Secure PHP

For all of you out there who are writing PHP code, I suggest reading Writing secure PHP and its part 2 by Dave.

I also strongly recommend using something like the quote_smart function described in the PHP documentation (scroll down to example 3) whenever user input ends up in an SQL query, for example when saving it in the database.
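To make the recommendation concrete, here is an added example of the idea (it is neither the post's code nor the PHP manual's). It is written against mysqli, since the mysql_* extension that the manual's quote_smart used no longer exists in current PHP, and the comments table and its columns are made up for illustration. The helper returns plain numbers unquoted and escapes and quotes everything else, exactly the job quote_smart does; the prepared-statement function beside it is the route to prefer where it is available.

```php
<?php
// Added example (not from the post or the PHP manual): an escaping helper in
// the spirit of the manual's quote_smart, written against mysqli. The table
// and column names below are invented for illustration.

// Return $value as a fragment that is safe to splice into the text of an SQL
// statement: plain numbers unquoted, everything else escaped and single-quoted.
function quote_smart(mysqli $db, $value): string
{
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    // Strings that look like plain integers or decimals may stay unquoted.
    // is_numeric() is deliberately avoided: it also accepts "1e3", leading
    // whitespace and (in old PHP versions) hex notation, which would then
    // reach the query both unescaped and unquoted.
    if (is_string($value) && preg_match('/^-?\d+(\.\d+)?$/', $value)) {
        return $value;
    }
    // real_escape_string() escapes according to the connection's character
    // set, which is why the connection is passed in; addslashes() does not
    // and is not a substitute.
    return "'" . $db->real_escape_string((string) $value) . "'";
}

// Escaping route (what the post recommends). Every value that is embedded in
// the SQL text goes through quote_smart; nothing is concatenated raw.
function insert_comment_escaped(mysqli $db, $author, $body): bool
{
    $sql = sprintf(
        'INSERT INTO comments (author, body) VALUES (%s, %s)',
        quote_smart($db, $author),
        quote_smart($db, $body)
    );
    return $db->query($sql) === true;
}

// Prepared-statement route. The values never become part of the SQL text, so
// there is no escaping decision left to forget or get wrong.
function insert_comment_prepared(mysqli $db, string $author, string $body): bool
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    return $stmt->execute();
}

// Example call (connection parameters are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'blog');
// insert_comment_prepared($db, $_POST['author'], $_POST['body']);
```

Two caveats a practitioner should keep in mind. The manual's version also undid magic_quotes_gpc with stripslashes() before escaping; that step is omitted here because magic quotes were removed from PHP long ago, and doing it on a current PHP version would strip legitimate backslashes from the input. And escaping of this kind only protects values that end up inside quotes: table or column names, ORDER BY targets and similar identifiers cannot be escaped this way and must be validated against a whitelist instead.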

The importance of writing secure code cannot be emphasized enough. Even if you’re writing a helper application for yourself, someone, somewhere might try to crack it. And practising secure programming in even small projects will help you when you work on larger and more important projects. It’s all about the discipline.

Summer is coming…

… accompanied by devils and dust.

Jalo in a cloud of dust

A dusty Flippe

As you can see, we were out with the boys and ended up with two very dusty Flat-Coated Retrievers. For once, Kassu was the cleanest of the bunch. At least there’s still some snow on the ground in which the dogs can clean themselves. Until the lakes melt and it’s time to swim.

Congratulations to all of the Kuukkeli winners.

Trusting prospective employers

I’ve been following the job market in ICT here in Finland for quite some time. Because most of the open positions have been in the Helsinki area, I was positively surprised to see several open positions here in Joensuu. While I read through the position descriptions in the paper I noticed the familiar name of an ex-boss. He was the CEO of a company that went (practically) bankrupt. It got me thinking about how previous experiences with people and their web presence are used in establishing credibility and trust.

The company that I worked for was a typical startup of the nineties and the dot-com bubble. Lots of money flowing in from venture capitalists and fast-and-furious spending. As was the case when the bubble burst, we noticed that we didn’t have enough real customers and that expenditures were way too high. So the lay-offs started. At this point I should mention as a disclaimer that I was laid off in one of the final rounds.

I feel that the CEO and management of the company were very much responsible for the bankruptcy. Of course, in every company the ultimate responsibility lies with the management and board, but the dot-com bubble gave many people a handy way out — it was the market’s fault. The scariest part about it all was the way management and marketing kept spinning words and phrases so that nothing seemed to be wrong and we had many good customers who paid us a lot of money. They were quite good with their shovels.

Now I see a company with the same CEO and immediately my suspicions are triggered. The position that’s open is interesting, and the previous relationship I’ve had with the CEO would give me visibility for pay increases and promotions, but I can’t help thinking that the position should be avoided at all cost. So I turn to the web to see what the new company is doing and whether it is in any way viable.

So, type the company name into Google and see what results are obtained. A Google search doesn’t find the company’s own site, just some descriptions of presentations the CEO has given at industry events. It now seems that the new company is working on mobile stuff (same as the previous one) and interactive television. Now red flags start popping up all over my head, especially after reading the synopses of the presentations.

I can hear the same marketing-speak that I remember hearing several years ago. Sure, the buzzwords have changed, but the content is too similar; too filled with castles built in the clouds. I decided to still give the company the benefit of the doubt and looked at the Finnish company registry (YTJ) and found the email address of the CEO (why wasn’t it in the position listing, I wonder). Using the domain of the email address as a web address worked – now I had the company pages open.

The company web site was full of the typical corporate speak that most company sites are. We build great products, have an excellent team of professionals and management that knows what they are doing, and we have values. The product descriptions were sketchy at best, and the only customer they have listed is a TV channel (which is also mentioned in a recent press release). None of this instills any confidence in me.

I’m still wondering why one company’s site can increase my confidence in them while another’s just decreases it. Am I just prejudiced because of past experiences and mentions of technology that I don’t like? I don’t know, but I’d like to know what kinds of experiences others have had in the same way. How can a corporation create a website that fosters trust in prospective employees?

And BTW, the O’Reilly Radar has a good piece on marketing speak on the back-cover of books.

A decade (or so)

During the last couple of months I’ve written several versions of my resume for various job applications. Some of these I’ve submitted, some I haven’t, and some I’m still thinking about. But in all of them I’ve noticed one recurring theme. It’s already a bit over a decade since I made my first web page.

Try as I might, I can’t remember exactly when my first foray into HTML and web development was submitted to public scrutiny. I remember that it was in the autumn of 1994 when a friend of mine got his own server on the University of Joensuu’s network and gave me a user account on it (it was an old DEC). Initially I used it for email and IRC, but soon I heard of this new thing called the World Wide Web. I was a senior in high school at the time. And one of the class nerds (both of us are in IT still).

It’s an odd feeling to be under thirty and think back on the old days. I won’t say good old days. But there is a lot of Internet history that I remember. But what I remember most is when I really started to fiddle around with web development and tried to figure out what can and can’t be done with HTML. At that time HTML 2 was out, HTML 3.2 was being worked on and emerging, and Internet Explorer 3.0 was already making a mess of things. Yes, we’re talking about late 1996/early 1997 here.

Even then I felt that open standards such as those created by the W3C were the only way to go. After all, I was living strongly in Linux land at the time and none of the fancy plugins were available to me (even though they were created for Netscape). The browser wars were a no-brainer for me. My choice was clear — Netscape and later on Mozilla. Yes, I compiled the first versions available — no, I haven’t hacked at the code.

From Mozilla I switched to Galeon and back to Mozilla several times. I tested Opera every now and then (but it had those stupid ads…). When Phoenix first came out I tested it and went back to whatever I was using at the time. When Phoenix changed to Firebird I was just about ready to switch. Slightly before the change from Firebird to Firefox I made my final switch to the current browsing configuration I have now: Firefox for everything except the odd test in Internet Explorer (various versions).

I was active in upgrading my browser to the latest version available – if only to try to get CSS support to work a bit better. I remember working on my first CSS sites in 1998 and cursing the stupid browsers that didn’t support it well enough. I’ve been an early adopter all the time and learned the standards the hard way: by reading the specs and trial-and-error.

I won’t even go into all of the various versions of my homepages that I’ve built. The first version was very early-web: a single picture of me and some text with links. When I started browsing the web more, the number of links increased and there was even some more content. Back then no-one really cared about privacy so much — usernames and finger data were readily available. I also remember the days of table-based layouts (out of necessity, see above) and images as menu buttons. And weird backgrounds. But I was never guilty of Comic Sans or blinking text. I do have some sort of taste ;)

The current wave of CSS-based design with clean and usable interfaces is a joy for me. I still cringe at the thought of most sites in the late 90s. The web has come a long way in the last decade — both content and design wise. I can’t wait to see what the next decade will bring. And maybe I’ll get my fingers and brain in gear and do something about the future myself as well.

More Internet Explorer on Linux

Because I’m lazy and don’t like switching computers to test my web development work, I’ve been playing around with Internet Explorer on Linux a bit more. As I’ve already noted, the Sidenet configuration utility works well for installing IE 6.

But unfortunately web development still requires testing with older IE versions so I finally got around to testing the well-known tutorial on getting several different IE versions to work on the same computer. I used the packages provided by Ryan Parman to simplify the process. By following the directions you’ll get the different versions installed.

I tested them and although the About dialog always shows the same version number (6.0…), server logs show that different IE versions were used. There are also subtle differences in the layout they produce, so everything should be fine in that respect. I did note an interesting bug though: the output of phpinfo() just shows the table boxes with all of the colors and such, but all of the text is missing. I wonder if the same problem persists on Windows as well?