asemisldkfj
the law is no protection
I had this up and running on thehomerow for a while but lost interest in having a blog. today I got bored and decided I should share the code, so it is up here:
http://www.planetsareplaces.com
let me know if you have any questions or anything. and also let me know if you notice I missed anything when I was cleaning out the site-specific pieces of code :).
i can has white hat or black hat?
asemisldkfj
the law is no protection
uh oh…
don't worry. :)
asemisldkfj
the law is no protection
I thought you found something!
nah, but i'll probably look over the code.
it's awesome that you used the openbsd variant of the bsdl.
i use it too. :D
bah! at the mac carriage returns. luckily vim is smart.
more to come---
asemisldkfj
the law is no protection
I know, I looked at ttf's code while I was doing this :).
are there carriage returns in the code?
asemisldkfj
the law is no protection
also, I am glad and appreciative that you are looking it over, lucas!
i hoped that you had used my (albeit unlicensed) image resizing code.
asemisldkfj
the law is no protection
I probably used it as a reference at least.
it looks like sql injection attacks are possible, but luckily (a) only with SELECT queries, and (b) there isn't any sensitive data in the database.
also, you create way too many connections to mysql. you should at least be using require_once() instead of require() for lines like this:
require("$ROOT/common/db_connect.inc.php");
and you might want to consider using a pconnect in ~/common/db_connect.inc.php .
but overall, it looks like decent software (with room for improvement, as with virtually all software).
asemisldkfj
the law is no protection
any examples of where injection is possible?
from what I've read of pconnect, it seems like that would create more of a load on the mysql server. what would the benefits of using it be?
> any examples of where injection is possible?
~/blog.php, lines 23-4.
> from what I've read of pconnect, it seems like that would create more of a load on the mysql server. what would the benefits of using it be?
you might be right, i don't know much about it. i just know that pconnect was designed for subsequent requests (e.g., one visitor executes many pages within a short amount of time, or many visitors execute the same page within a short amount of time).
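An added example, not part of the thread and not the code from blog.php: the kind of SELECT injection mentioned above, next to a bound-parameter version. The `posts` table, its `published` column, the function names and the sample input are all assumptions, and in-memory SQLite through PDO stands in for the MySQL database so the script runs offline.

```php
<?php
// Added example: constructed schema and data, not taken from blog.php.
// SQLite in memory stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO posts (id, title, published)
           VALUES (1, 'hello world', 1), (2, 'unfinished draft', 0)");

// Before: the request value is pasted into the SQL text, so it can
// rewrite the WHERE clause of the SELECT.
function get_posts_unsafe(PDO $db, string $id): array {
    $sql = "SELECT id, title FROM posts WHERE published = 1 AND id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the value must parse as an integer and is bound as a parameter,
// so it is only ever compared against the id column.
function get_posts_safe(PDO $db, string $id): array {
    $int_id = filter_var($id, FILTER_VALIDATE_INT);
    if ($int_id === false) {
        return [];                       // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE published = 1 AND id = :id');
    $stmt->bindValue(':id', $int_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = '1 OR 1=1';                     // constructed stand-in for $_GET['id']

// The unsafe query ignores the published filter and returns the draft as well.
printf("unsafe, tampered id: %d rows\n", count(get_posts_unsafe($db, $input)));
printf("safe, tampered id:   %d rows\n", count(get_posts_safe($db, $input)));
printf("safe, id 1:          %d rows\n", count(get_posts_safe($db, '1')));
```

The same pattern carries over to MySQL with PDO or mysqli prepared statements; only the connection line changes.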
asemisldkfj
the law is no protection
I'm tweaking this a bit right now and have a question for lucas and whoever else has developed web apps. how do you handle web administration? does it even exist for ttf? can you do stuff like edit posts or delete posts via the web as an admin? have you ever made software that does this?
here's the problem: code replication. so I have the main public page for my blog, and I get the html and php for that all nice and clean. but oh wait, literally all of that code is replicated in the admin page, and then stuff like edit and delete buttons are added. how can I avoid this?
asemisldkfj
the law is no protection
check it out!
updates page works too, but I might change the name of it to "home" or something and just have the update feed thing be one aspect of the home page. projects page doesn't exist yet but will have things like my bike on it (inspired by lucas's projects page).
> how do you handle web administration?
for wingedleopard.net/lucas, i have a form that allows me to insert/edit/archive entries.
for wingedleopard.net/lucas/photos, there is this.
for ttf, admins can revise any post (see here). they also have some admin scripts.
> how can I avoid this?
you can use some kind of function like this:
<?php
// one renderer for both views; passing $admin=TRUE appends the edit link
function buss_html($arg_a, $arg_b, $arg_c, $admin=FALSE) {
echo <<<EOF
I CAN BUSS HTML
ALL DAY
boom $arg_a
boom boom $arg_b
EOF;
if ($admin) {
echo <<<EOF
<a href="admin.php?id=$arg_c">edit things</a>
EOF;
}
}
?>
print the user version by running buss_html('ha','ha','ha'). print the admin version by running buss_html('ha','ha','ha', TRUE).
or if you don't want to feed a function an argument, you can use session variables. if an http_auth user is validated, set $_SESSION['admin'] to TRUE. then if it's TRUE, print some admin buttons.
maple
i like large datasets
http://docs.djangoproject.com/en/dev/ref/contrib/admin/
django's admin
been cranking web apps out like crazy lately, from simple cms's to complex systems.
django is pretty much my favorite thing on a computer these days...
and i've also fallen in love with python over the past year or so
maple
i like large datasets
http://images.google.com/images?q=django%20admin -- that's a better link if you just want to see the admin in action
asemisldkfj
the law is no protection
thanks so much for the feedback guys. I'm at work right now but am going to take a closer look at this when I get home this afternoon.
asemisldkfj
the law is no protection
today is the day!
asemisldkfj
the law is no protection
I've been working on this intermittently. nothing major yet. I just tweaked the CSS a little, made it so you could view one post at a time, and cleaned up the code a little (the new code isn't available publicly yet).
http://planetsareplaces.com/blog.php
on the agenda is (some of this is from the planned.txt file in the source download):
- integration of admin functions into the public blog.php file (this will, I think, require form login and cookies, rather than http authentication)
- comments (viewable via javascript probably)
- pagination of posts
- reordering pictures
- (javascript?) confirmation of post/picture/category deletion
- add regular expression pattern matching to actions.php
- possibly migrate to PostgreSQL
- more human-friendly date formatting
asemisldkfj
the law is no protection
a few things I noticed when setting up a development environment in a VM for this tonight:
- for some reason my sql schema does not include the auto_increment part of the id column and I have to manually add it
- apache uses ServerName in httpd.conf to do some weird external redirect shit when you feed it a URL with no trailing slash, so if your hostname is not a fqdn, you better set ServerName to your IP!
- apache being chrooted is annoying
so add the auto_increment switch to the schema
asemisldkfj
the law is no protection
I will. just weird that it's not in there to begin with. must have been something wrong with my dump command.
you gotta do extra things to get keys and auto_increments, i think
--opt should get you auto-increment values. read this.
nny
M̮͈̣̙̰̝̃̿̎̍ͬa͉̭̥͓ț̘ͯ̈́t̬̻͖̰̞͎ͤ̇ ̈̚J̹͎̿̾ȏ̞̫͈y̭̺ͭc̦̹̟̦̭̫͊̿ͩeͥ̌̾̓ͨ
I tried using think tank forums as a blog for a bit. I ended up going back to wordpress. I still don't ever update it.
www.music-piracy.com in case you are interested in seeing my quarterly updates.
asemisldkfj
the law is no protection
thanks for the link, lucas.
I am struggling with the layout of my site right now. part of me thinks I only need one page to accomplish what I want to. however, I want to have something similar to lucas's projects page. I could just create blog categories/topics for each project instead of having a separate page, but I feel like fairly static projects like my openbsd router/firewall would just get buried in a blog compared to the prominence of being featured on a projects page.
I also don't want the front page to be too busy either, but I want pretty links to my facebook, twitter, and last.fm pages like I have now (twitter is missing, but will be there eventually). and I want to make a header of sorts using the ship.jpg image I have in the bottom-right right now. having the header and no navigation bar might be attractive, but I think I want to keep separate pages.
with a navigation bar, I question what I should have it link to (i.e., what should the index of the site be?). I could have it be a page with my facebook, twitter, and last.fm links, and a quotation like I have now. I think I'd like to get rid of the idea of an updates feed, but without that I don't know how likely someone would be to click on 'blog' to see if I've updated it lately. I could have something like "last blog post: whatever" and make it a link to the post or "last project update: blah" and have it link to that project.
hmm. thoughts?
i'll get back to you.
asemisldkfj
the law is no protection
haha, ok.
> but I feel like fairly static projects [...] would just get buried in a blog compared to the prominence of being featured on a projects page.
just make sure you link to the projects/categories and give them prominence in that manner.
i don't really have thoughts on the rest. just play with it and eventually you'll find something that works for you and your visitors.
asemisldkfj
the law is no protection
yeah, I think I might end up with a setup like yours. I might also have a separate section for quotations.
asemisldkfj
the law is no protection
I think I'm going to go through the code of my software and make it more generic, so it's possible to use it as a CMS for pretty much anything. I was thinking about it, and every page I have thought of that I want my site to have is pretty much the same thing.
blog can be posts with various topics, projects can be project updates with various project names, and quotes can be various quotes with author names.
or something.
asemisldkfj
the law is no protection
I started implementing session support tonight. first step to integrating admin functions into the main php file. I might ditch picture support because it's a pain in the ass, adds a lot of code, and I never use it. especially if I set up a separate photo section for my site. who needs pictures in blog posts anyway.
asemisldkfj
the law is no protection
Sending blog.php
Adding login.php
Adding logout.php
Transmitting file data ...
Committed revision 4.
:)
asemisldkfj
the law is no protection
new version of this soon. perhaps 1.0? or maybe just a beta or something. I've been doing a lot of work on it. no more pictures attached to posts, but I'll probably re-use a lot of that code to do photo software.
just a heads up!
asemisldkfj
the law is no protection
man, pagination just added like two kilobytes to blog.php. killer.
asemisldkfj
the law is no protection
saw your tweet. neato.
asemisldkfj
the law is no protection
next feature for this has to be the ability to update twitter. I want to be able to send tweets with links to photos as well, so bit.ly integration or something for links to the picture filenames or picture page is crucial too. I also really need to add tags to posts. and I want to store data about whether a particular post has been sent to twitter, with a little link to the tweet's page or something.
in the interests of data retention and ownership, I want my blog to be somewhat of an aggregation of what I post elsewhere, so that I am always able to revisit what I have posted previously. twitter doesn't make reading all your old tweets very easy.
I kind of want to do this for facebook too.
asemisldkfj
the law is no protection
live and tarred up for download. try to break it.