Wednesday, August 15, 2007

Skillings & Sons Website Launch

After nearly 3 weeks of programming, graphic design, ajax debugging, a custom gallery and countless trips through iStockPhoto, we are proud to launch Skillings & Sons' corporate website.

This launch marks the culmination of nearly 6 months of joint effort by Ben Sgro (President), Devin Bousquet (Vice President), Diana Melgarego (Finance Director) of ProjectSkyLine LLC and Brandi Coulter (Marketing Manager & website liaison) of Skillings & Sons.

In an ongoing effort to support the online needs of Skillings & Sons, we are providing hosting support in conjunction with Nexcess, and managing a robust online marketing plan with the assistance of Matt VanWager of FindMeFaster.

(Matt will be speaking at SEMNE on Sept 11, check it out if you're around!)

The new Skillings & Sons site exhibits a terrific user-interface (UI) design, fueled by the artistic excellence of Devin Bousquet. The tabbed interface is simple to navigate and user friendly for Skillings' target demographic.

::tech note:: The original tabbed interface used Ajax to load the content, which worked fine. We use CSS to control the mouse-over attributes, and we chose to have the "on" state (the currently loaded page) be represented with a specific color. Since the CSS had to be redrawn and sent along with the Ajax response, we soon found out that you CANNOT do this in IE. Smooth.
We removed this feature and went with something that worked cross-browser. We'll get into more of the technical aspects of this at a later date.

The site also sports a "search" ability, which is powered by MySQL fulltext indexing. It works well, but will be receiving a tune-up in the approaching days.

ProjectSkyLine built ajax drop down menus to highlight (and hide) specific data. In conjunction with the scriptaculous javascript library, we've added fluid motion to the drop down of these menus. We've also used the scriptaculous library to selectively highlight important messages within the site. In keeping with a smooth and memorable user experience, we are using cookies to keep track of the state of the drop down menus. Meaning, when a user navigates away from a page and then returns, the drop down is in the same state as they left it. Terrrrrrrific!

Another thing we learned while building our custom image gallery (powered by scriptaculous and Ajax) is that IE on VISTA (NOT XP) does not allow you to rewrite a cookie multiple times without a page refresh. Sheesh.

::tech note:: Our original image gallery design was supposed to be modular enough that it could be both 1) used again and 2) released as open source. To maintain state (if the user leaves and then returns) we used cookies. However, we soon found out IE7 on Vista doesn't allow cookies to be written more than once. On IE7-XP & FF-XP & FF-Vista this technique worked. So, what's the reason ...? We checked and altered the browser security settings to see if that affected it, adding our development server to the list of "ok" sites, and lowering security to exploit-enticing levels. heh. Nothing. So, we rolled back the code to use sessions instead of cookies. Those HAD to work. And they did. For those that are interested, the source to the gallery will be made open shortly.

Skillings & Sons is full of other subtle design features that make it clear why ProjectSkyLine LLC is moving on up and setting some triumphant trends.

- psl


Wednesday, August 1, 2007

ProjectSkyLine deploys Halftime Magazine & matching Website

Yup, it's true! Our magazine creator, Brian Cain, has been working tirelessly with Devin, ProjectSkyLine's creative director, in preparation for Half/Time Magazine's 4th release.
For those of you who are not familiar with Half/Time Magazine, read on:

H/T Magazine is an independently published and voluntarily fueled magazine of uplifting stories, inspirational artwork and candid interviews. Check out the sample chapter.
We'd like to commend Devin on a job well done!

In other news, we've begun work on a complete revamp of Lease2Buy.com. This website held a #1 position on google for lease 2 buy and rent to own homes. However, Rob, the owner, really wanted to spruce up the visitor's experience. Devin has constructed a new logo, new layout, new buttons, new typography..hell, nothing is really left except the content..and we've even improved that! Stay tuned for the launch later this month!

We're approaching our release date for the Skillings & Sons new website. We've been working hard on this and will present a detailed case study with the release.

We've also added a new employee, Chris Lyght, a part-time web developer. Chris brings experience in graphic design, programming and sales. We look forward to seeing Chris's work on Lease2Buy, as he is the lead programmer on this project.

More to come, more to come.

- psl


Friday, June 29, 2007

Joomla, XSS and Obfuscated Code

Hello again,

Yesterday, our chief engineer Ben came across an interesting backdoor php script that a friend on irc was talking about. He was studying the joomla source, prior to implementation, and found that tons of joomla sites had been owned with an XSS used to load the r57shell php script.

We've included a copy of the script here for educational purposes: http://www.projectskyline.com/phplist/r57shell.txt

Ben went and posted this information to the NYPHPlist to provide fellow developers an insight into the tools crackers are using against us.

A member of the PHPList pointed out that the script has some backdoor, author alerting features: http://seclists.org/fulldisclosure/2006/Sep/0083.html

Ben decided to base64_decode( ) the obfuscated variables and see what kinds of programs the shellscript was building and executing.

The first section of code is that of the author alert...this provides the author with the IP of the owned machine.

Ben then went ahead and decoded the programs...a link to them is here:
http://www.projectskyline.com/phplist/test.php
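The decoding step described above, as an added example that is not part of the original post or the r57shell script: a small PHP routine that pulls every base64 literal passed to base64_decode() out of a source file, decodes it, and flags decoded text that calls the kind of functions an author-alert needs (mail, sockets, exec). The sample file it scans is constructed here and harmless.

```php
<?php
// Added example, not the post's code: decode base64_decode('...') literals
// found in a PHP source file so a reviewer can read what an obfuscated
// script would build, the way the post describes doing by hand.

/* return every base64 literal passed to base64_decode(), with its decoded text */
function decodeObfuscatedLiterals(string $source): array
{
    $found = [];
    // matches base64_decode("...") / base64_decode('...') with a base64-alphabet body
    $pattern = '/base64_decode\s*\(\s*([\'"])([A-Za-z0-9+\/=\s]+)\1\s*\)/';
    if (preg_match_all($pattern, $source, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $blob = preg_replace('/\s+/', '', $match[2]);
            $decoded = base64_decode($blob, true);   // strict mode: reject non-base64
            if ($decoded === false) {
                continue;
            }
            $found[] = [
                'encoded'    => $blob,
                'decoded'    => $decoded,
                // flag decoded text that names functions an alert/backdoor relies on
                'suspicious' => (bool)preg_match(
                    '/\b(mail|fsockopen|curl_init|exec|system|passthru|shell_exec)\b/',
                    $decoded
                ),
            ];
        }
    }
    return $found;
}

// constructed sample file: one harmless literal, one that decodes to a mail()
// call carrying the visitor's address, mirroring the author-alert the post describes
$sample = '<?php' . "\n"
    . '$greeting = base64_decode("' . base64_encode('hello world') . '");' . "\n"
    . '$x = base64_decode("' . base64_encode('mail($to, "alert", $_SERVER["REMOTE_ADDR"]);') . '");' . "\n"
    . 'eval($x);' . "\n";

foreach (decodeObfuscatedLiterals($sample) as $hit) {
    printf("%s%s\n", $hit['suspicious'] ? '[!] ' : '    ', $hit['decoded']);
}
```

Run it against a real suspect file by replacing $sample with file_get_contents() of that file; nested or split encodings (decode inside decode, chunks joined at runtime) will need a second pass over the decoded output.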

Can't trust those russians!

- psl


Wednesday, May 30, 2007

I'm out for Presidents to represent me.

Greetings,

The ProjectSkyLine executives just returned from an extended stay in the beautiful presidential mountain range of NH. Photos and more are located at flickr.

After a nice hiatus, we are returning full force and moving forward with StoryXchange, our premiere skunk works project. In tandem, we are also delving deeper into the development of WARP2.

Oh, yes, we are also proud to announce our business arrangement with Skillings & Sons, to both create their online presence and manage their online marketing campaign. You can read the press release.

We look forward to a very exciting June!

- psl


Monday, January 15, 2007

Write Software or Die Trying

Open Sores:
ProjectSkyLine supports open source software. While many of the applications we create are closed source, we balance those releases with tools and open source libraries to aid developers.

Much of our daily development takes place on the LAMP (Linux – Apache – MySQL – PHP) platform, all of which are open source applications. And all these applications work exceptionally well.

Folks say, "you get what you pay for" and in LAMP's defense it's sooooo true. We get software that is FREE from bullshit, FREE from show-stopping bugs, FREE from limiting EULAs. Open source has its place in all marketplaces and development environments. Thinking back to a story an employee of ProjectSkyLine told once, he recalls being at a Linux Users Group meeting sometime in the late 90's. He asked if RedHat would ever have an IPO. He was laughed at.

Peas in a Pod:
Bugs and software development go together like PB&J. It sucks to hear, we know. It's just the sad reality of dealing with such complex systems. We utilize Mantis, an open source bug tracking database (mySQL) with a browser independent user interface (PHP). It's great. It's relatively lightweight in comparison to Bugzilla and setup is a breeze.

Content management Content schmanagement:
If you're a LAMP developer we can be assured that at one time or another you have had a client who requests the use of Joomla, or the need for a custom CMS solution. We have too. Simple apps don't always need the entire weight and unnecessary bloat of the CMS frameworks. That's why we developed an open source tool that JUST WORKS. It's smart enough to read the database you're looking to edit and fetch the tables. It allows you to update and remove rows, plus add new content. This amazingly simple tool is called pCMS and we use it. A lot.

Check out our 'Open Source' section for additional info.

Please, support OS or you might get hacked!


- psl


Friday, January 5, 2007

Tar up, its a code trip!

Yup.

Browser-Compatibility:
When developing web based applications, as we do at ProjectSkyLine, we MUST check our software on different browsers and operating systems. We recently got hold of Multi-IE, a super useful tool that provides working copies of IE 3.0 -> 6.0. Even though the browsers identify themselves as your most current IE installation, they do behave correctly when rendering web pages. Kudos to the coders at Tredosoft for putting this together.

--; SELECT * FROM ...:
For database driven sites with php & mySQL there are a lot of ways to handle state data. For simple sites it's easy to pass a variable such as 'act' with a page value when navigating a site, such as index.php?act=1 (goes to page 1).

Now, if you're taking this data and using it in a SQL query such as:
'SELECT * FROM content_table WHERE act = ' . $_POST['act'];

..AND you didn't validate that input, then you've got a serious problem.
This is called SQL injection, in its simplest form.

A visitor could easily alter the POST data in the URL; index.php?act=ph33rMyHaxorSkillz
If you're lucky this would cause your code to halt execution after the failed query, thus displaying a plain white page for the visitor. You don't want this.

A quick fix for this is to validate the input of $_POST['act'] against an array of allowed values. For small sites with limited pages, this is recommended.

Our sample site has 2 pages:

/* constant names must be passed to define() as strings;
   each page gets its own constant */
define('constHomePage', 1);
define('constContactPage', 2);

/* returns valid pages for our site, keyed by page id */
function sitePages( )
{
    return array ( constHomePage    => constHomePage,
                   constContactPage => constContactPage
                 );
}

/* fetch the value of act from POST data (missing -> null) */
$actVal = isset($_POST['act']) ? $_POST['act'] : null;

/* load the array of valid pages */
$vActSet = sitePages( );

if ( !isset($vActSet[$actVal]) )
{
    /* if actVal does not map to a key in this array,
       push the user to the home page */
    $actVal = constHomePage;
}

This code will change $actVal to the value of 'constHomePage' if something other than 1 or 2 is passed via the URL. There is no way for a malicious user to circumvent this code.
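The same allow-list idea, as an added example that is not the post's own code: the check is wrapped in a function that accepts either $_GET or $_POST, rejects anything that is not a plain integer before the lookup (strings, floats, arrays from act[]=1), and the query is shown bound through a mysqli prepared statement rather than concatenated. The table content_table and its integer column act are assumed from the post's query; the database connection is left to the caller.

```php
<?php
// Added example, not the original post's code: the allow-list check from the
// post wrapped in a reusable function, beside a parameterised query. The
// table `content_table` and its integer column `act` are assumed, as in the
// post's query; the mysqli connection is left to the caller.

define('constHomePage', 1);
define('constContactPage', 2);

/* returns valid pages for our site, keyed by page id */
function sitePages(): array
{
    return [constHomePage => constHomePage, constContactPage => constContactPage];
}

/* resolve 'act' from request data ($_GET or $_POST); anything that is not
   exactly one of the allowed page ids falls back to the home page */
function pageFromRequest(array $request): int
{
    $raw = $request['act'] ?? null;
    if (!is_int($raw) && !is_string($raw)) {
        return constHomePage;                 // missing, or an array like act[]=1
    }
    if (!preg_match('/^[0-9]+$/', (string)$raw)) {
        return constHomePage;                 // "ph33rMyHaxorSkillz", "1 OR 1=1", "1.0"
    }
    $act = (int)$raw;
    return array_key_exists($act, sitePages()) ? $act : constHomePage;
}

/* even with a validated integer, bind the value rather than concatenating it,
   so the query text never depends on user input at all */
function loadContent(mysqli $db, int $act): ?array
{
    $stmt = $db->prepare('SELECT * FROM content_table WHERE act = ?');
    $stmt->bind_param('i', $act);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// constructed request inputs: only the first resolves to a page other than home
foreach (['2', 'ph33rMyHaxorSkillz', '1 OR 1=1', ['2'], '99'] as $input) {
    $label = is_array($input) ? 'act[]=2' : $input;
    printf("%-22s -> page %d\n", $label, pageFromRequest(['act' => $input]));
}
```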

We will go into much more detail in upcoming entries and also provide a wrapper function for fetching values from $_POST, plus some other tasty code-bits.

- psl



Saturday, December 30, 2006

We've moved!

Welcome:
To a new blog that is. After fixing a few bugs in bBlog (php driven) we decided we needed something a bit more secure and hosted on our live server, not the development server.

So we've switched.

For those who need access to the old posts' source code, they are here now:
PHP/mySQL connect to a database procedure
PHP/mySQL query a database procedure
PHP/mySQL query database and return one

To whom it may concern:
For those that are new to us, ProjectSkyLine is a stable start up company that writes amazing and intelligent software. We can't possibly define 'software' without boring you to tears, so read up on its breadth at wikipedia.

Count up 'till now:
We've been very busy the last 3 months with all that encompasses a start up. Besides breathing life into PSL, our clients' workload is immense.

Software:
We've recently released our very own pCal, which was an application written by Ben, our Chief Engineer, for tracking tasks and to-dos across the company. FYI, ProjectSkyLine has offices in both New York and New Hampshire, so you can imagine minor details can fall through the cracks. But not anymore!

pCal is released as open source. We will continue to provide updates and bug fixes, so check the site often. We encourage those that find it useful to drop us a line, comments or complaints welcome.

Soon to arrive:
Our next software release is that of pRSV, which was designed for our client HHC Marketing of NY. HHC Marketing promotes NY's hottest Broadway shows and off-Broadway events. They needed an application for clients to RSVP to events hosted by HHC. Our pRSV software takes care of creating the events, tracking the users' RSVPs, sending email reminders and even allows client data to be exported directly into excel or openoffice...very useful to HHC when constructing the final guest list.

Visit our products page to see more about the upcoming release.

- psl
