What Is Larry Thinking? #54 => Salt, Pepper, 99designs, and Ajax

April 30, 2012


About This Newsletter

To repeat what I’ve said in the past two newsletters, I am now officially on Twitter. Hopefully next month, I’ll get the Twitter “follow me” link on my main site and add it to this newsletter template. But in the meantime, you can follow me using @LarryUllman. I’m doing better about sending out tweets, and I do retweet things that I think are notable or useful. In fact, I sent out a tweet a couple of days ago asking for good newsletter questions, and I received a few, one of which I answer here. Even an old dog can learn a new trick, I guess.

Also, I would love to have more questions to answer in forthcoming newsletters. I tend to get the most questions when I do a book giveaway, and I haven’t had one of those in a while, so the well is running a bit dry.

As always, questions, comments, and all feedback are much appreciated. And thanks for your interest in what I have to say and do!

On the Web => Properly Salting Passwords, The Case Against Pepper

Anthony Ferrara, creator of the PHP PasswordLib library, just recently posted a discussion of using salts and pepper to improve the security of a stored password. Mostly, the article is a discussion of why a pepper is unnecessary (and if you don’t know what a “pepper” is, just read the article), but the posting also does a good job of explaining the purpose of a salt, and why the salt does not need to be a secret. The posting is relatively short, and is something I think everyone can benefit from reading.

The posting ends with the most important security fact:

Remember, the most dangerous kind of security is a false sense of it. Thinking you’ve made your application more secure, when in fact you’ve weakened it, is the worst thing you could possibly do.
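The point about salts summarized above, as an added example that is not from this newsletter or from Ferrara's article: PHP's built-in password_hash() (used here instead of PasswordLib) generates a random salt for every password and stores it in the clear inside the hash string. The account names, the password, and the bcrypt_parts() helper are constructed for illustration.

```php
<?php
// Added example: constructed accounts and password, not from the newsletter.

// Split a bcrypt string "$2y$<cost>$<22-char salt><31-char digest>" into its fields.
function bcrypt_parts(string $hash): array
{
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Constructed sample: two accounts that happen to share a password.
$password = 'correct horse battery staple';
$stored = [
    'alice' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]),
    'bob'   => password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]),
];

foreach ($stored as $user => $hash) {
    $p = bcrypt_parts($hash);
    // The salt is readable in the stored value; only the password is secret.
    printf("%-5s cost=%d salt=%s digest=%s\n", $user, $p['cost'], $p['salt'], $p['digest']);
}

// Same password, different random salts: the stored values differ, so a table
// precomputed for one salt is useless against the other record.
var_dump($stored['alice'] !== $stored['bob']);

// Verification reads the salt and cost back out of the stored string, which is
// why the salt has to be kept with the hash and cannot also be a secret.
var_dump(password_verify($password, $stored['alice']));
var_dump(password_verify('wrong guess', $stored['alice']));

// A later increase in cost is detected per record, for example at next login.
var_dump(password_needs_rehash($stored['bob'], PASSWORD_BCRYPT, ['cost' => 12]));
```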

On the Road => Istanbul and Silicon Valley

For the first time in a long time, I’m going to do some work-related traveling. I used to travel somewhat regularly for conferences and training seminars and the like. But then I had kids and other personal issues came up, so I cut back. I think the last time I travelled for work was when I spoke at a Voices That Matter conference in Nashville, TN in 2008!

My first trip is to Istanbul, Turkey, at the end of May. I’ll be speaking at the E-commerce Expo on May 30th (the site is in Turkish, so you’ll want to use a browser like Chrome that will translate the page for you). I will have about two other days to see what I can of the city, so if anyone has any recommendations of what to see and do, or where to eat, please let me know. I’ve heard nothing but great things about Istanbul and am really looking forward to it. Oh, and my speech—Building a Successful E-commerce Venture, or Failing Gracefully—should be good, too.

At the end of June, I’ll be doing two days of training on JavaScript and jQuery at the Mid-Pacific ICT Center Summer 2012 Faculty Development Week in Fremont, California. I’m tentatively thinking about making myself available for drinks or dinner on Thursday, June 28th, although I haven’t thought it through, yet. If you’re in the area and think you’d like to meet, let me know and I’ll see what makes sense from there. Thanks!

On the Blog => My New Logo and Business Card from 99designs

In March, I finally got around to having a new logo and business card created, using 99designs. It wasn’t a driving need for me, but it was about time. I wrote about the contest experience in one blog post. In another blog post, I show the end results, and also some of the terrible logos and business cards I’ve had along the way (i.e., the ones I designed).

I’ve since hired a designer to modify my CSS to use the new logo and colors. This is going to go with a new WordPress theme, which I’m hoping to get online in May. Hoping. After that I’ll also update this newsletter template.

On the Blog => Five Ways to Lose Work

In the previous newsletter, I wrote about competing for work. Getting work is a frequent topic of conversation I have with readers, and between that question, and my recent experiences with 99designs, I wrote a blog post titled “Five Ways to Lose Work”. Although some of the examples in that post come from my 99designs experience, it’s not really about 99designs, but more about the common mistakes people make when trying to get a project. My intent is that by recognizing these mistakes, you’ll be less likely to make them, and therefore have a better chance of getting work.

On the Blog => Yii and Me (aka, the Yii Book)

Many people have appreciated my Learning the Yii Framework series and are awaiting a formal Yii book written by me. This is something I have been hoping to do for some time. It looks like that time will be the latter half of 2012. Almost definitely. In a recent blog post, I announced my current plans and thinking about the book. I was also very pleased to say that Qiang Xue, the creator of Yii, has generously agreed to act as the technical editor for the book. Now it’s just a matter of writing it!

Q&A => How Do I Make Ajax Content Available to Search Engines?

I’m digging way through the archives to find questions to answer, and I came across this one sent in by Richard back in October of 2008. It’s probably way too late to help Richard, but perhaps my answer can be of use to others. Here’s the prompt (summarized by me):

I have a discussion board that pulls posts via Ajax, which means that posts aren’t being indexed by search engines. I updated the system so that all posts are displayed by PHP, to make them search engine visible, and then use Ajax for new posts since the user got online, but are there other places where Ajax presents this sort of problem?

This brings up a very good point that every Web developer ought to be aware of. It’s obvious that if someone disables JavaScript, they can’t see the JavaScript functionality on a site. Statistically, only around 1-3% of all users have JavaScript disabled. However, all search engine bots are unable to see JavaScript-derived content. This means that all content on your site that’s created by JavaScript will not appear in search engines. This is especially ironic as many sites use JavaScript for the most important content. So what’s the solution?

The solution is actually the same solution for all JavaScript-based sites. Unless the site absolutely has to require JavaScript, you should always start with a non-JavaScript version first. A non-JavaScript version will be accessible by all search engines and by, well, anyone. The non-JavaScript version may not be pretty or cool, but it will be functional, which is most important. Then you can add the JavaScript layer to implement the cool, or more interactive, version. This process is called “progressive enhancement” and is a cornerstone of modern JavaScript, as explained in my “Modern JavaScript: Develop and Design” book.

If, for whatever reason, you don’t want to take this approach, then simply create alternative versions of your content that would be available for search engines. This could be as simple as a site map that links to non-dynamic versions of the content.

Q&A => Can You Use .html Instead of .php?

This question came in from @enxaneta_info via Twitter:

Is it possible to replace the .php extension with .html?

The short answer is yes. A file’s extension just tells the computer what application should be used to execute that file. With Web files, the extension tells the Web server how to treat that file. Normally, the .php extension indicates that the code therein should be run through the PHP module. If you wanted to use .html, you’d just need to tell the Web server to send all files with a .html extension through the PHP module. (This is done via an AddType directive in the Apache configuration file.)

One benefit of doing this is that it allows you to hide what type of server-side tool is being used. On the other hand, there is certain to be a performance hit as the Web server will send every page through the PHP module. But if you have a site that only contains PHP scripts and has no HTML files, this is a reasonable change to make.

Larry Ullman’s Book News => “PHP 5 Advanced: Visual QuickPro Guide” (3rd Edition)

I’ve formally started writing the third edition of my “PHP 5 Advanced: Visual QuickPro Guide” book. You can view the initial Table of Contents on my Web site, along with some discussion of my approach to this edition. The new edition is tentatively titled “Advanced PHP and Object-Oriented Programming: Visual QuickPro Guide”, to better reflect the book’s focus.

If you have any thoughts on the book’s table of contents, please share them on that blog posting page. As I said, I’m writing the book now, and it will be my primary focus for the next two months. Ideally the first submitted draft will be completed by the end of May (although that will be a stretch), and the book will come out by the end of summer.