The conference will feature 2 tracks, one targeting WordPress UX topics and issues, and the other targeting strictly development issues. The day will also be host to a WordPress Un-Conference where participants are encouraged to pitch talks and join in discussion.

The conference is open to all WordPress Developers and Designers interested in learning about practical, applied WordPress development by industry thought leaders and local WordPress practitioners.

WordCamp:Developers is part of the Vancouver Open Source Week.

We hope to see you there!

http://wordcampdevelopers.com/

First the ugly:

Now the Beautiful:

Here are my photos, taken in an empty colo facility, just sitting there, waiting for a reason to go to work. The collocation facility was built, and then never used:

This location is in a Canadian town, originally built by 360 Networks, which built a number of these buildings, built to identical spec, to service its fiber optic trunk line.  360 is long gone and the property was part of an assets liquidation deal. The photos are from about a year ago, and I dont know what happened to the property. But what you are looking at is a beautiful dream job, with a super redundant clean power system, with a truck sized diesel gen set to feed the batteries. And its right beside a railway track, so you could even roll up a diesel car beside the generator for long term supply. Naturally, all the power is routed through the battery bank, the facility has air cleaning and conditioning, cooling, and the location can be cooled by ambient air 8 months of the year. It has a secure entry system, high quality trunk line, pure copper and silver components in the power system; the bank of batteries alone must be worth over a million dollars.

The collocation facility was built, and then never used…

http://www.globaltvbc.com/video/index.html?releasePID=F2c99hC0V1kc4WrGZu0sZguKx_83_IuT

Editors,
As a web developer experienced with WordPress, I know you have made errors in your understanding of the software. If the mayor has really broken some law with regards to the bidding process, then that is another matter. It is however hard for people to find good, skilled web developers and themers, on a per project basis, when a quality website is needed.

A quick consultation of the home page of http://wordpress.org would show you that this free open source software is used by the New York Times, Wired.com, and many many other individuals and corporations much larger than Global TV. Suffice to say if it is a good choice for NYT then it is probably a good software choice for Mayor Robertson. Actually it is not even so much about the software, but the developers who take steps to ‘harden’ the software from security intrusions during the development and deployment process.

It is a shame that a member of the press such as Global TV does not understand the parallels between freedom of speech and of the press, and the openness of the Free Open Source Software community, and how both are so effective in exposing lies and moving towards the truth.

Free Open Source Software such as WordPress is free as in speech, not free as in beer. Indeed, WordPress is just one software package among thousands of others that the Internet and the World Wide Web rest upon. But I realise by the comments in your report that you are unaware of the massive worldwide movement to create and distribute Free Open Source Software. While the cost of the software may be a factor for the contractors, as it is in every other business, it is the openness that is really important. The openness of the software and the community allow for the exposure of security problems, and then expedites their repair to the entire community of WordPress users. It also allows for such things as the enforcement of high technical standards, and the independent development and release of thousands of additional software add-ons to boost and customise software functionality.

Shawn Moore of thinkprofits.com claims in the news piece that he can quickly hack and steal information submitted through the contact form on Gregor Robertson’s website. Instead of just claiming this, he should prove it. I say this because security breaches in general take more time to manifest themselves than Moore implied when he said ‘quickly’. And if Moore does know of a current security exploit WordPress, he should do the right thing and contribute the exploit to the WordPress development community, or to the head company behind WordPress, Automaticc, so that the patch may be written and released.

It is a shame that a member of the press such as Global TV does not understand the parallels between freedom of speech and of the press, and the openness of the Free Open Source Software community, and how both are so effective in exposing lies and moving towards the truth. You should be really educating your viewers on the benefits of Free Open Source Software instead of insinuating that WordPress is merely a ‘cheap’ alternative.

As I said in the beginning, I dont know if the mayor broke any laws or not. But please understand that good developers may be harder to come across than you think. Neither are they cheap. Please also educate yourselves on the benefits of Free Open Source software because it is in use widely and in many roles across the Internet.

• GST Only: 5%
  • Alberta
  • Quebec
  • Manitoba
  • Saskatchewan
  • Prince Edward Island
  • Nunavut
  • Yukon Territories
  • Northwest Territories
• HST 12%
  • British Columbia
• HST 13%
  • Ontario
  • New Brunswick
  • Newfoundland
• HST 15%
  • Nova Scotia

From what I have learned, you charge the buyer the tax rate relevant to their local. You may be in BC but you charge them HST 15% because they live in Nova Scotia.

Disclaimer:  I am not a fan of taxes. Just trying to help fellow developers out.

GourmetPregnancy.com website

Notes for development

When creating a WordPress site, I now generally attempt to pull in all the resources I can in one go, as I find this saves a large amount of time. I have a small project in github for automated installation of WordPress, which I would like to keep telling people about. Grabbing all the resources for a project is a very regular, standard task, and this process can be automated. There are other projects like it for other applications, like Drush for Drupal.

When developers get into new packages, they start off by downloading zips and tarballs. A little more skill and confidence and people start pulling down the software from the SVN or CVS repository. My github project is a shell script with the commands captured for obtaining the WordPress core, as well as a host of the common plugins and themes that I am going to use. Its a very simple idea, but one that is a huge time saver when you use it. It takes about 2.5 minutes for the script to run on my local Ubuntu desktop, in the shell. Its not perfect, but it is just meant to be a massive time saver over the tedium of grabbing the source, and then browsing through plugins and themes. A script like this can save untold hours.

So after that the site was a matter of layout and enabling plugins, creating a copy of the arras theme to hack on, configuring the cforms contact form page, and a host of layout fixes, for which Joe Hewitt’s Firebug plugin for Firefox is invaluable. Even so, there are multiple style sheets in the system and it was found lower down in the details that there was 1 or 2 conflicts. The Arras theme is more of a ‘feature’ theme as opposed to a ‘news’ theme, but still we spruced it up by removing columns and expanding the main area. Incidentally, the cformsII plugin required a complete rebuilding when the site was launched in the root domain. It didnt like me hacking the serialized array directly in the db.

You replace the instance of ‘the_excerpt();’ with ‘the_content();’ to get your full posts for the category. Search engines and users will thank you for it.

The home page in the theme has a Jquery slide show and dynamic feature boxes. There is always a question of the tools you have to do the presentation and we decided to swap out the slide show for a flash object, and replace the lower boxes with static content, since they will never change. The theme does provide for page & post options in in the slide show and sections on the page, and the options within the theme and plugins would have an influence over the content design, meaning what content gets defined as pages and posts. There is the time factor to consider in straightening out all the little issues between our layout and their theme, so after some investigation the static chunks and flash object was how we did it.

The header navigation took some time to master, but it came out looking nicely. The multi-level navigation plugin was in the end, not needed.

The book page has a light box plugin working, which works quite well.

The site has two post categories, News & Reviews and Recipes. The one important change for posts was a simple one line change to the template. It seems that in WordPress themes the post category listing displays only an excerpt by default. This doesn’t do much for usability or page ranking. Home pages, as I have on other news & blog themed WordPress sites, show the latest posts from all categories. You would expect that navigating to a given category should present like the home page, but only for that given category. That is not the case, but the fix is a one liner. You replace the instance of ‘the_excerpt();’ with ‘the_content();’ to get your full posts for the category. Search engines and users will thank you for it.

]]> http://www.superwebdeveloper.com/2010/03/18/presenting-gourmetpregnancy-com/feed/ 0 http://www.superwebdeveloper.com/2009/11/25/the-incredible-rate-of-diminishing-returns-of-fixing-software-bugs/#utm_source=feed&utm_medium=feed&utm_campaign=feed http://www.superwebdeveloper.com/2009/11/25/the-incredible-rate-of-diminishing-returns-of-fixing-software-bugs/#comments Wed, 25 Nov 2009 20:41:25 +0000 pbg http://www.superwebdeveloper.com/?p=287 While I was at Codeworks DC in September 2009, there was a particular slide during the talk by Stefan Priebsh, in his talk on OOP and Design Patterns that stood out more than all the others. It’s a slide that describes the relative cost of of a bug fix at different times in the life cycle of a software project. At first, the cost of fixing a bug at the requirements stage is nominal, when everything is on the drawing board. But as the software moves along in its life cycle the cost of fixing a bug increases radically. We start at 1 times when we are at the initial development stage when a bug is no more than a change in notion. But at the design stage, the relative cost is 5 times what it was compared to the requirements stage, and then ten times what it was when it becomes code and on this goes until it the relative cost of a bug fix is 150 times what it was originally. Conversely, the graphic indicates that the cost of rewriting is far less than attempting to maintain broken software. Starting right, or starting over right, is by far preferable to the alternative.

Relative Cost Of A Software Bug Fix

Slide credit: Barry Boehm, “Equity Keynote Address” March 19, 2007.

This chart is intended for developers, to decide how best to spend ones time. Ever wonder why, as a developer, fixing bugs is such a pain and a kludge? There is something not simply tough about fixing bugs, there is something fundamentally wrong about putting any effort at all into repairing them. But the chart is also a message to the paying client, the person whose dime it is on. A client may be only thinking in the short term to make the software work, but it is the most expensive and unproductive path to the realization of goals.

The effort to fix bugs is great and the rewards are minimal. Frustrations are high, satisfactions are low. The website suffers from some sort of performance penalty, users are inconvenienced. Bugs must be dealt with with some amount of procedural overhead no matter what, and when the bug is fixed and submitted, very little was ever really accomplished. It is really far better to think of a better solution to all your problems together rather than to continue fixing things one at at time. It will cost the customer less and they will get more. So when bugs become a staple of the work load, its time to persuade the client to accept a rewrite.

…with the software in production, fixing bugs is akin to repairing a car while it is driving down the road, long after it has left the drawing board, the assembly line, and the dealer lot. Its as expensive to do as it can possibly be.

Developers still have a great deal in common with the clients they perform work for. They charge money for their work so they think in terms of the cost in terms of labor time (actually, developers also think this way when they work on their own software). The question every developer asks is, “What is the simplest, easiest, and fastest way to get something done?” The answer could be open to interpretation, but that is because the long view must be taken into consideration, and that is why software makes use of functions, templates, classes, objects, and design patterns. The work is needed now, but how will it be possible to understand the software in a few months time when noone is mentally fresh? How do I share my ideas with other people? How do I take the long view into account?

Despite the love a client may have for their own project, nobody is interested in working on the same software forever. After all, software developers are creative people who really want to expand their skills and take all that they have learned and apply it to the next project, instead of keeping something half dead on life support.

I enjoy attending talks from the best people in the world in my business, because they are very good at exposing the importance of planning and organizing the overall picture, and are very knowledgeable in all the concepts that make projects produce a top quality result in an efficient manner. They also point out the simple mistakes people make that cost them so much. When we are at the far right of the graph, with the software in production, fixing bugs is akin to repairing a car while it is driving down the road, long after it has left the drawing board, the assembly line, and the dealer lot. Its as expensive to do as it can possibly be.

Developers should try to understand the message of this graphic before going further fixing bugs. If you are put in a position fixing bugs, it is time to change the way you work, because you are the one bearing the cost in terms of your own time performing the least valuable, most expensive, and least meaningful work.

Web developers as they learn start by downloading packages in zip and tar.gz archives which is fine. A pro technique is to pull in the resource via SubVersion (svn). Svn provides additional features such as svn externals and svn hooks. Svn externals allows for the pulling in of external resources into a defined project in a svn repository. Svn hooks is for additional labor saving scripting that allows for the automation of repeated tasks such as a script that can pass along data from commit messages into other resources in the project such as the bug tracker. Learning these tricks allows for labor savings at every step in the production cycle. We can take these practices to the next level with capturing the commands in a bash script and then organise all the features of a website in a deployment script, something that is done all the time at software majors.

This script is a big-ass time saver.

I took the time to sort this out recently because I had some web development requests from people who have simple websites that could be converted to WordPress easily enough, but I wasn’t interested in going fishing for plugins and themes twice, and again when the next people come along needing the same thing. The job of a software developer should be to automate processes. I say often that the credo of developers is not to work for a living, but to eliminate work. But this idea is not always employed by developers in all the places it could, and its sometimes even a harder to get a client on board to make full use of methods and procedures that automate tasks and eliminate work.

…the credo of (software) developers is not to work for a living, but to eliminate work.

Lets at least cover the benefits in point form:

• The script takes a couple of minutes and you save hours.
• You dont repeat the labor, but you can repeat the use of the script, deploying anywhere else.
• All your stuff is there at the beginning. Useful for planning, development, and policy across teams.
• You are organised, and you can develop variations. Svn export may be good enough for your needs.

In pseudo code, here is what your script will do:

• Set up your repository.
• Make your directory structure for your project.
• Check out your repository.
• Run procedures for svn externals for core WordPress.
• Run procedures for svn externals for plugins, iterating through data in an external file resource.
• Run procedures for svn externals for themes, iterating through data in an external file resource.
• Grab additional resources in an array, iterate through them using wget command, extract them.
• Cleanup.
• Commit message.
• … anything else you can think to do.

The bash file, save as getallwpsvn.sh:

#!/bin/bash
# run this script with chmod 755 permissions.

workPath=$(pwd)

rm -rf filerepository repository www *.zip # this line cleans dir for testing, comment out when done

svnadmin create repository

mkdir -p filerepository/{branches,tags,trunk/{html,db,cron,scripts,themes,plugins,project,selenium}}
# got anything to import into those directories under trunk?
# import into the directories under trunk now
# before the next step
svn import filerepository file://$workPath/repository -m "initial import using getallwpsvn.sh script"
rm -rf filerepository
svn checkout file://$workPath/repository/trunk www
cd www
svn rm html
svn commit -m "rm html temporarily for clean propset"
svn propset svn:externals 'html http://core.svn.wordpress.org/trunk/' .
svn up
cd html/wp-content/
# get plugins from repository http://svn.wp-plugins.org/
# plugins listed in svn.plugins.externals
svn propset svn:externals -F ../../../svn.plugins.externals plugins/
#svn commit "plugins propset" # no commit if no local repository
svn up
# themes repository: http://svn.wp-themes.org/
# themes repository is a bit of a ghost town, none grabbed here
# browse the site and get the zip
# themes listed in svn.themes.externals file, if there are any
svn propset svn:externals -F svn.themes.externals plugins/
svn up

cd themes
# load up on themes
#more human readable format for array

THEMESITES[0]=http://dev.digitalnature.ro/fusion/fusion-wordpress.zip
THEMESITES[1]=http://ericulous.com/?load=googlechrome.zip
THEMESITES[2]=http://ericulous.com/?load=internetcenter.zip
THEMESITES[3]=http://ericulous.com/?load=redbusiness.zip
THEMESITES[4]=http://wordpress.org/extend/themes/download/elegant-box.4.1.1.zip
THEMESITES[5]=http://wordpress.org/extend/themes/download/thirtyseventyeight.4.0.zip
THEMESITES[6]=http://wordpress.org/extend/themes/download/thirtyseventyeight.4.0.zip
THEMESITES[7]=http://wordpress.org/extend/themes/download/constructor.0.6.4.zip
THEMESITES[8]=http://wordpress.org/extend/themes/download/jq.2.4.zip
THEMESITES[9]=http://wordpress.org/extend/themes/download/ahimsa.3.0.zip
THEMESITES[10]=http://wordpress.org/extend/themes/download/retromania.1.3.zip
THEMESITES[11]=http://wordpress.org/extend/themes/download/skinbu.1.0.3.zip
THEMESITES[12]=http://wordpress.org/extend/themes/download/mystique.1.16.zip
THEMESITES[13]=http://wordpress.org/extend/themes/download/lightword.1.9.3.zip
THEMESITES[14]=http://wordpress.org/extend/themes/download/monochrome.2.3.zip
THEMESITES[15]=http://wordpress.org/extend/themes/download/thematic.0.9.5.1.zip
THEMESITES[16]=http://wordpress.org/extend/themes/download/hybrid.0.6.1.zip
THEMESITES[17]=http://wordpress.org/extend/themes/download/new-york.1.0.1.zip
THEMESITES[18]=http://wordpress.org/extend/themes/download/f8-lite.1.3.zip
THEMESITES[19]=http://wordpress.org/extend/themes/download/simplex.1.3.1.zip
THEMESITES[20]=http://wordpress.org/extend/themes/download/cleanr.0.1.2.zip

for s in ${THEMESITES[@]}
do wget "$s"
done

FILES="*.zip"
for f in "$FILES"
do unzip "$f"
done

rm *.zip
rm *.zip.*
cd ../../../
svn commit -m "load in of plugins and themes complete"

cd $workPath
cp $workPath/www/html/wp-config-sample.php  $workPath/www/html/wp-config.php
chmod 777 $workPath/www/html/wp-config.php
chmod 777 $workPath/www/html/wp-content #temporarily, for cache
mkdir $workPath/www/html/wp-content/uploads && chmod 777 $_
touch $workPath/www/html/.htaccess && chmod 777 $_

# do any post processing, other importing now, and commit it if you did.

Set the file permission to chmod 755, and run it from the shell command line as in ./getallwpsvn.sh.

The file you save as svn.plugins.externals:

all-in-one-seo-pack http://svn.wp-plugins.org/all-in-one-seo-pack/trunk
advertising-manager http://svn.wp-plugins.org/advertising-manager/trunk
cforms http://svn.wp-plugins.org/cforms/trunk
google-sitemap-generator http://svn.wp-plugins.org/google-sitemap-generator/trunk
sociable http://svn.wp-plugins.org/sociable/trunk
stats  http://svn.wp-plugins.org/stats/trunk
ultimate-google-analytics http://svn.wp-plugins.org/ultimate-google-analytics/trunk
vipers-video-quicktags http://svn.wp-plugins.org/vipers-video-quicktags/trunk
wordbook http://svn.wp-plugins.org/wordbook/trunk
wp-flickr http://svn.wp-plugins.org/wp-flickr/trunk
wp-super-cache http://svn.wp-plugins.org/wp-super-cache/trunk

The svn.plugins.externals file is a name – resource listing, one per line, when you have more than one resource to define with svn externals.

Please note that you may not need all of this; comment whatever out you want. You dont need to create a local repository, that is only if you are doing team development, or perhaps custom development on themes and plugins. I found though that it was necessary with svn propset directives to create a top-level directory structure wherein is stored all the different directories. The point of this exercise is a pull-in of public resources in a step that you can repeat automatically over and over. It also need not be a very sophisticated script to get the benefits from it.

I had of course heard of svn externals before but a little explanation really enlightened me. You can multiply your power as a developer with svn externals. Alongside your own project under svn control, you can add in other remote projects from remote svn repositories with the svn propset command and they will naturally remain current as you run updates on your own repository.

You can multiply your power as a developer with svn externals.

In the struggle for project housekeeping it can be a chore to keep libraries, plugins, middleware, and other goodies up to date. In general we as developers have a mindset about keeping a project managed by version control, but its an idea that I have seen stopping at the project in question. The project is under svn, the rest of the libraries are from static resources like tarballs. By just extending the power of version control just a little bit further, we have a big labor saver, and we are opened up to the great universe of software. Svn externals gives us mighty lever, because we then have the power to keep in step with all of the other bits and pieces that go along with a project.

Your main project is under version control, but your rich html editor, TinyMCE, is not. Well it can be. Lets use it as an example.

test$ mkdir tmc
test$ cd $_
test/tmc$ mkdir html
test/tmc$ mkdir project
test/tmc$ cd $_
test/tmc/project$ mkdir branches tags trunk
test/tmc/project$ cd -
/home/pbg/websites/test/tmc
test/tmc$ cd html/
test/tmc/html$ ls
test/tmc/html$ emacs index.php
test/tmc/html$ cd ../
test/tmc$ cp -rf html project/trunk/
test/tmc$ ls
html  project
test/tmc$ ls project/trunk/
html
test/tmc$ ls project/trunk/html/
index.php  tiny
test/tmc$ ls
html  project
test/tmc$ rm -rf html
test/tmc$ ls
project
test/tmc$ svnadmin create tmcrepository
test/tmc$ svn import project file:///home/pbg/websites/test/tmc/tmcrepository -m "initial import"
Adding         project/trunk
Adding         project/trunk/html
Adding         project/trunk/html/index.php
Adding         project/branches
Adding         project/tags
Committed revision 1.
test/tmc$ ls
project  tmcrepository
test/tmc$ svn checkout file:///home/pbg/websites/test/tmc/tmcrepository/trunk .
A    html
A    html/tiny
test/tmc$
/test/tmc/html$ svn propset svn:externals 'tinymce https://tinymce.svn.sourceforge.net/svnroot/tinymce/tinymce/trunk' .
/test/tmc/html$    svn commit -m "propset"
/test/tmc/html$    svn up
/test/tmc/html$

So that is how its done from bash with a vanilla website and one repository checked in for your pleasure. Tips to know include wrapping the directory and resource in quotes, don’t create the directory, specify it in propset and let svn create it for you. Go to a directory somewhere else on your system and test your checkout. In the example above the remote repository trunk is checked out. However, you are also able to check out specific branches or even specific revisions if you want the bias more to stability over new features. You can also specify multiple remote repositories by creating a text file with directory and remote resource pairs and point svn propset at that file. Be prepared to handle things that you flub up using svn propedit. Your repository is not broken, but you may have to know how to fix a thing or two that you didn’t do the first time. That is why doing a vanilla procedure like what is described above helps show what the right way is.

So Imagine having a repository somewhere with all the tools you like to work with as part of your own best practices, sitting there, in one place ready to go with one checkout. That whole kit and kaboodle becomes your blank slate from where to start from, but you are already miles ahead of the competition because you already have tabs on all the resources you are going to use in your project. Having it all on hand saves labor and helps foster better practices as a developer.

• Zend Framework, CakePHP, Symphony, PEAR or whatever middleware turns your crank
• PHP Unit, or SimpleUnit, or some other unit testing suite
• WordPress, Drupal, Joomla, or of course any of the related themes and plugins
• Tiny MCE
• Jquery, Scriptaculous, Dojo, whatever floats your boat with javascript
• XDebug,
• phpmyadmin
• Integration testing software like Selenium or Molybdenum
• bloody well anything from sourceForge, or anything else for that matter public and under svn control.

Links for this blog post:

http://www.superwebdeveloper.com/2008/10/08/essential-cheat-sheet-of-shell-commands/

http://devzone.zend.com/article/9930-The-ZendCon-Sessions-Episode-26-Best-Practices-of-PHP-Development

http://beerpla.net/2009/06/20/how-to-properly-set-svn-svnexternals-property-in-svn-command-line/

http://blogs.gnome.org/johannes/2008/02/20/svnexternals-for-noobs/

When I want to see the latest clip from the Daily Show, I am abandoned by Comedy Central. This is fixable!

Yeah, so when I want to just have a break and watch the latest Daily Show posted on Reddit, Comedy Central dumps me off to fend for myself like some kind of bum. Ok maybe Im Canadian, but for the level of popularity of this link, this is damn well unforgiveable.

Lets see, we have a url with a query string:

http://www.thedailyshow.com/full-episodes/index.jhtml?episodeId=220250

But somebody at Comedy Central, probably someone with no sense of humor at all, cant figure out how to pass episodeId=220250 to the canadian mirror. It takes a little more programming, but not a lot more. Something like this is easy to figure out, because there is a unique identifier there to work with. From there on in, we would just be passed along to the mirror and we would be happy and laughing and we wouldnt be left on a dead page, screaming FFFFFFFFFFFFFUUUUUUUUUUUUUUUUUU- …….

——————-

Holy Crap here is an update!

On digg recently, someone posted the fix for this one!

You are a Firefox user, yes? I dont need to tell you now do I? Good. Go install the following Firefox plugin:

https://addons.mozilla.org/en-US/firefox/addon/967

1) In Firefox, Go to tools->modify headers
2) From the drop down box on the left select add
3) Then enter: “X-Forwarded-For” in the first input box without the quotation marks
4) Enter: “12.13.14.15″ in the second input box without the quotation marks
5) Leave the last input box empty, and save the filter, and enable it
6) Click the ‘Configuration’ tab on the right then proceed to check the ‘always on’ button.
Close the Modify Headers box and it should work.

Tested on Ubuntu. It worky.

All credit goes to Digg user casspa.

ah, no more screamin!

Here is an example of something I saw recently. Names have been changed to protect the innocent.

<?php
foreach ($fieldName as $field=>$type) {
$UserObject->setValueInDB($field, $$field);
}
?>

This is from a form submission script. There are a couple of transgressions I can think of, not least of all the reliance on the register_globals directive which is now off by default, and soon to be eliminated from a future release of PHP.

The variable variable part here is $$field, basically, what has been posted. The $fieldName value is a list of fields grabbed from the table, so you don’t trust $_POST. But what is the point in trusting the scalar equivalent of your posted value? You are getting farther away from certainty, not closer. A $_POST submission from an attacker could wipe out data because their $_POST array doesn’t have any keys that your table has. As well, if your $_POST array on your own page doesn’t have a $key=>$value that is also in $field=>type, well that value is going to get wiped out. In the case of a user profile edit page, a form page probably wont have all the fields that are posted. Especially if a developer doesn’t consider using table joins elsewhere.

One of the cardinal rules of programming is never trust user input. And I consider losing user data to be a deadly sin. But setting up a situation where you risk losing data in a field because of one additional field in the table for the user is downright dangerous.

One of the early-ish contributors to PHP, by virtue of being a C programmer, was no doubt familiar with the variable variable language construct, and appreciated its eloquence in CRUD scripts and elsewhere. You got your field names, so cycle through them in a looping construct and execute your value setting method.  He or she is forgiven for not realizing that eventually, with the blossoming of a thousand new web hosts and thousands more developers on the web, not only users had to be protected from themselves, but developers from themselves also. And so, as of release 4.2.0, register_globals was finally set to OFF by default. Many hosting companies have been slow to react, and even today set it to ON to support legacy software.

So while you have this spartan and eloquent structure, it relies on an obtuse language construct which in turn relies on data that is potentially not trustable. The solution to the above problem required a static array of field names that must not be overwritten. Of course, testing this once might reveal that data is being overwritten with empty values. Unintentionally. By design. Due to a deprecated directive and an obscure language construct.

Here it is, encapsuated, all the things you should know about web design and development. If you can do all this stuff, you are going to do ok as a developer.

function printR($arr, $label= null) {
if($label){
echo “<h2>$label</h2> \n “;
}
echo “\n\n<pre>\n”;
print_r($arr);
echo “\n</pre>\n\n”;
}

You can of course do fancier things should you wish to dump your results to a directory before overwriting your files.

#!/bin/sh
for files in `find *.php`
do
sed ‘s/..\/..\/adminincl/includes/g’ $files > ‘temp’.$files && mv ‘temp’.$files $files
done

svn
make svn code directory, call it codebase. Put a trunk, branches, and tags directory below it. Import all that codebase under trunk. That means, the whole site. Also, make a directory for your db, and put a db dump in there. If you are running a cron, make a directory called cron, put your cron scripts in there and a text file copy of your crontab. Don’t store passwords in subversion, as in the top level file that your site uses. Make a version of the file without the passwords, call it something like config.orig.php or whatever, and check that in instead. Also, you may need the equivalent of the CVS ignore command called svn propset and make use of it.
#svnadmin create repository_directory

#svn import codebase file:///home/user/pathtorepositorydir/repository_directory -m “initial import”
check out your remote repository into your local machine at the command line:
#svn checkout svn+ssh://user@domain.com/home/user/repository_directory/trunk .
local:
#svn checkout file:///home/user/pathtorepository/repository_directory html/

now you are checked in and out, you can delete codebase directory.

svn export works in a similar way. It pulls out the files from the repository sans .svn directories.
#svn export svn+ssh://user@domain.com/home/user/repository_directory/trunk

grep
find instance and string in and below current directory, pipe it to less.
#grep -r “string” * | less

find
find all those old CVS or .svn directories, and kill them:
to look:
#find . -type d -name “.svn”
to dump to a file
#find . -type d -name “.svn” > dump.txt
when you are ready:
#find . -type d -name “.svn” -exec rm -rf {} \;

Another way to wipe out everything:
#find . -name ‘*’ -print0 | xargs -0 rm
this means find here, the name of all, dont print it to stdout, then redirect the output to as an argument that the rm command will execute on.

scp
push a file
#scp localfile.txt user@domain.com:pathtofile/remotefile.txt
grab a file
#scp user@domain.com:pathtofile/remotefile.txt localfile.txt

rsync
get all those image files
#rsync -avz user@domain.com:/home/pathtofiles/ .
ah yes, but I will get a complaint  from subversion about my directory being out of sync because what I just did was downloaded the .svn file from the server over that directory. They arent the same, so your svn update now crashes. What do do?
# rsync -avz –exclude=.svn  …….then everything else after that. More options in the man pages.

mysql
Export a db
#mysqldump -uuser -ppassword -hlocalhost dbname > db.sql
Import a db
#mysql -uuser -ppassword -hlocalhost dbname < db.sql

crontab
A crontab line should point to a .sh script. The .sh script can then execute the shell script. This enables you to use either the sleep funciton or looping constructs to run the script a multiple of times if you like, and  keeps your command to one line inside the cron.
Look at your crontab with #crontab -l edit it with #crontab -e
Crontab time examples:|
1 */3 * * *  every 3 hours, one minute after the hour. Where possible, dont run a crontab exactly on the hour, because that is when everybody else does it on a shared host. Set it for a minute after when the cpu isnt likely to be so taxed.
1 0,12 * * * every 12 hours, one minute after the hour.
*/1 * * 3/6 every minute on every third and sixth day of the week

wget
use wget to grab that tarball directly, for when you are grabbing such things off sourceforge or wherever.
# wget http://domain.com/pathtofile.tar.gz

tar
good old tape archive.
To extract:
#tar -xvvf filename.tar.gz
To archive:
# tar -czvf tarballname.tar.gz directory

screen
Got a shell connection to a dodgy host that keeps giving you the boot? after you login, run screen:
#screen -DD -R

You will still get booted, but at least you can get right back to where you were when you reconnect by replaying the above command.

mysql
you probably know mysql command line access if you are on this page. You have to know how to work with this because a database can exceed the size allowable for transfer over http, making into phpMyAdmin impossible. But a goodie that I found is that case when you want to wipe out all the tables in a db, but not the db itself, in order to preserve all the privleges, and access credentials. The following line can save a step:
#mysqldump -uuser -ppassword –add-drop-table –no-data dbname | grep ^DROP | mysql -uuser -ppassword dbname

It would work like this:

• set a number of allowed login attempts.
• set the time limit in seconds for duration of access denial.
• keep track of the number of failed login attempts.
• keep track of when login attempts started with timestamp function.
• test for meeting or exceeding the number of allowed login attempts.
• let them keep trying if they have waited past the time limit.
• set a time limit for when they can come back, and forbid them.
• give them some messages and links to help.
• if the login has been successful, wipe out all the tracking for login attempts.
• You are done.

Here we go, into your login processor after initial validation and constructing a sql query.

$loginAttemptsAllowed = 5;

if( $_SESSION['loginAttempt']['Count'] <= $loginAttemptsAllowed ) {
  $result = $db->queryRow($sql); // only query db if allowed to do so
}

if( !$result ){
  $seconds = 300; // 5 minutes
  // if trying again after lockout time limit ....
  if( $_SESSION['loginAttempt']['Count'] >= $loginAttemptsAllowed ) {
    $difference  = abs($_SESSION['loginAttempt']['LockoutTime'] - $_SESSION['loginAttempt']['Time']);
    $diffSeconds = round($difference);
    if( $diffSeconds > $seconds ) {
      unset($_SESSION['loginAttempt']); // they failed but have a new set of chances
      } else {
      $minutes = $seconds / 60;
      $message = "Sorry, you have had $loginAttemptsAllowed failed login attempts. <br />
      We temporarily forbid access in order to protect your private information. <br />
      Please wait $minutes minutes before logging on again.";
      }
    } else {
    if( !isset($_SESSION['loginAttempt']['Time']) ) {
      $_SESSION['loginAttempt']['Time']  = get_microtime();
      $_SESSION['loginAttempt']['Count'] = 1;
    } else {
      $_SESSION['loginAttempt']['Count']++;
    }
    if( $_SESSION['loginAttempt']['Count'] >= $loginAttemptsAllowed ) {
      $_SESSION['loginAttempt']['LockoutTime'] = get_microtime();
    }
    $message = "login error";
  }
  addMessage($message, "MsgErr");
  redirect($_SESSION["backPage"]);
  exit();
}

….. go on and log them. Dont forget to unset( $_SESSION['loginAttempt'] );
// a couple of the functions in there are custom ones, they are basically just wrappers.
// I forget where I got the following function, but it is used for benchmarking. Maybe php.net?

function get_microtime() {

  $mtime = microtime();

  $mtime = explode(" ",$mtime);

  $mtime = doubleval($mtime[1]) + doubleval($mtime[0]);

  return ($mtime);
}

So there you have it. Forcing users to have highly secure passwords, while a good idea, is not always possible.

Keep your users safe. And curses to wordpress for screwing up my code formatting…

You really do want to keep the mod_rewrite rules simple. Dont try to write a complex regexp in mod_rewrite that handles all kinds of apostropes, special characters, etc. (like I did). You dont have to have question marks, quotations, colons in the rewritten url for it to be useful to search engines. You can turn a title like “O’mally’s dog’s bone” into http://domain.com/Omallys_dogs_bone and there is definitely enough textual sense in that rewritten url for a search engine to deal with it.

Take your table with all your content data in it. Create a field for your content for a safe title. Then you can process your old titles into the new field. In your looping construct, use a bit of php to clean out your old titles for spaces, quotes, slashes, and other silly things.

$punctuations = array('.', '\'', '?','!','*','=','Ó','%','@','&',',','/');

$safeTitle = str_replace($punctuations, "", $title);// get rid of the junk

$safeTitle   = str_replace(" ", "_", $safeTitle);// replace spaces with underscores

Now you have a content resource which you can add to your output queries that will fill in your url link on your page for mod_rewrite goodness.

Make your mod_rewrite rule in your .htaccess file. Note here that the rule has a place for 2 variables, and is looking for all instances of strings with upper and lower case letters, the numbers 0-9, and the underscore character. And of course, it turns it all back into a query string to submit to your content page.

RewriteRule ^/?([a-zA-Z0-9_]+)/([a-zA-Z0-9_]+)(/)?$ item.php?safeTopicName=$1&safeTitle=$2

Almost done right? Eh, not quite. Almost though. Dont screw over your existing users, who may have linked to something of yours to the past. You can still account for your old reference style to your web content, and you most definitely should. You can write checks for query string data validation to allow for transparent access to content through either the old query string method or the new one.

if($_GET["safeTopicName"]){

  $sql = sprintf("SELECT topicId
                  FROM contentTopics

                  WHERE safeTopicName

                  LIKE '%s'",

                mysql_real_escape_string($_GET["safeTopicName"]));

  diode($topicId = $db->getOne($sql), $sql); // my db connection wrapper

  $sql = sprintf("SELECT articleid

                  FROM content

                  WHERE safeTitle

                  LIKE '%s'",

                mysql_real_escape_string($_GET["safeTitle"]));

  diode($articleid = $db->getOne($sql), $sql);
} else {

  if($_GET["topicId"]) {

    $topicId =  (int)$_GET["topicId"]);

  }

  if($_GET["articleid"]) {

    $articleid =  (int)$_GET["articleid"];

  }
}
if(!isset($topicId) || !isset($articleid)) {

    addMessage("no item found", "MsgErr");

    redirect();

    exit();

}

A couple notes: Im using PEAR, and a couple of custom functions for efficiency sake. Note the use of (int) and mysql_real_escape_string() for sanitizing and typing.  And yes, there are probably better ways to write this up, but you get the idea. Look for your $_GET vars, and if you dont have one set or the other, no result, otherwise, process it so the rest of the code needs no further reliance on these initial options so a user can get to your site with /Planets/earth as well as with item.php?topicId=2&articleid=249.

To Recap:

• Set up safe versions of your content titles
• process the old titles with a script
• make a simpler rewrite rule as a result
• set up your validation to process both kinds of queries
• marvel about how much simpler it was to do it that way than to try and do it all with Mod_Rewrite alone.

Create a moving target that attackers cannot seize upon repeatedly. build arrays in a looping construct for all the form fields you want to assign in your page. Store them in a PHP Session array. You use built-in php functions such as md5(), uniqid(), microtime(), mt_rand(), and a salt value if you like as well. You output your form fields dynamically, using php to assign the randomized hash to the name value of the form field. Enter some data, submit the form. The script takes your $_POST array and compares the array keys to $_SESSION. You can then do further validation and then assign your values to common sense variable names that are always private.

When you have validated this submission, you know the data has come from your form page. While you can spoof referrers, You cant spoof the form field names because they are only created at runtime.

The honeypot is the inverse approach, And also has lots of fans in its camp. A honeypot is a web form with addtional form elements, usually of a hidden type, that get discovered by a spammers crawler. They then seize upon the field name and use it in an attack. But since the form field isnt visible to users through the browser, it must be some kind of forged submission, and is worthy of filtering out.

The advantage of the moving target over honeypot is that forged submissions can be filtered out earlier in the script. Also, an attacker could easily analyze the form page once and determine what form fields to omit, and just add that information into the submitting script. They visited the page once, made a correction, and are back in business. Even so it is known as a successful defense. It is a successful defense because of the reason spam is spam: people messing with your site without ever even visiting it, not once. And if you are using an off-the-shelf website-in-a-box like WordPress or Drupal or whatever, the attacker can even more easily attack your site, with its cookie cutter template form elements, one same as the other million out there already.

It is very economical to attack as many sites as possible in the same way as possible. It will always be so.

I have had my share of naysayers over the moving target method. Please allow me reply to a few of the comments others have already made.

Why not just use the form name, why all form fields? I guess you could, but really there are a couple answers. First is the concept of defense in depth. Secure the whole thing, not just one element that an attacker could lock on to. Next answer is that it is simple enough to do the work in php to generate all the form field names you wish.

The site could still be attacked. Yes. Assume that it will be. Funky forms is of course not the only line of defense you must apply to stop your site from being trashed. What I was able to accomplish here is to break the link between the site and the garden variety automated attack, which must assume to know your form name and names of input fields in order to forge the rest of the information. The client must be on your web page in real time to submit data into your form. And in fact that is all the moving target approach does. The attacker still harvests your page, prepares a http remote attack in the guise of a simulated form posting, then goes to work, submitting to all the websites. But nothing gets through to a site with the moving target approach because field names wont match up.

A position based attacker could still hit it. Yes but of course you are not done validating your input because you have this in place. Spam, like anything else, is a matter of economics, in terms of both time and money. Yes someone could get you, but not likely, because like 2 boxers in a ring, both have to be stationary for a moment for a punch to connect. Otherwise its much harder to be effective, and much less powerful. The analogy is a fair one: The time required to hit a site with moving target is greater than the time to perform the usual kind of automated crawling and submitting designed for static form field names. The mere fact that you require your user to be on your page, absolutely, is enough in itself for attackers not to bother changing its tactics for millions of websites, or to lose so much time to making an exception to you that it becomes uneconomical to do so. As it stands, they may never even know that their submission was unsuccessful. You can of course push suspicious submissions to Akismet.

Yeah but sessions are evil and should never be used. Some have said so. Not to long ago, they didn’t work very well. But this isnt the case anymore. Drupal doesn’t use sessions, for example, and other middlewares avoid them as well. Projects with requirements for handling legacy code, particular kinds of services or policies may insist that sessions not be used. But even more evil is to never use sessions because of not understanding how to use them properly and parsimoniously.

First comes your form page, use some php before the form to generate the fields that you need.

<?php
session_start();
if(!$_SESSION["subscriber"]["values"]) {
  $fieldNamesCount = 11;
  $fieldNamesArray = array();
  for ($i = 0; $i < $fieldNamesCount; $i++) {
    // $fieldNamesArray2[] =  md5("killSpam" . uniqid(microtime(), 1)); // random coctail with salt, if you wish
    $fieldNamesArray[] =  uniqid(md5(mt_rand())); // random coctail
  }
  $_SESSION["subscriber"]["fieldNames"] = $fieldNamesArray;
} else {
// do something when its a return pag
}

echo "<pre>";
print_r($fieldNamesArray)
echo "</pre>";

……. and then your form fields look something like this:

Name: <input type="text" name="{$_SESSION["subscriber"]["fieldNames"][0]}" value="<?php  echo  $_SESSION["subscriber"]["values"][0]; ?>" size="20" maxlength="50" />

Phone: <input name="{$_SESSION["subscriber"]["fieldNames"][1]}" type="text" value="<?php echo  $_SESSION["subscriber"]["values"][1]; ?>" size="20" maxlength="20" />

You submit this to your form target script. If you look at your page Info in Firefox, under the forms tab, you will see you have form field names created from random hashes generated at runtime. The values for the names will be unique at every page load. The user must be on the page to submit.

So lets take a look at the script you are posting this data to.

Lets just assume that you are pointing this form submission to a different file, so here is what is required at a minimum:

<?php
session_start();
if (!$_POST) {
  echo "no post reference";
  exit();
}
// compare $_SESSION["subscriber"]["fieldNames"]
// to array_keys($_POST);
if(!$_SESSION["subscriber"]["fieldNames"]) {
  echo "no ref to my session";
  exit();
}

$postedKeys = array_keys($_POST); // I need to access this as an  array.

$_SESSION["subscriber"]["values"] = $_POST;
$realNames = array('Name','Telephone',.... etc);

for($i = 0; $i < count($postedKeys); $i++) {
  if($postedKeys[$i] == $_SESSION["subscriber"]["fieldNames"][$i]) {
    // no cheating! you must you my randomly generated field names to use this page!!!!
    $realValues[$realNames[$i]] = $_SESSION["subscriber"]["values"][$_SESSION["subscriber"]["fieldNames"][$i]];
  } else {
    // its the work of satan
    echo "please dont do that ";
    exit();
  }
}

so if it passes all the tests, its good to go. Otherwise, its like two people talking to each other who dont speak each others language. They will never get what each other is saying, will never understand, and will just move on.

But really, this is a problem that is endemic to cms packages. A hacker can write one script and attack all drupal sites on the world wide web. Same problem for wordpress and every other website in a box. They all have a url that someone can post to with name & value pairs. There are always lots of things to do to protect your site, but with every new upgrade and patch, there are always new exploits that might just work when applied to your site.

Without a human being to look and see, you wont know that your site has been tossed until you see it for yourself, and remains that way until it is fixed.

Randomizing not only the form name but also the field names was a very successful experiment in my case when someone had my number. The attacker cant presume the name of your fields then so easily, and then they cant attack you. Its like you become a moving target, not a static one. At the very least, they actually need to be on the page in real time in order to post something. Now other developers have told me that in fact it could be attacked with a position based form filler, say based on a xul widget or hacked firefox, but this solution, while possible by some attackers, is generally extra effort to include in the whole looping construct for the attack.

Spam networks hire out at at least $5000 an hour, I learned at a VanLug talk last year. So if an exploit takes too long to seize on to, it is not worth the time. CMS packages are uniform instances of software in terms of action urls and form and field names, so they are static things to sieze upon in the eyes of an attacker who has to provide the biggest bang for the buck. They are sitting ducks, just waiting to get attacked. If even an array key was constructed of a md5 hash at page load time, stored in a session  (oops, no sessions in Drupal, not Kosher, if you are a Drupalist), that at a minimum would be enough to be a moving target an attacker would be unable to sieze upon without actually being on the page in real time. And that is the whole problem with spammers, they never even visit your site. Never have and never will.

Mercer, David. Drupal: Creating Blogs, Forums, Portals, and Community Websites, How to set up, configure, and customize this powerful PHP/MySQL-based Open Source CMS. Birmingham, U.K.: Packt Publishing, 2006.

Its a pleasure to write a review on David Mercer’s Drupal, Creating Blogs, Forums, Portals, and Community Websites, from Packt Publishing. This title will allow you to know much more about Drupal’s features, and it will become a much more valuable to you as a result.

I have wanted to know more about Drupal ever since seeing Drupal emerge as the Content Management System (CMS) of choice in my local user group community over the past couple of years. You might say that that some of the local developers have really drank the kool-aid by the measure of their enthusiasm for Drupal. There is a Drupal User Group in town now; I also sat in on a PHP User group presentation on Drupal by inventor Dries van Buytaert; I’ve eavesdropped on the conversations of developers waxing away on all the great stuff they can do with it, and how great it is; then of course there was the massively successful Northern Voice / OpenSourceCMS conference, said hi to Dries again, and a couple hundred coders and bloggers, were all very thirsty, hungry, and excited about all they could do or wanted do with Drupal. It was all they could talk about. Drupal Drupal Drupal, its all I ever heard! Its just another Content Management System, right? But I cant remember when I saw so much enthusiasm for a single piece of software. There are lots of Content Management Systems out there, right? Drupal is just another, right? Why this CMS? Is there something to all this excitement for Drupal? What, exactly, is in that kool-aid that everyone else is drinking? Maybe, there’s something to this Drupal thing after all…

Drupal is a content management system written in PHP with MySQL database. Its for blogs, communities, news sites and more. It is one of those select breed of packages that you can always rely upon to run the first time, ‘right out of the box’, with a minimum of effort, ready to run. Then there is a large array of extensions and skins, written by that enthusiastic Open Source community I just mentioned that you can add into your package, and when you do, they just work, with a minimum of instruction and effort. Drupal is what most people would call an excellent example of what Open Source software is all about, with thousands of sites using this package and development communities around the world.

So its a package that works right out of the box, easy to set up and run, lots of resources, and tons of community support. In fact, with some basic knowledge of computers, a shared hosting account, and a bit of your time with David Mercer’s book, you could become a self-reliant owner/operator of a Drupal website, with features and functionality that dynamic websites are supposed to have, supporting categories of text and media, and users organized by roles an access levels you can define.

Say you might be someone I would describe as a website client I build sites for. You could use Drupal and avoid having to pay a developer ( like me ) money to build a dynamic website that has the features that Drupal has. On top of that you would have the benefit of the free extensions, modules, skins, and community that you wouldn’t have if you got someone to code up a site for you. There are arguments against using an off-the-shelf CMS, like if you have a very particular need, type of thing you are doing, but I am not going to entertain that here. You even have the contentment of knowing what it is you have for a website, if you weren’t technically inclined, and you would know six months from now. You are sold, you save a bundle on your website budget, but why would a developer give that all away? The answer is this: the higher the abilities of my clients, the more interesting the work is for me. Work is performed on tasks that need to be done, not on tasks that have been done already. We don’t need to reinvent the wheel here, most of the time, and the work a developer does within a Drupal site can be applied to other Drupal sites, and even shared with the development community. Find out everything to know about Drupal, its history and future, at http://drupal.org.

If you are that kind of person, David Mercer’s book on Drupal is for you. Its a well written book to help reduce your trial and error, and allow you to get on with the business of operating your website in a knowledgeable manner. And isn’t that the point? Its a book that is designed to help you learn about what Drupal can really do for you. Use this book and you can become an expert in Drupal without necessarily needing to be an expert in PHP.

The first chapter provides an introduction to Drupal, and explains again a lot of those whys I covered above, but in detail to give it credit. The second chapter covers setting up your development environment and gives you an overview of the technologies Drupal is built upon, namely the LAMP stack. Follow the instructions in this book and you will be fine. You need a development environment? No, but really you do, trust me, you do. Apache2Triad is recommended as an offline development environment. While I would have recommended XAMPP instead, both do the job. If you don’t have one of these, get one. Hey, everybody needs a sandbox.

You then get lessons in site configuration, and adding functionality. After the groundwork has been laid for you, an aspect that you will appreciate down the road, you get on with the business of adding features and functionality to your site. You get introduced to modules, so you can add the chunks of code you need so you can do what you want with the site, and blocks, so you can place them where you want.

Users, Roles, and Permissions explains Drupal’s web admin system for managing users with access policy, roles, and rules. Access rules are something site owners need to know about because the task of keeping the people you want as members to your site is simpler than keeping the people you don’t like off your site, like members who make nuisance postings in your forum.

You then move on adding and management and content, where you learn how to add and manage content in your site, and then cover in more detail filtering input for code, and what that means, and the Taxonomy module, arguable the most important module within Drupal. The Taxonomy module allows you to determine the method of your your content is organized. Good advice is here: it means the difference between running your site and running it eloquently and well.

The book continues on at in a look at Drupal’s theme system, and techniques for styling and customizing your site look with CSS. The following chapter is on more advanced features and Modifications to the site, with examples such as Adsense, Flexinode, and News Ticker. While depth of this material is in many ways introductory, it also does a good job of indicating for more experienced developers an overview of what depth one has to wade into in order to start in earnest with the customization of the site.

Your site development efforts are all applied together when you are ready to deploy your site. Again, the chapter covers tips, hints, tricks, and other valuable lessons for running your site, such as choosing a host, your database, backups, crons, poormanscron, site throttling, search engine optimization, web site statistics, and more. Again, this material is laid out to cover the major points in live website maintenance so you know how to be independent, but also as an overview to more experienced developers for what in a Drupal site needs to be done the ‘Drupal way’.

You don’t need this book to start with Drupal, but you will learn a lot more about it if you do. And that is the whole point, isn’t it?

Vancouver PHP Users http://vancouver.php.net/

sites for tutorials, reviews

http://developer.yahoo.com/php/
http://www.php.net/manual/en/
http://www.phpit.net/
http://www.elroubio.net/
http://www.sitepoint.com/
http://www.thesitewizard.com/
http://www.phpdeveloper.org/
http://www.phparch.com/

http://www.phpbuilder.com/

http://www.zend.com/zend/tut/
http://www.devshed.com/c/b/PHP/

http://webmonkey.wired.com/webmonkey/programming/php/

Content Management systems
http://moodle.org/
http://www.phpbb.com/
http://drupal.org/
http://wordpress.org/
http://phpadsnew.com/two/

Software tools
http://www.mysql.com/
http://www.sqlite.org/
http://www.apache.org/

http://www.phpmyadmin.net/
http://lamppix.tinowagner.com/

Internet News
http://slashdot.org/
http://news.netcraft.com/
http://www.digg.com

Scripts, etc http://freshmeat.net/
http://sourceforge.net/
http://pear.php.net
http://www.phpclasses.org

A little time spent with user groups can improve your skills. Take for example the possibility of reducing costs by learing how to use Open Source software, or perhaps you can find new ways to serve your clients and customers.

User groups are really for anybody interested in technology. if your skill background is different from the group, its still an opportunity to share your own knowledge, and you add diversity to the group. Think about going to a user group for something you might want to know more about.

User groups arent just for experts; they consist of regular people, and this is important to understand. They are the grassroots organizations for modern technologies, and they help put a human face to technology.

User groups provide an unprecedented opportunity for networking and learning in the field. You can get exposure and information from first hand users you may never get from learning on your own. Regular meetings feature talks by association members or invited guests, and the groups all have websites which post forum discussions and job postings. Groups even occaisonally organize larger events and conferences. Its a great opportunity to see how the field of technology works from the inside.

User groups operate with minimal overhead. Meetings are free to attend, and sometimes there are even courtesy offerings of pizza and soft drinks. Membership is optional. But still what is really surprising is that most user groups are fairly small, even though the opportunities for networking, knowledge and participation are excellent. Maybe these organizations just need a little more publicity to increase their attendance numbers.

The best way to support these groups is by going to meetings because you can help share the awareness of these groups with your colleagues. User groups have become the bulwark in promoting Open Source technologies, which otherwise dont have marketing and advertising budgets that major technology corporations have. It can help you get ahead in your profession – and you can enjoy a good slice of pizza while you are at it.

If only groups were a bit more aware of each other, they could become a greater force and option for the public to get what they want and need from technology.

To start you off, here’s a partial list of groups for Vancouver area. Spread the word!

PHP: Vancouver PHP Users Association http://vancouver.php.net
Linux: Vancouver Linux User Group (VANLUG) http://www.vanlug.bc.ca
XML: Vancouver XML Developers Association http://www.vanx.org/
freeBSD: http://www.vanbug.org
Python / Zope : http://www.vanpyz.org
Java: http://www.openroad.ca/vanjug
.NET: http://www/netbc.ca
Macintosh: Hosted by Apple Canada http://www.mactag.org
Perl: Vancouver Perl Mongers http://vancouver.pm.org
Microsoft: http://www.vantug.com
Information Processing: Canadian Information Processing Society http://local.cips.ca/vancouver/
Graphic Design: SIGGRAPH http://www.vancouver.siggraph.org/
Game Design: http://www.igda.org/vancouver/
Software Developers: Vancouver Software Developers Network (VANDEV) http://softwaredev.meetup.com/17/
Software QA: Vancouver Software Quality Assurance Group http://vanq.org/
GIS: Vancouver GIS Users Group http://www.vancouvergis.org/
Bioinformatics: VanBUG: Vancouver Bioinformatics User Group http://www.vanbug.org/
Useability: The Vancouver User Experience Group (VanUE) http://vanue.com/
Wired Woman: http://www.wiredwoman.com/mc/page.do?sitePageId=2952
Engineers: IEEE Computer Society, Vancouver Chapter http://www.kruchten.com/IEEE/