Web Computing Web Computing

Hard found gains in Symfony

September 2nd, 2008
post #126 

My first production Symfony application is a newletter manager and sender. This gave me a few headaches that I couldn’t easily find solutions for in the Docs. In the end trial, error and other sources came up with some gems that kept things moving.

Assigning complete module output to a variable


This is pretty useful, dropped into your Action this retrieves the fully rendered (layout, template, content) output of another Action/Module. Many of the email examples recommend putting the content you wish to send out into a partial or component and show how to grab it for variable assignment, but this will take a whole page you might want to email ‘as is’. I use it retrieve a current newsletter page as it is would be rendered for the web so I can drop it into an email.

Flexible but full Absolute URLs to assets

  stylesheets:    [main , 'https://mysiteDotCoDotUK/path/to/this.css']
  javascripts:    ['https://mysiteDotCoDotUK/path/to/that.js']

The books don’t seem to mention it, but you can use absolute URLs in your view.yml for embedding stylesheets and javascripts. So you can set granular stylesheet and script settings down to the module while still producing absolute links to them. When your assets also use the absolute=>true boolean options in Link and Asset Helpers, then you have dynamically generated fully standalone output. I’ll be using this to make sure email newsletters find their supporting content.

With this, I can provide the editor interface, management and preview options, a live copy of the current newsletter and archive of old ones on the web, and share the very same content in mails to subscribers.

Mixing Object and Form Helpers in Symfony

August 21st, 2008
post #125 

Being new to Symfony I’m still getting my head around some of its paradigms. Two months with the manual before embarking on any development taught me that it was worth pursuing, but there’re always areas you need to see working.

The Object form helpers looked particularly useful, so for my first production development I aim to use them wherever possible. These helpers allow you edit objects directly, simplifying the update process back in your actions.

sample form in editformSuccess.html?php echo form_tag('editform/updatetitle'); ?>
<?php echo object_input_hidden_tag($newsletter, 'getID') ;?>
Title: <?php echo object_input_tag($newsletter, 'getTitle') ;?>
<?php echo submit_tag('update'); ?>

and in actions.class.html?php
public function executeEditform($request)
$this->newsletter = »

public function executeUpdatetitle($request)
$nltoupdate = NewsletterPeer::retrieveByPk($request->getParameter(’id’));
$this->forward404Unless($nltoupdate );
return $this->redirect(»

The update code uses the fromArray method to update any properties of your object it holds data for, received from your form. Adding fields to your form doesn’t require changes to the action.

I got into difficulties when it came to setting a boolean field for my object, called “IsPublished”. Wishing to stick with the Object form helpers I investigated the Object_select_tag, however this has a different use altogether - allowing you to grab properties of other objects to match with your current object. The classic example being choosing an author from the authors object to match up to a post object.

I still wanted to save a property for my object, but I didn’t want to have it select from the object, or grab values from other objects. Further searches revealed I wasn’t alone in wondering how to set default selected values and generally get to grips with object_select_tag.

Mixing Object and Form helpers seemed the best solution, using select_tag for my boolean field. However this meant I wasn’t using the Object helper exclusively, so would it still work with fromArray?

The form code generated looked promisingly simple, so I tried a mix of object_input_tag and select_tag in my editformSuccess.html?php
$defaultOption = »
$newsletter->getIsPublished() == 1?1:0; # get current, set default
echo select_tag(’in_published‘, options_for_select(array(»
0, 1),

Note the highlighted property in select_tag. My Object Property is called “IsPublished”. To object-generate a plain text input field I’d have used:

Published: <?php echo object_input_tag($newsletter, 'getIsPublished') ;

So my current field value would be retrieved, and the Object helper generates form fields using BasePeer::TYPE_FIELDNAME which in turn is used in my fromArray method to update the Db.

Normally one would use select_tag with internal field names (BasePeer:: TYPE:PHP_NAME) and write more action code to marry them up before a save(), however here I have to add my database field name into my view code.

Tethering your templates to your database schema is a route no-one should go down. So the internal name should be converted to the Db name on-the-fly in your template. The Peer classes have a function for this, and its public. The following call converts your usual internal field name for you, ready to drop into your select_tag:

$IsPublished_translated = BaseNewsletterPeer::translateFieldName(»‘IsPublished’,BasePeer::TYPE_PHPNAME, BasePeer::TYPE_FIELDNAME )

You could assign this in your action, but it works just as well in the template:

echo select_tag(»
‘IsPublished’,BasePeer::TYPE_PHPNAME, BasePeer::TYPE_FIELDNAME
0, 1),

A final step would be to migrate this into a function higher up that so as to make templates a little prettier when editing.

Twitter ye not - no more UK Mobile updates

August 14th, 2008
post #123 

Looks like there’ll be no more Twitter mobile updates on the UK number. According to the email this morning the cost of sending Twitter updates to our mobiles has become prohibitive.

I’m not sure if there’s a bad guy in this, or if this just shows how social networking doesn’t have the power to sweep traditional business aside after all. That Twitter didn’t come up with a premium service to address this earlier probably means they’re hoping that user outcry will force some sort of reinstatement, a full or partial climbdown on the part of the operators.

We’ll see, but we’ll probably have to log on to see.

Your history is your business, not ours

July 28th, 2008
post #122 

I like the sound of Cuil- all the goodness of their ex-employer without the digital footprint. Their privacy page reads:

Privacy is a hot topic these days, and we want you to feel totally comfortable using our service, so our privacy policy is very simple: when you search with Cuil, we do not collect any personally identifiable information, period. We have no idea who sends queries: not by name, not by IP address, and not by cookies (more on this later). Your search history is your business, not ours.

Right now though I’m waiting a long time for the first few of the 1,682,519,994 results promised on a search of this blog’s title to appear. The first time I tried it I got a rapid response - saying there were no results. But I’m optimistic that this could be my search engine of choice when things settle down. Their claim to examine the context of search queries in order to refine results is interesting and I wonder what it means in practice.

While a good tactic for a launch I don’t imagine the black homepage with centred box will last, not least when they quickly revert to convention for the results; but the results page layout of boxed up summaries is pleasant and readable - not unlike a good news site.

Now I’m waiting for page 2, and the features, privacy and management pages have all gone missing. I’ll come back tomorrow.

Advances in Computer Security and Forensics Conference

July 22nd, 2008
post #119 

I’m really glad I got the opportunity to attend this event. It’s given my own research and writing a bit of a boost, but its also shown me just how important advances in this field are.

On day one we heard from Merseyside High Tech Crimes (HTC) Unit, about their day to day challenges and how they’re overcome. We also heard from a career digital forensic analyst about recovering data from all makes and models of mobile devices: handhelds, phones and the like, and the ways and means of recovering data from the removable media they commonly use.

On day two there was a practitioner talk from Henrik Kiertzner, about the technology’s propensity to nurture self-selecting constituencies, groups of like minded (though possibly geographically dispersed) individuals with ideologies in accelerated development - and how we’re unlikely to even notice them until they make their move.

We heard from Mark Taylor about scoping corporate forensic investigations, which gave me additional avenues of inquiry for my own research.

The keynote speaker Jim Gamble from the Child Exploitation and Online Protection Centre brought us insights - with wit and wisdom - from a truly difficult field and a call to developers to understand the difference their expertise can make to young individuals. Many of the techniques they use in the kind of cybercrime they combat are traditional. Knowing your enemy being one of them.

I’d assumed this would be a dry and technical conference, so its surprising how far social concerns pervaded the discussion sessions and the conference as a whole.

First spam attempt on Drag n’ Drop captcha

July 14th, 2008
post #118 

As its still in development, I’ve set the drag n’ drop captcha mechanism to report failures in full as well as forwarding legitimate responses.
I’ve had the first (update: two now) such failure notice from a live installation today - subject line: ‘yGAQJUnxHNOw’ and just a few web addresses I won’t repeat here.

Positive so far.

Computer Security and Forensics conference, ACSF 2008

July 9th, 2008
post #115 

Tomorrow I’ll be at The Third Conference on Advances in Computer Security and Forensics .

Purely for research purposes. Hopefully there’ll be lots of useful insights that will inform my current work. We will see, updates as and when.

Drag n’ Drop captcha updated

July 7th, 2008
post #110 

I finally have this released into production environments which will no doubt help me to improve it. There’ve been some updates to the mechanism to dissociate image filenames from the puzzle fields.

Next I need to make the names more variable, and perhaps cache them and generate random permutations. Accessibility remains a concern.


Affleck’s, saved!

February 2nd, 2008
post #94 

Iconic Afflecks saved by owners


January 22nd, 2008
post #92 

Yesterday I learned that all our RSS feeds fail to render in IE7. This was a surprise, as feeds are often the least worrysome areas of output, normally bypassing rendering and compatibility issues. IE7 reported:

This feed contains a DTD (Document Type Definition). DTDs are used to define a structure of a webpage. Internet Explorer does not support DTDs in feeds.

We defined a DTD only to ensure encoding of certain characters, as a number of our feeds are generated from (x)html based, content-managed information and often have content mishandled via software such as MS Word. In the past we have had some problems providing editing tools to suit certain departments resulting in encoding and character-set problems, and the DTD assured us some control over this.

The Microsoft RSS Blog outlines the reason for the failure:

Feeds that reference a DTD are not supported by the RSS Platform. A DTD is used to help XML parsers with validation of the document. However, DTD validation is a potential source of security issues for XML parsers, and validation is not required for feeds to work correctly in aggregators.

The MSDN article referred to outlines situations where a malicious DTD could be used to launch a DoS attack from an untrusted source. Our fatal DTD however, was inline:

<!DOCTYPE rss [<!ENTITY pound "&chr(34)&"£"&chr(34)&">]>

I can’t say I’m wholly impressed that my implicitly trustworthy (requested) content has, according to IE7, untrustworthy components.

The solution is -unsurprisingly- to remove the DTD entry - I call this a proprietary hack - and to keep an eye on the entities which have for operational reasons failed us in the past.