Twitter Weekly Updates for 2010-02-14

  • Hmm tesco sell semi invisible diesel too. Needle didn't move after refuel, stopped to put more in and then it caught up. Stupid car. #
  • Random diesel prices : independent 111.9p/l, sainsburys 113.9p/l, tesco 115.9p/l. Tescos were the only one open at 7am on Sunday. :-/ #
  • Hmm weather advisory for heavy snow on my birthday (17th). Convienant. #birthdaysledgingwouldbenice #
  • I'm wondering how I managed to hurt my ankle while asleep. It feels like it's almost sprained. Hop-along-David today :-/ #
  • Distinctly unimpressed brain – I shouldn't wake up at 1am thinking it's 5am and I've slept well. Now to try the sleep thing again….. #
  • Dentists enjoy making you wait. Do they overbook Deliberately? #
  • Today I did a total of 124 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 2, Level 3) #100Pushups #
  • RT @glynmoody rupertg Chip and Pin bank card security cracked – http://bit.ly/9cVqqk #
  • I'm in awe of my competitors … http://www.birdandcocreative.co.uk/php-shorthand-if-and-else-assignments/ #php #fail #
  • Facebook chat over xmpp was easy to do. Thanks fb. #
  • Today I did a total of 152 situps thanks to the 200 Situps iPhone app. (Week 3, Day 2, Level 3) #200Situps #
  • RT @JohnPinner @europython EuroPython 2010 Registration & Talk Submissions open at http://europython.eu – Extra Early Bird rate for one week #
  • Well day 11316 has gone ok… Not long till day 11323. But what do I want? #
  • Today I did a total of 120 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 1, Level 3) #100Pushups #
  • http://petitions.number10.gov.uk/Infant-formula/ #
  • A rabbit with a pancake hat…. http://www.myconfinedspace.com/2010/02/09/rabbit-with-a-pancake-on-its-head/ #
  • Time to find a star bucks with free wifi or something to tide me over to #phpwm At least I can drink tonight 🙂 #
  • Bus hat ftw. http://twitpic.com/12777q #
  • Meet or Die http://bit.ly/dbOocr clearly the authors were not against meetings or anything… 😉 #
  • RT @birminghampost rail delays between Birmingham and London http://tinyurl.com/y8s7dhf <- Is it just me that gets screwed by trains ? #
  • Today I did a total of 120 situps thanks to the 200 Situps iPhone app. (Week 3, Day 1, Level 3) #200Situps #
  • Trying to never eat 'lamb' curry dishes again …. mutton dressed as lamb. Spices of catshill – I'm looking at you.. Distinctly unimpressed #
  • Got the 3d glasses… Avatar had better be good #
  • 42 is the meaning of life…. and the number of pressups shall be 42. #100pressups #
  • Last night we swapped bed sides (perhaps just to f-ck with @rowangoodwin). I slept poorly. Who'd have thought which side mattered? #
  • Another week. Another brick in the wall. Two leads on php contractor front (neither agency related) *yey* #

Starbucks – Free wifi should not cost £5

Today, I went to London to visit a prospect customer – who we’ve done work for before – oddly the people I spoke to had no knowledge of the work we did (they paid for it all about 18-24 months ago… but nevermind), and it doesn’t appear to have been deployed either (“We heard someone talking about this X months ago; but thought it was just a suggestion / didn’t think work had been done”) … so I’ve probably thrown a spanner into their idea of migrating from ExponentCMS to something else (E.g. Drupal).

Anyway, I got back to Birmingham at about 17:00ish, at which point there wasn’t a lot of point in me sitting on the bus for an hour or more, only to arrive in Bromsgrove, and then drive back to Birmingham to do the phpwm meeting tonight…

So, while walking up New Street, I spot Starbucks with it’s “Free WIFI” advert in the window. Cool. Drink + Wifi = Win. Or not. I had to spend £5 to buy a ‘starbucks reward card’ – then use my iPhone to find out how to register (which wifi ssid etc) – and the starbucks.co.uk site didn’t make it obvious to find either.

So, suffice to say, now I am connected – and all traffic is being tunnelled out via

ssh -D 9999 david@my.server

<expletive begins-with=’f’ ends-with=’wits’/>

Twitter Weekly Updates for 2010-02-07

  • Wondering where to run to tomorrow. #
  • Rowan now has a facebook account to go with his Twitter @rowangoodwin and blog … (rowangoodwin.co.uk, Facebook.com/rowan.Goodwin) #
  • Haha msnbot it appears you are enjoying indexing a customers server a bit much. Have you heard of being 'nice' ? #
  • Today I did a total of 132 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 3, Level 3) #100Pushups #
  • Rowan is still asleep. Lie in ftw. #
  • RT @loudmouthman What Woman will not tell you about pregancy is great breakfast reading http://bit.ly/caqaJL #
  • RT @jzy: @codinghorror you should try "Outside" sometimes. http://bit.ly/dsbcos – looks like a great game…. Cost? Hardware/platform? #
  • If only this developer knew database design. Adding (a) new table(s) for an additional dataset is just WRONG! #uneducated #heathen #
  • Today I did a total of 119 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 2, Level 3) #100Pushups #
  • More sleep plz? Kthxzzzz #
  • Hmm aroundme's augmented reality looks cool; @moobert might kill me if i ask him to do it on the food hygiene iPhone app we're planning tho #
  • Don't you just hate it when you save data to a backend, only for it to silently vanish. (Apc + zend_cache. Perhaps apc needs more memory?) #
  • I am now 200 grams heavier. #chocolate #
  • Why do I need to FAX docs to apple to develop on the iPhone. FFS. What's wrong with email ? #fail #not1980sanylonger #
  • Today I did a total of 121 situps thanks to the 200 Situps iPhone app. (Week 2, Day 3, Level 3) #200Situps #
  • Interviewing possible php contractor this morning. I hope he's good – i've got work stacking up. #
  • *ding dong* "Time to wake up chuggers!" #
  • .RT @metofficeWMids ADVISORY of Heavy Snow for West Midlands valid from 0349 – 2359 Wed 03 Feb http://bit.ly/bBNkz0 #
  • RT @scottmac: Announcing HipHop for PHP – http://developers.facebook.com/news.php?blog=1&story=358 #
  • RT @grifferz Impregnation via the proximal gastrointestinal tract in a patient with an aplastic distal vagina: http://is.gd/7wvbe (via @jwz) #
  • Today I did a total of 102 pushups thanks to the Hundred Pushups iPhone app. (Week 4, Day 1, Level 3) #100Pushups #
  • Sleep little toddler. Sleep. #
  • Cold cold. Brrr. Snow melted tho 🙁 #
  • Well that was a crash course into learning mailscanner with exim on rhel. What next dear customers ? #
  • Hmm 144 bus turns up an hour and a half late. Chances of getting to Birmingham before 1030 – near zero. #
  • Bromsgrove looks a bit clogged up this morning. Stupid snow. Wondering if I'm going to make
    the train now. #
  • Today I did a total of 108 situps thanks to the 200 Situps iPhone app. (Week 2, Day 2, Level 3) #200Situps #

Still looking for a PHP contractor….

At work I’m still looking for a short term PHP contractor. Perhaps I’m being unrealistic in my expectations/requirements (rate/location/duration/skills etc), but nevertheless…. As I’ve not found anyone via normal channels (twitter/phpwm user group etc) I thought I’d turn to a random recruitment agency (who I’d spoken to a week or so ago).

Yesterday I interviewed one guy – who’d been a programmer for a number of years (10+) – using Visual Foxpro (whatever that is) – presumably it’s a dead language, as he wants to move across into PHP. He has very basic PHP experience (yet claims 2 years on his CV), figured out how to do FizzBuzz and Recursion without too much help – but didn’t know anything about object orientation, separation of concerns (specifically MVC), security (obvious SQL injection) or unit testing and failed to make any comment on what is almost the worst code I could find to present to him. This isn’t necessarily a problem – I would normally be happy to train someone – however, not when I’m paying him £25/hour and I’d be lucky if he was productive within a week. (Hint: students are better than this when they’ve only been in University for two years).

Today, I therefore continued hunting, with mixed success. I had three more CVs – all asking for more money, and one looked quite good – but had a requirement he worked remotely after the first few days (well he does live in Telford). Another, who is local, I’m interviewing tomorrow. Wanting to do some homework on him, I had a look at a couple of websites mentioned in his doctored CV  – the first is clearly .Net from the error message it throws when you pass a > into it’s search box – so either they replaced his PHP site quickly or his CV is misleading. The second has a PHP error on it – and is only (effectively) a themed wordpress site which looks like it’s slowly rotting. From these I found out his address (hint: whois $flamingodomain) and an invalid email address/domain (which archive.org seems to not do much with). Typing in his name into Google / LinkedIn, Facebook etc produces no obvious matches. So I know hardly anything about him, and for all intent he may as well not exist. Great sales job there.

From talking to the recruiters it seems it’s difficult to find decent PHP programmers – and anyone who may be decent will almost certainly not be programming PHP as their primary language (i.e. they’ll be doing web development in Java/.Net, and know PHP quite well). This seems a shame, but really only confirms what I already knew from interacting with others in the community. I’ve known for ages that I’ve effectively taken a large pay cut by running my own company, and doing PHP. It sucks that this continues to be the case. Clearly I’m a martyr or something.

So, if you happen to be a contractor looking for work, please make an effort. I’m not overly impressed so far, and may just end up stalling customers for another week/month instead.

(Oddly I wrote this post, posted it, and it vanished. What are you up to wordpress? Why do you want me to retype things in twice?)

Can you write a web app, like Ebay, for me?

Today I had a phone call which went along the lines of ….

Prospect: Do you develop web applications?
Me: Yes… <cue sales pitch>
Prospect: I’ve got a great idea, it’s like eBay…. I need a programmer….
Me: <thinking: oh not another….>
Prospect: I think it’s about 2 developer months worth of work….
Me: Well, we’d need to see your requirements spec to determine that.
<snip>
Prospect: Would you be willing to do the work for free in return for a stake in the resultant venture? How much would it cost?
Me: Well, I’ve not seen any sort of requirements specification; I’ve no idea what’s involved….. Just how long is a piece of string?

I don’t quite understand why people think they’ll be able to create an eBay/Amazon/Google/whatever killer/competitor with minimal funding, a couple of months development and also persuade me to do the work for free on the outside chance they’re successful (that’s like a <5% chance). I might consider reducing the price of the development in return for a share in any resultant company – but I’m sure as not going to commit to anything before I’ve seen any sort of business plan.

Perhaps tomorrow I’ll get someone wanting a site “like Facebook” costing a few thousand pounds… ‘cos we do PHP just like them… and it can’t be hard can it?

Rate limiting http traffic (mod_evasive and iptables)

A customer has a relatively busy web site, which contains lots of juicy information (business names, addresses, email address, phone numbers etc etc). Currently there is nothing in place to stop people spidering it – unless someone explicitly looks at the log files and does something.

Blocking annoying people who spider the site is easy enough –

iptables -I INPUT -s 80.x.x.x -j REJECT

However, I’d obviously rather automate this if possible – and ideally without having to change the PHP code (as each request would need perform some sort of DB lookup it’s part of a spidering attempt)

So, my first idea was to manipulate an existing rule I have to limit SSH connection attempts, giving something like :

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 40 -j LOG --log-prefix "http spidering?" --log-ip-options --log-tcp-options --log-tcp-sequence --log-level 4

Annoyingly however, even though these are the first rules in the iptables output – and they should therefore work, they don’t – i.e. I’m not seeing anything being logged, when doing e.g. the following on a remote server :

while [ true ] ; do
wget -q -O - http://server.xyz/index.php
done

So, I’m still trying to avoid making changes to the code base – although doing so would produce the best user experience (namely we could display a captcha or something and if someone really can browse that quickly they’d not encounter any problems).

And as I’ve just found mod_evasive which claims to provide DoS and DDoS protection. Thankfully Jason Litka has packaged it – so I have no problems from an installation point of view 🙂 (yum install mod_evasive)

Installation on Debian doesn’t result in a config file – but it’s not difficult to create (see /usr/share/doc/mod_evasive). However, it’s not a shiney, sunny ending – mod_evasive appears to be “tripped” by people requesting images – and in my case the client has about 10-20 images per page; so it’s difficult to differentiate between a normal user loading a page or someone running httrack on the website and only requesting the “php page”. If only mod_evasive took a regexp to ignore/match… and I can’t seem to find anyway of fixing this.

So application logic it is :-/ Perhaps caching in APC may be the way forward ….

Twitter Weekly Updates for 2010-01-31

  • RT @glynmoody Facebook rewrites PHP runtime – http://bit.ly/ahwWiq to be released as open source #facebook #php #
  • Poop. Spoke too soon. Snow tap being turned off. F'ing weather god. Curse you. #
  • Decent snow. 4/10 perhaps. B61 #uksnow … Just keep up for an hour or two and perhaps i can sledge/snow fight. #
  • Looks like we had a token amount of snow last night. Looks cold too :-/ 14 miles here I run. Still, cybrosis ppdcast episode to listen to:) #
  • Our car has depreciated £1000 for every year (7) we've owned it. Perhaps it'll soon put on value when as it turns into a mobile pool? #
  • Today I did a total of 105 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 3, Level 3) #100Pushups #
  • RT @stuherbert PHP 5.3 adoption: some numbers and talking points http://bit.ly/djJRos (please RT) #
  • Dogs have a very inefficient protocol for communication. Guessing lots of packet loss as they've been retransmitting for ages now. Woof woof #
  • The last apple in the shop should be avoided; keys are always in the last pocket you check. #lessonoftheday #
  • Today I did a total of 97 situps thanks to the 200 Situps iPhone app. (Week 2, Day 1, Level 3) #200Situps #
  • Twitterific appears to have won. Goodbye tweetdeck. #
  • Nice Run – roads (a38 etc) were almost empty, shame I'd have to get up at 5am to experience it more often :-/ #
  • 100 pushup thing is now hard; couldn't do last rep without two stops :-/ #100pushups weak puny arms get bigger! #
  • Today I did a total of 100 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 2, Level 3) #100Pushups #
  • Today I did a total of 92 situps thanks to the 200 Situps iPhone app. (Week 1, Day 3, Level 3) #200Situps #
  • is giving tweetdeck a whirl… as a change from twitterific #
  • Shocked to receive apple MacBook he ordered online yesterday afternoon this morning. Win! #
  • Today I did a total of 80 pushups thanks to the Hundred Pushups iPhone app. (Week 3, Day 1, Level 3) #100Pushups #
  • Worringly I seem to like coffee (with chocolate biscuits) I wish there was no junk food in this house. I'd best help 'dispose' of it….. #
  • Today I did a total of 88 situps thanks to the 200 Situps iPhone app. (Week 1, Day 2, Level 3) #200Situps #

Verified by Visa …. what rubbish

On Wednesday I was trying to buy train tickets for an upcoming trip to London.

So, I book the tickets, and get to point of being asked for my card details … tap tap tap … kapow … Up comes the Verified by Visa payment screen (in a stupid iframe [how do I know this isn’t a phishing site?]). Well, it displays my ‘username’ correctly – a terrificly hard to guess one of MRDAVIDGOODWIN… I enter my details and it keeps decling them. Hmm.. Fine… perhaps I’ve incorrectly stored the password – “oooh look – reset password…” *click* – “You want me to enter my date of birth… is that the ONLY security check you’re going to do? WTF??? ”

Grr.. Why do they bother….

See also http://www.lightbluetouchpaper.org/2010/01/26/how-online-card-security-fails/

Random PHP project progress

Random php development musing

Initially when we founded Pale Purple all our new PHP development used a combination of Propel, Smarty and some inhouse glue. Over time we seem to have drifted towards the Zend Framework, but I’ve never been particularly happy with Zend_Db or Zend_View. Why the Zend Framework? Well, it has loads of useful components (Cache, Form, Routing, Mail etc) and it’s near enough an industry standard from what we see – and obviously I’d rather build on the shoulders of others than spend time developing an in-house framework no one else will ever use.

For one customer, we’re currently working on the next iteration of their code base – which incorporates a number of significant changes. When we inherited the code base from the previous developers we spent a long time patching various SQL Injection holes (casting to ints), moving over to use PDO’s prepared statements and trying to keep on top of the customer’s new functionality requests and support issues. There’s still a lot of horrible code to refactor, plenty of security holes (although none public facing) and we know we’re moving in the right direction – hopefully patching and duct tape will soon be a thing of the past as it will develop some form of architecture and look like someone has thought about design and long term maintenance.

I’ve started to properly do Test First Development – at least from a support perspective – as too often we’d find we would patch a bug, only for it to reappear again in a few weeks/months time. This has been especially useful with the SOAP interface the application exposes. The tests run every 5 minutes, and we all get emailed when stuff breaks – it took all of 30 minutes to setup and put in place – then it was just a case of actually writing the unit tests themselves (the tests take minutes to write; finding/fixing any bugs they pin point takes somewhat longer :-/ ). I’ve also abused Simpletest’s web testing ‘stuff’ to also act as an availability checker of the live site (i.e. hit a few remote URLs, and check that we don’t get error messages back and do see expected strings).

The original code base had no ‘model’ like layer (or MVC ‘compliance’) – files containing HTML, CSS, SQL, Javascript and PHP were the norm – we’ve added Propel to the project as the ‘model’ layer – which took a few hours; and then when reverse engineering the database we found a few oddities (tables without primary keys and so on) – anyway, moving the functionality from a handful of legacy objects across into the Propel ones seems to be well underway, and I for one will be glad to see the end of :

$x = new Foo(5);

Accompanied with code that does the equivalent of :

class Foo {
    public function __construct($id = false) {
        if($id != false) {
            // select * from foo where id = 5
            // populate $this; don't bother checking for the edge case where $id isn't valid
       }
       else {
           // insert into foo values ('');
          // populate $this->id; leaving all other fields as empty strings...
     }
     public function setBaz($nv) { // repeat for all table fields
         $this->baz = $nv;
         global $db;
         $db->query('update foo set baz = "' . $nv . '" where id = ' . $this->id);
     }
}

Finally, we have a meaningful directory structure – where some things aren’t exposed in the document root. Hopefully soon a front controller and some decent routing. At the moment a huge amount of code is just sat in the ‘public’ directory due to it’s nature. We hope to fix this in time, and move to using Zend Controller – once we get Smarty integrated with it.

Propel has added some nice new features since we last used it (effectively v1.2); it was a toss up between it and Doctrine (as obviously the ZF is moving in that direction) – but we already had knowledge/experience with Propel and it seemed the easier option.

I’m hoping that with time we’ll be able to get up to at least 60% test coverage of the code base – at that point we should be able to refactor the code far easier and with less fear. At the moment I doubt the unit tests cover more than 5-10% – although maybe it’s time I pointed xdebug or whatever at it to generate some meaningful stats.

My final task is to get some decent performance measurements out of the code base – so we can track any performance regressions. I’m fairly confident that moving to Propel will result in an speedup as duplicate object hydrations will be eliminated thanks to it’s instance pool, however having hard figures and nice graphs to point at would be ideal. So far I’ve knocked up my own script around ‘ab’ which stores some figures to a .csv file and uses ezComponents to generate a graph file. This seems to be a crap solution, but I can’t think or find anything better. Any suggestions dear Internet? Perhaps I should integrate changeset/revision id’s in my benchmarking too. Suggestions here would be exceedingly appreciated.

There, I should have ticked all necessary boxes wrt development practices now. Now to work on finding a contract PHP developer….

The PHP Security Journey begins…

Here’s the slides from the PHPWM talk I gave last week PHPWM Presentation – The Security Journey Begins ; thanks to DeanC on #phpwm for reminding me to upload them 🙂

The presentation focusses on security issues in web applications – specifically, PHP – although obviously other web facing languages face the same problems. It’s a very condensed version of what I normally give as a two day PHP security training course – so there are bits missing, and many things aren’t explained fully… and obviously the demonstration after the slides is missing 🙂

(250kb, PDF file… I think)