Category: "Web Sites"

mod_security

With the plethora of powerful open source applications available, the great premium on rapid development and deployment of sites, and the ever present threat of malicious server attacks, security is extremely important.

mod_security is an open source Apache firewall that places outstanding protection on the server, before site visitors ever get to the applications.

In addition to its power, it is easy to use. I installed it on XAMPP, configured it very lightly, and ran the two quick tests to ensure it was set up correctly. http://localhost/cmd.exe was blocked, as was an SQL injection attempt on the application.

mod_security operates with rules that allow you to customize it to run well with your server. There is a robust set of core rules. It has great logging capabilities.

To download it, you will need to register. It’s worth it, especially if you are running your own servers, with many applications, from many sources.

Community contributed code

The associated link points to a nice extension I wrote and contributed for eZ publish 3.8+. It has been downloaded 600+ times.

Unfortunately, I don’t have time to maintain the code or test it with newer versions of eZ publish.

This means that if people rely on that functionality and upgrade eZ publish (by choice, or because the hosting provider upgrades PHP), the extension may stop working.

Since it is open source, and it is a very basic extension, anyone familiar with eZ publish should be able to upgrade it and share it. If they have time.

Now, imagine you built an entire system on community contributed modules. How will you keep the system current? What if the core functionality changes and you have to upgrade the core, risking the modules?

I really enjoy working with open source code and community contributions. They allow me to be much more efficient than I could be without them. Their code allows me to make beautiful sites in a fraction of the time.

I like to select established components and to work within their boundaries to use them. For javascript, I like dojo, for templates, I like Smarty, and for a PHP framework, Zend framework. I don’t modify the code, ever, because I trust the authors. If there is a bug, I may work around it, or upgrade later.

There is no absolute, perfect answer. For some people, the value of the contributed code outweighs the risks. For others, the assembly of a system is not worth it, and they prefer a single, integrated solution. A good example of this is Drupal (community contributed modules) and eZ publish (integrated solution).

One thing that is abundantly clear is that the collaboration of people, across all boundaries, is awesome, and benefits everyone.

… I really wish I had time to write a dojo extension for eZ … :)

Common web page requirements

This is a list of implied requirements recommended for all web pages.

  • Page should render properly in all supported browsers. Identical is not required, but equivalent is.
  • Client side code (javascript) must execute properly in all supported browsers.
  • Site visitor must be alerted if they attempt to navigate away from the page without saving their changes, or if the session timed out and their changes have already been lost.
  • If AJAX is used, authentication and access control must be applied to all requests. Client must handle server responses to these conditions gracefully.
  • Client must validate the data fully before submitting it to the server. Client should alert user during entry if data is invalid. Think dojo.
  • Server must perform appropriate escaping on all incoming data to avoid SQL injection and command-line attacks. Server should validate data with the same criteria as the client to limit the possibility of modified form data.
  • User passwords should never be sent to the browser. Password recovery should be performed by generating a new password and emailing it to the account holder. User email addresses must be unique to support this.
  • Options which are unavailable should be displayed differently than those that are available; ideally they should not be displayed at all. Inputs which cannot be modified should be displayed in such a way that the user understands the information cannot be changed.
  • Layout should be managed primarily with CSS.
  • Colors should be specified in a separate CSS file to allow the color scheme to change quickly.
  • The majority of the layout should use divs, with tables used where appropriate.
  • Only those files required to display the page should be delivered with it. Pages with complex CSS requirements should be supported with dedicated CSS files which are only loaded with that page. The same is true for javascript. Those files should be cached at the client.
  • Care must be taken to ensure configuration data, particularly access information such as database name, username, and password cannot be displayed through a browser or visible to unauthorized users.

Project Management Software

Project management software will not manage a project. It can help you identify issues, track costs, and do many valuable things, but it will not replace management.

Project management can be greatly simplified into the following statement:

With these resources, do this work, in this amount of time.

The resources can be people, money, time, or tangible items like lumber and concrete.

Assuming there are adequate resources, the work should be completed within the timeframe.

Although cost isn’t specifically mentioned, again, it is assumed that if the project is done on time, the cost was within the budget.

The entire team must manage itself as individuals with the attitude that for a given task, they can use a finite amount of resources (time, materials, money). If each team member stays within budget, the project succeeds.

The budget usually represents estimates given. These estimates include assumptions about the scope of work. It is the responsibility of the estimator to clearly state important assumptions, and the responsibility of management to take them into consideration. Once the estimate is given, it is binding only within that context.

Web 3.0 Predictions

Definitions

  • Social networking - The use of technology to connect people.

  • Web 3.0 - The next generation of the Internet.

Predictions

  • Ads - Advertising (like the Google ads on this site) will continue to get more and more engaging. Tools to create these ads, particularly interactive ones, will become very powerful and popular. The objective will be to draw site visitors into the ad, and to a different site. Bland text ads will be the equivalent of generic product packaging.

  • Content sharing - This will remain strong, allowing people to post material for others to access. The difference will be in the reduction of comments. Ratings are a good way to allow a site to self-police content, but comments are often of little to no value.

  • Kids - Kids will follow the latest site with games and entertainment, as long as it stays fresh. Their loyalty will be very difficult to maintain as they age out of material and as new sites come on line. For that reason, youth oriented sites should consider the member life cycle, identifying where to attract new visitors from and where to spawn them to. Companies will begin to adopt a cradle to grave approach, probably through partnerships.

  • Marketing sites - Sites used for public relations/marketing will remain strong, because they offer information of value.

  • Partnerships - Web partnerships will become active, allowing people to move within a sphere of content, seamlessly.

  • Social networking - Will be replaced by more resource oriented sites as people realize that connecting over the internet is actually very isolating. Much of the intent of social networking is to share information; however, there is a wealth of information already available. Successful sites will be those that transition gracefully from open, ad hoc media into organized user-contributed content that better supports the site visitors. Improvements in search, content organization, automation of content management, and information professionals will be key. Point systems that don’t translate into tangible benefits will not be successful.

  • Web 3.0 - Just a buzzword; it means a lot of different things to a lot of people. The web is too diverse to categorize or assign version numbers.

  • Web applications - Applications will rely increasingly on frameworks like Zend. The demand for more sophisticated sites will necessitate the use of frameworks for better quality in a timely manner.

  • Web sites - Web sites will continue to become more polished. Site visitors will expect seamless application integration and advanced features. Simple HTML sites will be replaced by applications that are easy to manage.