• 01 Aug 2012

    DOs and DON’Ts of PHP and MySQL

    During the latest project at work I’ve been doing a lot of PHP with MySQL, and as usual had to search around for a few specific things (fun with multiple LEFT JOINs, anyone?). What surprised me is the sheer amount of bad information out there, and people who are just getting into writing PHP and SQL queries will assume it’s all great and copy it.

    So I’d like to present a very simple DOs and DON’Ts post here. It’s by no means complete, and it’s more of a resource for people who may not entirely understand what the code is doing and want to be sure they’re copying something that won’t leave big security holes in their software. I won’t be explaining the problems of SQL injection etc. here; there are plenty of details on the web.

    DON’T use the mysql_ functions

    <?php
    // Untrusted POST data is pasted straight into the query text, so any
    // quote or SQL syntax in the input changes the query: classic SQL injection.
    $username = $_POST['username'];
    $password = $_POST['password'];
    $sql = "INSERT into users (user,password) VALUES ($username, $password)";
    mysql_query($sql);
    ?>

    Still DON’T use them, even if you escape your input

    <?php
    // Escaping only protects values inside quoted string literals, and the
    // query text is still built from the input. The mysql_ extension is also
    // deprecated (and removed in PHP 7), so this is still the wrong approach.
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    $sql = "INSERT into users (user,password) VALUES ($username, $password)";
    mysql_query($sql);
    ?>

    DO use PDO and prepared statements

    <?php
    // $db is an existing PDO connection. The query text is fixed; the values
    // are sent separately via the named placeholders, so they can never be
    // parsed as SQL.
    $stmt = $db->prepare("INSERT into users (user,password) VALUES (:user, :pass)");
    $stmt->bindParam(':user', $_POST['username']);
    $stmt->bindParam(':pass', $_POST['password']);
    $stmt->execute();
    ?>

    DO better and validate your input as well

    <?php
    // is_valid_username() is the application's own check (e.g. a whitelist of
    // allowed characters and a length limit). Prepared statements stop
    // injection; validation additionally stops junk reaching the table.
    if(is_valid_username($_POST['username'])) {
       $stmt = $db->prepare("INSERT into users (user,password) VALUES (:user, :pass)");
       $stmt->bindParam(':user', $_POST['username']);
       $stmt->bindParam(':pass', $_POST['password']);
       $stmt->execute();
    } else {
       die('Invalid username');
    }
    ?>
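    The four snippets above each show one piece; the following is an added example (not from the original post) that puts the DO side together as a complete, runnable script. It assumes an in-memory SQLite database so it runs without a MySQL server (the MySQL DSN is shown in a comment), a constructed `is_valid_username()` whitelist since the post does not define one, and PHP 5.5+ for `password_hash()`, which goes a step beyond the post by not storing the password in clear text.

```php
<?php
// Added example, not code from the original post.
// Assumptions: a `users` table with columns user and password, usernames of
// 3-32 characters from [A-Za-z0-9_], and PHP 5.5+ for password_hash().
declare(strict_types=1);

// Constructed validator standing in for the post's undefined is_valid_username().
function is_valid_username(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1;
}

function connect(): PDO
{
    // For MySQL the DSN would be 'mysql:host=localhost;dbname=app;charset=utf8mb4'
    // with a user and password; SQLite is used here so the example runs offline.
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements rather than client-side emulation
    // (matters for MySQL; SQLite ignores it).
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
    return $db;
}

function insert_user(PDO $db, string $username, string $password): bool
{
    if (!is_valid_username($username)) {
        return false;   // reject junk before it gets anywhere near the database
    }
    // The SQL text never changes; values travel separately from the query.
    $stmt = $db->prepare('INSERT INTO users (user, password) VALUES (:user, :pass)');
    // bindValue() copies the value now; bindParam() binds by reference instead.
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    $stmt->bindValue(':pass', password_hash($password, PASSWORD_DEFAULT), PDO::PARAM_STR);
    return $stmt->execute();
}

function find_user(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT user FROM users WHERE user = :user');
    $stmt->bindValue(':user', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

// Constructed inputs standing in for $_POST['username'] / $_POST['password'].
$db = connect();
var_dump(insert_user($db, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(insert_user($db, "bob' OR '1'='1", 'x'));                    // bool(false): fails the whitelist
var_dump(find_user($db, 'alice'));                                    // string(5) "alice"
var_dump(find_user($db, "alice' OR '1'='1"));                         // NULL: compared literally, not executed
?>
```

    The last lookup is the point of the post in one line: the quote-laden string is compared as a plain value against the `user` column and simply matches nothing, because the placeholder keeps it out of the query text.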


  • 03 Apr 2012

    Changing Hosts

    It’s been a good run with Hostgator, but since I’ve been using Django for more projects, it’s been frustrating working with only v1.2, as well as dealing with performance issues.

    My new host of choice is WebFaction, who are so far above any other shared hosting package. The big difference is that you get to install apps to your home directory yourself, rather than relying on shared instances. Not only that, but you get access to Apache config files, proper error logging, and a lot more. If you’re looking for somewhere to host your projects as a developer, definitely give them a look.


    Django-debug-toolbar

    As a result of changing hosts (i.e. actually having an up-to-date version of Python and Django) I’ve been able to try out Django debug toolbar, which was recommended to me. It’s almost been worth the switch in web hosts purely to use this, and I already uncovered a mistake that was slowing down a site by a factor of 10. (I was counting objects with len(Thing.objects.all()) rather than Thing.objects.count(): a silly mistake, but the toolbar pointed it out right away.)


    I’ve got a busy few weeks coming up, but after that regular updates should resume.

  • 24 Feb 2012

    Django bits-and-bobs

    I’ve spent the last week or two working on a new Django site, and learning a lot at the same time. I thought I’d post a few small tips on how to do things that people still getting into Django may not work out so easily. The documentation is generally very good, but sometimes it’s not clear which method or combination of methods to use to achieve something.

    (Note: I’m stuck back on Django 1.2 so some of these things have changed in 1.3 and dev)


    Getting current URL

    To get the current URL you need to reference the request object, but you’ll find this isn’t available by default in your templates. To have access to it, be sure to add django.core.context_processors.request to your TEMPLATE_CONTEXT_PROCESSORS setting.

    You can then get the current URL with request.build_absolute_uri().

    Moderate comments by default

    The built-in comments framework is great, and even better when I found it had the capability for moderation. However, I found it strange that once enabled, comments weren’t hidden by default. You’re supposed to be able to specify the auto_moderate_field and moderate_after settings to make comments require moderation after a set time since the post was written, but it had no effect. So the solution is to override the moderate() method as below (see moderate() in the docs).

    from django.contrib.comments.moderation import CommentModerator, moderator

    class BlogPostModerator(CommentModerator):
       email_notification = True
       # only allow comments on posts whose can_comment field is True
       enable_field = 'can_comment'

       def moderate(self, comment, content_object, request):
          # returning True marks every new comment non-public until approved
          return True

    # register it for the post model (BlogPost is the site's own model)
    moderator.register(BlogPost, BlogPostModerator)

    I’ll add a few more later and hopefully they’ll help some Django newbies out there.

    The game

    I’ve not had much time to work on anything with the HTML5 game lately, but I still intend to – right now I’m in the middle of getting NPC movement and map scrolling working well, somehow between all the ideas of loot and inventory screens and baddies, you forget about the less-fun maths part of game programming.

    Here’s a screenshot as of a week ago. You can see the random map generation, using Binary Space Partitioning to split into sections (indicated with the shades of grey) and then rooms placed inside each section. The plan is to make the rooms varied shapes rather than just 4 sided boxes. Each room then gets joined together with its sibling and so on until there’s a playable map. More updates soon!

  • 23 Oct 2011

    Some shiny new tools

    I’ve been using a few new bits of software lately that deserve some love, so I thought I’d share a few links (sorry Windows fans, they’re for Mac).

    Sublime Text 2
    After being an avid Textmate user for a while now, a bunch of us at work recently switched over to using Sublime Text 2 instead, and so far it’s doing the job perfectly. A few features I like: split column views, ‘distraction-free’ mode, the autocomplete addon which scans your JS library to autocomplete your own objects, and generally it seems more stable when dealing with large files and projects.


    Sequel Pro
    For a long time I used web-based MySQL admin systems – phpMyAdmin at first, then SQL Buddy – but recently I’ve switched to a native application, Sequel Pro, which has some very nice features and the added bonus of being free to download. It does everything you’d expect in a database admin tool so I won’t list the obvious features, but it’s a very polished app and well worth a look.


    Crashplan
    Not quite a dev tool, but I bought a Crashplan subscription quite a while back now, and although I’ve (thankfully) never had to restore a dead computer, it’s been doing a great job of silently backing up all my worldly digital possessions onto their remote servers, ready for the day when my Mac Pro has had enough. Sure, Time Machine is good, and it’ll give you a simple way to restore a dead drive, but I get very paranoid about my data, and if the Time Machine drive got stolen or broke, then it’s gone. Crashplan gives you a way to back everything up remotely without that worry. They do a 10GB plan as well as Unlimited (yes, actually unlimited).

    At some point I’ll add commenting to this blog so anyone reading can actually contribute, as there’s probably a whole lot of apps I’ve never even heard of that some of you can’t live without.