james mckay dot net

because there are few things that are less logical than business logic

July 2007

30 Jul

Blogging from the sheep shed — or maybe not

Since I am at our annual Faith Camp this week and spending copious amounts of time in a sheep shed with only a slow Internet connection over my mobile phone, I am spending very little time online this week. Hey, what do you expect? This isn’t RailsConf — there isn’t a MacBook or an Ubuntu T-shirt in sight…

I have found in recent months that spam comments are sneaking past my arsenal of defences at a rate of about three or four a week, so I have set my blog to moderate comments until I get back. So if you leave a comment and it does not appear immediately, please bear with me. Anything legitimate should be dealt with by the start of next week.

27 Jul

I could have told you this would happen…

Automattic releases the WordPress Stats 1.1 plugin, and the next day, it is found to have a SQL injection vulnerability.

Fortunately, the vulnerability has been fixed, but it is this kind of bug that I was talking about earlier today. With a solid, well thought out database access architecture using parametrised queries, SQL injection vulnerabilities like this could be all but eliminated.

If the WordPress guys don’t change their tune about GoPHP5 sometime soon and come up with a firm action plan to rework their application architecture to use PDO and nail these things on the head, I’m looking for another blog engine.

(Updated: added link to the fix)

27 Jul

Some thoughts on WordPress security

I’ve been thinking a bit more about what to do with my blog. More from a technical perspective than anything else, mind you — I have been wondering a bit whether WordPress is the best solution to use for it, and if not, what I should be using instead.

WordPress is very popular and very fully featured, but it has a poor reputation when it comes to security. Stefan Esser, of “Month of PHP Bugs” fame, is particularly critical — a week or so back he gave an interview on BlogSecurity.net about the problems with WordPress, citing architectural problems that make it difficult to write secure code.

I must admit that while there is a lot that WordPress does very well — it is a very full featured application, supported by a lively community — I find its codebase pretty tacky. Some of it isn’t too bad, but the admin section in particular is a right unholy mess, with HTML, PHP code and SQL statements bundled together haphazardly in a monstrous plate of gone wrong spaghetti bolognese on the loo.

Matt Mullenweg is pretty defensive about WordPress security, however. In a blog entry about a month ago, he made the point that (a) all software has bugs and security vulnerabilities, which is true, and (b) that the WordPress developers do a great job of tracking down and fixing bugs and security holes before releasing a new version, which is also true. However, he did not address the point that the overall architecture of WordPress makes the process of tracking down and eliminating bugs — and keeping out whole classes of certain bugs in the first place — unnecessarily difficult.

The fact that Mullenweg has stated his opposition to the long overdue GoPHP5 initiative and the end of life of PHP 4 is also far from reassuring. PHP 4 may still be amazingly popular, but it has some serious shortcomings as a language which make it much more difficult to write robust, secure and easily maintainable code — shortcomings which were addressed in version 5. It has no support for parametrised queries, for instance, forcing developers to adopt the dangerously insecure practice of concatenating SQL code and user input to construct database queries. In an attempt to protect against SQL injection attacks, PHP offers magic quotes — an ugly, naive, broken and widely criticised hack that escapes incoming request data with backslashes regardless of the database in use, causes more problems than it solves and doesn’t always work.
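To make the architectural point concrete, here is an added example (not code from this blog or from WordPress) contrasting the concatenation style that PHP 4 forces on developers, the magic-quotes style band-aid, and the PDO prepared statement that PHP 5 makes available. It serves both the WordPress Stats entry above and this one. It uses an in-memory SQLite database so that it runs offline; the table, rows and the `$input` value are constructed sample data standing in for something like `$_GET['login']`.

```php
<?php
// Added example, not from the original post or from WordPress.
// In-memory SQLite so the script runs offline; all data is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT NOT NULL)");
$db->exec("INSERT INTO users (login) VALUES ('alice')");
$db->exec("INSERT INTO users (login) VALUES ('o''brien')"); // stores o'brien

// Hypothetical untrusted input (constructed). A perfectly legitimate login
// name containing an apostrophe is enough to show the difference.
$input = "o'brien";

// 1. The PHP 4 way: user input spliced straight into the SQL text.
//    The apostrophe ends the string literal early and the query is
//    no longer the one the programmer wrote.
function findUserConcatenated(PDO $db, $login)
{
    $sql = "SELECT id, login FROM users WHERE login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. What magic quotes does for you behind the scenes: addslashes().
//    It assumes backslash escaping. SQLite, like standard SQL, escapes a
//    quote by doubling it, so the "protected" query is still broken; and
//    if the data is escaped a second time you store literal backslashes.
function findUserAddslashes(PDO $db, $login)
{
    $sql = "SELECT id, login FROM users WHERE login = '" . addslashes($login) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The PHP 5 / PDO way: the value is bound as a parameter and never
//    becomes part of the SQL text, so quoting rules are the driver's
//    problem rather than the programmer's.
function findUserPrepared(PDO $db, $login)
{
    $stmt = $db->prepare("SELECT id, login FROM users WHERE login = :login");
    $stmt->execute(array(':login' => $login));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$variants = array(
    'concatenated' => 'findUserConcatenated',
    'addslashes'   => 'findUserAddslashes',
    'prepared'     => 'findUserPrepared',
);

foreach ($variants as $label => $fn) {
    try {
        $rows = $fn($db, $input);
        echo $label, ': ', count($rows), " row(s) ";
        echo $rows ? $rows[0]['login'] : '', "\n";
    } catch (PDOException $e) {
        echo $label, ': query failed (', $e->getMessage(), ")\n";
    }
}
```

Run with `php example.php`. The first two variants throw a syntax error from SQLite, because in both cases the apostrophe in the input terminates the string literal; only the prepared statement returns the `o'brien` row. The same concatenation against MySQL with backslash escaping would happen to work, which is exactly why magic quotes "doesn’t always work": it ties the application to one database’s quoting conventions instead of keeping data out of the SQL text altogether.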

What makes this more serious is that these days, writing WordPress plugins and themes is for many people the introduction to the world of software development. It does need to be kept simple so that newbies can learn and participate to some extent, but it also needs to show the way in terms of good programming practices and robust code, and when you are using a language that limits your ability to do so, it is not good.

So how could WordPress improve in this respect?

First of all, the WordPress core team needs to take PHP 5.2 seriously and sign up to GoPHP5. The new features of PHP 5 are not merely luxuries; they do make it much easier to adopt good programming practices and write robust, easily maintainable code. It would not make it more secure overnight, but it would make it considerably easier to evolve it towards a better, more secure, more robust and more easily maintainable architecture.

Secondly, it needs as complete a suite of unit tests and integration tests as possible. I know that there are moves afoot to add unit testing to some particularly error-prone parts of the application, but the automated tests need to go beyond this and cover as much of the code as is possible. These would not only increase confidence in the code quality dramatically, they would also make it a lot easier to track down and fix bugs that creep in during development. Automated unit and integration testing seems much less common in PHP open source projects than in their counterparts in .NET or Java, and if WordPress takes a solid lead in this respect, it will be a smart move and bring them kudos among serious developers.

This would, however, necessitate some fairly fundamental architectural changes. It is much more difficult to write meaningful unit tests for an application with a monolithic structure where HTML, PHP and SQL code are all wrapped into one than for an application that adopts a three-tier or Model-View-Controller approach. This does not have to be done all at once, and it does not have to become fully object oriented, but WordPress does need to move towards a more structured approach with a better separation of concerns between database access, network communications (such as e-mail and pings), business logic and the UI.

Finally, the upgrade process needs to be made as simple as possible for the end user. I wrote a while back about how we have moved to a scripted, single step process for one of our major projects, which makes the process of applying changes a doddle. WordPress needs to do something similar. It can be, and should be, as simple as pressing a button on your dashboard. Novice users certainly should not need to bother with making backups, FTPing some parts of the application and not others, and so on — it is an error-prone process that can be so daunting for inexperienced users that there are still a lot of blogs out there running WordPress 1.5, wide open to attack.

23 Jul

Does the keyboard have a future?

I got a new phone today. My old one died at the weekend but fortunately there was a spare one available at work that I have been given the use of. My mobile number is unchanged.

Unfortunately it is not an iPhone, but it does have some rather interesting features. One that I rather like is handwriting recognition, which even makes a reasonable attempt at interpreting cursive (joined-up) handwriting. It is accurate enough to be usable most of the time, and though it does make enough mistakes to slow you down, it seems to get more accurate the more you use it. It is certainly much easier to use it for texting than a tiny numeric keypad.

With technology like this, one wonders whether this means that the writing is on the wall for the keyboard as we know it. Speech recognition may have had a bit of a bad press, but it is improving all the time. We now have futuristic technologies such as Microsoft Surface and the iPhone either out or in the pipeline. Computer scientists at Cambridge University have even produced a device that can decode facial expressions.

Sure, all this may still be slow and resource intensive at present, but the technology is improving all the time, and while voice recognition may not be suitable in all settings (you wouldn’t make many friends using it in an open plan office environment), handwriting recognition is certainly rather promising, and it could well be a serious rival to the humble keyboard as our main data input device.

Having said that, I don’t think it’s curtains for the keyboard just yet. It comes into its own when you need to combine speed and accuracy. Skilled touch typists can reach speeds of eighty words per minute or more — speeds at which your handwriting would rapidly become illegible even to human readers. We developers will probably be the last ones to hang up our keyboards at the end of the day — the requirement for both speed and accuracy is paramount when you are writing code.

18 Jul

Ask the whole community, not just one of its members

I got an e-mail yesterday from someone asking me this:

I have read one of your answers to a problem someone was having and you suggested to add a – Select – in the drop down list.

I had already done that, but how do I do the validator to check that this – Select – is not still there.

I think what she means is: “how do I add a validator to my ASP.NET web application to make sure that the user has not left a drop down list at the default option (“Select one” or whatever)?”

The answer is: use a RequiredFieldValidator control. Set its InitialValue property to the value of the default option in the list (the one you don’t want your users to choose), and its ControlToValidate property to the ID of the drop down list.

But that is not the point of this blog entry.

I get questions like this every so often from people who have read something that I have written on some forum system or other. If you are good with computers and active in an online community, it goes with the territory, I guess. People see that you know your stuff and come directly to you for advice.

This is usually not the best idea. It is far better to post your question on a public forum where everyone can see it and have a stab at giving you an answer. There are several reasons for this.

First, someone else may be asking the same question as you and could also benefit from the answer.

Second, you are likely to get an answer much more quickly that way. On active developers’ forums, there are always hundreds of people online at any one time ready and able to answer your question straight away. On the other hand, we developers often have to prioritise, and questions from strangers asking for free advice tend to get pushed down to the bottom of the pile when we are busy.

Third, I might not be the best person to answer your question in the first place. There may be other people who know more about what you are asking than I do, or it may be the kind of question that requires some discussion in order to be resolved and clear up some misunderstandings.

Finally, I simply may not have time to answer your question. I may be facing a tight deadline, or on a camping holiday and offline for the week. As a rule, we developers only contribute to forums when we can give an answer off the top of our heads. Time doing research and/or looking things up tends to be reserved for our paying clients, our day jobs, and our own projects.

I’m not writing this to whine, or to get at anybody, but to point people in the right direction. By participating in online communities such as forums, a lot of people can benefit who would not otherwise if it were just a private conversation between you and me.

16 Jul

Facebook – the Swiss army knife of social networking

So I finally succumbed to pressure from my friends and colleagues and got myself onto Facebook. This may come as a bit of a surprise given my rather low opinion of MySpace, but then again, while there are similarities, Facebook is not MySpace.

What is the difference? Two things. One is aesthetics. There are none of these awful seizure-inducing profile pages with illegibly tiny pink text on an orange background, and no annoying background music, and in their place is a slick, clean, responsive, easy to use Ajax driven interface.

The second — and much more important — thing: developers, developers, developers. MySpace has hitherto had something of a reputation for sending in the legal heavies after people who write widgets and add-ons for the platform. Facebook is the exact opposite, and positively encourages it, having released a complete API with full instructions on how to make a Facebook application.

This makes it the Swiss Army Knife of social networking websites, since there is so much that you can do with the platform. You can integrate Facebook with a whole lot of other services such as your own WordPress blog (my own blog posts get reproduced on my Facebook profile via the RSS feed) or even Wikipedia if you are that way inclined. A particularly useful application that has recently been launched is Google Reader Shared Items, which allows you to share interesting items in your RSS feeds with your friends very easily. Scoble loves it.

I think sites such as Facebook are also well placed to supplant e-mail as the primary one-to-one communication means of the Internet. Because you set up a network of friends, there is an element of trust there that makes it much easier to filter out spam, phishing and viruses. Of course, these nefarious characters tend to be a pretty crafty bunch, so vigilance is still necessary, but since there is an identifiable element of trust there, it is easier to filter it out or even block it altogether, by setting your profile so that only people you have accepted as friends can contact you through the system.

09 Jul

My million dollar iPhone question

Can any of the masses of early adopters who succumbed to all the hype about the iPhone please tell me whether or not it acquires a life of its own the moment you put it in your pocket?

My present mobile phone (an Orange SPV C600) does exactly that. It has a very nasty habit of taking photos of nothing, filling my address book with mysterious characters called “dddddddd111111111”, and dialling all sorts of random numbers completely at random, including the emergency services, and it is getting extremely annoying. And yeah, I do lock the keypad before I pocket it, but it still misbehaves.

Those phones that flip open like the communicators from the original series of Star Trek are great in this respect. Because they flip closed over the keyboard, you don’t get your keys rubbing up against them and setting them off all over the place.

It is a fundamental and absolute necessity that my next mobile phone behaves perfectly in my pocket rather than like a spoilt child throwing a tantrum. The iPhone may be the coolest, hippest, trendiest gadget on the face of the planet, but unless I can have a rock solid guarantee that it meets this one essential criterion, I don’t want to know.

03 Jul

Blogging offline

Well just a couple of days after I reinstalled Windows on my laptop, the screen finally decided to die. This means that until I get it replaced, I’m offline in the evenings and at weekends. It’s about time I replaced my laptop anyway though. It’s now nearly four years old, and while it’s still perfectly serviceable, it’s beginning to get a bit geriatric in computer terms now. It weighs a ton and feels like having a fan heater sitting on your lap, it gets that hot.

I think this will give my wrists a bit of a well-earned rest. They’ve been getting a bit sore with my recent experiments with /(Dvor|Colem)ak/. Shai Coleman, the designer of Colemak, responded to a comment that I made on the Colemak forums saying that you do experience some discomfort initially, but it goes if you persist. However, I am still on qwerty at work and that isn’t likely to change now.

I’ll still be blogging when I get a chance, however. I’ll just be relying on pen and paper a lot more for the first draft of each entry. I think this speeds up the process somewhat though. I tend to be something of a perfectionist at times: I find it all too easy to either (a) over-research my blog posts, or (b) spend too long editing, chopping and changing them, and just having a pen and paper puts a bit of a restraining hand on me from both these tendencies, since I have to write it all offline in one pass without recourse to Wikipedia.

02 Jul

Developers versus PR

Robert Scoble mentioned a few days back that large software companies don’t like their developers talking to the press. This, he says, is because their PR departments know fine that we developers (a) don’t tend to be all that good at PR kinds of things, and (b) have a tendency to tell “the unvarnished truth”.

I sometimes wonder if this is a bit self-perpetuating, somehow. That kind of thing means that your average enterprisey geek doesn’t get to see how PR operates, so they haven’t a clue. In a small company, it’s different. When you are sitting cheek by jowl with the PR department, you get a first hand experience of what not to say to the clients. You soon learn, for example, that expressing a lack of confidence in your own products is generally a bad move.

However, I think a lot of it is down to differences in perception. When you are a sales guy, your job is to get the clients to sign on the dotted line. You tend to make bold statements that instil confidence in the client. You don’t tend to worry if you’re promising them a holodeck, a dozen tricorders and a warp drive. Making sure that it actually can get you to Alpha Centauri in one piece in less than a week is Not Your Problem.

We developers tend to be much more cautious, however. We see what goes on underneath the covers: the stack of outstanding issues in the bug tracker, the multiple copy-and-paste jobs of four hundred line functions by the previous developer, and the fact that one of the other developers on the project is called Paula Bean. When you’re staring that in the face every day, the glowing statements by the PR guys start to sound like barefaced lies.

The other thing, however, is that just because a developer thinks that the code is rubbish doesn’t mean that it actually is. We tend to be an opinionated bunch, and we usually have pretty strong views on things such as what language to use, stored procedures versus dynamic SQL, or even tabs versus spaces. We tend to get into Religious Wars about this kind of thing, and some developers even regard people who take an opposing stance to them as total idiots.

The fact of the matter is that the best developers are hopeless perfectionists for whom “good enough” is never good enough. We encounter so many bugs that we worry somewhat in case a disastrous one will slip through the net. Usually our worries are unfounded, of course — that’s why we have quality assurance guys — but we don’t want to be the ones that get sued if everything does hit the fan.

The time that you really need to worry is if a developer tells you, “There are no bugs in our software.” Every developer with more than zero experience knows that this is never true, and if he actually says it, it’s an indication that either (a) he is telling a bare-faced lie, or (b) his testing is woefully inadequate. (I speak from experience here. A while ago I got an e-mail from the lead developer of a commercial software package that said just that. The program was so buggy that it was almost unusable.)