Programming Tip: Assume Your Users are Idiots

Posted by Nessa | Tags: , | Posted on May 30, 2010

3

Any programmer knows the golden rule of programming – no matter how well you’ve coded an application, there’s always going to be something wrong with it. I’ve done enough development work to have a lasting suspicion that if there’s a bug or hole to be found, someone will stumble upon it and rub it in your face.

Here’s an interesting fact:

There’s no such thing as a bug-free application.

No amount of poking, prodding, testing, slurping, or caressing is going to find every possible fault that can exist in an application. Somewhere along the line, one of your users is going to trigger a problem and cause you to spend a few hours patching code.  It’s like idiot-proofing a microwave – you can’t reasonably predict every possible thing that a user can do, you just do what you can and hope for the best.

The good thing about these idiots is that they make us better programmers.  To be a better programmer, you have to think like an idiot and apply some basic principles:

1. Validation

Check and maybe even double-check all types of input and assume the worst. Sure, maybe that user didn’t know that Sex referred to gender, but you should have thought of that.  Always take into account blank, malformed, incorrect, malicious, and duplicate data.

2. Default Actions

Any time you use conditionals, always combine validation with a default action, in case something unexpected happens. Do you know what your application is going to do if a specified condition isn’t met?

3. User behavior

Some people do things you don’t want them to, but you have to be ready for it anyways.  Does your application work correctly if people hit the “back” or “refresh” buttons? Is it going to cause a problem if someone bypasses your lightbox and opens a link in a new tab instead? Or bookmarks a page that was meant to be accessed from a login screen?

4. Acceptance

Accept the fact that no matter what advice I give, you’re still never going to make it perfect.

And don’t forget – testing, testing, testing. While some people I deal with like to believe that I don’t actually test anything, I do – I just also know the golden rule of programming and that there’s no way around it.  Testing is an ongoing process and requires both automated and manual work. Don’t knowingly leave a bug or security flaw in place and assume it will go unnoticed – trust me, it won’t.  If there’s one thing idiots are good at, it’s making you look like an idiot.

ReviewMe Had an Oopsie

Posted by Nessa | Tags: | Posted on May 29, 2010

3

There’s a common understanding in the developer community that when you’re testing code, don’t do it on a live site. And if you do, make sure it’s transparent to the user.  This faux pas tends to be unforgivable when you’re a major review site getting thousands of hits per day.

I hope I don’t get sued for this.

The other night I was logged into my ReviewMe account to add one of my sites, and upon addition some code popped up that probably shouldn’t have:



It looks like someone was doing some testing and was echoing out some post variables as an array, and forgot to remove it.  This goes to show: don’t test this kind of stuff on a live site where your users will be able to see it.

PHP 5.3: Why We’re All Late to the Party

Posted by Nessa | Tags: | Posted on May 27, 2010

11

It’s been almost a year since the PHP 5.3 branch was released to the PHP community, and yet we’re all still in the shadow of PHP 5.2.  If you’re just a faithful customer wondering why your host isn’t getting with the times, I’ll tell you exactly why: We don’t stock enough diapers to keep up with that ish.

Let me talk about you, the common website owner, that runs a simple Drupal or WordPress site.  You didn’t sign up with your host to go around in circles over compatibility problems that could have been avoided by your host doing a little research. As a programmer, I would hold it to any site owner to check their site’s requirements and the offerings of their host before they unnecessarily waste a lot of time and money, but as a system administrator I frown upon shared hosting providers offering software with known compatibility issues just to be able to advertise as the “latest and greatest”. The latest isn’t always the greatest, and it won’t be until the community catches up with what the greatest has to offer.

I’ve had numerous discussions with my superiors about whether to upgrade to PHP 5.3, and the end result is pretty much the same – we’re just not ready. And neither are our customers, or the developers of the applications they use.  And trust me – this is normal. We all went through the same thing when PHP 4.2 came out, and again with PHP 5, and again with PHP 5.2.  That being said, this is why all the good hosts are now also holding off jumping on the PHP 5.3 bandwagon:

  • Lack of compatibility:  Many open source applications and frameworks (such as Drupal, Joomla, Magento, and even parts of WordPress) are not fully compatible with PHP 5.3 yet
  • No Zend Optimizer or Zend Guard support
  • It’s not required for PCI compliance yet, which is one of the main reasons why hosts upgrade PHP on their servers

PHP 5.3 does have a lot of new features and functions to offer, and it will eventually wiggle its way into mainstream hosting -  it’s just not ready for the shared hosting population yet until everyone else catches up.  Most hosts (including IMH) will still offer PHP 5.3 as an optional upgrade for customers on VPS or Dedicated servers, or as an optional move to a server that has that version. In the meantime, start upgrading your applications and keep tabs on your softwares’ developers to find out when php 5.3 support will be available.  PHP 5.2 will likely become obscure near the end of 2010 or early 2011 in favor of 5.3, and you should be ready when it is.

Command Line PHP: Part 3

Posted by Nessa | Tags: ,,, | Posted on May 25, 2010

4

This is part third and final part in my PHP command line tutorial series. If you didn’t see parts 1 and 2:

Command Line PHP: Part 1

Command Line PHP: Part 2

Command Line PHP: Part 2

Posted by Nessa | Tags: ,,, | Posted on May 21, 2010

3

This post is continuing on my three-part series on command line PHP programming. Missed part one? It’s right behind you. This part will go over command execution and processes.

Command Line PHP – Part 1

Posted by Nessa | Tags: ,,, | Posted on May 18, 2010

15

PHP isn’t just for websites anymore. In fact, almost every script I’ve written to perform server-side functions is either written in bash or PHP, rather than Perl or Python as preferred by my colleagues. It’s a common belief that PHP isn’t suited for CLI programming since it’s mainly used in web applications, but PHP has over a hundred functions specifically intended for system management.

These kinds of posts can be rather lengthy, so I’m making this into a series with three parts.  Part 1 will go over the basic filesystem functions. You can find a complete listing here, but I’ll just go over a few of the more important and common ones.

You do not have sufficient permissions to access this page

Posted by Nessa | Tags: | Posted on May 16, 2010

0

This was a particularly annoying error message that was occurring for one of my legacy plugins that I refuse to get rid of. There are a lot of sites that indicate the problem is with a failed upgrade or misnamed database tables,but for me it was simply an issue with an old plugin and wasn’t happening anywhere else.

My fix was to edit the plugin file and change instances of admin_head to admin_menu . It’s apparently just a compatibility issue with newer WP versions.

WordPress Thinks Network Solutions is Stupid

Posted by Nessa | Tags: ,,, | Posted on April 22, 2010

6

Quick quiz: What does a hosting provider do when they know they’ve messed up and don’t want to deal with the fallout?

You apparently blame WordPress.

Don’t get me wrong here – being behind the scenes of server management for a webhosting company makes you the target of a lot of accusations.  And yes, most of the time when a user’s site gets hacked it’s their own damn fault. But in this case, Network Solutions is apparently trying to push their issues off on WordPress because they don’t want to admit they f***cked up.

Well, WordPress is pissed.  I logged into my dashboard today and the first thing I see in my news feed is:

A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files, and some members of the “security” press have tried to turn this into a “WordPress vulnerability” story.

To highlight the best part:

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

P.S. Network Solutions, it’s “WordPress” not “Word Press.”

Burned.

In short, Network Solutions acknowledged that most of the problem was due to users’ public_html and wp-config.php files being readable by other users on the server – something which could have easily been caused by the users setting the permissions of those files insecurely. But they took a shot in the dark and said that the problem was caused by WordPress putting cleartext database credentials in the wp-config.php file – something that just about every software developer does, as WordPress states:

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

Good point. They also went on to say that a properly configured web server will not allow users to access the files of another user, regardless of file permissions. This is why most hosts have switched to using suPHP or phpsuexec, a technology which Network Solutions was apparently left in the dark on. At least now they seem to be taking responsibility for the problem and are attempting to handle it.

I’m also going to state, based on comments in popular blogs from users that don’t know what the hell they’re talking about, that unless someone has access to view the source of a PHP file, they can’t see the database credentials. PHP files are executed server-side, and only their output is sent to the browser. Since the username and password are stored as variables and are not echoed out anywhere, someone simply calling wp-config.php from a browser can’t access your login data.

You’re probably going to find all kinds of fixes on various sites that this story is covered on, but I’m going to give the same advice I do for all my customers that have had sites hacked:

  • Change your FTP and MySQL user passwords
  • Replace all files on your site from a ‘clean’ backup
  • Make sure the software on your site is up to date
  • Scan your PC for viruses
  • Choose a secure host

Remember that your site can get hacked regardless of who your host is or how secure they are, though your host has to take some level of responsibly for hacks that are caused by their own bad configuration, such as in the case with Network Solutions.

5 New Toys You May Not Know About

Posted by Nessa | Tags: | Posted on April 9, 2010

1

BlogSell

BlogSell is the next generation of managing blog income.  There are dozens of services out there that assist with buying and selling ads, but this one actually helps you keep track of all your banners and affiliate links, as well as various sources of blog income such as paid reviews, banners, and text links. Definitely a must-have for bloggers needing a more flexible platform for keeping track of their income sources, who want to do it all in one place.

Yola

Yola is offering something that most other web hosts and template services do not – free site hosting AND design for basic usage. The templates offered are actually very nice, but you can also purchase a series of upgrades based on what you actually need.  The price of custom design may be a bit steep for some people, but is still a lot less than hiring a freelancer.

FitClick

Move aside, Sparkpeople. No one really needs you anymore. FitClick is a free online weight loss service offering free weight loss programs, diet tips, and fitness/calorie trackers, with reportedly a much better user interface than Sparkpeople.  I’m not trying to call you fat, but umm…maybe you should take a look at this site.

MyPunchBowl

Party planning has never been sexier. MyPunchBowl is a free online party planner that lets you plan an event by recommending vendors, helping you to prepare lists, send out invitations, and shop for party favors and supplies. It even has a link to Facebook to help you promote your event.

ProjenyPM

This one was developed by a customer of IMH and introduced to me a couple months ago. It’s an online project management tool that goes above and beyond most other project management solutions out there, including the ability to manage employee timesheets, performance, and scheduling. This service is free for personal use, and moderately priced for business use.

10 Excellent Open Source Alternatives

Posted by Nessa | Tags: ,, | Posted on March 6, 2010

1

Those of you who are regular readers of my blog know that I’m a huge fan of open source software. I don’t think it’s smart for people to drop upwards to thousands of dollars on software unless they have that kind of money to waste, or have a need that isn’t being met by the open source community.  And then there are the less legal alternatives, which I’m not against, but then again I can’t promote them here, either =)

So here’s a nice list of open source alternatives for people who want to save money by using open source software.

1) Use Linux instead of Windows

The transition from Windows to Linux is not as hard as you may think it is. When people think Linux, they think of an ugly black and white command prompt. This may be true if you’re thinking of running Linux as a server, but as a desktop you have a GUI similar to Windows and Mac, in the form of KDE or Gnome.  If you have applications that require Windows, you can usually run them by installing a program called Wine.  It can take a little getting used to, but for those buying a new PC or refurbishing an old one, Linux is the route to go if you want to save money and get better performance, security, and stability than you’ll ever get with Windows.  For newbies, I’d recommend Ubuntu or Fedora.

2) Use Gimp instead of Adobe Photoshop

Adobe Photoshop will run you between $700 and $1000, maybe less if you purchase from an independent software distributor. If that’s a little steep for you, consider using Gimp instead. It has a lot of the same functionality of Photoshop, and can read files created in Photoshop (.PSD) as well.  My sister is a photographer and just when she thought she was used to Photoshop, I introduced her to Gimp so she can do her photo editing outside of school, and she said it does as good of a job as Photoshop does. Similarly, I hear that Inkscape makes an excellent alternative to Adobe Illustrator.

3) Use OpenOffice instead of Microsoft Office

My Dad, who has headed the IT department of his company for years, didn’t believe me when I told him that the thousands his company was spending on Microsoft Office licenses every couple years could be a waste of money, since OpenOffice has the same kind of functionality. The base package of OpenOffice contains alternatives to Word, Excel, PowerPoint, and Access, all of which have the same familiar interfaces and support for files created in their proprietary alternatives, but without the expensive licensing costs and resource requirements. The  software in OpenOffice also has a number of features that the other does not.

4) Use Thunderbird or Evolution instead of Outlook

Outlook sucks. I can’t tell you how many calls I got about it when I was in technical support, where email would suddenly stop working and the customer wouldn’t want to believe that their beloved Outlook was the problem. It usually comes bundled as part of the Microsoft Office suite, but you can buy it standalone. Why would you want to? Thunderbird is free, and a lot more efficient, feature-rich, stable, and secure than Outlook. Love the Outlook feel? Evolution is the Linux alternative to Outlook, only it doesn’t suck as much.

5) Use ClamAV or AVG Instead of Norton, TrendMicro, or McAfee

I’ve heard from many people that even though ClamAV is free, it’s better than its leading enterprise alternatives. It also works on Windows (Via ClamWIN) and Linux. Need a firewall too, but don’t want the steep cost of Norton Personal Firewall? Consider APF or Smoothwall.

6) Use Turbocash instead of Quickbooks or Microsoft Money

I personally haven’t used Quickbooks before, but I heard it’s comparable to Turbocash, which is perfect for smaller organizations or individuals needing software for finance management.

7) Use VirtualBox  instead of Microsoft Virtual PC, VMWare, or Parallels Desktop

I generally used Virtual PC in the past to play with other operating systems, but you may find a use for it if you’re a software developer or you have applications that work on one OS but not another. Virtual PC usually ends up being free quite some time after its initial release, but it only runs on Windows. VirtualBox is open source and runs on Linux, Mac, and Windows, and supports a large variety of guest operating systems.

8) Use OpenVZ instead of Virtuozzo

Virtualization with something like Virtuozzo isn’t the same as using something like VirtualBox in terms of mass-management of virtualized servers. If you’re offering VPS hosting or need to run multiple servers on one, you’ll want to use something like Virtuozzo.  Virtuozzo may be the best, but OpenVZ doesn’t fall far behind at all…and it doesn’t carry the multi-thousand dollar licensing costs.

9) Use OpenWorkBench instead of Microsoft Project

I’ve always found web-based software like dotProject to be more effective for project management, but if you need a more local solution for your PC, try Workbench instead of spending dough on Microsoft Project.

10) Use Partimage instead of Norton Ghost

Norton Ghost will generally cost around $70, but Partimate is free and essentially does the same thing. I’ll mention though that Norton Ghost only works on Windows, and Partimage only works on Linux. So Partimage is something you’d consider using if you’re switching from Windows to Linux and can’t use Norton Ghost anymore.