Archive for the ‘Open Source’ Category

Mozilla’s Content Security Policy (CSP)

Tuesday, June 30th, 2009

I saw this post via Slashdot and can’t help but think it’s a little overkill?

Content Security Policy is intended to mitigate a large class of Web Application Vulnerabilities: Cross Site Scripting. Cross Site Request Forgery has also become a large scale problem in Web Application Security, though it is not a primary focus of Content Security Policy.

In an ideal world this would be great, but getting all the browsers on board and the feature implemented may take a while. I was thinking about this the other day and I don’t see why the browsers/W3C can’t standardise on some sort of tag or conditional comment that says “don’t execute any script in here”. This would be simple to use and surely simple to implement. Browsers already know what to do with <noscript>.

For example:

<dontexecutescript>
    <?php echo $this->escape($userProvidedContent);?>
</dontexecutescript>

Or:

<!--[dontexecutescript] -->
    <?php echo $this->escape($userProvidedContent);?>
<!--[dontexecutescript]-->

I’m no expert on XSS, but I’m pretty sure this would solve most of the issues encountered.

Update:

Okay, so one obvious problem might be that $userProvidedContent contains a closing </dontexecutescript> tag, but that’s just semantics. Unique identifiers for each block, ignoring tags that don’t match up; these browser developers are clever, they could come up with something.
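As an added illustration (not code from the original post), here is a server-side PHP simulation of the update’s “unique identifiers for each block” idea. The <dontexecutescript> tag is the post’s hypothetical proposal; the nonce attribute, the function names and the sample content are assumptions of this example, and PHP 7 or later is assumed. It shows why a fixed closing tag is not enough and why a per-block secret that the untrusted content cannot know is; CSP later standardised the same idea as script nonces.

```php
<?php
// Added example: simulation of the "unique identifier per block" proposal.
// <dontexecutescript> is the post's hypothetical tag; the nonce attribute,
// the function names and SAMPLE_CONTENT are assumptions of this example.

// Constructed user content that tries to terminate the block early and then
// smuggle a script element after it (the problem the update describes).
const SAMPLE_CONTENT = 'hello</dontexecutescript><script>/* smuggled */</script>';

// The post's first sketch: the same closing tag every time.
function wrapNaive(string $content): string
{
    return '<dontexecutescript>' . $content . '</dontexecutescript>';
}

// The update's idea: both ends of the block carry a secret chosen per render.
// (Real HTML end tags carry no attributes; a browser implementing the proposal
// would need its own marker syntax. This is only a simulation.)
function wrapWithNonce(string $content, string $nonce): string
{
    return '<dontexecutescript nonce="' . $nonce . '">'
         . $content
         . '</dontexecutescript nonce="' . $nonce . '">';
}

function newNonce(): string
{
    return bin2hex(random_bytes(16)); // 128 bits: unguessable by the content author
}

// Stand-in for what a browser honouring the tag would do: script elements
// inside a block are inert. "Inert" is modelled here by deleting them.
// Whatever the matcher decides is *outside* a block is left alone, which is
// exactly where a premature closing tag tries to put the smuggled script.
function neutraliseBlocks(string $html, bool $requireMatchingNonce): string
{
    $pattern = $requireMatchingNonce
        // the closing tag must repeat the opening tag's nonce (back-reference \1)
        ? '#<dontexecutescript nonce="([0-9a-f]+)">(.*?)</dontexecutescript nonce="\1">#s'
        : '#<dontexecutescript>(.*?)</dontexecutescript>#s';
    $inner = $requireMatchingNonce ? 2 : 1;

    return preg_replace_callback($pattern, function (array $m) use ($inner): string {
        return preg_replace('#<script\b.*?</script>#is', '', $m[$inner]);
    }, $html);
}

function containsScriptElement(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Run both variants over the same hostile content.
function demo(): array
{
    $nonce = newNonce();
    return [
        'naive_still_has_script' => containsScriptElement(
            neutraliseBlocks(wrapNaive(SAMPLE_CONTENT), false)),
        'nonce_still_has_script' => containsScriptElement(
            neutraliseBlocks(wrapWithNonce(SAMPLE_CONTENT, $nonce), true)),
    ];
}

print_r(demo());
```

With the naive wrapper the first </dontexecutescript> inside the content ends the block, so the script element lands outside it and survives; with the nonce the embedded closing tag does not match and is simply ignored, so the whole of the user content stays inside the block and the script element is removed. In the meantime, the $this->escape() call in the snippets above is still what actually protects the page.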

Rev=Canonical and all that Jazz

Wednesday, April 15th, 2009

If anybody missed it, the last few days have seen plenty of buzz around a new proposal on how to solve the problems with URL shorteners. I kind of got lost in all the different methods and proposals people are discussing, suggesting or implementing, but I went ahead and added some simple logic to lnkd.in to do an HTTP HEAD request to the given URL, looking for headers in a couple of the formats suggested. I figured that was going to get out of date pretty quickly, so I modified it to use the RevCanonical API, which seems to work pretty well, returning a rev=canonical URL wherever possible.

I also contributed a basic bit of code to Rob Allen’s Shorter Links plugin for WordPress, allowing users to specify a base URL, since davedevelopment.co.uk isn’t all that good for short URLs. Just need to upgrade the plugin and decide on a short domain for my blog now.

Update: registered daved.in, works a treat.
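Here is an added PHP example of the header-sniffing step described above; it is not the lnkd.in code, which the post does not show. Given the headers from a HEAD response and, as a fallback, the page’s HTML, it picks out a rev="canonical" short URL. The two formats it matches, a Link: response header and a <link rev="canonical"> element, are the ones being proposed at the time; the function names and the constructed sample inputs are assumptions of this example.

```php
<?php
// Added example, not the lnkd.in implementation. Sample headers and HTML are
// constructed; short.example is a placeholder domain.

const SAMPLE_HEADERS = [
    'Content-Type' => 'text/html; charset=utf-8',
    'Link'         => '<http://short.example/abc123>; rev="canonical"',
];
const SAMPLE_HTML = '<html><head>'
    . '<link rev="canonical" href="http://short.example/abc123" />'
    . '</head><body></body></html>';

// Only absolute http(s) URLs are acceptable as a short link. Anything else
// (javascript:, data:, relative paths) is dropped.
function acceptUrl(string $url): ?string
{
    $parts = parse_url($url);
    if (!isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Format 1:  Link: <http://short.example/abc123>; rev="canonical"
function revCanonicalFromHeaders(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Link') !== 0) {
            continue;
        }
        if (preg_match('#<([^>]+)>\s*;\s*rev\s*=\s*"?canonical"?#i', $value, $m)) {
            return acceptUrl($m[1]);
        }
    }
    return null;
}

// Format 2:  <link rev="canonical" href="..."> (attributes in either order)
function revCanonicalFromHtml(string $html): ?string
{
    $revThenHref = '#<link\b[^>]*\brev=["\']canonical["\'][^>]*\bhref=["\']([^"\']+)["\']#i';
    $hrefThenRev = '#<link\b[^>]*\bhref=["\']([^"\']+)["\'][^>]*\brev=["\']canonical["\']#i';
    if (preg_match($revThenHref, $html, $m) || preg_match($hrefThenRev, $html, $m)) {
        return acceptUrl($m[1]);
    }
    return null;
}

// Header first (cheap, no body needed), then the HTML, then our own short URL.
function shortUrlFor(array $headers, string $html, string $fallback): string
{
    return revCanonicalFromHeaders($headers)
        ?? revCanonicalFromHtml($html)
        ?? $fallback;
}

echo shortUrlFor(SAMPLE_HEADERS, SAMPLE_HTML, 'http://short.example/ours'), "\n";
```

One check worth adding in a real shortener: the site being shortened chooses the URL it advertises, so before handing an advertised short URL back to users, confirm (with another HEAD request) that it really redirects to the long URL you were given. Otherwise any page you are asked to shorten can make your service hand out a link of its choosing.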

Zend Framework and the Twitter API

Monday, October 13th, 2008

I wanted my new job website to post a tweet to twitter every time we approved a posting.

Zend_Service_Twitter looks like it will be fairly comprehensive, but it’s not in the core yet and is probably a little overkill for my simple use case.

I then had a look at Zend_Rest_Client, which just seemed to confuse me. I couldn’t actually get it to add the parameters I wanted to the call; I guess it’s better for interacting with Zend_Rest_Server or fully RESTful APIs.

To be fair, the manual actually states:

[Warning] Strictness of Zend_Rest_Client

Any REST service that is strict about the arguments it receives will likely fail using Zend_Rest_Client, because of the behavior described above. This is not a common practice and should not cause problems.

So here’s some simple code using Zend_Http_Client.

<?php
require_once 'Zend/Http/Client.php';

// One POST to statuses/update.xml per tweet.
$http = new Zend_Http_Client('http://twitter.com/statuses/update.xml', array(
    'maxredirects' => 0,
    'timeout'      => 10,
));

// The API authenticated with HTTP Basic auth.
$http->setAuth(
    'twitter_username',
    'twitter_password',
    Zend_Http_Client::AUTH_BASIC
);

$http->setMethod(Zend_Http_Client::POST);
$http->setParameterPost('status', 'Your status message');

// request() returns a Zend_Http_Response; check it rather than assuming success.
$response = $http->request();
if (!$response->isSuccessful()) {
    throw new Exception('Twitter update failed with HTTP ' . $response->getStatus());
}

?>

A step in the right direction

Tuesday, July 15th, 2008

At my current workplace, on a particular project we have not been allowed to use third party libraries, due to fears of licensing issues if and when we come to sell the product. The project is predominantly for the business, but it would be nice if we could convert the product into something we could market.

Despite multiple discussions and suggesting to management that open source software licensed under an MIT or BSD license would not have any implications, they would not have it. This has meant writing pretty much everything we need from scratch.

Recently, the managing director must have noticed the improved user experience the little bit of JavaScript we use brings to the product. In previous conversations, I’ve mentioned to the MD that JavaScript is an area the development team has little experience with, and this seems to have nudged him into letting us use a third party library or toolkit within the product. I spent a bit of time reviewing some of the frameworks and toolkits out there and it basically boiled down to going with Dojo. Most of the frameworks reviewed provide similar features; Dojo came out on top because of the BSD license, the recent announcement of a partnership with the Zend Framework and the added bonus of contributors having to sign a CLA. Looking forward to getting stuck into it and making our application a little easier on the eye.

The next task is to go about documenting the best way to include and use the toolkit in our application; I will write about it if I get the chance.

Fat Models and the Data Access Layer

Tuesday, June 17th, 2008

There’s been some discussion recently on why active record:

  1. Sucks
  2. Sucks – but not like that;
  3. Doesn’t suck

I like the active record pattern, so I don’t think it sucks, but I do think it’s used a little out of context sometimes.

If you’re building a small lightweight app, then I think using your data access layer as the M in MVC is a logical thing to do. It’s quick, it’s easy, and you can extend either your Active Record in Rails or your Table Data Gateway in the Zend Framework and you won’t go far wrong.

As soon as your app gets a little more complex, you might want to start creating custom models that contain more business logic than simply pulling from and pushing to the database. If your application is complex enough, chances are your model will need to interact with more than one database table, if not more than one database, so at this point, as Bill Karwin pointed out, your model should be using the DAL, not being the DAL. Loosening the coupling between model and DAL should also help with automated testing of the business logic, in that mock objects could replace the DAL.

The only problem is, I don’t know the best way to do it.

I’m currently learning the ways of the Zend Framework and would be interested to see what people think is the best way to implement this kind of complex model. I’m currently leaning toward something like this. I’ve included a Zend_Form object to show how the Persons model encapsulates more logic than just pushing to and from the database. I think the biggest benefit of Zend_Form is validating input, which I consider domain logic, so it should be part of the model. But I’m not sure of the best way to make things easily testable without pushing into the realms of fancy Dependency Injection and what not, which I’m not all that familiar with.

File: application/models/Persons.php

<?php

class Persons
{
    public function findByEmail($email)
    {
        $table  = self::getTable();
        $select = $table->select()
                        ->where('email = ?', $email);
        return $table->fetchAll($select);
    }

    public static function getTable()
    {
        // add some dependency injection?
        return new Persons_Table();
    }

    public static function getForm()
    {
        // add some dependency injection?
        return new Persons_Form();
    }

    // ...
}

File: application/models/Persons/Table.php

<?php

class Persons_Table extends Zend_Db_Table
{
    protected $_name = 'persons';

    // ...
}

File: application/models/Persons/Form.php

<?php

class Persons_Form extends Zend_Form
{
    // ...
}

At first it may seem that the Persons model just ends up acting as a proxy to the Persons_Form and Persons_Table, but once you start writing methods that use both together, you’ll start seeing fatter models and thin controllers, which is all good.

This really is a request for comments, as I’m personally not sure about the best way to go about this. It would be interesting to hear how any of the people using the MVC part of the Zend Framework in the real world go about this.
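As one possible answer to the “add some dependency injection?” comments in the Persons model, here is an added PHP example; it is not the post’s code and not Zend Framework API. It shows constructor injection without any container: the model depends on a small PersonsGateway interface, the application passes an adapter around the post’s Persons_Table, and tests pass an in-memory fake, so the business logic runs without a database. The interface, the fake, the adapter and the register() method are assumptions of this example, and the Zend_Form validation is stood in for by filter_var() so that the file runs on its own (PHP 7.4 or later assumed).

```php
<?php
// Added example: constructor injection for the post's "fat model".
// PersonsGateway, InMemoryPersonsGateway, DbPersonsGateway and register()
// are assumptions of this example, not Zend Framework classes.

interface PersonsGateway
{
    /** @return array rows as associative arrays */
    public function findRowsByEmail(string $email): array;
    /** @return int primary key of the inserted row */
    public function insertRow(array $row): int;
}

// What the application would inject: a thin adapter around Persons_Table
// (a Zend_Db_Table). Declared here for illustration, only usable where Zend
// is loaded; the demo below never instantiates it.
class DbPersonsGateway implements PersonsGateway
{
    private Zend_Db_Table_Abstract $table;

    public function __construct(Zend_Db_Table_Abstract $table)
    {
        $this->table = $table;
    }

    public function findRowsByEmail(string $email): array
    {
        $select = $this->table->select()->where('email = ?', $email);
        return $this->table->fetchAll($select)->toArray();
    }

    public function insertRow(array $row): int
    {
        return (int) $this->table->insert($row);
    }
}

// What a test injects: no database, just an array.
class InMemoryPersonsGateway implements PersonsGateway
{
    private array $rows = [];

    public function findRowsByEmail(string $email): array
    {
        return array_values(array_filter(
            $this->rows,
            fn(array $r) => strcasecmp($r['email'], $email) === 0
        ));
    }

    public function insertRow(array $row): int
    {
        $row['id'] = count($this->rows) + 1;
        $this->rows[] = $row;
        return $row['id'];
    }
}

class Persons
{
    private PersonsGateway $gateway;

    public function __construct(PersonsGateway $gateway)
    {
        $this->gateway = $gateway;
    }

    // The domain logic the post wants in the model: validate, enforce the
    // uniqueness rule, then persist. In the real app the validation would be
    // Persons_Form; here filter_var() stands in so the example runs alone.
    public function register(string $email, string $name): int
    {
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid e-mail address');
        }
        if ($this->gateway->findRowsByEmail($email) !== []) {
            throw new DomainException('e-mail address already registered');
        }
        return $this->gateway->insertRow([
            'email' => strtolower($email),
            'name'  => $name,
        ]);
    }

    public function findByEmail(string $email): array
    {
        return $this->gateway->findRowsByEmail($email);
    }
}

// Test-style usage with the fake: exercises the rules, touches no database.
function demo(): array
{
    $model = new Persons(new InMemoryPersonsGateway());
    $id = $model->register('Alice@Example.com', 'Alice');
    try {
        $model->register('alice@example.com', 'Alice again');
        $duplicateRejected = false;
    } catch (DomainException $e) {
        $duplicateRejected = true;
    }
    return [
        'id'                 => $id,
        'duplicate_rejected' => $duplicateRejected,
        'found'              => count($model->findByEmail('alice@example.com')),
    ];
}

print_r(demo());
```

In production the controller (or a small factory) does `new Persons(new DbPersonsGateway(new Persons_Table()))`; the model itself never calls `new` on a table or form, which is the whole of the dependency injection needed here. The interface is also where a later move to a second table or database can be hidden from the model.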