Twitter Weekly Updates for 2010-11-07

  • Bromsgrove 4ths lost match. Perhaps 3-1. Well done Ludlow. #hockey #
  • Clearly to balance out the karma (lie in), @rowangoodwin is having many wee-accidents. Two sets of clothes now used :-/ #
  • I have the cleverest son ever. He didn't wake till 830am (on a saturday). Result. #
  • Now @aypok has finally learnt how to cook sausages. #fail #
  • Lloydstsb I am beginning to hate you. This card reader boll–ks is not helpful. #businessbanking #fail #
  • The sausage cooking preparations begin. #FatMinions #SausageWeek #
  • Now wishing I'd not had quite so much to eat for dinner. I might be waddling on the hockey pitch. 🙁 #
  • ProTip: Application feedback/suggestion loops are unlikely to be working if the SQL contains "…. order by rand()" #
  • RT @PalePurpleLtd Apparently we're in sausage week. Co-op has been raided and cooking is underway. #
  • "Daniel trusted god". And that is why he failed.

    Why does @rowangoodwin want all the trains? http://twitpic.com/33iqau #

This afternoon on #phpwm

PHP Security, people still don’t get it right…

Without trying to repeat too much others may have already, this afternoon on the #PHPWM IRC channel one resident seemed to be having a ‘lolwut’ competition, well – posting links which showed ‘lolwut’s (In english: highlighting security problems in web sites).

Sure, you might think, so what ? There will always be a website somewhere with a security flaw…. Except the websites in ‘todays’ list were from the top 10-15 google results when searching for ‘PHP Development UK’. The sites returned should reflect companies or individuals who are offering (one would assume) professional PHP development, and should therefore be clueful about such issues….

SQL Injection at large
SQL Injection / XSS in a 'professional' website

We came across someone claiming 6 years of professional web development experience – who was vulnerable to an XSS attack (subsequently fixed as I write this post, so there’s little point in me including a screenshot).

Of course, Akrabat then chipped in with a “I hope my work site isn’t vulnerable” type comment – so obviously we had to have a go at breaking it, just to put his mind at rest … and we nearly succeeded – I found an error message in an error page which outputted mostly unescaped input – it seemed to have some filtering in place, but we worked around this by inputting %3D type characters, converting IP addresses to integers and so on – which was an amusing experience.

The rest of us seem to be running WordPress, and as funny as this may sound, I suspect it’s more secure (at least out of the box) due to the fact more people have tried poking and breaking it. Unless your hosting is with 123-reg …. in which case it seems you’re going to be in trouble.

<rant>

If you want to avoid Cross Site Scripting (XSS) holes – make sure you escape or filter what you’re writing out – using either something like htmlentities or strip_tags or htmlpurifier. This must include error messages – if they contain any user supplied data. Every code base we have audited for third parties have contained Cross Site Scripting or SQL Injection vulnerabilities. This sucks. I’ve blogged in the past (although this was probably on my old drupal based website) about how easy this is to fix from an architecture point of view, if you’re writing something bespoke (which the sites in question seemed to be) – follow the MVC design pattern and when assigning data to the ‘view’ make it so that it is escaped by default (e.g. override Smarty::assign()). To avoid SQL Injection’s either use prepared statements everywhere, or use an ORM layer like Propel.

</rant>

(For the record – all sites were informed ….)

One vaguely interesting outcome from the above is that it seems obvious to me that I need to re-do the Pale Purple website – as it’s not really changed in 2-3 years now… which is perhaps not good. This time I think I’ll use WordPress, as it’ll mean I can stop supporting Drupal

Twitter Weekly Updates for 2010-10-03

  • I sweat. A lot. #
  • I think minecraft is overtaking the office. There's already an internal server. *sigh*. #
  • Hello orange shop and xperia 10 mini thing. I'm glad it wont be my phone (horrible keyboard) #
  • It wouldn't be the Post Office if there was no queue. #
  • Once were warriors #oneofmyfavoritemovies #
  • Mystery solved:
    grep -i 'drop database mysql' ~/.mysql_history |wc -l = 1. *sigh* (not my server, I just need to migrate site off) #mysql #

Some good news

This morning I ran 3 miles.

This is good. I can now run again. Stupid Achilles tendon appears to be fixed again.

I’ve felt like a fat slob over the last 11-12 weeks, missed a marathon and rediscovered cycling.

Lesson learnt: Next time my Achilles tendon goes (as no doubt it will knowing my luck), carve it out with a scapel and wait for a new one to grow back. That’ll teach it.

Twitter Weekly Updates for 2010-09-19

  • Welcome @LeaseDeskDotCom to Twitter. They have a very nice looking application (PHP/MySQL etc) *cough* #
  • Php / mysql performance blog post – removing the need for a separate 'count' query when searching. #mysql http://bit.ly/caEXlx #
  • Swinging in the park. #
  • You know you're going to have "fun" reviewing code when you see foo.php foo.20090101.php foo_old.php etc etc. #
  • Logging in to a website with username of "' or 1=1 or '". Result! #sqlinjection #security #

Late to the performance party

Everyone else probably already knows this, but $project is/was doing two queries on the MySQL database every time the end user typed in something to search on

  1. to get the data between a set range (SELECT x,y….. LIMIT n, OFFSET m or whatever) and
  2. another to get the total count of records (SELECT count(field) ….).

This is all very good, until there is sufficiently different logic in each query that when I deliberately set the offset in query #1 to 0 and limit very high and find that the of rows returned by both doesn’t match (this leads to broken paging for example)

Then I thought – surely everyone else doesn’t do a count query and then repeat it for the range of data they want back – there must be a better way… mustn’t there?

At which point I found:
http://forge.mysql.com/wiki/Top10SQLPerformanceTips
and
http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_found-rows

See also the comment at the bottom of http://php.net/manual/en/pdostatement.rowcount.php which gives a good enough example (Search for SQL_CALC_FOUND_ROWS)

A few modifications later, run unit tests… they all pass…. all good.

I also found some interesting code like :

$total = sizeof($blah);
if($total == 0) { … }
elseif ($total != 0) { …. }
elseif ($something) { // WTF? }
else { // WTF? }

(The WTF comment were added by me… and I did check that I wasn’t just stupidly tired and not understanding what was going on).

The joys of software maintenance.

August 2010

I would start with saying that not a huge amount happened in August… but then having thought about it, I’d be lying.

My right ankle is still in a state of disrepair – after hurting my achilles tendon … so no running, and I’m feeling fat / unfit as a result. I have got my mountain bike out of the shed and started to cycle again and found a few interesting routes around Dodford.

No running, means no Nottingham Marathon. They did however send me the running top – so I can at least pretend to people that I did it – “Look! I have the t-shirt to prove it!”. I am hoping to start running again within the next week …

In other news, Bromsgrove Hockey club started to do some stuff again, although my one big toe appears to have been broken in the first game back (hint: keep your feet out of the way). The second time out (last weekend) was on grass, which bought back some memories and was quite enjoyable (if only 30 minutes play in total).

Pale Purple moved office (yes, so don’t ask: “Did you do anything nice on the August bank holiday weekend?” …). The cost of the office is effectively the same, but now we have more room and it’s a far nicer (not dim and dingy).

I’ve also joined the local RoundTable group – although I’ve not coughed up any membership fees yet, so perhaps I’m premature in saying “joined”. The first event involved driving a motor bike around a rough field in the rain (good fun) and the second involved playing Discus Golf. All good stuff, and the guys seem a great bunch.

Rowan’s started to potty train; Anya smiles and makes cute noises. I’ve had a hair cut. Fun times.

Oh, and work’s been busy and somewhat stressful, but that’s all hopefully over with now (as $site_migration is complete).

Twitter Weekly Updates for 2010-08-29

  • Hammer and chisel = superior fridge de-icing 🙂 #
  • Well the new office's dsl connection seems to be 80% working. Just no dhcp response. :-/ #
  • Looks fun 🙂 What's your role @schwukette ? (@schwukette)http://yfrog.com/n1x5ejj #
  • Wish the Chav family here could resist smoking in the playground. Grr. #arrowvalley #
  • I have swingers shoulder. #
  • Waiting for @rowangoodwin to wake up. Then buy lunch, duck food and stuff before invading the park and stealing ice cream. #
  • If only "attaching a screenshot" did not involve a word document. #
  • The train may soon go on holiday. #
  • http://www.kingtonlions.org/EventDetail.asp?EventNo=3781&Section=Information – Aberystwyth to Kington bike ride; 5th sept. #
  • Patiently waiting for @bitesms to release a fix for the facebook vs bitesms issue #

Twitter Weekly Updates for 2010-08-22

  • Tonight I will be dreaming "single, double, king. £3". How can you keep shouting that continually for hours on end you horrible man? #
  • Come on. DVDs are £1… Roll up.. Roll up. #
  • A very fat woman just bought maternity trousers from. So glad I'm not her. #studley #carboot #
  • My poor toe. http://yfrog.com/7dsy0zj – moral: better trainers needed for hockey. #
  • Good hockey games. Body aching, toe nicely bruised. #
  • "hello? Happy birthday to you too. Bye!" #toddler #phoneconversation #
  • Why won't @rowangoodwin say "[flash] gordon's alive!"… #
  • -> RT @dick_turpin iphone users have more sex than Android users http://ping.fm/sRDjd <- oh really? Why do my employees want 'droids? #
  • Facebook places eh? 4sq might soon be made redundant. Wish the updated iphone app worked for me tho. #
  • We have a new weapon against automated sales calls. tt-weasels and tt-monkeys. Thanks #asterisk #
  • Why can't a uni compsci dept. put a form online? Must i really print, write on dead tree and scan it in to submit/email. Grr. #aber #fail #
  • Today I did a total of 101 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 2, Level 3) #100Pushups #
  • #WhatWouldYouTellYour18YearOldSelf Here are the lottery numbers for the next month 🙂 #
  • Who'd have known… Dodford is quite good for mountain biking 🙂 Nutnells wood and Pepperwood -good evening 🙂 http://osm.org/go/euw@v@f4- #
  • To cycle or run; that is the question of this evening. #