One crucial thing that came up was the reasoning behind rejecting an email address that the user enters into the form. It boils down to wanting or needing to be able to contact the user at a later time. A very common case is account recovery. If a user loses their password, and you don’t have any way of contacting them, they’re probably stuffed. If you can tell them as quickly as possible that what they’ve entered doesn’t look right, then you’re going to save a lot of bother.

A few people commented that they often get less technically savvy users entering all kinds of incorrect things, ranging from just the local part (or conversely just the domain) of their email address to their desired user name on the service they’re trying  to register with. Given that this sort of thing goes on, validating that an email address is composed of an “@” symbol with some characters on either side is sensible (of course, you should still send a validation email if you want to make sure you’re being given correct data).

As for using such validation to prevent fake account creation, it’s trivially bypassed. If I’m working for nasty-corporation.com and want to sign up a bunch of accounts on your site to post loads of spam, I’m probably going to be able to generate email addresses, or better still create valid addresses on my domain to register an account. As annoying as they can be, some form of Captcha is better for this (preferably one with an audio alternative to the picture, for accessibility reasons), and doesn’t rely on spammers being totally incompetent.

Just one more thing, I know the comment system built into WordPress does a poor job of all this. More than a few of you were good enough to point it out. I’m switching away from the default one soon anyway.

I really started to notice this when I began to use the disposable addresses system that Gmail provides. Any mail sent to <youraddress>+<some_other_string>@gmail.com arrives in the Gmail inbox for <youraddress>@gmail.com. This is quite handy, and I personally use it for automatically tagging email I receive. For instance, for any email related to unicorns, I’d simply enter “<myaddress>+unicorns@gmail.com” on the sign-up form, and my mail filters would automatically tag all mail sent to that address for me (as an aside, these don’t really work as “proper” disposable email addresses as it’s easy to just strip everything after the “+” character in the local part of the address, and get the proper address). Sounds great, right? Well it is, until half of the internet fails at email address validation and rejects it.

The problem is that the email address specification allows for far more than most programmers expect it to. For instance, things like ” ! $ & * – = ^ ` | ~ # % ‘ + / ? _ { } ” are all valid, along with a whole bunch of others (even “@” if you quote or escape it). Some of these are a tad silly. Using another “@” sign by escaping, for instance, is just confusing, and is probably only used by sociopaths. Reject some of those others however, and you’ll start to annoy your users.

I was recently at a talk given by Andrew Godwin at FOSDEM. In that he mentioned a problem Django ran into, where their regular expression used for email validation would hang on long input (scratch that, I think this is the bug he mentioned, that other one is hideously old). After some head scratching, they came up with an improved regular expression, which didn’t have the issue. I’m not sure that either solution actually validates according to the specification though, and if the validation falls on the side of being too strict, it’s probably out there irritating people right now. As a fun aside Perl’s Mail::RFC822::Address module gives you a glimpse at a regular expression that actually follows the specification from RFC822.

Even the best validation is only going to get you a syntactically correct email address, with no guarantee that it actually exists. If you want to know that you’re being given a valid address, send it an email and have the user click a validation link in it, and stop annoying your users!

EDIT: I wrote a little follow up article on some of the points raised by commenters.

First off, you need to grab the latest stable binary from http://httpd.apache.org/download.cgi (at the time of writing, it’s version 2.2 that you want, specifically 2.2.16). I chose to get the one which includes OpenSSL (which you’ll need if you want to test serving secure content). Once you’ve got that, run through the install wizard. In terms of which options to choose during it, I went with installing the server as a service so it started up with Windows. Also, I chose to customise the install and selected to install all features (as opposed to taking just the typical ones). This is almost certainly unnecessary, but I did it just to make sure I wasn’t missing anything I needed.

Something to note throughout this guide is that after any change to the config files you must reload the server. The installer will have added an icon to your notification area which will allow you to do this.

The config files are located in <your_install_directory)\conf\. In some areas, the config files dependant on your installation directory, which can differ (for instance, if using a 32 bit operating system, you won’t have things installed in “Program Files (x86)”).

Notation used throughout the guide

The use of “->” denotes before and after of each line changed (before on the left, after on the right).Anything which is for the user to decide is given between angular brackets. In code blocks, “#” is used for any comments (just as it is within the config files).

Basic Setup

To get Apache just serving content from its htdocs folder (which is located in the installation folder) requires the least configuration. To achieve this, just make the following changes to the defaults in the config file.

In httpd.conf:

Listen 80 -> Listen <Number Of Port To Run Web Server On>
#ServerName localhost:80 -> ServerName localhost:<Number Of Port To Run Web Server On>

At this point, you should be able to navigate to http://localhost:<Number Of Port To Run Web Server On> and see a page confirming that you’ve set it up correctly (or your own index.html if you’ve replaced the one that’s in the htdocs folder by default).

Add setup for user directories

Adding the necessary config for user directories means that each user account you have on your machine will have a directory that they can place files in to be served by Apache.

In httpd.conf:

#LoadModule userdir_module modules/mod_userdir.so -> LoadModule userdir_module modules/mod_userdir.so
#Include conf/extra/httpd-userdir.conf -> Include conf/extra/httpd-userdir.conf

You should now be able to navigate to http://localhost:<Number Of Port To Run Web Server On>/~<user>/ and view any content that the user places in their website directory (by default “My Documents\My Website”). You can change which directories are used as user directories by editing conf\extra\httpd-userdir.conf in the Apache installation folder.

Add setup for virtual hosts (also known as vhosts)

Virtual hosts are more useful in a development (and in most production contexts) context than user directories. They allow you to specify a folder which Apache should serve from when receiving a request on a given domain/subdomain. They also allow you to specify some settings specific to that virtual host, such as a custom log file to use (rather than just putting everything in the default log file).

In httpd.conf:

#LoadModule vhost_alias_module modules/mod_vhost_alias.so -> LoadModule vhost_alias_module modules/mod_vhost_alias.so
#Include conf/extra/httpd-vhosts.conf -> Include conf/extra/httpd-vhosts.conf

In httpd-vhosts.conf:

NameVirtualHost *:80 -> NameVirtualHost *:<Number Of Port To Run Web Server On>
# Delete the two existing VirtualHost entries, and add your own following this template.
<VirtualHost *:<Number Of Port To Run Web Server On>>
 ServerAdmin <yourname>@localhost
 DocumentRoot "<drive_letter>:/path/to/your/website"
 ServerName <subdomain>.localhost
 ServerAlias <subdomain>.localhost
 <Directory "<drive_letter>:/path/to/your/website">
  Options Indexes FollowSymLinks Includes ExecCGI
  AllowOverride All
  Order allow,deny
  Allow from all
 </Directory>
 ErrorLog "logs/<subdomain>.localhost-error.log"
 CustomLog "logs/<subdomain>.localhost-access.log" common
</VirtualHost>

One thing to note with a vhost, is that you’ll need to add an entry to your hosts file for the each subdomain you use, so that the domain still resolves to localhost (at least, I found that without this, it the domains didn’t resolve). To do this, simply open C:\Windows\System32\drivers\etc\hosts and add a line that looks like:

127.0.0.1 <subdomain>.localhost

With that done, you should have it all working, and should be able to visit any of your virtual host sites at http://<subdomain>.localhost:<Number Of Port To Run Web Server On>/. If it’s not, please leave a comment as I could well have missed something crucial out (though I think I’ve covered everything, as this guide was produced by diffing my working config files against the original ones).

Things to watch out for

• In Apache’s config files, forward slashes are used in paths, as opposed to the backslashes you’d usually use on Windows.
• You’re probably best running this on something other than port 80. One thing that many people get caught out by is trying to do this on a machine which also has Skype running on it (not too unlikely on a home dev machine), which it turns out binds to port 80. To work around this, either disable this option within Skype (I recommend doing this), or run the web server on a different port. The option to disable is in Tools -> Options -> Advanced -> Connection -> Untick the checkbox “Use port 80 and 443 as alternatives for incoming connections”.
• Make sure you reload/restart the server after any config file change. This is a required step, and without it your changes will be ignored.

What has happened here is a complete misunderstanding. Following the main example from that post (though it’s completely true of other services which Buzz can import from) Google Buzz will only display shared Google Reader items and comments that you publicly share. If these are private, then Google Buzz isn’t going to ruin your day and wave them around publicly.

To top this off, within Buzz there is actually a link (under Connected Sites, select Edit next to the Sharing With column) which takes you straight to the privacy options page, where you can go back and fix your earlier mistake of not correctly choosing your privacy settings. I’d actually say that, far from revealing your private data, Google have done a reasonable job of letting you protect your privacy in this case.

The hype that this has generated is rather saddening, and a reminder that people are all too quick to jump on the bandwagon. The author has posted a follow up, with a bit more explanation and as it turns out, a confirmation from Google of what I have focused on here (though this doesn’t have too much attention brought to it).

If you care about the story not being spoiled you may want to avert your eyes. The game starts with you being plonked down on a roof somewhere in some city where the graphical bloom goes up to 11 and stays there at all times. You’re taught your repertoire of jumping and fighting techniques in one go, god forbid you should forget them, and then launched into the game. The story is set in your regulation future dystopia, where the police are evil, the government are evil and concrete blocks are extremely springy. You’re not really given too much motivation to hate the government; you just take the game’s word for it and set about acting like a royal prick with a poorly explained briefcase fetish.

Sadly, the game play doesn’t even come close to making up for the plot. There is one route, and only one route, and any deviation from it will result in crunchy death as you faceplant into the pavement. Most of the time this route is helpfully painted red, but the game occasionally decides you’re more competent than that and lets you decide what to do. Don’t be fooled though, there’s one path, and any attempt at creativity will be duly rewarded with death.

Linearity aside, the game still manages to produce an unnecessarily frustrating experience. Every time you grab an object or ledge, you’re treated to a face full of concrete and have to stop and move the camera around, breaking the flow of the game. This, teamed up with the loss of momentum every time you jump over anything higher than a cinder block, caused a steady feeling of rage which didn’t really subside at any point in the game.

The lack of choice in paths reared its ugly head more than once during the game, but one incident stuck out more than the others. In a section in chapter 7 the character is running on top of some ventilation shafts and some pipes are highlighted red on the other side of the room. I spent a good half hour wall running along the wall that headed directly to them, only to be left disappointed at the game’s edge detection and plummeting to an inevitable death. It turned out that I was meant to run along a wall parallel to what I was aiming at and make possibly the most hilarious jump ever to reach the bars.

The edge detection was a constant annoyance. At times it seemed like the protagonist simply wasn’t trying, but as soon as a bit of concrete turned red it may as well have been a fucking spring board. The net result is that you only go where the game wants you to go, no matter what incredible leap that may involve. Occasionally it will even help you when you don’t jump far enough, and you’ll end up performing a mid air vault for a pipe or ledge.

Overall, I’m confounded as to why people recommended this game so highly. While it’s a nice concept, it’s totally marred by a lack of polish (no, not bloom, there’s enough of that) in the execution. Bring on the release of Assassin’s Creed II on a real platform.

The iPad though, leaves a lot to be desired. It seems like Apple have produced an enlarged version of the iPhone (but not a phone, so really more like an iPod Touch), without applying significant work to it. It suffers the same issues as the iPhone, those being:

• A total lack of multitasking. Running applications in the background is not a new concept, and failing to provide such functionality seems like a massive step backwards. I’ve felt this about the iPhone for a while and it seems even more crippling for a device which truthfully should provide more.
• No camera included. While it’s obvious that this device isn’t for taking photos, I don’t understand why it doesn’t have a small, integrated webcam on the front. Being able to make video calls on, for instance, Skype seems like a reasonably sensible use-case for this device.
• Lack of a hardware keyboard. This is a more debatable point, but to me it makes little sense. With a device of this size I don’t envisage that an on screen keyboard would be pleasant to use. Selling a keyboard dock isn’t really a solution as you’re just increasing the amount of clutter that you have to carry with you to use the device as you want to.

I’m left not really knowing who this product is aimed at. Which group of people want a larger iPhone whose main advantages are negated by dodgy design decisions? It seems more  like they’re simply riding the wave of success which means that people will end up buying them simply because it’s the latest thing to emerge from the shinies factory.

My second gripe (and only other so far) is the ridiculous way that account security is handled. Something which is probably never an issue for most people just went straight to the top of my list. It turns out that if you forget the answer to the security question on your account there is no way to change it. That’s correct, even as an authenticated user you can’t change this setting. In itself I wouldn’t have cared about this. I’m not a moron, I can remember my password (although apparently not my secret answer, yes I do appreciate the irony in this). However, in their infinite wisdom they have decided to require this answer to change the email address associated with the account. This leaves me in a rather crappy situation. My account is associated to an email address that I’m trying to move away from and I’m being denied the option to do so.

What infuriated me at this point was the response I received to my support request. It contained the following: “The problem you were experiencing is now resolved and you should be able to use all the features of your account now.” For some terrible reason this got my hopes up, but it turns out it was some canned bullshit. The website has not been changed to allow this, and I’m still in the same predicament. I’ve sent a reply, but I don’t hold a great deal of hope for it getting a proper response. If it carries on like this I’ll give them a call and see if their phone support is any better.

I’ll write more when there’s some advance in the situation, but for now it’s a case of waiting.

http://www.herod.net/dypm/ to download it (comes with full setup instructions). Also yes, I am tempted to “sed s/math/maths/” the source.

EDIT 22/07/2009: Turns out it does something else to annoy me. The box moves itself about if you turn Javascript on/off, looks like someone decided it was okay to fix the layout with the *worst method  ever* (yes, this problem does override the Enlgish language pedantry from before).

While playing around trying to make this work I did find out about the giant goodie bag of awesome that is the unix find utility. In this case I was using it to change permissions on certain groups of files/directories, and some useful examples are given below. I sense it might come into play a fair bit now and might have some uses I’ve not thought of.

Before I set off with this one I’m going to issue a few warnings:

• Your distribution (if you are hosting this on a Linux machine) may have a package for WordPress which makes for a much easier install, and (going with the example of Debian) receives quick, convenient updates through the package manager.
• You should be familiar with the Linux system including File Permissions, the Apache Web Server, and various other tools.
• If you get the permissions wrong as I did you can end up letting the world see your config files which include your database credentials and the keys you generate during the setup.

Those issues aside the set up process is relatively simple. As I’m using Debian (stable, which is Lenny at the time of writing) I may make references to Debian specific things such as the package manager apt. Let’s get cracking then.

First, you’re going to want to install all the relevant modules (run this as root):

apt-get install apache2 php5 mysql-server libapache2-mod-suphp

With those installed you’re able to get going with your basic WordPress installation. I’m not going to duplicate WordPress’s installation guide as that would be completely pointless, so here it is:

http://codex.wordpress.org/Installing_WordPress#Detailed_Instructions

Once you’ve got WordPress unpacked (I personally chose to set it up in my home directory ~/wordpress/ and add a vhost config in Apache’s sites-available with the appropriate directory as the DocumentRoot, there are plenty of guides for this if you do a quick search) you should set about fixing its permissions. For this I chose to use the Linux find program. I don’t guarantee that this is the complete set of commands and you should probably check through the installation thoroughly in case I missed one out (I managed to do one of these quite incorrectly initially so I spent a while sorting out the mess I’d caused).

find ~/wordpress/ -type d -exec chmod 755 {} \;
find ~/wordpress/ -type f -exec chmod 644 {} \;
find ~/wordpress/ -type f -name "*.php" -exec chmod 600 {} \;

Having followed the WordPress installation guide you should have a working database (I sort of recommend phpmyadmin for this, especially if you want to do this in a GUI) and configuration. Now for the important part. You need to configure suPHP, and to be honest this is almost completely trivial.  First enable the module:

a2enmod suphp

Then edit the suphp config file at /etc/suphp/suphp.conf so that it contains either the line:

check_vhost_docroot=true

or the line:

docroot=/path/to/your/docroot/

The first will allow suPHP to run anywhere you define a DocumentRoot in your Apache vhost, the latter will allow you to point suPHP to a specified DocumentRoot.

Finally, you need to edit your apache2.conf (found in /etc/apache2/) to turn off the standard apache mod_php. I personally use the following config as I have no use for mod_php within /home (however if you do you may want to swap php_admin_flag for php_flag so that you can enable the module for other php sites you’re hosting):

<Directory /home>
 php_admin_flag engine off
</Directory>

<Directory /home>
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-php
suPHP_Engine on
</Directory>

That should do the job! If I’ve missed any hilariously crucial stage out then please slap me in a comment so I can add it in.

EDIT (27/05/2009): I probably should have actually explained what suPHP does. All it means is that any PHP files are executed as their owner. In my case the main benefit of this is that the config file doesn’t need to be readable to anyone but myself. Possibly a greater advantage, and one which becomes immediately apparent in a shared hosting environment, is that the PHP files are only executed with the permissions of the user. This means that as long as you’ve got sensible limitations in place on the user anyway, they shouldn’t be able to cause any more damage than they could from their shell (and there you can probably see the advantage of the php_admin_flag which they cannot override).