Many folks have complained since I took down the forum that was up for the support of gCards. Now, I’ve got a new forum up, this one powered by Vanilla. Hopefully it’ll do a bit better than the last one.

Check it out

A reader posted some comments on my blog this morning, pointing me to a website listing some security vulnerabilities in gCards and also to the fact that this had been exploited on my website! Not good, not good. I’ve fixed these problems and posted gCards 1.46 – you can download it at the regular location.

If you’re using gCards (any version), you must upgrade to this version or you risk someone gaining control of your site and executing arbitrary code.

The challenge with me for gCards is that I wrote it so long ago and it’s such a big mess of spaghetti code, that it’s difficult for me to confidently say how secure it is. I would rewrite it from scratch, but that requires a bunch of time, and there’s so much built into it already to handle the complexities on running in so many different PHP environments. If anyone hears of any other security vulnerabilities or finds any, please let me know…

I just uploaded gCards version 1.45 – you can get it here. This should hopefully fix all of the issues people had with the authentication. Basically when it was written I used a mySQL specific function called ‘password’ for creation of and validation of the users password. MySQL changed this in one of there versions – 4.x I think, so anyone using newer versions of mySQL couldn’t quite login to the application. I’ve updated gCards to store the password as an md5 hash of the real password, so that should hopefully stand the test of time, as its not specific to any mySQL version…

For users upgrading…it is very important to note that upon running the setup.php file, all passwords will be set to the same as the username. For example, if i had gCards 1.44 with a username of bobbyjoe and a password of schweenard, after running setup.php I would login with bobbyjoe/bobbyjoe. Makes sense?

I did very minimal testing, but it all seems to work just fine on my home computer and at my web host (which runs mySQL 5). Let me know here if you find any problems.

Enjoy

Greg

I just posted up a new release of gCards, the PHP ecard script I wrote about a year and a half ago. I haven’t done a good job at all of fixing bugs over the last year and I have all but stopped reading the forums, but the application – aside from the major news bug (which was actually a small fix) – is very stable now.

I started gCards as a project to learn how to write a PHP app. I wanted to have some background in programming – I work at an enterprise software company as a product manager. In this job I spend about half of my time working directly with engineers. I thought it would be useful to get a better understanding of the issues of design and implementation of software. I bought a PHP book and started reading it, but I quickly got bored running through the chapters and decided it would be better to make a little project for myself that would give me exposure to a wide variety of aspects of PHP programming. I decided on an ecard application because:

• I like photography and I had a very lame ecard page up on my site – I forget now which script I was using
• An ecard script would need to involve the following technologies
  • Database to store the card information and the sent cards
  • Image resizing to create thumbnails
  • Security to prevent public access to the admin interface
  • Dynamic front-end pulling information from the database
  • Creating and sending dynamic emails
• It was more fun the reading through the book

So I started working on it and quickly had something up quickly. I had used a couple scripts which I had found on hotscripts so I figured it would only be fair to post my completed effort on the site for others to use. I never really expected people to download it and use it. In the first couple days, several hundred people downloaded the application. It was very rough around the edges and many people reported bugs which I dutifly fixed, all the while learning how to write a PHP app.

In addition to bugs, people were asking about features. My goal had been to create a simple and dynamic PHP script for my website, so I tried to stick with that goal – I only wanted to implement features that made sense for me and that would keep the script simple. So I added things like WYSWIG (first HTMLArea then FCKeditor) editors for writing. A couple other things I didn’t need for my site I decided to add – one example was internationalization – gCards has been translated into more than 20 languages.

Since I first created gCards, I have created several other applications:

• A enhancement database, customer database, and several other internal applications for Selectica, the enterprise software company I work for
• The backed for both the intranet and website of Selectica
• A website for my friend Michael’s band, Boys on Trial
• A website for Kiesandahl and Calhoun, a fine art gallery in New York
• A document / file management application
• A blog for my brother, that I used at his site
• Mailing list management for my mom’s company, Redstone Studios

Over the course of this work, my skillz have increased quite a bit, and now I find it difficult to wade through the hackish code that gCards is comprised of. It works, but it isn’t a very nice application from the code perspective. PHP, HTML, and SQL are intermixed with no separation between data and logic. If I wrote the same application now it would be OOP and it customization of the user interface would be a much cleaner thing. I don’t have enough time to rewrite it…between work, travel, and entertaining my girlfriend…I don’t have much time for gCards.

I think that the most important reason for the (relative) success of gCards was it’s ease of use. Too much open source software is difficult to install, use, or understand. It’s not the most beautiful application, but it’s much better than most of the competition. As a product manager at my company it is my job to design usable software that accomplishes its goals. That’s what I tried to do with gCards. So despite it’s hackish origins and it’s moderately ugly looking code, I think gCards was redeemed by it’s ‘keeping it simple’ approach. I hope people like using it, and I plan to continue to fix bugs whenever I have the time…but that time is few and far between.

The beauty of open source software, of course, is that the source is out there for everyone to see. So if there’s something you want to add, or a fix that you think needs fixing…..fix away!

Thanks for reading this completely incomprehensible post!