Author: David

  • NetBeans 6.5 rocks!

    NetBeans 6.5 rocks!

    It seems I’m not the only one who thinks the new PHP support in NetBeans is pretty cool.

    Roumen’s blog points to a post on the zend forums:

    My company bought 3 3-year licenses for Zend Studio earlier this and up until a few weeks ago, there was nothing else on the market that even came close to meeting our requirements. Then Netbeans released 6.5 with PHP support. Right out of the gate, their PHP and JavaScript support is on the whole, so much better and faster than Zend’s product, with so many fewer bugs, that despite the fact that we spent $1000 this year investing in Zend’s product, and I personally have spent time with Zend’s tech support and developers (good guys, very helpful), I am assisting my team in migrating over to use Netbeans for most of our development.

    and a comment from Demian there really hits the nail on the head:

    As a Zend license payer for many years I believe I’m entitled to share my opinion on the emergence of netbeans as an Eclipse and Zend Studio killer, at least as far as PHP support is concerned.

    This is not a superficial “ide war” as suggested above, but probably more a reflection of the fact that PHP developers have had to endure low quality IDEs for years, so the relief felt now that a decent product, netbeans 6.5, has appeared on the market, is tremendous. Netbeans is far more than just decent though, it is clearly head and shoulders above Zend Studio for Eclipse, you only need to watch the videos or use it for 5 minutes to realize.

    The Zend Studio product on the other hand maintained the same bugs in its product for literally years, releasing updates less than once a year, and showing an apparent total lack of interest in responding to the requests of its customers.

    Then with the move to Eclipse customers were burdened with an even slower, more bloated and memory hungry app with possibly thousands of unnecessary configuration options and with an odyssey of undertaking required to get debugging working. I’m not surprised, given the context, that there is a lot of emotion being expressed now that a decent product is finally available.

    For years we had to put up with Zend Studio’s bugs simply because there wasn’t anything better. Now there is.

  • NetBeans 6.5 RC

    NetBeans 6.5 RC

    I first blogged about the PHP support in NetBeans at JavaOne this year. At that stage it was only available as an Early Access release and was a little too buggy for serious use so I always found myself having to switch back to Zend Studio. Since then the development builds have been getting better and better and now there is a NetBeans 6.5 Release Candidate available.

    The improvement in the last few months has been massive and the PHP support has reached a level of maturity such that I have no problems using it as my main IDE. Last week I made heavy use of it on a project at work based on Zend Framework and not once was I forced to switch back to Zend Studio. Code completion and source navigation works great, debugging is integrated nicely with Xdebug (which is much easier to get working than the Zend debugger), plus you get all the other NetBeans goodness like great subversion support and local file history, source highlighting for loads of languages, a nice CSS editor and refactoring support. If I did much JavaScript programming I’m sure I’d be impressed with the JavaScript support, too. It also means I only need one IDE for all my PHP, Java and Grails projects and can take advantage of all the NetBeans plugins available.

    According the to the roadmap, NetBeans 6.5 is due for release on November 18 but if you’re still using Zend Studio or even emacs or vi I strongly recommend downloading it and giving it a go.

  • PHP gets some NetBeans love

    PHP gets some NetBeans love

    I’ve just been to a very interesting BOF by Ludovic Champenois at JavaOne about the new PHP support in NetBeans. The talk was in the context of the new OpenSolaris WebStack so some time was spent on this, including the unique DTrace functionality which looks neat, but I found the NetBeans demo the most interesting.

    NetBeans has great support for Ruby and JavaScript and now PHP is starting to get some of that goodness too. At the moment it is only available as either an Early Access release with just the core PHP stuff or in NetBeans trunk (6.5) but it looks very promising. It has:

    • code completion
    • PHP documentation
    • variable renaming
    • source navigation
    • goto type
    • extensible templates and auto-comments
    • integrated debugging with XDebug

    Sure, you don’t get all the neat refactoring you can have with a statically typed language like Java but even just the variable/method/class renaming is a big help. The code completion is good and the navigation even works over the filesystem in ‘require’ statements. Debugging works just like normal NetBeans debugging including all the usual stuff like call stack, mouse-over variable values, step-in/out, etc. A JMaki plugin brings all that goodness as well.

    It’s still fairly early days but it looks pretty neat and maybe PHP finally has a good open source IDE.

  • Advanced Web Application Security

    Advanced Web Application Security

    This was a popular session. The queue stretched down the hall, out the front door and around the block. It covered the main vulnerabilities bad guys exploit to attack websites. It was a good session given by Joe Walker who also gave the BOF on Comet.

    First up was cross-site request forgery or CSRF. This is basically misusing people’s cookies. For example if a user is logged in to bank.com on one tab and then they visit evilsite.com on another tab it is possible to do something like: <iframe src=”bank.com/transfer?amt=all&dest=dr_evil” />. No JavaScript required. The only real way to prevent CSRF attacks is to include some kind of authentication token in every request that is separate from the cookie, like a hash of the user’s session ID. These tokens shouldn’t be in GET requests as they could cause problems with bookmarks, etc and GET requests should be idempotent. So a hidden POST field is better. You can use the OWASP servlet filter to add these hidden fields.

    He also covered JSON hijacking and the old favourite, XSS. An interesting point was that if your site has an XSS vulnerability that will allow bypassing of any CSRF protections you may have put in place. One of the biggest problems for preventing XSS is that browsers will render any old crap. Basically the web is broken.

  • Using FindBugs in Anger

    Using FindBugs in Anger

    I attended a session by Bill Pugh (although sometimes it seemed more like a TB ward with all the coughing and sneezing going on) about using FindBugs on large code bases. FindBugs is a static analysis tool that analyses your class files without executing the program. Some people don’t think it should be needed but smart programmers still make dumb mistakes and FindBugs can catch these.

    FindBugs can scale to very large code bases; Google has fixed more than 1000 issues discovered by FindBugs. Bill’s talk described ways of using FindBugs on a large project where the number of issues found can be overwhelming. For example, running FindBugs on Eclipse 3.4M2 discovered 36,000 issues. This can be made manageable by using FindBugs filters to filter out:

    • Low priority issues (leaves 26,000)
    • Vulnerability to malicious code (5,000)
    • issues also present in v3.3 (now down to 62 issues)

    The reason the vulnrability to malicious code is filtered as this is mainly for code that will run untrusted code, like the JVM.

    Another key point was to integrate FindBugs into your CI. Hudson has a good plugin that can display historical results and cause FindBugs issues to affect the health of a build. It can also notify who caused the issue.

    Bill gave some typical warnings density of 0.3 – 0.6 medium or high priority warnings per 1000 LOC and about 1 – 4 other potentially relevant warnings per 1000 LOC. But don’t use these numbers to judge whether your project is good or bad!

    To narrow what issues you should be investigating he suggested ignoring the low priority issues. High/medium issues are useful for ranking issues within a pattern but not across patterns, ie, don’t just look at high issues. Each bug has a category, for example, correctness (code seems clearly wrong), security (xss, sql injection), bad practice (violates good practice), dodgy code (something weird that might be wrong), i18n, etc.

    We use Hudson at work, so it’s probably worth trying the plugin to see what it turns up.

  • Comet

    Comet

    Tonight I went to a very interesting BOF given by Alex Russell and Joe Walker about Comet. Also known as ‘Reverse Ajax’, Comet is a way of implementing ‘push’ technology in the browser. Basically, it is just long-lived or delayed-response HTTP connections; so a client will open an HTTP connection and then this is kept open to push data to the client. It is needed because now that many sites use Ajax it means page refreshes don’t happen as much as they used to so while parts of a page may be refreshed through ajax, other parts of the page may become out of date. It is used for things like asynchronous updates in GMail, chat in Meebo and collaborative editing in Google Docs.

    It looks really cool and seems to finally be the push technology that was hyped in the 90’s.

    You can’t use a normal web server like Apache as it would collapse under all the connections it would need to keep open so comet must be run on a server like Jetty that supports the techonology. However, it is possible to retrofit an existing app using an external cometd server. The original server serves a page but the clients open long-lived connections to this external cometd server (eg jetty) which then routes ‘events’ from the app server to the clients. Apparently it is quite easy to convert an existing app to use this external cometd approach.

    JavaOne was the first I’d heard of this technology and it sounds really cool. They showed a fancy graph that suggested there weren’t problems with scaling the technology to many thousands of concurrent connections.

    It seems like this could be used to deliver ads to pages that are heavily ajax-based and so don’t see many page refreshes and therefore ad views. Maybe we need a new ‘Comet’ tag type in OpenX.

    By the way, ‘Comet’ doesn’t mean anything, it is just a bad pun.