

gizmola

Member Since 06 May 2003
Offline Last Active Aug 23 2016 11:23 PM

#1535873 TWIG Security

Posted by gizmola on 10 August 2016 - 12:10 AM

Twig code is compiled into php code, at least when used in a symfony project. There is absolutely no way you should have twig template files under the web root as Jacques commented earlier. Quite frankly with a front controller, there is really no code other than the front controller and static assets that should go under the webroot.


#1534061 delete all but latest 6 rows

Posted by gizmola on 27 June 2016 - 11:02 PM

I tested my query before posting - it does work. Provided it is unique, you can substitute the timestamp for the id.


Hey Barand,
My comment was addressed to the original post, not to your answer. I actually didn't see your answer until after I had posted --- we were posting at approximately the same time I guess.


#1533487 Laravel ORM (Eloquent) and the real world

Posted by gizmola on 08 June 2016 - 04:06 PM

My experience mirrors Kicken's. I had worked on a large symfony1 app, as well as a big ZF1 project, before symfony2 and ZF2 became things.
I used various database libraries and ORMs on those projects, Propel for the Symfony1 project as I recall.

At that time Doctrine1 existed, and then the symfony2 project came out with a much higher binding to Doctrine2, in borrowing some of the things that the Doctrine2 people had created for annotation and event handling.

Whenever you are dealing with an ORM it takes a bit of time to change your thinking, because ORMs are concerned with "objects" and not tables. Often that is advantageous (see Kicken's example Doctrine2 code) and once you start to use all that baked in goodness you really come to appreciate what it can do for you.

With that said, it is not always the most efficient code, nor memory friendly, and people that just want to write raw sql have a hard time dealing with it. To have it work properly you have to design your tables and relations the right way, and it helps save time if you use their conventions, or you have to do extra configuration.

Instead of thinking about the relationships between tables, you have to think about the relationships between objects, and the ORM will often have default behavior that tries to do all sorts of things that make it simple for you to deal with data, but sometimes you realize that it's doing lots of queries you don't want it to do.


Ok, so much of that has to do with doctrine2 and symfony2, which I used on a project to build a pretty complicated (not to mention supposedly scalable) social network application that included social graphs and lots of the stuff you expect in those types of apps. We also threw in MongoDB and built a hybrid app where some of the data was in a relational store, and some data was in mongo.
Doctrine2 allows you to use the same basic model and repository classes which was very helpful in stitching everything together.

I also have worked on several Laravel projects, and Eloquent has similar capabilities, but is far less ambitious.

To understand Eloquent, the main thing you need to know is that the goal of Eloquent is to implement ActiveRecord. ActiveRecord is a design pattern proposed by Martin Fowler where there's more or less a one-to-one relationship between a class and a table, and each object represents a single row in a table. You then have methods like $obj->save(). My take on Eloquent is that it does the bare minimum to be an Active Record implementation, and there's nothing wrong with that approach. Like most ORMs it has a querybuilder component that often strikes people who are used to hand crafting their SQL as being an annoyance and not worth the trouble.

However, once your application begins to get more complex and you have components that implement pagination and integrate with caching libraries, and in general becomes more sophisticated, you start to see the value of having an ORM that often supports and integrates with the component libraries.


#1527737 Morfy Website

Posted by gizmola on 09 December 2015 - 05:18 PM

Flat files for content management? Really?

For a lot of mostly static sites, this could be a great solution that removes the need for databases and subsequently caching etc.

There are also small footprint embedded systems and kiosks that might make use of this.

At the end of the day, if the CMS is well done, other storage engines could be added using plugins I suppose.




#1527736 Morfy Website

Posted by gizmola on 09 December 2015 - 05:16 PM

Hi Sergey,

This looks like an amazing project. Your site is really slick and modern, and I see that you've made it responsive.

While it looks great there are a few small concerns I have:

Check this 403 I got, not sure why: https://sidecar.gitt.../sidecar.js.map

When you first hit the site, it's not immediately obvious that you can scroll down to see the real meat of the site. While the universe and subtle animation is cool, I'd be worried about the marketing aspect of it more. At the bottom I'd really want to have some visual clue that was less subtle that ensured the user will scroll down to see the other sections.

I would also suggest a couple of additions:

  1. A section that lists features of the CMS that are focused on end-user functionality rather than the nicely done list of design and technology features you already have.
  2. A screenshot gallery of administration and basic screens
  3. A gallery of sample templates/sites using morfy.

Overall, the site is already a great representation of the project and your github integration is nicely done.

Just out of curiosity, why did you integrate the fenom templating engine rather than twig or blade?




#1527732 Ticket reservation system, array assistence needed

Posted by gizmola on 09 December 2015 - 04:50 PM

Hey Barand,

Seems from the post there are no rows, so you only have to deal with gaps.

@jiros1:

Seems like these are your requirements:

  1. There are only seat numbers (not rows) so I only have to make sure that the seatnumbers are assigned to the guests as close as possible.
  2. ... fit the number of visitors in between the seats that are already taken. If there are more seats available then I have to assign the lowest seatnumber.
  3. If there is no room for the visitors to sit to each other then I have to look elsewhere, where to fit them. (E.g: if there is no room for 7 visitors to each other then I have to find a place where there can be 6 and the 7th will sit elsewhere.)
  4. If it's not possible I'll return null instead of the array.

I can't think of any specific array functions that will help you with this other than array_merge for building the initial master seating array from the list of reserved seats and the entire theater. What does occur to me is that a data structure that stores seat openings from first to last might be helpful. If you generated something like this:

$gaps[] = array('start' => 1, 'end' => 4, 'count' => 4);

Then you could traverse that looking for blocks of seats that are >= the size you need.

Obviously your function would need to traverse the master array once it's loaded with reservations and generate the $gaps array.
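As an added example (my code, not part of gizmola's post or jiros1's project), here is one way to generate the $gaps structure described above and use it to place a party: the lowest-numbered gap that fits, a split across gaps when no single gap fits, and null when the theatre cannot hold them at all. It assumes PHP 7.4+, seats numbered 1..$totalSeats and a plain list of reserved seat numbers; the function names are mine.

```php
<?php
// Added example, not gizmola's code. Seats are assumed numbered 1..$totalSeats;
// $reserved is a list of seat numbers that are already taken.

/**
 * Return runs of free seats as ['start' => n, 'end' => n, 'count' => n],
 * ordered from the first seat to the last.
 */
function findGaps(int $totalSeats, array $reserved): array
{
    $taken = array_fill_keys($reserved, true);   // master seating map keyed by seat number
    $gaps  = [];
    $start = null;
    // Loop one past the last seat so an open run at the end is closed too.
    for ($seat = 1; $seat <= $totalSeats + 1; $seat++) {
        $free = $seat <= $totalSeats && !isset($taken[$seat]);
        if ($free && $start === null) {
            $start = $seat;                          // a new run of free seats begins
        } elseif (!$free && $start !== null) {
            $gaps[] = ['start' => $start, 'end' => $seat - 1, 'count' => $seat - $start];
            $start = null;                           // the run ended at the previous seat
        }
    }
    return $gaps;
}

/**
 * Seat $needed guests: first the lowest-numbered gap that holds all of them;
 * otherwise fill the largest gaps first so the party is split as little as possible.
 * Returns the seat numbers, or null when there are not enough free seats.
 */
function assignSeats(int $totalSeats, array $reserved, int $needed): ?array
{
    if ($needed < 1) {
        return [];
    }
    $gaps = findGaps($totalSeats, $reserved);
    foreach ($gaps as $gap) {                        // gaps are in seat order: first fit is lowest
        if ($gap['count'] >= $needed) {
            return range($gap['start'], $gap['start'] + $needed - 1);
        }
    }
    // No single gap is big enough: take whole gaps, biggest first, then the remainder.
    usort($gaps, fn($a, $b) => $b['count'] <=> $a['count']);
    $seats = [];
    foreach ($gaps as $gap) {
        $take  = min($gap['count'], $needed - count($seats));
        $seats = array_merge($seats, range($gap['start'], $gap['start'] + $take - 1));
        if (count($seats) === $needed) {
            sort($seats);
            return $seats;
        }
    }
    return null;                                     // the theatre cannot hold the party
}

// Constructed sample: 12 seats, seats 5, 6 and 10 already reserved.
$reserved = [5, 6, 10];
print_r(findGaps(12, $reserved));         // gaps 1-4 (4 seats), 7-9 (3), 11-12 (2)
print_r(assignSeats(12, $reserved, 3));   // [1, 2, 3]: lowest gap that fits
print_r(assignSeats(12, $reserved, 7));   // [1, 2, 3, 4, 7, 8, 9]: split over two gaps
var_dump(assignSeats(12, $reserved, 10)); // NULL: only 9 seats are free
```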




#1527354 Getting statistics from 3 different tables using foreign keys

Posted by gizmola on 30 November 2015 - 08:25 PM

Here's the group by example, just for reference:

SELECT m.gender, COUNT(*) AS countOf
FROM team_players AS tp
LEFT JOIN teams_info AS ti ON (ti.team_id = tp.team_id AND ti.entry_year = 2015)
LEFT JOIN members AS m ON (m.members_id = tp.members_id)
GROUP BY m.gender;



#1527332 Preventing emails being sent from website with user's FROM email from ini...

Posted by gizmola on 30 November 2015 - 06:34 PM

Hi NotionCommotion,

Just to clarify, what you are doing, albeit for ostensibly understandable reasons, is one or both of "spoofing" or "relaying", which are considered highly undesirable by spam classification systems.

They also, depending on the implementation, open your site up to blacklisting, because nefarious individuals often exploit these features, which used to be common but are now considered a "really bad idea", to send spam using your systems.

So first relaying:

When you are the Mail transfer agent (MTA) for a domain or even several domains, that is something that is configured in DNS, in your MTA settings, and typically has SPF and DKIM settings wired in. These are things the sysadmin configures, and there are also reverse DNS settings that come into play.

In summary, the only emails your MTA is supposed to send on your behalf are emails from user@yourdomain.xyz. If your MTA sends out emails or relays emails from user@someotherdomain.com, then you are "relaying" emails for that domain, and that is not supposed to be possible, and is an exploitable problem that degrades email for everyone. That will get you on blacklists.

I'm not sure how you are sending out emails, as it is possible to send them directly from an app server, but that is also a great way NOT to get your emails delivered. Sure they will go out and even be received by some sites, but many more will blackhole your emails (receive and silently delete them) or grade them with high spam scores that are sent to the end user's spam box. You can also, again, get your site on blacklists for doing this.

You should only send email out via a valid MTA for your domain!

Many sites also, often by necessity, use remailing services, especially if they are hosted on cloud services, as many of these services (AWS for example) severely limit the number of emails that can be sent out of their network directly via SMTP protocol.

The one trick that people often try and use to get around the problem without entirely violating the rules and spoofing the from address, is to send emails out as a valid user for your domain, but add the "from user" as the reply-to email header. I know that's not what you're trying to do, but it is about all you are typically allowed to do without raising your spam score to the "this is spam" level of most classification systems.

I know this is not what you wanted to do, but you simply cannot spoof a from address and send it out of your domain and not suffer repercussions that will at the very least have the majority of your emails going into the receiver's spam box, or more often than not, simply rejected or silently deleted.

This is because spoofing from addresses is harmful to the email ecosystem at large, and is a huge red flag for spam classification systems. It can also cause the receiver's system to erroneously spray error replies to domains that had nothing to do with the email, not to mention the fact that inherently you are not able to prove to anyone that the email address you are claiming the email is coming from is actually the person who owns the email in question.

This is one reason why the good old html mail tag causes the browser to invoke the user's configured mail client, so that they can send emails out through their own system, as it is the only way to legitimately do what you're hoping to accomplish and have it taken seriously by the receiving email systems.

Sorry to be the bearer of the bad news, but the bad people ruined email for the rest of the world a long time ago.
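An added example (not from the post) of the reply-to approach described above, in PHP: the From header stays on the site's own domain and the visitor's address goes only into Reply-To, after validation so that a submitted address cannot carry extra header lines into the message. The domain, the function names and the contact-form input are assumptions; it expects PHP 7.4+ and mail() handed to a valid MTA for your domain.

```php
<?php
// Added example, not gizmola's code. Assumed site setting: the one sender
// address your MTA is configured (SPF/DKIM) to speak for.
const SITE_FROM = 'contact@yourdomain.xyz';   // placeholder domain, as in the post

/**
 * Build the message headers. Returns null if the visitor's address is unusable.
 * FILTER_VALIDATE_EMAIL rejects anything containing CR/LF, which is what an
 * attempt to smuggle an extra header (e.g. Bcc:) through the form would need.
 */
function buildContactHeaders(string $visitorEmail, string $visitorName): ?array
{
    $email = filter_var(trim($visitorEmail), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Strip control characters and quotes from the display name so it cannot
    // break out of the Reply-To header line either.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $visitorName);
    return [
        'From'         => SITE_FROM,                              // always our own domain
        'Reply-To'     => sprintf('"%s" <%s>', $name, $email),    // the visitor
        'Content-Type' => 'text/plain; charset=UTF-8',
        'X-Mailer'     => 'PHP/' . PHP_VERSION,
    ];
}

/**
 * Send the form message to the site owner. The visitor's free text only ever
 * goes into the body, never into a header.
 */
function sendContactMail(string $to, string $subject, string $body,
                         string $visitorEmail, string $visitorName): bool
{
    $headers = buildContactHeaders($visitorEmail, $visitorName);
    if ($headers === null) {
        return false;                 // refuse rather than send a malformed header
    }
    $lines = [];
    foreach ($headers as $key => $value) {
        $lines[] = $key . ': ' . $value;
    }
    return mail($to, $subject, $body, implode("\r\n", $lines));
}

// Constructed sample input, as a contact form would submit it.
print_r(buildContactHeaders('someone@someotherdomain.com', 'Some One'));
// From: contact@yourdomain.xyz, Reply-To: "Some One" <someone@someotherdomain.com>
var_dump(buildContactHeaders("x@example.com\r\nBcc: other@example.com", 'x')); // NULL
```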




#1527331 a little help please

Posted by gizmola on 30 November 2015 - 06:12 PM

No, I'm sorry, I thought display_form() was a predefined function, sorry.

No, sure isn't. Keep in mind you can always use the php.net site. It supports a rewrite for every function via http://php.net/function_name. So for example:

http://php.net/date_format

Worth trying when in doubt.




#1526215 Controller or Model

Posted by gizmola on 11 November 2015 - 07:43 PM

It really depends on the capabilities of the Model system you are using. If it was for example, something like Symfony2 and Doctrine2, the typical answer would be that the validation rules are attached to the model. Of course with that said, form processing rules can get quite complicated, and since the form object lives and dies inside the controller, you will typically have the actual validation check occurring specifically in the controller logic.

Something like:

if ($form->validate()) {
    // Persist the data
    // Redirect as desired
} else {
    // Redirect back to the form, adding the error data
}



#1526211 PHP with Java | C/C++ | Python

Posted by gizmola on 11 November 2015 - 07:37 PM

I'm not going to go into the "which is best" question. The answer always depends on a lot of variables that are typically unique to the circumstance. Obviously c++ is often used for compiled software, and java is often used due to its availability on a platform (Android for example) or in the enterprise where one or more application servers are desired.

In my experience, for server side web development, Python, Ruby, PHP, Java and Node.js are all popular choices that typically come down to the preference of the Lead developer.

In terms of intermixing languages, specifically with PHP one popular way to do that is to use Gearman. For example, I worked on a project where there was a computation engine written in Java. The website MVC and additional computation and presentation code was created in PHP using a popular PHP framework. PHP utilized gearman to send data to the Java computation processes as needed (this had to do with crunching large amounts of historical stock price information) and received the results back for presentation within the PHP framework.

You can also build your own queueing pub/sub applications using many different technologies, and achieve similar separation of work. This type of architecture is frequently used where scalability is a significant concern. An example might be a system like Youtube, where the video encoding or post processing is going to be separated from the front end, and clustered. The clustering and DevOps scaling will be separated from the web application code, and since processing of that type is cpu and IO intensive, you won't have that code running on the same server(s) where the PHP code resides.




#1522147 Open sourcing a website, good idea or?

Posted by gizmola on 02 October 2015 - 07:15 PM

Thank you guys SO MUCH for your help and for being so nice to explain the Git stuff ! Unfortunately my hosting doesn't support Git, however I will start to study it ( for now I only know as much as to publish and commit repositories in GitHub ) and I will try to kick FTP and use Version Control.
 
Thank you again to all of you!


Start by installing on your workstation and using git for your development work. You can also set up a free account on bitbucket, that will allow you to make private repositories. You can utilize it as a free backup.

-Develop locally, git commit your code each time you have a working build
-Git push to your bitbucket remote


Doing this will get you started and familiar with git as well as giving you the benefit of having change control of your projects. Many a person has accidentally deleted or overwritten an important file. Git will bail you out on those mistakes. It also helps you diff so you can see what you changed revision to revision.


#1520348 Open sourcing a website, good idea or?

Posted by gizmola on 06 September 2015 - 03:49 AM

Git is one of the most important software development technologies to emerge in the last decade. Its pervasive use has given rise to github, and it has basically taken over version control, as well as vastly improving the effectiveness of open source projects.

Yes version control is indispensable in my opinion, not to mention something that differentiates professional developers from hobbyists.

It's also an excellent tool for pushing code to production, especially for small companies.


Old way:

Develop (locally perhaps?)
Figure out manually how many scripts were changed.
Use some tool to FTP files. Do you trust file stamps? Maybe use ftp tool, and pray that you don't have a burp in the middle.
Oh crap! It's not working, did we miss a file? Sit down and try and get it working again by manually going through the list of files trying to remember what exactly you changed.

With Git:

Develop, iterate, push to git branch. For simplicity/1 person you can just use master branch.
Time to deploy? -> git pull (on production machine). Did something go wrong? Git is atomic -- all files will be deployed or none.
Something wrong? git checkout {previous commit#} We are back to where we were, and you can relax and figure out what went wrong on dev!


And of course version control answers questions for you along the way like-- what did I change last month in that module? Did that other programmer add a regression, even though he said he didn't change anything? What is the change history of this file?

Just an amazing tool, from Linus Torvalds, that when all is said and done, will probably be more important to the future of software engineering than Linux.


#1520199 Open sourcing a website, good idea or?

Posted by gizmola on 03 September 2015 - 04:51 PM

For those employers putting weight on things like this, you get more credit for contributing code to other projects.

Don't get me wrong, if you want to be good at something like using git for VC, you have to actually use it, so you could make a bitbucket account and store your full site code in a private repo, and I'd suggest that you do so, but not for the benefit of potential employers.


#1519292 Refactoring Code: does the concept of refactoring exist purely because human...

Posted by gizmola on 20 August 2015 - 01:16 AM

Here's what often happens:

You join a company/project that is trying to build some software to do a number of things, as set out in the goals/design/specifications.

You break things up into tasks and different members of the team start working on them.

Frequently there is a framework being used, and hopefully some conventions, but frequently there is a lot of uncertainty.

People start plowing away, and the way Programmer A does things vs. Programmer B might be substantial.

Now you have 2-3 semi-working pieces of the product and you start looking at the code, and right away it's obvious that this code was produced by two different people.

As "hypothetically" I might have been one of the people involved, even as I was coding my piece, I realized along the way that there were some things my code did where, given more time, I might have made it more reusable, or had a better design, so if I'm lucky I might have stashed a few comments or TODOs in my code.

Now we're on to more items, and programmer 2 is doing something very similar to the first item, and there's a lot of copy and pasting involved.

We do some code reviewing, and it's clear to everyone that this is not DRY. There is a lot of code being repeated.

Programmer 3 just joined, and now has to do something very similar to what Programmer 1 did, and I did, but the problem is, that even though they are similar items, the team has not agreed which is the best way to do it, so Programmer 3 basically has to just pick someone to emulate (if we're lucky) or maybe decides that everyone else was an idiot and does the new component in a completely different way than the two previous components.

The PM and QA are reviewing things, and everyone is super excited because we're only three weeks behind the original schedule (of completion in 6 hours) and the system basically seems to do the things that it was supposed to do.

The only problem is, that the underlying code now looks like it was assembled by a chimp with ADD, and there are 12 new features planned for next week....

If you're lucky, maybe there's a lead dev, who goes in and adds a couple of much needed unit tested components, and redoes one of the sections, and this then becomes "the reference" for how to do something similar.

If you're lucky, there are some design patterns being used.

If you're lucky there are code reviews.

If you're lucky people go back before anyone notices and refactor things to be consistent.

If you're lucky you have appropriate roles and responsibilities and some division of labor.

Programmers that care about the overall quality of the underlying design, or are incented to ensure it has minimal bugs, or have to maintain it or keep it running are going to be interested in refactoring.

Then there are situations where someone is brought in to start working on legacy code, and they realize that what they've just been assigned to work on is a rat's nest of rotten spaghetti, and those three things that "the old guy never got around to adding but should be easy right?" are actually close to impossible to add given the original architecture (or lack thereof) and the fact that doing just about anything to it has the potential to create side-effects that will break unknown areas of the system, causing everyone to question the new programmer's basic competence.

No, I would not say that refactoring is related to understanding someone else's code, and thus used as an excuse because you can't understand what they were thinking.