After a fair bit of fiddling, I've gotten avatar uploads working on the newLISP on Rockets blog. Now you can upload your own image.
The code to display a file upload form looks like this:
(displayln "<p>Upload new avatar (all avatars scaled to 64x64 pixels): <form name='FileUpload' action='rockets-avatarupload.lsp' method='POST' enctype='multipart/form-data'><input type='file' id='uploadName' name='uploaded_data' onChange='this.form.textname.value = this.value'><input type='hidden' name='textname'><input type='submit' value='Upload' name='submit'></form>")
(set 'file-name ($POST "filename"))       ; the uploaded file's name, as parsed from the multipart POST
(set 'file-binary ($POST "binary-data"))  ; the uploaded file's raw bytes
(write-file (string "images/avatars/" file-name) file-binary)
sudo chown www-data:www-data images/avatars   # let the web server's user write into the avatar directory
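The file name above comes straight from the browser, so before it is joined to images/avatars/ a practitioner would strip any directory part, restrict the characters, and take the extension from the bytes rather than the name. This Python version of that check is an added example, not the blog's newLISP code; the magic-byte table, the 40-character limit and the function names are my own choices.

```python
import re
from pathlib import Path

# Leading bytes that identify the real image type, whatever the name says.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")

def detect_image_type(data):
    """Return the extension matching the file's magic bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def safe_avatar_name(filename, data):
    """Turn a browser-supplied filename into one that is safe to join to the
    avatar directory: drop any directory part (so '../' cannot climb out of
    images/avatars), keep a conservative character set, and take the
    extension from the bytes, not from the name."""
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("upload is not a PNG, JPEG or GIF")
    # Browsers (and hand-made requests) may send a full path; keep the last part.
    stem = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem = stem.rsplit(".", 1)[0] if "." in stem else stem
    stem = SAFE_NAME.sub("_", stem).strip("._")[:40]
    if not stem:
        raise ValueError("filename has no usable characters")
    return stem + ext

def save_avatar(avatar_dir, filename, data):
    """Write the upload under avatar_dir and return the final path; the
    resolved path is checked to still lie directly inside avatar_dir."""
    root = Path(avatar_dir).resolve()
    target = (root / safe_avatar_name(filename, data)).resolve()
    if target.parent != root:
        raise ValueError("refusing to write outside the avatar directory")
    target.write_bytes(data)
    return target
```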
It's not quite like winning an Olympic Gold Medal or anything, but it's a nice feeling.
I was having a very intermittent problem with long posts being truncated. Most posts are short enough that they didn't encounter this problem, but longer posts with code would sometimes just cut off randomly. The weird thing is that if I went back and refreshed the page they would go through. It wasn't predictable at all. Those kinds of bugs are the most annoying!
Basically I had some old code that followed a technique similar to the one Dragonfly used:
; old version: a single read, which can return only part of a long body
(when (> (peek (device)) 0)
  (if (and (read (device) post-buffer $MAX_POST_LENGTH) post-buffer) ; grab all post data, put it in variable 'post-buffer'
    (parse-get-or-post post-buffer $POST)))
; new version: keep reading and appending until read returns nil
(let ((buffer "") (post-buffer ""))
  (unless (zero? (peek (device)))
    (while (read (device) buffer $MAX_POST_LENGTH)
      (write post-buffer buffer)) ; append each chunk to post-buffer
    (parse-get-or-post post-buffer $POST)))
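The bug behind the truncation is that one read() on the request body may hand back fewer bytes than asked for even though more are still coming. This added Python example (mine, not the blog's newLISP) shows the single-read pattern beside a loop that reads exactly Content-Length bytes and stops at the cap; ShortReadStream is a constructed stand-in for CGI stdin, and MAX_POST_LENGTH plays the role of the page's $MAX_POST_LENGTH.

```python
import io

MAX_POST_LENGTH = 1_048_576  # constructed cap, standing in for $MAX_POST_LENGTH

class ShortReadStream:
    """Constructed stand-in for CGI stdin that returns at most `chunk`
    bytes per read(), the behaviour that truncated the long posts."""
    def __init__(self, data, chunk):
        self._buf = io.BytesIO(data)
        self._chunk = chunk

    def read(self, size=-1):
        if size < 0 or size > self._chunk:
            size = self._chunk
        return self._buf.read(size)

def read_once(stream, content_length):
    """The single-read pattern: whatever read() returns is taken as the
    whole body, so a short read silently truncates the post."""
    return stream.read(content_length)

def read_post_body(stream, content_length, max_length=MAX_POST_LENGTH):
    """Read exactly content_length bytes, looping over short reads.
    Asking only for the remaining count also avoids swallowing bytes that
    belong to a following request on a kept-alive connection."""
    if content_length > max_length:
        raise ValueError(f"POST body of {content_length} bytes exceeds cap {max_length}")
    parts = []
    remaining = content_length
    while remaining > 0:
        chunk = stream.read(remaining)
        if not chunk:  # EOF before Content-Length was satisfied: client went away
            raise EOFError(f"body ended {remaining} bytes short")
        parts.append(chunk)
        remaining -= len(chunk)
    return b"".join(parts)
```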
Today I implemented an entirely different way to view posts and comments, the forum view. When you view a blog post, the same post also exists in the forums. In fact, you can click on the "View post in forums" button to toggle the views.
A lot of people would tell you to write this kind of thing using the MVC (model-view-controller) model, or at least use a framework that has a templating system so that you can view the same data differently.
This is a completely valid perspective and I'm not going to argue otherwise. MVC is a well-established design methodology and it works pretty well for a lot of different applications. Templates seem like they could be really useful.
I didn't implement the forum view this way, however. I just had a toggle variable called (forum-view-post) and checked to see if it was true. If it was, then I executed a different code block. The real danger here is code duplication, which is something we always want to avoid.
The thing is, implementing this very different view took only ten lines of code.
(displayln "<h3>" (list-post-data 3) "</h3>")
(set 'header-list '("Author" "Message"))
(set 'post-data (list (string "<img src='images/avatars/" (author-avatar (list-post-data 1)) "'><br>" (author-name (list-post-data 1))) (format-for-web (list-post-data 4))))
(set 'PostId (int (list-post-data 0)))
(set 'post-data (list post-data)) ; okay these two lines of code are duplicated... I can live with it for now
(set 'post-comments (get-record "Comments" PostId))
(if post-comments (begin
  (dolist (p post-comments)
    (push (list (string "<img src='images/avatars/" (author-avatar (p 2)) "'><br>" (author-name (p 2))) (format-for-web (p 5))) post-data -1)))) ; add each comment to the thread
(display-table header-list post-data "striped")
Blogs and forums are two different things, but they don't have to be.
I'm adding a forum to the Rockets blog, where any registered user will be able to post on any topic. Each new blog post will appear on the forum, and any comments added in the forum will be reflected in the blog itself. But the reverse is not true: a new forum post will not appear on the blog. This lets other users start discussions and interact with each other without interrupting the blog itself.
The way I do this is to add a new column called "PostType" that can be either "Blog post" or "Forum post". The former will be retrieved by the main page, while the latter is retrieved by the forum page.
I'm also using my new (display-table) function to display the forum posts.
A couple of additions today...
First, a Table function that prints some nicely-formatted HTML tables.
(display-table list-of-headers nested-list-of-data "optional form styling")
striped - alternates rows in grey
bordered - adds borders and rounded corners to the table
hover - enables hover state on table rows when mousing over
condensed - more condensed style of table
Some sites have a mascot. Okay, we have a rocket, let's call him Rocketty. Done.
Now all we need is a theme song.
This is another UBB code, enabling the user to embed YouTube videos. Just use the tags [ youtube ] and [ /youtube ] (without the spaces) and, in between, put the video's alphanumeric ID (e.g. rJppnG1tflU).
So, now we have the final U in CRUD done, and I can finally edit posts. YOU can't edit comments yet, but that's coming soon, probably tomorrow.
That's fun. EDITING ROCKS! It's also a really neat macro that makes it pretty easy to do SQL update statements.
Here's another neat thing: Basically, I use the exact same statement to create and update a post:
(update-record "Posts" Id PosterId PostDate PostSubject PostContent) ; It's the U in CRUD!
(create-record "Posts" Id PosterId PostDate PostSubject PostContent) ; It's the C in CRUD!
There's a lot of stuff going on behind the scenes to translate the above into two very different SQL statements. Basically, in the first statement Id is the value to CHECK against, and in the second it is the value to SET Id to. I like the symmetry.
Sometimes SQL injection comes in tricky forms. Often attackers will add extra junk to the URL to try to confuse SQL into doing something it wasn't intended to do. For example, if the URL for page 2 is:
an attacker might try something like
http://newlisponrockets.com/rockets-main.lsp?p=2 OR 1=1
to try and break the code or inject some other SQL into the query by adding these commands with spaces.
I've added a function called (force-parameters) that makes it easy to prevent this. For example, to get the page number from the URL, I used to call ($GET "p"), which in this case would return "2 OR 1=1".
Now, I use the code:
(set 'current-page (force-parameters 1 ($GET "p"))) ; we only need the first part, ignore anything else
which takes only the first parameter from the URL. You can add as much extra junk after it as you like; it will only take the "2".
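Added example, in Python rather than the blog's newLISP and not the Rockets code itself: the same create/update symmetry as (create-record) and (update-record), built with "?" placeholders so values never enter the SQL text, plus a force_parameters that mirrors (force-parameters). Because taking the first token still lets "abc" or "-5" through, page_number also insists on a positive integer; the Posts table, the IDENT check and the sample rows are constructed here.

```python
import re
import sqlite3

COLUMNS = ["Id", "PosterId", "PostDate", "PostSubject", "PostContent"]
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def force_parameters(count, value):
    """Keep only the first `count` whitespace-separated tokens, the effect
    the page's (force-parameters) has: "2 OR 1=1" -> "2"."""
    return " ".join(value.split()[:count])

def page_number(raw, default=1):
    """force_parameters alone lets "abc" or "-5" through; also demand a positive integer."""
    first = force_parameters(1, raw or "")
    return int(first) if re.fullmatch(r"[1-9][0-9]*", first) else default

def record_sql(op, table, columns):
    """One column list, two statements (the C and the U of CRUD); the first
    column is the key. Names come from code, not the request, and are still
    checked; values only ever travel as '?' placeholders."""
    if not all(IDENT.fullmatch(name) for name in [table, *columns]):
        raise ValueError("bad SQL identifier")
    if op == "create":
        return (f"INSERT INTO {table} ({', '.join(columns)}) "
                f"VALUES ({', '.join('?' * len(columns))})")
    if op == "update":
        sets = ", ".join(f"{c} = ?" for c in columns[1:])
        return f"UPDATE {table} SET {sets} WHERE {columns[0]} = ?"
    raise ValueError(op)

def run_record(conn, op, table, columns, values):
    """Same argument order for both ops; for update the key moves last to meet the WHERE '?'."""
    params = list(values) if op == "create" else [*values[1:], values[0]]
    conn.execute(record_sql(op, table, columns), params)

def fetch_page(conn, raw_page, per_page=2):
    """Listing driven by the raw ?p= value, bound as a parameter, never spliced into SQL."""
    page = page_number(raw_page)
    rows = conn.execute("SELECT Id, PostSubject FROM Posts ORDER BY Id LIMIT ? OFFSET ?",
                        (per_page, (page - 1) * per_page))
    return page, [subject for _, subject in rows]

def demo():
    """Constructed in-memory Posts table with four posts; post 3 is then edited."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Posts (Id INTEGER PRIMARY KEY, PosterId, PostDate, PostSubject, PostContent)")
    for i in range(1, 5):
        run_record(conn, "create", "Posts", COLUMNS, [i, 1, "2012-01-01", f"Post {i}", "body"])
    run_record(conn, "update", "Posts", COLUMNS, [3, 1, "2012-01-01", "Edited", "body"])
    return conn
```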
Just a little bold and italics and underlines
and some code samples:
The above code now translates these UBB codes into HTML. Actual HTML is converted to its literal equivalent to avoid cross-site scripting issues.
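The order of the two steps is what makes this safe: escape the HTML first, then turn the bracket codes (which survive escaping unchanged) into tags. This added Python example is mine, not the blog's UBB code, and covers the bold, italic, underline and code tags above together with the [youtube] tag; the iframe markup and the 11-character [A-Za-z0-9_-] allowlist for the video ID are my assumptions about what the page emits and accepts.

```python
import html
import re

# A YouTube video ID is 11 characters from this alphabet; anything else must
# never reach the src attribute of the embed.
YOUTUBE_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")

# Paired tags whose content is plain (already escaped) text.
SIMPLE_TAGS = ("b", "i", "u", "code")

def youtube_embed(video_id):
    """Embed markup for a valid ID; otherwise hand back the text as typed."""
    if not YOUTUBE_ID.match(video_id):
        return f"[youtube]{video_id}[/youtube]"
    return (f'<iframe src="https://www.youtube.com/embed/{video_id}" '
            'width="560" height="315" allowfullscreen></iframe>')

def ubb_to_html(text):
    """Translate UBB codes to HTML. html.escape runs first, so any markup the
    user typed (including quotes) becomes literal text; the bracket codes
    contain no escaped characters and are matched afterwards."""
    out = html.escape(text, quote=True)
    for tag in SIMPLE_TAGS:
        out = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{tag}>\1</{tag}>",
                     out, flags=re.S | re.I)
    out = re.sub(r"\[youtube\](.*?)\[/youtube\]",
                 lambda m: youtube_embed(m.group(1).strip()),
                 out, flags=re.S | re.I)
    return out
```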
When I started this little thing a month and a half ago, I didn't expect anyone to notice it right away. The Internet is a big place and Rockets is, for now, quite small.
But a few people have found their way here (welcome guys!) and so I now need a way to send some welcome emails for new users.
I've added a function called (send-mail), which sends an email to a given address. Behind the scenes it uses the Unix command sendmail, so you will need to have that installed on your server (simply type "sudo apt-get install sendmail" on Ubuntu or Debian).
To avoid emails falling into spam traps, you need to be sending from a valid email address that has the same domain as the server that is sending it. The (send-mail) function will take care of all the headers and things automatically.
For example, for new users, I simply use:
(send-mail UserEmail "firstname.lastname@example.org" "Rocket Man" "Welcome to the newLISP on Rockets blog!" welcome-email)
where welcome-email is the string of the body of the email.
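Added example, mine rather than the (send-mail) implementation: the points a practitioner wants from a sendmail wrapper are that the address, display name and subject are single-line values (a CR or LF in any of them would smuggle in an extra header), and that sendmail is invoked with an argument list rather than a shell command line. The sendmail path and the ADDRESS pattern are my assumptions; -t, -i and -f are standard sendmail options.

```python
import re
import subprocess
from email.message import EmailMessage

# One address token: no whitespace, so no CR or LF that could start a new header.
ADDRESS = re.compile(r"^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$")

def check_header_value(label, value):
    """Reject values that would span more than one header line."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"{label} must be a single line")
    return value

def build_message(to_addr, from_addr, from_name, subject, body):
    """Assemble the message send-mail hands to sendmail; returns the raw
    bytes so it can be inspected without sending anything."""
    for label, addr in (("recipient", to_addr), ("sender", from_addr)):
        if not ADDRESS.match(addr):
            raise ValueError(f"{label} address {addr!r} is not acceptable")
    msg = EmailMessage()
    msg["From"] = f"{check_header_value('from name', from_name)} <{from_addr}>"
    msg["To"] = to_addr
    msg["Subject"] = check_header_value("subject", subject)
    msg.set_content(body)
    return msg.as_bytes()

def send_mail(to_addr, from_addr, from_name, subject, body,
              sendmail="/usr/sbin/sendmail"):
    """Pipe the message into sendmail. The command is an argument list, so
    nothing from the request is interpreted by a shell; -t takes the recipient
    from To:, -i stops a lone '.' line from ending the input early, and -f
    sets the envelope sender to the validated from address."""
    raw = build_message(to_addr, from_addr, from_name, subject, body)
    subprocess.run([sendmail, "-t", "-i", "-f", from_addr], input=raw, check=True)
```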