Posts Tagged ‘dcphp’

FirePHP and Joomla

I have another How To Joomla article up: How to debug our Joomla code with FirePHP. Just recently, I discovered a plugin that painlessly adds FirePHP to your Joomla site. After installing it and doing some tests, I decided to write an article. In the midst of writing the article, I went to the FirePHP wiki and found another FirePHP plugin for Joomla released by the Kunena team. This one is even better, with tighter integration into the Joomla environment. I see many possibilities for model debugging and exception handling down the road.

Drupal and WordPress also have FirePHP plugins, as do most of the major stand-alone PHP frameworks. Have a look to see if your favorite is listed before trying to hack FirePHP into your next project.

Working with Content plugins in Joomla 1.5

Earlier this week, I made my debut on HowToJoomla.net with an article on How to Fix Joomla Content Plugins. If you’ve used Joomla since the 1.0 days, you may recall that content plugins acted on both articles and Custom HTML modules. In 1.5, this behavior changed so that Content plugins only act on articles from the Article Manager. Fortunately, there are several options for regaining and controlling this functionality, which I outline in the post. Head over and let me know what you think!

The way NOT to do JavaScript in Joomla!

While doing a little Sunday afternoon browsing of Twitter, I noticed Amy Stephen warning about a bad technique for using Joomla! with AJAX-style requests. I followed the link (WARNING: don’t use this code!) and found security vulnerabilities right away. Since the blog in question doesn’t support comments, I’m forced to respond here.

First, as Amy pointed out, the technique creates another entry point into Joomla. While this can be used effectively if you know what you’re doing, it’s totally unnecessary for a casual application of asynchronous JavaScript. Next, class, who can tell me what’s wrong with this piece of code?

cExt( $_POST['func'] );

That’s right, we’re passing data straight from our HTTP request (which can come from anywhere in the WORLD) into our application’s logic. Once we get into the cExt function, the variable is used to execute code with no filtering whatsoever:

function cExt($func = ''){
    $cext = null;
    if(!empty($GLOBALS['cExt']))
        $cext = $GLOBALS['cExt'];
    else{
        $GLOBALS['cExt'] = new plgCommunityExt();
        $cext = $GLOBALS['cExt'];
    }
    if(empty($func))
        return $cext;
    else{
        if($GLOBALS['ajax'] == true)
            $cext->$func();
        else
            return $cext->$func();
    }
}

Please, regardless of whether or not you use Joomla, don’t do this! It is a totally insecure way of writing code. Instead, if you are using Joomla, you can at least filter this variable using the following code:

$func = JRequest::getCmd('func', '');

This code will filter the func variable from the request and make sure it only includes numbers, letters, or underscores. Additionally, you should filter $func to make sure a corresponding public function in the plgCommunityExt class exists before attempting to use it to actually execute that function.

As a side note, $GLOBALS is being used an awful lot here. While this isn’t a security risk in and of itself, it is a bad practice that can lead to insecure coding. If the register_globals setting in PHP (going away in PHP 6) is turned on, this becomes a huge security risk as anyone in the world can set the value of cExt to anything.
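As an added example (this is not code from the original post, nor from the plugin being criticized), here is how that dispatcher could be written so the request parameter never reaches a method call unchecked: the value is reduced to letters, digits and underscores, compared against an explicit list of methods meant to be exposed, and verified to be a public method before it is invoked. The plugin instance is also kept in a static variable instead of $GLOBALS. The plgCommunityExt class and its method names below are stand-ins, since the post does not show the real ones; inside Joomla the regex in filterCmd would simply be replaced by the JRequest::getCmd('func', '') call above.

```php
<?php
// Added example: a hardened replacement for cExt($_POST['func']).
// plgCommunityExt is a stand-in class; its method names are hypothetical.

class plgCommunityExt
{
    // Methods that are legitimately callable from an AJAX request.
    public function latestPosts() { return array('status' => 'ok', 'data' => array()); }
    public function memberCount() { return array('status' => 'ok', 'count' => 42); }

    // Public, but must never be reachable from a request parameter.
    public function resetSettings() { return 'should never run from a request'; }

    // Not public, so even an allowlist mistake would not expose it.
    private function internalHelper() { return 'private'; }
}

// Explicit allowlist of request-callable method names. This is the extra
// check the post asks for: confirm a matching public method exists and is
// meant to be exposed, instead of calling whatever name the client sent.
function allowedAjaxMethods()
{
    return array('latestPosts', 'memberCount');
}

// Mimics what JRequest::getCmd('func', '') does: keep only letters, digits
// and underscores, falling back to $default if nothing survives.
// (Assumption: a simplified stand-in; inside Joomla call JRequest::getCmd.)
function filterCmd($value, $default = '')
{
    if (!is_string($value)) {
        return $default;
    }
    $clean = preg_replace('/[^A-Za-z0-9_]/', '', $value);
    return ($clean === '') ? $default : $clean;
}

// Returns the single plugin instance without touching $GLOBALS, so a
// register_globals request cannot replace it.
function communityExt()
{
    static $instance = null;
    if ($instance === null) {
        $instance = new plgCommunityExt();
    }
    return $instance;
}

// Safe dispatcher. Returns the method's result, or null when the requested
// name is filtered away, not on the allowlist, or not a public method.
function dispatchAjax($requestedFunc)
{
    $func = filterCmd($requestedFunc, '');
    if ($func === '' || !in_array($func, allowedAjaxMethods(), true)) {
        return null;
    }

    $ext = communityExt();
    if (!method_exists($ext, $func)) {
        return null;
    }
    $method = new ReflectionMethod($ext, $func);
    if (!$method->isPublic()) {
        return null;
    }
    return $ext->$func();
}

// Constructed sample inputs standing in for $_POST['func'].
var_dump(dispatchAjax('memberCount'));      // array: status => ok, count => 42
var_dump(dispatchAjax('resetSettings'));    // NULL: public, but not allowlisted
var_dump(dispatchAjax('internalHelper'));   // NULL: not allowlisted (and private)
var_dump(dispatchAjax('member Count; x'));  // NULL: filtered to memberCountx, not allowlisted
```

The allowlist is the important part: a character filter alone would still let a request name any public method on the class, so the filter only narrows the input, and the list decides what the request is permitted to run.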

The post ends with this quick jibe:

That was pretty easy wasn’t it, in order to get quick results you just have to find these shortcuts which will spare you the time and pain of having to read some Joomla-, or pick your favorite, CMS book.

I’d argue that the author of this blog post would not only benefit from reading a book about CMS development, but one on basic PHP security. The technique he describes is insecure in any PHP-based framework or CMS.

Fortunately, you don’t even have to run to the bookstore to find examples of the correct way of doing these things. Louis Landry has a quick example of how to return JSON formatted data simply and securely on this thread, without having to create a special component view. If you do want to use a view, this blog post will show you how to do it.

Finally, if you do want to learn how to add AJAX-style requests to Joomla (without necessarily using JSON), I’ll shamelessly plug my own book. But you don’t even have to buy it, because the sample chapter is indeed the one on JavaScript and Joomla (start on page 168 if you already know Joomla! MVC).

Podcast Suite 1.5 Release Candidate 1

Podcast Suite 1.5 RC1 is now available for download here. A lot of validation issues are fixed, multiple feeds should be working, and a German translation of the UI is bundled. Thanks goes out to everyone using it and waiting for help on the forum! You’ve helped me catch a lot of issues, which has made the suite better software.

Avoiding Joomla! Pain – March 13th

This coming Friday at 1PM Eastern US time, I’ll be giving a talk about Avoiding Joomla! Pain. Recently, I’ve been running into PHP programmers tasked with maintaining Joomla! sites they didn’t set up. Some dig in and get busy, while others become frustrated when things don’t work the way they expect. In this talk, I’ll go over a few things to help you get a handle on how Joomla! works and how to extend it.

Fortunately, you don’t have to be anywhere near DC or even buy a ticket: it’s a part of the php|tek 2009 free webcast series. You must register to see the webcast, but registration is free.

If there’s something about Joomla! you’ve always wanted to know but have been afraid to ask, let me know in the comments and I’ll work it into the talk.

DC PHP ’08 Highlights

Earlier this week, we had the 2008 DC PHP Conference at George Washington University. A lot of new faces showed up this year and we had quite a few speakers from the local community. Here are some of the sessions I found particularly interesting:

Automated Unit Testing. Mike Lively presented PHPUnit, which I will definitely be using in the near future. His presentation on Monday morning was very helpful and made unit testing seem much more approachable. He had an afternoon session as well with more PHPUnit tricks (like mock objects and database testing) that I’ll have to look into on down the road.

Fed Up of Framework Hype? Tony Bibbs had a lot of straight talk about how to choose a framework, why you might want one, and when you could stand to roll your own. He brought up the fact that you need to keep it flexible enough so that your highly talented programmers can stay productive, while keeping it consistent enough for less experienced coders.

SPL Iterators. A lot of Eli White’s presentations I’ve previously seen have been about scaling challenges he’s worked on at Digg. He seemed just as excited to talk about beautiful code :). One of his samples was so short and succinct, I ended up tweeting (forgive the 140 character formatting) it.

Security Centered Design. In his own words, Chris Shiflett hijacked a security talk to cover User Experience. However, he did a good job of tying everything back to security; people have certain expectations for how a web application should behave when they’re logged in. He also plugged myVidoop: the secure, passwordless OpenID provider that some friends of mine work for :).

Also, Keith Casey moderated an IDE/text editor panel. He asked a good set of questions and fortunately there was no physical violence, or even shouting. :D

This was also my first conference where Twitter was out in full force, except when it was down early on Monday morning. You can catch up on most of the tweets here.

PHP TestFest

The PHP/QA team has announced TestFest. I’m trying to organize an event in the DC area, any takers? Post to the list or add a comment here if you’re interested.

January-February 2008 meetings

Tech events in DC for 2008 are getting off to a fast start. First, there’s Widget DevCamp DC on January 25th (Friday evening) and 26th (all day Saturday). BarCamp DC was a great time last Fall where lots of web/programming techniques were shared. Widget DevCamp hints that there may be some actual coding going on! (of course, this depends on who shows up and what ideas are kicked around).

The regular DC PHP Developer’s group is scheduled to meet on February 13th. This will blow away all other tech events for the year, because we will be having a face-to-face text editor war! I’m so psyched! Go Textmate!

Finally, Web Content Mavens will be having an Open Source Content Management System discussion on February 27th. I’ll be representing Joomla!, Keith Casey will talk about Drupal, and other people will talk about Alfresco, WordPress, and Textpattern.

See you at all of these events!