
CodeIgniter Community Voice - Lee’s Lost Bet

EllisLab is blessed with two of the greatest communities that can be found anywhere on the internet in ExpressionEngine and more recently CodeIgniter.  Despite being a relative newcomer to the scene, the people attracted to CodeIgniter are among the smartest, most talented and down-to-earth developers around today.  From time to time we want to highlight some of these talented people, and we’ve asked them to lend their voice to ours.  Have your voice.  I hope you enjoy what they have to say as much as I did.

This week, our Community Voice author is Lee Tengum, who discusses how CodeIgniter has cost him over $8,800 in beer and soft drinks. Lee is a bit of a serial entrepreneur, with 5 successful startups under his belt including the recently launched http://cleverandy.com.  He has become something of a cookie jar of startup knowledge. When he is not managing his team of contractors he blogs about the trials and tribulations of his startups at http://tumbledry.ca.


It all started with an idea at 4 a.m. on a Tuesday morning that brought us to CodeIgniter.
We were neck deep in a deadline and sinking fast. We knew we needed help.
After pulling some strings that bought some time we quit work for a week - well, client work at least. There were our own issues to solve.

We had amassed a team of roughly 14 at this point and had no way to efficiently manage who was doing what for how much and how long; in fact we were often surprised by code submissions.
That’s a sad place to be.

We had been building in the ‘flavor of the weak’ when it came to frameworks and often chose whatever the contractor was fluent in to save time (which != saved money).

Not only were we not communicating, but we were reinventing the wheel for every project. Have I mentioned how sad of a place that is to be?

Back to 4 a.m.

Doug is one of my closest friends, and a trusted peer. He suggested we should develop a contractor management system and that we should build it all on CodeIgniter. At this time I hadn’t seen sleep in nearly a day, consumed almost seven liters of coffee, the “development tub” was empty and we were trying to finish a RoR project that a contractor bailed on. I didn’t want to hear about another &^%in framework, I just wanted this to be done.

Thankfully my friend couldn’t understand the word “no” and kept pressing. He went on about how anyone with knowledge of PHP can build with this, its development cycle and the community that was forming around it. I still wasn’t convinced but he assured me this would be the last time we changed frameworks and proposed a friendly bet.

I hate that I love gambling. I don’t have a problem, per se, but I always lose. The problem is that my pride drives me to bet anyway. Besides, I relished the opportunity to prove him wrong.

So the bet was laid. We would build the contractor management system in CI and all client projects for one month with CI. At the end of that month, if I wanted to go back to another framework and could justify it rationally with solid points, then he would keep the Development Tub full for a full year (a cost of roughly $100/week). If we stayed with CodeIgniter I would be the one stocking the tub for the next year, and I would also have to accept his offer to buy into my company and become a partner.

On Wednesday morning we filled the tub (again not a problem… really) and set out to build our app. We outlined what we wanted, mapped it out on the whiteboard, set up a Basecamp project for it, defined our milestones and set Saturday as launch day.

The tub… The tub… again

Beer? Check.
Monster energy drinks? Check.
Coffee? Check.
M&M Peanuts? Check.
Babysitter? Check. (We’re parents…) 
Pizza? Maybe.
Basecamp set up? Check.
SVN Server? Check.

While I depleted the tub and read the user guide, Doug was getting down to business. By the time I’d figured out how I was going to tackle my portion of the build he’d built the user authentication as well as the management section. Doug was already adding features to our “Wish List” in Basecamp and checking off milestones. Roughly 9 hrs into our project we started completing items on the wish list, which had never happened before. The wish list had never become a checklist before a deadline and I was starting to worry.

In the wee hours of Thursday morning we headed home to sleep. The following day we sent login details to our contractors and set up a Basecamp project to log bugs. We fixed the stupid little ones that we missed and made changes on the fly. By the end of the day I had a huge overview of our team of contractors and a vision of things to come. I never did see the 48 hr Milestone reminder emails from Basecamp… again I was seeing a change.

By the end of the month we had more than a few client sites built on CI. We also had a process for development laid out and the term Rapid Development was taking on meaning with me. I was happy, the clients were happy and we had a team we could manage… and then reality sunk in.

I hate losing, even more so I hate losing to people I like winning against. I lost the bet. Though I gained a valuable business partner, a managed team, profitability and a kick ass framework to build it upon… I am forever filling the tub.

And with ExpressionEngine 2 built on CI (which we are using extensively for client sites now), the tub has gained a lifetime sponsor. Me.

That app was built on 1.4.0 on September 20th 2006 and since then we have revised many things, including our checklist:

Beer? Check.
M&M Peanuts? Check.
Basecamp set up? Check.
SVN Server? Check.

See the difference? We don’t live at the office any more. CodeIgniter gave us the freedom to build around our needs and wants and it gave us the structure we needed to become more efficient. Just don’t bet against CI; it has cost me $8,800 and counting… weekly.



Posted by Derek Allard on July 21, 2008

CodeIgniter Community Chieftain Michael Wales

We’re happy to announce a new program for exceptional members of the CodeIgniter community, CodeIgniter Community Chieftains.  As the community grows, the EllisLab development team often does not have the time that we would like to interact with the community in various ways, but it’s always been a key part of our success.  So as the need arises, we have created this program to help keep the wheels greased so to speak, making sure that our forums, wiki, and bug tracker are handling the needs of the community and are properly moderated.

This is an invitation only program as the aforementioned link explains, and we’re proud to bring Michael Wales on board as our first CodeIgniter Community Chieftain.  Most will need no introduction to Michael as you have likely already encountered him or some of his contributions in the community.  Welcome aboard, Michael!

Posted by Derek Jones on July 17, 2008

CodeIgniter Brazil

Hermes Alves has launched a CodeIgniter resource in Portuguese, located at codeigniter.com.br.  The site includes a discussion forum, mailing-list, and a few other resources.  Kudos Hermes!

Posted by Rick Ellis on July 08, 2008

CodeIgniter Community Voice - Mathew Davies


This week, our Community Voice author is Mathew Davies (AKA Popcorn), author of the Redux Authentication library, a light, easy to use and fully featured auth engine. What follows is a brief discussion of some of the logic and security that went into the library, and considerations for your own programming.


Let me start by saying I love CodeIgniter; it’s a developer’s dream.

Today I plan to talk about some of the security features that are used within my library: Redux Authentication.

Hash Once and Only Once!

Over at TalkPHP someone provided a code snippet which had this code:

$psd = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password']))))))));

I’ve made a similar mistake myself in the past.  Someone on the CodeIgniter forums pointed out that a solution like the above will actually increase the probability of a collision. Here’s what Inparo had to say:

“It’s safer if you only hash it once.  The initial string is random in both length and characters.  The first sha1 gives you a fixed length and reduced character set.  By hashing this again you’re actually increasing the probability of collisions.”

So there you go folks, hash once. This also leads nicely to my next topic, “salts”.

Salts

A lot of people, when hashing passwords, will do something like this:

$password = md5($password);

You may think this is secure, but actually it’s very insecure. Websites exist which store hashes of dictionary words, so if your database was ever stolen, the passwords could be looked up and revealed. This is where the power of the password salt comes in.  Salts come in two varieties: a dynamic salt and a static salt. A dynamic salt is automatically generated and is usually very hard to guess. A good example of a dynamic salt would be:

$salt = microtime();

It’s not totally random, but you get the idea.

You would then concatenate the salt with the password to produce a new hash. This new hash can’t be looked up because of its “randomness”. You would then store it with the other user info and select it when you need to log them in.

I know what you’re thinking: if the database is stolen they’ve got the password hash and the dynamic salt, so “What good is that?!” This is where a static salt comes in.

A static salt is just that, a variable that is random in both length and characters. This is best stored in a configuration file somewhere. You then combine this with the dynamic salt to provide a very secure solution. Reasons being: (a) If the database is stolen, they are missing the static salt; (b) Two passwords the same will result in a different hash. Here’s an example:

$dynamic_salt = microtime();
$static_salt = 'qGPBA8iCM3cUuCbBAQx3E0uOkKTrSeEUiSrAkykEk4sEniyP67Q2BTp8vtDqoqw'; // Grabbed from file.
$password = 'password'; // Password from input form.

$hashed_password = sha1($dynamic_salt.$password.$static_salt); // Super Secure!
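As an added example (not code from Redux Authentication or from the original post), here is the dynamic-plus-static salt scheme just described, written as a create/verify pair. It keeps the post’s sha1(dynamic . password . static) ordering but substitutes a random_bytes() salt for the post’s microtime() example, and the static salt value is a constructed placeholder standing in for one read from a config file.

```php
<?php
// Added example, not Redux Authentication's own code.
// Constructed placeholder: in practice this lives in a config file, not the database.
const STATIC_SALT = 'EXAMPLE-STATIC-SALT-replace-with-your-own';

// Build what goes into the users table: a per-user dynamic salt and the hash of
// dynamic salt . password . static salt, in the order the post uses.
function create_password_record(string $password): array
{
    // Swapped in for the post's microtime(): 16 random bytes as 32 hex chars.
    $dynamic_salt = bin2hex(random_bytes(16));
    $hash = sha1($dynamic_salt . $password . STATIC_SALT);
    return ['dynamic_salt' => $dynamic_salt, 'password_hash' => $hash];
}

// Verify at login: recompute with the stored dynamic salt and the static salt
// from config, and compare in constant time.
function verify_password(string $password, array $record): bool
{
    $candidate = sha1($record['dynamic_salt'] . $password . STATIC_SALT);
    return hash_equals($record['password_hash'], $candidate);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Two users with the same password get different rows (the post's point (b)).
$alice = create_password_record('password');
$bob   = create_password_record('password');
check($alice['password_hash'] !== $bob['password_hash'], 'same password, different hashes');
check(verify_password('password', $alice), 'correct password verifies');
check(!verify_password('Password', $alice), 'wrong password is rejected');

// A stolen row alone is not enough (the post's point (a)): recomputing with a
// guessed static salt does not reproduce the stored hash.
$without_static = sha1($alice['dynamic_salt'] . 'password' . 'guessed-static-salt');
check($without_static !== $alice['password_hash'], 'static salt is required');

echo "all checks passed\n";
```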

Forgotten Password

Oops, the user has forgotten their password. What are we going to do? Michael Wales made a well informed post about this topic a while ago, but it was recently lost.

The best method is to use a secret question and answer system coupled with email verification.

The logic would be something like this:

User requests new password -> Sends email verification code -> Verification code is looked up in the database -> Show secret question -> Check Answers

I prefer this system because a hacker could have gotten into your email account and requested a new password, but would then struggle to get your secret question right, keeping the user’s account secure.

DB Sessions

This will be a quick talk. At the moment Redux stores a “users_id” in the session cookie and uses this to figure out whether the user is logged in or not. A hacker could use the algorithm in CodeIgniter’s session library and craft his own cookie with a fake “user_id”.

Database sessions move this data from the client’s cookie to the database, providing a scenario where the client can’t edit it. Redux doesn’t currently use this, but it is in the works.
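As an added illustration (not from Redux or the original post), these are the session settings in CodeIgniter 1.6’s application/config/config.php that make the switch described above; the weak setting is shown beside the corrected one, and the table name is the user guide’s default.

```php
<?php
// Added example, not Redux's or CodeIgniter's own config file.

// Weak: cookie-only sessions. Everything set via set_userdata(), including a
// stored user id, travels in the client's cookie, which is the scenario the
// post describes.
$config['sess_use_database'] = FALSE;

// Corrected: the cookie carries only the session id, IP, user agent and last
// activity; custom userdata (the user id) is kept in the ci_sessions table,
// which the client cannot edit. The table schema is in the Session class page
// of the user guide and must be created before enabling this.
$config['sess_use_database']    = TRUE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = TRUE;  // session row must match the client IP
$config['sess_match_useragent'] = TRUE;  // and the client user agent
$config['sess_encrypt_cookie']  = TRUE;  // needs $config['encryption_key'] set
```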

Thanks for listening to me babble on, hope you enjoyed it.

PS: All examples above are used in Redux, so go download it.

- Mathew Davies


Posted by Derek Allard on June 30, 2008

CodeIgniter 1.6.3 Maintenance and Security Release

We are happy to release CodeIgniter version 1.6.3 today.  Version 1.6.3 is primarily a maintenance release, with a variety of bug fixes and some refinement to existing features (with a few new ones tossed in for good measure).  Details of course can be found in the Change Log.

Additionally, with the assistance of an outstanding community member, Pascal Kriete (Inparo), we have identified and eliminated a potential cross-site scripting vulnerability.  No known sites have been affected, but as we take security very seriously, we felt it warranted a feature-light point release to help users protect their sites.  We cannot thank Pascal enough for the manner in which he reported this issue to us, and then continuing to diligently work with us to make sure the vulnerability was plugged.  If you’re looking for a fresh set of eyes to do a security audit on your app, he comes highly recommended by the EllisLab staff.

Command line addicts: don’t forget that starting with version 1.6.1, the CodeIgniter subversion contains tagged releases!

Posted by Derek Jones on June 26, 2008
