PHP Is Better Than PHP Coders Make It Seem... Isn't It?

by Andrew Barber 1. February 2010 12:11

PHP is not my first choice when creating a web application, but I am frequently called upon to work with an existing app that was created in it. I know that there is no reason to think that PHP coders are any 'worse' than any others overall, but the realities are such that when my creative/marketing agency clients had to find someone to create a web app for their clients before they knew me, they took what they could find.

So, first: I can't recall the last PHP app I've worked on after someone else which did not have obvious SQL Injection vulnerabilities in it. Pretty much every SQL command is built by concatenating strings, and if we're lucky, some attempt is made to escape some of the input, some of the time. I cannot count on one hand the number of times in the last year I've been asked to fix an error in an app that was discovered when someone typed in a value that had a single-quote in it. I've also seen too many apps that set a simple session cookie value (such as a cookie "Admin" with the value "1") to denote that someone has logged in to the CMS.

I can understand how it happens that someone is lazy or ignorant, and things like the above happen. But something I came across last week flabbergasted me. So much so that I had to wonder: is there something I'm not seeing here?
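The two patterns the post describes, SQL built by string concatenation and a bare "Admin=1" cookie standing in for a login, each beside a hardened form, as an added example that is not code from the original post. It assumes a PDO connection and a hypothetical users table with a password_hash column, and that session_start() has already been called.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection $db and a
// hypothetical table users(id, username, password, password_hash, is_admin).

// 1. Vulnerable: the query text is assembled from raw input. A username such as
//    admin' -- ends the string literal early and comments out the password check.
function findUserVulnerable(PDO $db, string $username, string $password): ?array {
    $sql = "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement keeps user input out of the SQL text entirely,
// and the password is checked against a stored hash rather than compared in clear.
function findUserHardened(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare(
        'SELECT id, username, password_hash, is_admin FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password; caller treats both the same
    }
    return $row;
}

// 2. Vulnerable "logged in" marker: a plain cookie that any client can set by hand,
//    so the CMS trusts a value it never issued.
function markAdminVulnerable(): void {
    setcookie('Admin', '1');
}
function isAdminVulnerable(): bool {
    return isset($_COOKIE['Admin']) && $_COOKIE['Admin'] === '1';
}

// Hardened: the privilege flag lives in server-side session state; the browser only
// holds an opaque session id. Regenerating the id at login defeats session fixation.
// Requires session_start() (ideally with httponly/secure cookie params) beforehand.
function markAdminHardened(array $user): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['is_admin'] = (bool) $user['is_admin'];
}
function isAdminHardened(): bool {
    return !empty($_SESSION['is_admin']);
}
```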

More...

Whose Facebook Is It Anyway?

by Andrew Barber 9. January 2010 16:26

In talking with various business relationships I have who have gotten into social networking sites like Facebook recently, one common series of complaints involves all of the 'fluff' that can be found there. Invites to multiple games each day; their home page feed littered with updates from these same games, or other apps they simply are not interested in. One worry of mine, personally, is that these complaints seem to be of the, "if I can't figure out this stuff, I'll probably stop using Social Networking altogether" variety.

So I've been planning a simple blog post to detail some of the tools Facebook provides to help here. But then today, I came across a Blog challenge from Tim Ford, otherwise known as the SQL Agent Man (link). The Blog entry was titled, "Whose Blog Is It Anyway?" (link) and the challenge is inspired by the game "Scenes From a Hat" from the improv show "Whose Line Is It Anyway?". I considered starting over and writing something else but then I thought to myself, I've started, so I'll finish!

More...

HTTPS Web Sites: Just One Per IP?

by Andrew Barber 14. December 2009 07:06

I came across a post the other day where someone stated a misconception: that you can only host one HTTPS web site per IP address available on a server. I think most fairly experienced web server admins know that this is not actually the case, and also know why the misconception came to be. Most web server documentation I've seen tells one how to exceed that false limit, but of course it does not say so in exactly so many words!

Like pretty much everyone else who was ever a teenager, when someone says, "you can't do this", I want to know why. And I want to know why for the same reason I wanted to know why, as a teenager, I could not stay out past X time: so I can find a way around it. The long-and-short of the story is this: the actual limit for HTTPS sites is one per TCP socket (IP address plus port), not one per IP address. So, for every combination of IP address and TCP port, an HTTPS site can be hosted. Note that Host Headers have nothing to do with this. However, for a number of public uses of HTTPS sites, varying the standard TCP port is not a good option, meaning the "one HTTPS site per IP" is still an effective standard.

More...

Add/Remove Programs Cleaner Rescues (Kills!) Orphans

by Andrew Barber 13. November 2009 00:34

Sometimes a software uninstall might not complete fully on a Windows system, and you'll be left with an entry in Add/Remove Programs, even though the program files are no longer present. Attempting to remove the program from that list again sometimes will generate an error, and the entry will not be removed, leaving you with an annoying orphan. IntelliAdmin has a freeware program called Add/Remove Programs Cleaner (link) which removes entries from that list.

Important Note: This tool does not do anything toward actually uninstalling a program's files, shortcuts, or registry or profile data. It only removes the item in the Add/Remove Programs list, and it should only be used on a program which you know has been uninstalled, but which Windows won't remove from the list when you try via the normal means.

The Cleaner works on Windows NT, 2000, XP, 2003, 2008 and Vista, and may work on Windows 7; I believe it does not work on Windows 98 (seriously, you aren't still using that, are you?) It does not require an installation; it is simply a single executable file that you run.

SQL Server Won't Start Up Automatically

by Andrew Barber 11. November 2009 08:30

I've had a recurring issue with a client's web server and its locally installed instance of SQL Server (2005 Express in this case, but the issue applies to all versions of 2005 and 2008). The behavior was that the service would fail to start automatically once the system was rebooted, but once I connected via the RRAS VPN and then Terminal Services for remote management, the service would start up just fine. The Windows Event Log had the following SQL Server error messages, immediately back-to-back in order (SQL Server itself has the same messages in its own logs):

- Server failed to listen on x.x.x.x <ipv4> xxxxx. Error: 0x2741. To proceed, notify your system administrator.
- TDSSNIClient initialization failed with error 0x2741, status code 0xa.
- TDSSNIClient initialization failed with error 0x2741, status code 0x1.
- Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
- SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.

The server was configured to listen on only certain IP addresses, on port xxxxx. 127.0.0.1 was the primary address for the local web sites to use, and x.x.x.x was the private IP address assigned to the RRAS server; this was for remote management of the SQL Server via the VPN connection. Hopefully your light bulb is going off over your head more quickly than it did mine!

More...

Regionerate Helps Keep C# Code Clean

by Andrew Barber 13. October 2009 05:06

Regionerate is an open-source add-in for Visual Studio which enables developers to easily apply code layout rules in C# source. I've been using it for a few months now, and have found it to be incredibly useful, with only two issues: one not really even worth mentioning, but the other could be a problem for some.

First, though: what it does! From the Regionerate Introduction page:

Regionerate is an automated tool which helps you to preserve your code's layout over time. Regionerate lets you define regions in your code and determine the way members (fields, methods, properties etc.) should be placed inside them.

Regionerate is a zero-friction tool - when setting up, you can choose a Code Layout (the way you want your code to look) or just use the default Code Layout. From that moment on, Regionerate will make sure your code follows that Code Layout.

More...

Breaking Visual Studio 2008 Intellisense for Fun and Profit

by Andrew Barber 17. September 2009 17:47

So, I can get pretty aggravated by the most simple things!

I was doing some coding in Visual Studio 2008, and suddenly found that Intellisense was not working on the StreamReader object instance I was coding. I verified that I had declared the object correctly: it was a very small and simple bit of code which read a text file line-by-line. Not only that, the code compiled and worked.

When you frequently code in VS, the Intellisense popup can become like an old friend. It pops up and disappears constantly as you type code. Even when you don't need it to know what members an object has, its constant flicker lets you know you are doing OK.

This is the code I was working with:

More...

A Few Lessons Learned as a Freelance Web Developer

by Andrew Barber 30. August 2009 13:39

So, it's been roughly two years now since I 'officially' became a web developer for hire. Formerly, my development work was either not web-related, or it was for my employer or my own business/personal projects. In that time, I've learned some lessons. I post them to remind myself of these lessons, mostly. But if you come across this, and learn something from it - I'll be very happy to have done some good.

Background

My work for hire has been almost exclusively for micro-to-small businesses or organizations. Most of the time, I am working for entities where a very small number of persons have the ability to approve things. Every client of mine I can think of right now has between 1 and 100 employees, with the average probably being 10. I mention this because this is going to make a difference in my thoughts and advice.

The type of web development work I do could be summed up as developing web sites with custom Content Management Systems (CMS). I generally provide end-to-end service; including hosting, administration, database design and development, and the like. I do not do design myself; I am either hired to work with a design provided otherwise, or I secure the services of a designer to provide that. I usually do the 'cut up' of a design into XHTML/CSS, and everything thereafter.

More...

First Impressions; Verizon HTC Ozone

by Andrew Barber 12. July 2009 10:52

I got my grubby paws on a brand-new Verizon HTC Ozone at the local Alltel-turned-Verizon store on Friday, three days before the official brick-and-mortar store release date of tomorrow. It has been for sale online since the 29th, and we're not exactly talking about an Apple iPhone or Palm Pre here, so it just took a small amount of whining to get it. The Verizon store being swamped with folks taking advantage of the special deals to switch their Alltel accounts to Verizon (our situation) probably helped, too.

The Ozone is a down-to-business Windows Mobile 6.1 smartphone made for those who, like me, might have been considering something like a Blackberry Pearl for Verizon's 3G EVDO rev A network. However, it's known as a 'World Phone', which apparently means that it also works on GSM, GPRS and EDGE networks. Also radio-related: it is Wi-Fi enabled, so you can connect to a wireless computer network (802.11b/g) if, for example, the EVDO signal is not available (or if you happen not to have a data plan).

More...

Sometimes Standards Matter; GET and POST, and WebApp Security

by Andrew Barber 29. June 2009 12:04

I have read, very conservatively speaking, at least 200 books about web-based programming frameworks and languages. I won't even try to put a number on how many web pages/sites I've read on the topics. Through that time, I've seen mentions of the basic difference between GET and POST requests as it relates to web applications. As a side-note, a few comments are usually made concerning the security implications. Many of those brief remarks are, IMHO, not especially helpful. In essence, those remarks often boil down to, "GET is less secure because the data is visible on the query string". I say 'not especially helpful' here, rather than 'patently incorrect', because one could make a somewhat convoluted case that what the authors are talking about sort of means the same thing I'm about to write about. But I think it's too clear that they mean the statement literally - that the fact that a user can 'see' the query string is the cause for concern, as opposed to the fact that POST data is not visible in a web browser.

More...

Why Eels?

No one can really be certain. But those slimy underwater critters obviously have something going for them!

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent the views of employees, contractors or clients of Inkwell Creative Group, LLC in any way.

© Copyright 2008, 2009 Andrew Barber