The Developer Day | Staying Curious

TAG | book

Jun/10

26

Expert Python Programming Book Review

Expert Python Programming BookI’ve finished reading Expert Python Programming written by Tarek Ziade. This book is written for Python developers who wish to go further in mastering Python. Expert Python Programming covers a range of topics such as generators, meta programming, naming standards, packaging, continuous integration, writing documentation, test driven development, optimizations and design patterns. Even non Python developers will find this book useful since it covers best practices which are well suited to other programming languages.

There’s a sample chapter available which covers the topic of documentation. We all know how frustrating it is to write documentation. It’s boring, often it feels pointless and it tends to get out of date. The 7 rules of technical writing presented in the book changed my mind. It’s actually one of my personal favourite chapters in the book.

The first chapter of the book is very friendly and covers installation of many Python flavours, packaging tools such as EasyInstall and setuptools, prompt customization and choices of editors.

While the first chapter is very easy going the second chapters dives deep into syntactic intricacies of Python with it’s iterators, generators, decorators and context providers. If the second chapter won’t make your head spin then the third one on class level Python best practices certainly will. Author of the book does a great job at explaining the pitfalls of multiple inheritance, inconsistent super usage, Python’s method resolution order and finally meta programming which allows to change classes’ and objects’ definitions on the fly.

The rest of the book is a lot less confusing but nonetheless rewarding. Chapter four gives some very good advice on naming standards, building API’s and tools that ease might help along the way. Chapter five explains how to create python packages, distribute and deploy them.

What I really like in every book is examples. One example can explain more than a thousand words could. The examples in the second and third chapters are very valuable and help greatly to understand the concepts explained. The book goes even further and provides a complete example of a small application called Atomisator. This example is implemented following the best practices of previous five chapters.

Chapters eight and nine will be very interesting to team leads which explain distributed version control systems such as Mercurial, continuous integration and managing software in an iterative way.

Another very important topic on Test Driven Development or TDD is presented in chapter eleven. I cannot emphasize enough how valuable test driven development is. Though even today it’s not a widely adopted practice and not a well understood one either. This book will try to convince you why you should be doing TDD and if you’re already convinced it will present you with tools that you can use to do TDD. I was very interested to find out about the available unit testing framework alternatives. Further an interesting idea on doc testing is described which while seems a little exotic may be a very efficient way to keep your documentation up to date.

Reading further there’s a great chapter on optimization which describes general principles of optimization and various profiling techniques. Measuring performance may prove difficult on different hardware such as local development machines and stage servers. I was very intrigued to find out about pystones and the general concept behind it which helps to deal with the problem described.

Together with optimization techniques, various profiler tools which you never knew of, the book describes some generic optimization solutions available. Some are well known such as the Big-O notation, some are less known such as Cyclomatic Complexity. I think this book explains the concepts behind multi threading, multi processing and caching very well. Making an informed decision whether to use threads or multi processes for your Python application may as well mean if it’s going to be successful or not.

And finally the last chapter talks of design patterns. While it’s not the most mind blowing chapter of the book it provides some very interesting details why Python doesn’t have interfaces or how certain GoF patterns can be implemented in a Python specific way.

Conclusion

Should you read this book? My answer is yes. Especially if Python earns your bread and butter. Not only you will know the syntactic intricacies of python it will introduce you to many must know concepts of software development. Even if you’re not a day to day Python developer but you do write an occasional Python script or application by all means read the book and read the first six chapters. I will go even further and recommend this book to non Python developers. Simply because it explains concepts that every developer should understand. And as an extra it is always interesting to learn new ideas and to see how things can be done differently.

, , Hide

Feb/10

27

Expert Python Programming Review

Expert Python Programming BookI’ve always been interested in Python. Python is a dynamic programming language with a very clear and readable syntax, strong introspection, intuitive object orientation and so on. It’s been used in many successful projects such as Trac, Django, Mercurial, YUM. It’s used in companies such as Google or Yahoo. Python has a vast standard library allowing to solve almost any domain problem. From the early beginning Python had a design philosophy behind it which is probably one of the reasons why Python is such a successful programming language now days.

All these and other reasons make Python an interesting and valuable language to learn. I’ve chosen to review Expert Python Programming as my next book. Having used Python for personal projects such as PyDumpy or work related tasks such as continuous integration with BuildBot I hope it will be an interesting read that will help me to improve my understanding of Python.

For those interested Packt Publishing offers a sample chapter of the book.

, , Hide

Zend Framework 1.8 book As I mentioned earlier guys from Packt publishing asked me to review a recently published book Zend Framework 1.8 Web Application Development. The title says it all – it’s a book about designing and developing PHP web applications using Zend framework.

This book doesn’t require the reader to be familiar with zend framework and explains all concepts in proper detail, though it will be easier to read the book if the reader is familiar with the framework and/or has experience with MVC and OOP in general. This book should be interesting to all developers who design and develop day to day web applications using MVC frameworks or not yet familiar with them as it may improve their insights towards web applications modelling, testing , optimizations and more.

Even though I am fairly familiar with the framework I found the book to be an interesting, easy read, plentiful of examples explaining the intricacies of the framework.

The first though a very important chapter teaches the concept of bootstrapping using Zend_Application and shows how to write and run a simple hello world program using controllers and views. As well it introduces the use of controller utility methods such as _getParam(), _forward(), _redirect(), action helpers, view helpers which are very valuable and a lot of developers miss them entirely. This chapter also shows the proper use of the response object which also tends to get forgotten.

The second chapter dives straight into the Front Controller pattern explaining how the framework routes, dispatches requests and responds to the client. I have never been bothered to understand the whole thing and was quite surprised to see how simple it all is. It is worth mentioning that this chapter explains in great detail how the router and various routes work and how elegantly it integrates with Zend_Config. Last the chapter covers the request object and it’s external API which provides lot’s of valuable functionality.

From the third chapter author Keith Pope starts building the main application of the entire book, the Storefront. It’s a relatively simple “real life” application that serves the purpose of being an online products catalog. This chapter shows how such an application is structured on a file system and bootstrapped and configured.  Even more the chapter covers the creation of Zend_Log and various logging writers and database profiling. Extremely valuable features that not many developers know of. If every zend framework application would start as the chapter describes I believe a lot more developers would be eager to start their IDE’s 9:00 AM straight.

Next is my personal favorite chapter – Models. Zend Framework does not have a base Model class and there’s a pretty good reason why it doesn’t. Models are specialized for a certain business task and as such it is arguably impossible to make a generic model implementation that would fit all sizes well. It then might raise a question what’s there to read about? It is my personal belief that web applications modelling has lost focus during the years by the ever growing development community. Developers got their minds focused on the next “new” thing. Let it be template engines, ORM’s, rise of active record and ruby on rails, ajax and javascript frameworks. While the majority of the models “out there” are deeply crippled. Hundreds of books were written explaining how to manage the complexity of the problem so a single chapter is a mighty challenge. I believe the author made a great choice by explaining the concept of the fat model, skinny controller, explaining the benefits composition over inheritance, data access layer separation from the business layer and my deepest respect for introducing domain model design, Martin Fowler’s book Patterns of Enterprise Application and Eric Evan’s book Domain Driven Design also known as DDD.

Next five chapters describe the implementation of the Storefront application. Each chapter highlights a major component of the framework. Use of resource autoloaders, plugins, Zend_Form, Zend_Auth, Zend_Acl. Before saying anything else it is very important to say that books rarely ever show hardcore “real life” applications as examples. Even Fowler himself likes to skip certain topics like validation in certain sections of his famous book just because they complicate things too much. This book is no exception to the rule. It’s a pretty straightforward application. There isn’t a single join to another table or a GROUP BY statement in SQL, forms implemented with Zend_Form are rather simple with little if any javascript / ajax. I found it a bit disturbing that class create other classes having both business and factory logic. One of the ugly examples was where a getPrice() method on a product model creates it’s own Taxation service which could not be mocked if that class would need to be unit tested. In most of the cases author provides injection methods for unit testing but I would argue that it does not show class dependencies explicitly which is very valuable for unit testing. Besides that I really enjoyed how the author decided to go with ACL in the domain layer. This would more often than not be implemented in the controllers making the model tightly dependent on the controllers. All in all keeping in mind that it’s a tutorial application introducing the framework I’m highly satisfied of it’s overall quality. Repeating myself. If every zend framework application would be so well written..

Another chapter worth mentioning is regarding optimizations. I was surprised to learn about such things like plugin loader cache, table gateway metadata or various Zend_Cache frontends which I have never bothered to look up. Not to mention widely known tricks using APC, stripping zend framework of all requires and setting up an optimized include path.

And last but not least again one of my favorite topics – testing. I strongly agree with Misko Hevery that test driven development is a skill. It’s definitely not easy to start or learn. One would fool himself to think otherwise.  This topic deserves many books of it’s own. I can only share from my own experience – once I started unit testing applications that I work with, I have never looked back. This chapter explains different types of testing, shows how to setup PHPUnit and provides examples of controller testing using Zend_Test. I believe this chapter deserves more attention on how to do testing with a database in mind, debugging failing controllers, avoiding complicated mocks, implementing continuous integration. But again it is worth to keep in mind that the book is about Zend Framework and not testing in general.

All in all I enjoyed reading this book. I would and will recommend it to my colleagues and friends. I hope that this hopefully not too boring review convinced you to buy the book and learn something new. Once again – big thanks to Packt Publishing for a free book. Happy reading. Over and out.

, , , , Hide

Zend Framework 1.8 bookI was recently asked by Packt Publishing to review a copy of one of their books called Zend Framework 1.8 Web Application Development book. This book is about designing, developing and deploying feature-rich PHP MVC based web applications using Zend framework. Guys from Packt Publishing were generous to send me a hard copy of the book. I owe them a thanks.

Even though I feel fairly familiar with Zend Framework I believe this book will be a great opportunity to dwell into the darker corners of the framework. The fact the Zend Framework is now at version 1.9.5 and version 2.0 is on the horizon is a bit worrying but having had a quick glimpse at the table of contents I see that some topics of particular interest to me like chapters about model design, optimizations and testing are not the ones that change at the same pace as the framework does which makes this book even more worthwhile to read.

I believe I will have a great time reading and reviewing this book.

, , , , Hide

Aug/08

28

“Essential PHP Security” Book Review

Essential PHP Security Book Cover

Essential PHP Security” is an introduction to the PHP applications security written by Chris Shiflett. Though you could say that it suits any other language too. Well atleast to some point it does. It is a really short easy read. Developing PHP applications for quite a few years I have never tried to take a look at all the security issues in one place to see if I’m up to date. To say the truth I expected something more but that is why the book name includes a word “essential”. Let’s take a closer look at the book.

Chapter I – Intro

Basically it tells you to avoid the deprecated register globals (that are going down in PHP6), turning on the error_reporting(E_ALL | STRICT), “Defense in Depth”or otherwise adding additional “safeguards” where possible to make it harder for the attacker, “Least Privillege” or otherwise giving only required permissions,  writing simple, elegant code to easier spot security issues.

Chapter II – Forms and URLs

Basic, basic, basic .. Don’t do things like reset_password.php?username=john&email=john@example.com,  use is_file_uploaded() and move_uploaded_file() for uploads, prevent XSS using htmlentities with ENT_QUOTES and the encoding that you specified in the HTTP response of your application, the CRSF topic is quite old now but quite not taken seriously and a few thoughts not to take HTTP_REFERER too seriously.

Chapter III – Databases and SQL

Keep your db credentials outside of document root or atleast not visible from outside, better yet in server environment variables,  avoid SQL injections using database specific escape functions, prepared statements or addslashes() and encrypt stuff like SSN or credit card numbers.

Chapther IV – Sessions and Cookies

Things get more interesting here. Cookie theft or it’s just a subtopic of XSS, session fixation is a topic like CRSF – known for a long time and not taken seriously. For those of you that don’t know session fixation is about regenerating your session id every time a user in your application gets higher permissions like logging in. Also an old trick to check whether user’s USER_AGENT suddenly changed on every page load to make it harder for the attacker.

Chapter V – Includes

This chapter explains to keep as much as possible of your application outside of document root, filtering every user given variable that you use for includes with basename, realpath, pathinfo or any other tools. Also  disabling allow_url_fopen though I prefer disabling allow_url_include more.

Chapter VI – Files and Commands

Almost the same as Chapter V. Except that you learn new functions like escapeshellcmd() and escapeshellarg().

Chapter VII – Authentication and Authorization

A nice idea to use 15 second login timeouts to make it harder for the attackers while keeping the legitimate users safe. Use SSL.  Try to avoid persistent logins. And if you can’t don’t store sensitive information in the cookies like usernames or passwords. A really nice idea to generate one-time-use tokens that you save in cookies with a timeout for persistent logins and regenerate them every login.

Chapter VIII – Shared Hosting

It’s best to avoid PHP shared hosting. The book was written in 2005 when PHP had a lot more security issues. Most good hostings have virtual machines or have open_basedir, safe_mode enabled with lots of stuff disabled. Safe mode will be removed in PHP 6 but it has a really nice feature like allowing to run executables from a certain directory.

Apendix A

Not too interesting. Configuration directives. Disable allow_url_fopen, use disable_functions, turn display_errors off, disable enable_dl, set error_reporting E_ALL | E_STRICT, log errors, turn off magic_quotes_gpc, set memory limit 8mb if you can, use open_basedir, turn of register_globals, use safe mode.

Apendix B

Avoid eval, avoid functions that allows to execute commands on the server, use includes carefuly, be careful when using preg_replace modifier /e.

Apendix C

Nice idea to use salt when generating password hashes to make rainbow tables ineffective.

All in all it’s a very good book to get started. Maybe not as detailed as the latests Steffan Essers recent findings but if only every site on the web would do the things described in the various book chapters… Projects like Google Hacking Database show how secure the web really is. And for the last words .. It’s not the PHP that is not secure .. Enormous amount of effort was put into PHP to make PHP more secure.  Just to give you an idea listen to “The state of PHP security” or read about what Steffan Esser is doing. Yes there still are security bugs in PHP .. But honestly like Steve Balmer would say it’s all about: Developers, developers, developers. PHP deserves a better name.

, , , Hide

Find it!

Theme Design by devolux.org