Kristian Lunde

The Zend_Input_Filter is a very useful tool when you need to validate and filter the input to your application. It allows you to both filter and validate the input without a lot of hassle. One of the cool features it has is that it allows you to add the validators you need and meta commands to each validator. For instance you can set an Alnum validator to allow empty fields, set a default text and so on.

I came over this annoying issue the other day when I tried to setup the Alnum validator to allow white spaces and have a few meta commands attached to the validator chain. The manual says that you can do this:

Which I assumed would also work like this:

This does not work though. You need to remove the validator type string and replace it with an instance of the Zend_Validate_Alnum validator to get it to accept whitespaces and meta commands. This is the right way to do it:

The entire script ends up looking like this:

The other day I had a frenzy at amazon and ordered quite a few books I have had on my shopping list. The books are of course all computer and web related. The books I ordered was:

• Building Scalable Web Sites by Cal Henderson
• High Performance MySQL
• JavaScript: The Good Parts by Douglas Crockford
• Don’t Make Me Think!: A Common Sense Approach to Web Usability by Steve Krug
• Cocoa Programming for Mac OS X by Aaron Hillegass

I am halfway through the building scalable web sites and it is really good, even if you are a seasoned web developer I think you can learn quite a bit from it. I have also started to read the MySQL book and can’t wait to learn more about database replication, that is something I really want to find out more about. The “Don’t make me think” book will hopefully assist me on building more user friendly web sites, and hopefully the javascript book(still in the mail) will help me to brush up my js skills.

The Cocoa book was on sale, and you never know when you have to do a bit of programming for a mac

Yesterday I had the “pleasure” of merging two code bases of the same application. The code bases had been developed in two different parts of the world, but shared a common foundation. I got access to a development version of the code base a few weeks ago, and the final delivery of the application was done late last week. No version control system was shared between myself and the contractor which made the merge a bit more cumbersome. Unfortunately I could not wait for the contractor to finish the development before I started to add features and bug fixes to the application; this eventually resulted in two separate versions of the code base.

I was aware that this merge would going to happen from the very start so some precautions were taken before I started my own branch of the source code.

1. I separated all new features out in separate directories and added symbolic links to these in the existing code base. This worked very well and we had no problem at all adding the new features to the final delivery.

2. I tried to be very careful and keep track of all the bug fixes and changes done to the original code.

Trouble

I realized that we would have trouble with the final merge not long after I received the first development version, it was cluttered with bugs and issues which made it impossible to even run it in my development version. To get the application up and running I had to make a bunch of changes to the code.

In addition to the initial bugs I soon realized that the front end of the application (read: html and css) was a complete mess. The site was not browser compliant, nothing validated and it was impossible to go through. These issues would not be resolved by the contractor and since the project was on the clock it needed resolving as quickly as possible. This ended up in a complete rebuild of the front end which modified 300+ files.

1st Attempt – Failure

1. Created a git branch of my development code
2. Added the final code from the contractor to the branch

This ended up in a complete mess, nothing working, a complete mess.

2nd Attempt – Success

When the final delivery from the contractor came through the two code bases was in completely different states, most of the bug fixes I had was still needed.

1. Created a git branch of my code base
3. Found the differences from the initial development version we got and the final delivery

Where dev is the directory of the untouched development version we got access to, and final is the directory of the final delivery. This resulted in a complete list (changes.txt) of files which differed between the two original versions. It also identified files that was obsolete in and new files that was added. An example of the content in the changes.txt can be seen below.

4. Once I had this overview I added all the new files from the final version into my git branch.
5. Updated all the files I knew had not been changed. I had a list of all the core files which had been changed.
6. I manually had to go through all the core files that had been changed and compare them with the files from the final delivery.
7. Remove all old files which only were present in the development delivery.
8. Manual comparison of all the front end files, updating and merging these files by hand. Diff can not be used here since the entire front end has changed, and it would only result in a complete difference, still there might have been changes that I needed to incorporate with the new front end.

I still have approx 150 front end files to compare, it is time consuming and frustrating labor, but it seems to be the only way to do it. I keep testing the application while doing the update and so far all of the changes and updates has been successful.

The positive flip of this is that I get a good overview of the code and understanding of the application when I have to go through much of the code from the final delivery.

I might not have chosen the best solution and I would love to hear your approach if you have done similar things or have an opinion about it.

In Orange Bus we are currently busy building a new web shop for a clothing company. We are building this web shop on Drupal 6 and Ubercart 2. While I was doing some tuning of the product page (built as a node template) on this site I suddenly realized that even though you can get most of the information needed in from the $node object, you are unable to get the default options of each attribute.

In my case this attribute was the sizes of the products (small, medium, large and so on), the node object contained all the attributes but not the default options. It is not at all complicated to get this information but you do need to add some custom code to get a hold of the default options. I would argue that this should be included in the default node object, which really should not be a big deal adding. I guess I should add a patch for this, instead of going around the problem which is what I do and describe here.

To get a hold of this I had to call a ubercart specific function called uc_product_get_attributes function. This function takes a node id as parameter and return all an array of all the attributes related to the node. The array contain a set of attributes objects and these object contain all the information available on each attribute.

My solution was to call the uc_product_get_attributes function and get the default_option variable from the attribute object, see code example below.

It is simple, but it took me about an 30 minutes to determine the problem and adding a solution. Hopefully this will save someone the job of solving the same problem.

Back when I was at the university we had a course called “Programming languages”, there we learned a little something about a lot of known and less known programming languages. One of these languages was Standard ML, and I remember that I was quite fascinated with that language, it was so different from everything else we had learned. Since then the functional languages have become a bit more common, with Erlang, F#, Clojure, Scala and Haskell as some examples (more functional languages can be found here: http://en.wikipedia.org/wiki/Category:Functional_languages). I have not used any functional languages since then and I thought I would just briefly refresh my memory by installing Standard ML and try the most basics of the language.

Installation

I am currently using a Mac so installing sml-nj was really simple. I downloaded the mac .dmg package from http://www.smlnj.org/ and ran the installer. the system was installed by default at /usr/local/smlnj-110.68. I added the path to my .profile file, which enables me to start sml without being in the sml bin root folder.

When that was done I could start the sml shell (just type sml in your shell):

Example 1: Start standard ML

(To exit the sml shell use key combination: CTRL + D).

First touch – Hello World

I always do a Hello World programming in a new language. Even though I have been playing around with Standard ML before I do not remember a hole lot of it, so I start from scratch.

Example 2: Print “Hello World”

The – is the sml prompt, to end a expression the semi-colon is used. So to write Hello World all you have to do is to apply quotes around the text and end it with ; and hit enter. The result gives us the text and the data type.

The first function

To do a Hello world proved to be quite simple, so lets take it a bit further and write a function which prints the hello world text.

Example 3: The first function

The function itself is a one liner seen on line 1 in the example above. The function is created using the fun keyword, the function is named hello and have no parameters which result in the (). The function return a result of the data type string, this is defined with the :string element, The content of the function start after the equal sign, and is just a print of the hello world text. To end the function close semi-colon.

When creating a function which is compiled we get the response seen in line 2. This tell us that hello is a function and that it return a string. I believe the unit text mean that the function does not take any parameters (I might be wrong).

To execute the function just type the name of the function, see line 3 in the example above, this result in printing out the “hello world” text as seen in line 4. Line 4 tell us that the result of the function is “Hello World” and the data type is a string.

Functions with parameters

Now we have created our first function, but a function usually need one or more parameters, so let us have a look at that. The next function is a simple echo function which just print the text to screen.

Example 4: Function with parameter

Line 1 in example 4 define the function, it takes one parameter s as a string, the return data type is also a string and it just output the string to the shell. When the function is executed in line 3 the parameter is “Hello World” and the result is seen in line 4.

To add more than one parameter just add a comma between the parameters. Remember to define a data type on all the parameters.

Example 5 is a function which takes to parameters and sum the two parameters together before returning the result.

Example 5: function with multiple parameters

Lambda expressions

Lambda expressions is also known as anonymous functions, and create a function without any name. This is used quite frequently in sml and are written as seen in example 6.

Example 6: lambda expression.

The example 6 do not do much except print out the Hello world text when it is called. Naturally a lambda expression must be called as part of another function or code snippet.

Load a function from file

To load sml code from a file just use:

Where you replace ../sml/myfile.sml to point to your file.

Resources

This is the best online introductions I have found so far are:
www.pllab.riec.tohoku.ac.jp/smlsharp/smlIntroSlides.pdf
http://www.cs.cornell.edu/riccardo/prog-smlnj/notes-011001.pdf

A short FAQ:
http://www.smlnj.org//doc/FAQ/index.html

I really have not showed anything of the fancy stuff you could go about and build with Standard ML, but hopefully I am able to spend some more hours playing around with standard ML and write another blog post.

In Orange Bus we have been looking at our coding style lately. We have created our very own coding standard. Since we base most of our applications on the drupal we chose to use the drupal coding standard as our main source of inspiration.
During our process of creating this coding standard we found a few good links I thought we should share.

Mike @ Orange Bus found these two articles about beautiful and practical code, both these are a must read:

http://www.wilshipley.com/blog/2007/05/pimp-my-code-part-14-be-inflexible.html

http://www.perforce.com/perforce/papers/prettycode.html

Another blog post about line density worth reading is:

http://paul-m-jones.com/?p=276

I’ve been hearing this a lot lately, that most framework sucks, well do they?

Mr. Paul M. Jones has a really good article about the subject, he says that when a developer has to do a major change in his mindset and development routines to get used to a new framework, the developer often think that the “framework sucks”.

Personally I’ve been the kind of developer who like to write my own frameworks from scratch, and yes that also mean that I’ve written a couple of frameworks for myself, and threw them away. Since I like to write things from the scratch I’ve also been a bit critical to other frameworks,and I do understand term “all frameworks sucks”. When you’ve written your own framework, you know how it works, and it works just the way you want it to, at least that was the goal of writing it in the first place. It also gives you the possibility to change or add functionality in the core of the framework rather easily.

The advantages with a “off the shelf” framework can sometimes be intriguing, with a little bit of effort you can become darn efficent with this kind of framework, that will of course require a bit from the developer to learn the framework. Another bonus about learning a new framework is that you pick up on some of the bright ideas the developers have implemented in their framework.

I do not think that all frameworks sucks but, there are some frameworks out there that do not match my mindset at all, there is no secret that I’m not a huge fan of large enterprise frameworks with a wide extent of xml files and structures (I’m not naming any names, but the Java world have a few of these). Why on earth would you need to define a new page in three different xml files to get it working?

I’ve heard a lot about Code Ignitor and it sounds like a promising framework, I have not had the time to have a look at it yet. I am familiar with the Zend framework and EZ components which probably are more of a set of building bricks than frameworks, both of these are quite good and comfortable to work with.

Recently I’ve started to look at the Drupal. I realize that Drupal is more of a content management system than a framework, but it has its similarities to a framework. So far I still think Drupal “sucks” but I do however like the simplicity of writing modules. What I do not like at all is the “lack” of OOP, and yes I know Drupal have its own way of implementing OOP, but I still feels thats is a little bit awkward, I am a bit of a OOP junkie
Anyway I see the potential of Drupal and look forward to getting to know it better. I believe I eventually will like Drupal because it is easy to extend, you get a lot of stuff for free because someone has already written it for you and it is a big community around it with a lot of smart developers. There is probably a reason why Drupal is one of the largest PHP framework out there.

Developing MVC (Model View Controller pattern) applications in PHP or any other language often require a lot from the view tier. The view needs to process data received from the model tier and form it into presentable data, it also has to manage user input and form that into data understandable for the model tier.
This might not be a big issue while working with small application, but when it comes to midscale and large applications the view helper pattern can be of great help. The view helper pattern is one of the J2EE core patterns and the documentation can be found on:

http://java.sun.com/blueprints/corej2eepatterns/Patterns/ViewHelper.html

What does the helper pattern do?
First of all the helper pattern adds an extra tier to the system, this tier can be seen as a mid tier which has some understanding of the logic of the system, it knows a little bit about the view and a little bit about the model. Another cool thing is that the view helper pattern makes your code more reusable. When moving complex structures from the view and into a view helper it can with ease be used by other views.

Example:

You are writing a web application where the user writes a review of some product, the application should do auto saving of the user input every 20 second using Ajax functionality. The application should of course also save the user input then the user submits the data. The ajax request and the user submit does almost the same thing but the when the user submits the data the view should also store a rating of the product. This require the ajax request and the user submit to be two different views, or one complex view.

In an ordinary MVC system you would have to implement two views with very much of the similar behavior or one complex view. Using the view helper pattern you extract the storage of the user review in a helper which can be reused by both the ajax request view and the user submit view.

I have written a very simple implementation of the example in PHP. The implementation is not complete at all, but it is meant as a proof of concept that the reusability of code in your application can increase using the view helper pattern.

I am sure that the view helper pattern has helped me to write better and more organized code, which is easily understandable and very reusable.

If you do not use the view helper pattern, and still have solved the problem with reusability of code in the view tier please feel free to leave me a comment describing your solution.

Dansnetwork has a short an simple article explaining the simplest way of securing user passwords on the web. If you are new to authorization on the web, this article will give you a quick introduction to hashing methods and what not to do when dealing with authorization information.

URL: http://blog.dansnetwork.com/2008/07/15/unsafe-password-storage-practices/

Still this article is a bit to basic, since it does not discuss rainbow table attacks, which could with ease break most of the passwords. My previous article discuss how to avoid rainbow table attacks.

A recent post on dzone.com linked to a article about “password encryption using PHP” written by Stefan Ashwell on total.php.com. In this article he illustrate a how to save user passwords and authenticating users using the sha1 hashing algorithm.

First of all lets all agree that hashing passwords are basics requirements for a secure web application, but is a simple hashing of the password enough? I do not think so.

Here is the scenario, Someone breaks into your system (not through the web application, but for instance through an ssh connection), they get access to your user database or file where you store user account information.  The intruder is now in possession of the password and user name of all your users, but still the passwords are hashed with md5, sha1 or an similar hashing method. If the intruder is determined to get into your system and mess up, he may now try to decrypt the passwords using a  dictionary word file and brute force (also known as rainbow tables). This method is quite common and is not advanced at all, all it does is looping through the dictionary file, which contains all words and common password phrases, do a md5 or sha1 hashing of these words and see if it matches up to the hashed password, if it does it has found a match, and the intruder is able to log into the account.

Even though this brute force method might take some time, he will eventually get the passwords and get full access to the users account. There are however methods to complicate this and even make it impossible for the intruder to get the password using brute force method and that is called salting your password.

Example:

As you can see the salt is an secret string which is only used by your application, it is prepended and appended to the password. You could of course also go the extra mile and split the password in two and add the salt in the middle of the password, but there might not be any point in doing that.

This makes the word not like any word you will find in an dictionary and therefore the brute force method will not find the password.

The point is that if the intruder get a partial access to some of your system, for instance the user database, it will not be enough to get access to the total system because the security system is layered, one layer in your code, and one layer in your user database.

I do not say that this method is a 100 percent secure but it is is way more secure than not using a salted password.