I have recently been looking at the payment processing options for two projects which will be based in New Zealand.

In both cases, the client will be organising a merchant account with a bank, so it is a matter of connecting those up with an online payment processing service. Here are the ones I have been actively considering:

SecurePayTech

SecurePayTech seems a relatively well established service. I created a Silverstripe payment module for it last year without any issues and has a decent API which allows for integration via SOAP or HTTPS post. SecurePayTech is also a wholly owned subsidiary of Digiweb. I guess that means they are a bit more established then…

www.securepaytech.com

Pricing:

Set-up fee: $30.00 + GST

Black Marks:

• No multi-currency processing (NZD only)

PayStation

PayStation seems like a decent option. Their website has plenty of detailed information on their service and what is needed to get set up etc. Their pricing is quite competitive and is kind to businesses with low transaction volumes but with a very competitive per transaction cost. Good code examples and documentation also.

www.paystation.co.nz

Pricing:

Set-up fee: $200.00 + GST

Black Marks:

• Haven’t had fantastic responses to my queries with them, concerned just how well established they are

Payment Express (DPS)

The DPS service from Payments Express seems to be the most well known Kiwi payments processing solution and is in use on a lot of high profile websites. There is plenty of supporting documentation, test accounts are available etc. As it is the most established, there are also lots of existing payments modules for shopping carts etc.

www.paymentexpress.com

Pricing:

Set-up fee: see table

Black Marks:

• A lot more expensive than the others at lower volumes
• Higest setup fees

Honourable Mentions

Paymex

Paymex is a slightly different animal in it as a payment processing service and combined Merchant account.

www.paymex.co.nz

Pricing:

Set-up fee: free

Black Marks:

• No multi-currency processing (NZD only)
• Per transaction and monthly transaction limits
• Charges appear on customer statements as “Paymex Ltd” – could cause confusion
• Hosted integration method only

Recently I have been working on a project, the final output of which, is an iPhone application that displays content in html. 

Of course to do any actual application development, you are going to need a Mac and the iPhone SDK, but in my case I am simply developing a web based system that is creating and editing the content that is then fed into the iPhone application.

My challenge though, was previewing the content before it went to the app – so I could check the layout etc on either my Windows pc or online within the content management system I was building.

My first goal was to find something for my Windows PC – once I had that available to me, and I was happy that it was displaying content roughly the same as on the iPhone application, I could use that as my baseline for testing and build out an online version within the CMS for a live preview function.

Well the options seem pretty few and far between! The two viable options I could find are:

1. Firefox iPhone Emulator
   This is a Firefox add-on that emulates the iPhone. It looks interesting, however, it requires installation of Netbeans, which is a bit heavy I felt, so I haven’t tried this one. 
    
2. iBBDemo
   This is a nice little emulator from Shaun Sullivan at Blackbaud. I’m pretty happy with how it functions and it uses Webkit, just like the iPhone application does, to display the html. Be warned though: the instructions state you need to download and install the latest version of Safari – don’t! This does not work with Safari 4.0 – in order to get it to work you will need to download Safari 3.2. I found it here. Aside from that, it looks pretty good! Given that it does not work with Safari 4.0, my concern is that it will become out of date as changes are made to Webkit which are contained is newer versions of Safari.

And now the online versions….

So there are two that I found worthy of praise: 

1. TestiPhone
    Of all, I found this the best mix of convenience and accuracy, particularly when viewed in Safari. What impressed me most was that when compared to the same content on an iPhone, though the display was larger, the text spacing, layout etc was very accurate: lines ended almost exactly the same.   

   The major disadvantage I found was that the pages I was testing required vertical scrolling: when viewed in Firefox, the scroll bar was show, which reduced the width of the page, this messing up layout. On other browser types, no scrolling was possible, which was even worse. I solved this by rewriting the emulator in my own test page with some Javascript to scroll down the page, thus maintaining correct width, but allowing scroll, just as in the iPhone. Let me know if you would like the code…
    

2. iPhone Tester
    In many ways, I should applaud this one for being more honest – when not being viewed in Safari, it gives a warning saying it is best viewed in this browser. Practical advice given you are testing an iPhone page – Safari is the best place to do this.   

   In terms of layout and function, it was very close to the TestiPhone site above, but lost points for: showing a scroll bar automatically, thus breaking layouts, and having messed up navigation: every time I entered a url and hit enter, it gave an error and I then had to click on the suggested link….

My inline preview utilises TestiPhone code as a baseline and no complaints so far.
So if you don’t have a Mac or an iPhone, iBBdemo or TestiPhone are my recommendations!

ReadWriteWeb report today that Six Apart have announced the release of some Six Apart plugins for Wordpress at Wordcamp Mid-Atlantic. RWW think this is “shocking”. If they think that counts as shocking they need to get out more….

I was intrigued enough to zip on over the their page for Wordpress users, and yes, sure enough, there are some shocking plugins available.

On initial examination, I kind of felt there wasn’t much new to it: wow a comment spam plugin, an advertising plugin… The only one that caught my eye was the TypePad connect plugin, and even that one I kind of knew wasn’t going to be a runner.

Yes it does lots of fantastic stuff, see the above page for a feature list, but it struck me that:

• users had to go off to TypePad.com to register for your blog
• comments were no longer stored on your own blog
• the gains offered for the above are really not worth it

So I gave it the benefit of the doubt and installed the code on a test blog site. Installation itself is pretty easy, so no complaints there.

As expected, the newly activated plugin does make users go off to TypePad.com and create a TypePad account in order to become a member of your site. This doesn’t sit nicely with me: users click a link on your site and all of a sudden they are on TypePad.com being asked for their email address, set a password and their date of birth (TypePad: you don’t need my DOB, you might think you do, but you just don’t).

Ok so if you do all that and post a comment on my site it shows up and there are all the extra goodies they mention on their page.

Some points against:

• You no longer have comments stored within your own site
• Comments are harder to manage: two different sites to manage your blog, your blog site and your comment site
• Not offering much: threaded comments are available in WP 2.7.x, Comment Spam is not an issue with plugins
• The community thing: wow, you can create profiles. Not a big seller for me.
• I can’t find any option to export your comments back to WordPress if you choose to leave TypePad connect???

The very fact that comments are no longer stored within my own Wordpress database, not even duplicated there, is a deal breaker for me. Comment counts are often used in my work for listing most popular posts, etc. I see no need to have data stored elsewhere.

In short, there are some nice features here and I think it is great that Six Apart are opening up their work to other platforms, but so far, there is nothing here that makes me want to use one of their plugins.

TIP: If you think TypePad connect might be something you find useful, check out IntenseDebate also.

I’m delighted that I have my first SilverStripe website under my belt that I developed from start to finish. I find it quite frustrating these days that I only get to do bits and pieces of websites, add modules, modify code etc – seems I only ever get asked to the hard bits! The same holds true for SilverStripe: I have been working with it for several months now, developed modules, modified sites and other odd jobs, but never a complete site.

But at least all the bugs in Cashtrack.co.nz are all 100% mine! I worked with the very talented ladies of Decisive Flow on this project: they provided the fantastic design of the site, and I tried not to ruin it too much as I combined it with the Silverstripe development

Cashtrack is a pretty simple website (hence my ability to do it on my own!?), it lets New Zealanders enter the serial number of their note and little about where they picked it up etc. As the database grows, I think it will become a really interesting site that can might go in directions we haven’t thought about before.

I’m already thinking about some of the reports we could run: Where in New Zealand do people have the most $100 notes? What dollar amount has the site tracked so far, etc. 

We stuck with the philosophy of keep it simple at the start and adapt the site as required over time. I think it is the best policy for a site like this as it lets the site direction be guided by how users interact with it.

So best of luck to Rupert with the site. I certainly enjoyed doing the web development with SilverStripe and the development framework, Sapphire.

Almost finished my next big SilverStripe project too!

Oh dear, SilverStripe 2.3.1+ now has an updated meta tag function that has a “generator” meta tag which includes detailed version numbers of the CMS. Eg for version 2.3.1, it has the text: “SilverStripe 2.3.1 – http://www.silverstripe.com”. Take a look here as to why I think this is a bad idea.

This is a real pity, and not something I want to have in a production website. SilverStripe is a great CMS and development framework and deserves praise (as does the web development company behind it, SilverStripe), but not right down to the release number!

Removing the generator tag is pretty straightforward:

1. Open the Page.ss for your theme. Eg for blackcandy, open /themes/blackcandy/templates/Page.ss
2. Remove this function call: $MetaTags(false) (could be $MetaTags(true) either)
3. This prevents the generator tag from being output, but it stops a few other meta tags too, so I suggest you add the following to your Page.ss in the <head> section:
   <title><% if MetaTitle %>$MetaTitle <% else %>$Title <% end_if %>- MyWebSiteName</title>
<% if MetaKeywords %><meta name="keywords" http-equiv="keywords" content="$MetaKeywords" /><% end_if %>
<% if MetaDescription %><meta name="description" http-equiv="description" content="$MetaDescription" /><% end_if %>
<meta name="generator" http-equiv="generator" content="SilverStripe - http://www.silverstripe.com" />

<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="en"/>

4. Save your file and upload if necessary. Once you flush the cache, your should see the changes

Now you might notice that I did slightly more than just meta tags there: I also updated the <title> tag. The $MetaTags function call I removed can output a title tag if $MetaTags(true) rather than false is set and you have a meta title set for your page in addition to the standard title.

This is a good idea for some pages. For example, a page on a site I was recently working on was called “Home”. This was fine for the navigation label and actual on page title, but “Home – MyWebsiteName” does not look good for a window title or in google search results, so we used the meta title to set something which only appears in the meta data and not on the actual page, which was more descriptive and useful.

You might also notice I did not completely remove the generator tag. Well I do want to show my support for SilverStripe so in this particular instance I have just removed any mention of version numbers. At least you now have control over this text.

Some caveats though: my code above replaces what the MetaTags function currently does, but this may change in future so that were additional functionality added to the function, you might be missing out. It also gathers data such as the language and content-type automatically which you need to set manually in my code (if you need to change it).

I will blog again on the MetaTags function if it does change. A perfect reason for subscribing to my RSS feed!

No, I don’t suppose that is the first thing you are going to tell a perfect stranger now is it? How about someone who has just called to your door? More unlikely still.

The Rant:
Which is why it really annoys me that some web applications insist on vanity tags displaying to the world what software system you are using, and worse still, sometimes it shows what version you are using!

Just what is required to execute a zero-day attack on your poor little website. Or indeed make it far too easy for evil minded people to find sites running out of date software.

Is it on your site?
Examine the source code of your web page. It will be between the “head” tags at the top of the page. Take for example the screenshot of the html code on a blog I visited the other day. You can clearly see from the generator meta tag that not only is the blog powered by Wordpress, but it is running version 2.5.1. In this example, the blogger is probably fine. There are a couple of security fixes released since Wordpress 2.5.1 was out in July, but none that I would rate as vital. But is it really a good idea to let the world know:
a) what web application you are running?
b) what exact version you have installed?

The cure
Now, I was going to go into a big rant about just how pointless I thought the generator meta tag was anyway, but I have to decided to bite my tongue and concentrate on the real evil: including the version number.

This is just plain old bad idea. I was really annoyed to see it creep back into the Wordpress blogs I manage recently as the location has been switched from the wordpress header template file to the Wordpress internals (from Wordpress 2.5 on). So even if you thought you had removed it, if you upgraded to 2.5 or later, it might be back in there again!

There is a relatively easy way to remove it again however, and this should be permanent unless they change this again in a future major version release.
Add the following line to the functions.php file of your Wordpress theme:
remove_action('wp_head', 'wp_generator');
(within the php code tags)

For other web applications, you may need to check the documentation or search the support forums for answers on how to remove the generator tag.

I admit, not the sexiest title you will come across.

I have been recently tweaking the design of my site. My first port of call, as it usually is when I need to iron out the kinks in a style sheet, is the W3C’s CSS Validation Service. I find that ensuring anything, be it html, xhtml or css is standards compliant, goes a good way to curing a number of cross browser issues, allowing you to concentrate on the stubborn ones that drive you scatty sometimes.

So off I go to validate my style sheets and um, nothing. Looks like the server is down, throwing the error I mentioned in the title.

No matter I thought, I will try another one. Put in “css validator” into your favourite search engine and you will get plenty of results. The problem it seems though, is that practically all of them use the W3C’s CSS Validator as a back-end. The same result comes back time after time:

Servlet has thrown exception:javax.servlet.ServletException: Timed out

I did find one site that has a non-W3C validator, but this is a shareware program which you must download and install. Hardly ideal and is most likely limited in functionality unless you cough up for the full version.

After about 48 hours I began to get suspicious of the fact that nobody else on the oul Interweb had reported a similar issue. Sure enough, after testing a couple of other sites, I found that the issue was specific to my own website.

On further testing, I found that a couple of other sites also had this issue. Specifically, Wordpress sites with a plugin installed called Sezwho. Sezwho is a web service that adds additional functionality to Wordpress comments, more on that in a separate article.

An undocumented “feature” is breaking the CSS Validator. Hopefully anyone else with a similar issue might find this useful. I will contact Sezwho to let them know of course.

Oh, and if you do want to validate your CSS, just deactivate the plugin, validate the css and reactivate the plugin.

Basecamp is a handy little web based project management tool from 37 Signals. It is an ideal tool to put some basic manners on a project without adding too much complexity. It has such features as to-do lists, project milestones, messages, write boards and online chat functionality. Yes all this stuff can be done elsewhere, but this is an easy way to bring it all together into a little intranet. You can send logins to clients, co-workers, sub contractors and your mother so they can all see how hard you are working.

If you move up above the free or basic plan, there are additional tools available including time tracking (Plus or Max plans). I use this for some of my projects where I am charging on an hourly rate. I also use it on occassion when I simply want to book in my hours and see if I am making any money on a project.

Through the use of the API available for Basecamp, the clever fellows at Cornerstone Systems have developed a little desktop tool that allows you to record your time directly from the desktop. You can simply select your project and clock in and out as and when you need to. You can also record time directly against a particular to-do task which is what I normally do. This tool is called Project Recon.

Like Basecamp it is somewhat simplistic, but that is what I like about it. Sure it doesn’t have a lot of bells and whistles, it just simply records your time, but that is a good thing. You can concentrate on getting your work done without having to spend time trying to figure it out. If you find you can’t use it, you most likely have your monitor switched off. It really is that simple.

Project Recon 1.8 Screenshot of my World Domination project (still in beta)

Cornerstone have just released version 1.8 which is a major shift in how the application is presented to the end user. It is very different to the 1.3x version I had been using, the main change being 1.3x was simply an icon in the Windows notification area that popped up to let you perform the tasks. The 1.8 version has it’s own app window which allows for much more room to work, select items etc. I am still going towards the notification area to do stuff but that will pass.

If you already purchased project recon, 1.8 is available as a free upgrade. I had misread the date on their forum post and thought I missed the mailout for the upgrade. Within a few hours of emailing support, instead of being told to hang on for the mailout, I had been given my own personal link to download a copy of the new version.

So you not only get a handy time tracking tool, but there is some great support there too.

I have just recently switched this website from the Drupal CMS to Wordpress. Within the last 24 hours I have had the first symptoms of an irritation I have noticed on other blogs I mangage. Almost as soon as the conversion was complete, I had two suspicious user sign-ups. Suspicious in that they occurred in very short order for a relatively low traffic website, and guess what, they both end in “.ru”, the Russian domain ending.

Now I am not in favour of tarring everyone with the same brush, I am sure most Russians couldn’t give an Abkhazia about my blog, but there is something fishy going on. Another blog I managed has over 1,500 registered users, yet over 800 of those users have emails ending in “.ru”.

So what is going on here? Initial suspicion was that this was a way of attempting to place spam comments on the blog, but does not seem to pan out. Firstly, the Akismet plugin does not seem to have a problem catching comment spam whether the user is registered or not. Not that I could find any relationship between these “dodgy users” and the comments that had been placed into the Spam bin by Akismet.

So I haven’t worried too much about them since they don’t seem to be doing any damage.

As I mentioned earlier, this is a new blog. Comments have been open on it, but I have only just activated the Akismet plugin. So there were about 24 hours during which comment spam could have been placed on the blog yet it wasn’t, even by the suspicious new users. Strange huh?

It seems then that there must be another reason for these signups other than comment spam. They may be trying to exploit known vulnerabilities in older versions of Wordpress.

In any event, to see if I can cut this out, I have installed a new plugin, Register Plus, this has quite a number of nifty features around user registration which have been a bit lacking in Wordpress to date. The features I have so far activated are:

• Email address confirmation for new users
• Users can set their own passwords
• Custom logo on the registration page

There are a number of additional features worth checking out, but so far those are the ones I will be using.

I will see how I get on over the next few weeks and if successful, I will roll out the plugin to other Wordpress sites I manage.

My suspicion is that these “dodgy signups” are driven by an automated bot and this may well not be able to use the new registration form. If that fails, then I am pretty sure the email addresses are invalid and therefore the user accounts are not activated and will be removed after 7 days.

In the last resort, there is also a captcha feature, but I would prefer not to have to use that. Hate the bloody things!

Another blogger who doesn’t think much of the fake user signups is using the Sabre plugin, but I am going to see how I get on with Register Plus before employing yet another plugin that only does one specific task. They become a nigthmare to manage them all.