Paul Hinks' Blog

We have been evaluating cs-cart as a replacement shopping cart on our store front. It has more features than Actinic, our current solution; it seems generally more flexible and configurable; and it isn’t tied to Windows. We installed a store based on a beta release of the forthcoming 2.0 version, did a lot of data and design migration, and all was going well. Until yesterday when I tried to log into the admin area and found I was locked out. A little investigation revealed the site had been hacked from Russia using an apparently well known SQL injection hack. I replayed it myself and got a nicely formatted list of user names and password hashes in the product description area. I thought the admin password was strong enough to resist a hash lookup attack, but apparently it took him just 9 minutes to figure out the password and log in.
A post to the cs-cart forum was met with the response that the sql injection attack was well known, and that was it. Studied indifference. I still like cs-cart but this attitude worries me. I am going to modify the password code on my copy to incorporate a salt into the password, and I may make some other changes to make my password generation different from the standard. I may even package up an add-on for other users. But if any other such blatant insecurities come to light we will be looking elsewhere for our shopping cart software.

A while ago I posted that I’d tried Ruby and didn’t like it, thanks very much. But I’ve been back and tried it again and it’s beginning to grow on me.

To be honest, going back to Java was a little hard. It was a bit like going back to C++ after working in Java – it suddenly takes a lot of code to do something very simple. So I admit it’s true – Ruby does get a lot more done with less lines of code. The major problem I had with using Ruby was really Rails – it’s attitude is do it my way or don’t do it and I didn’t want to do it its way. I have another project now to prototype a simple cloud API, the only requirement was that it should be REST-ful and it would be good if it was in Ruby. So I did some googling and discovered Sinatra, a very lightweight framework that seems to have been designed specifically for writing REST-ful APIs in Ruby. And it is very cool. I don’t find the framework getting in the way at all – I just define the http action and URL and it handles directing the request to my code and then promptly gets out of the way. I intend to post the code to my prototype as soon as it’s presentable, but for anyone with a development background in Java thinking about dipping a toe into the world of Ruby I heartily recommend Sinatra as a starting point. Unfortunately I don’t see any easy solution for the performance issues I mentioned.