And so it began...
Your own thoughts and comments are welcomed, so don't be shy to get in touch!!
Any of you who know me from the forums will know that I religiously code everything myself from scratch, since 3rd party scripts are usually poorly written from a number of standpoints (good practice, efficiency, code neatness) and rarely live up to expectation.
However, I needed a blog in a hurry (I'm going on a 3-week business trip to Italy tomorrow) and so had to grab something to do the job off-the-peg. BlogWorks XML, a GPL'd classic ASP blog script abandoned by its original author - and now kept alive (but unsupported) by Rick Hurst - seemed to fit the bill the best, so I downloaded it and had it up and running within 5 minutes. In the brief time that I've spent playing with it, I've been pretty impressed with the user interface, perceived speed, and overall sophistication that it offers, although I'm yet to delve into the code itself to pass judgement on how it's put together! lol
Anyway, what spurred me to start this particular post was that I just noticed that there's no commenting facility, which is a bit of a shame. As soon as I return from my travels I'll add this feature, but until then, I invite you to submit your comments (if any) to me via email.
EDIT: I take it all back! It turns out that BlogWorks XML *does* support commenting! I've edited the text of the links at the bottom of each of these posts to make it more obvious... so comment away!
Top ten web application vulnerabilities
OWASP last month published their list of the top ten vulnerabilities in web applications. Now how many of us can honestly put our hand on our heart and say "Yes! I have given serious consideration to each of these issues and how they might affect my new web application. No worries there." ??
Not me, that's for sure. Don't get me wrong. I would *like* to! There's nothing I hate more than having to cut corners on a project... but if you've barely been given enough time to implement the basic functionality that the project requires before it goes live, it's nigh on impossible to find the time to add anything beyond the most basic security features, let alone devote the time and effort throughout the entire project development process to cover the full spectrum.
Of course, by using a modular library of code that I've built up over the years, I have plenty of data validation (server-side and client-side), password hashing, and other security-related snippets of code that I can pull out of a hat and drop straight into an app, but that should only be a starting point, not the end of the security measures!
I think the biggest problem is perception - the powers that be seem to think that web applications are a quick 'n' easy alternative to developing a "real" application! They think it's all RAD (man)!!
Well I've got news... web applications ARE "real" applications - all the same rules apply! But there is a very important difference... you're not just exposing the application to your intended user base... if it's published on the WWW then anyone can have a go at exploiting it... and what's the business cost going to be if someone causes mayhem? A damn sight more than it would take to get it right in the first place, I'll bet!!
Ok, rant over.
I'd like to see more discussion on security throughout the web development cycle, so I've proposed that a new forum is created at Sitepoint forums to this end. Security should not be an afterthought. It should be there right from the start.
Some of you may know that I'm out in Italy on a business trip at the moment...
My journey out (yesterday) was rather nice, with magnificent views of the Alps from the plane as I neared Milan, and a magical night-time scene at Lake Como as I arrived at my hotel. I went for an evening walk, and enjoyed a wonderful 5-course meal at a local trattoria (a small family-run restaurant), before a few DVDs in bed (on the laptop) before dozing off.
The lake was beautiful this morning, and the hills around it are quite something too. There's a funicular railway, and since I'm done for the day, I'm going to take a trip up to the top - hopefully I'll be able to catch the sunset from the summit...
Here's a few choice snaps:
More tomorrow! Arrivederci!
I've dropped into an Internet café here in Venice, but alas it's not possible to post any more snaps at the moment (nor can I print out the Word document in my email which contains my hotel reservation information)... perhaps tomorrow.
The carnival is in full swing AND it's Valentine's day too, so Piazza San Marco is overrun with tourists! I must admit that I was slightly depressed at the thought of being in the most romantic city in the world on this particular day (travelling and eating alone is depressing enough as it is), but fortunately I met a lovely Venetian girl last night who has been showing me around a few less touristy places this morning, and she's promised to show me more this evening & tomorrow... and next weekend when I return! So perhaps today might not turn out to be so bad after all - and I hope you enjoy your evening too!! ;)
EDIT: corrected typo in title
Two to make (not that anyone complained, but I feel a little guilty).
Firstly, for those expecting to tune in to a technical blog, I have committed the cardinal blogging sin of hijacking it for personal, non-technical stuff - I promise that once I return to England (in 10 days) I'll make up for it with some quality posts (perhaps even before then)... in the meantime, perhaps my input (and that of others) in these posts/threads might be of interest to some of you (for some reason, closing/deallocating/reusing objects seems to be a hot topic at the moment, and things aren't always as you might expect)...
Secondly, for those of you who ARE actually interested in finding out how my travels are going, I'm sorry I haven't been posting very regularly, however this is largely because it's been damn near impossible to get an internet connection in hotels. However, now I've finally sorted out an Italian ISP I should be fine for the rest of my stay, although since it's going on the company tab I can't use it as much as I would like to!! lol
Some more eye candy from Como last week:
Since my last post I've had a great time in Venice thanks to Orsola (last photo, with me & two of her friends), who has been kind enough to show me around (helping me avoid the hordes of tourists and bad restaurants along the way). We've got quite a lot planned for next weekend (when I return to Venice), including my attending a concert on Friday evening, where she is performing as part of a Venetian gospel choir. Other anticipated highlights should include the glassmaking island of Murano, the Basilica (best avoided until next weekend because of the 2hr queues), and perhaps another few churches.
Venice - damn cold, but very beautiful:
I left Venice on Sunday evening and have been staying in a beautiful hotel in Mira (just outside Venice) since then, and will be moving to a hotel in Padova tomorrow. Expect another update in a few days!
Incidentally, I'm about halfway through my business trip (that is after all why I'm here), and I must say that I'm delighted with the way the trip has gone from that perspective! For those of you that don't know, I've been migrating from a web developer role to a business analyst, and this is my first real taste of how things will (hopefully) be.
It's been *very* satisfying to be the person doing the actual systems analysis from scratch for a change, rather than being the poor sod that's got to work with a half-planned, half-specified system that someone else has come up with and deal with all the things that have been overlooked and inevitably turn up at the 11th hour during development!!
Naturally I have no illusions that I've managed some sort of "perfect" analysis or achieved an ideal technical specification, and I'm realistic about there being changes between now and project completion, but I reckon I've got 99.9% of it nailed down based on the information I've been able to extract from each consultation session, and I've really enjoyed the challenge of working with new people and new systems to get the job done. It hasn't just been about the creature comforts of being on a business trip abroad!!
This bodes very well for the future, and I'm looking forward to carrying on with everything tomorrow (for the third of four consultations). Perhaps I've spoken too soon - I hope not, but I guess I'll just have to wait and see...
And finally, I've booked my 9-day holiday to Florida for the end of March, and I can't wait! Hurray!!
BlogWorks XML missing features
There are a few missing features in this software, of which the most serious is the total lack of an image upload facility, something I hadn't checked out before I left for my trip!
So far I have been going through the relatively laborious process of uploading to my homegrown CMS (that powers my main site), then grabbing the URLs (of the uploaded image and the thumbnail that my CMS automatically generates), building an HTML table manually with the necessary hyperlink and image code, and then finally being able to publish the post. This is plain silly, and I'll develop something to sort this out when I return!
Similarly, I think it would be handy (for me at least) to be able to see all the comments (and trackbacks) in one place, ordered reverse-chronologically, rather than having to click the "comments" link at the bottom of each post. Although I've seen all the comments that have been posted so far because I've noticed them, once I've got quite a few posts up, it will cease to be practical to check them all manually. There are also a few bugs in the post preview feature which I'll fix while I'm at it.
Do any of you use BlogWorks? If you have any requests for new features/fixes, I'd be happy to have a go at them too.
Naturally, I will get in touch with Rick (who's currently looking after BlogWorks XML) and offer my modifications for integration/public use (if he wants to do so).
I'm now back in the UK and will get busy on a few posts over the next couple of days, but for the moment I'm just going to comment on a fairly major (IMHO) bug that I've found in BlogWorks XML...
Compare http://marcustucker.com/blog/ and http://www.marcustucker.com/blog/... what do you notice? Well, I'll give you a handy hint... all the comments disappear on the main pages (but are present on the comments pages accessed via the respective links)!
I haven't had a chance to look at the source, but it would seem that the code responsible for this is using absolute (rather than relative) URLs in the comments-related storage and lookup... which doesn't make much sense to me, and is something I'll definitely have a look at pronto...
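To illustrate the kind of bug described above, here is an added example (my own sketch, not BlogWorks XML's actual code, which I haven't read yet). It models a comment store keyed by the absolute URL of the post as it was requested when the comment was saved, shows why a lookup via the other hostname comes back empty, and then keys the store by the host-independent part of the URL instead. The `?id=42` query string and the comment texts are constructed sample data, not real posts.

```javascript
// Added example, not BlogWorks XML code: why keying comments by absolute URL
// splits them across hostnames, and how a host-independent key fixes it.

// Constructed sample store, keyed the way the bug suggests: by the absolute
// URL that was in the browser when each comment was saved.
const commentsByAbsoluteUrl = {
  "http://marcustucker.com/blog/?id=42": ["Nice post!", "Thanks for the tip"],
};

// The buggy lookup: only an exact match on the full URL (scheme + host + path)
// finds anything, so the same post reached via www.marcustucker.com misses.
function lookupByAbsoluteUrl(requestedUrl) {
  return commentsByAbsoluteUrl[requestedUrl] || [];
}

// The fix: derive a key from the path and query only, deliberately discarding
// scheme, hostname and port, so both hostnames map to the same post.
function postKey(requestedUrl) {
  const u = new URL(requestedUrl);
  return u.pathname + u.search;
}

// One-off migration of an absolute-URL-keyed store to the relative key,
// merging any comments that had already been split across hostnames.
function buildRelativeStore(store) {
  const rel = {};
  for (const [abs, comments] of Object.entries(store)) {
    const key = postKey(abs);
    rel[key] = (rel[key] || []).concat(comments);
  }
  return rel;
}

const commentsByPostKey = buildRelativeStore(commentsByAbsoluteUrl);

// The fixed lookup: canonicalize the requested URL before looking it up.
function lookupByPostKey(requestedUrl) {
  return commentsByPostKey[postKey(requestedUrl)] || [];
}

// Demonstration: the same post, requested via the two hostnames from the post.
console.log(lookupByAbsoluteUrl("http://www.marcustucker.com/blog/?id=42")); // []
console.log(lookupByPostKey("http://www.marcustucker.com/blog/?id=42"));     // both comments
```

Keying on the path rather than the absolute URL also means the store no longer depends on whatever hostname (or Host header) a given visitor happened to use, which is a more robust identity for a post than anything the request supplies.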