MiracleBlue's Awesome Blog!

Over the last few days, I’ve been toying around with the Kohana PHP Framework.  I’ve attempted to learn various PHP frameworks on many occasions, but I always seemed to lose interest because of too much documentation, or a lack of documentation, or just being forced to add too much complexity to an otherwise simple web application.  For the first time, however, I’ve managed to get the hang of one, and as a learning exercise, I turned my personal website into a Kohana application.

One of the features I wanted was to have a single controller that was able to send the full HTML page (with header, navigation, content view and footer) to the client on regular (non-AJAX) requests, or switch to a simple JSON response containing just the new content for AJAX requests.  This is just a short example of how I was able to implement template switching in my main controller so my alternate JSON template would be used when a request was done via AJAX.

PLEASE READ THIS FIRST! We’re going to assume you understand about Kohana template controllers.

My two template views

First we’ll have a look at the HTML template with the full header, navigation & footer.  This is the one I will use when responding to all normal non-AJAX requests.  I simply named it template.php, and it’s located in application/views/miracleblue.

<!DOCTYPE html>
<html>
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title><?php echo $title ?></title>
		<?php foreach ($styles as $file => $type) echo HTML::style($file, array('media' => $type)), PHP_EOL ?>
		<?php foreach ($scripts as $file) echo HTML::script($file), PHP_EOL ?>
    </head>
    <body id="body" class="bgimage">
		<div style="width: 1px; height: 1px; position:absolute; display: block; overflow: auto;" id="preload">
			<img src="/blue_eyes_fade_title.jpg" onload="$(function(){imagesLoaded();});" />
		</div>
		<div id="loader" style="text-align: center;margin:auto;margin-top:300px;display:none;">
			<img src="/ajax-loader.gif" />
		</div>
		<script type="text/javascript">$("#loader").css("display","block");</script>
		<div style="width: 900px; margin: auto; height: 500px;" id="wrapper">
			<div id="nav" class="bgshadow">
				<?php foreach ($nav as $key=>$link) : ?>
					<a href="/<?php echo $key; ?>" class="<?php echo $link['class']; ?>"><?php echo $link['title']; ?></a>
				<?php endforeach; ?>
			</div>
			<div id="content" class="bgshadow">
				<div id="inner-content">
					<?php echo $content; ?>
				</div>
			</div>
			<div id="info">
				<a href="http://www.soundcloud.com/miracleblue" tip="Soundcloud"><img src="/orange_white_24.png" /></a>
				<a href="http://www.myspace.com/miracleblue" tip="Myspace"><img src="/myspace-icon24.png" /></a>
				<a href="http://www.facebook.com/miraclebluemusic" tip="Facebook"><img src="/facebook_icon.png" /></a>
				<a href="http://www.beatport.com/artists/miracleblue" tip="Beatport"><img src="/beatport_icon_24.png" /></a>
				<a href="http://itunes.apple.com/artist/miracleblue/id409867809" tip="iTunes"><img src="/itunes_icon_24.png" /></a>
			</div>
		</div>
		<script type="text/javascript">$("#wrapper, #content").css("display","none");</script>
    </body>
</html>

As you can see, it’s the full page.  It includes the header, footer, and everything in-between, renders it, and sends it to the client.  This is what gets sent when any normal request comes in.  However, when a request is received that contains the “Ajax” header (X-Requested-With: XMLHttpRequest), the main HTML template is swapped out for a really basic JSON template, that includes only the new page “title”, a “name” of the page (that corresponds with the relevant link in the navigation bar), and the new content html (which is a rendered view) to be put in the “inner-content” element.  Here’s an example of a fully rendered JSON packet.

{
	"name": "about",
	"title": "MiracleBlue - About Me",
	"content": "<p>This is some body content, to go in the page.<\/p>"
}

And here’s the template file, simply named ajax_template.php, in the same folder as the main template file.

<?php
    header("Content-Type: application/json");
    echo json_encode(array("name" => $name, "title" => $title, "content" => $content));
?>

That should be pretty self-explanatory.  The javascript that makes the AJAX request also processes the returned JSON accordingly.  You would, naturally, implement your own processing routines, so we won’t be going into that here.

Switching the template

The way to do this conditional template-switching is actually very simple, but I haven’t seen this technique documented anywhere, so someone who is still new to the Kohana framework (like me) may be hesitant to try figuring it out on their own, just in case it goes horribly wrong and – you know – accidentally brings on the apocalypse and the end of mankind (hey, it could happen!).

So, to avoid that, let me show you exactly how it’s done.  In your template controller class (the one that extends Controller_Template), you should have defined a public variable $template that points to your main HTML template view file.  This will be the default template view for all normal requests.  In your before() method, at the very start of the method before any other code, is where the template switch happens.  Then in your after() method, you need to manually call render() on your content view.  Here’s an example of what mine looks like.

<?php
	defined('SYSPATH') or die('No direct script access.');

	class Controller_Miracleblue extends Controller_Template
	{

		// Define our default HTML template
		public $template = 'miracleblue/template';

		public function before()
		{
			// Switch template to JSON version if request is AJAX
			if ($this->request->is_ajax())
			{
				$this->template = 'miracleblue/ajax_template';
			}
			// NOW we can call the parent method
			parent::before();
			// And do other stuff
			if ($this->auto_render)
			{
				// Do stuff here
			}
		}

		public function after()
		{
			// Manually render the string of the inline view on AJAX requests
			if ($this->request->is_ajax()) {
				$this->template->content = $this->template->content->render();
			}
			// Otherwise, continue as normal
			else {
				if ($this->auto_render)
				{
					// Do stuff here
				}
			}
			parent::after();
		}
	}
?>

There you go.  The paths to your template files should be modified accordingly to your own filenames and paths, of course.  It is very important to note that you NEED to call render() manually in your after() method.  This will convert the HTML view for your inline content into a string, which is then fed to the json_encode() function in your AJAX template.  Leaving this out could result in the end of the world, so don’t forget

Photo by transCamOh, hello there!  I bet you thought you’d never see another blog post on here again, didn’t you?  Thought I had abandoned this blog for good?  Well, quite frankly, so did I for a little while.  The good news is, we were both wrong!

This is just a short example on the basic usage of the jQuery Address plugin by Asual, which provides AJAX applications with deep-linking and state/history management.  If you have ever come across this plugin and tried to figure it out, chances are you found the official documentation to be of little or no help.  You are not alone.  I had been wanting to integrate it into my personal website – for which I required deep linking and state management – for about a week.  Finally, yesterday, I became determined to figure out enough about how the plugin worked in order to get the functionality I needed out of it.

In my website, I wanted to use jQuery Address for deep-linking and history management, but I also wanted it to take advantage of HTML5′s new pushState method in browsers that support it, and only use location.hash as a fallback method for dynamically changing the displayed URL (jQuery Address supports both these methods).  The reason I want to avoid using hashed URLs for deep-linking when possible is because the only way to read any data contained in a hash segment is with Javascript.  This is because the hash segment of a URL is not visible to the server; only the browser can use it.  Therefore, having a hashed URL requires the user to have javascript enabled in order for the application to know what content the user is requesting.  I know some of you are probably asking why we should care about users who don’t enable javascript in their browsers, however that is not the point of this blog post.

What I wanted to achieve

I have a main navigation bar with a set of links which point to real URLs which I want to load dynamically via AJAX when clicked.  Since they are real URLs, they point to real content, and can be loaded directly without AJAX.  My server-side logic will return a full HTML page for normal requests, and JSON-encoded data containing only the dynamic content to be inserted into the page for AJAX requests.

Loading the plugin

In order to enable jQuery Address to use HTML5 pushState functionality, we need to set one of the plugin’s configuration parameters called “state”, which points to the base path of your website or application.  In this case, my base path is the webroot “/”.  You can set this and other configuration parameters in query-string format, like so:

<script type="text/javascript" src="jquery.address.js?state=/"></script>

The code that makes it happen

Here’s an edited snippet of the code that I wrote for my site that makes it all happen, explained step-by-step in the comments:

$(document).ready(function(){
	// Add jQuery Address functionality to the links in the navbar
	$("#nav a").address();
	// Our event responder that triggers whenever the address is changed (including on first load!)
	$.address.change(function(event) {
		// Set shortcut to URI value
		var uri = event.value;
		// Run ajax call and get JSON data
		$.getJSON(uri, function(data){
			// All parsing and processing of returned data should happen here
		});
	});
})

Voila!

You can see a live, working example of the code and how I have implemented it over on my main website.  Feel free to take a look at the full code, which is in the main.js file.

I hope this helps you to have a basic understanding of how to make this plugin Just Work™ so you can start using it.  As always, leave questions and feedback in the comments!

Hey guys!  Long time no post.  A few months back I was coding a small unrelated project when I got somewhat bored and noticed I had a page with a lot of black text that wasn’t really doing much of anything.  Suddenly I had this idea in my head: Why not give the text a pretty gradient colour scheme?  It could even follow your mouse when you hover your text over it!

So that’s exactly what I did.  I borrowed some RGB/Hex conversion math from the internets and spent about an hour coding a totally useless algorithm that gives your text a gradient colour scheme that follows the mouse on hover.  Cool, huh?

Check the demo here: http://www.miracleblue.com/colourify.html

In this new age of social media and the internet, web applications have fast become the primary computing platform, and with this change has come new and better ways to write those applications.  The rise of PHP and Javascript is in full swing!  However, because of how easy it is to pick up these languages and start writing very powerful applications with very little training, the new generation of programmers lack sufficient knowledge in securing their own programs, leaving the doors wide open for even the most basic of attacks to gain access to critical systems and data that need to be protected.

The problem lies in the mindset of the programmer.  When you’re thinking in code, your brain has routines for finding patterns and structures to estimate the outcome of an algorithm.  These routines are constantly being run as you code, determining the best solution for a set of given problems (fulfilling the purpose of your program) that also meets certain requirements (e.g: low memory footprint, result caching, or whatever.)  Most novice programmers, when setting out to develop an application, don’t include security in the list of requirements when creating their solution algorithms.

Most people when starting off believe that the key to being a good programmer is to *think* like a programmer.  In fact, most people in general will agree with that logic.  I’m here to tell you that’s exactly what you shouldn’t do, ever.  A programmer’s primary goal is to get something to *work*.  As long as it works, you’ve done your job.  The problem with focusing on getting something to work means you’re only seeing the perspective of what the computer is doing, and this is a bad thing.  The computer on which your application runs is predictable – the human beings that will be using your application are *not*.  You must NEVER trust that any user is going to do what you expect them to do when using your application.  When your application wants a number from the user, assume it is going to be given everything but a number.  You must think like someone who wants to break your program; you must think like a hacker.

The Practical Stuff

Okay, so, let’s begin with some very basic things that all PHP programmers MUST know and MUST make a habit of.  Number one, sanitizing SQL inputs.  I know that to many of you this might seem like one of those “No, duh, you think?” things, but believe it or not there are a ridiculous amount of sites that suffer from the problem of simply NOT SANITIZING SQL.  Also, to those shouting “BUT WHAT ABOUT MAGIC QUOTEZ?!”, NO!  Bad dog!  Magic quotes will not save you!  What happens if you move to a system which doesn’t have Magic Quotes, and you’ve developed that habit of using it to sanitize?  What happens if your code gets ported to such a system?  Game over, that’s what, and you’ll have no one to blame but yourself.

Example 1:

If you still think that the code above is perfectly fine to use, go back to the top of this document and read everything again.

Problem: In this example, you have a blog site or news site which stores posts in a MySQL database, in a table named “items”.  Each news item has an incrementing “id” field.  Your code is supposed to take a number from the get variable “itemid”, and search the “items” table for a row with that corresponding number as it’s id, and then retrieve the row.  What’s the issue here?  Well, for starters, what happens if anything other than a number is the value of the get variable?  What if the value were “zomgwtfbbq”?  Then the sql query would become “SELECT * FROM `items` WHERE `id` = zomgwtfbbq”.  Or what if the value were “1 OR 1=1″?  It would become “SELECT * FROM `items` WHERE `id` = 1 OR 1=1″.  Do you see the problem?  EVEN IF you had Magic Quotes on, you’re STILL screwed because you haven’t put quotes around the value in the query because you’re expecting an integer!  But that doesn’t matter, you should never rely on Magic Quotes, ever.  EVER.

Solution: First of all, you should ALWAYS enclose any user-supplied input data within your query string in single quotes, since everything within those single quotes will be interpreted only as data and NOT as SQL commands, EVEN when expecting an integer.  Second of all, ANY time you are using ANY USER-SUPPLIED DATA in your query, you must ALWAYS use the mysql_real_escape_string function on that data before it is inserted into the query string.  The reason for this is so that if a user tries to break out of the quotes by entering “1′ OR 1=1″ as the itemid, the ‘ will be escaped properly, preventing the “OR 1=1″ part from being interpreted as SQL commands.

This is the way that code SHOULD be written:

As you can see in the above example, I have also included a check to make sure that the $itemid is an integer (contains ONLY digits, no other characters).  This is probably the most important habit for any programmer: always make sure the data you receive is the data you’re expecting. Any experienced programmer in any field will tell you this is one of the golden rules of good code.  Here we used a built-in function of PHP called ctype_digit to verify that $itemid contains only numbers.  In PHP, the “ctype” set of functions are an invaluable tool in verifying data, and you should check them out in the documentation.

Example 2:

Let’s say you’ve decided to use PHP includes as an easy way of having separate pages.  Each page has it’s own content, but you want certain bits of content/code to be shared across *all* pages without having to write it out multiple times for every page.  Each page is stored in separate .php files, with one index.php file which will load pages specified in the url.  Many beginners often use a method of solving this problem similar to this:

Problem: Raise your hand if you can see what’s wrong here and why.  Anyone?  Yes, you, up the front row!  Oh, that’s just my ridiculously good looking reflection in the mirror, my bad.  What’s wrong here is that the file path is being provided by the user, completely unfiltered and unmodified.  Why is that bad?  The user can cause your script to execute ANY FILE ON THE SYSTEM!  Still unsure?  Those familiar with Linux-based web servers should know that Linux account passwords are stored in the /etc/passwd file.  This is a plain text file which only the “root” user can access.  If, for example, your instance of Apache/PHP is running with privileges that allow the accessing of said passwd file, a user can then cause your script to print out the contents of the entire passwd file, and it’s game over.  All one would need to do is put “/etc/passwd” as the value for “page” in the url (example: www.yoursitename.com/index.php?page=/etc/passwd), and the ENTIRE SYSTEM is compromised.  If it still hasn’t clicked in your mind just how catastrophically bad that is, go back to the top of this document and read everything again.  Do not pass go, do not collect $200.

Never, and I repeat, NEVER allow the user to specify a path on the local file system, or a file name of a file on the local file system.  Ever.  You might be thinking “But what if I just appended it to the end of a path string?  Won’t that restrict the user to only executing files in that directory?”  Short answer: No.  Long answer: Nooooooooooooooooooooooooooo.  Say for instance you changed your include to be this: include(“/path/to/webroot/some/directory/”.$page); If the user enters /etc/passwd, when it’s appended to the path string in the code it will end up being “/path/to/webroot/some/directory/etc/passwd” which obviously doesn’t exist, and won’t show your passwords to the whole internet.  Solved?  Think again.  In Linux file systems, by entering “../” in a file path (when working on the command line, for example, like “cd ../”), you’re moving *up* one directory.  You can chain several of these to move up several directories.  This is called “Directory traversal”, and works even with a full file path in front of it.  So if a user sends “../../../../../../../../../../../../../../etc/passwd” to your script, that translates to “/path/to/webroot/some/directory/../../../../../../../../../../../../../../etc/passwd“.  They’ve just traversed up by 14 directory levels, so since the path is only 5 directories deep this will guarantee the file pointer reaches the root directory, and will stop traversing up until it reads “/etc/passwd“, where it will then access the passwd file.  Game over.

Solution: Let me demonstrate one great way to prevent server Armageddon while still achieving the same goal:

Can you see what’s going on here?  Let me explain.  First, all of the php files which are going to be your “pages” are stored in a specific directory called “pages”, which is relative to the path that your index.php file is in (so, if your index.php file is in /var/www, then the pages directory will be /var/www/pages).  Also, instead of the “page” variable containing the whole filename, we only expect it to contain part of the filename, without the .php extension.  We simply append the “.php” to the end when doing our checks.  Our code checks the $page variable to see whether a blank value was assigned, and if so it sets the default value to “home”, so it will load the file with the content for the home page.  We then set a variable containing the name of our relative directory path containing the pages, which in this case is “pages”.  We then use the “scandir” function to scan that directory and list all the files and folders in an array.  We use this function as the first argument of the “array_diff” function, with the second argument being an array of “.” and “..”.  The reason for this is because all directories contain reference pointers to itself (“.”) and the directory above (“..”), so we have to filter those out of our array because they aren’t the files we want.  We then use the “in_array” function to check whether our array contains a file with the name specified in our $page variable with the extension “.php”, and if it doesn’t, we use include to load a generic 404 page file.  If the file is found to exist in our array, then we append the directory path from $dir, the file name, and the extension together, and include it.

Voila!  We have just achieved the same functionality, but in a much more secure way.  Granted it does take more code, but it’s absolutely essential.  The moral of this story is: if you’re not going to spend the extra time necessary to write SECURE code, then don’t write any code at all.  Also, check, re-check, and re-check your code constantly.  And finally, remember to think like a hacker.

Happy coding.

UPDATE: Unfortunately, because of fundamental changes in the Bejeweled Blitz game itself, this script no longer works.  If anyone would like to assist in making it work for the new version, please get in touch.

I’m proud to present my first Greasemonkey script release, Bejeweled Blitzer 0.1!

About:
Bejeweled Blitzer is a high score hack tool for the Bejeweled Blitz facebook game. It will present you with a box that sits above the game, allowing you to enter in whatever high score you want to give yourself. Simply apply pressure to button, and voila!

Instructions:
1) Make sure you’re running Firefox and have the Greasemonkey Firefox Extension installed. If it’s not installed, go do it now!
2) Once it’s installed, follow the link after these instructions. Greasemonkey should automagically detect it and prompt you to install.
3) Browse to the Bejeweled Blitz facebook app, and enjoy!

Download: http://pie.miracleblue.com/downloads/bejeweledblitzer.user.js

Screenshot

Okay, so you know what a class is, by definition.  But now you’re asking, “how the heck do they work?  What exactly is a method?  What can I use them for?”

A real basic explanation of what a class actually does goes like this:  A class is like a container for storing functions and variables.  The functions and variables stored in a class can be re-used many times for different purposes in a single script.  It’s often very handy to use a class to store a collection of functions that are related to eachother (that do different operations on the same task), for instance you could have a class containing your database-related functions.

Here’s one way to look at it:

Let’s say you currently own an iPod.  Your iPod stores a collection of your favourite Jazz music.  It has functions for adding new music & deleting existing music in the collection.  It also has functions for playing, pausing, seeking and skipping songs contained in the collection.

Your friend, John, also has an iPod.  His iPod stores a collection of his Hard-rock music, and has all the same functions that your iPod has.  Both devices are exactly the same, and have all the same features, but they are separate devices working on separate data!

So basically, the iPod is a class, add() delete() play() pause() skip() etc are its methods, and $music is a property which will have the music collection data as its value.

Okay, enough theory!  Show me something with code!

So what do I mean when I say that a class can be re-used?  Well, this is how we would go about creating Your iPod and John’s iPod in PHP:

$myiPod = new iPod();
$johnsiPod = new iPod();

When we do this (calling new on a class, like new iPod()), it’s called Creating an instance.  Think of it like cloning, but for functions.  So now we have $myiPod and $johnsiPod, which are Instances of the iPod class!

Okay, now let’s add some jazz to $myiPod

$myiPod->add($jazz);

See what we did there?  We called a method (function) of our iPod class on the $myiPod instance of the class!  Now the instance $myiPod contains Jazz music in its collection.  But $johnsiPod does not!  But they’re both the same!  Is it starting to make sense?  Yes?  GOOD! Let’s continue.

Remember that $music property that we have in our iPod class?  Remember that it’s basically a variable stored in a class, just like a method is simply a function?  Well, we can access those too, and in the same manner!  Check this out:

$myiPod->music;

We just accessed the music property!  That means we can get its value.  But did you know we can also SET its value?  Just like a regular variable.  Let’s say, for no apparent reason, we wanna set the music property in the $myiPod instance to a string that just says “O hai thar!”.  It’ll over-write our entire jazz music collection with a single string of text, but hey, this is just for the sake of examples.

$myiPod->music = "O hai thar!";

Now let’s see what happens when we echo out the music property’s new value!

echo $myiPod->music;

It will print “O hai thar!” – Do you see now?  It really is just like a regular variable.  But remember, we’re doing all this to the $myiPod instance of the iPod class!  If we were to echo the value of $johnsiPod->music, it would give us nothing, because since we haven’t set the value of music for $johnsiPod nor have we called add($hard_rock) on $johnsiPod, its value is empty.  Even though both $myiPod and $johnsiPod are instances of the same class, they are completely separate from eachother.  Calling methods on $myiPod will NOT affect $johnsiPod.  This is one of the main features of Object-Oriented Pogramming that makes it so useful – Code is truly RE-USABLE!

And there we have it.  A really, really big explanation of the absolute basics of OOP in PHP.  Later I’ll start going into some of the slightly more advanced stuff, so if the way I’ve explained it here was enough to give you a good understanding of the basics then you should check back every so often for my next article!

Until next time, happy coding =]

Recently I’ve been working on a personal project of mine (For which I will eventually be putting the code up here for all to download and use at will), and I have been using the PrototypeJS framework and many of it’s very useful features.

One of these features that I have just discovered and found very useful for this project in particular is the Object.extend method.  Looking at the API docs on the prototype website, you find that it doesn’t have any examples of how to go about using Object.extend.  So, I’ve decided to do my best at writing a very simple example on how one would use it.  This is based on how I’ve used it in my project =] hopefully it should help those looking for insight on what it does.

Okay.  Let’s just say for example you’re writing a class that contains an array of link urls, and has a method that simply writes them out as html.  This class also has a property which holds the value of the class attribute to be used in all the <a> elements that are written out.  This is the code:

var LinkStuff = function() {
	this.config = {
		links: [
			'http://cnn.com',
			'http://google.com',
			'http://php.net',
			'http://miracleblue.com'
		],
		className: 'linky'
	};

	this.writeLinks = function() {
		// Do some link stuff
	};
};

var myLinks = new Linkstuff();

Here we’ve also created an instance of the class as the “myLinks” object.  The configuration properties are in myLinks.config, which is where the writeLinks method will be getting the list of links to write as well as the classname to assign to all the anchor elements.  As it is, if you wanted to change the links in the array that will be written, you’d have to change the class manually, or set the values in your new object directly (like by doing myLinks.config.className = “newclass”).  Wouldn’t it be easier to have the properties in the config object assigned when you create an instance of the class?

This is one example of where we can use Object.extend!

Let’s give our class an argument called “options”, which we will use to pass a hash of properties to be assigned to the config object.  This is the concept of inheritence.  Basically, any properties we pass in the options argument will be “added” to the config object in our class, and any property that has the same name as a property in the config object will replace (or “overwrite”) the original property.  Then we will use Object.extend to copy the options object over to the config object.

var LinkStuff = function(options) {
	this.config = {
		links: [
			'http://cnn.com',
			'http://google.com',
			'http://php.net',
			'http://miracleblue.com'
		],
		className: 'linky'
	};

	Object.extend(this.config, options);

	this.writeLinks = function() {
		// Do some link stuff
	};
};

The two arguments we provide to Object.extend are the Destination object and the Source object (In this case, this.config and options).  The properties in the source object will be copied over to the destination object.

Now to initialize the class and assign a new array of links, as well as setting the className to “mylinks”, we can do this:

var myLinks = new LinkStuff({
	links: ['http://facebook.com','http://cnet.com','http://foreverskybound.com'],
	className: 'mylinks'
});

Voila.  To see if it worked, try returning the value of myLinks.config.className, and you should get the string “mylinks”.

Note: While Object.extend will now copy all properties in the ojbect we passed as the options argument when we initialize the LinkStuff class,  you do not have to pass all the original properties.  Hmm…maybe I’ll just show you what I mean.

Let’s say for instance you want to create a new instance of LinkStuff and only change the className property, but keep the original array of links which are already defined in the LinkStuff class.  You then only need to pass an object with a className property.  Like this:

var myLinks = new LinkStuff({
	className: 'mylinks'
});

Now the only property that will be over-written will be className, and the links array will have all its original values.

In fact, you don’t even have to pass anything in the argument at all!  If you want all the properties to keep their original values, it’s as simple as:

/* */
var myLinks = new Linkstuff();

And there you go!  I hope that after reading this post, anyone trying to figure out what Object.extend does will have at least a vaguely better understanding.  =]