After checking out the code and realizing that it might have just been written by a beginner, I "installed" it locally: From a user's point of view I have to say it is exactly what I need. I am able to post small snippets (called "nodes") to a project (kind of a category/idea). That's all. Drag & Drop works - awesome. The design is simple but really neat! However, to make this system perfect for me it needs to implement multi-user functionality, where I can chat with my friends about our current projects.
I think I would give this project another try when you are able to refactor the whole code base and add multi-user functionality.
Good luck anyways.
PS: This post led me to create a HN account.
However, I've often been amazed at how "messy" code is. Code that does what it needs to, and works. The early bird gets the worm, and I applaud this guy for throwing something out (something perhaps that we were too busy taking our time "working on to get clean and perfect"). I'm sure it'll get refined and refactored as time goes by, if people latch on.
Many have been burned by PHP experts before. This guy is a beginner. I really like the app design and idea, but I can't find a reason to let it protect my data or compromise my server. Might be cute to host it inside my firewall, though.
That would be the question. Is it bug-free, or will it eat my data and let scriptkiddies run amok on my host?
Looks like it was written by designers...
1) please find a better way to inform the app developer of a security vuln
2) please don't stereotype or discriminate against designers. There are designers that are way more conscious and way more knowledgeable about general web security best practice than many of the HN readers here. Professional sites like Google can have XSS. Don't be one of those ignorant people who think XSS is easy to solve. I bet you just created a new account so you can tell the world how much you think designers are incompetent regarding web security best practice. I bet you are also incompetent at showing your true identity.
And honestly, it doesn't matter. The author has no responsibility to you or to anyone to write hardened production-ready code. If his app gets rooted, it's on him, and it's honestly the responsibility of everyone that runs it to determine if that's a risk they're willing to live with.
But the quality of the code has little bearing on the fact that this product didn't exist some while ago and now it does. Maybe it'll influence somebody to create a desktop version or to contribute some security fixes, or maybe it'll just spark some design discussion. It shipped and, irrespective of its quality, it's making at least one person more productive.
Kudos to the author for shipping something that - like everything else - is not perfect and has room for improvement, but is out there anyway.
Can we just all collectively downvote this and/or change the title to "Daily WTF: ..."
Your "criticisms" aren't even valid criticisms, they're hyperbolic. Zero separation of presentation and business logic? I looked at the code. Zero separation means everything is in one file. Yes, the author mixes presentation and logic in many instances, but where is the presentation code in the file node.php? Oh, look, some business logic is separated to its own file, just like one would expect with "zero separation". Seriously, why should we throw a hyperbolic insult that doesn't even address the problem? I can't think of any good reason to be destructive here.
EDIT: After discussing this more in replies, I found the guidelines for Show HNs. It looks to me like these comments violate the guidelines for Show HN comments. If HN is going to be a comfortable place for people to share their work, this shit needs to stop. Every time I see shit like this I think about how little good it does to post a Show HN unless you already have a business behind the project. Even when there's low-hanging fruit that one could easily help with, some "rockstars" would rather make insults than contributions.
The idea isn't to shove people out of the circle when they present something they've been working on.
Is the code hosted somewhere on a VCS?
We need more dead simple-to-install open source webapps, especially with a modern look!
I too applaud the author for embracing the spirit of open-source; but I think now would be a great time for him/her to learn the super-basics of PHP (and programming in general) best practices. Develop with all errors being tracked and displayed! Don't use undefined variables or constants! Use tutorials / books that were written in 2014, not in 2003!
So the idea is to package all the necessary parts of ''dokuwiki'' and make it installable by simply throwing or wgetting it into a PHP-enabled dir. The first rule of software development is "don't write code, because there is already someone who solved a similar problem before you." Instead of writing a whole new blogging platform, see what you can build starting from a stripped-down ''dokuwiki''. Using the fs as the data store is a good pattern for usability.
inflating: nemex/php/zipProject.php
inflating: __MACOSX/nemex/php/._zipProject.php <---
2. provide a real download link --- I want to copy paste and wget from my server, but when I right-click copy link I get http://beta.nemex.io/#download ... I had to manually deduce that the correct URL is http://beta.nemex.io/php/download.php
COPYFILE_DISABLE=1 tar cvzf release.tgz file1 dir1 dir2 ...
or for zip: zip -r -X release.zip folder_to_compress
via http://unix.stackexchange.com/questions/9665/create-tar-arch... and http://coolestguidesontheplanet.com/how-to-compress-and-unco...
Ugh.
So congrats for this project and this messy creative code.
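The archive-hygiene point above (AppleDouble `._*` sidecars, `__MACOSX/` and `.DS_Store` leaking into a release tarball) is easy to check mechanically before publishing. The following is an added example, not code from the nemex project or from the linked answers: it builds the release with `COPYFILE_DISABLE=1` plus explicit `--exclude` patterns (so the exclusions also hold on Linux, where the variable is ignored), and then lists the archive and fails if any Mac cruft made it in. The fixture directory it creates is constructed for illustration; `make_release`, `archive_is_clean` and `make_fixture` are names chosen here, not anything the project ships.

```shell
#!/bin/sh
# Added example (not part of nemex): build a release tarball without
# AppleDouble (._*) / __MACOSX / .DS_Store entries, and verify it before upload.
# On macOS, COPYFILE_DISABLE=1 stops tar from emitting ._* resource-fork files;
# the --exclude patterns are a fallback that also works with GNU tar on Linux.

# Return 0 if the archive contains no Mac-specific cruft, 1 otherwise.
# The offending entries are printed to stderr so you can see what leaked.
archive_is_clean() {
    cruft=$(tar tzf "$1" | grep -E '(^|/)(\._|__MACOSX(/|$)|\.DS_Store$)' || true)
    if [ -n "$cruft" ]; then
        printf 'unwanted entries in %s:\n%s\n' "$1" "$cruft" >&2
        return 1
    fi
    return 0
}

# Build $2 (a .tgz) from directory $1, excluding the sidecar files up front.
make_release() {
    src=$1
    out=$2
    COPYFILE_DISABLE=1 tar --exclude='._*' --exclude='__MACOSX' \
        --exclude='.DS_Store' -czf "$out" \
        -C "$(dirname "$src")" "$(basename "$src")"
}

# Constructed fixture: a project tree the way Finder and zip tend to leave it.
make_fixture() {
    dir=$1
    mkdir -p "$dir/php" "$dir/__MACOSX/php"
    echo '<?php' > "$dir/php/zipProject.php"
    : > "$dir/php/._zipProject.php"            # AppleDouble sidecar
    : > "$dir/__MACOSX/php/._zipProject.php"    # what unzip shows as __MACOSX/...
    : > "$dir/.DS_Store"
}

# Usage (both steps; the second is the gate before you publish):
#   make_release ./nemex release.tgz && archive_is_clean release.tgz
```

The check is worth keeping even if you never build on a Mac: anyone who later repackages the tree on their laptop will hit the same sidecars, and `tar tzf | grep` costs nothing in a release script.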
One comment on the site though - it would be really cool to be able to see a demo. I get a good vibe from the description/images, but a demo site would be great.
This isn't some arbitrary work-in-progress "Show HN" project. It's being released and advertised as a fully working product, which is quite the polar opposite: it is absolutely filled with security holes and should be approached with serious hesitation before someone actually utilizes it.
I'd also argue every single one of my criticisms is incredibly valid and hardly hyperbolic.
That's great. You SAID "zero". And you pointed out zero examples to defend your statement. I pointed out one example that completely invalidates your statement, which is all that is needed. Because 1>0. Here, let me help. "Your application doesn't do a good job of separating business logic and presentation." Was that hard? I didn't say anything hyperbolic, I didn't recommend downvotes or call his application "WTF" in that statement. It WAS NOT HARD.
>I can also point out numerous massive security flaws, utterly unused code, the obviously unprepared .DS_Store shit, and code which attempts to load missing libraries and SQL inserts when it's blatantly billed as "no database required"
Did you do that, or did you try and insult the author? I see others in this thread pointing out specific issues that will help the author. You can't do that? Or is the author not worthy of your help, but somehow IS worthy of the time you spent to insult the author's project?
>I'd also argue every single one of my criticisms is incredible valid and hardly hyperbolic.
Sorry, but if you say "zero" and it's not true, that's hyperbole. It's either hyperbole or it's not, there's no such thing as "hardly hyperbolic." You exaggerated and you knew it was an exaggeration, OR you thought you were making a true statement. Either way, wrong.
http://dictionary.reference.com/browse/hyperbole
My point is you are not offering anyone anything. Who do you help by insulting the author? The author? Or do you think you're protecting the world from bad software?
BTW, here's the rule I think you're violating:
>When disagreeing, please reply to the argument instead of calling names. E.g. "That is an idiotic thing to say; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
One could argue I'm breaking the same rule in arguing with you, though...
Even if one disregards the bad architecture, the project suffers from too many security flaws. The creators should have a look at http://www.phptherightway.com/ which gives really basic guidelines for any modern PHP project.
PHP suffers from a bad rep because of developers that clearly don't know what they are doing. They have client-side skills for sure.
But I would feel totally embarrassed if someone linked to something I've made and it looked like that source code.
I'm not saying I'm a PHP "rockstar". But there are channels where beginners can get code reviews for free (IRC, reddit, ...) before making a project official.
They need to find a proper developer.
What's wrong with the username and pass stored in a config file? Almost all PHP apps store their database credentials in a config.php as well.
I haven't done much FTP or shared hosting in maybe 7-8 years, but I remember WordPress has had the same 0777 bad practice for many years and hasn't changed.
777 is never a good option.
[1]: http://codex.wordpress.org/Changing_File_Permissions#Shared_...
Anyway, these days, for a couple dollars you can have a really really good cloud hosting service.
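The 0777 discussion above is about one concrete thing: the world-write bit, which lets any other account on a shared host (or a compromised neighbouring app) rewrite your PHP files and data store. This is an added example, not code from WordPress or from nemex, showing how to audit a web root for world-writable paths and reset them to the usual 755 for directories and 644 for files; a directory the app genuinely has to write to (uploads, a JSON node store) should be owned by the web server account instead of being opened to everyone. The fixture tree is constructed for illustration, and `world_writable`, `count_world_writable`, `fix_perms` and `make_fixture` are names chosen here.

```shell
#!/bin/sh
# Added example (not WordPress's or nemex's code): find and fix world-writable
# files and directories under a web root, i.e. what "chmod -R 777" hands out.

# Print every world-writable path under $1 (files and dirs), one per line.
# Symlinks are skipped: their own mode is meaningless, the target's is what counts.
world_writable() {
    find "$1" -perm -002 ! -type l
}

# Number of world-writable paths under $1; 0 means clean.
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# Reset everything under $1 to 755 (dirs) / 644 (files), dropping the world
# write bit. This deliberately does not chown: if the app needs a writable data
# directory, give that one directory to the web server user as root, e.g.
#   chown www-data:www-data data && chmod 750 data
# (www-data is an assumed account name; it varies by distribution.)
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed fixture: a tree the way "chmod -R 777" leaves it, plus one sane file.
make_fixture() {
    mkdir -p "$1/data" "$1/php"
    : > "$1/data/nodes.json"
    : > "$1/php/index.php"
    chmod 777 "$1/data"
    chmod 666 "$1/data/nodes.json"
    chmod 644 "$1/php/index.php"
}

# Usage: review first, then fix.
#   world_writable /var/www/nemex
#   fix_perms /var/www/nemex
```

Run `world_writable` before `fix_perms` and read the list: anything the app legitimately writes to needs the chown treatment described in the comment, otherwise the next page load will fail with a permission error and the temptation to put 777 back returns.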