<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.1.3" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>J_K9 @ Linux</title>
	<link>http://wolphination.com/linux</link>
	<description>J_K9</description>
	<pubDate>Sun, 18 Nov 2007 01:25:12 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.1.3</generator>
	<language>en</language>
			<item>
		<title>Open Source Project Management: Common&#160;Pitfalls</title>
		<link>http://wolphination.com/linux/2007/09/19/open-source-project-management-common-pitfalls/</link>
		<comments>http://wolphination.com/linux/2007/09/19/open-source-project-management-common-pitfalls/#comments</comments>
		<pubDate>Wed, 19 Sep 2007 14:16:03 +0000</pubDate>
		<dc:creator>J_K9</dc:creator>
		
		<category><![CDATA[Programming]]></category>

		<category><![CDATA[Software]]></category>

		<guid isPermaLink="false">http://wolphination.com/linux/2007/09/19/open-source-project-management-common-pitfalls/</guid>
		<description><![CDATA[Many people have innovative ideas about projects they would like to implement but simply do not have the programming expertise to realise them. So, in order to produce the application and still guide its development, they turn to the Open Source community for help.
I am such a person. I have a lot of experience with [...]]]></description>
			<content:encoded><![CDATA[<p>Many people have innovative ideas about projects they would like to implement but simply do not have the programming expertise to realise them. So, in order to produce the application and still guide its development, they turn to the Open Source community for help.</p>
<p>I am such a person. I have a lot of experience with web development, but when it comes to developing software for the desktop I am absolutely hopeless. The Open Source community, however, has many individuals&mdash;developers&mdash;who are willing to give up their free time to help a worthy cause and to build the codebase for such applications under the guidance of a project manager. This is advantageous for both parties because the project manager gets to realise his creative concept and the developers receive some fame and recognition for their work, particularly in the Open Source community. They may also be offered incentives such as a share of the donation money, a steady source of income out of gratitude for the work they have accomplished.</p>
<p>However, many Open Source projects fall apart before they see the light of day, mostly due to management reasons. You are receiving this directly from someone who has had an Open Source project disintegrate (by the name of <a href="http://hyper-get.org">HyperGet</a>) and has had to pick up the pieces, so the common pitfalls listed below are frighteningly genuine and happen to the most motivated of project managers. They all, ultimately, result in <strong>developer dropout</strong> and thus the death or dormancy of the project.<br />
 <a href="http://wolphination.com/linux/2007/09/19/open-source-project-management-common-pitfalls/#more-197" class="more-link">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://wolphination.com/linux/2007/09/19/open-source-project-management-common-pitfalls/feed/</wfw:commentRss>
		</item>
		<item>
		<title>The Problem With PHP Application&#160;Security</title>
		<link>http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/</link>
		<comments>http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comments</comments>
		<pubDate>Sat, 13 Jan 2007 20:40:06 +0000</pubDate>
		<dc:creator>J_K9</dc:creator>
		
		<category><![CDATA[Security]]></category>

		<category><![CDATA[PHP]]></category>

		<guid isPermaLink="false">http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/</guid>
		<description><![CDATA[PHP application security and the vulnerabilities which are often found in PHP apps have already been discussed at length. PHP is a great language, but it suffers in that it provides no simple method of escaping special characters when handling input and thus leaves many budding programmers&#8217; web applications vulnerable to remote file inclusion (RFI) [...]]]></description>
			<content:encoded><![CDATA[<p>PHP application security and the vulnerabilities which are often found in PHP apps have already been <a href="http://www.securityfocus.com/columnists/427">discussed at length</a>. PHP is a great language, but it suffers in that it provides no simple method of escaping special characters when handling input and thus leaves many budding programmers&#8217; web applications vulnerable to <a href="http://lwn.net/Articles/203904/">remote file inclusion</a> (RFI) exploits, <a href="http://en.wikipedia.org/wiki/XSS">Cross Site Scripting</a> (XSS), <a href="http://en.wikipedia.org/wiki/SQL_Injection">SQL injection</a> and a host of other remote exploitation techniques which may allow the attacker to steal confidential data (such as clients&#8217; credit card details), disrupt services and cause many other problems. These techniques allow the attackers to use the web application to do things it was not originally designed for.</p>
<p>The programmer in question can be blamed to a certain extent for not reading up on how to secure their web application, but the problem is that many new programmers are not aware of the fact that they need to escape and clean the data they receive from the application&#8217;s inputs in order to stop it from doing what it was not designed to do. They are probably unaware that such types of attacks exist anyway. However, PHP provides limited, complex and slightly obscure functions to secure input handling which are usually insufficient and lack the functionality required to prevent certain attacks. Worse still, many books and tutorials written to teach people with no previous experience how to code in PHP usually omit secure data handling techniques or tips, and provide examples throughout the book/tutorial which are vulnerable to the attacks mentioned above! This is irresponsible on the authors&#8217; part: it&#8217;s no wonder that PHP application vulnerabilities accounted for <a href="http://www.securityfocus.com/news/11430">43% of the security issues found in 2006</a>.</p>
<p>However, all hope is not lost. The <a href="http://www.owasp.org/index.php/Main_Page">Open Web Application Security Project</a> (OWASP) have produced a set of <a href="http://www.owasp.org/index.php/OWASP_PHP_Filters">PHP filters</a> which allow the newest of PHP programmers to secure their input data handling methods. Doing so is as simple as <a href="http://sourceforge.net/project/showfiles.php?group_id=64424&#038;package_id=106757">downloading the filters</a>, including them in the web app (with a command such as <em>require_once('sanitize.inc.php')</em>), storing the input into a variable and then sanitizing the data as shown on the <a href="http://www.owasp.org/index.php/OWASP_PHP_Filters">project&#8217;s homepage</a>.</p>
<p>It would be better if the PHP developers added functions such as OWASP&#8217;s PHP filters into the PHP code itself and if the authors of PHP instruction material added sections on securing input handling, but these filters are far better than nothing <img src='http://wolphination.com/linux/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /></p>
]]></content:encoded>
			<wfw:commentRss>http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Breathing Life Back Into&#160;HyperGet</title>
		<link>http://wolphination.com/linux/2007/01/12/breathing-life-back-into-hyperget/</link>
		<comments>http://wolphination.com/linux/2007/01/12/breathing-life-back-into-hyperget/#comments</comments>
		<pubDate>Fri, 12 Jan 2007 20:18:37 +0000</pubDate>
		<dc:creator>J_K9</dc:creator>
		
		<category><![CDATA[Linux]]></category>

		<category><![CDATA[Ubuntu]]></category>

		<category><![CDATA[Programming]]></category>

		<guid isPermaLink="false">http://wolphination.com/linux/2007/01/12/breathing-life-back-into-hyperget/</guid>
		<description><![CDATA[Some of you may have heard of a project I started over a year ago called HyperGet. What you may not know is that it died in the cold of January 2005 - all but two developers lost contact with the rest of the team (and have not replied since), and the project lost its [...]]]></description>
			<content:encoded><![CDATA[<p>Some of you may have heard of a project I started over a year ago called <a href="http://hyper-get.sf.net/">HyperGet</a>. What you may not know is that it died in the cold of January 2005 - all but two developers lost contact with the rest of the team (and have not replied since), and the project lost its direction completely as the Lead Developer was one of those who left. However, against all odds, it&#8217;s under development again and we&#8217;re hoping to release v0.1 (with fairly minimal features) in a few weeks&#8217; time. The description on the <a href="http://hyper-get.sf.net/">project&#8217;s homepage</a> is a little out of date, as its functionality has changed, as has the way in which Xiro (the application which downloads the files) interacts with the PC without internet access. How has it changed? Well, just before the project died, I contacted the excellent developers of Synaptic and the Lead Developer agreed to consider implementing Fido (the package management and dependency resolving part) once v0.1 of Xiro was out. Whether the Synaptic team still want to implement Fido I don&#8217;t know, but I&#8217;m keeping my fingers crossed! It has been a year since we were last in touch, after all.</p>
<p>Although the <a href="http://www.freestandards.org/en/Packaging">LSB Packaging group</a> is working hard to produce a universal package format to make it easier for third-party developers to distribute packages, I suspect it shall be at least another few months (if not longer) until such a package format and its related management system appear and are implemented by most Linux distributions. So, HyperGet will be safe until then - and, after that, we may even be able to alter HyperGet to work with that package format instead of the current .deb, although that will depend on the specification of the package format and management system (ie. how dependencies are handled) that the LSB create.</p>
<p>And, before I finish, I must give my thanks to <a href="http://sourceforge.net/users/llamalove/">llama love</a> (now HyperGet&#8217;s Lead Developer) for inspiring me and for working so diligently on our project. Keep up the great work <img src='http://wolphination.com/linux/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /></p>
]]></content:encoded>
			<wfw:commentRss>http://wolphination.com/linux/2007/01/12/breathing-life-back-into-hyperget/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Project X In Full&#160;Throttle</title>
		<link>http://wolphination.com/linux/2006/12/18/project-x-in-full-throttle/</link>
		<comments>http://wolphination.com/linux/2006/12/18/project-x-in-full-throttle/#comments</comments>
		<pubDate>Mon, 18 Dec 2006 02:07:35 +0000</pubDate>
		<dc:creator>J_K9</dc:creator>
		
		<category><![CDATA[Sites]]></category>

		<category><![CDATA[Programming]]></category>

		<category><![CDATA[PHP]]></category>

		<guid isPermaLink="false">http://wolphination.com/linux/2006/12/18/project-x-in-full-throttle/</guid>
		<description><![CDATA[I&#8217;m currently working on a commercial web project (written in PHP, of course) which will be released at 00:00 GMT on the 25th December. I shall earn 50% of the profits (booyah :P) which, considering that it was my idea and I both designed and coded it is not a bad deal! Hehe&#8230; In case [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m currently working on a commercial web project (written in PHP, of course) which will be released at 00:00 GMT on the 25th December. I shall earn 50% of the profits (booyah :P) which, considering that it was my idea and I both designed and coded it, is not a bad deal! Hehe&#8230; In case you&#8217;re wondering who the remaining 50% will go to, it will go to my father who has funded the project (by renting a <a href="http://mediatemple.net/webhosting/dv/">(dv) server</a> from <a href="http://mediatemple.net/">(mt)</a>, purchasing the SSL certificate, <strike><a href="http://haveamint.com">Mint</a></strike> (I paid for that) and a laptop to code it on) and managed the business side of things (such as setting up a bank account for the project and touching up the legal documents which I had drafted).</p>
<p>I can&#8217;t reveal too many details (ie. anything), so I&#8217;ll just say this: I thought of it by following some advice I read somewhere - by lying down on a sunbed with my notepad and a pen and just waiting for the thought to hit me.. Oddly enough, it did, and from there I developed the idea into a grander project.</p>
<p>I haven&#8217;t finished coding it yet and I&#8217;ve only got seven days until it debuts - crap, I better get coding <img src='http://wolphination.com/linux/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /></p>
]]></content:encoded>
			<wfw:commentRss>http://wolphination.com/linux/2006/12/18/project-x-in-full-throttle/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Converting HTML To&#160;BBCode</title>
		<link>http://wolphination.com/linux/2006/03/07/converting-html-to-bbcode/</link>
		<comments>http://wolphination.com/linux/2006/03/07/converting-html-to-bbcode/#comments</comments>
		<pubDate>Tue, 07 Mar 2006 21:01:26 +0000</pubDate>
		<dc:creator>J_K9</dc:creator>
		
		<category><![CDATA[PHP]]></category>

		<guid isPermaLink="false">http://wolphination.com/linux/2006/03/07/converting-html-to-bbcode/</guid>
		<description><![CDATA[I am currently learning PHP, so I set out to write an application which would convert my HTML-coded tutorials into BBCode suitable for forums. It goes without saying that my code failed miserably. I was not too far off though; I got the general gist of it. So, I decided to ask the wonderful guys [...]]]></description>
			<content:encoded><![CDATA[<p>I am currently learning PHP, so I set out to write an application which would convert my HTML-coded tutorials into BBCode suitable for forums. It goes without saying that my code failed miserably. I was not too far off though; I got the general gist of it. So, I decided to ask the wonderful guys and gals on the &#8216;General user&#8217; <a href="http://www.php.net/mailing-lists.php">PHP mailing list</a> (which, by the way, <u>means</u> what it says about being of very high volume!), and they came up with a solution.</p>
<p> <a href="http://wolphination.com/linux/2006/03/07/converting-html-to-bbcode/#more-77" class="more-link">(more&#8230;)</a></p>
]]></content:encoded>
			<wfw:commentRss>http://wolphination.com/linux/2006/03/07/converting-html-to-bbcode/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
