PHP

Tuesday, June 03, 2008

Google App Engine from a PHP developer’s perspective

My cheatin' heart

When Google AppEngine was announced, a lot of sturm und drang went through the PHP community because it only supported Python. Of course, the same thing went through the Ruby community. The Perl community, not so much, because they’re used to getting ignored.

Anyway, I didn’t really give a crap, because Python is a cool language, and I’ve been interested in learning new languages and frameworks lately. PHP is cool and all, but having done it for 9 years, you kinda look for new challenges. Plus, getting hung up on one language is a sure way to be a boring dude who gets caught up in lame religious language wars.

I’ve actually toyed a little with Python here and there, but never dove in on a significant project. I’m someone who really likes whitespace and indenting rules and such, so those aspects of the language never bothered me. Otherwise, Python is a good fit for me philosophy-wise, because it’s totally the anti-Perl, lacking goofy magic characters and 1000 ways of doing the same thing. I can’t stand languages where “~^s” means “find all numbers that start with the letter ‘s’, add them, multiply them by 75, and then post the result to Twitter”. I’m not freakin’ R2D2 here.

So anyway, I started working on a little side project with Alex Payne on GAE. It’s been an enjoyable experience to work with a new language and framework, and there’s a lot to like about what GAE offers. It also has some rough edges, though, in some areas you’d be surprised by.

The good

The webapp framework

The built-in framework for handling requests is webapp, a nicely straightforward system for mapping requests to handlers.

from google.appengine.ext import webapp
import wsgiref.handlers

class MainPage(webapp.RequestHandler):
    def get(self):
        self.response.out.write('Sup dogg?')

class FooPage(webapp.RequestHandler):
    def get(self):
        self.response.out.write('This is the foo page')

def main():
    # map URL patterns to the handler classes above
    wapp = webapp.WSGIApplication([
                                    ('/', MainPage),
                                    ('/foo', FooPage)
                                  ],
                                  debug=True)

    # hand the application to the CGI-based WSGI runner
    wsgiref.handlers.CGIHandler().run(wapp)

if __name__ == '__main__':
    main()

So we define a class to handle a specific URL, and inside it define a method for each HTTP method (GET, POST, and so on) it accepts. Then in the main function we map URLs to those handler classes in the webapp.WSGIApplication constructor and start it up.

I like this because it’s simple and easy to follow. I could read the code before I’d written any myself and get what’s going on. There’s no magic happening here; no auth-mapped stuff or relationships established because I happened to name something the right way and put it in the right directory. Convention is good, and we have conventions here, but the conventions are clear and obvious.
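To show the request-to-handler mapping above without the App Engine SDK, here is an added example written for this page (it is not App Engine's own webapp code): the same pattern rebuilt on the standard library's wsgiref. The Response, RequestHandler and WSGIApplication classes and the call() helper are stand-ins named for illustration only. Beyond the snippet above it also shows a regex route with a captured group, and what an unmapped path or an unsupported method gets back (404 and 405, with patterns anchored so a path like /foo/../admin never matches /foo).

```python
import re
from wsgiref.util import setup_testing_defaults

# All classes below are stand-ins written for this example; they mimic the
# shape of webapp's API but are not the App Engine code.

class Response(object):
    """Collects status, headers and body for one request."""
    def __init__(self):
        self.status = '200 OK'
        self.headers = [('Content-Type', 'text/plain; charset=utf-8')]
        self._chunks = []

    def write(self, text):
        self._chunks.append(text)

    def body(self):
        return ''.join(self._chunks)


class RequestHandler(object):
    """One method per HTTP verb (get, post, ...), as in webapp.RequestHandler."""
    ALLOWED = ('GET', 'HEAD', 'POST', 'PUT', 'DELETE')

    def __init__(self, environ, response):
        self.environ = environ
        self.response = response

    def dispatch(self, method, args):
        # Only a fixed set of verbs is looked up on the handler, so an odd
        # request method such as 'DISPATCH' can never reach a non-verb method.
        target = getattr(self, method.lower(), None) if method in self.ALLOWED else None
        if target is None:
            self.response.status = '405 Method Not Allowed'
            self.response.write('method not allowed')
            return
        target(*args)


class WSGIApplication(object):
    """Maps (regex, handler class) pairs to requests; first match wins."""
    def __init__(self, mappings):
        # Anchor every pattern so '/foo' matches only '/foo', not '/foo/../x'.
        self.routes = [(re.compile('^' + pattern + '$'), cls)
                       for pattern, cls in mappings]

    def __call__(self, environ, start_response):
        path = environ.get('PATH_INFO', '/')
        response = Response()
        for regex, cls in self.routes:
            match = regex.match(path)
            if match:
                cls(environ, response).dispatch(environ['REQUEST_METHOD'], match.groups())
                break
        else:
            response.status = '404 Not Found'
            response.write('no handler for ' + path)
        start_response(response.status, response.headers)
        return [response.body().encode('utf-8')]


class MainPage(RequestHandler):
    def get(self):
        self.response.write('Sup dogg?')


class FooPage(RequestHandler):
    def get(self):
        self.response.write('This is the foo page')


class UserPage(RequestHandler):
    # The captured group is passed to the verb method as a positional argument.
    def get(self, name):
        self.response.write('profile for ' + name)


app = WSGIApplication([
    ('/', MainPage),
    ('/foo', FooPage),
    (r'/user/(\w+)', UserPage),
])


def call(app, method, path):
    """Drive the app offline and return (status, body); no server needed."""
    environ = {'REQUEST_METHOD': method, 'PATH_INFO': path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers):
        captured['status'] = status

    body = b''.join(app(environ, start_response)).decode('utf-8')
    return captured['status'], body


if __name__ == '__main__':
    for method, path in [('GET', '/'), ('GET', '/user/alice'), ('POST', '/'), ('GET', '/nope')]:
        print(method, path, '->', call(app, method, path))
```

The same handler classes work unchanged under a real WSGI server; call() just builds the environ by hand so the routing can be exercised in a test.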

Django templating

Django has a really nice templating system. GAE lets you use it outside of the whole Django stack. This is cool. For example:

import os
from google.appengine.ext.webapp import template

# define some values to plug into the template
tpl_data = {
    'page_title':"This is an awesome page",
    'body':"Here's the page body, sucker"
    }

# get the template path, relative to this source file
path = os.path.join(os.path.dirname(__file__), 'index.html')

# render and output the template; Django templates of this era do not
# auto-escape, so apply the escape filter to any user-supplied value
self.response.out.write(template.render(path, tpl_data))

Here’s a super simple index.html template:

<html>
    <head>
        <title>{{ page_title.striptags }}</title>
    </head>
    <body>
        {{ body }}
    </body>
</html>

Google User Auth

Writing a user system is a pain. Making people set up new accounts to use your site is yet another barrier to experiencing your amazing new Google sellout project site. You could presumably do these things if you want in GAE, but most of the time that seems kinda stupid. GAE offers you very easy integration with Google user accounts, so you can use that as your authentication system. Since everyone and their mom has a Gmail account, it’s a pretty good bet many or most of your users will be able to skip account setup.

Pricing

GAE is free for your first 500MB of storage and “around” 5 million pageviews. That’s plenty to host a smallish app or do initial testing on something you want to get big (because big == profit, right?). If you push past that, the pricing is in-line with similar services from Amazon. That means it’s totally reasonable to set up an app just for goofing around and learning.

Python

Python is a cool language: easy to pick up and quite powerful. It doesn’t fit some tasks as well as PHP IMHO, but it does a ton of stuff well, and its large community means there is lots of support and library development. Some stuff it does really well includes:

  • Network programming (example)
  • Parsing HTML
  • Email parsing and manipulation
  • OS X scripting
  • String manipulation
  • Unit testing
  • Other stuff I probably don’t know about

AppEngineLauncher

Recently the GAE team released the Google App Engine Launcher, an app for OS X that handles launching the development server and deploying your app to Google’s servers. You can of course script all this stuff yourself on the command line, but for folks less comfortable with that, this is a godsend. I actually did use the CLI before, but I don’t touch it now because the GAEL is just so fly. Single-click deployment is especially awesome.

Leveraging Google’s Infrastructure

They gots some big computers, rite? You’d certainly think so, and they probably have better uptime than your $5 shared hosting account. We hope.

The lame

Datastore query limitations & primitive text search

The Datastore API is GAE’s database system. It has some similarities to traditional relational DBs like MySQL and PostgreSQL, but it is fundamentally different. It stores data objects as entities instead of rows, and properties instead of columns. Objects are described by model classes, defined in Python:

from google.appengine.ext import db

# each property declares the type (and constraints) of one entity attribute
class Page(db.Model):
    title = db.StringProperty(required=True)
    keywords = db.StringProperty()
    date_added = db.DateProperty(required=True)
    date_updated = db.DateProperty(required=True)
    body = db.StringProperty()

Models are to entities as classes are to objects, then (I think).

The object approach has some cool flexibility, like expando models that let you add arbitrary properties to entities (very unlike rows in a relational database).

You can do SQL-like queries against the Datastore with GQL. It’s a lot like SQL, but a lot more basic. In fact, this is a summary of the entire language:

SELECT * FROM <kind>
[WHERE <condition> [AND <condition> ...]]
[ORDER BY <property> [ASC | DESC] [, <property> [ASC | DESC] ...]]
[LIMIT [<offset>,]<count>]
[OFFSET <offset>]

<condition> := <property> {< | <= | > | >= | = | != } <value>
<condition> := <property> IN <list>
<condition> := ANCESTOR IS <entity or key>

This lets you do basic queries, but it’s missing a lot of powerful stuff present in SQL. Most notably there is no equivalent to the LIKE comparison operator. That means there is no way to do partial string matches!

Okay, so you can do kludgy prefix matching, and there is an as-yet undocumented whole-word search using the SearchableModel class, but those are primitive compared to the string matching capabilities in MySQL. Personally I would’ve thought that the search company would have given GAE really awesome text search capabilities out of the box, but for now folks have to roll their own hacks.

I guess now I have an idea of why Gmail’s search can’t match partial strings.
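The "kludgy prefix matching" mentioned above is worth spelling out, so here is an added example (my own code for this page, not part of the GAE SDK). The idiom is to replace LIKE 'P%' with two inequality filters, P <= prop < P + u'\ufffd', which the datastore can serve as one contiguous index range. The block builds that range, emits the GQL with the prefix passed as bound parameters rather than spliced into the query text, and emulates the index scan in memory so the behaviour can be checked offline. The function names and the identifier check on kind and property are this example's own; the \U0010FFFF sentinel is only for the in-memory comparison, not the datastore idiom.

```python
import bisect
import re

# The idiom App Engine developers used: every string that starts with P sorts
# in the half-open range [P, P + u'\ufffd'), so two inequality filters stand in
# for LIKE 'P%'. Names below (prefix_bounds, prefix_gql, scan_prefix) are this
# example's own.
DATASTORE_SENTINEL = u'\ufffd'
_IDENT = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')


def prefix_bounds(prefix, sentinel=DATASTORE_SENTINEL):
    """Return (low, high) with low <= s < high for every s starting with prefix."""
    if not prefix:
        raise ValueError('an empty prefix would match every entity')
    return prefix, prefix + sentinel


def prefix_gql(kind, prop):
    """GQL for the range. kind/prop are identifiers from code, never user input,
    and are checked; the prefix itself travels as bound parameters :1 and :2."""
    for ident in (kind, prop):
        if not _IDENT.match(ident):
            raise ValueError('bad identifier: %r' % ident)
    return 'SELECT * FROM %s WHERE %s >= :1 AND %s < :2' % (kind, prop, prop)


def scan_prefix(values, prefix, sentinel=DATASTORE_SENTINEL):
    """Emulate the datastore's index scan: a sorted index, one contiguous slice.

    Matching is case-sensitive, and with the \ufffd sentinel a value whose
    character after the prefix sorts above U+FFFD is missed (see the tests).
    """
    low, high = prefix_bounds(prefix, sentinel)
    index = sorted(values)
    return index[bisect.bisect_left(index, low):bisect.bisect_left(index, high)]


if __name__ == '__main__':
    # constructed sample data
    titles = ['Apple', 'ap', 'app', 'apple', 'appz', 'apricot', 'banana']
    print(prefix_gql('Page', 'title'), prefix_bounds('app'))
    print(scan_prefix(titles, 'app'))
```

Against the real datastore the two bounds would be passed to db.GqlQuery as the :1 and :2 parameters; the in-memory scan is there to show that the range really is equivalent to startswith() on sorted data, and where it is not.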

No “beginner” docs

GAE’s docs are aimed at experienced developers who have already built web apps. Most of it is reference, and it’s a little light on examples. If you’ve not used Python before, here’s the entire introduction from the GAE docs:

For more information about Python, see the Python website and the Python documentation.

I think Python is easy to pick up, but GAE doesn’t even bother pointing out some good tutorials for beginners. Compare this to The Django Book or The Definitive Guide to Symfony, both of which aren’t really for beginners, but do a good job of helping them get up to speed.


I’m early in my development experience with GAE, so this is by no means comprehensive. Google has already demonstrated that the GAE feature set will be growing, having introduced memcache and image manipulation APIs just a week ago. I’m sure the documentation will be improved and supplemented by third parties in short order, and the issues with text search will almost certainly be addressed soon – it’s an obvious deficiency.

For now, I’m having a lot of fun working with GAE. It’s a solid platform with a lot of promise, and it offers a lot of learning opportunities for folks who want to explore web app dev with Python.

Posted in Development, The Web Problem, Python, PHP by funkatron on 06/03 at 09:11 PM
(12) Comments

Sunday, June 01, 2008

Slides from php|tek 2008

Affleck, you the *bomb* in Phantoms yo!

After experiencing the inspiring atmosphere of php|tek 2008, I vowed to write a blog post a day to hone my writing skills.

Whoops!

Building Desktop RIAs with PHP, HTML & Javascript in AIR

Note: The ZIP on the php|tek 2008 site didn’t have the AIR code in it, so until that’s fixed I’m linking to my locally hosted copy.

Securing the PHP Environment with PHPSecInfo

Posted in PHPSecInfo, InfoSec, PHP by funkatron on 06/01 at 01:24 PM
(5) Comments

Tuesday, April 01, 2008

Encouraging steps towards security in Wordpress 2.5

Table Salt

Anyone who gets me liquored up knows that I’m not a fan of Wordpress. I think it’s great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don’t believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple of areas: password hashes and cookie data encryption. From the WP blog:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper, which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

These are good steps, and while I think they took way too long to happen, I’m glad they finally did. I do still feel that WP suffers from an architecture that makes it too easy to make input filtering mistakes, and I would strongly recommend a tool like WPIDS for all self-hosting Wordpress users.
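The two mechanisms in the quoted list, spelled out as an added example (my own code for this page, not WordPress’s or phpass’s): the cookie is built exactly as described, user name|expiration time|HMAC(user name|expiration time, k) with k = HMAC(user name|expiration time, sk), and checked with a constant-time comparison plus the expiry test; the password part uses PBKDF2 as a stand-in for phpass’s salt-and-stretch, since the point is the salted, iterated hash rather than phpass’s exact construction. The function names, SHA-256 and the iteration count are this example’s assumptions.

```python
import hashlib
import hmac
import os
import time

# Names here (make_cookie, verify_cookie, hash_password, verify_password) are
# this example's own; the HMAC layout follows the quoted description and the
# password functions use PBKDF2 as a stand-in for phpass's stretching.

SEP = '|'


def _message(user, expires):
    return ('%s%s%d' % (user, SEP, expires)).encode('utf-8')


def make_cookie(user, expires, secret_key):
    """Return user|expires|tag with tag = HMAC(user|expires, k), k = HMAC(user|expires, sk)."""
    if SEP in user:
        # a separator inside the name would make 'alice|9|x' ambiguous to parse
        raise ValueError('user name may not contain %r' % SEP)
    msg = _message(user, expires)
    k = hmac.new(secret_key, msg, hashlib.sha256).digest()
    tag = hmac.new(k, msg, hashlib.sha256).hexdigest()
    return '%s%s%d%s%s' % (user, SEP, expires, SEP, tag)


def verify_cookie(cookie, secret_key, now=None):
    """Return the user name for an authentic, unexpired cookie, else None."""
    now = time.time() if now is None else now
    parts = cookie.split(SEP)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, expires, tag = parts[0], int(parts[1]), parts[2]
    expected = make_cookie(user, expires, secret_key).rsplit(SEP, 1)[1]
    # constant-time compare first, then the expiry check on the now-trusted value
    if not hmac.compare_digest(expected, tag) or expires <= now:
        return None
    return user


def hash_password(password, iterations=100000, salt=None):
    """Salted, stretched hash stored as pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split('$')
    except ValueError:
        return False
    if algo != 'pbkdf2_sha256':
        return False
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == '__main__':
    sk = b'constructed-secret-key'          # constructed; real sk comes from config
    c = make_cookie('alice', int(time.time()) + 3600, sk)
    print(c, verify_cookie(c, sk))
    stored = hash_password('hunter2')
    print(stored, verify_password('hunter2', stored))
```

Because the per-cookie key k is derived from the server secret and the cookie's own user|expires fields, a tag lifted from one cookie cannot be reused with a different user name or a later expiry; both changes alter k and therefore the tag.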

Posted in InfoSec, PHP by funkatron on 04/01 at 02:15 PM
(3) Comments

Wednesday, March 19, 2008

Zend Studio for Eclipse and SFTPDrive not on speaking terms

Zend Studio for Eclipse can't see SFTPDrive mounts

Update: This seems to have fixed itself one night. Maybe I rebooted? Who knows. Anyway, all seems good now.


So I use SFTPDrive on my Vista workstation at work to mount remote filesystems. It generally works pretty well, and I’ve never had an issue where a program didn’t treat my mount as a local drive — until I decided to give upgrading to Zend Studio for Eclipse a go (licenses for which were generously donated to CERIAS by Zend). For some reason, ZSfE just doesn’t show me my “k:” drive (the SFTP mount) when browsing for a project directory. This throws a real wrench in my usual workflow — ZS 5.5 had built-in SFTP support, and I could also use the local mount if I wanted.

I did look in Zend’s Support KB and the forums, but did not come across anything like this. Have you? Any alternatives for directly connecting and editing over SFTP?

Posted in PHP by funkatron on 03/19 at 10:40 AM
(5) Comments

Wednesday, March 12, 2008

Notes on SXSW2008

Passive-aggressive

The experience of SXSW

  • Unlike other conferences I’ve been to, which were mostly tech confs, SXSWi is not about nuts and bolts — it’s about higher level issues of people using technology
    • A couple exceptions, like the Secrets of JavaScript Libraries. This was good, and I’d like to see more like this. I don’t expect hardcore advanced code talks, but good intro-level stuff would go a long way, I think.
  • At most confs I attend, I’m the “weird” dude, with my earrings and black t-shirts. At SXSW I’m another asshole with a fauxhawk.
  • Way, way, way more women at SXSWi than any tech conf. Someone on a panel I attended complained that the % of females has been going down at SXSWi, and I’d guess it’s maybe 35-40% female. At most of the tech conferences I go to, it’s 5-10% female, tops.
  • Despite the fact that web apps are one of the primary points of attack for malicious users, security was really not talked about much at SXSW (although I heard there was some in the OpenID panel). This was disappointing. People running web apps are the stewards of their users’ security and privacy, a responsibility not to be taken lightly. I’d wager under 20% of attendees and panelists could describe basic techniques for architecting software with security in mind (but I hope it’s higher). Definitely need to propose a panel for 2009.

The culture of Austin

  • People really do seem more hospitable. Locals will ask a stranger how their night’s going. This is pleasant, but a little weird for a yanqui when it happens in the men’s room.
  • Austin embraces being different. They like it, from the top down. This is so unlike most other communities.
  • Austin doesn’t feel like a big city. It has some big, cool buildings, but you’ll see flop houses a couple blocks away.
  • Closest thing I’ve experienced to Austin is Portland. I think PDX has better public transportation. Austin’s weather doesn’t cause city-wide suicide watches, though.

Other tidbits

Introduced Clint Ecker to Jason Perkins, both Chicago-based web devs. They discovered that they work literally next door to one another.


Had lunch with Jason Perkins and the rest of the Pixish crew. Surprisingly was not mocked incessantly for not using Rails. They’re good peeps, and Pixish is a cool site.


I wonder how far the Zuckerberg “keynote” set back female journalism. That’s a hara-kiri situation right there.


If you are unwilling to say to someone’s face what you say in your little gadget (or otherwise) blog, you need to shut up. Stop being a punk.


I was really happy to see ExpressionEngine and CodeIgniter represented as strongly as they were at SXSW. I still feel strongly that EE is the strongest CMS product in its market (which includes Drupal, Joomla, Wordpress and the like), and the improvements in EE2.0’s administration system will increase productivity considerably.


Holy shit, I have never seen as many iPhones as I did there. And it’s taking some effort on my part to not go get one now. I could have left my laptop in the hotel room if I’d had one, which would have reduced my fatigue considerably. Since I am doing about 4 conferences a year, it’s starting to make more sense. I’m making myself wait for a new hardware revision, though (and I really can’t afford one atm).


The panel on the success of icanhascheezburger.com was interesting, and I think underlines that luck is a (the?) key component for almost all of these rags-to-riches stories.


Being with someone — or a small group — seems key to me. I think I would have enjoyed SXSWi a lot less if I was not able to always count on the two friends I was with.


Do not be afraid to come up and talk to people. It’s hard for me to do, but I was always glad I did. I got to meet old internet-only friends like Violet Blue because of this (so glad I did!). I also got a hug from Halcyon, which was awesome — more dudes should be down with hugs.


Meeting Alex Payne was another highlight of SXSW for me. What a great guy; I wish we’d had more time to hang and talk. And there were so many others, like Derek Allard, Jonathan Snook, Ken Fisher (thanks again for dinner Monday night), Thomas Myer, C. Eric Smith, Obie Fernandez (I wish he’d written Rails), Stephanie Booth, and many others whom I’m too forgetful to remember at the moment.


Frank Warren’s keynote on his PostSecret project was the highlight of SXSW for me. It was funny, tragic, inspiring, and compelling. One could not help but be inspired, as exemplified by the man who asked his love to marry him in front of the entire audience. Technology empowering us to express ourselves, communicate, and aid one another is so much of what the last few years in web dev has been about, and we would do well to follow the example set by Frank Warren.


Oh hell yes I’m coming back next year

Posted in Development, InfoSec, Design, PHP by funkatron on 03/12 at 09:36 PM
(5) Comments