Drag Dropping a Helper (or something else) with jQuery UI

May 17, 2013 — JaZahn

I was having issues using jquery UI’s draggable and dropping something other than what I was dragging into a sortable. So this example, but dropping something else.

Originally I was trying to do it with Helpers. Helpers are nice, but limited in functionality and you cannot get the draggable helper element from the sortable. The right way seems to be to append / create the element within the dom once it’s been dropped. So create an element template and drop it in on the sortable’s update event.

Here is a jsfiddle with my solution.

Highlight:

var textItem = 'Text that is droppped';
var imgItem = 'Image that is dropped';

$(document).ready(function(){
	$('#sortable').sortable({
		revert: true,
		update: function(event, ui){
			if($(ui.item).hasClass('mysortable')){
			    // we don't add one if we're sorting a pre-existing item	
			} else {
				$(ui.item).removeClass('ui-state-highlight');
				$(ui.item).addClass('mysortable');
				
				if($(ui.item).hasClass('textDrag')){
					$(ui.item).html(textItem);					
				}
				if($(ui.item).hasClass('imgDrag')){
					$(ui.item).html(imgItem);					
				}
			}
		}
	});
	$('.draggable').draggable({
        connectToSortable: "#sortable",
        helper: "clone",
        revert: "invalid"
	});
	
});
Posted in ATG, Flashcards, Javascript, jQuery. Tags: , , , , . No Comments »

Why PHP Tidy didn’t work for me

May 11, 2013 — JaZahn

I have to fit most of my applications within the confines of an LMS that requires everything it gets from my application to be valid XHTML. This causes an issue when displaying code users input or (in this case) 3rd party libraries are whole hog html5.

I don’t want to say you should close your tags, even in html, but you should.

So I’m using wysihtml5 for my wysiwyg needs. I wanted something smaller and cleaner than TinyMCE. What I got was something smaller. The issue created by wysihtml5 was they were doing img tags with document.createElement(‘IMG’) — which by default creates an unclosed void element. Now if you append that void element to an xhtml doctype, the browser will automatically fix it, but if you’re taking the toString of it and throwing it directly into a database, it will stay

So I decided to try and filter the entire app before it got sent to my LMS with PHP Tidy. tidy_repair_string will take a string, some config options and “fix” most validation errors.

echo tidy_repair_string($content,
array(
'output-xhtml'=>true,
'doctype'=>'omit',
'show-body-only'=>true
));

This worked almost perfectly. The only issue was wysihtml5 uses textareas. And the imgs go into the textareas. And that’s a violation of xhtml. So what does Tidy do with that violation? It just strips out the img (it also strips out brs). And there is no config option to stop that from happening. “Don’t correct this validation violation.”

So what am I stuck with?

preg_replace("/(]*)>/", "$1/>", $content);

Lame.

 http://stackoverflow.com/questions/10028…
 http://stackoverflow.com/questions/75395…
 http://stackoverflow.com/questions/70030…

 http://www.php.net/manual/en/tidy.repair…
 http://tidy.sourceforge.net/docs/quickre…

 http://stackoverflow.com/questions/15365…

Posted in Uncategorized. Tags: , , , , , , . No Comments »

OWASP Top 10

April 30, 2013 — JaZahn

Often software developers like to ignore security concerns because it’s a huge time sink. Regardless, it’s a great idea to review the OWASP top 10 every so often to make sure you’re refreshed on what to look out for.

1) Injection
taking parameters directly from the query string into a query
use parameterized queries

2) Broken Authentication and Session Management
sending the sessionID in the query string
store sid in cookie only

3) Cross Site Scripting (XSS)
taking parameters directly from the query string and printing them on the page
all user supplied input sent back to browser needs to be properly escaped

4) Insecure Direct Object References
no checking when query parameters are requesting actions that shouldn’t be allowed by the current user
use indirect object references (don’t use db keys in the view, but rather have an internal mapping to the db keys that would obfuscate them)
Or check authorization on every action

5) Security Misconfiguration
general security issues. default passwords, outputting errors, software (dbms, apps, libs) patches
change default passwords
turn off error outputting / all debugging
be proactive about applying software patches to components

6) Sensitive Data Exposure
encryption (storage and transit)
encrypt “sensitive” data
public key encryption with private key decryption only on the backend

7) Missing Function Leven Access Control
UI showing access to admin functions, functions not checking authentication appropriately, checking authentication on server done without relying on user provided information

8) Cross-Site Request Forgery
– each link and form should include an “unpredictable token” otherwise, you can’t be sure it’s a forged request

9) Using Components with Known Vulnerabilities
– keep up to date on the libs you use

10) Unvalidated Redirects and Forwards
– don’t put part of (or the entire) redirect url in the query string

Posted in Uncategorized. Tags: , , , . No Comments »

Getting Travis-CI to work with a PHP Project

March 21, 2013 — JaZahn

First off, Travis CI is only usable through github. It’s a great service that allows tests to be run before pull requests are merged, helping to ensure code stability. It’s a very new service, and PHP support is in flux. Almost daily information changes. So I fear this will be outdated tomorrow. Regardless, I wanted to get this written down.

The magic all happens in the .travis.yml file. It’s a config file that tells travis what to run. It only has a few sections, but they can be tricky. Here is the example .travis.yml for PHP:

language: php

# list any PHP version you want to test against
php:
  # using major version aliases

  # aliased to 5.2.17
  - 5.2
  # aliased to a recent 5.3.x version
  - 5.3
  # aliased to a recent 5.4.x version
  - 5.4

# optionally specify a list of environments, for example to test different RDBMS
env:
  - DB=mysql
  - DB=pgsql

# execute any number of scripts before the test run, custom env's are available as variables
before_script:
  - if [[ "$DB" == "pgsql" ]]; then psql -c "DROP DATABASE IF EXISTS hello_world_test;" -U postgres; fi
  - if [[ "$DB" == "pgsql" ]]; then psql -c "create database hello_world_test;" -U postgres; fi
  - if [[ "$DB" == "mysql" ]]; then mysql -e "create database IF NOT EXISTS hello_world_test;" -uroot; fi

# omitting "script:" will default to phpunit
# use the $DB env variable to determine the phpunit.xml to use
script: phpunit --configuration phpunit_$DB.xml --coverage-text

# configure notifications (email, IRC, campfire etc)
notifications:
  irc: "irc.freenode.org#travis"

Not included libs

Currently this will not work. Their phpunit is requiring libraries that aren’t included in the vm that’s created. Regardless of if your project is using these libraries:

before_script:
  # everything after this point is needed to just use phpunit
  - pear channel-discover pear.phpunit.de
  - pear install phpunit/PHP_Invoker
  - pear install phpunit/DbUnit
  - pear install phpunit/PHPUnit_Selenium
  - pear install phpunit/PHPUnit_Story

Database usage

I use mysql currently. The problem I hit was you can create users, but you can’t grant them privilages. So you HAVE to use the default root user with no password.

env:
  - DB=mysql

# execute any number of scripts before the test run, custom env's are available as variables
before_script:
  - mysql -e 'CREATE DATABASE `quizmo_dev`;'
  # The following is fine, but travis won't allow granting privilages
  # - mysql -e "CREATE USER 'quizmo_dev'@'localhost' IDENTIFIED BY 'quizmo_dev';"
  # - mysql -e "GRANT ALL PRIVILEGES ON *.* TO 'quizmo_dev'@'localhost' WITH GRANT OPTION;"
  # migrating adds all tables
  - quizmo/protected/yiic migrate --interactive=0

Notifications don’t work

I’m assuming this is something they’ll fix soon. I’m just trying to use email notifications — but it never sends an email.

Posted in Development, Open Source, PHP. Tags: , . No Comments »

Continuous Integration with PHP on Travis CI and Github

March 21, 2013 — JaZahn

People on high have been preaching the wonder of continuous integration for a while now. It’s been all about Jenkins forever. Jenkins is still the #1 choice for most people, but I recently ran into Travis CI and at least short term, this is going to be the solution for our shop.

What is Continuous Integration for PHP?

CI to most people involves building and running integration tests. PHP clearly doesn’t build, but good PHP still has unit tests / integration tests / functional tests — so CI for PHP is running those tests before code merges.

What makes Travis CI good?

Probably ease of use. There is no setup of a “travis server”. It’s a service that they run. You hook it to a repo you have access to and set up a config file and it’s good to go.

But this only works with github?

That’s probably the biggest detractor. It’s currently built exclusively for use with github. Which is awesome for github projects, but not every project can be on github. We don’t always have control over where our repos are — and not everyone is an open source person.

Posted in Development, Open Source, PHP. Tags: , , , , , . Comments Off on Continuous Integration with PHP on Travis CI and Github »

Feature Branches with Code Reviews

February 26, 2013 — JaZahn

We have been trying to find a process for doing code reviews for a little while. Because most of our current projects are in github, it made sense to try and use some of the github features to help in this process.

I have been using issues for stories and milestones for sprints for a while. And it works out nicely because I get a pretty neat gamificationy results.

So I started using a feature branch in order to have the ability to make pull requests on my own project and get a discussion thread before code is merged into the trunk (production).

 https://github.com/Harvard-ATG/Quizmo/pu…

This discussion is a great way to get a reasonable code review before merging code. Right now we’ve decided to only do this for non-trivial changes, but with a very high bar on “trivial”.

Posted in ATG, Development. Tags: , , , , . No Comments »

Forcing Client Involvement Through Production Releases

February 22, 2013 — JaZahn

What I take away from agile is the idea of putting something in front of a client as quickly and as often as possible. Of course things are going to have flaws, and things may be unfinished, but having the client see what you’re doing gets a sort of course correction done that doesn’t happen in a vaccuum. People tend to understand this, but they don’t often abide by it.

The problems I’ve seen lately have been in the instance when there is no client directly involved in the process. In that case, a product manager is assigned to take on the role of client, someone who mostly understands what the client wants and basically be their advocate. But the product manager, being an employee and not a client, doesn’t want to risk releasing an incomplete project for fear of how that will look or how the client will react to that. Therefore purposely not involving the client in the only part of the process where the client could give direct feedback — in production.

As long as it’s explained to the client that they are dealing with an alpha, and we welcome feedback on things they feel are necessary, it seems they could be used at that part of the cycle to offer feedback and keep features that will never be used from being added to the project and keep the project from straying too far from something they don’t want.

Posted in Agile, ATG, Development, Quizmo. Tags: , , , , , . No Comments »

Agile Context Switching

January 31, 2013 — JaZahn

I had the pleasure of trying to work on 3 separate agile projects last sprint. I typically get 40-50 story points done in a sprint. I like to take on more than I think I can do to keep myself from letting work expand to fill time. I also had the issue of having to take on another developer’s work. Total, we promised ~80 story points.

Now, when my kid was new and I wasn’t allowed to sleep nights, I was able to cram 70-80 sps into a sprint. But sleep has made that level of productivity very hard.

I was also tasked with working offsite, organizing a community of practice, and trying to learn a very large project through “osmosis”. Which is to say, learn as much as you can without reporting time spent on it.

I have to admit, all of the work is interesting and the clients are all people I personally don’t want to let down. So it’s hard to say “forget project X”. (Which is hard to say generally when there actually is a project X.)

So with many things pulling me in many directions, my completed story points for the sprint was 33. A significant decrease in general productivity.

Context switching needs to be allocated for in sprint planning. Duh?

The trick is how much? Some people say it takes 15-30 min to effectively context switch. That’s part of it. I think the larger part is when you’re focused on one-two items, you can finish things effectively. The more items, the more you end up with partial work. Partial work is the worst time killer. You get 50% into a feature and if you have to stop and start again it magically turns into 30-40% done.

Solution? Don’t switch contexts.

Har har. Work on something to completion before switching contexts. Be strict about it.

Posted in Agile, ATG, Development, Flashcards, Harmony Lab, Quizmo. Tags: , . No Comments »

Flashcard Gamification

January 23, 2013 — JaZahn

With our Flashcard application, I am trying to make gamification a focal point. I want the games to be modular so anyone can create new games and I want games that are multiplayer. Friendly competition within the class would be ideal.

Competition among a scoring system is too antisocial. The score scroll at the end of a game of donkey kong doesn’t make for a lot of interest in this day and age.

I have a couple of ideas.

A “card” game. Each student is dealt the same 5 cards from a “deck”. They see only one side of the 5 cards. The reverse of one of those cards is displayed and the first student to select the correct card gets a point. That card is then replaced with a new one. Having them both have the same cards takes any chance out of the game. It is time based, which means it is reliant on students being on at the same time.

So a variation of the previous could be one student plays and waits for the other student to play and they don’t lose a point unless they get it wrong. Players could be matched based on how much they’ve studied.

But is that fun? I think after a while, most people would just get bored of it.

Word games on phones are quite popular, but they’re all just variations of word scrambles, word finds, or crosswords. These are simple and not very applicable to a flashcard framework.

I stopped writing this and don’t have the motivation to continue, so I’m just going to post what I have.

Posted in ATG, Flashcards, Gamification, Trends. Tags: . No Comments »

Making Money With MOOCs

January 11, 2013 — Michael D. Hilborn

The New York Times continues to explore MOOCs, this time with an article about how MOOCs, particularly those run by companies like Coursera and Udacity, have yet to become a lucrative business. Although millions of students have enrolled in classes and although millions of dollars have been invested in MOOCs, a stable and profitable business model for offering free, online courses has yet to be established. The current, most promising model involves licensing course content or entire courses to other Universities so that they can fulfill their online desires. Additional ideas abound, including charging small fees for certificates of completion, for more advanced courses or follow-up courses,  or for one-on-one instruction. And, of course, there’s always the possibility of  incorporating advertising.

To me, it’s interesting that these online companies are insistent that their courses remain free, and that they believe the bulk of their revenue stream will come from licensing models as opposed to charging for courses outright. I admire their desire to have free content online, but that seems at odds with traditional education, which requires steep tuition fees. It’s also at odds with extended schooling; all night schools that I have known charge for admission. So I don’t see the harm in Coursera or Udacity taking the approach of offering some courses for free, but then asking $0.99 for other courses. With hundreds of thousands of students per course, that’s a lot of money trickling in. And with some online courses costing Universities over $50,000 to create, that money needs to come from somewhere.

 

 

Posted in MOOCs. No Comments »
« Older posts «
Newer posts » »