Review of 'Learning Mambo' by Douglas Paterson
Reviewed by Martin Brampton
Mambo is a powerful and popular piece of software, but it does have problems that it shares with many other open source products. Part of the attraction of Mambo is its flexibility, but a critical factor is the richness of the features that are offered. But this owes a lot to some of the skilled developers who have worked on the system, and developers have weaknesses. One of them is a distaste for documentation, so Mambo has extremely patchy documentation. In fact I rather doubt if there is anyone who actually knows precisely how Mambo works in all its ramifications. Including me - would a book help?
While spending six months as leader of the Mambo development team creating version 4.6 I came to know a lot about the code internals. Despite that, there were plenty of gaps in my knowledge of how to use Mambo. Books on Mambo seemed superfluous if they didn't get into a lot of detail and what I saw of the blurbs sounded quite superficial. All the same, when I was invited to review the latest edition of Douglas Paterson's book “Learning Mambo” (aimed at version 4.6) it seemed a good opportunity to check out the reality.
Flicking through the contents, I was impressed with the coverage. While the emphasis is on the user experience, and particularly operation of the “content” facility, Paterson goes into enough detail in enough areas to give the reader a good understanding of much more of Mambo than I had expected. Starting to read, I was initially rather put off by the light, even flippant, tone of the text. At the same time, the Zak Springs Golf Club project sounded complicated and confusing.
As I worked through the book over a week or so, my opinion changed. The chatty style grew on me, and began to lighten what would otherwise be some rather dry material on the ins and outs of building a web site that is not inherently very interesting. In the end, I was enjoying the style more than the substance as I struggled through the technicalities of template modification. And as it turned out, the individual Golf Club examples were simple enough to be good illustrations of the points being explained.
Very good explanations they are for the most part, too. Occasionally Paterson is frustrating, especially for a reviewer, when he fails to cover some important information, only to deal with it a little later. Some clearer forward references in those cases would be very helpful. For example, the discussion of the front page on pages 47 to 50 gives no idea how to control the details of layout, and gives only the barest hint that the information will be given just a bit later on page 60. Otherwise, though, the approach to introducing features is progressive and very effective.
In general, I was surprised and gratified by how much I learned or in some cases put into a better context. Paterson thoroughly reviews the workflow aspects of content development, including making cogent criticisms of the Mambo implementation. Having worked mainly on sites where I had to write everything myself, his descriptions were illuminating. Although evidently defeated by a few of the obscurities of Mambo (I still don't know why some things have both a title and a name, or sometimes a title and a title alias) few aspects of Mambo content are left unexplained. “Content” has been an unfortunate name for what are effectively “articles”. One is left having to point out that there are other kinds of content than “content”.
Likewise, the administrator side of handling “content” is thoroughly explained, using practical examples. There is just one important point that Paterson omits. Every experienced user knows about it (although they often continue to suffer), but beginners need to be warned against taking too long over online composition of content. Mambo will only permit a session to be idle for a certain length of time, commonly 15 minutes. And Mambo thinks the session is idle when it does not see any data being submitted – it has no idea that you are working very hard on the creation of a first class article on an important topic. When you come to save it, Mambo is liable to tell you that you have been logged out for inactivity. In this situation, everything you have written is totally lost. So, although this review is designed for web publication, it is being written offline!
Towards the end, Paterson makes a valiant attempt to describe how to modify a template. Although his suggestions are sound enough, I found this the least successful chapter. Once you engage with this level of development, life becomes very messy and potentially frustrating, as I know to my personal cost! Certainly it is advisable to proceed with caution, making frequent backups of the relevant files. It is quite easy to make a few changes, especially to CSS, only to find that the whole appearance of the site is messed up. Another huge problem for most people is that having created a beautiful layout in one browser, it is quite common to find that it doesn't work at all in another. Few are equipped to carry out comprehensive testing across a range of browsers. For example, the CSS hover and visited techniques suggested by Paterson are liable to fail in some versions of Internet Explorer. A useful addition to the chapter would have been mention of the World Wide Web Consortium's validation site at http://validator.w3.org which will check the validity of a site's HTML. Another small point is that it is generally better to omit the XML declaration that appears on the eighth line of the index.php file of the template described.
The final chapter describes deployment of a web site using a hosting service. As usual, the advice is generally sound. A few supplementary points worth making are:
- FTP is not always reliable for handling large numbers of files – it is better to upload the entire Mambo distribution to the server and expand it in place – most File Managers can do this
- It is tidier and more secure to delete all unnecessary files from the site's base directory – that includes all the files with no extension, changelog.php, configuration.php-dist and install.php – they help hackers to identify the kind of site that is being run which can invite attack
- Mambo 4.6 and 4.6.1 do not use the values in configuration.php for mosConfig_absolute_path or mosConfig_live_site – instead they are derived automatically in order to attempt to adapt to changing circumstances
- File permissions are complex and while Paterson's description is good as far as it goes, there are liable to be further issues – hosting varies a great deal and it is impossible to give universal advice – and there are special problems with components such as galleries or file repositories
- The suggested .htaccess changes are liable to damage any module that has its own images
- Mambo's statistics gathering facility can be a very big overhead and is best switched off – good hosting services provide much better tools for getting site statistics
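The second point in the list above, as an added example (not code from the book or from the Mambo project): a shell function that lists, without deleting, the leftover distribution files the review names in a site's base directory. Reading "no extension" as "no dot in the file name" is an assumption, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report leftover distribution files in a Mambo base directory.
# It only lists candidates; removal is left to the administrator after review.

# File names come from the review's list. "No extension" is interpreted as
# "file name contains no dot" (assumption), so .htaccess is not reported.
audit_webroot() {
    dir=$1
    find "$dir" -maxdepth 1 -type f \
        \( ! -name '*.*' \
           -o -name 'changelog.php' \
           -o -name 'configuration.php-dist' \
           -o -name 'install.php' \) \
        -exec basename {} \; | LC_ALL=C sort
}

# Constructed sample layout (not a real Mambo tree) so the check runs offline.
make_sample_site() {
    site=$(mktemp -d)
    for f in index.php configuration.php .htaccess LICENSE INSTALL \
             changelog.php configuration.php-dist install.php; do
        : > "$site/$f"
    done
    mkdir "$site/includes"
    : > "$site/includes/README"   # below the base directory: not reported
    echo "$site"
}

# Demonstration run against the constructed tree.
demo_site=$(make_sample_site)
echo "Leftover files in base directory:"
audit_webroot "$demo_site"
rm -rf "$demo_site"
```

Run `audit_webroot /path/to/site` against the real base directory and review the list before deleting anything; configuration.php and index.php are deliberately not matched.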
Given the importance of security on web sites, it is perhaps worth pointing out some issues that are not fully covered by Paterson, possibly because of the timing of the writing of the book.
- The most important is that extCalendar 0.91 is vulnerable to exploits, and you should always use the revised 0.92 version (you can download it here, view the discussion in our forum)
- An MD5 hash of an alphanumeric string is actually quite easily reversed using brute force – it is a pity that Mambo restricts passwords to alphanumeric (for no particularly obvious reason)
- If you really dislike a user, it is better to leave them disabled than to delete them, as this will prevent them from simply signing up all over again (assuming the more secure choice of insisting on unique email addresses has been chosen)
- Personally, I'd prefer Mambo to email administrators even on the creation of users by the administration side, just as a security precaution
- Preventing access to a component by setting the level of access for the associated menu entry was insecure prior to Mambo 4.6 and attempting to make it secure created a good many other problems which some people have solved by defeating the security fixes
- Although tightening up on file permissions may be a good idea, if a hacker has reached the point of being able to execute arbitrary PHP, the site (and possibly the server) is lost
Each chapter ends with a summary. It is quite short and obviously didactic in intent. But it is a good idea to review what a chapter has covered, and helps to commit more of the material to memory. There is also a reasonably good index so that it is possible to refer back to significant points later. By the time I reached the end of the book, I had learned quite a lot, and will continue to refer back to Paterson's descriptions. I'd recommend anyone who is serious about building a Mambo based web site to buy the book. It is the nearest thing I've yet seen to a Mambo user manual.
1 March 2007
Copyright © 2007 Martin Brampton
“Learning Mambo – A Step-by-Step Tutorial to Building Your Website” by Douglas Paterson
Published by Packt Publishing http://www.packtpub.com