Yohanes Mario [dot] com

my online scrapbook of scrambled thoughts

It took me one night to realize that the session validation in my admin page wasn't secure at all. When a user logs in, the user database is queried with the username and password he enters. Based on what the database returns, some session variables are registered. After the session registration, the user is redirected to main.php, which checks whether a session is registered every time the user accesses that page.

Well, you can see that I created two fatal vulnerabilities. First of all, I didn't validate the input the user gives; in short, an attacker can use SQL injection to access the database. Second of all, on the main page I only checked whether a session was registered or not, but I didn't check whether the session held a valid value.

Finally, after a long night of working in front of my laptop, I resolved the problems. I use preg_match() to validate the user inputs, and instead of checking whether a session is registered or not, I check whether the session variables hold valid values.

Well, if you don't want to get hacked, keep in mind that no input can be trusted. Not even sessions.
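The two fixes described above, as an added example rather than the blog's own code: the vulnerable login next to a hardened one, and the check main.php should run on the session values. It assumes a PDO connection `$pdo` and a `users` table with columns `id`, `username`, `password_hash` and `role`.

```php
<?php
// Added example (not the blog's own code). Assumes a PDO connection $pdo and a table
// `users` with columns `id`, `username`, `password_hash` and `role`.
session_start();

// The pattern the post describes: raw input concatenated into the query, and a
// session flag that main.php only tests for existence.
function login_vulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username' AND password = '$password'";
    $row = $pdo->query($sql)->fetch();  // a stray quote in either field rewrites the query
    if ($row) {
        $_SESSION['logged_in'] = true;  // any registered session passes the old check
        return true;
    }
    return false;
}

// Hardened version: input whitelist, prepared statement, password_verify() and
// session values that main.php can actually validate.
function login_secure(PDO $pdo, string $username, string $password): bool
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {  // the post's preg_match() step
        return false;
    }
    $stmt = $pdo->prepare('SELECT id, password_hash, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);  // fresh session id after login (against fixation)
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['role']    = $row['role'];
    return true;
}

// What main.php should check: not "is a session registered?" but "do its values
// still identify an authorised user in the database?"
function require_admin(PDO $pdo): void
{
    $uid = $_SESSION['user_id'] ?? null;
    $ok  = false;
    if (is_int($uid) && ($_SESSION['role'] ?? '') === 'admin') {
        $stmt = $pdo->prepare('SELECT 1 FROM users WHERE id = ? AND role = ?');
        $stmt->execute([$uid, 'admin']);
        $ok = (bool) $stmt->fetchColumn();
    }
    if (!$ok) {
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}
```

main.php calls `require_admin($pdo)` before rendering anything, so a session that merely exists, or one whose values no longer match the database, is rejected.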

Happy blogging!

Posted in Blog by Yohanes Mario Chandra, 0 Comments

When I was making this blog for the first time, it never crossed my mind that I'd be building a new kind of CMS. However, over time, I realized that all of this effort would be worthless if I kept it to myself. The CMS would also be worthless if it could only be used by a certain class of people (in this case, people who can express themselves through writing).

After thinking about it over and over again, I decided that I would make a feature plan for this blog. The most important thing of all is the way users interact with the blog. The web would be ideal if you could feel it with all of your senses: hearing, sight, touch, taste, smell. However, let's focus first on two of our main senses: hearing and sight. With the future version of this blog, you will be able to let anyone hear and see you. You will be able to hold an orchestra, a live concert, a live painting tutorial, a live handwriting tutorial, a solo piano concert, or a full 3D first-person shooter battle, all happening in your blog through web browsers. Don't worry, you will still be able to post videos, music, or writings in your blog.

Don't get too excited yet, as I've only just started learning HTML 5 and how to integrate JavaScript into it for a rich web experience. However, to make sure that I don't forget that I have plans for this blog when I'm busy doing something else, I'll set a release cycle for this blog. Because I'm a fan of Ubuntu, I'll use the same release cycle as it does, which is once every 6 months. The first release of this blog will be published in August 2011. The next will be in February 2012, and so forth. However, incremental updates (e.g. 1.2, 1.3, etc.) will be published immediately after they're finished. For the first release of this blog (version 1.0-stable) I won't be integrating rich HTML 5 multimedia blogging yet (like orchestra blogging, concert blogging, or paint blogging), because I need to make sure that the most used presentation medium of a blog (writing) is correctly and beautifully implemented. There are still several features that haven't been implemented, or not fully implemented yet, like a WYSIWYG editor, email notification, social media integration, a customizable sidebar, etc. So, version 1.0-stable will be about making another CMS like WordPress, Drupal, Joomla, and so forth. Then, in the following releases, I'll integrate one type of rich HTML 5 multimedia blogging per release. It will be a slow process, since I'm currently doing all of this by myself.

In the meantime, I won't open-source my source code until the first release of this blog. However, if anyone offers to help develop the platform, I'll try to find a way to give them limited access to the code, which won't be happening for a while, at least not for the next two months.

The web is changing; that's not fiction. To contribute or not is your option.
Happy blogging!


I've just got my first spam comment. That's not a big problem for me, since I disabled HTML tags in my comment system, so they can't post a real link in this post, nor malicious JavaScript. It will be a problem in the long run, though, since I'm planning to add email notifications to the comment system.

That's why I immediately added a captcha to the comment system. A captcha is a sequence of characters printed on an image so that only a human can read and interpret it.

To understand how to make one, please visit this site (Indonesian). If you're looking for an English alternative, you can google it. Just type "captcha php".
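A minimal PHP captcha for a comment form, as an added example (not the tutorial the post links to, nor the blog's own code): the code is generated with a CSPRNG, kept only in the session, rendered with GD, and accepted once within a time limit. It assumes the GD extension is installed.

```php
<?php
// Added example, not the blog's own captcha. Requires the GD extension.
session_start();

// Issue a 6-character code, remember it server-side, and return it for rendering.
function captcha_issue(): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';  // no 0/O or 1/I, which are easy to confuse
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_code'] = $code;     // never sent to the client in clear text
    $_SESSION['captcha_time'] = time();
    return $code;
}

// Draw the code on a small PNG with some noise pixels and send it to the browser.
function captcha_render(string $code): void
{
    $img = imagecreatetruecolor(160, 50);
    $bg  = imagecolorallocate($img, 245, 245, 245);
    $fg  = imagecolorallocate($img, 30, 30, 30);
    imagefilledrectangle($img, 0, 0, 159, 49, $bg);
    for ($i = 0; $i < 60; $i++) {
        imagesetpixel($img, random_int(0, 159), random_int(0, 49), $fg);
    }
    imagestring($img, 5, 20, 17, $code, $fg);
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    imagepng($img);
    imagedestroy($img);
}

// Verify the comment form's answer: single use, 10-minute lifetime, constant-time compare.
function captcha_check(string $answer): bool
{
    $code = $_SESSION['captcha_code'] ?? null;
    $time = $_SESSION['captcha_time'] ?? 0;
    unset($_SESSION['captcha_code'], $_SESSION['captcha_time']);  // one attempt per image
    if ($code === null || time() - $time > 600) {
        return false;
    }
    return hash_equals($code, strtoupper(trim($answer)));
}
```

captcha.php serves the image with `captcha_render(captcha_issue());`, and the comment handler rejects the post unless `captcha_check($_POST['captcha'] ?? '')` returns true.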

Let's fight spammers to assure our readers that they are talking to a human, not something else!
Happy blogging!
