Janko in a Jar

I am making some portal. It is a sort of the portal where people will need to register and fill in some info. They have to have an option to login at any later date and modify their info but this will not be like everyday or even every month thing. It seems stupid to me that people have to create and remember a new username/password for every utility that they need limited access to very rarely then.

So I am making some variant of user authentication system for them that doesn’t use usernames or password. The point is that it’s much more minimal to make and use than the standard hog of stuff you have to do to make a usable user authentication system.

So what elements does normal system need:

• verification email with a link and functionality to accept verification
• login (username/password) form and functionality
• forgot password link, form and functionality
• change password form and functionality
• logout link

This no-login system is basically like a one-time-password system where it is not limited to one-time, because it would be impractical and it has no reason to be.

So how does it work: When you register to the web-app you receive an email. In it there is a link, you click it and you are “logined” into the web-app. When you need that web-app user area again you open the email and click it again (or you bookmark it, or whatever). But you can delete (loose) the email at any time and when you need access again you go to web-app and fill in your email into “get me a new key” form and you receive another link on email that you can use as long as you want and then delete too (if you want).

So what elements does this system need:

• sending out email with the link - 80% the same for the first time (registration) and for all “get me new key” times
• “get me new key” form and functionality
• logout link

you don’t need verification via email - because the email with the key link is also a verification of their email
you don’t need login form and functionality - obviously
you don’t need forgot password link, form and functionality - because you are meant to forget it and you use “get me new key” anyway
you don’t need change password form and functionality - because there is no password

So it has some pluses, but I will see how it performs in real. If you see any weaknesses go ahead and tell me!

After some kicking and biting FotoLOAD - midi finally works nicely and stable on all 5 test servers. It was tested with photos up to 6MB and with 100 pics to upload at once and it finally works as it should. And even if server fails on some image or you internet connection blinks you can nicely continue where you dropped off. This week it will be used for real at first photo studio.

The last problem was that resampling of >3MB photo to a thumbnail crossed the RAM usage limit at some shared hosting providers but after we found out what was the problem for upload failing at the end quite simple solution was found. In short.. now we do imagecopyresized from (for example) 2000 X 2000 px to 350 X 350 px and then do imagecopyresampled to 100 X 100 px . If you look at the docs you will see why this uses A LOT less resources and gives the same quality at the end.

I always think that programmers that hide what they code because someone is gonna steal it! People are evil!* aren’t totally up to date. But I was hiding this too… I was hiding it for long time and I felt stupid every time when I thought, “uh I mustn’t write the name! I must write ’something I am making’ or ‘project xxx’ or ..”.

I was hiding that I am making “Ask Robi”, yes ASK ROBI. I couldn’t dare to say ASK ROBI because I was amazed that for once the primary domain I want is not yet taken and askrobi.com wasn’t. So yesterday when I made the askrobi do a fullround client server trip, I bought the domain and now I can nag you about it! This is the first ugly screenshot of the client

Client is made with Adobe AIR and server and brains with Factor. They communicate via STRPC. I will post more about it soon.

Not that I don’t think that no-one can steal ideas. Just look at casual games market. The thing is that most people think their ideas are cool and ideas of others well aren’t so why steal them. There are also exceptions but if someone is so stupid that it has to steal ideas I feel sorry for him anyway.

Finally, I am about to release FotoLOAD mini. I had the app almost ready for months, my sister made the website design now and it looks that the thing will get out of the house in the next week or so. Website is still not totally finished but here it is..

The page and app is in Slovene language for now, but it is already being translated to English and some other languages. It’s an application that photo-studios can use to offer their customers fast and simple way to upload photos for printing. I made such web-app for one studio like 7 years ago (with PHP and REBOL), I later made better one for another studio few years back, but this solution is made for “them all” and brings big improvements to the previous two. FotoLOAD mini is a mini and is somewhat limited but also free. There is also a non-mini which won’t be free , but I think it will still be very accessible.

So if you have (or know anyone who has) a photo studio, test it out and tell me what you think. English version will be out before fifth may also.

I didn’t have real time to further experiment with Factor for the last month or more. I only took one Sunday weeks back and wrote a really mini mini CMS like thing to see my still very crude and young web-dev Factor libs in action for the first time.

Factor has it’s own webdev framework/libraries (and you should check it out), but I am experimenting a little here so I am making a sort of lower level and minimalistic libraries of my own. I don’t have time to install a VPS with Factor currently so I just made a quick video of it and posted the code at Factor’s paste. Here is the video..

And here is the Factor code + HTML templates.

It consists of roughly 27 lines of Factor code, 14 lines of HTML template code and 19 lines of JavaScript. For a cms to be somewhat useful I would need to add some user authentication also. Basically you can display, create, edit and delete pages and you get a flat menu for navigating them.

My almost 2 year old son is sick with a fewer so he is just trying to sleep but wakes up every few minutes coughing. Really depressing when your kid is sick and anything you do doesn’t really help him much… For few hours I was staring in the air in minutes when he sleeps but now I got of my ass and wrote these slides to tell somethin more concrete about ex. tinyIMS that I mentioned yesterday and which I now named IMSGY. It’s all WIP..

Source: WikipediaI finally committed itmchat sources to the google code. The whole thing is a work in progress. I rewrote a lot of it so that it has more features and will be easier to extend in future. Right now I am testing and debugging it. I would like to stabilize it and put it online so this version gets tested in real too. Then I intend to add some new features and then clean it up and optimise it.

The 0.01 version is running on some portal for few months now and hadn’t had any problems so far. I wasn’t in the name-making mood when I was opening the Google code project so the name is a little stupid, but who cares.

Itmchat is written in Haxe (server, flash client) and some javascript(JS client) and uses Haxe remoting for all comunication.

Factor gets a lot of bashing at reddit. That is not that bad because traction always produces more energy and output than a soapy you are OK, I am OK, we are all OK stuff.

Few days back certain Factor non-fan amongst many other things wrote:

Because such Forth-like untyped languages have been around for decades and I was using them around 1990. Adapting the concept to 2008 may be fun for you and help you suck in a few naive developers but it doesn’t make it a serious platform; read up a little

While people on factor’s irc channel look highly educated programmers to me I recognised myself in this. Not that I am proud, but reality is I am sort of naive developer and I did get sucked into Factor. I am not formally educated as a programmer. I am more like the guy who once jumped into the river and managed not to sink, and then just stayed there, gradually improving his swimming, but never took time to learn the official butterfly stroke because he was too busy catching the fish.

Well I am “naive developer” in some way but I am also very pragmatic because the “useful working maintainable output” vs. the “sh*t that went into making it” is the only thing that matters to me at the end. I don’t code to learn, I learn to code.

And that’s why I now think that Factor will be my web-dev tool? Because I have tested and got very good results with 3 sides of web-development so far:

As my first Factor lines of code I tried to see how I could extract some data out of text. This simple and small vocab is what I came up with, and was amazed by cleanness and obviousness. So I see that making nice vocabularies that will help me parse strings will reall NOT be a problem with factor.

"i:1;name:Jon;age:3;surname:Wu;;i:2;name:Jill;age:9;surname:Huan;;"
      "i:2" cut-to "name:" cut-off ";" snatch-to
      "surname:" cut-off ";" get-to .s
! "Jill"
! "Huan"

So factor can read, but can it generate? Next, I wanted to se how I can generate SQL, this came out so far:

: get-users ( -- )
   SELECT*
      "users" FROM
      "enabled = 1" WHERE
      "username" ORDER get-rows ;

get-users
! SELECT *  FROM users
! WHERE enabled = 1  ORDER BY username ;

: get-users-of-group+ ( orderby group fields -- )
   SELECT
      "users" FROM
      swap "enabled = 1 AND group = ##" ##1' WHERE
      swap ORDER ;

"email" 51 "email, username" get-users-of-group+
! SELECT email, username  FROM users
! WHERE enabled = 1 AND group = 51  ORDER BY email ;

: change-email ( id email -- )
   "users" UPDATE
      "email = ##" ##1' SET
      swap WHERE-id exec ;

123 "j@a.com" change-email
! UPDATE users  SET email = 'j@a.com'
! WHERE id = 123 ;

Then I tried to make the XHTML forms generating vocabulary:

: show_user-form ( -- )
   "post" "./user" start-form
      "your info" start-fieldset
         "Email" label (*) endlbl
            "email" "" "class='big'" text-input endrow
         "Name" label  endlbl
            "name" "" "size='12'" text-input endrow
         no-label endlbl
            "action_add-user" "Save" "" submit-input endrow
      end-fieldset
   end-form show! ;

The code creates the first form on this page.

Any part of my web-dev toolkit I tried to create in Factor so far was better looking than the ones I had developed in other languages. That’s why I will continue with Factor. I know and used only the “primitive” stuff of Factor until now so I am excited to see what’s ahead.

I use XML+XSLT instead of MySQL+PHP on 2 of my websites. For some reason I always imagined XSLT is fast. Yesterday I added something made with X+X combination to QUBIDRAW also so I decided to do a small comparison because my “is fast” assumption was based on.. well, nothing.

I made two scripts called tablepush that pushes some tabular data and shape it into html table. One script uses basic mysql functions and then php to do the html shaping:

<?php
$link = mysql_connect('localhost:3307', 'root', 'rootp');

mysql_select_db('mlvsx');

$query = 'SELECT * FROM '.$_GET['data'];
$result = mysql_query($query);

echo "<table>";
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo "<tr>";
    foreach ($line as $k => $col_value) {
		$tag = '';
		if ($k == 1) $tag = 'strong';
		else if ($k == 2) $tag = 'em';

		$t1 = ''; $t2 = '';
		if ($tag) {
			$t1 = "<$tag>";
			$t2 = "</$tag>";
		}

        echo "<td>{$t1}{$col_value}{$t2}</td>";
    }
    echo "</tr>";
}
echo "</table>";

mysql_free_result($result);
mysql_close($link);
?>

The other loads XML and uses XSLT to turn it to html table:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>

	<xsl:template match="things">
		<table>
		<xsl:apply-templates />
		</table>
	</xsl:template> 	

	<xsl:template match="thing">
		<tr>
			<td><xsl:value-of select="@id" /></td>
			<xsl:apply-templates />
		</tr>
	</xsl:template> 	

	<xsl:template match="aaa"><td><strong><xsl:value-of select="." /></strong></td></xsl:template>
	<xsl:template match="bbb"><td><em><xsl:value-of select="." /></em></td></xsl:template>
	<xsl:template match="ccc"><td><xsl:value-of select="." /></td></xsl:template> 	

</xsl:stylesheet>

Results using http_load to do the load test on my local (older) computer are :

Table with 3 rows

my-php : 25 requests / sec
X-X : 49 requests / sec

Table with 50 rows

my-php : 21 requests / sec
X-X : 39 requests / sec

Table with 350 rows

my-php : 11 requests / sec
X-X : 13 requests / sec

So it seems XSLT is quite fast. I will keep using it for the cases where it makes sense (like a lot of discrete data with known and non-frequent relations). It’s funny to me that XSLT is in a way quirky and hackish and yet elegant. you can find complete sources and data to do the test here: LAMP XSLT .

It would be interesting to test some other platforms too…

Source: FlickrI believe there is a lot of Slick in Ruby on Rails. People that are smarter than me like it so there must be. So I finally looked at doing a project in it, but decided I won’t use it after all. I like library approach more than framework one. That is the core problem why I kept away from all the Rails-like systems for so long.

So what don’t I like? I don’t want to learn or use some framework specific abstractions for things that stand on their own. I want to see XHTML as XHTML, client side JS as JS and work with DB via SQL or in a SQL like manner. Second… I looked at example code and it was nice but I like how I code right now more.

//RoR example from onlamp.com
def update
@recipe = Recipe.find(params[:id])
@recipe.date = Time.now
if @recipe.update_attributes(params[:recipe])
flash[:notice] = 'Recipe was updated.'
redirect_to :action => 'show', :id => @recipe
else
render :action => 'edit'
end
end

//this is how I do something like it in php
function update($d)
{
if ($this->db->update(array(
'set' => array_merge($d, array('date' => '#noQuote#NOW()')),
'where' => "id = {$d['id']}"
)))
$this->addMsg('Recipe was updated.');
}

I like Ruby’s syntax 10x more than PHP’s and Ruby is much more advanced (in ways that I care) as a language. But there are several problems why I personally don’t want to code as it is coded above.

• Why do I have to find the record, change it and store it back? Databases have UPDATE right?
• Why use a external language’s API method for creating current date to store in a DB (and think about formats and all sorts of stuff) if DBs have NOW() and other functions for this?
• Can one action create only one flash notice?
• Why does a method that makes modification to the database (a backend method) handle where user will get redirected after the action??? This is total crap, this method should only update the DB and not have any effect on the frontend, so it can be called from anywhere you need it (admin panel, some ajax call, RPC, frontend..) … I didn’t even bother digging into MVC because I found it too extreme and impractical from what I saw on the surface and my code never does that.
• How can it be that DSL-s (domain specific languages) are oh-so-cool and at the same time ORM’s, Active Records and similar stuff that puts wrappers around them is also oh-so-cool?
• Isn’t Active Record so MS Access 98?

I am not saying RoR is crap. First, there were hundreds of MVC+templates+ORM+… frameworks out-there before RoR and RoR obviously did many things better because now there are thousands of (RoR-ishy) frameworks there. People do report massive productivity boosts in using it. And productivity is the whole point of improving various development routines and methodologies. So, live and let live…

(edit: zemantified also)

I did all web-dev in PHP last years. Because PHP deployment is “there”. It proved itself as a practical solution from the smallest shared hosting websites to the huge ones like Flickr.

But PHP as a language is not such pearl and built-in API is very inconsistent. I keep checking out a lot of non-typical PLs and see a lot of good concepts. I would like to find a real web-project to use them on, and make a step forward in my PL experience but I have a tons of PHP code to write right here.

I got depressed about this yesterday, and then I started doing something that I will probably find is a waste of time, but anyway… I started hacking a PHP script that “compiles” some made up language to PHP. I named it PHEW and it even somewhat works… Basically it’s a PHP-ish “language” with modifications where things itched me when working with it..

source PHEW code:



class Users extends Base

	fun getFullName(u)
		return u\:name . " " . u\:surname;

	fun show_hi()
		var usr = #getUserById(@@:auth.getUserId());
		return "Hi {{#getFullName(usr)}}!";

	fun getUserById(id)
		return DBs::selectRow(@@:dbc, [
			:from = @@:t\:users,
			:where = "id = {id} " ,
		]);

generated PHP code:

classUsers  extends Base {

	function getFullName($u){
		return $u['name'] . " " . $u['surname'];

		}
	function show_hi(){
		$usr = Users::getUserById($_GLOBALS['auth'].getUserId());
		return "Hi " . (Users::getFullName($usr)) . "!";

		}
	function getUserById($id){
		return DBs::selectRow($_GLOBALS['dbc'],  array(
			'from' => $_GLOBALS['t']['users'],
			'where' => "id = {$id} " ,
		));

Click to see sample, generated code and a list of changes

Well it’s all in flux, I will keep playing with it probably and see if anything useful comes out.

I am sure, if you tried to make a Java applet in last 3 years, you were told that:

While graphical rendering of a Java applet is somewhere around Flash’s its computational speed is magnitudes higher than that of Flash.

So why is it dead then? Because applets sometimes make browser unresponsive, and occasionally crash it. But flash..

Well, but… Java is growing a Consumer JRE which supposedly will not block nor crash –and– as Flash is becoming more powerful it sometimes blocks too, and it even crashes my browser at special occasions. I think at the end when flash will perform even better than now and Java will have Consumer JRE both will be more or less in the same spot — they only came there from the two totally opposite directions.

What does all this have to do with JavaScript? Well, In this Web 2.0 that we all love JavaScript is used and pushed further and deeper, so even JavaScript started blocking and crashing. And this is not even rare. Certain web services crash my FireFox on exit 50% of times. So I repeat:

At the first post on this topic I wrote a list of known vulnerabilities of a typical LAMP web-app. Plan is to investigate where exactly does each of them apply to the web-app I am making more secure and patch them.

In the process I realized that there is another perspective/question here that is also very important. One is to fix “all” the holes, but you also have to ask yourself.

“What am I really trying to prevent here?”

In our case. We need to prevent anyone getting to (identifying) personal information of the users. That is the most important thing and all others are magnitudes of less important. Every other data we hold, if it gets “stolen”, meh.. if they delete, change it, we have the backups. But the privacy of the users is sacred. Too bad I can’t say what exactly we did now in this regard.

The analogy is this. You have area of people infected with some virus X. You can put roadblocks, test and disinfect all outgoing people, spray their cars, forbid mail communication, put fences to prevent wild animals to spread it but sooner or later something will get through. Or you can focus on a virus and find a way to prevent itself from spreading.

You can try to prevent the problem to get “out” , or you can try to remove the problem in the first place

Well, nothing is as perfect as theory so we do both.

QUBIDRAW (the early release) is online for a while now. I have very little time to push the development forward but nice things happen on it anyway. Here are few of the pictures that kids have drawn:

QUBIDRAW is a online concept of my KUBI game. I plan to make many more activities and polish the thing up few times. Flash part is being made in Haxe, webpart in PHP. They communicate via my tiny RPC spec STRPC - SoTinyRPC.

input data related to DB (SQL injections, wrong unexpected data..)

SQL injections threat is system wide and is best to be solved on a systematic level on all the communication with the database. We use PHP PEAR DB’s quoteSmart on all the queries. In addition all function in our database level have explicit checking for type of input variables and script is stopped if it doesn’t match.

An example of such back-end function is:

function getItemsOfMusic($musicId)
{
	Validator::mustBeInt($musicId);			

	return $this->db->selectRows(array(
		'from' =>'abt_music_items',
		'where'=>"id_musics = $musicId",
		'order'=>'sort, is_set, name'));
}

All this fuss about SQL injections in a little stupid with php+mysql anyway since the core function (mysql_query) doesn’t support multiple queries anyway and you need that I think to do SQL injection.