Extremely Poor Style of Objects
August 18, 2005
Our business deals a lot with adding features to people's old applications that other companies developed for them. While doing this we run into a ton of poorly coded applications.
The current one I am working on uses the variable $this, as you would inside an object, when assigning what is meant to be a file-wide variable. Take a peek at this example code:
$this->c=mysql_query("select * from users where uid='$myuid'"); // $this outside any class; $myuid interpolated with no escaping
$this->d=mysql_fetch_object($this->c);
Now this is extremely wrong. First of all, this file is not a class, so there is no object for $this to refer to. mysql_fetch_object does return an object, but the correct thing is simply to use a plain variable such as $d, and even then your variables should be descriptive. Worse, the value interpolated into the query, $myuid, gets no validation or escaping at all. It comes from the session, which is populated at login, so whatever the login code lets through ends up inside this SQL as well. Here is the login code that sets it up:
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
As you can see, this can be manipulated trivially if magic_quotes_gpc is off (and magic_quotes was never a real defense in any case; it was removed from PHP in 5.4). There is also no check that the values exist at all, which throws undefined-index notices when the form fields are missing, and no validation of the values themselves. Nothing happens to break here in that case, but there should be no assumptions about data of this kind.
Assuming magic quotes are off, you can use the following as both the username and the password:
' or '1'='1
The query then reads
SELECT * FROM users WHERE username='' or '1'='1' AND password='' or '1'='1'
which is true for every row, and you are authenticated as whichever user comes back first. It is even easier if you know a username. Entering the username as
admin' -- 
(note the trailing space, which MySQL requires after --) comments out the password check entirely, so you are logged in as that specific user.
A better way to write those two code snippets is as follows:
$myuid = "'".mysql_real_escape_string($myuid)."'"; // escape, then add the quotes around the data (needs an open connection; if uid is an integer column, (int)$myuid is simpler still)
$query = mysql_query('select * from users where uid='.$myuid);
$resultObj = mysql_fetch_object($query);
//I would add more complex checking with regular expressions on this data, but this is just a quick example.
if (!isset($_POST['username'], $_POST['password'])
    || $_POST['username'] === '' || $_POST['password'] === '') { // isset avoids notices; compare to '' so that a password of "0" is not rejected, as empty() would do
    exit('No input for username and/or password!');
}
$username = "'".mysql_real_escape_string($_POST['username'])."'";
$password = "'".mysql_real_escape_string($_POST['password'])."'";
//add in a LIMIT to only select one row. I would also only select the columns you need!
$query = 'SELECT * FROM users WHERE username='.$username.' AND password='.$password.' LIMIT 1';
This should help as a quick example. Remember, though, to do a better job of filtering than this. Two things the fix above still does not address: the mysql_* extension has since been removed (PHP 7), and with mysqli or PDO the right tool is a prepared statement with bound parameters rather than manual escaping; and the query compares the password in plaintext, so the users table should hold a password hash and the comparison should be done in PHP.
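The bypass and the fix, shown end to end as an added example (my code, not the post's): the vulnerable concatenated login query beside a parameterized one, run against a constructed in-memory SQLite table that stands in for the users table. SQLite is used so it runs offline; the behaviour of the two queries is the same in MySQL, and the parameterized form is what mysqli or PDO prepared statements give you in PHP.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the post's users table (not real data).
    Passwords are stored in plaintext only to mirror the original query;
    a real table should hold password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Same shape as the post's query: the input is glued into the SQL text,
    so quote characters in it change the statement's structure."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Placeholders hand the values to the driver separately from the SQL,
    so the same payloads are compared as literal strings and match nothing."""
    sql = "SELECT username FROM users WHERE username=? AND password=? LIMIT 1"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Payloads from the post (corrected): a tautology for both fields, and a
# comment that removes the password check for a known username.
TAUTOLOGY = "' or '1'='1"
KNOWN_USER = "admin' -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, tautology    :", login_vulnerable(con, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, known user   :", login_vulnerable(con, KNOWN_USER, "wrong"))
    print("parameterized, tautology :", login_parameterized(con, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, known user:", login_parameterized(con, KNOWN_USER, "wrong"))
    print("parameterized, real creds:", login_parameterized(con, "alice", "hunter2"))
```

Running it returns admin for both vulnerable calls and nothing for the parameterized ones given the same payloads, while real credentials still work. The trailing space in the known-user payload matters for MySQL, which only treats -- as a comment when whitespace follows it; SQLite does not require it, but the space keeps the payload portable.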
Deskzilla - Bugzilla in a friendly way
August 18, 2005
Deskzilla is a program that brings Bugzilla to your desktop. It is not free for corporate or business users, but if you have an open source project, or only use Bugzilla for open source projects, you can get a license for a year. The usability of this application is absolutely wonderful; even though I am using it for open source right now, I am probably going to buy a license for this innovative new application.
Not only does this application allow you to browse Bugzilla, but also to log in, post comments, file new bugs and much more. I am not usually one to rave about a product, but this application makes me happy to know there are people out there still delivering high-quality software that actually solves a problem. Most of what we see today is one company releasing a product and then around 20 more like it appearing within a few weeks.
You might want to view the screenshots to see how professional the GUI is. They also show not only the features but the limitations of all the products as well. This will be a handy tool to keep around; keep your eye on it!
Zend Certification
August 12, 2005
I have scheduled a time to take the Zend Certification Exam on September 7th, 2005. It should be interesting to see what they put on the test. I feel really comfortable going in to take the exam, but I will definitely need to study up a bit: for instance the string functions that never really get used, and possibly database drivers I have never had a need to use. Take a look at Oracle if you thought they were all the same.
This should turn out to be a very good thing, showing that we truly know what we know! After this I also plan to take the MySQL certification (just the Core and then the Professional). There are some other certification exams I will likely take in the future, mainly some more database-specific ones such as PostgreSQL and Oracle.
AJAX Toolbox
August 8, 2005
In the midst of starting to write our own JavaScript AJAX library, to be more functional than the other ones out in the wild, I stumbled upon a really nice AJAX library that is already implemented the way I was planning to (well, not exactly, but really close).
This one uses JavaScript objects and simply sends the request. It is your job to write the return function(s). The library is very well thought out and has come together as a very nicely functioning library (sorry to say, but more functional than my v1 was going to be)!
Here is an example of how they run the process:
AjaxRequest.get(
{
'onSuccess':function(req){ document.forms[0].pageSource.value = req.responseText; }
}
);
Basically what you are doing is initializing a GET request, and on success that function is run. Very simple, not complex. Much of the time, implementing AJAX with a different library causes many problems, because the complexity of the library requires building PHP objects or JS objects for each individual item. This I find much easier, and much easier to maintain. It really goes to show that the KISS rule is definitely a must!
Go see the Ajax Toolbox