As far as the bank's server can tell, the request looks exactly like one the user submitted from inside the bank's own page. This is the "confused deputy" idea. Your browser is the deputy. It has authority on your behalf (your cookies). And it's been tricked into using that authority for someone else's benefit. The server has no way to tell the difference, because from its point of view, there isn't one.

2026-05-30 原文 →
AI 资讯

Quark's Outlines: Python User-defined Functions

Quark’s Outlines: Python User-Defined Functions Overview, Historical Timeline, Problems & Solutions An Overview of Python User-Defined Functions What is a Python user-defined function? You can define your own function in Python using the def keyword. A Python user-defined function is made when you write a def block in your code. When Python runs this block, it creates a function object. A function object has special parts. These include its name, its list of default values, and its code. It also keeps a link to the global names from the file where it was made. You can use this object to call the function later with any valid input. Python lets you create named function objects with the def keyword. def greet ( name = " friend " ): return " Hello, " + name print ( greet ()) print ( greet ( " Mike " )) # prints: # Hello, friend # Hello, Mike The function greet is now a user-defined function. Python stores its name, code, and default values for later use. What are the special parts of a Python function? A Python function holds many facts about itself. These are called attributes. For example, __name__ holds the function name. __defaults__ is a tuple of default values. __globals__ holds the global names it can see. __code__ is a special object that stores the function’s bytecode. Python functions store their details in special attributes. def square ( x = 2 ): return x * x print ( square . __name__ ) print ( square . __defaults__ ) print ( square . __code__ . co_varnames ) # prints: # square # (2,) # ('x',) These parts let Python understand and run your function later. A Historical Timeline of Python User-Defined Functions Where do Python’s user-defined functions come from? User-defined functions in Python build on ideas from earlier languages. They let you name blocks of code and reuse them. Over time, Python added new parts to function objects—like closures, default values, and metadata—to make them more powerful. People designed ways to name and reuse logic 1958 — Fu

2026-05-30 原文 →