Article on ATK+Oracle on Oracle Technology Network
February 18th, 2006 by Ivo
I've written an article about writing web applications using ATK and an Oracle database. It's currently published on Oracle Technology Network. (direct link to the article).
I'm very happy with this publication and I welcome any new users that this may bring.
Next stop: php|a
Defensive Programming
January 27th, 2006 by Ivo
A few weeks ago, we had a major problem with software we'd written for a client. It was software for sending mailings to the client's customers. Suddenly there were many reports of clients receiving multiple mailings instead of just one.
The problem appeared to be in our test code. The software had a 'test' mode for testing the mailing by sending it only to the author and a small test team. It appeared that for some reason, all test mails were being mailed to the customers as well.
This problem would not have appeared if we had applied what I would like to call 'defensive programming'. Take a look at this example, which is an oversimplified version of how the software worked:
....
    if ($mode=="test") {
        $recipients = "testers@somedomain.ext";
    } else {
        // Anything that is not exactly "test" goes to the customers
        $recipients = "customers@somedomain.ext";
    }
What happened was that due to some change in the software, this particular piece of code, along with a bunch of other code, was refactored into some other function, where the $mode variable was no longer in scope. As a result, $mode=="test" was never true, and all the test mailings went to all our customers.
The defensive programming approach would be like this:
....
    if ($mode=="production") {
        $recipients = "customers@somedomain.ext";
    } else {
        // Anything that is not exactly "production" goes to the testers
        $recipients = "testers@somedomain.ext";
    }
Had the same problem appeared, the bug would have been less awkward, as only the testers would have received the mailing. Of course this doesn't solve the actual bug, but it helps fight bad results.
In essence, you have to expect the worst. Write your code with Murphy in mind. Anything that can go wrong, will go wrong at some point. This is especially true when relying on (global) variables that are defined at some distance from the code where they are used, which makes it easy to not notice the problem until it's too late.
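The same idea carried one step further, as an added example that is not part of the original post or of ATK: the mode is passed in explicitly, the customer list is reachable only through an exact match, and a missing or unexpected mode is logged instead of passing silently. The function and constant names are hypothetical.

```php
<?php
// Added example; recipientsFor() and the constants are hypothetical names.
const TEST_RECIPIENTS     = 'testers@somedomain.ext';
const CUSTOMER_RECIPIENTS = 'customers@somedomain.ext';

/**
 * Pick the recipient list. The branch with real-world impact (customers)
 * is reachable only through an exact match; everything else falls back
 * to the testers.
 */
function recipientsFor($mode): string
{
    if ($mode === 'production') {
        return CUSTOMER_RECIPIENTS;
    }
    if ($mode !== 'test') {
        // Missing or unexpected mode: make the fault visible, not silent.
        error_log('recipientsFor(): unexpected mode '
            . var_export($mode, true) . ', using test recipients');
    }
    return TEST_RECIPIENTS;
}

// The situation after the refactoring: $mode exists in the global scope
// but is not visible inside the function, so the function sees null.
$mode = 'production';

function sendMailingAfterRefactoring(): string
{
    // $mode is undefined in this scope; ?? turns that into null.
    return recipientsFor($mode ?? null);
}

// Out-of-scope mode, exact match, and a near miss with a typo.
var_dump(sendMailingAfterRefactoring());
var_dump(recipientsFor('production'));
var_dump(recipientsFor('Production '));
```

The log line is what turns the safe fallback into something that gets noticed and fixed.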
P.S. We've released ATK 5.4 this week and, [shameless plug], my little .com adventure epointment.com has gone live this week in a very basic first version [/shameless plug]. For those interested: the epointment site is entirely written in ATK, while the backend server was written using Ruby on Rails, linked together via SOAP. What better way to compare ATK with Ruby on Rails?
ATK 5.3 released
December 2nd, 2005 by Ivo
We've just released ATK 5.3, the next stable version of the Achievo ATK framework. The new release can be downloaded here.
This release contains numerous changes and improvements.
Some highlights of the changes since ATK 5.2.2:
- Improved performance and reduced memory footprint
- New debug console for tracing debug statements and debugging queries
- Added Open Office document generation engine
- Added a preliminary MS SQL driver
- Improved atkMetaNode (see previous blog posts)
- Recordlist caching for dramatically increased performance in admin pages
- New attributes such as an atkLiveTextPreview
- Direct linking feature for example for linking directly to edit pages from inside e-mails
- New atkConfig class for easier per-module configuration settings
- Added Traditional Chinese translation
- Hierarchical group support in authorisation
- Support for multiple named database connections
And many, many more fixes and improvements (you can see the complete change log on the release notes page).
International PHP Conference wrap-up
November 14th, 2005 by Ivo
For the impatient: I took only a few pictures; you can see them in my gallery.
Most reviews I've read so far were either of speakers or visitors. I hope to provide a little bit different perspective as I had a booth for ATK.
We arrived on Monday, on the management day. The exhibition was officially on Tuesday and Wednesday, but optionally we could already exhibit on Monday. So we drove off at about 7.30 in the morning, to arrive in Frankfurt at about noon. We could only check in to our rooms from 15.00h, so we decided to set up our booth first.
Our booth was located quite nicely. Whereas some projects were located in a kind of corner room, we were located right outside that room, next to Pearson VUE and O'Reilly, on a spot that a lot of people had to pass by on their way to the sessions. That first day was meager though. Not too many managers were walking around, and the people attending the workshops did not really walk around at the exhibition much.
We had lunch, where we were joined by Daniel Convissor, and had a conversation about what he did, what we did, etc. When telling him about Achievo he appeared to be a user of Achievo, so we discussed some features he would like to see in Achievo. He was in a bit of a hurry though, as his laptop had broken down and he had to arrange a new one before his sessions on Wednesday. Later I read that he didn't manage to get a new one. A pity, I would've lent him mine for the session had he asked.
Anyway, for the exhibition, Monday wasn't too interesting. In the evening we visited Frankfurt to have a glimpse of the city center (which for some reason reminded me of Gotham City, with its tall black buildings with yellowish lighting).
Tuesday was excellent, we had a lot of visitors at our booth, and those who saw the demo were enthusiastic. Some wondered why they hadn't heard of us before. To them I can only say: help us spread the word.
At dinner, we had a conversation with a manager from MySQL AB, who gave some interesting insights into their business model. This was interesting, as we, like MySQL, employ a dual licensing model.
Later that night in the PHP lounge, I had a beer and a very nice conversation with Danne Lundqvist (triggered by this blogpost). I showed him ATK, and he showed me a preview of his wysiwyg editor. What made this conversation interesting was that he seemed to share some of the same ideas that we try to incorporate into ATK, such as code minimalisation, and he also took pleasure in writing generic, clean code. When his editor is finished a bit more, I will integrate it into ATK.
Wednesday was interesting too. A lot of attention again at our booth, although somewhat less than Tuesday. At about 15.00h we drove home.
(In between demos, I managed to add some features to ATK which I will put in 5.4 once I have released 5.3.)
In general, it was a nice conference. One worry though; I spoke to a lot of people who visited sessions, and while some of them were good, there were also complaints about a lot of them (ill prepared, too shallow, too specific). I can imagine that it's hard to get exactly to the right depth, as there is a great variety in audience, but if a presentation is not prepared well enough, that's really a pity. People pay a lot of money to visit a conference. The least the speakers can do is prepare. But in general, the responses were positive.
This was my first time in Frankfurt, whereas I had a booth twice at the spring edition in Amsterdam. What I noticed about that was that the Amsterdam conference seemed to be a little bit more 'international'. There, we had a lot of visitors from France, Spain, Italy and other countries, whereas in Frankfurt most were German.
All in all, it was a pleasure being there. The hotel was nice, the people were nice, the conference was nice. See you at the Spring Edition in Amsterdam next year!
Getting ready for the conference
November 7th, 2005 by Ivo
I'm preparing for the PHP conference. In about 5 hours, I'll be driving off with Sandy to Frankfurt. I hope to arrive there at around 11 o'clock, so we have some time to check in to our rooms, and populate our booth in the afternoon.
I have to get some sleep before I depart, but I'm currently preparing my laptop for the demos. I've started this much too late this time, but luckily, Sandy prepared all the demos so all I have to do is do a 'cvs -q update -d' and I should be up and running. Currently installing Open Office 2.0 to showcase the open office template engine we've added to ATK recently.
On to a different subject. This week, one of our users wrote a nice testimonial about his experience with ATK. It's always nice to receive compliments, but messages like this are of course extra motivating.
You don’t have to be a newbie to make stupid mistakes
November 2nd, 2005 by Ivo
I know my way around PHP. I've been working on frameworks, web applications and CMSes for almost 6 years now. I'm even a Zend Certified Engineer.
Still, last week I amazed myself with how stupid I can be.
ATK can be downloaded with a demo application. To aid the developer, most pages in the demo application have a 'view source' link. What was I thinking when I used __FILE__ to determine the source file and pass that to a viewer through the url, not checking the validity of the filename? I created a 'Local File Include Vulnerability': any logged in user was able to tamper with the URL, and for example use ?file=/etc/passwd to view any file that the webserver has read access to.
I've read numerous blogs about the subject, read slides and articles from security experts such as Chris Shiflett, but still, one unguarded moment of late night, sleep-deprived hacking and bang, there you have it.
Luckily, it was only the demo application, which is usually not installed in public places, and also, you still have to log in to actually be able to exploit anything, but still, how relatively easy it is to make such mistakes is discomforting.
(A fix was immediately released of course, at http://www.achievo.org/atk/download you can find the 5.2.2 version which fixes this issue).
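One way to validate the filename for a 'view source' link like the one described above, as an added example that is not the code from the ATK 5.2.2 fix: the requested name is resolved against a fixed source directory and refused unless it is a source file inside that directory. The function name, the allowed extensions and the sample files are assumptions.

```php
<?php
// Added example. The unchecked pattern the post describes amounts to
// passing $_GET['file'] straight to the viewer (assumed shape, not ATK code).

/**
 * Map a user-supplied ?file= value to a file that may be displayed.
 * Returns the resolved path, or null when the request must be refused.
 */
function resolveViewableSource(string $requested, string $root): ?string
{
    $rootReal = realpath($root);
    // realpath() collapses "../" and symlinks; it returns false if the
    // target does not exist.
    $real = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $real === false) {
        return null;
    }
    // The resolved path must lie below the root. Comparing with a trailing
    // separator keeps a sibling such as "<root>_backup" from matching.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Show source files only, not configuration or data in the same tree.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!is_file($real) || !in_array($ext, ['php', 'inc'], true)) {
        return null;
    }
    return $real;
}

// Constructed sample tree in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'viewsource_demo_' . getmypid();
mkdir($root);
file_put_contents($root . '/lesson1.inc', "<?php // constructed sample\n");
file_put_contents($root . '/settings.ini', "secret=constructed\n");

$requests = ['lesson1.inc', '/etc/passwd', '../../../../etc/passwd', 'settings.ini'];
foreach ($requests as $file) {
    $path = resolveViewableSource($file, $root);
    echo str_pad($file, 26), $path === null ? 'refused' : 'allowed', "\n";
}

unlink($root . '/lesson1.inc');
unlink($root . '/settings.ini');
rmdir($root);
```

Checking the resolved path rather than the raw string is what matters here: a filter that only looks for "../" or a leading slash in the request misses symlinks and encoded variants.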
There is also some positive news about ATK. Boy wrote a new howto on custom record actions. This shows how to do a lot more with your app than the usual CRUD operations.
Guido did some excellent work last week on an Open Office template engine. It is now possible to generate Open Office documents right from an atkNode. As usual, documentation comes second, so it's undocumented right now, but it is already available in the nightly build. If you want to experiment with it, we can help you on IRC or in the forum. We will give a demonstration of this new functionality at our booth at the PHP Conference in Frankfurt next week.
Finally, Sandy created a new CRM module for Achievo. It's far from finished (it only works with Achievo 1.1, not yet with the development version), but it's a start. This one is available from Achievo's nightly build page.