Yay I got a Zeitgeist ........ whatever the hell one of them is .... personally I call it a search cloud, it's far easier to spell In the true spirit of OpenSourceSoftware I stole the idea off Whoo and decided to see how easy it would be to create a b₂evolution plugin that did the same thing. It's probably taken me longer to write this post than it took to code it

How does it work ?

It's pretty simple really, the plugin scurries through your hitlog and finds all of the hits that have been flagged as coming from a search engine. It takes all these hits and meanders off to count them, grabs a beer and a smoke and then ambles back with a cloud ready to be slapped on your blog. If it's enabled then you should see a cloud below the first post on the first page of my blog, the font-size indicates how often that search term was used to find my tacky lil pad

If any of you fancy having a pre-release play with it then you can steal it from here (we've now released version 1.0 of the plugin on Sourceforge ), unzip/upload/install it and then add the following skintag to your skins _main.php

Code:

You can pretty much throw that anywhere in your skins main, even inside your post loop as it defaults to only showing once per page. There's a couple of parameters you can use :

1. blog : spookily enough this is the blog ID that you want to show the cloud for. The default is to use the current blogs id. If you set it to 1 then it will show all hits for all blogs
2. show_once : by setting this to false you can display more than one cloud, the default is to only show once

If you want to play with the styling then just take a root around in the plugins source and you'll see all the classnames it uses, you can even play with the html it produces to bend it to your will. The chances are that most of that bit will become params by the time the release version comes out.

That's pretty much it really. As always if you find any bugs or want to send me the odd million quid then feel free to leave a comment
¥

I finally found the time to finish off the nested comments plugin. If you fancy having a pre-release play with it you can find it here. Please note : it has a known problem - when you preview a comment it "forgets" which comment it's a reply to. This is caused by the fact that the core redirects through htsrv when creating a preview and doesn't pass on the plugins parameter. I'm working on it *solved : zip file update 12^th March*

Unlike most of our plugins this one also involves some code in your skins _feedback.php, not a lot though so don't worry. First find this segment of code and add the new bit :-

PHP:

The next piece of code can go anywhere in the comment loop and will spit out a "reply to this comment" link

PHP:

The final bit of code is just a demonstration of how to use the comment depth to indent your comments

PHP:

And that's pretty much it. The plugin should work in all 1.8.x and 1.9.x versions, let me know if you manage to break it
¥

I finally decided to have a play with nested comments for b2evo, which is something Scott asked me about a fair tad ago and, barring a few bits and bobs, I've now got a plugin that achieves this.

At the moment it's not available for download as it still needs work to add the depth to each of the comments so that they can be styled easily, and I still need to work out what to do with child comments if you decide to delete their parent. The basic choices are to change their parent to the grandparent, remove the parent completely and return them to their date order position, or to delete them along with their parent. Of course the ideal solution would be to offer all three choices and leave it to you to decide when you delete a comment, but I haven't even begun to look into how achievable that would be.

Once I've sorted out all of that I'll make another post and attach the plugin, along with basic instructions for installing and using it.

¥

I've been having a play with our Search Highlight plugin. Mainly to see if it could be easily upgraded to 1.9.x or whether it'd require a rewrite. At the same time I decided to try and make it as 100% a plugin as possible, as the original involved a fair few changes to your skins _main.php, which makes upgrading a tad tougher. I'm happy to say that after a few days of beating my head against the wall that it appears to be finished Obviously it still requires a fair amount of testing but *touch wood* it appears to do what it should with absolutely no skin modifications at all!

If any of you fancy having a play with it then you can find it here. If you find any bugs then feel free to let me know

¥

I don't know about you lot, but one of the things that I dislike about b2evolution is the fact that you have to use absolute urls in your posts. This is great if your blog always remains on the same (sub)domain, but if you ever want to move it then you're screwed! Up until now your only recourse was to either hit the database and change all of the affected urls in your posts or to manually edit each of your affected posts in admin. Not exactly user-friendly and it pretty much goes against the grain of how a website should be coded in the real world.

I've always coded my websites with relative links as it makes them truly "portable" and it's a habbit that I've continued with my blogs by hacking the bbcode plugin to allow me to use http://site/ to point to my blogs $baseurl ..... which worked right up to the moment when I merged two of my blogs that reside on two totally seperate domain names ( InnerVisions and WafflesOn ). Rather than piss about with the bbcode plugin (and have to reapply the hacks on every upgrade) I created a shiny new plugin to cope with my current needs. Basically this plugin adds 3 "special urls" that I can use for my posts to keep my links as relative as possible

http://site/

This gets converted into the posts blog url, so I can now make links relative to the individual blogs folder

http://base/

This gets converted into the $baseurl, so now I can make links relative to my install folder, which in my case is the same folder, but on a less trick install these could be different.

http://media/

Spookily enough, this gets converted into $media_url, just to make it a smidge simpler for me to move my media folder if ever the occasion arises.

Hopefully a certain unamed yank will get the time before the next ice-age to do a full write-up on AstonishMe, but if you want to have a play with this plugin in the meantime then you can find it here. You can't help but notice that I've dumped it in my media folder in a demonstative kind of way

Have fun
¥

XSS is one of those geeky terms that you see floating round the net, usually accompanied by some innocuous example where they point you at a link to a 3^rd party website and make a javascript alert() pop up saying 'XSS!'....... not very impressive huh? I mean, what use is a simple alert()? It couldn't possibly harm your website right?

WRONG!!!!! That innocuous little box is one of the worst thing that you could see on your site, especially if you have any form of membership, customers or database. If you see that then it means that you've just unlocked your door and left it wide open. It means that you've just failed misserably at the most basic rules of coding. NEVER TRUST INPUT and NEVER OUTPUT UNSANITISED INPUT

Now we all know, or we should all know, that you should never just shove information straight from $_GET/POST into a database ... hell, it's one of the quickest ways to unlock your database to the world, you might as well just put your connection details on your front page in <h1> tags. The very least you should do is escape the string, but that really isn't enough. Every single piece of data that your website uses should be verified against the type and contents that it allows. If you're asking for an ID make sure it's a number (sounds obvious, but you'd be amazed). Asking for a date? Either make sure she's hot or check the input is actually a date huh? A string? Only allow the characters you expect (and still escape it ). However, you shouldn't just be doing this if you're going to shove the data into a database, you should always do it, even if you're only echoing the values to the screen

Still unsure what that little box means? How about if instead of the box popping up the link called a malicious javascript file? What could happen then? For starters all of your cookies are available to the javascript, so if you're daft enough to store a username/password in them then it's just been hijacked, and if you're the admin that means the code now knows your login for the site and it's VERY simple for it to “call home” and pass these details on. Or it could incorporate a keylogger and watch everything you do ... pretty scary if you're entering your credit card details huh?

“ Yeah, but I never store the actual details in the cookies, I encrypt them! ” ..... that's really great ..... unfortunately as far as your code is concerned the javascript is your user and can easily make requests on that users behalf, either with something as simple as an image call or full blown ajax requests .... either way you're still screwed.

“ Yeah, but it only happens to crap coders who write shitty little websites that no one will use right? ” ..... urm, guess again ..... I spent the the last few days trawling round the web reading up on this and eventually ended up on this thread on sla.ckers.org which has a list full of some of the biggest names on the web, including several .gov websites! At the time the thread was 34 pages long and growing daily.

“ Yeah, but I filter out javascript from all inputs! ” ..... excellent ..... so did myspace.com and they got brought to their knees by the Sammy worm which was written in javascript.

Now, the boys at b2evolution are pretty hot when it comes to sanitising input and output, but that only works if you use their functions ( param() is there for a reason ) and if you code a plugin/hack that doesn't use them then you really need to make damn sure that you do your own checks/sanitisation. This is especially true if you're going to make your plugin a public release because then it's not just your blog that you've unlocked the door of, it's every blog that installs your plugin/hack.

If you want to read more about this then try some of the following links, there's a good deal of information about this and other security problems, including ways of blocking these holes :-
Full Disclosure - sla.ckers.org (highly recomended if you like horror stories)
PHP and Web Application Security - shiflett.org
Nitesh Dhanjani - dhanjani.com
PHP: Security - Manual - php.net

The moral of this story is very simple “ In God you trust ... just sanitise His input first ”

If anyone from sla.ckers.org happens to read this post, I'd like to thank you for your full disclosure forum. It certainly was an eyeopener!

¥