Don’t overlook username limitations

One item I often see overlooked when building a website with user profiles is the set of usernames you refuse to issue. The obvious exclusions are names like ‘admin’, ‘staff’ and ‘system’, but I’d suggest a wider blacklist. If your site offers short profile URLs or virtual subdomains, a username doubles as a path segment or a hostname, so the list should also include names like ‘account’, ‘secure’ and ‘redirect’: whoever registers one of those gets a page under your domain that reads like part of the site itself, which is exactly what a phishing link wants.
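As an added illustration (not code from the original post), here is a Python validator that builds the blacklist idea out. The reserved list, the length limits and the route-name parameter are assumptions chosen for this example; the caller is expected to pass its own router’s top-level route names so the check follows the real site rather than a hand-maintained list alone. It normalizes the candidate before checking, because a reserved-name check run on the raw string is bypassed by ‘Admin’ or by the fullwidth ‘ａｄｍｉｎ’.

```python
import re
import unicodedata

# Illustrative reserved list (an assumption of this example, not the post's own).
# First group: names that imply authority over the site. Second: application
# routes that a short profile URL (/username) would shadow. Third: hostnames
# that a virtual subdomain (username.example.com) would shadow.
RESERVED_USERNAMES = frozenset({
    "admin", "administrator", "root", "staff", "system", "support", "security",
    "abuse", "postmaster", "webmaster", "hostmaster", "noreply",
    "account", "accounts", "login", "logout", "signup", "register", "settings",
    "password", "reset", "redirect", "api", "oauth", "callback", "static", "assets",
    "www", "mail", "smtp", "imap", "ftp", "secure", "ssl", "cdn", "mx",
    "ns1", "ns2", "autodiscover", "autoconfig", "localhost",
})

# Letters, digits and inner hyphens only: valid both as a URL path segment and
# as a DNS label, which is what a virtual subdomain turns the username into.
USERNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
MIN_LEN, MAX_LEN = 3, 32


def normalize_username(raw: str) -> str:
    """Canonical form used for the reserved check and for uniqueness.

    NFKC maps compatibility characters onto their ASCII counterparts, so the
    fullwidth 'ａｄｍｉｎ' becomes 'admin'; casefold() then removes case.
    Store and compare this form, or 'Admin' and 'admin' become two accounts.
    """
    return unicodedata.normalize("NFKC", raw).strip().casefold()


def validate_username(raw: str, route_names: frozenset = frozenset()) -> tuple:
    """Return (accepted, reason).

    route_names is the caller's own set of top-level routes (hypothetical
    parameter), so the check can follow the real router as routes are added.
    """
    name = normalize_username(raw)
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return False, f"length must be {MIN_LEN}-{MAX_LEN}"
    if not USERNAME_RE.fullmatch(name):
        return False, "only a-z, 0-9 and '-', not at the start or end"
    # 'xn--' is the prefix of an internationalized DNS label; a username that
    # starts with it would render as arbitrary Unicode in a subdomain.
    if name.startswith("xn--"):
        return False, "reserved prefix"
    if name in RESERVED_USERNAMES or name in route_names:
        return False, "reserved"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("jane-doe", "Admin", "ａｄｍｉｎ", "secure", "-jane", "xn--80ak6aa92e"):
        print(f"{candidate!r:20} -> {validate_username(candidate)}")
```

Run the same normalize_username() on the value you store and on the value you look up, and apply the reserved check at registration time and again in the router (a 404 for a reserved segment), because the blacklist only protects routes that existed when the list was written.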

Security isn’t easy. Hopefully this helps you add yet another layer of protection to your site or client project. Username blacklists – added to the checklist.


I spent my first 27 years growing up in rural America. The 80’s weren’t Mayberry but it still felt like many of the same qualities existed. Small family stores and friendly neighbors were the norm. Moving to the largest city in Ohio some 8 years ago was originally a bit of a shock. Navigating the highways, one way streets and the larger 4 lane variety didn’t initially come naturally. Sure enough, with time my comfort level rose and now life in the big city is the norm.

On this primary election day, I can’t help but think about the parallels with the political side of things as well. While many people I grew up with continue to live in the same general area, fewer of us moved on to a different life. When I see friends in different geographic areas express absolute positions on a number of hot topic issues and arrive at different conclusions, I can’t help but attribute it in part to perspective – specifically geographic and economic perspective.

I feel privileged for the opportunity to have experienced both rural and city life. Extreme conservative, Bible-loving farmer? I understand where they’re coming from. Ultra liberal, over-educated career academic? I understand them too. With perspective comes understanding. It’s funny to look at the wide array of opinions from my Twitter, Facebook, and Instagram friends. I’m not exaggerating in saying they cover every position on the board.

Without getting extremely political on this I’ll just say this – I respect whoever you vote for. However, I’d also like to say I hope that person is not Trump.


Current Podcast Playlist

I consume too many podcasts but I can’t give any of them up. Here’s the current list:

If you have any recommendations let me know!


You don’t need that mobile app

Last year I was in a meeting with a client that was pitching us on writing the specs for a mobile app and possibly building it after a bidding process. While everyone in the room furiously pitched grand ideas and started making lists on the whiteboard, basic questions remained unanswered. I couldn’t let them go unaddressed, so I asked the following:

What is the business case for this mobile app? What would it accomplish that you currently don’t (or can’t) offer? What requires it to be a mobile app? Is there a better way to accomplish these things?

To this day those questions are still not answered. Luckily the project didn’t move forward. What was really taking place was that some executive had said “our competitors made an app and we need one too”. Never mind that it may have been a huge waste of money for the other companies. The client also stated that they didn’t see any value in the competitor’s app. Checkbox envy can be costly.

The web industry can sometimes get a bad rap for some of the crazy ideas that investors put money into, the outrageous development costs for some government websites ( anyone?) and the cesspool of people willing to just take your money.

I refuse to take money for projects that I know will fail. Whatever form of karma that I believe in won’t let me do it. I don’t have a formal questionnaire or checklist, but here are some of the questions that I believe should be part of the early project discussion:

  • What business goal(s) are we looking to support with this project?
  • What will make this project a success?
  • What work, time and budget will that require?
  • What assumptions, risks and external factors are we aware of?
  • What platforms can this be made available on (mobile/native, web)?

So I could have pitched whatever version of an app the client wanted and been rewarded monetarily in the short-term, but I’ve instead slept well for the last year knowing that I didn’t just take the money and run. That’s helped me build a portfolio that I’m proud of and promotes the world I want to live in.

99 problems but a design ain’t one

I’ve recently seen a couple of high profile people publicly give next to zero value for design. I may be a developer but I can’t believe this is going on. When starting up my new venture the first person I called/paid was an accountant, the second a lawyer and the third was a designer.

Logo design, branding, print, or digital work needs to be budgeted for and categorized as a long-term asset for your business. Playing the cheap card on a logo or brand palette shows up when you apply it to your business cards, invoices, promotional swag, or website. That’s why I can’t fathom going to 99designs or oDesk/Upwork for this category of important work. Spending $1,000-2,000+ on an identity shouldn’t be a problem for any serious business. We have no issue valuing the business idea (most likely worthless), development (not complaining about this one) or business coaching/advising, so what makes design so different?


Launching a Newsletter

I’m excited to finally announce the launch of a monthly newsletter full of the top resources that I’ve compiled. I’ve long shared resources via twitter and this new list will act as a digest of the top 5 to 15 items. I’ll also be adding additional commentary and share a mix of other helpful tips.

The first issue is scheduled for February and you can sign up today.

It’s a great time to be a PHP developer

It’s important that we be true to ourselves. PHP had a number of frustrating, dark years and some great developers jumped over to Ruby on Rails, Python, Go and other languages. I can’t fault them for their move.

PHP has me excited again. After being close to making the switch myself, I’m happy that I stuck it out. Working with Composer, Laravel, and a number of great packages over the last couple of years, I can say that PHP is back. The modular direction, open sharing of knowledge and resurgence in energy are all pointing to a great future.

What will the most popular web languages be in 10 years? It’s hard to say. But, PHP is the most used language, has the most common CMS, and I’m comfortable calling it home for the foreseeable future.

P.S. If you happen to reside in Ohio, consider attending ColumbusPHP or OhioLaravel. I’d love to put a real face to your avatar. 


Latest Slideshare Content: Digital Literacy & Modern Web Security

Digital Literacy – Basic Technical Concepts (Session 1)

As part of my current role at LMG, I’m tasked with bringing the entire team into the digital space, and filling in any knowledge gaps that may exist. I’ve received some helpful feedback from the first session so far, but would always welcome more.

Modern Web Security

I recently spoke at the Dayton Web Developers meet up on the topic of security and thought I’d share it here as well.

Understanding Digital QA

A couple of weeks back I attended a local QA (Quality Assurance) conference in Columbus and I’d like to share some of the topics and insights presented.

#1 Testing Types

Unit Tests
These are small tests written by a developer that check that a small bit of code functions correctly. An example would be checking that a request to list all customers in fact returns all customers. There will typically be a large number of these and they should cover the core of the website or application. These tests are run by a developer during the course of development and before each release. They can and should be set up to be highly automated.

Integration Tests
Tests written by a developer that verify modules work correctly together. An example would be that when a user is submitted to the signup service all of the steps in the process complete successfully (the user is created in the database, added to the newsletter, and the welcome email is sent). These tests are run by a developer during the course of development and before each release. They can and should be set up to be highly automated.

Acceptance Tests
Tests that check the website or application behaves in the expected manner from within a browser (or API), which includes page elements, interactivity/functionality, and error handling. An acceptance test could cover entering user login data, clicking on the login button, and checking for the result. These may be run manually, but should also be automated when possible. These are run by end users, project managers, and developers.

Manual Tests
While manual tests may include acceptance tests, they should also be used to cover UI appearance and link locations. Manual testing should be completed primarily by the end client and project manager, but it’s recommended that all parties participate.
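An added example, not from the conference or the original post, showing the unit/integration distinction on the signup flow described under Integration Tests. The SignupService and its three collaborators (an in-memory users store, a fake newsletter client and a fake mailer) are constructed for this illustration; the failing-step case at the end shows the kind of defect an integration test catches that the unit test of any single module cannot.

```python
"""Unit vs. integration tests for a signup flow (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class InMemoryUsers:
    """Stand-in for the users table. The unit test exercises this on its own."""
    rows: dict = field(default_factory=dict)

    def create(self, email: str) -> dict:
        if email in self.rows:
            raise ValueError(f"duplicate user {email}")
        self.rows[email] = {"email": email}
        return self.rows[email]

    def delete(self, email: str) -> None:
        self.rows.pop(email, None)

    def list_all(self) -> list:
        return list(self.rows.values())


@dataclass
class FakeNewsletter:
    """Stand-in for the mailing-list provider; `fail` simulates an outage."""
    subscribed: list = field(default_factory=list)
    fail: bool = False

    def subscribe(self, email: str) -> None:
        if self.fail:
            raise RuntimeError("newsletter provider unavailable")
        self.subscribed.append(email)


@dataclass
class FakeMailer:
    """Stand-in for the transactional mail sender."""
    sent: list = field(default_factory=list)

    def send_welcome(self, email: str) -> None:
        self.sent.append(("welcome", email))


class SignupService:
    """Module under integration test: create user, subscribe, send welcome.

    If a later step fails the user row is removed again, so a half-finished
    signup does not leave an account that never got its welcome email.
    """
    def __init__(self, users, newsletter, mailer):
        self.users, self.newsletter, self.mailer = users, newsletter, mailer

    def signup(self, email: str) -> dict:
        user = self.users.create(email)
        try:
            self.newsletter.subscribe(email)
            self.mailer.send_welcome(email)
        except Exception:
            self.users.delete(email)   # compensate, then let the caller see the error
            raise
        return user


# --- unit test: one module, no collaborators ---------------------------------
def unit_list_all_returns_every_customer() -> bool:
    users = InMemoryUsers()
    for email in ("a@example.com", "b@example.com", "c@example.com"):
        users.create(email)
    return sorted(u["email"] for u in users.list_all()) == [
        "a@example.com", "b@example.com", "c@example.com"]


# --- integration tests: modules wired together --------------------------------
def integration_signup_completes_every_step() -> dict:
    users, news, mail = InMemoryUsers(), FakeNewsletter(), FakeMailer()
    SignupService(users, news, mail).signup("new@example.com")
    return {
        "in_db": "new@example.com" in users.rows,
        "subscribed": news.subscribed == ["new@example.com"],
        "welcomed": mail.sent == [("welcome", "new@example.com")],
    }


def integration_failed_step_leaves_no_orphan_user() -> dict:
    users, news, mail = InMemoryUsers(), FakeNewsletter(fail=True), FakeMailer()
    try:
        SignupService(users, news, mail).signup("new@example.com")
        raised = False
    except RuntimeError:
        raised = True
    return {"raised": raised, "user_rows": len(users.rows), "emails_sent": len(mail.sent)}


if __name__ == "__main__":
    assert unit_list_all_returns_every_customer()
    assert all(integration_signup_completes_every_step().values())
    assert integration_failed_step_leaves_no_orphan_user() == {
        "raised": True, "user_rows": 0, "emails_sent": 0}
    print("ok")
```

The fakes keep the integration test fast and runnable on every commit; the same test bodies can later be pointed at a real database and sandbox providers in the test environment described below, which is where the differences between a fake and the real service surface.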

#2 Costs of Failure

The cost of failure gets more expensive as you work through the process (up the triangle), and as such, errors should be caught as early as possible. In an optimal scenario unit tests will cover all of the components, integration tests will test all systems, and acceptance tests will test all interfaces (or at least the user stories), leaving manual testing as an efficient final formality.

QA Triangle

#3 Testing Environment

Web testing environments should mirror the production environment as closely as possible, so that behaviour verified in testing carries over to production. Because physical infrastructure can be costly to replicate, most web applications can be efficiently hosted on a virtualized platform, bringing full testing environments within reach of nearly all budgets.

Environments should use a copy of production data and connect to live APIs whenever possible. Two cautions: a test environment is rarely protected as well as production, so a production copy containing personal or otherwise sensitive data should be masked or anonymized before it lands there, and where a live API has side effects (payments, outbound email, SMS) use the provider’s sandbox endpoint rather than the real one.

#4 Maximize Automation

Whenever possible, opportunities to utilize automation should be taken to decrease testing time, reduce errors, and increase release timeliness. However, automation will take additional time to set up and may not be the best option for short, non-recurring projects. Having a fully automated test suite allows for agile projects, continuous integration, and generally a higher confidence in quality.

#5 Whole Team Approach

Effective testing includes a whole team approach, shared information, straightforward results, and a commitment to quality. No one party will have full exposure to the entire lifecycle of the project, requiring testing from multiple parties.

Additional QA(ish) Testing

Load Testing
Tests the amount of concurrent traffic a website can handle before becoming unresponsive or unusable. This may also test that a site automatically scales correctly, if the platform is designed to automatically add servers during periods of high activity.

Security Testing
Tests the system for exploits that leak sensitive data or allow unauthorized access. Security tests can include third-party scans, penetration testing, and white-box security testing.

Disaster + Recovery
Tests that cover the procedures when the environment fails and the reliability of backups. If the environment is designed for high availability, this could test automatic or manual fail-overs for each geographic zone.

Performance Testing
Tests the load time for the website or application. These will focus on server response times, number of resources (images, scripts, etc.) requested, and optimization techniques utilized.

Accessibility Testing
Tests that accessibility criteria are addressed, which includes image alternate text, proper headings, and other Section 508 guidelines. Many commercial sites must handle accessibility properly or be subject to litigation and/or heavy fines.

Conference Resource