Yup, it’s 2014 and there are countless articles written about securing your PHP code. Hell, most people use a framework. Today, I took over a rather large internal quoting system from another developer at another company. The company, rather ironically, class themselves as “the web experts”. The following gem was written on 23/10/2014. I present it in all its scary, insecure glory:
Whilst I don’t usually come into contact with the Heart Internet people too frequently (I only use them for a couple of domains personally and have experienced past annoyances with SSH/Shell access to a Heart Internet account), I did this morning. I have no issue with their manner, as the person I spoke to was very polite.
Heart Internet Support Ticket Statistics
There are some rather painful statistics that this ticket resulted in:
- 17/11/2014 at 11:09
- 22/11/2014 at 15:54
- 5 days, 1 hour, 43 minutes
- Number of ticket updates:
- Number of support staff involved: 12 (not a typo, 12 different people)
- Issue ultimately resolved:
- Phone calls made (by myself):
- Times Heart Internet blamed PyroCMS:
- Compensation offered by Heart Internet: 3 months free hosting
- Times Heart Internet apologised:
- Amount of my own time wasted:
In short, I had a run-of-the-mill MySQL connection error. PyroCMS was complaining, saying:
mysqli::real_connect(): (HY000/1045): Access denied for user 'THE USER NAME'@'10.0.44.120' (using password: YES)
Unfortunately, when all the connection details in the script are correct, there is little choice but to raise a support ticket. I raised a detailed ticket, provided the location from which the site was connecting to the database and the location of the error log (a nicely formatted CodeIgniter log file). I explained everything in detail.
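A 1045 error is worth reading closely: it means the server was reached and actively refused the credentials, and the 'user'@'host' pair in the message is what the server saw, so the GRANT on the MySQL side has to match that client address (10.0.44.120 here), not just the username. The following standalone script is an added diagnostic, not part of the original post or of PyroCMS; it checks the same credentials from the same web host with no CMS in the way, and reports which grant actually matched. Host, user, password and database names are placeholders.

```php
<?php
// Added diagnostic: test database credentials from the web host without the CMS.
// All four values below are assumed placeholders; copy them from the CMS config.
mysqli_report(MYSQLI_REPORT_OFF); // inspect errors ourselves instead of throwing

$host = '10.0.44.5';      // assumed database host
$user = 'THE_USER_NAME';  // assumed account name
$pass = 'secret';         // assumed password
$db   = 'quotes';         // assumed database

$mysqli = @new mysqli($host, $user, $pass, $db);

if ($mysqli->connect_errno) {
    // 1045: server reached, credentials refused; the user@host in the message is
    //       what the server saw, so the GRANT must cover that client address.
    // 2002/2003: host or port not reachable at all (different problem entirely).
    printf("Connect failed (%d): %s\n", $mysqli->connect_errno, $mysqli->connect_error);
    exit(1);
}

// USER() is what the client presented; CURRENT_USER() is the grant the server
// matched it against. If they differ (e.g. 'name'@'10.0.44.%'), the host part of
// the grant is what to compare against the address in the 1045 message.
$row = $mysqli->query('SELECT USER() AS presented, CURRENT_USER() AS matched')->fetch_assoc();
printf("Connected to %s (server %s)\n", $host, $mysqli->server_info);
printf("Presented as %s, matched grant %s\n", $row['presented'], $row['matched']);
$mysqli->close();
```

Run it with the CLI (`php dbcheck.php`) on the hosting account itself, since the client address in the error is the address of that host, not of your workstation; a success here alongside a failing CMS points at the CMS config, a 1045 here points at the grant.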
Just came across this gem, that I’m sure anyone who works in development can appreciate:
As developers need to look at problems from a different standpoint, software projects cannot be accelerated by spending more time in the office or adding more people to a project. Development is not just about timelines and assigned tasks. If you visit the development centers of world-famous software companies such as Google and IBM, you’ll see that there are many opportunities for spending time away from the keyboard for developers. Programming questions have to be thought of in the context of the real world.
This morning, I was part of a fairly normal client meeting discussing potential new work. The client started to discuss what constitutes a good and a bad service in relation to web development. In a similar fashion to lots of customers I encounter, they all have their own horror story of working with another developer or agency. This client was no different in that respect. The client had had issues in the past with work not being completed and promised deadlines being missed.
Recently, I’ve been looking for ways to streamline and improve my workflow with frontend assets. This is the first article in a mini series, where I’ll be explaining my updated workflow with Bower and GruntJS. Part one covers Bower, a package manager for frontend assets and packages; this article is a short Bower tutorial for the uninitiated.
Bower is comparable to Composer (a dependency manager for PHP), except for frontend assets. This is great news for any project, as Bower allows for stress-free management, tracking, finding and updating of all the frontend assets in a project.
Previously, you may have manually copied an updated version of, say, Twitter Bootstrap or jQuery into a skeleton project, or even left in an older version that had been blindly copied over. Even in medium-sized projects, this process of manually setting up each package quickly becomes tiresome: checking the version, downloading the package, updating references to any changed files, and so on. Instead, let Bower take away this work.
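The manifest that replaces the manual copying is bower.json at the project root. The one below is an added example, not from the original article; the project name is made up and the two versions are simply releases that were current in late 2014. The point worth taking from it is that each dependency is pinned to an exact version rather than a range, so `bower install` on a colleague’s machine or a build server fetches the same files you tested against instead of whatever happens to be newest that day:

```json
{
  "name": "internal-quoting-system",
  "private": true,
  "dependencies": {
    "jquery": "1.11.1",
    "bootstrap": "3.3.1"
  }
}
```

Adding a package with `bower install bootstrap#3.3.1 --save` writes the pinned entry into this file for you; commit bower.json, and treat the installed bower_components directory as build output that can be regenerated from it.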
Web Developers & Designers alike can rejoice! As of 12th January 2016 Microsoft will no longer provide security patches and updates to dated versions of Internet Explorer. In an official announcement, Microsoft said:
.. only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.
Recently, the latest website security saga in the news has been Hotelhippo.com. I won’t try to top Scott Helme’s article, as he does an excellent job of explaining the saga in exhaustive detail, along with the other glaring issues he discovered. There’s another great article by Neil Stud that is definitely worth a read too. However, I’ll be covering the issue purely from a web development perspective, because as a developer myself, I find the whole situation scary/insane.
The issue I will be covering concerns an error that any web developer, even a junior, cannot excuse: the ability to change query string data and view private information without authentication. A site as big as Hotel Hippo, and one that stores a lot of personal customer information, should, frankly, be ashamed of itself for such a basic breach.
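To make the class of bug concrete, here is an added PHP/PDO example; it is not Hotel Hippo’s code and not from the original post, and the table, column and DSN values are assumed. The first function is the pattern described above: a record fetched by the id in the query string with no check of who is asking. Note that it already uses a prepared statement, so it is safe from SQL injection; authorisation is a separate property, and it is the one that is missing. The second function requires a logged-in customer and scopes the query to that customer’s own rows, so a guessed id yields a 404 rather than somebody else’s booking:

```php
<?php
// Added example (assumed schema: bookings(id, customer_id, guest_name, email, check_in)).
// Requires PHP 7.1+ for nullable types.

function dbConnect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=hotel', 'app', 'secret'); // assumed DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// VULNERABLE: /booking.php?id=1042 returns booking 1042 to anyone at all.
// Binding the parameter prevents SQL injection but says nothing about
// whether the requester is allowed to see this row.
function bookingInsecure(PDO $pdo, int $id): ?array
{
    $st = $pdo->prepare('SELECT id, guest_name, email, check_in FROM bookings WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: refuse unauthenticated requests, and put the ownership condition in
// the query itself so there is no window where another customer's row is
// loaded and then "checked".
function bookingForUser(PDO $pdo, int $id, ?int $customerId): ?array
{
    if ($customerId === null) {
        http_response_code(401);   // not logged in
        return null;
    }
    $st = $pdo->prepare(
        'SELECT id, guest_name, email, check_in FROM bookings WHERE id = ? AND customer_id = ?'
    );
    $st->execute([$id, $customerId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);   // same response whether the id exists or not
        return null;
    }
    return $row;
}

session_start();
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}

// $_SESSION['customer_id'] is assumed to be set by the login code.
$booking = bookingForUser(dbConnect(), $id, $_SESSION['customer_id'] ?? null);
header('Content-Type: application/json');
echo json_encode($booking);
```

Sequential integer ids make the vulnerable version trivial to enumerate, but switching to random identifiers is only a speed bump; the ownership check in the query is the actual fix, and it belongs on every endpoint that takes a record id, including edit, cancel and PDF-download routes that are easy to forget.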
At a recent business networking event I got talking to another web developer, who has just started using Laravel 4. We got chatting about Laravel in general and how awesome it is. Of course, the subject of IoC cropped up. The other developer commented on IoC, saying, “you need to be really careful with the IoC and passing an instance of the $app into the closure for performance reasons, the $app shouldn’t really be passed through at all ideally”. His argument also focused on injecting the “Laravel 4 Facades” (config/app.php line 151) into controllers, as that is faster.
Personally, I think he’d missed the point of IoC here. The only point he does have at a push, I assume, is if the object doesn’t need an instance of the $app, then don’t pass it through the closure – but that’s pretty obvious?
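For anyone who has not seen the two sides of the argument in code, here is an added Laravel 4 style illustration; it is not from the post, and the QuoteRepository interface, DbQuoteRepository class and QuotesController are assumed names. The closure registered with App::bind receives the container ($app) and uses it only to resolve what the repository needs; nothing is constructed until something asks for a QuoteRepository. The controller then declares its dependency in the constructor and is handed the bound implementation by the container, so it never touches $app or a facade itself:

```php
<?php
// Added example, assumed names throughout. Laravel 4 conventions:
// bindings live in app/start/global.php or a service provider,
// controllers extend BaseController and are resolved through the IoC container.

interface QuoteRepository
{
    public function find($id);
}

class DbQuoteRepository implements QuoteRepository
{
    protected $db;

    public function __construct($connection)
    {
        $this->db = $connection;
    }

    public function find($id)
    {
        return $this->db->table('quotes')->where('id', $id)->first();
    }
}

// The closure gets $app so it can resolve the repository's own dependencies;
// $app itself is not stored anywhere. 'db' is Laravel 4's DatabaseManager binding.
App::bind('QuoteRepository', function ($app) {
    return new DbQuoteRepository($app['db']->connection());
});

class QuotesController extends BaseController
{
    protected $quotes;

    // Type-hinting the interface lets the container inject the bound
    // implementation; swapping it for an in-memory repository in tests
    // is then a one-line App::bind in the test, not an edit to this class.
    public function __construct(QuoteRepository $quotes)
    {
        $this->quotes = $quotes;
    }

    public function show($id)
    {
        return View::make('quotes.show', ['quote' => $this->quotes->find($id)]);
    }
}
```

The performance concern is real only in the sense that a closure runs once per resolution; if the object is genuinely expensive to build and shared, App::singleton instead of App::bind makes the container cache it, which addresses the cost without giving up the injection.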
During application development, sending test emails can be a pain, even when using a modern framework like the excellent Laravel 4. During development it is very desirable to debug emails without actually sending them. There are a few options I’ve come across:
- Use Laravel 4’s Mail pretend feature. Simply set the configuration key “pretend” to true in app/config/mail.php. Laravel will now not send emails, instead write the content of each email to the application log
- Manually change the “to” email to your own so emails are delivered to your favourite email client – again, messy if sending lots of emails and if you ever made a mistake
- Print out the email data directly to the screen, but don’t send the actual email – the worst solution in my opinion
Options 2 and 3 are particularly fraught with issues. For instance, assume the application sends out 1000 member renewal reminders and, during development, the route that sends them out was hit. Very soon, you’d have some very real (and confused, annoyed etc.) customers contacting you: disaster!