All About Ruby


Building a user authorization system in PHP - Part II

Hashing passwords

In the last walkthrough you should have created a script that allows a user to enter information in an HTML form and then stores this information in the database. The most obvious security hole is that we store the password in the database in plain text: if somebody is able to get the contents of your database, all user passwords will be in plain view.

This part of the tutorial helps you learn how to make the passwords more secure. The common practice for storing passwords is to store a hash of the password, which is a scrambled copy of it. There is no easy way to recover the password from its hash, so this setup is much more secure. At login you then compare the hash stored in MySQL with the hash of the password the user entered; if both hashes are identical, the password is correct.

There are 2 basic algorithms: SHA1 and MD5. Because a specific password always corresponds to a specific hash value, the attacker does not need to brute-force the hash to get the underlying password: if you build a database of all possible passwords and their hashes, you can get the plain-text password by doing a hash lookup in that database. Here is an example: MD5 lookup. As there are no reliable SHA1 lookup services at the moment, it is safer to use this algorithm with some kind of modification (called a salt). Here’s the line you need to add to your register.php:

// store this salted hash instead of the plain-text password
$password = sha1(sha1($password) . "mysecretcode");
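As an added example (not from the post), here is the same register-then-compare flow written in Ruby instead of PHP. It keeps the post's sha1(sha1(password) + secret) construction and goes one step beyond it by appending a random per-user salt, so two users with the same password get different stored hashes; the users table, the secret and the user names are constructed for the example.

```ruby
require "digest/sha1"
require "securerandom"

# Constructed in-memory stand-in for the users table.
USERS = {}

# The post's construction, sha1(sha1(password) + secret), with a per-user
# random salt appended: a precomputed lookup table only matches one salt.
def hash_password(password, salt, secret = "mysecretcode")
  Digest::SHA1.hexdigest(Digest::SHA1.hexdigest(password) + secret + salt)
end

# register.php equivalent: store the salt and the hash, never the password.
def register(username, password)
  salt = SecureRandom.hex(8)
  USERS[username] = { salt: salt, hash: hash_password(password, salt) }
end

# Compare every byte regardless of where the first mismatch is, so a wrong
# guess takes the same time as a nearly-right one.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# login.php equivalent: recompute the hash with the stored salt and compare.
def login(username, password)
  record = USERS[username]
  return false if record.nil?
  secure_equal?(record[:hash], hash_password(password, record[:salt]))
end

if __FILE__ == $0
  register("alice", "correct horse")
  register("bob", "correct horse")
  puts login("alice", "correct horse")                 # true
  puts login("alice", "wrong")                         # false
  puts USERS["alice"][:hash] != USERS["bob"][:hash]    # true: same password, different hashes
end
```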


Building a user authorization system in PHP - part I

Recently I needed to start my new PHP project and required a basic (but secure) user authorization / registration script. To my surprise I was not able to find one script that would allow me to register users in a MySQL database, require user activation via email, show a Turing test (aka captcha) at the login form and have no obvious security holes.

16 hours later, I now have my own script and understand better why there is no universal script available on the Net (the task turns out to be non-trivial and requires a lot of security tweaking).

In this post I will start discussing how a user authorization script should be developed.


Ruby Blocks 101

One of the difficulties you might have with jumping into Ruby on Rails is that you need to learn the Ruby language (yes, you do ;) ). And if you come from a PHP background as I do, the single weirdest thing in Ruby would be the notion of blocks. I have never seen blocks in any other language. The concept seems beautiful, but completely unrelated to anything I know about programming.

The concept of blocks is logical and intuitive, but most likely very different from the way you experienced programming. Blocks are like alien logic - something so basic, that it changes the meaning of everything. Think of how an amphibian race of super-intellectual beings would differ from humans - this is how different the blocks concept is from your PHP functions.

As blocks are one of the basic structures of Ruby, chances are you have already seen them and did not really understand what was going on. I hope this post will help you get the hang of the concept really quickly.

So let’s start with an easy example. Run irb (on Windows, irb.bat from the command prompt) and define the method:

def aliens
  i = 1
  j = 2
  yield(i, j)
end

This method just assigns two variables and then passes those variables to the block. Now let’s call the method with a block:

aliens { |x, y| puts x, y }

It works as follows: the aliens method is called, and Ruby recognizes that this call has a block attached to it. Once yield is encountered within aliens, control passes to the block together with any parameters in the parentheses. As i and j are local variables of the method, the block declares its own first and second variable (x and y) to hold the values of i and j. Finally we have the Ruby code that does something with those parameters. Puts just displays the values of i and j on screen. But you can do something more complicated:

aliens { |x, y| puts x+y*y }

This should display 5.

If you are not confused at this moment, great - you have almost mastered blocks ;). If you are, think of aliens as a function that takes three parameters: x, y and some arbitrarily complex Ruby code. Yield is the place where this code is executed. To make sure that this is the case, try this (copy the code, save it to blocks.rb in your project directory and run ruby blocks.rb):

def aliens
  i = 1
  j = 2
  yield(i, j)
  i = "magick"
  return nil
end

aliens { |x, y| puts x }

The script should print “1”. This is easy stuff. (Pedantic note: you can ignore “return nil”; it is there because Ruby returns the last value evaluated in a function (= method) as the result of that function, so if you run the code above in irb without “return nil”, you will see that aliens actually returns “magick”.)

Another cool feature is the ability to test whether the method has a block. Check out this code:

def aliens
  if block_given?
    i = 1
    j = 2
    yield(i, j)
  else
    puts "magick"
  end
end

aliens { |x, y| puts x }
aliens

In this case, if a block is provided to the method, we execute the if branch; otherwise we execute the else branch. As a result, the script should print “1” and “magick”.
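As an added example (not from the post), two things the aliens examples above do not show: yield is an expression whose value is whatever the block returned, and a method that yields can wrap the block in ensure so that clean-up runs even when the block raises, which is exactly how File.open { ... } closes the file for you. The session "resource" here is a constructed in-memory log so the script runs offline.

```ruby
# 1. yield hands the block's last value back to the method.
def aliens
  i = 1
  j = 2
  result = yield(i, j)
  "block returned #{result.inspect}"
end

# Constructed in-memory stand-in for a real resource (file, connection, lock).
LOG = []

# 2. A yielding method can guarantee tidy-up around the block with ensure.
def with_session(user)
  LOG << "open #{user}"
  raise ArgumentError, "no block given" unless block_given?
  yield(user)
ensure
  LOG << "close #{user}"   # runs on normal exit and when the block raises
end

def demo
  LOG.clear
  outcome = {}
  outcome[:sum] = aliens { |x, y| x + y * y }            # "block returned 5"
  outcome[:ok]  = with_session("alice") { |u| u.upcase } # "ALICE"
  begin
    with_session("bob") { |u| raise "boom in #{u}" }     # close still logged
  rescue RuntimeError => e
    outcome[:error] = e.message
  end
  outcome[:log] = LOG.dup
  outcome
end

puts demo.inspect if __FILE__ == $0
```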

How cool is that? :)


Another good introduction article from Curt Hibbs

Curt Hibbs’ tutorials are the only accessible tutorials that I’ve read on Ruby on Rails. Curt has also written a great introductory article on Rails which you can find here.


Newbies beware!

So, I am trying to get deeper into understanding Ruby and Rails, and things are progressing nicely. However, I have to say that the information on Rails and Ruby is not up to scratch. Unless you are a seasoned programmer or a smart hacker, chances are you will be lost when trying to understand how to use the Rails API or what exactly you are supposed to do after you have installed Ruby on Rails and done an ONLamp tutorial. A good sentiment that every newbie will recognize instantly is expressed here.


TextMate v1.5 released

TextMate, by the look of it, is a great editor for Ruby developers. A new version was released just recently, but there are still no plans to release a PC version - only Mac users get to celebrate.


Ruby on Rails Cheatsheet

Blaine Kendall released a very nice 14-page PDF that nicely summarizes the gotchas, syntax and some basic building blocks of both Ruby and Rails. Get the PDF from his blog post here.


Installing Rails on Windows (step-by-step tutorial)

Ok, so this will basically be somewhat of a repeat of the information in Curt Hibbs’ great hands-on tutorial. However, the versions of all products have changed since Curt wrote his tutorial, and in some areas I felt that additional description was required. So, in this tutorial you’ll get step-by-step instructions on installing Rails on Windows 2000 Server (Windows XP would be very similar).



Do you need instant rails?

I have written about the Instantrails package before, but having tried it for a day, I decided to go with a proper installation. The reason for this is that I had never run either MySQL or Apache on my local computer, and as I have all sorts of firewalls and quirks on my computer, when things went wrong, I did not understand how I could fix them. Instantrails does not have any real documentation and I was not sure what exactly went wrong.

Also, Instantrails comes with phpmyadmin for MySQL admin, and for this it also needs to install php, which I thought was excessive - I’d rather go with my old trusted MySQL Control Center or the new Query Browser. So, if you are not a power user of either MySQL or Apache, I would recommend against using InstantRails.

Finally, for development you do not need to install Apache, as Rails comes with WEBrick, which should do the job well enough.


Great way to start with Ruby

Yes, books…

I have purchased the “Programming Ruby” book from the Pragmatic Programmers, and based on what I’ve read so far (around 60 pages) this is an excellent book that guides you through Ruby from the very beginning (you do not even need to know what classes and methods are) to the very end (which is a long section describing methods). I recommend that everyone purchase it online, and while there, you can also consider purchasing their Ajax and Rails books (I haven’t bought them yet, but they are high on my wishlist).