Archive for the ‘PHP’ Category

I released alpha2 of Tangra Framework for PHP

2009-04-02   

After two months of non-stop "digging", the moment has finally come to release version alpha2 of Tangra Framework for PHP.

The most important thing in it is that the module distribution infrastructure now works, and you can upgrade your sites in a much easier and more convenient way. This infrastructure consists mainly of two elements:

  • tangraframework.net -- the site's admin panel now includes a Modules release management system through which new versions of the modules are published. Packages (zip) are generated automatically, with the sources taken from the svn repository, i.e. the newest changes are available. There is also a function for generating a package of all modules for the so-called AIO releases (so far all releases have been AIO (All in one));
  • Tangra Control Center (TCC) -- besides refreshing the information about the locally available modules (which existed before), functionality has been added for checking for new versions online, with the option to add an unlimited number of module repositories. At the moment the only online repository is http://www.tangraframework.net/mods/, but I hope others will appear in the future. There is functionality for downloading the new versions and unpacking them locally (and, correspondingly, adding the information about them to TCC).
The other new things in alpha2 are:

(more…)

Tangra Framework Alpha1 Release

2009-01-17   

After spending months on TangraCMS, client sites and various personal SEO silliness of mine (mlbticketsstore.com, nflticketsstore.com and others), the time has finally come to pay more attention to the framework itself. The previous release (dev5) was more than 6 months ago, and it turned out I had somewhat forgotten how some of the things are prepared. Luckily I found my notes in the form of a txt file and easily refreshed my memory (my father has a saying that one of his bosses told him when he was a young engineer: "The smart ones write things down, the stupid ones memorize").

The Alpha1 release consists mainly of bugfixes and (more…)

Come, rise -- TangraCMS. A CMS for SEOs.

2008-12-05   

After 2-3 months of hard "digging" I have finally rounded off the CMS I am writing as a module for Tangra framework for PHP. In a fit of inspiration and unheard-of originality I named it TangraCMS. What necessitated the appearance under the sun of yet another CMS (the casual, unprejudiced reader might ask -- and rightly so)? As they say in many Sherlock Holmes jokes: elementary, Watson. Here is what: (more…)

Being forced to write a captcha module

2008-07-11   

In the last few days I have been busy making a user registration module for my Tangra Framework for PHP. As expected -- the megalomania in me prevailed again, and instead of quickly putting together a little module with a simple form for user details, I got carried away and made a monstrous form with every possible field I could think of, which is configurable on top of that (i.e. when setting up the site you can choose which fields are shown and which are mandatory).

Anyway, I made the registration, the admin and so on, but at one point, while making the "Resend activation email" page, I realized that malicious punks could use it for a very successful DOS attack. I had to add a captcha.

I rummaged through the internet pigsty, (more…)

New release of Tangra framework -- 2.0.0dev5

2008-06-27   

Today was a good day for publishing the new version of Tangra.

I had been meaning to release it for several days, but there was never time with the other tasks. It's a good thing a developer showed up who posted 2 bug reports in the tracker, which reminded me, and I basically spent a whole day preparing the release package, updating the wiki and, most of all, fixing some silly problems I had created for myself while cleaning up the Control Center -- I had wiped the directory that contains the initial installation pages.

There was a rule that it is good to publish new versions more frequently, even if they don't offer much that's new. This is a very good idea for at least two reasons: (more…)

Finally a release

2008-01-03   

With the new year comes the first release of my Tangra Framework for PHP.

Its development began in 2003, when PHP5 was still in beta. That is more than 4 years ago. Honestly, I had never done this calculation and got a bit scared -- I thought no more than 2, at most 2.5 years had passed since the beginning…

The fact that it went slowly has two sides:

(more…)

The upcoming PHP6. What's new, and will it be useful?

2007-04-23   

Quite a while ago the "minutes" of a meeting of the PHP developers in Paris came out, describing the ideas for PHP6 (Minutes PHP Developers Meeting). This post will comment on some of the points from the point of view of a developer who writes in PHP.

(more…)

About the Tangra PHP framework

2007-04-11   

More than two years have passed since I started writing my PHP framework.

It will probably take another two before I drag it to a public release.

When I started it, honestly, I didn't think it would take this much time -- rather, I had set myself up for "just 1-2 more months and done". Those "1-2 more months", however, have stayed 1-2 for as long as I can remember (almost), and I am seriously starting to get fed up. So I thought -- "So what do we do now?!"

Generally, in situations like this, when a project gets bogged down (not that this one is bogged down in the usual sense, it's just that the work turned out to be a lot more than one person can do alone), I sit down and write out all the remaining tasks, then try to prioritize them, and then bite through them one after another.

At the moment the list is:

  1. Finishing the site and moving it to tangraframework.net
    1. Editing the general talk about "what it is", "why it is", history, etc.
    2. Writing a simple news module
  2. Finishing the API reference (this will probably turn out to be the easiest -- with the help of phpDocumentor things become quite easy, although the code fills up with a lot of comments that are superfluous for that purpose, but that is a separate topic, which I will cover in a separate post)
  3. Writing a "Quick start" (kvik start :-))
  4. Packaging into a single all-in-one tar.gz/zip
  5. Release 2.0RC1

I see the above happening within 1-2 months. :-)

The three little PHP pigs and the big bad cracker-wannabe wolf

2006-11-08   

You all know the classic story about the three little pigs and the big bad wolf. Something similar happens when novice and inexperienced developers build dynamic web sites.

The story goes like this:

Once upon a time there were three little pigs, and the time came for them to leave home and seek their fortunes.

Before they left, their mother told them "Whatever you do, do it the best way you can because that's the way to get along in this world."

The pigs left their house, waved at their mom and headed to the big city to become PHP developers.

The first little pig was a web designer who wanted to evolve into a developer. He had already created some beautiful static web sites that featured nice graphics, JavaScript menus and, of course, Flash. The first little pig was very proud of himself.
He bought a "good" PHP book and started to learn. After a month he had created his first dynamic web site with a shiny login and some other simple features like user postings and comments. The site had a very good design, but it was buggy. Nevertheless, it started to gather more and more visitors.
The first little pig was even prouder. He invited his brothers to browse the site. They pointed out that it was not very secure or well built, but the first little pig did not pay attention. "It works", he said.

The second little pig was a novice PHP programmer. He had heard about some security issues, efficient practices, design patterns and so on, but he did not quite understand them. He googled the net, found some interesting articles and started to educate himself. Around that time the first little pig showed his website. The second little pig was kind of frustrated -- "OK, his site is buggy and not secure, but it works and it has visitors. I will start developing my site right away to catch up, and after that I will educate myself and fix the things that don't look good".
So the second little pig developed a site as fast as he could, installed it on shared hosting and showed it to his brothers.
"It is not as pretty as mine", said the first little pig.
"Yes, but it is not so buggy and has a lot more functionality, like picture uploads", answered the second pig.

"OK, it is better than the first site, but I still see some things that are not done the right way", said the third little pig.
"Name one?"
"This picture upload: why are you moving the uploaded files into a directory that is directly accessible? And also: are you changing the permissions after move_uploaded_file? Do you check whether the uploaded file is really a picture?", asked the third pig.
"Uuuuh, what?", the second little pig felt kind of offended. "Yes… I mean -- no… I mean -- yes… Why are you asking me such questions, do you know how much time I spent on this site?! I know that it is not polished, but I was in a hurry, OK? I will get some good sleep this week and after that I will fix the things."

So, the second little pig relaxed for a week, then he had some urgent work to do, then he had to visit his mother, then more urgent work, and so on. He never had time to look back at the sources, and he was too busy to review and approve the uploaded pictures. His site was also successful and pulled some users away from the site of the first little pig.

The third little pig had a completely different approach. He wanted to start developing his own website only when he felt confident that he knew exactly what he wanted and how to achieve it. He read all the articles about good programming practices. He talked with experienced developers and learned from them. He reviewed some of the most successful PHP libraries and sites. After one(!) year he felt that he was ready. He developed THE site using a template engine, a database abstraction library, an MVC framework, security logs and tripwires, and so on, and so on. He installed the site on a dedicated server. He was veeery proud. He did not show the site to his brothers -- they were incompetent to comprehend it.
Well, the site was good, but it did not have many visitors, because his brothers' sites had already been running for more than a year.

Enter the big bad wolf.
In fact he is not a pig. Also, he is not bad. He is just a bored and frustrated teenager with some knowledge of PHP. He also knows a few sites with articles about cracking, and that is his dream -- to become a REAL cracker like his cousin Duke Wolfenstein.
One day he came across the website of the first little pig and decided that it was a good practice target.
The first thing he tried was SQL injection. He added an apostrophe after ?posting=235 in the address bar and voilà: the server printed an ugly message: "MySQL query failed: select content from postings where id = 235'"…
The error message told him everything: the parameter went straight into the query text, so the injection worked. You can imagine what happened next -- in no time the database was ruined, and because the first little pig had not backed it up (he did not even know how to back up the DB) -- the site was lost.
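What the wolf's apostrophe found, and how the same lookup looks once it is done properly, as an added example (not code from the original post, and not the first pig's code): the table and column names are taken from the error message in the story; the in-memory SQLite database, its schema and the single row are constructed here so the script runs offline (it needs the pdo_sqlite extension), standing in for the MySQL the story mentions.

```php
<?php
// Added example, not code from the original post: the first pig's
// "?posting=235" lookup, first as the string-built query the story's error
// message implies, then hardened. Table and column names come from that
// message; the SQLite database, schema and row are constructed here.

declare(strict_types=1);

// Vulnerable: the raw GET value is concatenated into SQL. "235'" yields
// "... where id = 235'", the exact statement in the story's error message;
// "0 union select ..." or "235; drop table postings" would not even fail.
function buildPostingQueryVulnerable(string $posting): string
{
    return 'select content from postings where id = ' . $posting;
}

// Hardening, step 1: validate before anything touches SQL. A posting id is a
// small positive integer; everything else is rejected rather than "escaped".
function parsePostingId(string $raw): ?int
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $raw) ? (int) $raw : null;
}

// Hardening, step 2: a prepared statement sends the value separately from the
// query text, so even a string could not change the statement's structure.
// Step 3: no database error text reaches the browser; the caller gets null.
function fetchPostingContent(PDO $db, string $raw): ?string
{
    $id = parsePostingId($raw);
    if ($id === null) {
        return null;
    }
    try {
        $stmt = $db->prepare('SELECT content FROM postings WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $content = $stmt->fetchColumn();
    } catch (PDOException $e) {
        error_log('postings lookup failed: ' . $e->getMessage()); // server log only
        return null;
    }
    return $content === false ? null : (string) $content;
}

// Demo on a constructed in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE postings (id INTEGER PRIMARY KEY, content TEXT)');
$db->exec("INSERT INTO postings VALUES (235, 'first posting of the first pig')");

foreach (['235', "235'", '0 union select 1', '235; drop table postings'] as $probe) {
    printf("%-28s vulnerable SQL:  %s\n", json_encode($probe), buildPostingQueryVulnerable($probe));
    printf("%-28s hardened result: %s\n", '', var_export(fetchPostingContent($db, $probe), true));
}
```

Two points the story only hints at. The error text "MySQL query failed: ..." was itself the oracle: with errors going to the server log instead of the page, the wolf would have had to work blind, which is why the hardened lookup logs and returns null. And the second pig's "properly escaped" GET parameters only help inside a quoted string; for an unquoted numeric `where id = $x`, escaping does nothing against `1 or 1=1`, so the id is validated as an integer and bound as one.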

Then the big bad wolf looked for similar sites and found the second pig's website. He tried SQL injection again, but this piggy was smarter -- the GET parameters were properly escaped. The wolf scratched himself between the ears and started to examine the site. He found the picture upload and, after a few minutes of playing with it, discovered a flaw -- files were moved to a directory directly accessible via HTTP, and they were not even checked for a valid image extension. He prepared a small PHP file, del_curr_dir_content_ha_ha.php, that erased everything in the current directory, uploaded it and then pointed his browser at "http://3thlittlepig.com/images/del_curr_dir_content_ha_ha.php". The result? The entire directory content was erased, and all the users' uploaded pictures were lost.
After some time the second little pig found that the site was corrupted and started looking for the last backup. When he found it, it turned out that the backup had been made 3 months earlier. He restored the site from the backup, but that brought more problems than it solved -- users were angry that their content was lost, and a lot of swearing and cursing took place. The result -- most of the users abandoned the site.
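An upload handler that answers the third pig's three questions (a web-accessible destination directory, permissions after move_uploaded_file, and whether the file is really a picture), as an added example that is not the second pig's code nor anything from the original post. The directory `/var/www/uploads`, the form field name `picture`, the `image.php?name=` retrieval URL and the 2 MB limit are assumptions; the demo at the bottom uses two constructed files so the type check can be watched offline.

```php
<?php
// Added example, not the second pig's code: an upload handler that answers
// the third pig's three questions. UPLOAD_DIR, the form field name, the
// ?name= URL and MAX_BYTES are assumptions; the demo files are constructed.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed: NOT under the document root
const MAX_BYTES  = 2 * 1024 * 1024;

// Allowed content, decided from the bytes, never from the name the browser sent.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/** Question 3: the extension we will use, or null if this is not a picture. */
function detectImageExtension(string $path): ?string
{
    $info = @getimagesize($path);          // parses the image header, ignores the file name
    return $info === false ? null : (ALLOWED_TYPES[$info[2]] ?? null);
}

/**
 * Validate one $_FILES entry and move it into UPLOAD_DIR under a random name
 * with an extension we chose. The client-supplied name is never used.
 */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $ext = detectImageExtension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not an allowed image');
    }
    // Question 1: the destination is outside the document root, so nothing in
    // it can be requested as /images/whatever.php, let alone executed.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Question 2: move_uploaded_file keeps the temp file's mode (often 0600).
    // Make it readable by the web server and explicitly non-executable.
    chmod($dest, 0644);
    return basename($dest);
}

/** Serve a stored image. The name must match what we generate, so "../" cannot appear. */
function serveImage(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    $info = @getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');   // the browser must not second-guess the type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (isset($_FILES['picture'])) {                 // upload request
    try {
        echo 'stored as ', htmlspecialchars(storeUploadedImage($_FILES['picture']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected';                           // never echo the reason or the name back
    }
} elseif (isset($_GET['name'])) {                  // image request
    serveImage((string) $_GET['name']);
} elseif (PHP_SAPI === 'cli') {                    // offline demo with constructed files
    $tmp = sys_get_temp_dir();
    $gif = "$tmp/real.gif";                        // smallest header getimagesize accepts: 1x1 GIF
    file_put_contents($gif, 'GIF89a' . pack('vv', 1, 1) . "\x00\x00\x00");
    $php = "$tmp/cat.jpg";                         // PHP source wearing a picture's name
    file_put_contents($php, "<?php /* would erase the directory */");
    var_dump(detectImageExtension($gif));
    var_dump(detectImageExtension($php));
    unlink($gif);
    unlink($php);
}
```

The order of the three answers matters. A file that passes getimagesize can still carry PHP source in an image comment block, so the type check alone would not have saved the second pig if the directory stayed under the web root with PHP execution enabled; keeping uploads outside the document root (or, on Apache, a `php_flag engine off` for that directory) is the check that removes the code-execution path, and the random server-chosen name is what stops the wolf from addressing his file at all.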

The wolf started to feel like a real cracker, but then he hit the third little pig's site. He tried SQL injection, looked for upload vulnerabilities, tried every trick he knew, but without any success, and then he gave up.

Is this the end of the story? Is this a happy end?
No.

After two months, the wolf's cousin -- Duke Wolfenstein, the real cracker -- came for a visit. He was slick. You know -- custom-made sunglasses, an exact replica of Neo's from The Matrix, a black hat (with holes for the ears, of course), black clothes, etc…
Our teenage wolf told his cousin about the unsuccessful attempt to crack the site of the third pig. Duke was not impressed. He sat down in front of the computer and started to do his "magic". The little wolf sat next to him and absorbed everything with wide-open eyes.
The PHP application, however, had been designed and developed with security in mind. After the first unsuccessful attempts, a tripwire was triggered and a warning email was sent to the third little pig, but he did not pay much attention -- after all, he received such emails almost every day (a lot of crackers out there, eh?). He just banned the source IP from accessing the web site.
Duke got pissed off.
"Enough with this PHP shit. I will bring in the heavy artillery."
At this stage the story gets kind of blurry. It is not known what actions took place, but in the end a rootkit was installed on the dedicated server, and several thousand emails with ads for viagra and porn sites were sent from it. In this particular case, one thing is known for sure -- the security breach did not come through the PHP part, but through the Linux part. The third little pig did not even have a chance -- he was inexperienced in Linux administration.

This is the end of the story.

The moral?
Well:
1. There are a lot of sites out there which are buggy but have a big audience. We, as users, have to recognize those sites and avoid them -- sooner or later such sites will be breached and destroyed.
2. This web development thing is getting more and more rushed. Web developers are chased by unmeetable deadlines, unstable requirements, pressure from bosses and so on. As a result, some crucial development activities are often overlooked, and well-known bugs are left aside intentionally because no one has time to fix them, which leads to low-quality websites. Of course, this is not an excuse not to do our job better, but this is the reality of a highly competitive market. We, as web developers, have to try to lower the pace to a level that will allow us to do our job better, without the current stress and the sacrifice of our personal time.
3. Web sites/applications are getting more and more complicated. It is not possible for a single person, or even a group of people with a similar profile (for example PHP programmers), to create a quality, secure product without the help of additional experts like experienced sysadmins, DB designers, tools masters, trained testers, JavaScript programmers, etc. The lack of qualified people is already a heavy problem for most countries, and this will only get worse.
A few years ago web development required knowledge of some server-side scripting language, SQL, HTML and a little bit of JavaScript. It was not a problem for a single person to learn those technologies.
Then came Macromedia Flash. Then ActionScript was improved to useful levels. Now we also have video clips embedded in flv files. Let's not forget the AJAX fuss. On the server side we have CGIs, Perl, PHP, .NET, Python, ColdFusion and God knows how many more… The word I think of is "dispersion". Developers and effort are dispersed in too many directions, and in light of the lack of qualified people that is a real problem. Maybe it is time that we, as an industry, start thinking about some unification.

Note: This story is also posted at http://dotgeek.org/ and it is part of CodeBlog Bingo. If you liked it, please visit dotgeek and vote for it.