March 16, 2006

Sun Does Windows: Interoperability Delivered

You will find other articles relevant to this document in these sections:
Cameron Manderson @ 3:04 pm

Sun has just put together another Sun Net Talk on Demand presentation, almost a year after their last Sun Net Talk. The talk discusses the progress made since the historic agreement in April 2004 and is roughly 55 minutes long. Worth a watch to learn about the future of the two developers in interoperability.

Sun Net Talk

For those like me who have been using the powerful StarOffice Microsoft-compatible office suite (no need for expensive Office, this thing kicks), you can also get a complimentary licence/serial (limited quantities - worth about $100 AUD).

Backup Architecture - Amazon Virtual Closet vs Bigpond

Cameron Manderson @ 9:30 am

Nothing seems more important to me than backing up my CVS repository. The CVS repository contains all versioning of the application/source code that I produce, and allows synchronisation among my developers. If it were lost it could cause havoc, as I may lose the majority of older work, so my backup policy needs to be rock solid. I have recently been using BigPond’s Storage solution, which costs around AUD$2 a month for a 100MB backup, with no traffic costs as I am using BigPond as my ISP (with no traffic counting towards my quota). I have also mirrored the server in a RAID-like scenario, written rsync tasks and mirrored the CVS to another workstation. So far this is working quite well for the foreseeable future.

Amazon has recently announced a service called S3 (Simple Storage Solution) that will provide large amounts of online storage at fairly cheap prices (charged on traffic and the amount of storage used). The prices are about US$0.15 per GB-month of storage and about $0.20 per GB transferred, which would allow people to back up about 5GB (about the size of a DVD). It is also noted to support HTTP, BitTorrent, SOAP and REST. This is not the first push we have seen towards this sort of service: Yahoo, Microsoft and Google are all working on the infrastructure.
So doing the numbers on backing up 100mb a week (nightly) with Amazon should break down to something like this:

- 100mb per night * 7 = 700mb a week, * 4 weeks (generalised) = 2800mb per month in Transfer Cost

This should cost us about US$0.56 a month in transfer costs.

Next the storage calculation:

As our CVS can jump back to any date prior, we shouldn’t need a rotating cycle (?)

- 100mb for the month

This should cost us an additional US$0.02 a month for the storage of the data on the S3 servers. It would only cost us US$0.11 a month to keep the backup on a 7 day rotating cycle (if need be).

The costs seem quite low, but we also need to consider how our ISP charges for traffic. Uploading 2.8GB of data a month would lower my available cable usage by 28% (a fair chunk), whereas paying the additional dollar to store with BigPond would mean that I still have all that traffic available for normal usage, and the backups are darn fast (as we are backing up to our internal network).

Once the compressed CVS becomes large (say 500mb) we may need to determine a new means of backing up the data and recompare the prices and quotas for your internet usage.

One (major) downfall I have with BigPond’s Storage service is that it does not support any additional protocols apart from HTTP. Yes, that means (as far as I can tell) uploading must still be done through their HTTP interface, or using their Windows XP software (which I hate, as my office development server is Linux and it would be great to have it perform the tasks for me automatically). All we would need is FTP.

For people also interested in using an online free repository for collaborative work with people that might not be in your office, consider using freepository.com. I have found their service to be quite good, but you always have the implications of Network speeds when working on the Internet.

For Information on Bigponds Online Storage Product read here.

Mac OS X on x86 Tested

Cameron Manderson @ 8:28 am

I have been enquiring recently into the ability to run Mac OS X on a PC, something that I used to think was impossible. Recently I read a few articles about people that have successfully run a Mac OS X install on VMware, and even people writing how to install and run it natively.

Steve Jobs recently announced the move from PowerPC chipsets to Intel architecture. To stop the computer hardware side of his business being crushed by competitors like Dell, who are able to produce a much cheaper alternative to his Mac hardware systems, he announced the idea of a security chipset embedded into the hardware. But, as most of us developers know, it is only a matter of days before the hardware hackers create a way around it - as seen in the piracy market with products that used to require a very expensive “dongle” being able to run very happily without it being present.
I have found an interesting article on BuilderAU regarding benchmarking the Mac OS X on an x86 Architecture. The results are promising, and after it is released as stable results should improve. Have a read here.

So for a web developer how does that help us? Well, it may allow us to use some older hardware to boot into OS X for compliance testing of our sites. It could also allow us to dual boot our computers, so you can work happily natively in Mac OS X for work and maybe after hours switch back to PC for gaming etc.

For a web developer Mac OS X seems like the perfect solution. The most powerful feature is the fact that it runs on a FreeBSD/Darwin system, which means that we get a very powerful little command prompt which we can use for CVS, running Apache/PHP/MySQL/mail server etc. like a Unix box; we can get it to automatically remote synchronise our work to another server, network tunnel, perform intermittent tasks/jobs and archive/upload a backup through FTP. The list goes on. Some of these tasks can be set up using Cygwin (sort of a bash shell for Windows - check Cygwin out here), which I have tried, but I think the ultimate is having the native system be BSD based.

It also means that on the same desktop we can run the full Adobe Suite (if you own it) and you can still run your Macromedia Dreamweaver (if you own/use it).

I will be [in the next month or two] formatting a Dell Laptop I own and setting it up to run off a Debian/Linux platform. I will discuss how this flavour of OS provides benefits to us (not only in the fact that it costs nothing), and talk about all the tools allowing you to Develop under this platform.

An Introduction to mail header injection attacks

Richard Lee @ 1:29 am

If you’ve ever needed to create an enquiries form chances are you’ve simply checked for empty fields and validated the email address then sent it on through using a mail() script like below:

<?php

$to = "enquiries@mysite.com.au";

if (!isset($_POST["send"])) {
    // no post data -> display form
?>
<form method="POST" action="<?=$_SERVER['PHP_SELF'];?>">
To: <?=$to;?> <br />
From (email): <input type="text" name="senderEmail"><br />
Subject: <input type="text" name="subject"><br />
Message: <br />
<textarea name="message" rows="10" cols="60"></textarea><br>
<input type="submit" name="send" value="Send"><br />
</form>
<?php
} else {
    // found post data .. deal with it
    $from = $_POST['senderEmail'];
    // send mail :
    if (mail($to, $_POST["subject"], $_POST["message"], "From: $from\n")) {
        // display confirmation message if mail sent successfully
        echo "Your mail was indeed sent to $to.<br />";
    } else {
        // sending failed, display error message
        echo "Doh! Your mail could not be sent.<br>";
    }
}
?>

But there’s an issue here: what if a malicious user, aka “spammer”, inserts extra mail headers into one of the text fields? Below is the result of injecting extra mail headers into the form above:

To: enquiries@mysite.com.au
Subject: ahem
From: mr_spammer@hotmail.com
Cc: john_smith69@hotmail.com
Bcc: suzan123@yahoo.com,oz@yahoo.com

Buy Viagra online at…

At first glance you might only notice the body of the email, “Buy Viagra….” but look closer. Notice the extra “Cc:” and “Bcc:” headers and extra addresses?

There are numerous additional fields that can be specified in the mail headers (see RFC 822). In the form above the spammer has injected the “Cc:” (carbon copy) and “Bcc:” (blind copy) headers into the “From (email):” textfield, and as a result successfully spammed additional recipients.

Unfortunately in this type of form there is no limit to how many users the spammer can potentially spam. Abiding by the RFC standards - which require every header to be separated by a linefeed character - the spammer simply injects additional headers using the hexadecimal value of the linefeed character (0x0A), and ultimately builds up a string he/she then inserts into the “From (email):” field:

"mr_spammer@hotmail.com%0ACc:john_smith69@hotmail.com%0ABcc:suzan123@yahoo.com,oz@yahoo.com"

Quite nifty isn’t it?

So how can we avoid this type of header injection?

There are a few methods floating around, but by far the easiest option in this case is to filter the vulnerable field for linefeed characters ;)

$from = str_replace(array("\n", "\r"), '', $_POST['senderEmail']);

We have now successfully avoided a major security risk in our enquiry form.
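The same handler written to fail closed, as an added example that is not part of the original post. Rather than silently stripping line breaks, it refuses to send when any field that ends up in a mail header contains CR, LF or NUL, so an injection attempt is rejected (and can be logged) instead of being partially delivered. Note that the post's one-line fix only touches senderEmail, while the subject also goes into a header via mail(); this version treats both the same way. Field names follow the form above; the helper function names and the two sample submissions are constructed for the example.

```php
<?php
// Added example, not the original post's code: a hardened replacement for the
// enquiry-form handler. Header-bound fields that contain a line break cause the
// send to be refused outright rather than "cleaned".

/**
 * Return $value if it is safe to place in a mail header, or null if it contains
 * CR, LF or NUL (the characters that let a submitted value start a new header).
 */
function safe_header_value($value)
{
    if (!is_string($value) || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return $value;
}

/**
 * The sender must be a single well-formed address with no line breaks.
 * FILTER_VALIDATE_EMAIL also rejects comma-separated lists of addresses.
 */
function safe_sender_address($email)
{
    $email = safe_header_value($email);
    if ($email === null || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

/**
 * Build the arguments for mail() from untrusted form input.
 * Returns [to, subject, body, headers], or null when a header-bound field looks
 * like an injection attempt. Nothing is sent from here.
 */
function build_mail_arguments(array $post, $to)
{
    $from    = safe_sender_address($post['senderEmail'] ?? '');
    $subject = safe_header_value($post['subject'] ?? '');
    if ($from === null || $subject === null) {
        return null;
    }
    // The body may legitimately contain line breaks; it is not a header.
    $message = $post['message'] ?? '';
    $body    = is_string($message) ? trim($message) : '';
    return [$to, $subject, $body, "From: $from\r\n"];
}

// Constructed sample submissions (not captured traffic).
$legit  = ['senderEmail' => 'alice@example.com', 'subject' => 'Hello', 'message' => 'Hi there'];
$attack = [
    'senderEmail' => "mr_spammer@hotmail.com\nCc:john_smith69@hotmail.com\nBcc:suzan123@yahoo.com,oz@yahoo.com",
    'subject'     => 'ahem',
    'message'     => 'Buy Viagra online at...',
];

$to = 'enquiries@mysite.com.au';
echo build_mail_arguments($legit, $to) !== null ? "legit submission: accepted\n" : "legit submission: refused\n";
echo build_mail_arguments($attack, $to) === null ? "injection attempt: refused\n" : "injection attempt: accepted\n";
```

When build_mail_arguments() returns null the form can show the “could not be sent” message from the original script; the difference is that the decision is made before mail() is ever called, and the rejected value is available for logging.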

Conclusion:

Take a penetrative approach to SPAM - it will save you a lot of heartache.

March 15, 2006

PHP Succeeding where Java isn’t

Cameron Manderson @ 4:20 pm

This article is quite a good read about the growth of support for PHP with backing from IBM and Oracle.

Although the article hints at some of the supposed downfalls of Java, it is mainly to do with the complexity. Java is capable of doing everything where PHP is good at doing one thing; of course it is going to be more lightweight and quicker for developers. But it is great to see the support growing and realisation of its good use in the industry.
Have a read here.

Simple Email Validation with Regular Expressions

Cameron Manderson @ 3:30 pm

Email validation in PHP can be done in a few strategies (some too exhaustive)
- Checking the syntax of the email address
- Providing the user two fields to repeat their address
- Providing an email confirmation
- Checking the domain MX records
- Verifying the mail account through communication with the MX

Usually the latter few methods take too long to implement and are open to many problems that we don’t want, such as reliance on the operating system and connectivity to the MX and DNS records (which may cause people to get frustrated signing up with a legitimate email address). Where possible you should prompt the user for their email address twice, to ensure that they have nominated the correct email free from typos that still pass basic syntax, e.g. cmaeornmanderson@gmail.com as opposed to cameronmanderson@gmail.com.

The syntax can be checked once again in two spots, the client side first (to give them an opportunity to fix) and then on the server side.

<input type="text" name="emailAddress" id="emailAddress" onchange="javascript:validate('emailAddress', emailAddressRegex, 'Please ensure your email address is correct');" />

As suggested in an earlier post, if we use Regular Expressions (perl) to check the format we can use the same syntax in JavaScript (for client side) as we do in PHP/VB/Java etc.

On the server side we can see that this can be compiled as a perl regular expression to match against their form submission:

<?php

...

// Could be in our standard library somewhere.
// [A-Za-z] rather than [A-z]: the range A-z also covers [ \ ] ^ _ ` which sit
// between 'Z' and 'a' in ASCII. The D modifier stops $ from matching just
// before a trailing newline (PHP/PCRE only; JavaScript's $ has no such quirk).
$emailAddressRegex = '/^[A-Za-z0-9][\w.-]*@[A-Za-z0-9][\w\-\.]+\.[A-Za-z0-9]{2,6}$/D';

$emailAddress = $_POST['emailAddress']; // Access the request->getParameter('emailAddress');
if (!preg_match($emailAddressRegex, $emailAddress)) {
    // Add the error to our action errors
    die('Invalid email address detected');
}

?>

We need to ensure we check the email address again on the server, as it is quite easy for a legacy browser or a browser with JavaScript disabled to submit the field (in fact our method doesn’t stop the user from submitting the form if they know there is an error).

Your regex could be a lot more specific depending on the situation. When matching against formats it is best to read the RFC or similar. For email a good resource is located on Wikipedia.
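As an added example (not part of the original post), the following runs a few constructed addresses through the loose form of this regex (with `[A-z]` ranges and a plain `$` anchor, the way it is commonly written) and through a tightened one, then combines the tightened regex with PHP's own filter_var(). It shows two things the text does not spell out: `[A-z]` accepts the six ASCII punctuation characters between `Z` and `a`, and without the D modifier a PCRE `$` lets "user@example.com\n" through, which is exactly the kind of value the mail header injection post above warns about. The constant and function names are mine.

```php
<?php
// Added example, not the original post's code. Compares a loose email regex
// with a tightened one over constructed inputs.

// Loose form: [A-z] ranges and a plain $ anchor.
const EMAIL_REGEX_LOOSE     = '/^[A-z0-9][\w.-]*@[A-z0-9][\w\-\.]+\.[A-z0-9]{2,6}$/';

// Tightened form: explicit letter ranges, letters-only TLD (my choice), and the
// D modifier so $ only matches at the very end of the string.
const EMAIL_REGEX_TIGHTENED = '/^[A-Za-z0-9][\w.-]*@[A-Za-z0-9][\w.-]+\.[A-Za-z]{2,6}$/D';

/** True if $email matches $regex; preg_match() errors count as no match. */
function email_syntax_ok($email, $regex = EMAIL_REGEX_TIGHTENED)
{
    return preg_match($regex, $email) === 1;
}

/**
 * Server-side check: the tightened regex and PHP's validator must both agree.
 * Disagreement usually means the regex is more generous than it looks.
 */
function validate_email_address($email)
{
    return is_string($email)
        && email_syntax_ok($email)
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs (not real addresses beyond the ones named in the post).
$samples = [
    'cameronmanderson@gmail.com',
    'first.last-name@sub.example.org',
    'no-at-sign.example.com',
    '^weird@example.com',            // '^' falls inside the A-z range
    "user@example.com\n",            // trailing newline: plain $ still matches
    "user@example.com\nBcc:x@y.com", // header injection attempt
];

foreach ($samples as $email) {
    printf("%-36s loose: %-6s tightened: %-6s combined: %s\n",
        json_encode($email),
        email_syntax_ok($email, EMAIL_REGEX_LOOSE) ? 'accept' : 'reject',
        email_syntax_ok($email) ? 'accept' : 'reject',
        validate_email_address($email) ? 'accept' : 'reject');
}
```

Running it shows the loose regex accepting both `^weird@example.com` and the address with a trailing newline, while the tightened regex rejects them; the combined check is the one to use on the server, and the regex alone on the client where filter_var() is unavailable.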

Payment Modules with osCommerce

Cameron Manderson @ 12:21 pm

I have had a fair bit of experience now with Payment Modules under osCommerce. I have used publicly available payment modules as well as writing my own (for Australian eSec/Securepay, Westpac Webadvantage and Mastercard Internet Gateway Services - MIGS).

I have to say that a lot of the modules aren’t correctly documented and often take the quickest approach to solving a problem, without considering future maintenance or implementing good industry practices. Overall the osCommerce package has, in my opinion, become more of a nightmare than a solution for anything you want to do that differs slightly from the standard package they provide.

But instead of turning this into a “I am so over osCommerce” post I am going to discuss coding up a Payment Method that will suit the requirements of your client or your site.

The Payment Module

The payment module is a way of creating a custom hook point for handling payment by a specific means, such as accepting payment via PayPal or through an online credit card gateway. It is written flexibly enough to cater for 98% of situations and has framework support for multiple languages. A payment module is formed of two files, the payment module language file and the payment module class file.

The payment module language files are located in

“includes/languages/[english]/modules/payment” and should have the same name as your class file. It contains a series of define() calls to set up the various language strings that you need.

The payment module class files are located in

“includes/modules/payment” and are typically named similar to “cc_via_whatever.php” or something more descriptive. This is the file that will handle our processing.

You will need to request from your payment gateway provider an integration guide. Any payment provider will be able to provide you this information and should provide sufficient support for you to diagnose the process.

The next step is to analyse the flow of the payment module class. This is extremely important for you to understand, as you will need to dissect your payment integration into the correct functions of your payment class. Ensure that you protect your client’s sensitive information and never rely on hidden form fields (!).
The order in which the payment module is executed occurs similar to below:

Constructor (function cc_via_whatever): Purpose is to initialise requirements of osCommerce. The variables that it wants you to configure include:

- $this->code = (same as your class file name prepend, eg, “cc_via_whatever”)
- $this->title = (Title of the payment module, EG “Payment Via Credit Card Facilities Online”, you will see this appear on your website frontend)
- $this->description = (a more verbose explanation of the payment module)
- $this->enabled = (This is very important to set true or false. I usually check to ensure all my Admin controlled variables are set before making this module enabled)
- $this->form_action_url = (Where to submit the form contents to once hit submit)
- $this->sort_order = (The sort order of this module relative to the others)

function update_status: Purpose is to check whether this payment module is available at runtime for an order.
Usually this method will analyse whether the payment module is valid within this client’s zone. This is usually a generic call, so you can reference other example payment modules.

First Stage, Making Selection of the Payment Module

function javascript_validation: Purpose is to check the contents of the submitted payment details when this option is selected for payment.
This is usually fairly generic between the credit card modules, but you will need to ensure that your naming of your files remain the same as well.

function selection: Purpose is to provide a set of form information when the payment module is selected. The form information is used to render the required form fields, such as credit card number etc. The JavaScript validation provided in the javascript_validation method above will work off the field names set up here. If you are using a bank hosted integration model, or one that does not require user input of a credit card, you can return only the id and module. Check another payment module for the syntax.
function pre_confirmation_check: Purpose is to validate the details that have been submitted for the form that we created above. This needs to be very thorough. If you are using this payment method for the validation of a credit card you may like to make use of the validation class cc_validation.php bundled with osCommerce; other payment modules will show you its use. If the form fields don’t validate, this function will redirect the user back to the payment selection screen.

Second Stage, Confirming the order

function confirm: Purpose is to confirm to the user the details that will be used to process the order. Once again this is in an array format that defines keys that will be read in on the confirmation page.

function process_button: This allows us to place in hidden form fields into the confirmation page. These are provided to you by your payment gateway. You will need to carefully analyse which fields need to be placed here - as they are parsed through the request (only) to the next process:

Third Stage, Processing the payment

function before_process: This is where all of our actions go for processing the payment (prior to the order being saved). If you are using a bank hosted model this is called after the user has been to the bank and is returning. You will need to validate the request (eg, $_GET/$_POST) to ensure that the bank responded with the correct details. If you are submitting to the bank directly using cURL or similar, you will perform your actions here also to determine whether the order should continue to be processed, or to divert the user back to the payment details screen. This method doesn’t return a value; instead you will need to perform your validation and redirect if necessary. Otherwise allow the function to terminate and it will continue to process the order.

function after_process: This is called after the order has been saved. I don’t usually have a need for this method.

Misc Methods required for the payment module to integrate into osCommerce

function get_error: Create an associative array to house the error. Check syntax from existing payment module

function check: Checks whether the payment has been “installed” through the admin panel. You can determine this by checking for configuration_values which get inserted into the database when the user hits “install”.

function install: Installs the configuration keys into the database. This is where you define the fields to be collected from the administrator user, such as Merchant IDs etc.

function remove: Removes the configuration keys from the database, called when they hit “remove” in the backend.

function keys: Defines an array containing the configuration key keys that are used by the payment module.
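A cut-down bank-hosted module that follows the method order just described, as an added example that is neither the MIGS module nor any osCommerce code. Its point is the third stage: before_process() verifies what the bank sent back (signature, result code, and amount compared against our own order total) instead of trusting the response or a hidden form field. The gateway contract is hypothetical (gw_order_ref, gw_amount, gw_result and gw_signature, signed with HMAC-SHA256 over "order_ref|amount|result" using a shared secret from the admin panel); your gateway's integration guide defines the real one. tep_db_query(), tep_db_num_rows(), tep_redirect(), tep_href_link(), TABLE_CONFIGURATION and FILENAME_CHECKOUT_PAYMENT are the osCommerce 2.2 helpers and only work inside a store, so the demo at the end exercises the pure verification method on constructed data.

```php
<?php
// Added example, not the MIGS module or osCommerce code. Gateway field names and
// signing scheme are hypothetical; see the lead-in.

class cc_via_examplebank
{
    public $code, $title, $description, $enabled, $sort_order;
    private $_check;

    public function __construct()
    {
        $this->code = 'cc_via_examplebank';
        // In a real module these two strings come from the language file defines.
        $this->title = 'Credit Card via Example Bank';
        $this->description = 'Bank-hosted payment page; the signed response is verified on return.';
        $this->sort_order = defined('MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SORT_ORDER')
            ? MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SORT_ORDER : 0;
        // Only offer the module once the admin has installed it and set the secret.
        $this->enabled = defined('MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_STATUS')
            && MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_STATUS == 'True'
            && defined('MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SECRET')
            && MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SECRET !== '';
    }

    // Third stage: the shopper is back from the bank; runs before the order is saved.
    public function before_process()
    {
        global $order; // osCommerce's order object for the current checkout
        $expected = number_format($order->info['total'], 2, '.', '');
        if (!self::gateway_response_ok($_GET, MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SECRET, $expected)) {
            tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT,
                'payment_error=' . $this->code . '&error=' . urlencode('Payment was not approved or could not be verified.'),
                'SSL', true, false));
        }
        // Falling through lets checkout_process continue and save the order.
    }

    /**
     * Pure check, kept static so it can run without the store. Every field must
     * be present, the signature must match, and the amount is compared with our
     * order total, never with a value the browser submitted.
     */
    public static function gateway_response_ok(array $params, $secret, $expected_amount)
    {
        foreach (['gw_order_ref', 'gw_amount', 'gw_result', 'gw_signature'] as $field) {
            if (!isset($params[$field]) || !is_string($params[$field])) {
                return false;
            }
        }
        $signed = $params['gw_order_ref'] . '|' . $params['gw_amount'] . '|' . $params['gw_result'];
        $expected_sig = hash_hmac('sha256', $signed, $secret);
        if (!hash_equals($expected_sig, $params['gw_signature'])) { // constant-time compare
            return false;
        }
        return $params['gw_result'] === '0' && $params['gw_amount'] === $expected_amount;
    }

    public function get_error()
    {
        $msg = isset($_GET['error']) && is_string($_GET['error']) ? $_GET['error'] : '';
        return ['title' => 'Payment problem', 'error' => htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')];
    }

    public function check()
    {
        if (!isset($this->_check)) {
            $q = tep_db_query("select configuration_value from " . TABLE_CONFIGURATION
                . " where configuration_key = 'MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_STATUS'");
            $this->_check = tep_db_num_rows($q);
        }
        return $this->_check;
    }

    public function install()
    {
        tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_group_id, sort_order, set_function, date_added) values ('Enable Example Bank', 'MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_STATUS', 'True', '6', '1', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");
        tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_group_id, sort_order, date_added) values ('Shared secret', 'MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SECRET', '', '6', '2', now())");
    }

    public function remove()
    {
        tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
    }

    public function keys()
    {
        return ['MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_STATUS', 'MODULE_PAYMENT_CC_VIA_EXAMPLEBANK_SECRET'];
    }
}

// Demo on constructed data: a correctly signed response, then the same response with the amount altered.
$secret = 'constructed-shared-secret';
$good = ['gw_order_ref' => 'ORD-1001', 'gw_amount' => '49.95', 'gw_result' => '0'];
$good['gw_signature'] = hash_hmac('sha256', 'ORD-1001|49.95|0', $secret);
$tampered = $good;
$tampered['gw_amount'] = '0.01';
echo cc_via_examplebank::gateway_response_ok($good, $secret, '49.95') ? "signed response: accepted\n" : "signed response: refused\n";
echo cc_via_examplebank::gateway_response_ok($tampered, $secret, '49.95') ? "tampered amount: accepted\n" : "tampered amount: refused\n";
```

The selection, confirm and process_button methods are omitted because for a bank-hosted model they only return the id/module array and the redirect fields; the parts worth copying are keeping the verification logic in a method with no osCommerce dependencies so it can be tested outside the store, and taking the expected amount from the saved order rather than from anything the request carries.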

For an example for one that I contributed to osCommerce for MIGS - ANZ, Bendigo use etc checkout the link to the payment module: MIGS Payment Module

I recommend that people include in their module: proper PHPDoc tags for functions, method access broken up into accessor style methods, and as many notes for future developers (even yourself) as possible, such as “//” sections that indicate what you are doing. Also be sure to leave TODO notes where you have not completed a section of the integration, and quote any documentation versions that you have used.

Lastly to complete the Payment Module you should include correct documentation that outlines how to install via FTP etc.

Some laughs…

Richard Lee @ 11:24 am

TheAge reports: Call to arms for video gamers

Cameron Manderson @ 9:11 am

View the article

Excerpt: “US gamers have been asked to put their joysticks aside momentarily and sign up to a new political movement that opposes the mounting regulation of computer games.”

Something that I wish the Australian Content Advisory would take into consideration. The average age of a gamer is now 30, yet our laws prohibit any R18 games coming onto the market, meaning that games have to be targeted at the 15-18 y.o. age bracket. Apparently, listening to Hack on Triple J, he asked the Australian Content Advisory why this was the case and was responded to with a bit of jargon about how when the states came under one law it had to abolish the R18 rating for games. I think this sounds way out of date.

Featured on 60 Minutes on Sunday (12th March 2006) they followed the US gamer Fataility through some of his competition wins (once $150,000 in winnings) and they had discussed the future of Gaming over the next 30 years. Some respected parties even called some of the gamers elite athletes that take socialising to the next level. Maybe one day hours of gaming is something that may be more accepted by our partners, and not just something nerdy (which ultimately it still will be).

Commonwealth Games start today

Cameron Manderson @ 8:50 am

Well, the Commonwealth Games start today, tickets appear to still be on sale and event organisers say that more than 1.5 billion people will be looking at Melbourne. The city has a lot of blue (between the police presence and the event volunteers dressed in the games colours) and the weather was nice on the ride to work.

So far I am not planning on heading to the games. I will probably go along to some of the free shows/events they have on around the city. I have recently set up my Digital Set top box with my new TV. I am hoping that because Channel 9 are the official broadcaster that we will be able to make use of some HD footage. They are also said to be having a couple of channels coverage of the games so I don’t really think I will be missing out on much.

Official Games Site

(Claims to be powered by Microsoft; the generator is noted as SWMS:Redux, looks like ASP, and uses ‘+’ as the space delimiter for rewritten URLs. I thought it was better practice to use ‘-’ for spaces in URLs for SEO?)

The website has quite a lot of information and a heap of functionality which is very good to see in Event based websites. I will have to take note and upgrade some of the functionality for this years Jayco Herald Sun Tour 2006 website (October). Things like Festival Calendars, Streaming Video/Audio (see if we can get something online), Galleries and a dedicated Media Section to the site.
