ZgPHP meetup conference 2013

On 14 September (this Saturday) our friends from the ZgPHP user group will hold the second-anniversary ZgPHP Meetup together with a full-blown one-day PHP conference. The conference takes place in the Croatian Chamber of Commerce (HGK) offices, Nova cesta 3-7, on the second floor (the entrance is on the south side of the building, the same entrance as Lidl). For further details check out the conference web site.

See you there!


Beware of max_input_vars php ini configuration option

If you are updating PHP on your production server, beware of the relatively new max_input_vars php.ini directive, which now defaults to 1000. That means that if you have 1001 form fields, only 1000 of them will reach your script. This directive mitigates denial-of-service attacks that rely on hash collisions, described in CVE-2011-4885.

From php changelog:

2012-01-03 : security / trunk - Added php-5.2-max-input-vars patch max_input_vars directive to prevent attacks based on hash collisions - CVE-2011-4885

Why we have so many form fields is a subject for a different post. The main problem is that even the php.net site says this directive is available from PHP 5.3.9, whereas we have 5.3.2-1ubuntu4.14 and the directive is already there.
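To see what the truncation looks like from inside the application and how to catch it, here is an added example (not the post's own code) that simulates a 1001-field submission under the default limit; the sentinel field name `_form_end` and the helper names are my own.

```php
<?php
// Added example, not from the original post. Once max_input_vars variables have
// been registered, PHP drops the rest of the request body silently (only an
// E_WARNING is logged at request startup), so a form with 1001 fields reaches
// the script as 1000 and nothing in $_POST itself says anything is missing.

// Counts leaf values the way the limit does: every scalar, including each
// element of items[3][qty]-style nested arrays, is one input variable.
function countInputVars(array $input): int
{
    $count = 0;
    array_walk_recursive($input, function () use (&$count) {
        $count++;
    });
    return $count;
}

// Robust truncation check: render a hidden sentinel as the LAST field of the
// form. PHP keeps fields in submission order, so a missing sentinel means the
// tail of the form was cut off. A bare count cannot decide this, because
// exactly-at-the-limit and truncated-to-the-limit look identical.
function inputWasTruncated(array $input, string $sentinel): bool
{
    return !array_key_exists($sentinel, $input);
}

// Diagnostic worth logging: the submission sits at the configured ceiling,
// so adding a single field to the form will start losing data.
function inputAtLimit(array $input, int $limit): bool
{
    return $limit > 0 && countInputVars($input) >= $limit;
}

// Constructed sample: 1000 ordinary fields followed by the sentinel.
$fields = [];
for ($i = 1; $i <= 1000; $i++) {
    $fields["field_$i"] = (string) $i;
}
$fields['_form_end'] = '1';

// Simulate what PHP registers under the default limit of 1000.
$received = array_slice($fields, 0, 1000, true);

var_dump(inputWasTruncated($received, '_form_end')); // 1000 of 1001 registered
var_dump(inputAtLimit($received, 1000));             // sitting on the ceiling
var_dump(inputWasTruncated($fields, '_form_end'));   // nothing dropped

// In a request handler, with the live setting:
// if (inputWasTruncated($_POST, '_form_end') || inputAtLimit($_POST, (int) ini_get('max_input_vars'))) {
//     header('HTTP/1.1 400 Bad Request'); exit('Form exceeds server input limits');
// }
```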

So... you know... beware. :)

So long Kolektiva, it was a pleasure

Yesterday we finished the last step in the great migration of Kolektiva away from us. Exported databases, switched everything, and closed this case. Yes, Kolektiva is no longer our client, at least not in the way it used to be.

We started working on Kolektiva almost two years ago with Jeffrey Treichel and Martina Usmiani. They were Kolektiva; we were the full-service agency supporting their project. A couple of months later, the first Kolektiva version hit the web and it turned out to be a success. The general idea of Kolektiva was nothing new, it was a Groupon clone, but it was the first clone in this region and among the first in Europe (at the moment there are over 20 clones in Croatia alone, all of which followed and often unsuccessfully copied Kolektiva). We had no idea what we were building, how the market would react or how it should scale. Everything we did had to be super flexible in order to scale properly later, both on the server side and on the design/front-end side.

Kolektiva started with one daily offer in one city and quickly grew into more cities with more than one offer per city, and from 2 employees to dozens. Then it went regional, outside Croatia, and even further, outside the Balkans. This growth was made possible by our flexible and customizable approach to our work. Everything is scalable, everything is upgradeable, everything is modifiable.

As Kolektiva was growing, they required outside financing to support branching out to other countries. It takes real manpower to scout for good deals in distant countries, as well as good lawyers to bind everything together. Financing was found, and with it came the demands of the financiers. One crucial demand was that Kolektiva should be switched to an open-source solution for the backend. From their perspective, this is a logical requirement. First, it ensures that the project can continue even if the bubonic plague decimates everyone at Nivas: there will always be someone else who can open up the open-source backend and continue the work. Second, should anyone ever want to buy Kolektiva, the project needs to be one neat package which can be sold without ties to an outside agency; us.

We nurtured Kolektiva to its full potential through scalable solutions, and now that it is fully grown and its specifications are well known, it can detach from the custom-built solution and move to an adequate open-source platform. This could not be done from the start, because at the start no one knew what the project would look like a few months into the future. The future was uncertain, so everything had to be custom to support incoming situations, which were sometimes borderline paranormal.

As with everything in life, you win some, you lose some. Kolektiva required open source. Some of our other clients require a closed proprietary system. Our backend is our closed proprietary solution which runs all of our projects. Although it runs on an open-source stack, our policy is that we keep our system closed; we do not give away the source code, nor do we allow clients to write plugins or modify our code. For those and many other reasons there will always be a need for open-source as well as custom-built systems. We are here to offer custom-built solutions with security and scalability when clients have no idea what the future will actually hold.

Kolektiva, through our joint efforts, raised regional online shopping awareness a notch and woke up some banks and institutions. During the first year of Kolektiva's life, almost a third of the people who bought something on Kolektiva stated that it was their first online shopping experience. Kolektiva was the Croatian online shopping enabler. A year ago, the number of daily credit card transactions reached daily limits which the bank and the credit card processor had never seen before. When the number of transactions hit a certain threshold, the bank simply shut the gateway down as fraud prevention. What happened wasn't fraud, but pure Kolektiva success. This repeated twice more afterwards, and we hope it will repeat in the future as well.

So long Kolektiva, it was a fun ride while it lasted, we had a great time working with you guys.

xoxo Nivas crew loves you! :)

Payment processing in the region and PayPal integration woes

Since mid-March, companies in Croatia can finally receive electronic money transfers via PayPal (read the background story in my article published in Nacional).

Payment processing isn't anything new in Croatia, but PayPal is. For years, online stores have been able to process customers' credit cards through some of our popular local credit card processing services such as T-Com Pay Way or Webteh WebPay (or directly through connections with each bank, a less popular method). But only recently (about a year ago), with the arrival of Kolektiva and similar sites aimed at the wider online consumer public, did online payments start to become more popular, widely accepted and less frightening to the regular Joe.

In our e-commerce web development work so far, we have had the chance to work closely with the following regional internet payment service providers:

And just recently, PayPal.

Even though PayPal is a mature product, the integration was no walk in the park. From a developer's standpoint, I would definitely commend T-Com Pay Way, Webteh and qVoucher for their ease of integration and the support they offer, in contrast to PayPal's undocumented features (or lack of documentation and examples) and EMS's infinite redirects to 3rd-party pages (enforced by other parties) during the payment process.

After some headache and time spent in the PayPal sandbox (a self-contained environment in which you can prototype and test PayPal features and APIs), we finally managed to get it working.

We used the widely used HTML approach to integrating Website Payments Standard with our shopping cart (please see “Third-Party Shopping Carts – The Cart Upload Command”), since integration via the API proved to be even more complex and more poorly documented than Facebook's SDK.

For security we used Encrypted Website Payments (please see “Protecting Payment Buttons by Using Encrypted Website Payments”).

Encrypted Website Payments relies on public-key cryptography using OpenSSL, which is available both as an external program that can be executed from PHP and as a PHP extension. Prepare to enter a world of pain with this one, since most examples use the executable to do the actual encryption.

Using the OpenSSL extension with PayPal is not straightforward; the best example can be found in the PayPal PHP SDK toolkit.

We implemented support for both IPN and PDT notifications:

  • PDT (Payment Data Transfer) is a secure method to retrieve the details of a PayPal transaction after (and if) the user chooses to return to our site after paying on PayPal. It should be used only to display information to the user. Our system does not depend on it, since there is no guarantee that this return will happen.
  • IPN (Instant Payment Notification) is direct PayPal-to-our-system communication. To verify the authenticity of IPN data, the fields received from PayPal should be checked and then sent back to PayPal in the exact order they were received; PayPal should respond with “VERIFIED”.

Please note that although PayPal sends newlines as CR+LF (%0D%0A), PHP returns these newlines as LF (%0A), so newlines transformed by PHP into LF must be replaced with CR+LF before the data is sent back to PayPal, or the verification fails. This bug can easily be reproduced if you enter both Address line 1 and Address line 2 during payment, because PayPal combines those two lines into one field separated by CR+LF.
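The IPN echo-back described in the bullet above, together with the CR+LF repair, as an added example that is not the post's own code; the verification URL is the classic Website Payments Standard endpoint and is an assumption here, and the sample fields and the helper names are constructed.

```php
<?php
// Added example, not the original post's code. Verifies an IPN by echoing the
// received fields back to PayPal and accepting only an exact "VERIFIED" reply.
// The endpoint below is the classic Website Payments Standard one and is an
// assumption here; confirm it against current PayPal documentation.
const PAYPAL_VERIFY_URL = 'https://www.paypal.com/cgi-bin/webscr';

// Rebuilds the body as PayPal expects: cmd=_notify-validate first, then the
// fields in their original order. PHP has turned PayPal's CR+LF into a bare LF
// inside multi-line values (the combined address lines), so every lone LF is
// restored to CR+LF before encoding; without this PayPal answers "INVALID".
function buildNotifyValidateBody(array $post): string
{
    $pairs = ['cmd=_notify-validate'];
    foreach ($post as $key => $value) {
        $value = preg_replace("/(?<!\r)\n/", "\r\n", (string) $value);
        $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode($value);
    }
    return implode('&', $pairs);
}

// Posts the rebuilt body back to PayPal over TLS; anything but "VERIFIED"
// (including a transport error) is treated as not verified.
function ipnIsVerified(array $post, string $url = PAYPAL_VERIFY_URL): bool
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => buildNotifyValidateBody($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the reply is the trust anchor, keep it on
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}
// A VERIFIED reply only proves PayPal sent the message. Before fulfilling,
// still check payment_status, receiver_email and mc_gross/mc_currency against
// the order, and reject a txn_id that has already been processed (replay).

// Constructed sample of what PHP hands the script for a two-line address;
// on the wire the value was "Nova cesta 3\r\nfloor 2".
$sample = [
    'txn_id'         => 'TXN-EXAMPLE-001',
    'payment_status' => 'Completed',
    'address_street' => "Nova cesta 3\nfloor 2",
];
echo buildNotifyValidateBody($sample), PHP_EOL;
```

Reading the raw body with file_get_contents('php://input') instead of iterating $_POST sidesteps the newline rewrite entirely, as long as the bytes are forwarded untouched.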

You can try all this yourself, or you can just contact us for consulting and/or implementation services. :)

Nivas “Time” – timetracking online

Time tracking is an integral part of any organization. It is simply impossible to remember with any certainty at the end of the month what all the people did for a client. Even if you are a one-man band, I can bet you are losing track of spent hours if you keep them only in your head. As Nivas grew over the last few years from a couple of people to today's ten(ish), and the number of active clients grew with it, it became obvious that we would need some software to help us keep track of spent hours.

time 00
Name subject to change. Or not. Maybe. =)

So we decided it was time to build our own service to track time. You could now ask "why not just use one of the existing ones available online?". That question is perfectly valid; there are some great time-tracking products available! However, there is this little thing called Croatia, and Croatian laws. You see, our legal system is out of touch with reality and therefore out of touch with how time tracking should really work. They passed a law on time tracking in companies that requires very specific things to be tracked in case of inspection. Commercially available systems do not have all those details built in, as they were designed to do one thing only and do it well: track time spent on projects/clients.

You can read all about it here in full bizarre detail. Even if you do not understand Croatian, you can just quickly scroll and count the bullets; that will give you a clue.

Nivas Time has been in use here locally for the last 3 months, and it is undergoing heavy development and beta testing. It is "Soon™" to be released to the world as an invite-only beta. After that, it will be released to the public with a two-way model: free for small users (one- or two-person teams) and subscription-based for bigger companies. It will be available with an English and a Croatian interface, of course.

A small preview:

time 01
---- Time Dashboard

time 02
---- Smart Client/Project search

time 03
---- List of clients

If you are interested in being in the first batch of invite-only testers, send us an e-mail and we will keep you in mind.

Keep on tracking!

update1 (16.1.2011.): Time is now online at time.nivas.hr address and we are preparing test accounts for all of you who contacted us.

WEB FEST 2010. – We won Festival Grand Prix award and two jury awards!

After two months of competition between 1700 sites from around the region for the top positions in 17 categories, the Web Fest 2010 winners were announced last night in Belgrade (Serbia), in front of a large number of invitees.

Two of our projects won three awards. We won the special Grand Prix award and two Jury awards. Respect to everybody who made this possible!

1. Grand Prix (Grand pri festivala) - MTV (www.mtv.rs)
2. Information/news (Informativni) - 24sata.hr (HR)
3. Entertainment (Zabavni) - mtv.rs (RS)

Mediakit, press release.

Also, congrats to our friends from Web Burza and Bruketa&Žinic for their wins.

WEB FEST is the largest regional Internet festival, dedicated to selecting the best regional web projects and to the education, promotion and popularization of the Internet.

Vlada takes one for the team:

Web::strategija 05

We created the banner campaign for the 5th annual Web Strategy conference (Web strategija), held here in Zagreb by our friends. The theme of the 5th conference is the recession in the web industry! So, if you see our evil eagle logo on their site, don't be afraid of the eagle. :) We didn't have enough time to prepare ourselves to speak at this conference, but my good friend Goran Blagus will share some of his infinite wisdom with the visitors. Definitely worth checking out if you are in the area. Read more...

Centrala.hr – edited by human not a robot

We just released your new homepage, Centrala.hr (eng. plant: a building or group of buildings for the manufacture of a product; a factory). :) Centrala is a human-powered news aggregation site, where editors hand-pick the best information from across the region just for you. In the avalanche of completely automated RSS aggregation news sites in Croatian cyberspace, we think a human touch can make a significant difference. What do you think?


Thanks to everybody for such nice feedback: