Archive for the ‘Uncategorized’ Category

While doing a little Sunday afternoon browsing of Twitter, I noticed Amy Stephen warning about a bad technique for using Joomla! with AJAX-style requests. I followed the link (WARNING: don’t use this code!) and found security vulnerabilities right away. Since the blog in question doesn’t support comments, I’m forced to respond here.

First, as Amy pointed out, the technique creates another entry point into Joomla. While this can be used effectively if you know what you’re doing, it’s totally unnecessary for a casual application of asynchronous JavaScript. Next, class, who can tell me what’s wrong with this piece of code?

cExt( $_POST['func'] );

That’s right, we’re passing data straight from our HTTP request (which can come from anywhere in the WORLD) into our application’s logic. Once we get into the the cExt function, the variable is used to execute code with no filtering whatsoever:

function cExt($func = ''){

    $cext = null;

    if(!empty($GLOBALS['cExt']))

        $cext = $GLOBALS['cExt'];

    else{

        $GLOBALS['cExt'] = new plgCommunityExt();

        $cext = $GLOBALS['cExt'];

    }

    if(empty($func))

        return $cext;

    else{

        if($GLOBALS['ajax'] == true)

            $cext->$func();

        else

            return $cext->$func();

    }

}

Please, regardless of whether or not you use Joomla, don’t do this! It is a totally insecure way of writing code. Instead, if you are using Joomla, you can at least filter this variable using the following code:

$func = JRequest::getCmd('func', '');

This code will filter the func variable from the request and make sure it only includes numbers, letters, or underscores. Additionally, you should filter $func to make sure a corresponding public function in the plgCommunityExt class exists before attempting to use it to actually execute that function.

As a side note, $GLOBALS is being used an awful lot here. While this isn’t a security risk in and of itself, it is a bad practice that can lead to insecure coding. If the register_globals setting in PHP (going away in PHP 6) is turned on, this becomes a huge security risk as anyone in the world can set the value of cExt to anything.

The post ends with this quick jibe:

I’d argue that the author of this blog post would not only benefit from reading a book about CMS development, but one on basic PHP security. The technique he describes is insecure in any PHP-based framework or CMS.

Fortunately, you don’t even have to run to the bookstore to find examples of the correct way of doing these things. Louis Landry has a quick example of how to return JSON formatted data simply and securely on this thread, without having to create a special component view. If you do want to use a view, this blog post will show you how to do it.

Finally, if you do want to learn how to add AJAX-style requests to Joomla (without necessarily using JSON), I’ll shamelessly plug my own book. But you don’t even have to buy it, because the sample chapter is indeed the one on JavaScript and Joomla (start on page 168 if you already know Joomla! MVC).

Yesterday, one of my clients requested an invoice for my services. This is not an unreasonable request by any means, but it is oddly one that doesn’t happen very often. I initially fired up OpenOffice.org and started writing one, but had difficulty getting the layout I wanted. After OpenOffice crashed (I had an older version), I posted a message to Twitter. Suddenly I had friends suggesting FreshBooks, Zoho Invoice, Billable, and some homebrew solution. Many of these were good suggestions, but I was really just looking for a nice clean invoice template; I already have my own system for tracking hours and payments.

Unfortunately, I have a very bad case of NIH and decided to roll my own using HTML and CSS. Fortunately, it only actually took an hour and I’m quite pleased with the results. So pleased, that I’m now sharing the results for all of the Internet to plunder. Have a look. It is released under a Creative Commons Attribution-Share Alike 3.0 license, so feel free to modify it and use it for invoicing your clients. If you redistribute this in HTML form, please maintain the copyright notice in the comments. If the final medium is a PDF export for printing or emailing to a client, you do not have to maintain the copyright notice.

I created a PDF of this using my Mac’s “Save as PDF” function under “Print…” on Firefox 3.5 and it worked perfectly. Safari wanted to print headers and footers with the source URL and didn’t pick up my backgrounds. I have not tested this in Internet Explorer.

Enjoy!

Basic HTML/CSS Invoice by Joseph LeBlanc is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.

I released a stable copy of Podcast Suite 1.5 today, go get it. On the forums, we managed to find bugs regarding the MIME type being set in the HTTP headers. We also fixed a bug where languages other than English would not get their code in the RSS feed. A few other fixes and enhancements made it in. Thanks goes out to everyone who’s reported bugs on the forum and even offered solutions!

It seems as though the tech conference season starts off every year with SXSW in Austin, comes to a peak in May, then takes a vacation until September. So far, this year has been no different. I recently had the opportunity to attend three conferences within four weeks of each other. A small taste of each follows…

JSConf

Back in February, I began seeing tweets for JSConf on April 24th-25th: the first conference for JavaScript developers. I recently began digging into JavaScript for more than simple effects in jQuery so this sounded interesting. The venue was a mere two metro stops away from my apartment, so I knew I would be kicking myself if I didn’t go.

JSConf absolutely blew me away. The sessions were not simple “here’s how to use jQuery for form validation in your next project” talks. These were the first presentations I saw of JavaScript being used for backend programming as well as frontend. There were speakers representing Objective-J/Cappuccino, Dojo, jQuery, YUI, CouchDB, Titanium, and many other projects. This was also the first I had seen a formal presentation on BOSH and XMPP.

Although there were the presentations about using JavaScript in the backend, the current mainstream use is in the front. Consequently, most of the attendees had expertise in languages other than JavaScript. JSConf managed to get Ruby, PHP, Python, .NET, and other developers in the same room. This really made the conference for me: we were forced to talk about our tools without hiding behind fanboyism.

Another highlight of JSConf was running into Chad Auld and Ozgur Cem Sen from the MiaCMS project. MiaCMS is a fork of the Mambo codebase that has some promising features developing. The JavaScript for the entire codebase has been rewritten in YUI. MiaCMS also sports a REST-style interface you can use to do things like update your site from an iPhone.

Aside from the incredible technical content, the accomodations and after parties were fantastic. Chris and Laura poured a lot of effort into putting this and thought of all the details. They made sure that outlets and wifi were plentiful. The venue they picked was just the right size for shuffling between sessions, uncon talks, hallway tracks, and break room hacking. They even organized a “significant other” track where spouses and children were able to tour DC and Old Town together.

There may be some who would say that this was great for a first year conference; I thought it was amazing for a second or third year conference. I know first hand how difficult it can be to pull off a tech conference, but Chris and Larua passed with flying colors. The sponsors were also incredibly generous and helped the event shine. Looking forward to JSConf 2010!

WordCamp Mid-Atlantic

While people may know me as “the Joomla! guy” in the DC tech community, I’m currently happily using WordPress to power this blog. WordPress is the best tool for doing a stand-alone blog, which is what Design vs. Develop has become. So I felt this was as good an excuse as any to show up for WordCamp Mid-Atlantic on May 18th. (On the other hand, Keith has never used WordPress and simply attended to steal ideas.)

WordCamp Mid-Atlantic (with the rather long Twitter hashtag #wordcampmidatl) was a nice mix between sessions about writing, marketing, and coding. A couple of big announcements from SixApart and the WordPress core team hit that day (TypePad Connect and WP 2.8 beta respectively). The venue was accessible and well-suited for formal talks as well as hallway tracks.

I applaud Aaron’s decision to move the event from DC to Baltimore and refocusing it as a regional conference instead of a city-centric event. DC’s tech community is now much more firmly established than 3-4 years ago. While it would have personally been more convenient to have something located in DC, we’re definitely at a point where we need to connect talent regionally as well as locally.

While the vast majority of the people attending were WordPress users, many were also proficient in Drupal, Joomla!, and other PHP-based systems. The recurring conversation seemed to be that we like using WordPress for straight-up blogs and simple sites, then reach for something else when we want something more involved. Although WordPress is billing itself as a publishing platform as well as a blog, I think we’ll continue to see people using different platforms for different sites. It’s gotten to the point where most are using WordPress for very simple sites (just pages with content), but using something else when integrated shopping carts and forums are wanted.

php|tek

Finally, I flew out to Chicago for php|tek ’09. The guys over at MTA are seasoned conference organizers, with this event being no exception. There was a wide variety of talks: from using XMLReader, to alternative databases, Zend Framework hacks, and even an unconference session on PHP-GTK. As many have commented, php|tek is a nice blend between the PHP developer community and business community.

We had a hackathon where people were writing PHP tests for TestFest, but somehow I was convinced to write patches for Phergie instead. Ok, so I was sitting at the table and was curious more than anything. Phergie is an IRC bot maintained by Matthew Turland that hangs around #phpc on Freenode. It’s quite a non-traditional use of PHP: you have a long-running process that essentially sits in one big loop. It was nice to sit down and write some code purely for fun

Aside from the hackathon, you can read about the events and what I thought of them on joind.in. I didn’t get around to rating all of the sessions I went to, but most of the sessions seem to have been ranked by at least one person.

Unfortunately, the wifi was a bit of a wash. I ended up paying for the hotel’s package the first day as I had some side work that needed to go out ASAP. The other days I was usually able to connect, but had difficulty during the hackathon and in the back rooms. However, I think most of the issue with wifi at conferences is the sheer number of heavy Internet users all hitting the same access points at once. As I’ve been telling everyone I meet, Apple should pioneer “conference mode” where you tell your laptop to stop doing backups, software updates, and any other non-crucial network activities.

The biggest announcement at the conference was that php|works, usually held in the fall, will be revamped as CodeWorks 2009 and held in 7 cities (not all at the same time!). It will be an affordable, two-day conference held on a two-week, cross-country tour. I’m planning on going to the one here in the DC area.

In addition to MTA’s CodeWorks, StackOverflow DevDay will be held later that month. More tickets have been opened, so it’s not too late to register!

I downloaded the concrete5 CMS a couple of weeks ago and intended to write a critique earlier, but am only now getting around to doing so. Since then, this article was released on CMS Wire and Joomla! fans on Twitter began talking.

What’s good

One common pitfall of CMSes is to abstract away the concept of a page. concrete5 avoids this and very much embraces pages. A+ in my book. While it’s true that some layer of abstraction can be helpful in certain cases (usually when you’re building an application inside of your CMS), it adds extra work for most webmasters.

Editing pages is also very straightforward. Once you’re in edit mode, all of the blocks (similar to Joomla! modules) appear with dotted borders. Clicking on one gives you several options for editing the block, including dragging and dropping the block to a new position. Very nicely done.

The features built around content5 are thoughtful. Versioning is built in and outputs diff-style coloring when comparing revisions. There are also extensions to help you embed videos, Google Maps, slide shows, and RSS feeds.

About 70% of the functionality you’ll need on a regular basis is contained in the toolbar that appears as you’re editing individual pages. For the rest, there’s a specific “dashboard” backend where you can go to manage themes and files, get reports, and perform other administrative tasks.

Theming is okay

The theming system is reasonable. Like Joomla!, you can add specific themes to specific pages. Closer to Drupal, your theme can define several different page types, which might eliminate the need for separate themes. However, concrete5 requires theme designers to instantiate objects within their markup, then call member functions of those objects to display output. This bothers me. It seems like static function calls or embedded tokens would handle this more elegantly.

Also, the greensalad example theme uses the “header.php at the top, footer.php at the bottom” style of breaking up the markup—I loathe this. There’s no reason to use this error-prone method for theming: you end up with tags that are opened in one file and closed in another.

What’s annoying

While the simplicity of editing individual pages is definitely something I prefer, concrete5 has sacrificed some features to get there. I was not able to find any kind of feature to create a blog-style index of content made up of blurbs from other pages. Add-ons are scarce: if you’re looking for a forum or shopping cart, you might be in for a wait until they attract more developers to the platform.

I ran into a few speed bumps when installing concrete5 locally. After downloading it and going to the installation screen, there was a checklist of PHP configuration settings necessary to run concrete5 (not unlike Joomla!’s). Most of them were good to go after tweaking folder permissions, but I did not have the GD library setup on my self-compiled version of PHP. I was a little surprised that the system would not let me continue installation. While I’m sure there are features in concrete5 that use server-side image processing, this doesn’t strike me as something so vital as to halt installation. (I was able to successfully install both GD and concrete5 on my spare Ubuntu machine.)

Although the GD dependency was annoying, the halted installation uncovers something even more so. If the installer detects even the slightest issue with your configuration, an advertisement for professional installation is displayed. Quite tacky; they could have at least provided a link to their installation forum.

Which brings us to community. This company oozes a know-it-all attitude. In sharp contrast to the websites of other CMSes, their official About page openly bashes Joomla!, Drupal, and WordPress; painting all three in rather broad strokes. This is very disappointing, unnecessary, and ultimately counter-productive. I’m all for making bold statements, but they’re driving away the very people who could help their platform grow quickly.

Final word

concrete5 is a very promising CMS that does the basics very well. The interface is picked up quickly and things are easy to find. However, if they’re earnest about building a community around their code, they might want to tone down the self-worship a smidge. And is content management really a human right?

Podcast Suite 1.5 RC1 is now available for download here. A lot of validation issues are fixed, multiple feeds should be working, and a German translation of the UI is bundled. Thanks goes out to everyone using it and waiting for help on the forum! You’ve helped me catch a lot of issues, which has made the suite better software.

This coming Friday at 1PM Eastern US time, I’ll be giving a talk about Avoiding Joomla! Pain. Recently, I’ve been running into PHP programmers tasked with maintaining Joomla! sites they didn’t set up. Some dig in and get busy, while others become frustrated when things don’t work the way they expect. In this talk, I’ll go over a few things to help you get a handle on how Joomla! works and how to extend it.

Fortunately, you don’t have to be anywhere near DC or even buy a ticket: it’s a part of the php|tek 2009 free webcast series. You must register to see the webcast, but registration is free.

If there’s something about Joomla! you’ve always wanted to know but have been afraid to ask, let me know in the comments and I’ll work it into the talk.

Keith Casey tagged me about a month ago and I decided to go for it. However, I went a little overboard with the editing, thinking, and pulling out all sorts of tangents, so it took me a while.

Anyway, here are seven things you might not know about me:

I’m a former SimCity addict - I don’t play many video games, but the one I’ve played the most by far has been SimCity. I’ve played every version for PC: classic, 2000, 3000, and 4. The user interface on 4 is supposedly unusable; evidently I didn’t notice as I kept on playing. Now that it’s available as an iPhone application, that gives me another reason to (not?) buy an iPhone. The iPhone version appears to be based on the 3000 engine from the screenshots I’ve seen. Hmmm… we’ll have to see. No deep lesson here about life, the universe, and everything; I just wish I had spent more time reading books instead.

Nearly electrocuted myself with a Capsela set – Capsela sets  were these plastic balls with gears inside that you would connect together to build machines. You could also connect wheels or floatational extensions to make cars and amphibious contraptions. The power for your model came from a AA battery compartment with wires that would connect to specific plastic balls with powered gears. The set came with a sort of tutorial you could walk through to learn about the basics of physics and electricity. When I was 8, my dad and I read through one of the lessons; I believe it was either about positive and negative charges or AC vs. DC. We finish reading through the lesson and he walks off to work on the computer (which I had crashed earlier that day). I start building something with the set, then start wondering “what would happen if I stuck each of these wires coming from the battery compartment into the holes of the electrical socket over there?” The answer to that could have been a lot worse than what happened: there was a loud pop and the battery shattered inside of the compartment. I was pretty shaken that day, but I wasn’t injured. I thank God that I’m still here today to tell this story! I guess the lesson here is to check your voltages and to explore carefully!

Blog: Carless in South Tulsa – When I started blogging, I was just out of college and living in suburban Tulsa without a car. I was also (and still am) keenly interested in urban development, so why not write a blog about this? I just so happened to not have a car and wanted to show other people what it was like to live without a car in a heavily suburban environment. It probably would have made a halfway decent blog if I had spent the time writing it. I ended up just going with a self-titled blog and published it with Mambo, then Joomla!, and finally now WordPress. I eventually did change the name of the blog to Sidewalk Advocate for a while and tried my hand at covering urban development topics. However, there are much better sources for that like Planetizen. I’m now becoming enamored with the small house movement, but that’s another blog post.

The rules (I broke #3 slightly as I don’t know where everyone’s blogs are. If you’re on Facebook, you can write a note.):

1. Link your original tagger(s), and list these rules on your blog.
2. Share seven facts about yourself in the post – some random, some weird.
3. Tag seven people at the end of your post by leaving their names and the links to their blogs.
4. Let them know they’ve been tagged by leaving a comment on their blogs and/or Twitter.

Last Friday, Lynda.com released another volume of Joomla! videos created by Jen Kramer McKibben. Now, in addition to watching videos about all of the major content management systems, you can also learn how to create Joomla! templates and CSS with Jen. Head on over to Lynda.com now and preview some of the free videos.

Right around Thanksgiving, my mother will usually email asking for a list of Christmas gifts. This previously presented a messy problem: we would have to sit down, come up with a list, send it to Mom, then she would have to circulate the list and coordinate who was buying what. Instead of doing that this year, I told Mom to wait a week. Ten days later, I managed to scrounge up enough time to dash off a Joomla!-based system to handle all of this. Joomla! took care of the basic interface and user management tasks, leaving me to finish off the rest as an MVC component.

First, I installed a standard copy of Joomla! 1.5 with no sample content. I adjusted the parameters of the default rhuk_milkyway template so that it would have green links and headers (Color Variation) with a solid red background (Background Variation). I could have ditched the Joomla! logo in the header, but was lazy and just left it in.

Next, I added an instance of the Login module and unpublished the main menu. Although the main menu was unpublished, I left it in the system as a holding place for the default menu item. I also set Joomla! to disallow account self-registration: only seven specific people would ever be logging into this site and I didn’t want any passers-by creating accounts. I created an additional menu and set the access level to registered users only; no need to show the world any piece of our application. This menu included a link to the User Form Layout which I titled “Change my password” (even though you can do more than change your password from this form).

Finally, I cobbled together a custom MVC component to handle the lists. Before writing a lot of code, I created a menu link pointing to the component on the main menu, then adjusted the login module to redirect to this menu item after authenticating. This makes the login process seamless: you don’t see any parts of or links to the list component before you are logged in. Your only options are to either log in, retrieve your username, or retrieve your password. Once you’ve successfully logged in, you’re immediately taken to the component.

After configuring the login module, I continued to build the component. Before calling the controller, I used this code to make sure the user is logged in before continuing:

if (!$user->id) {

    global $mainframe;

    $mainframe->redirect('index.php',
      'No peeking! You have to log in first.');

}

Next, I have controller sets the default view to ‘mylist’. This view lists all of your requested items and provides a form for entering more. To set the default view, I overrode the display() function for the controller like this:

function display()

{

    $view = JRequest::getVar('view', '');

    if ($view == '') {

        JRequest::setVar('view', 'mylist');

    }

    parent::display();

}

This way, if ‘task’ in the request is empty, the component automatically calls display(), finds that ‘view’ is also empty, then sets it to ‘mylist’. Now, while the ‘mylist’ view lists all of our requests, it does not display the purchase status of those gifts. In addition to the ‘mylist’ view, there is an ‘item’ view providing a form where you can edit gifts you’ve already added. Links to the ‘item’ view are provided from the ‘mylist’ view.

In contrast to ‘mylist’, the ‘otherlists’ view displays all of the gift requests from all the other users, while listing gift purchases. It also has links you can click to mark yourself as having bought a specific gift. This way, people know not to buy something you’ve already purchasing. The code also makes it possible to mark multiple people as chipping in on a gift.

While the ‘item’ view simply loads a single row from the database, the ‘mylist’ and ‘otherlist’ views have their own data models. The data model for ‘mylist’ is very simple and has only one function, but the ‘otherlists’ model has functions for getting a list of all users, getting the buyers for each item, and getting all of the items listed by everyone else.

While there is more code I would like to add (such as gift suggestions for people who are slow about building their wishlist), following the MVC pattern now will make it easy to do that later. In the meantime, here’s a link to the code as it stands today (NOTE: this is not an installable Joomla! package. Drop com_christmaslist into the frontend components folder, run the .sql, then make an entry into jos_components if you want).