More complexities

Due to the fact that I had a JavaScript midterm last week, I haven’t done any coding for my game project. That’s okay. This is not going to be something I’m going to hack out over the course of a week. Or a month. This is going to take a long, long time.

In the meanwhile, I’ve been doing some reading.

Let’s talk about usernames: Excellent read. Also, horrifying. As I was reading, I came across this line:

There’s our user table, there’s our unique username column. Easy!

That’s exactly what I was thinking. That’s how to make something unique, right?

And then I kept reading. Case-sensitivity, normalization, punycode, other alphabets… Also, single-script confusables (i.e. a lower-case L, the number one and a capital I, l 1 I, all look ridiculously similar in many fonts). Is that a problem? And what about unique emails? Gonna have to take the + sign that Gmail allows and nuke everything after it to ensure truly unique emails. Also, remove all periods in the email’s username portion. And what about names like “root” or “admin”? Probably should disallow those, too.

So that alone gets complicated.
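Here is one way the pieces listed above fit together in PHP. This is an added example, not code from the post or from the game project: it derives a canonical key for the UNIQUE column (NFKC normalization, case folding, a small confusables table, a reserved-name check) while keeping the name the user typed for display, and canonicalizes email addresses. The reserved-name list, the confusables table and the 3–32 character limit are illustrative assumptions. One caveat a practitioner will want: the “strip dots and everything after +” rule is a Gmail convention, and a dot or a plus tag is significant at many other providers, so applying it to every domain would merge two different people’s addresses. The example therefore applies it only to Gmail domains.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Requires the intl
// (Normalizer, idn_to_ascii) and mbstring extensions. RESERVED_NAMES and
// CONFUSABLES are small illustrative tables, not a complete policy.

const RESERVED_NAMES = ['root', 'admin', 'administrator', 'support', 'system', 'moderator'];

// Single-script confusables, applied after lower-casing (capital I is already
// "i" by then). The canonical key is used for uniqueness and lookups ONLY; the
// name as typed is stored separately for display.
const CONFUSABLES = ['l' => '1', 'i' => '1', 'ı' => '1', 'o' => '0'];

function canonicalUsername(string $username): string
{
    // 1. NFKC folds compatibility forms (fullwidth "Ａ", ligature "ﬁ") into plain letters.
    $u = Normalizer::normalize($username, Normalizer::FORM_KC);
    if ($u === false) {
        throw new InvalidArgumentException('username is not valid UTF-8');
    }
    // 2. Whitelist the alphabet and length instead of silently stripping:
    //    letters, digits, underscore, hyphen; 3 to 32 code points.
    if (!preg_match('/\A[\p{L}\p{N}_-]{3,32}\z/u', $u)) {
        throw new InvalidArgumentException('username has disallowed characters or bad length');
    }
    // 3. Case folding, so "Julie" and "JULIE" collide.
    $u = mb_strtolower($u, 'UTF-8');
    // 4. Collapse confusables, so "paypal" and "paypa1" share one key.
    $u = strtr($u, CONFUSABLES);
    // 5. Reserved names are compared on the canonical form, so "Admin",
    //    "adm1n" and fullwidth "Ａdmin" are all refused.
    $reserved = array_map(function (string $r): string { return strtr($r, CONFUSABLES); }, RESERVED_NAMES);
    if (in_array($u, $reserved, true)) {
        throw new InvalidArgumentException('username is reserved');
    }
    return $u;
}

function canonicalEmail(string $email): string
{
    $email = trim($email);
    $at = strrpos($email, '@');
    if ($at === false || $at === 0 || $at === strlen($email) - 1) {
        throw new InvalidArgumentException('not an email address');
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);

    // Domain: IDNA/punycode so "bücher.example" and "xn--bcher-kva.example"
    // compare equal; domains are case-insensitive.
    $ascii = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
    if ($ascii === false) {
        throw new InvalidArgumentException('invalid domain');
    }
    $domain = strtolower($ascii);

    // Local part: RFC 5321 says it is technically case-sensitive, but no major
    // provider treats it that way, so lower-casing is the usual trade-off.
    $norm = Normalizer::normalize($local, Normalizer::FORM_KC);
    if ($norm === false) {
        throw new InvalidArgumentException('local part is not valid UTF-8');
    }
    $local = mb_strtolower($norm, 'UTF-8');

    // Provider-specific rules, applied only where they are known to hold.
    if (in_array($domain, ['gmail.com', 'googlemail.com'], true)) {
        $local  = explode('+', $local, 2)[0];   // drop the "+tag"
        $local  = str_replace('.', '', $local);  // dots are ignored by Gmail
        $domain = 'gmail.com';                   // googlemail.com is an alias
    }
    return $local . '@' . $domain;
}

// Constructed sample inputs.
foreach (['Julie', 'JULIE', 'Ju1ie', 'paypal', 'paypa1', 'Ａdmin', 'r00t'] as $name) {
    try {
        printf("%-8s -> %s\n", $name, canonicalUsername($name));
    } catch (InvalidArgumentException $e) {
        printf("%-8s -> rejected: %s\n", $name, $e->getMessage());
    }
}
foreach (['Julie.Smith+games@Gmail.com', 'juliesmith@gmail.com', 'Julie.Smith@example.org'] as $addr) {
    printf("%-30s -> %s\n", $addr, canonicalEmail($addr));
}
```

Running it shows the first three usernames and the pair “paypal”/“paypa1” collapsing onto the same keys, the two Gmail addresses mapping to one canonical address, and the example.org address keeping its dot. Store the canonical values in the UNIQUE columns and look accounts up by them; never show them to the user in place of the name they typed.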

Then I did some more reading about PHP web apps in particular, in terms of best practices, just to make sure I’m on the right page. This page, PHP Best Practices, is a great resource. It’s mostly in English, basically, which is useful. Or, at the very least, I can understand it. It also goes into detail about why you should or should not use a specific way of doing things.

So in terms of storing passwords, I’d been right — this resource recommends bcrypt hashing. That’s wonderful.

In terms of connecting to, and querying, a MySQL database, not so much. Turns out the method I hated most (PDO – PHP Data Objects) when learning is the newest and most robust method, particularly when using prepared statements. All of my testing code to date uses mysqli, so that’s something I need to rewrite to ensure it works okay.
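The two recommendations above (bcrypt for passwords, PDO with prepared statements for MySQL) combined into a minimal registration and login flow. This is an added example, not code from the post, the game project or the PHP Best Practices page. The table name, column names, cost factor and DSN are assumptions; it assumes canonical username/email values are computed before the call. Two details worth noticing: uniqueness is enforced by the database’s UNIQUE index (a SELECT-then-INSERT check in PHP has a race), and the login path verifies against a dummy hash when the user does not exist so response time does not reveal which names are registered.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Schema, column names and DSN
// are assumptions. Canonical username/email are computed by the caller.

const BCRYPT_COST = 12; // tune so one hash takes roughly 100 ms on your server

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// MySQL schema the example assumes. The UNIQUE indexes do the uniqueness work.
function schemaSql(): string
{
    return <<<'SQL'
CREATE TABLE IF NOT EXISTS users (
    id                 INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    username           VARCHAR(32)  NOT NULL,
    username_canonical VARCHAR(32)  NOT NULL UNIQUE,
    email_canonical    VARCHAR(254) NOT NULL UNIQUE,
    password_hash      VARCHAR(255) NOT NULL
) CHARACTER SET utf8mb4
SQL;
}

function registerUser(PDO $db, string $username, string $usernameCanonical,
                      string $emailCanonical, string $password): int
{
    // bcrypt only looks at the first 72 bytes; refuse longer input rather than
    // silently truncating it.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    // Never build this with interpolation ("... VALUES ('$username', ...)");
    // a quote in the input would become part of the SQL. Placeholders keep
    // data and query separate.
    $stmt = $db->prepare(
        'INSERT INTO users (username, username_canonical, email_canonical, password_hash)
         VALUES (:username, :canon, :email, :hash)'
    );
    try {
        $stmt->execute([
            ':username' => $username, ':canon' => $usernameCanonical,
            ':email'    => $emailCanonical, ':hash' => $hash,
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: a UNIQUE index fired.
        if (($e->errorInfo[0] ?? '') === '23000') {
            throw new RuntimeException('username or email already taken', 0, $e);
        }
        throw $e;
    }
    return (int) $db->lastInsertId();
}

// Returns the user id on success, null on failure.
function loginUser(PDO $db, string $usernameCanonical, string $password): ?int
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username_canonical = ?');
    $stmt->execute([$usernameCanonical]);
    $row = $stmt->fetch();

    // Always run one bcrypt verification, even for unknown users.
    $hash = $row === false ? $dummyHash : $row['password_hash'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparent upgrade if the cost factor was raised since the hash was made.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $row['id']]);
    }
    return (int) $row['id'];
}

// Usage (needs a live MySQL server):
//   php users.php 'mysql:host=127.0.0.1;dbname=game;charset=utf8mb4' dbuser dbpass
if (PHP_SAPI === 'cli' && isset($argv[3])) {
    $db = connect($argv[1], $argv[2], $argv[3]);
    $db->exec(schemaSql());
    $id = registerUser($db, 'Julie', 'ju11e', 'julie@example.org', 'correct horse battery staple');
    var_dump(loginUser($db, 'ju11e', 'correct horse battery staple') === $id); // bool(true)
    var_dump(loginUser($db, 'ju11e', 'wrong password'));                       // NULL
}
```

Porting the existing mysqli test code over mostly means replacing `mysqli_query` with `prepare`/`execute` pairs like the ones above; mysqli also has prepared statements, so the important change is binding every value rather than interpolating it, not the driver itself.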

So lots of reading and understanding done there and more to come, I’m sure.

In other news, I successfully installed a Let’s Encrypt SSL certificate all by myself for one of my (many) domains. The only bummer is that they expire every three months. Still, refreshing them takes like, five minutes. So it’s not too bad. And it’s free! That’s one of my projects for this spring: Get all of my sites to be on SSL, using HTTPS, even though I basically don’t ask for any user information whatsoever. Why? Because Chrome is starting to list things as “insecure”. So that’s something to do.

Finally, in terms of work, can I just say how delightful it is to have a job that allows us to work flexibly? I was about an hour and change short of my 40 hours last week, so I made up the time this weekend. Of course, in making up the time this weekend, I actually worked for almost three hours. So because I worked an extra two hours or so, those are banked against next week’s time. Normally, I work 9-hour days on Mondays or Tuesdays (sometimes both) in order to make up for class on Thursday, but it seems as though I won’t need to do so this week. And the bonus is, I’m all caught up on my own outstanding tickets. Whew.

All right, it’s now past midnight, so I should consider going to bed, now. Have an excellent week!

Continuing Adventures in Coding

Well, it’s 12:43am on Wednesday, February 14 (… happy Valentine’s Day?) and I feel like a coding badass.

Why? Well, two reasons.

The first is that I was working on Tuesday and someone had a ticket open with me that was complaining that one of our plugins was forcing use of the http protocol, rather than the https protocol. And I’m like “pfft, no way,” so he sends me a video and shows me and I’m like… “whaaaat?”

So I went digging around on GitHub in the code.

Sure enough, in the abstract class file (which, in case you’re unaware, serves as a template, if you will), there was a reference to a variable for a base URL… which had http hardcoded as the protocol to use.

Now, that might not seem like a big deal, because so much of the web is insecure and has no real need to be secure. But we deal with ecommerce sites, so HTTPS is, more often than not, in use on these sites. So why on earth didn’t the developers use // as a protocol agnostic prefix to the base URL? No idea. Literally, no idea.

Of course, this was coming from me, with my whole entire 80 hours of PHP under my belt, so although that’s what it looked like to me, I wasn’t certain. I flagged it to a developer who took a look and said “great sleuthing!” and she pushed some changes which made it into the release that’s going out this week. I was so surprised that:

a) I was right

b) This code existed in the first place!

I mean, I haven’t done any secure sites ever, but I learned at my last workplace that one needs to account for whether or not the client will be using an SSL certificate, so you should always use // instead of specifying http or https. Makes sense. I checked the history and it appears that the two lines with http in them had been there since, oh, the start of the plugin. hahaha.
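The hard-coded scheme described above, next to two ways of fixing it, as an added example (not the plugin’s code; class, method and host names are assumptions). The protocol-relative `//` form is the fix the post describes. The second form derives the scheme from the request, which matters for two reasons a practitioner will want to know: a `//` URL on a page that was itself served over plain HTTP stays HTTP, and outside a browser (an email, a JSON response, a log line) there is no page scheme to inherit. Behind a TLS-terminating load balancer PHP only sees plain HTTP, so the example consults `X-Forwarded-Proto`, but only from a trusted proxy address, because any client can send that header.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names are assumptions; the $server
// array stands in for $_SERVER so the functions can be exercised offline.

/**
 * Scheme of the current request. Direct TLS sets $_SERVER['HTTPS'] to a
 * non-empty value other than "off". Behind a TLS-terminating proxy the
 * proxy's X-Forwarded-Proto header must be consulted, but ONLY when the
 * request actually came from that proxy; otherwise an attacker chooses it.
 */
function requestScheme(array $server, array $trustedProxies = []): string
{
    $https = (string) ($server['HTTPS'] ?? '');
    if ($https !== '' && strtolower($https) !== 'off') {
        return 'https';
    }
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        // Header may carry a comma-separated chain; the first entry is the client-facing hop.
        $proto = strtolower(trim(explode(',', (string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''))[0]));
        if ($proto === 'https') {
            return 'https';
        }
    }
    return 'http';
}

abstract class AbstractWidget
{
    // BEFORE (what the ticket described): scheme hard-coded, so an HTTPS
    // store page loaded this over plain HTTP and the browser flagged mixed content.
    // protected $baseUrl = 'http://assets.example.com/widget/';

    // Protocol-relative, the fix the post describes: the browser reuses the
    // scheme of the page that embeds the URL.
    protected $baseUrlRelative = '//assets.example.com/widget/';

    // Explicit scheme taken from the request: identical in the browser, but
    // still correct when the URL leaves the page (emails, APIs, logs).
    public function baseUrl(array $server, array $trustedProxies = []): string
    {
        return requestScheme($server, $trustedProxies) . ':' . $this->baseUrlRelative;
    }
}

final class Widget extends AbstractWidget {}

// Constructed requests.
$direct   = ['HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.5'];
$plain    = ['REMOTE_ADDR' => '203.0.113.5'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$trusted  = ['10.0.0.2'];

$w = new Widget();
echo $w->baseUrl($direct,   $trusted), "\n"; // https://assets.example.com/widget/
echo $w->baseUrl($plain,    $trusted), "\n"; // http://assets.example.com/widget/
echo $w->baseUrl($viaProxy, $trusted), "\n"; // https://assets.example.com/widget/
echo $w->baseUrl($spoofed,  $trusted), "\n"; // http://... header ignored, not from a trusted proxy
```

The last case is the one that bites in practice: a header from an arbitrary client must not be allowed to decide whether links, redirects and cookies are emitted as secure.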

So, that’s one reason I feel like a coding badass.

The other is that, with a nudge from an online acquaintance, I managed to finish my JavaScript assignment in which I have to show the current time in six separate timezones: Houston, London, New York, Seattle, Sydney and Tokyo.

It took me longer than I’d like to admit, but I finally got it to work. The main issue was that I’d accidentally written newTime=newtime.settime(newvalue) instead of just newtime.settime(newvalue). ¯\_(ツ)_/¯ The secondary issue was that my universaltime variable wasn’t going to GMT/UTC, for some reason, which ended up being “Julie, you’re stupid and altering the wrong variable before passing it back.”

Anyhow, my JavaScript assignment is now done and tomorrow night, I can actually study for my midterm on Thursday.

Just six more classes (including Thursday) before I’m done! And then maybe I can return my attention to my game.

No real updates there, although I now have figured out I’m probably just going to end up using bcrypt as my password hashing method. Literally, the only piece of personally-identifiable information I think I want to store that belongs to a user is an email address. No reason for anything else, so I don’t think I need to go all out for security. Still, I did a lot of research and reading and feel a lot more comfortable with what I’m going to be attempting here, at least when it comes to users.

Okay, it’s getting late and I should be up in about 8 hours to work, for eight hours, and then study for the rest of the evening.