Funnel of Love

Greetings All,

We recently dropped Mantis and the use of our own pCal and adopted SugarCRM. This contact management software includes its own bug tracker along with providing all the CRM features one could dream of. It is just easier for us to have everything in one central location (software) then using separate tools. Say hello to the new and rm -rf to the old.

How's the business:
Thanks for asking. We just landed an exciting job for Vaupell, who is a large manufacturing company with offices throughout the US. The branch we are working with specializes in rapid prototyping, stereo lithography and short run production. They also have a full machine shop for mold production. We are building an online quoting application that will allow users to upload .STL CAD/CAM files, select material type, finish and delivery time, then create a PO. Woah, cool right. Well that's not even the half of it. We've just started the database design and will be revealing more about this project in the coming posts.

TechTrax, what is that?
We should have our first articles in TechTrax, an online E-Zine next month, March. Ben, ProjectSkyLine's chief engineer is going to be writing a paper about common web-based application security problems which includes plenty of sample code.

RSVP Mash up:
Our RSVP software aka pRSV aka Project-Contact is nearing prime time. We've recently constructed our postcards that will be used in targeted mailings. We will also be doing a round of Google PPC advertising to coincide with the February release. We are very excited to be launching our first product. Project-Contact has some great features:

• Events created are given a unique URL
• Customization of events via HTML, color changes and company logo
• Events can have multiple sessions allowing users to choose whichever they please
• Event creator can export event data directly into Excel
• Attendees can import the event directly into Google & Yahoo calendars
• Plus a whole lot more
• Project-Contact Homepage

Procedurally Porting To Object Oriented (PPTOO, heh):
We've begun porting all our procedural PHP 4 & 5 code to OOPHP 5. So far we are very happy
with the outcome, which is making the code much more readable and actually creating less overhead in the main files, moving much of the logic to the library or support files.

We've been super busy working with some new clients on some possible great projects. Stay tuned for more!

- psl

Write Software or Die Trying

Open Sores:
ProjectSkyLine supports open source software. While many of the applications we create are closed source we balance those releases with tools and open source libraries to aid developers.

Much of our daily development takes place on the LAMP (Linux – Apache – MySQL – PHP) platform, all of which are open source applications. And all these applications work exceptionally well.

Folks say, “you get what you pay for” and in LAMPs defense its sooooo true. We get software that is FREE from bullshit, FREE from show stopping bugs, FREE from limiting EULAs.Open source has it place in all marketplaces and development environments. Thinking back to a story an employee of ProjectSkyLine told once, he recalls being at a Linux Users Group meeting sometime in the late 90's. He asked if RedHat would ever have an IPO. He was laughed at.

Peas in a Pod:
Bugs and software development go together like PB&J. It sucks to hear, we know. Its just the sad reality of dealing with such complex systems. We utilize Mantis, an open source bug tracking database (mySQL) with a browser independent user interface (PHP). Its great. Its relatively lightweight in comparison to Bugzilla and setup is a breeze.

Content management Content schmanagement:
If your a LAMP developer we can be assured at one time or another you have had a client who requests the use of Joomla, or the need for a custom CMS solution. We have too. Simple apps don't always need the entire weight and unnecessary bloat of the CMS frameworks. That's why we developed an open source tool that JUST WORKS. Its smart enough to read into the database your looking to edit and fetch the tables. It allows you to update and remove rows, plus add new content. This amazingly simple tool is called pCMS and we use it. A lot.

Check out our 'Open Source' section for additional info.

Please, support OS or you might get hacked!

- psl

The Real World - SQL Injection

z0mg:
Recently one of ProjectSkyLine's employees found his email address on a list. A list that was sending him junk email (heh). Conveniently at the bottom of the email was a link that allowed him to unsubscribe from the list. After visiting the page to do so he noticed the URL parameters:

http://itsyoursnow.net/index.php?cat=

This code is attempting to load a .php file by whatever name is specified in $POST['cat']... Oh, what a mess.

http://itsyoursnow.net/index.php?cat=../z0mg

Yields:
Warning: main(../z0mg.php): failed to open stream: No such file or directory in /var/www/itsyoursnow.net/htdocs/index.php on line 59

Warning: main(): Failed opening '../z0mg.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/itsyoursnow.net/htdocs/index.php on line 59

Now we cannot go into details about exploiting this site nor did our employee try. But you can clearly see why input validation is a must for web applications. There are plenty of things to try at this point, but we don't condone any of it!


Friends don't let friends code sh*t.

- psl

Tar up, its a code trip!

Yup.

Browser-Compatibility:
When developing web based applications, as we do at ProjectSkyLine, we MUST check our software on different browsers and operating systems. We recenetly got ahold of Muli-IE,
a super useful tool that provides working copies of IE 3.0 -> 6.0. Even though the browsers identify themselves as your most current IE installation, they do behave correctly when rendering web pages. Kudos to the coders at Tredosoft for putting this together.

--; SELECT * FROM ...:
For database driven sites with php & mySQL there are alot of ways to handle state data. For simple sites its easy to pass a variable such as 'act' with a page value when navigating a site.
Such as index.php?act=1 (goes to page 1).

Now, if your taking this data and using it in a SQL Query such as:
'SELECT * FROM content_table WHERE act = ' . $_POST['act'];

..AND you didn't validate that input than you've got a serious problem.
This is called SQL injection, in its simplest form.

A visitor could easily alter the POST data in the URL; index.php?act=ph33rMyHaxorSkillz
If your lucky this would cause your code to halt execution after the failed query, thus displaying a plain white page for the visitor. You don't want this.

A quick fix for this is to validate the input of $_POST['act] against an array of allowed values. For small sites with limited pages, this is recommeneded.

Our sample site has 2 pages:

define(constHomePage, 1);
define(constHomePage, 2);

/* returns valid pages for our site */
function sitePages( )
{
 return array (  constHomePage    => constHomePage,
                 constContactPage => constContactPage
               );
}

/* fetch the value of act from POST data */
$actVal = $_POST['act'];

/* load the array of valid pages */
$vActSet = sitePages( );

if ( !isset($vActSet[$actVal]) )
{
   /* if actVal does not map to a key in this array */
   $actVal = constHomePage;
   /* push the user to the home page */
}

This code will change $actVal to the value of 'constHomePage' if something other than 1 or 2 is passed via the URL. There is no way for a malicious user to circumvent this code.

We will go into much more detail in upcoming entries and also provide a wrapper function for fetching values from $_POST, plus some other tasty code-bits.

- psl

Second wind

Real programmers do real things:
Yup, a 16+ hour day for the pioneers of ProjectSkyLine.

Who doesn't love things that are fast and small? Motorcycles, missiles...png's?! If your a web developer and you need to support IE 6.0, 5.5, etc you have undoubtedly had a run in with
the infamous png-24 problem.

After searching Google and trying various bits of javascript, css and other kludge fixes, we still had not reached a STABLE (Visual Studio was catching IE 5.0 crashes) answer to the png-24 problem for ALL browsers. So we may not be using .png's as much as we'd like too.

A STABLE fix is to use .gif images w/a matte background to match any color of your choice.
Transparencies will also work but we've found small images distort when transparency is added. IE7 fixes this error as well as FireFox and Opera (v9).

Take some source give some improvements:
We designed pCal to help connect ProjectSkyLine's workers across states. Its been invaluable to us. Today we released updates to the pCal package and clarified the installation process.

Another open source project we find of great use is bfExplorer. It enables remote users to connect to our development server and manage files through an easy to use 'explorer-ish' interface. One point of improvement was needed in the file list code however. The application had plenty of space to display full file names but was stopping after 16 characters. Yeah, this makes it a bit difficult when you organize your files. So here's a quick fix for anyone wanting this changed:

Inside /files/config.php change $names_chars from 16 to 30;

Yup, that's it! And now you have your file names...in full!

- psl