mark.watero.us

WordPress stuff, a statistics plugin, and jello

Articles found for the word ‘upgrade’

HTML Entities bugfix 0.7.2

As I was writing my kStats introductory post for 0.7.1 I concurrently received a bug report which should be fixed now.

The problem was with the htmlentities() php function I was using — all information coming from the database should be trustworthy, due to sanitization on the way in. However I figured it couldn’t hurt to wrap it on the way out again, and make sure on both sides of the equation.

Since PHP 5.2.3 htmlentities() has allowed for a fourth argument, which if set to false won’t encode already encoded html entities. By running this on data to be displayed I figured it would help catch any mistakes that slipped by on the way in and ensure no malicious javascript could be injected into your dashboard. The problem is I forgot to read the changelog on the function and didn’t realize at first that it was only available on 5.2.3 and up, causing an error to be displayed for anybody running an earlier version.

The wrapper has been updated with a version check. If you’re running 5.2.3 and up it runs with the flag set. If you’re running an earlier version, it simply decodes the string first then encodes it again to make sure all html entities are caught.
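
A wrapper of the kind described above could look like the following. This is an added example, not the plugin's own code; the function name `example_escape_output` and the sample strings are hypothetical.

```php
<?php
// Added example: function name and sample data are hypothetical,
// not taken from kStats.

/**
 * Encode a stored value for HTML output without double-encoding
 * entities that were already encoded on the way into the database.
 */
function example_escape_output($value)
{
    if (version_compare(PHP_VERSION, '5.2.3', '>=')) {
        // Fourth argument (double_encode) set to false:
        // existing entities are left alone, everything else is encoded.
        return htmlentities($value, ENT_QUOTES, 'UTF-8', false);
    }

    // Older PHP: a fourth argument is not accepted, so decode once
    // and then encode the whole string.
    $decoded = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
    return htmlentities($decoded, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values, as they might come back from the database.
$samples = array(
    'Mozilla/5.0 &lt;script&gt;x&lt;/script&gt;', // encoded on the way in
    'Mozilla/5.0 <script>x</script>',             // slipped past input sanitization
    'http://example.com/?a=1&b="x"',              // raw ampersand and quotes
);

foreach ($samples as $raw) {
    // No line contains a raw "<", ">" or double quote after escaping,
    // and the already-encoded row is not encoded a second time.
    echo example_escape_output($raw), "\n";
}
```

`ENT_QUOTES` and an explicit charset are used in both branches so the result is also safe inside quoted attribute values and does not depend on the PHP version's default encoding.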

Remember to upgrade your copy of PHP, or harass your sysadmin to do so for you! Not just to cover my blind spots (though it doesn’t hurt!) but for the sake of your own security. Keep up to date. (Disclaimer: I realize this responsibility is most often supposed to be that of the host. Hosts, despite providing otherwise exceptional service, can be dinosaurs when it comes to upgrading. Harass them.)

Thanks for catching that one Jake.

Written by mark

December 2nd, 2009 at 8:03 pm

Posted in Plugins, kStats Reloaded

Asynchronous and kStats; delivering fast statistics

I don’t know why, but this blog has been really hard to write. Could be the fact that I’m still extremely sore from ripping the garage apart and cleaning it top to bottom, or the fact that I’m bummed out about my new intake for my car not being in the mail today, but I just don’t find writing easy at the moment. So I’ll just try and spit it out, and eventually it will get lost in my archives anyways…

What’s new in 0.7.1?

You won’t notice any major visual changes or fancy new features in this release. I fixed a possible vulnerability in the way that some of the data was stored and retrieved and added a new opt-in program which benefits the plugin and another program, both of which I’ll go into further detail on below.

I did however bump up the versioning from 0.6.x to 0.7.x because there’s something new going on behind the scenes that will be a long term benefit to kStats and the people who use it on their blogs.

The Old Way

The aggregate is tripped every night by somebody visiting your web site. Long story short, this would be better accomplished via a cron process run directly off the server, but due to the nature of plugins and WordPress, expecting a user to set such a thing up just to use kStats would be asking a little too much.

When the aggregate was tripped, previous to this release, the process would run fast as fast can be and sort your data from the raw table into the separate totals and charts tables. This of course allows kStats to run faster on a regular basis, and store more information with a much smaller footprint than its predecessor did. The pitfall was that the poor sap who tripped the process had to wait anywhere from 1-3 seconds extra for their page to load (possibly even longer on high traffic web sites).

In this age of broadband expectations, 3 seconds is an eternity.

The New Way

kStats now uses what is called an Asynchronous HTTP Request to run the aggregate. When the scheduled time comes, kStats fires off an HTTP request to an interface that runs the whole process in the background. This means that poor sap we were talking about above no longer notices a delay in their page load, no matter what the size of your database is or how much traffic you’re getting.

I promised when I started this project that the primary focus, regardless of features and capabilities, was to bring you the fastest plugin I could. I believe this update goes a long way to solidifying the groundwork of that promise.

Odds and Ends

There’s a new opt-in program that can be found on the Options page under the Definitions Utility – while I’m still looking for a more reliable Geolocation API (hint, hint), the user agent facility (determining OS, Browser, etc) is powered by the API provided by user-agent-string.info.

Should you choose to participate, what happens is when kStats stumbles across a user agent it can’t identify, it will immediately fire it off to user-agent-string.info so that they can identify it and include it in the next update of their API. The more user agents we can identify, the more accurate the process will be in determining exactly what people are using when they visit your site.

In addition, a possible security vulnerability has been closed up in the way that some data was being stored and returned from the database. The upgrade process will clean your current database and all information entered from now on is completely verified and sanitized. Please note that this was not an SQL injection vulnerability but instead a much smaller XSS vulnerability.

Written by mark

December 2nd, 2009 at 7:19 pm

Over half way there, kStats Reloaded v0.6.0

I have to stop making changes to the user interface. Every time I’m about ready to tag a new release of kStats, I finish checking in the last of the files to Trunk, and just as I start typing svn cp trunk tags/x.x.x… Oops, forgot the new screenshots.

Would it be funny if I just left the screenshots from 0.1.0 up forever?

The path to stable

So far I’ve been managing to hit all of my goals, even surpassing a few during the beta period of kStats. I fubbed up the nightly aggregates for the first little bit, until I realized half my problem was my attempt to reinvent my own wheel. The other half fell under the same umbrella, I was just making things complicated that could have been simplified. Once I crested that hill, things started falling into place.

Written by mark

November 23rd, 2009 at 10:24 pm

Posted in Plugins, kStats Reloaded

kStats 0.4.6 – statistics reloaded

It’s been a little while longer since my last release than I had anticipated, so once again I’ve made myself feel a little rushed on getting this out there.

There’s not a whole lot of fancy new stuff here, mostly bug fixes and some minor upgrades to the interface to allow for a little more user customization. One of the biggest changes you may note is how the statistics overview is organized. There are four new color-coded dialogs at the top which display the all time total for each area of interest (visitors, pageviews, spiders, etc) alongside the daily current total.

By removing this from the table, I’ve cleared up some room to include the last few months’ aggregate data, but chose to continue displaying today’s and yesterday’s information here as well. Eventually the totals may be split up by months and days in two separate tables, but for now I decided to focus on the monthly data here, while letting the bar chart handle the majority of the daily totals.

New Options

You now have more control over how many recent hits kStats will display. It defaults to 20, though you can set it up anywhere as high as 500.

The ignore list is now configurable through the administrative options page. The old way of directly editing the ignore.dat definitions file seemed too obscure and this allows for much easier control.

Top 20 Charts

The top 20 charts are no longer displayed side by side, to accommodate smaller monitors with less room to try and fit all that information. In addition, you can now select the ‘view all’ option to see all the stored information for each area.

Feedback, as always…

…is appreciated! I’d like to know what changes you like, any that you don’t, and suggestions for future releases.

Somehow my schedule has gone from ‘late night’ to ‘senior citizen’ in the past couple weeks, and I’m about ready to pass out, so I’ll check my grammar in the morning.

Written by mark

November 14th, 2009 at 2:00 am

WordPress MU 2.8.5.1 – yes, four numbers.

WordPress MU 2.8.5.1 is out!
Read the full post on Donncha’s blog; WordPress MU 2.8.5.1

As you may read, it is a security upgrade based on the recent 2.8.5 release of WordPress.org, so there are absolutely no excuses — Download and upgrade as soon as you’re finished eating now!

Written by mark

October 30th, 2009 at 5:55 pm

Posted in Announcements
