March 19, 2011

Learning from others' mistakes - move configs out of your boot loader

I'm a keen believer in learning from other folks' mistakes and trying not to repeat them. Source code disclosure, and even worse, configuration disclosure, is what happened with Tumblr. One thing to remember: if you keep your application's configuration outside your webroot, you reduce the chance of accidentally disclosing it. Typically one could even do something like:


    <?php
    // index.php sits in the webroot; bootstrap.php lives one directory above it, outside the document root
    require_once dirname(dirname(__FILE__)) . '/bootstrap.php';

Rather than having everything in your index.php file, separate your configuration directives out into a configuration file outside the webroot and modify that when making changes.

One can use a version control pre-commit script to check that you've not borked the file. Checking that files named *.php are actually PHP scripts (rather than plain text) is one way of doing this: foo.php contains a PHP script starting with <?php, while bar.php has the same code but without a valid opening tag, so the file(1) command no longer recognises it as PHP:

$ file foo.php 
foo.php: PHP script text
$ file bar.php 
bar.php: ASCII text
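The same check, as an added Python example (not code from the original post): it reproduces the file(1) test above, so a *.php file that no longer starts with a PHP open tag is rejected before it can be committed and served to clients as plain text, configuration and all. The file names and contents in SAMPLE_FILES are constructed stand-ins for foo.php and bar.php, and the staged-file lookup assumes git; the check itself does not depend on the version control system.

```python
"""Pre-commit check: refuse *.php files whose PHP open tag is missing or mangled."""
import re
import subprocess
import sys
from pathlib import Path

# A PHP script may begin with an optional "#!" interpreter line, then the open
# tag "<?php" (case-insensitive) followed by whitespace or end of file.
OPEN_TAG = re.compile(rb"\A(?:#![^\n]*\n)?<\?php(?:\s|\Z)", re.IGNORECASE)


def classify(data: bytes) -> str:
    """Mirror of the file(1) test: "php" if the content starts with a valid open tag, else "text"."""
    return "php" if OPEN_TAG.match(data) else "text"


def check_files(files: dict) -> list:
    """Return the names of *.php entries whose content would be served as plain text."""
    return sorted(name for name, data in files.items()
                  if name.endswith(".php") and classify(data) != "php")


# Constructed sample contents standing in for the post's foo.php and bar.php.
SAMPLE_FILES = {
    "foo.php": b"<?php\nrequire_once dirname(dirname(__FILE__)) . '/bootstrap.php';\n",
    # same code, but the "<" of the open tag was lost in an edit
    "bar.php": b"?php\nrequire_once dirname(dirname(__FILE__)) . '/bootstrap.php';\n",
    # a UTF-8 byte-order mark before the tag is sent to the client before any
    # header can be set, so it is flagged as well
    "baz.php": b"\xef\xbb\xbf<?php\necho 'x';\n",
    "notes.txt": b"plain notes, not checked\n",
}


def staged_php_files() -> dict:
    """Contents of the staged *.php files; assumes a git checkout."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split("\n")
    return {n: Path(n).read_bytes() for n in names if n.endswith(".php")}


if __name__ == "__main__":
    bad = check_files(staged_php_files())
    for name in bad:
        print(f"{name}: not a PHP script (open tag missing or mangled)", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

Installed as a pre-commit hook, a non-zero exit aborts the commit; running check_files() on SAMPLE_FILES flags bar.php and baz.php and leaves foo.php alone.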

February 22, 2009

No Smarty

If you've not heard about it yet, there is now a website advocating not using Smarty. The time for using Smarty has gone, but it makes one wonder whether Flickr, Facebook, etc. are still using it.

August 9, 2008

So long and thank you for all the fish, PHP4

It's finally EOL time for PHP4, and they sneaked out a PHP 4.4.9 release a day later. Not too many changes in 4.4.9.

August 3, 2008

Grab PEAR via CVS if you need it

Quick note that the PEAR installer is missing (go-pear.org has expired and has been snapped up by some cybersquatters) and http://pear.php.net/go-pear renders a 404. So the current solution is to grab the go-pear installer from CVS:


    curl "http://cvs.php.net/viewvc.cgi/pearweb/public_html/go-pear?revision=1.118&view=co" | php

Cool, the pearweb crowd have fixed go-pear via http://pear.php.net/go-pear :)

March 27, 2008

PEAR on a Shared Host

So sometimes one needs a standalone version of PEAR. Check out the instructions on how to do an installation of a local PEAR copy on a shared host.

This is quite useful when you are forced into using a clueless shared host who only has the bare PEAR installation on their servers and has never considered installing DB, Mail, Net_SMTP, etc., which lots of people use instead of reinventing the wheel with each project. The added bonus of having and using your own standalone installation of PEAR is that you're able to install and upgrade it as your needs arise.

January 22, 2007

Version controlled home directory?

Evert mentioned that he is keeping his home directory in subversion.

I tend to have two setups: a full and a basic home directory, version controlled using subversion. Previously I used CVS.

The basic one gets checked out at the webhosts, etc. which I use. The full one gets checked out at work and basically ensures that I have some level of sanity with my shells. I'm using svk to do revision control with subversion.

What's in my version controlled home directory:

The only difference between the two currently is that the work one has a few extra directories set up. I tend to use svk for work.

January 6, 2007

PEAR::DB alike wrapper for PEAR::MDB2

Chatted to Lukas earlier today, and discovered that he has already done the hard work and created a PEAR::DB wrapper for PEAR::MDB2. So now is definitely a good time to look at upgrading to PEAR::MDB2 from PEAR::DB seeing that PEAR::DB is deprecated.

This package has been superseded by MDB2 but is still maintained for bugs and security fixes.

December 26, 2006

Smarty tip for including multiple javascript files

I was looking at an article by Yahoo's Cal Henderson called Serving JavaScript Fast.

Previously one would have a good chunk of lines to include different javascript files depending on what your form required for effects, etc.:

<script src="/js/menu.js" type="text/javascript"></script>
{if $js eq 'formupload'}
<script src="/js/prototype.js" type="text/javascript"></script>
<script src="/js/effects.js" type="text/javascript"></script>
<script src="/js/upload.js" type="text/javascript"></script>
{elseif $js eq 'formuploadnewsimage'}
...
{/if}

And in the template file where you include the header.tpl file you would specify which set of javascript files to also include:

{include file="header.tpl" js="formupload"}

I decided to spend a bit of time actually getting Cal's code (saved to plugins/insert.js.php) to work, and discovered that you can't invoke it the way the example shows:

{insert_js files="foo.js,bar.js,baz.js"}

I ended up having to invoke it using the insert tag with name set to js, so that it runs the smarty_insert_js function in the plugins/insert.js.php file mentioned above:

{insert name="js" files="foo.js,bar.js,baz.js"}

December 1, 2006

PHP links from around the web

Some PHP related links from around the web:

Remember: be nice to byte code caches

Mr pooteeweet, aka Lukas Smith, reminds us that the voodoo magic behind PHP's autoload functionality does not play nicely with PHP opcode caches. Be sure to read what Rasmus Lerdorf, our PHP BDFL, says about how autoloading affects opcode caching (or rather, the lack of it) and the problem with adding that sort of dark voodoo magic into PHP.

Autoload is kinda convenient. Especially since in PEAR we have such a clear mapping of class name to file name. I do not really understand why some libraries and projects have these insane class name to file name mappings like ez Components and I think symfony also has them. Anyways while it seems kind of nice one must be wary of the idea that they speed up your code. If you are running a byte code cache (which anyone who cares about performance of course does) you will get quite the opposite. Here is Rasmus's answer on this taken straight from #php.pecl:

Trusted Zend Extensions

PHP's own Stefan Esser reminds us how evil IonCube's and Zend's "trusted extensions" checks are; he has had to spend time implementing stealth loading features in order to bypass the Zend checks. I'd prefer that the Suhosin patch for PHP, which provides additional security functionality for the PHP internals, be applied to PHP itself rather than being a separate patch. On FreeBSD the Suhosin patch is enabled by default, which is good news for users at hosting companies like TextDrive (although they are only upgrading to the 5.2 branch after 5.2.1 or 5.2.2 is released).

Everyone that has used IonCube or Zend tools has most probably experienced the problem that both companies ship extensions that backdoor PHP in a way that only those extensions can be used that they consider trusted. On pages like this they claim this is another (optional) security feature. In reality it does not offer any additional security, because everyone who is able to install Zend Extensions on a server is also able to directly patch the untrusted code into the PHP installation.

The most likely real reason for these backdoors is to keep Open Source alternatives to their products away from the PHP installation.

Because of this the Suhosin extension already contains stealth loading features that are able to bypass the Zend checks. Unfortunately until today I was not aware that IonCube comes with a similar protection that is only activated if the encoded files request it. Of course future Suhosin versions will work their way around this backdoor.

However I decided to take further actions against this kind of anti-open-source actions and will create a patch against the PHP codebase (that will also be added to Suhosin-Patch) that will introduce the concept of extension trust. The basic idea behind this feature is that the admin can give different trustlevels to extensions, so that an extension can only see those of a lower trustlevel. Additionally it will not be possible for an extension to learn its own trust level so that the encoder backdoors cannot demand to have the highest trustlevel.

From my point of view it is really sad, that companies with a business model based on extensions and support for open source take such drastic steps against open source products.

Zeev mentions a couple of things in his response to the post, about them trying to ensure compatibility, and thread safety issues. Those lovely mutex locks, as Clive keeps reminding me, are the necessary evil of making code thread safe.

Stefan,

First, your use of the word 'backdoor' is simply wrong in my humble opinion. The word backdoor has nothing to do with what these extensions are doing - preventing potentially incompatible extensions from loading. Backdoor is a word with security connotations, so I'd appreciate it if you changed the text to reflect the fact that they 'change the behavior' or 'patch' or whatever. It's definitely not backdoor.

Secondly, the reason we (Zend) do this is to ensure compatibility. Most of the engine extensions out there are incompatible with Zend products, because they change the behavior of PHP in a way that can potentially prevent some of the hacks that we do in our products from working. I can't speak for ionCube, but as far as Zend's concerned, it's definitely not an issue of security - it's an issue of compatibility and support.

If you want to make Suhosin load in stealth mode that's entirely up to you, but it does mean that it may cause incompatible Zend extensions that make certain assumptions to crash or misbehave. I can tell you that we at Zend are now considering whether we would like to officially support systems that have Suhosin installed on them. If & when that happens, it would mean that we test our products with Suhosin installed to ensure that there are no incompatibilities or bugs in either product that trigger unwanted symptoms when they meet each other.

November 2, 2006

Interesting links from around the web

Some interesting links from around the web:

Are Lines of Code really a measure of either success, productivity or popularity?:

The title PHP Eats Rails for Breakfast and subtitle Despite the buzz around sexy new frameworks like Rails and Django, PHP is more dominant than ever initially commits the same fallacy that others have and that is to compare frameworks (Rails and Django) with programming languages. And then the suggestion becomes that one can interchangeably use Rails and Ruby, Django and Python.

Working Backwards:

In the fine grained services approach that we use at Amazon, services do not only represent a software structure but also the organizational structure. The services have a strong ownership model, which combined with the small team size is intended to make it very easy to innovate. In some sense you can see these services as small startups within the walls of a bigger company. Each of these services require a strong focus on who their customers are, regardless whether they are externally or internally. To ensure that a service meets the needs of the customer (and not more than that) we use a process called “Working Backwards” in which you start with your customer and work your way backwards until you get to the minimum set of technology requirements to satisfy what you try to achieve. The goal is to drive simplicity through a continuous, explicit customer focus.

October 29, 2006

Zend meet valgrind, valgrind meet Zend

Nothing funnier than reading a post from Stefan Esser tonight titled "Dealing with ZendOptimizer Support":

Yesterday I blogged about the fact that Suhosin-Patch is now activated by default in FreeBSD and that this will cause problems for Zend, because the ZendOptimizer accesses already freed memory which will be punished when running with a security patch that protects memory with canaries.

I also blogged about the fact that my bugreport to Zend from 3 weeks ago was simply ignored. This changed today, when a woman from Zend contacted me. (What a coincidence...)

Well, under normal circumstances you are happy when a company reacts to bug reports, but not when you realize that you ended up with someone from second level support. Of course her first reaction was to blame this problem on a wrongly used ZendGuard. After that I replied to her that the problem is that Zend Optimizer is using already freed memory and that all Zend needed to reproduce this was to use a debug PHP and a ZendGuard encoded file that uses classes. And that it also might be a good idea to use valgrind on ZendOptimizer, because it will show lots of accesses to not properly allocated memory.

The response from the Zend Support lady was that according to her knowledge it is not possible to use the released ZendOptimizer with a debug PHP. She was happy to have resolved my issue with this response and if I need further technical assistance I should not hesitate to contact her.

I don't know if I should laugh or cry about this kind of support. Maybe I should just do it the Zend way: when someone tries to load a Zend product into a Suhosin-Patched PHP write a big warning message to the error log. ZendOptimizer for example does refuse to work whenever it detects a 3rd party Zend extension not in Zend's whitelist.

Maybe Zend and Andi should start hiring clued up support staff?

It's good to know that the Suhosin-Patch is enabled by default on FreeBSD. :)

October 27, 2006

CTPUG and CTMUG Meetups

The November 2006 meetups for the Cape Town PHP Users Group and the Cape Town MySQL Users Group are going to be happening on Thursday the 2nd of November. Please RSVP to either of the meetups, or both, if you are going to attend.

September 20, 2006

Postgresql Project uses MySQL

Interesting to hear that the Postgresql Project, who claim to have the world's most advanced open source database, use MySQL to power their website!

As embarrassing as it is to say, we've been using the MySQL version of phpAdsNew for almost a year now ... it's the only one we could find that could actually keep up with the # of hits that the web sites are getting :( Even with pg_autovacuum running ...

Obviously, it wasn't something I particularly wanted to *advertise* :(

September 1, 2006

New APC Dev List

Discovered that there is now a mailing list for APC Development.

I've subscribed. Have you?

August 2, 2006

Cape Town PHP Users Group Meeting

The Cape Town PHP Users Group will be having our "first" get together on the first Thursday of September 2006 (2006-09-07).

July 31, 2006

Audio to Rasmus's PHP for Rich Internet Applications

Rasmus Lerdorf led OSCON attendees through a series of optimizations for modern web applications using PHP at O'Reilly's Open Source conference today. Most programmers use default installations and configurations for their web applications and never really dig deep within their stack or their own code to optimize page load and latency. The full slides from Rasmus's talk are available online and I recorded audio of the entire session from the front row.

Read more over at Niall's blog

May 13, 2006

Zend: Extension Writing Tutorials - Resources (Part 3)

Via phpdeveloper.org:

The Zend site has published part three of their "Extension Writing" tutorials, this time focusing on the management of resources in your extensions.

Up until now, you've worked with concepts that are familiar and map easily to userspace analogies. In this tutorial, you'll dig into the inner workings of a more alien data type - completely opaque in userspace, but with behavior that should ultimately inspire a sense of deja vu.

They start things off by describing what resources are in the Zend Engine, initializing your resources, using them, and destroying them. They mention different kinds of resources, including normal and persistent resources. There's code for each step of the way, including a sanity check at the end.

May 3, 2006

How do I invoke the Zend Framework?

There is a comment on the Zend Framework Tutorial showing how Chris invokes the ZF, which looks slightly different from how I'm invoking it:

    <Directory "/path/to/webroot/">
      <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule . /index.php [L]
      </IfModule>
    </Directory>

May 2, 2006

PHP 5.1.3 has been released

Ilia has released another release on the PHP 5.1 branch: PHP 5.1.3.

The PHP development team is proud to announce the release of PHP 5.1.3. This release combines a small number of feature enhancements with a significant amount of bug fixes and resolves a number of security issues. All PHP users are encouraged to upgrade to this release as soon as possible. Some of the key changes of PHP 5.1.3 include:
  • Disallow certain characters in session names.
  • Fixed a buffer overflow inside the wordwrap() function.
  • Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
  • Enforce safe_mode for the source parameter of the copy() function.
  • Fixed cross-site scripting inside the phpinfo() function.
  • Fixed offset/length parameter validation inside the substr_compare() function.
  • Fixed a heap corruption inside the session extension.
  • Fixed a bug that would allow variable to survive unset().
  • Fixed a number of crashes in the DOM, SOAP and PDO extensions.
  • Upgraded bundled PCRE library to version 6.6
  • The use of the var keyword to declare properties no longer raises a deprecation E_STRICT.
  • FastCGI interface was completely reimplemented.
  • Multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions.
  • Over 120 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 5 ChangeLog.

April 13, 2006

Block silly scrapers using PHP

This evening I sat down for a couple of minutes to write a script to block idiots who run scripts that just grab pages from one's website, and abusive search engines.

April 12, 2006

More PHP Blogs that are not on Planet PHP

Something funky is up with Shiflett's regex, which does some weird things to comments there, so here I'm adding a list of South African PHP blogs which are not on Planet PHP, continuing from here.

Here in South Africa, we have various people who blog about PHP on their blogs:

Chris has a couple of blogs listed which I also read including:

March 21, 2006

Guess who's running ezPublish?

Zend have quietly moved over to ezPublish. Quite an interesting move, considering that I ran ezPublish on a box a few years ago, circa 2003, and had issues with slow performance. I've preferred rolling out my own CMS solutions rather than using Mambo / Joomla / ezPublish, or shopping carts such as osCommerce for example.

I'm definitely going to look at the latest version of ezPublish in the near future.

March 9, 2006

Die magic_quote*, safe_mode and register_globals

Good news: in PHP6, register_globals, magic_quote* and safe_mode have been banished to /dev/null. About time that this occurred. I'm ecstatic about this!

Zend Framework 0.1.2 released

The guys over at Zend have released an update to their Zend Framework:

Not even a week past our initial release and we have already updated the preview thanks to many great emails and especially our growing community on the mailing list. This release includes bug fixes, the unit test suite, and additional documentation.

The response from our first release was overwhelmingly positive and we're upgrading our servers to cover the demand so we can open the Subversion repository shortly -- we expected the demand to be high but it exceeded even our expectations. The response from the community has been amazing with several new contributors signing on to submit code and new proposals on the table. This will be the first of many frequent updates on the road to 1.0. Please see the changelog included with the new download and enjoy the release!

Changes that have occurred to the framework:

Zend Framework                                                             NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
=RELEASE 0.1.2 / 8-Mar-2006=
- Unit test suite is now included. (Mike)
- Docs for Zend_Controller are now included. (Mike)
- Coding standards were out of date. Reported by Steph Fox. (Mike)
- Fixed default charset in Zend_Mail constructor. Reported by Jakob Buchgraber. (Mike)
- Fixed several Zend_Filter methods. (Chris)
- Fixed JSON datum encoding.  Reported by Edwin Vlieg. (Mike)
- Fixed FormRadio Helper.  Reported by AJ Tarachanowicz. (Chris)
- Fixed Zend_Uri_Http to work with new Zend_Filter. (Chris, Mike)
- Docs for the Zend_Db::factory() method were incorrect.  Reported by Dinh. (Chris)
- Zend::loadClass() now works inside __autoload().  Reported by Rob Allen. (Mike)
- Fixed notices from Zend_Pdf_Element_Dictionary.  Reported by Ralf Eggert. (Alex)
- Fixed notices from Zend_Search_Lucene_Index_SegmentWriter.  Reported by Jared Williams. (Alex)
- Removed defunct Zend_Db_DataObject docs. (Mike)
- Added NEWS.txt file (Andi)

March 5, 2006

Zend Framework for PHP5

The vapourware finally materialised yesterday. I've taken a cursory look at the Zend Framework for PHP5.

It is not all that it's cracked up to be. :( I was expecting to see more, but Zend and their contributors have renamed files since the directory listing appeared on one of the contributors' blogs a few months back.

   % ls                                                                          
   CVS            ZDBAdapter      ZLog             ZTemplate
   ZActiveRecord  ZException.php  ZPageController  ZUri
   ZController    ZInputFilter    ZSearch

Others are also unhappy with Zend for being slow to release the February preview of the Zend Framework.

According to Zend:

We are glad to finally unveil the Zend Framework project. We have worked hard in the past few months with our partners and the community to get to this stage. We believe the Zend Framework can already be of great use to PHP developers, although we still have a lot of work ahead of us.

From PHP Developer

The Zend group has released today, the initial version of their framework - the Zend Framework Preview Release

They have created a new site just for the framework where you can find downloads, a roadmap for the development, some FAQs about the project, and a manual to get all of the details. There will be instructions on how to access the Subversion repository soon.

Zend Framework is a high quality and open source framework for developing Web Applications and Web Services. Built in the true PHP spirit, the Zend Framework delivers ease-of-use and powerful functionality. It provides solutions for building modern, robust, and secure websites.

March 1, 2006

Poka-yoke and PHP

PHP's Marco Tabini has written an interesting article about applying poka-yoke to PHP code in this month's php|architect magazine.

Poka-yoke limits your options to the point where only one choice – the correct one – is possible.

In the example code he provides, he shows that, when filtering $_GET and $_POST, developers should not be able to just go and set more entries in the superglobals like $_GET['foo'] = 'bar';, and how to return data only via Filter::raw($key) and Filter::html($key), which return the value for the requested key.

February 28, 2006

Rasmus's no-framework PHP MVC framework

Rasmus Lerdorf, PHP's Benevolent Dictator for Life, posted an entry on his blog, The no-framework PHP MVC framework:

So you want to build the next fancy Web 2.0 site? You'll need some gear. Most likely in the form of a big complex MVC framework with plenty of layers that abstracts away your database, your HTML, your Javascript and in the end your application itself. If it is a really good framework it will provide a dozen things you'll never need.

I am obviously not a fan of such frameworks. I like stuff I can understand in an instant. Both because it lets me be productive right away and because 6 months from now when I come back to fix something, again I will only need an instant to figure out what is going on. So, here is my current approach to building rich web applications. The main pieces are:

MVC?

I don't have much of a problem with MVC itself. It's the framework baggage that usually comes along with it that I avoid. Even parts of frameworks can be useful as long as you can separate the parts out that you need. As for MVC, if you use it carefully, it can be useful in a web application. Just make sure you avoid the temptation of creating a single monolithic controller. A web application by its very nature is a series of small discrete requests. If you send all of your requests through a single controller on a single machine you have just defeated this very important architecture. Discreteness gives you scalability and modularity. You can break large problems up into a series of very small and modular solutions and you can deploy these across as many servers as you like. You need to tie them together to some extent most likely through some backend datastore, but keep them as separate as possible. This means you want your views and controllers very close to each other and you want to keep your controllers as small as possible.

Goals for this approach

  1. Clean and simple design
    • HTML should look like HTML
    • Keep the PHP code in the views extremely simple: function calls, simple loops and variable substitutions should be all you need
  2. Secure
    • Input validation using pecl/filter as a data firewall
    • When possible, avoid layers and other complexities to make code easier to audit
  3. Fast
    • Avoid include_once and require_once
    • Use APC and apc_store/apc_fetch for caching data that rarely changes
    • Stay with procedural style unless something is truly an object
    • Avoid locks at all costs

Be sure to read it, as he explains how to rethink using the "all powerful" frameworks out there, which make it much more difficult to quickly get something out the door. I've been thinking about using MVC, but it may be best to stay away from it for the moment and maybe try MVC with a new language, like Ruby on Rails.

February 14, 2006

Joel says he does not use exceptions

Joel has been getting me to rethink my position on starting to use exceptions in PHP5.

Exceptions

People have asked why I don't like programming with exceptions. In both Java and C++, my policy is:

  1. Never throw an exception of my own
  2. Always catch any possible exception that might be thrown by a library I'm using on the same line as it is thrown and deal with it immediately.

The reasoning is that I consider exceptions to be no better than "goto's", considered harmful since the 1960s, in that they create an abrupt jump from one point of code to another. In fact they are significantly worse than goto's:

  1. They are invisible in the source code. Looking at a block of code, including functions which may or may not throw exceptions, there is no way to see which exceptions might be thrown and from where. This means that even careful code inspection doesn't reveal potential bugs.
  2. They create too many possible exit points for a function. To write correct code, you really have to think about every possible code path through your function. Every time you call a function that can raise an exception and don't catch it on the spot, you create opportunities for surprise bugs caused by functions that terminated abruptly, leaving data in an inconsistent state, or other code paths that you didn't think about.

A better alternative is to have your functions return error values when things go wrong, and to deal with these explicitly, no matter how verbose it might be. It is true that what should be a simple 3 line program often blossoms to 48 lines when you put in good error checking, but that's life, and papering it over with exceptions does not make your program more robust. I think the reason programmers in C/C++/Java style languages have been attracted to exceptions is simply because the syntax does not have a concise way to call a function that returns multiple values, so it's hard to write a function that either produces a return value or returns an error. (The only languages I have used extensively that do let you return multiple values nicely are ML and Haskell.) In C/C++/Java style languages one way you can handle errors is to use the real return value for a result status, and if you have anything you want to return, use an OUT parameter to do that. This has the unfortunate side effect of making it impossible to nest function calls, so result = f(g(x)) must become:

T tmp;
if (ERROR == g(x, tmp))
     errorhandling;
if (ERROR == f(tmp, result))
     errorhandling;

This is ugly and annoying but it's better than getting magic unexpected gotos sprinkled throughout your code at unpredictable places.

Okay, so he hates exceptions, and debugging them may be more difficult. I was thinking about throwing exceptions and catching them elsewhere in the code. I'm going to look at exceptions again over the next day, as I was thinking of no longer relying on PEAR's error handling functionality.

January 22, 2006

mysql_real_escape_string() vs addslashes() vs Prepared Statements

Interesting posts by Chris and Ilia on their respective blogs.

In The addslashes() Versus mysql_real_escape_string() Debate, Chris starts by discussing the Google XSS exploit, then goes on to explain character set encoding and how one particular character set allows for this exploit:

Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes() versus mysql_real_escape_string() debate continues. Demonstrating Google's XSS vulnerability was pretty easy. Demonstrating an SQL injection attack that is immune to addslashes() is a bit more involved, but still pretty straightforward.

In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is. Interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c (\).

How does this help? If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is considered to be a single character, not two. Oops, there goes the backslash.

Ilia then goes into more detail about the exploit in his piece mysql_real_escape_string() versus Prepared Statements:

Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.

The problem demonstrated, actually goes a bit further, which even makes the prescribed escaping mechanism, mysql_real_escape_string() prone to the same kind of issues affecting addslashes(). The main advantage of the mysql_real_escape_string() over addslashes() lies in the fact that it takes character set into account and thus is able to determine how to properly escape the data. For example, if GBK character set is being used, it will not convert an invalid multibyte sequence 0xbf27 (¿’) into 0xbf5c27 (¿\’ or in GBK a single valid multibyte character followed by a single quote). To determine the proper escaping methodology mysql_real_escape_string() needs to know the character set used, which is normally retrieved from the database connection cursor. Herein lies the “trick”.
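To make the byte-level mechanics of the two posts concrete, here is an added Python model (not code from Chris's or Ilia's posts). addslashes() is reproduced faithfully. escape_gbk_aware() is a simplified model of what charset-aware escaping does for a GBK connection, which is the behaviour mysql_real_escape_string() has only when the client library actually knows the connection charset: it copies a valid two-byte character whole and escapes a lead byte that has no valid trail byte, so a later backslash can never be absorbed into it. lex_literal() is a simplified model of a GBK-aware SQL lexer reading a single-quoted literal. The query shape and the sample value (0xbf followed by a quote, as in Chris's post) are constructed. Prepared statements sidestep the whole problem because the value never passes through the SQL text at all.

```python
"""Byte-level model of addslashes() versus charset-aware escaping under GBK."""

QUOTE, DQUOTE, BACKSLASH = 0x27, 0x22, 0x5C


def addslashes(data: bytes) -> bytes:
    """Model of PHP's addslashes(): escapes ' " \\ and NUL one byte at a time,
    with no idea which bytes belong to a multi-byte character."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, DQUOTE, BACKSLASH):
            out += b"\\"
            out.append(b)
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def gbk_char_len(data: bytes, i: int) -> int:
    """Length of the GBK character starting at data[i]: 2 for a valid lead/trail
    pair (lead 0x81-0xFE, trail 0x40-0xFE except 0x7F), otherwise 1."""
    lead = data[i]
    if 0x81 <= lead <= 0xFE and i + 1 < len(data):
        trail = data[i + 1]
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 1


def escape_gbk_aware(data: bytes) -> bytes:
    """Simplified model of charset-aware escaping for a GBK connection: a valid
    two-byte character is copied whole, and a lead byte without a valid trail
    byte is itself escaped so it can never pair up with a later backslash."""
    out = bytearray()
    i = 0
    while i < len(data):
        if gbk_char_len(data, i) == 2:
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE or b in (QUOTE, DQUOTE, BACKSLASH):
            out += b"\\"          # orphan lead byte, quote or backslash
            out.append(b)
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
        i += 1
    return bytes(out)


def lex_literal(sql: bytes):
    """Simplified model of a GBK-aware SQL lexer reading the single-quoted
    literal that starts at sql[0]. Returns (contents, rest), where rest is the
    text after the closing quote, or (contents, None) if the literal never closes."""
    contents = bytearray()
    i = 1
    while i < len(sql):
        if gbk_char_len(sql, i) == 2:          # whole character, never a delimiter
            contents += sql[i:i + 2]
            i += 2
        elif sql[i] == BACKSLASH and i + 1 < len(sql):   # escape: next byte is literal
            contents.append(sql[i + 1])
            i += 2
        elif sql[i] == QUOTE:                  # unescaped quote ends the literal
            return bytes(contents), sql[i + 1:]
        else:
            contents.append(sql[i])
            i += 1
    return bytes(contents), None


def where_literal_ends(escaped_value: bytes):
    """Splice an already-escaped value into a constructed query by string
    concatenation and report what the lexer takes as the literal and what
    spills out after it."""
    sql = b"SELECT * FROM users WHERE name = '" + escaped_value + b"' AND active = 1"
    return lex_literal(sql[sql.index(QUOTE):])


if __name__ == "__main__":
    value = b"\xbf' trailing"     # constructed: 0xbf followed by a single quote
    for name, fn in (("addslashes", addslashes), ("escape_gbk_aware", escape_gbk_aware)):
        contents, rest = where_literal_ends(fn(value))
        print(f"{name:17} literal={contents!r} rest={rest!r}")
```

With addslashes() the escaped bytes are 0xbf 0x5c 0x27; the lexer consumes 0xbf5c as one character and the quote closes the literal early, so " trailing" ends up outside the string. With charset-aware escaping the bytes are 0x5c 0xbf 0x5c 0x27; each backslash protects exactly one byte and the literal contains precisely the original value.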

January 13, 2006

PHP 4.4.2 has been released

The PHP development team is proud to announce the release of PHP 4.4.2. This release addresses a few small security issues, and also corrects some regressions that occurred in PHP 4.4.1. All PHP 4 users are encouraged to upgrade to this release. Some of the key changes of PHP 4.4.2 include:

  • HTTP Response Splitting has been addressed in the header() function.
  • An XSS problem inside the error reporting functionality has been removed.
  • Apache 2 regression with sub-request handling on non-Linux systems has been fixed.
  • A regression with the key() and current() functions has been fixed.
  • Over 30 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 4 ChangeLog.

January 12, 2006

PHP 5.1.2 has been released


Ilia has rolled another release on the PHP 5.1 branch: PHP 5.1.2.

The PHP development team is proud to announce the release of PHP 5.1.2. This release combines small feature enhancements with a fair number of bug fixes and addresses three security issues. All PHP 5 users are encouraged to upgrade to this release. Some of the key changes of PHP 5.1.2 include:
  • HTTP Response Splitting has been addressed in ext/session and in the header() function.
  • Fixed format string vulnerability in ext/mysqli.
  • Fixed possible cross-site scripting problems in certain error conditions.
  • Hash & XMLWriter extensions added and enabled by default.
  • Upgraded OCI8 extension.
  • Over 85 various bug fixes.

Further details about this release can be found in the release announcement and the full list of changes is available in the PHP 5 ChangeLog.

January 11, 2006

PHP Notice: Undefined variable: _SERVER

One loves discovering PHP annoyances. It turns out that numerous lines like the ones below are caused by a feature called Just In Time (JIT) creation of the $_SERVER and $_ENV superglobals.

PHP Notice:  Undefined variable: _SERVER in *snip* on line XX
PHP Notice:  Undefined variable: _SERVER in *snip* on line XX
...

And the simplest way to fix this? Either add global $_SERVER; to the script, or set the following in your php.ini file:

auto_globals_jit = Off

When enabled, the SERVER and ENV variables are created when they're first used (Just In Time) instead of when the script starts. If these variables are not used within a script, having this directive on will result in a performance gain. The PHP directives register_globals, register_long_arrays, and register_argc_argv must be disabled for this directive to have any effect.

December 29, 2005

Komodo anyone?

There is a promo code which gives you the personal edition of Komodo for free ;) A late Christmas present from ActiveState.

Well worth the effort for an IDE, and it is built upon Mozilla's XUL framework.

Award-winning IDE for dynamic languages, providing a powerful workspace for editing, debugging and testing your programs. Komodo offers advanced support for Perl, PHP, Python, Ruby, and Tcl. Komodo runs on Linux, Mac OS X, Solaris, and Windows.

UPDATE:

The offer ends on December 31st 2005.

December 28, 2005

Simplifying PHP Form Processors (Part II)

I've been thinking quite a bit more on the subject of Simplifying PHP Form Processors. I think it would be important for the community to come up with a solution to the problem. The form processor which I'm busy working on at the moment currently looks like this (utilising bits and pieces of code I've developed over the past couple of years):


<?php
/**
 * @author      Jacques Marneweck <jacques@php.net>
 * @copyright   2002-2005 Jacques Marneweck.  All rights reserved.
 * @version     $Id$
 */

class FormValidator {
    var $errors = array ();   // error messages collected so far
    var $fields = array ();   // names of the fields those errors refer to

    /**
     * Generate a signature for form data to verify that the data has not
     * changed
     *
     * @param   mixed   data
     * @return  string  sha1 hash of serialized data (an unkeyed digest, so it
     *                  detects accidental change rather than deliberate
     *                  tampering by anyone able to recompute it)
     * @access  public
     */
    function signature ($data) {
        $ctx = sha1(serialize($data));
        return ($ctx);
    }

    /**
     * Check that each required field is filled out; records an error and the
     * offending field name for every one that is missing or empty
     *
     * @param   array   required fields, as field name => error message
     * @param   array   post data
     * @return  array   errors
     * @access  public
     */
    function checkrequired ($required, $data) {
        foreach ($required as $field => $reason) {
            if (!isset($data[$field]) || empty($data[$field])) {
                $this->errors[] = $reason;
                $this->fields[] = $field;
            }
        }
        return ($this->errors);
    }

    /**
     * Retrieve an array of error messages
     *
     * @return  array   array of error messages
     * @access  public
     */
    function geterrors () {
        return ($this->errors);
    }

    /**
     * Retrieve an array of fields that have missing / invalid data
     *
     * @return  array   array of fields
     * @access  public
     */
    function getfields () {
        return ($this->fields);
    }

    /**
     * Check if the form has errors
     *
     * @return  bool    true if has errors else false
     * @access  public
     */
    function haserrors () {
        return (sizeof($this->errors) > 0);
    }

    /**
     * Check if a form has successfully validated and does not have
     * errors
     *
     * @return  bool    true if valid else false
     * @access  public
     */
    function isValid () {
        return (sizeof($this->errors) === 0);
    }
}

There are various things which need to be taken into consideration, which I've been thinking about quite a bit lately, and which affect the various people involved in the normal development process:

  • making it easier from a presentation point of view for designers to, say, change the row background to red for a row where there is an error, display a red exclamation mark, or display an error message below / above the field
  • a better way of rule processing: first checking if the field is compulsory, and then going through the rest of the ruleset checking if there are more errors, rather than saying that you need to enter a new password and that the password confirmation does not match, etc.
  • allowing developers to control the rulesets that are required per the specifications document, rather than leaving it in the web designers' hands to change without anyone noticing / reading the web designers' commit messages.

December 27, 2005

Simplifying PHP Form Processors

Making a simple, easy to use web form processor for PHP keeps coming up on projects. The usual ways I've seen people implement form processing are:

  • relying on JS validation in the web browser alone, which does not stop people from disabling JS in their web browser, at which point you're back at square one with no form validation at all, as it has been bypassed
  • minimal error checking for whether a value is set
  • a long-winded approach checking that each required field is set, etc., as well as verifying that the input variables have been scrubbed and are clean, and then checking them against true / false, for dropdowns whether a value appears in the dropdown, etc.

Simon Willison has published his implementation of a form processor which looks quite promising. His example shows how to call the form and includes all the error messages and validation requirements as part of the XHTML document, which it strips prior to sending to the web browser.

I was initially thinking that it would be useful to have an XML document that goes hand in hand with a form (rather than including the form processor's ruleset within the form). That way you can have multiple forms on a page and use the various XML files to get the ruleset data for processing.

The form processor would need to do all the variable scrubbing for you. Chris Shiflett's Essential PHP Security: Forms and URLs explains this in more details:

This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with data from forms and URLs. You will learn about attacks such as cross-site scripting (XSS) and cross-site request forgeries (CSRF), as well as how to spoof forms and raw HTTP requests manually. By the end of the chapter, you will not only see examples of these attacks, but also what practices you can employ to help prevent them.

<?php
// $clean['username'] holds input that has already been filtered
$html = array();

$html['username'] = htmlentities($clean['username'],
                                 ENT_QUOTES, 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";
?>

In the example above Chris demonstrates escaping output back to the web browser. I tend to use the Smarty Template Engine to separate HTML from the PHP code which I'm developing. In Smarty 2.6.11, you can specify which character set you need to use with the escape modifier, e.g. {$foobar|escape:"htmlall":"UTF-8"}
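As an added illustration (my code, not Chris's or Smarty's, and in Python so it can be run directly), here is why the ENT_QUOTES flag in the snippet above matters when the output lands inside a quoted attribute rather than between tags: html.escape() with quote=False behaves like htmlentities() without ENT_QUOTES (only &, < and > are escaped), and with quote=True like the ENT_QUOTES form (' and " are escaped too). The attacker input and the single-quoted attribute template are constructed for the example; the attributes are recovered with the standard library's HTML parser to approximate what a browser would see.

```python
# Added example, not from the original post: the effect of escaping (or not
# escaping) quote characters when untrusted text lands in a quoted attribute.
# html.escape(quote=False) ~ htmlentities() without ENT_QUOTES; quote=True ~ ENT_QUOTES.
import html
from html.parser import HTMLParser

# Constructed attacker input: closes the value attribute and adds a handler.
PAYLOAD = "x' onmouseover='alert(1)"


def render_input(username: str, escape_quotes: bool) -> str:
    """Interpolate untrusted text into a single-quoted attribute value."""
    safe = html.escape(username, quote=escape_quotes)
    return "<input name='user' value='%s'>" % safe


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser would see on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup: str) -> dict:
    """Parse markup the way a browser would and return the <input>'s attributes,
    with entity references already decoded back to the original characters."""
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


if __name__ == "__main__":
    for flag in (False, True):
        attrs = parsed_attributes(render_input(PAYLOAD, flag))
        print("escape quotes:", flag, "->", attrs)
```

Without quote escaping the parser sees a third attribute, onmouseover, that the template never contained; with it, the whole payload ends up as the literal value of the attribute, which is what output escaping is meant to achieve.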

December 20, 2005

PHP Security Audit Comic

Richard Davey has posted a comic strip called "PHP Life : Dreaded Words".

Disclaimer: This strip does not imply that having your code checked by Stefan would be a nerve wracking experience! Infact I'm certain he'd do an amazing job. But boy, wouldn't waiting for the results worry you just a little?! :-)

December 2, 2005

PHP 5 and namespaces

The developers of PHP Namespaces are in violation of the PHP license :( But let's not go into the license violation. There was a massive thread on the PHP internals mailing list about namespaces and who liked which ASCII character to specify namespaces. Rasmus even went as far as to say that : and :: are not going to be valid.

Ideally you could import, say, PEAR's Date class into the PEAR namespace while using Derick's Date class in the PHP namespace. Not sure which implementation they are going to go with, but apparently there are four, including one from Dmitry from Zend Technologies, who originally wrote the Turck MMCache software.

November 28, 2005

PHP 5.1.1 Released

Ilia has rolled another release on the PHP 5.1 branch, PHP 5.1.1, barely four days after the initial release of PHP 5.1.0 and the sneaky code commit, which has now been disabled :)

The PHP Development Team would like to announce the immediate release of PHP 5.1.1. This is a regression correction release aimed at addressing several issues introduced by PHP 5.1.0, the core changes as follows:
  • Native date class is withdrawn to prevent namespace conflict with PEAR's date package.
  • Fixed fatal parse error when the last line of the script is a PHP comment.
  • eval() hangs when the code being evaluated ends with a comment.
  • Usage of \{$var} in PHP 5.1.0 resulted in the output of {$var} instead of the $var variable's value enclosed in {}.
  • Fixed inconsistency in the format of PHP_AUTH_DIGEST between Apache 1 and 2 sapis.
  • Improved safe_mode/open_basedir checks inside the cURL extension.

The complete details about all of the changes can be found in the PHP 5 ChangeLog.

November 27, 2005

PHP 5.1.0: How To throw allegations around

I tend to occasionally respond to emails sent to the PHP internals mailing list about the future of PHP. Over the past few days there have been allegations of Derick being dishonest by sneaking new functionality into PHP 5.1.0 before the last release candidate by lying to Ilia (who took over being release manager).

Then there are flame wars going backwards and forwards about whose fault it is, etc. Now there are way too many emails about whether to use namespaces.

John found an interesting quote about the software development process:

Later that day... I stumbled on this quote by Dave Winer:

It seems the computer industry hasn't gotten to the stage yet where it can really deliver delight to users. Maybe we spend too much time trying to fuck up the user experience. I think of that when I see pages with fifteen different formats that all do the same thing. Why? There's no need for it. How many of those types of battles were fought inside Apple that resulted in the super-shitty experience I had and Jeremy had. Maybe we need to take a step back and start thinking a bit about how this kind of bullshit keeps us from growing.

I haven't been reading the PHP internals mailing lists since August this year, but because of the rumored PHP 5.1 mishaps, I did. The in-fighting and name-calling is surprisingly heated. Open source is certainly great, the price-point is good, you can fix things yourself (if you have the skill), but the meandering directions that PHP takes can be frustrating. Some people want a more advanced programming language to keep up with the Rubies and Pythons; others (like me), want 100% backward compatibility. The Bazaar (and perhaps all software development for that matter) is sometimes too bizarre.

But in the meantime expect a PHP 5.1.1 release in the next day or two disabling Derick's new date class. The moral of the story: these days, wait until a maintenance release comes out before upgrading your PHP install?

November 25, 2005

Strict session handling in PHP

Christopher Kunz mentions a new patch for PHP which deals with Session Fixation.

PHP has a permissive session system. This has been decided way before I came into the PHP world (I guess in preparation of 4.0), and the reasons for this decision are kinda lost in transit. However, with a small patch by Hardened-PHP Project buddy Stefan Esser, this might now change.

A small patch against PHP's ext/session and ext/sqlite adds two new handler functions to validate and create session IDs, as well as the php.ini setting

session.use_strict_mode = 0/1

Although under normal circumstances a strict session mode handler will not bring much more security, it will put an end to session fixation (supplying a session ID and having it validated by PHP), some SQL injection issues (if, for tracking purposes, you store each session ID in a database) and some XSS that might arise from providing a session ID including HTML/JS code.

You can check out the patch at: http://www.suspekt.org/session_strict_mode.patch

It will also be part of the next release of the Hardening Patch for PHP.

Hopefully we can see some of the Hardened PHP Patch ideas merged into the main PHP source code in the near future.
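To show what the strict mode Christopher describes actually changes, here is an added example (my own toy code, not the Hardened-PHP patch or PHP's session extension, and in Python rather than PHP): a minimal session store with a permissive handler that adopts any well-formed ID the client presents, as PHP does by default, and a strict handler that only accepts IDs it issued itself, then a replay of the fixation scenario against both. The class names, the ID alphabet and the planted ID are my own constructions; `strict` here stands in for `session.use_strict_mode = 1`.

```python
# Added example, not from the original post or the Hardened-PHP patch: a toy
# session store contrasting a permissive handler (adopts any ID the client
# presents) with a strict one (accepts only IDs it issued). Python 3 stdlib.
import re
import secrets
from typing import Dict, Optional

# Constructed: the alphabet a "well-formed" ID must use. PHP applies a similar
# sanity check on its own IDs; this pattern is mine, not PHP's.
WELL_FORMED = re.compile(r"^[A-Za-z0-9,-]{1,128}$")


class SessionStore:
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self._sessions: Dict[str, Dict[str, str]] = {}

    def _issue(self) -> str:
        """Create a session under a fresh, unguessable, server-chosen ID."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def start(self, presented: Optional[str]) -> str:
        """Return the ID the response should set in the session cookie.

        Permissive (use_strict_mode = 0): a well-formed but unknown ID is
        simply created under the name the client chose, so an attacker who
        plants an ID in the victim's browser shares the victim's session later.
        Strict (use_strict_mode = 1): unknown IDs are dropped and a fresh,
        server-generated ID is issued instead.
        """
        if presented is not None and presented in self._sessions:
            return presented
        if presented is not None and not self.strict and WELL_FORMED.match(presented):
            self._sessions[presented] = {}
            return presented
        return self._issue()

    def get(self, sid: str) -> Optional[Dict[str, str]]:
        return self._sessions.get(sid)


def fixation_attack(strict: bool) -> bool:
    """Replay the fixation scenario; True means the attacker can now read the
    victim's authenticated session."""
    store = SessionStore(strict)
    planted = "attacker-chosen-id"            # e.g. delivered via a ?PHPSESSID=... link
    victim_sid = store.start(planted)          # victim's browser sends the planted ID
    store.get(victim_sid)["user"] = "victim"   # victim logs in under that session
    attacker_view = store.get(planted)         # attacker presents the same ID
    return attacker_view is not None and attacker_view.get("user") == "victim"


if __name__ == "__main__":
    print("permissive, attacker shares victim session:", fixation_attack(strict=False))
    print("strict, attacker shares victim session:    ", fixation_attack(strict=True))
```

Strict acceptance only deals with IDs the server never issued; it is still good practice to issue a new ID when the privilege level of a session changes (at login), which is a separate measure from the one the patch adds.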

November 24, 2005

PHP 5.1.0 has been released

PHP 5.1.0 has been unleashed on the masses.

[24-Nov-2005] The PHP development team is proud to announce the release of PHP 5.1.0.
Some of the key features of PHP 5.1.0 include:

  • A complete rewrite of date handling code, with improved timezone support.
  • Significant performance improvements compared to PHP 5.0.X.
  • PDO extension is now enabled by default.
  • Over 30 new functions in various extensions and built-in functionality.
  • Bundled libraries, PCRE and SQLite upgraded to latest versions.
  • Over 400 various bug fixes.
  • PEAR upgraded to version 1.4.5

In addition to new features, this release includes a number of important security fixes and we recommend that all users of PHP 5.0 and early adopters of PHP 5.1 betas upgrade to this release as soon as possible.
The complete details about all of the changes can be found in the PHP 5 ChangeLog and an upgrading guide is available as well.


PHP 5.1.0 is the upgrade path for the PHP 5.0.X series, which has been in production since PHP 5.0.0 was released in July last year.

October 24, 2005

PHP Encoders offer little protection

PHP Encoders Protection where are you? is a blog entry on the PHP Security Blog where Stefan Esser writes:

From time to time people ask if it is possible to use the Hardening-Patch together with the IonCube Encoder or the ZendEncoder. I usually answer, that they should ask the IonCube support or the Zend support, to simply create compatible versions.

This will change in the future. I had a look at both encoders that are most probably the most famous ones and I am kinda shocked. The IonCube Encoder does not offer any protection against oparray dumping or oparray disassembly. If you want to see this for yourself, then download Derick and Andrei's vld and apply the following patch: vle-request-hack.diff. After you have applied this, simply load the IonCube Loader as normal and activate vld as usual.

You will see the disassembly of the encoded PHP script in ZendEngine Opcodes and you will most probably not notice any obfuscation at all... (You can always compare the output to the output of the not encoded version)

The good news for all the users of ZendEncoder (or however it is called nowadays) is, that it is a little bit harder to get the disassembly of scripts that were encoded with ZendEncoder, because you will notice that the Opcodes are encrypted. But anyone skilled with runtime encryption layers will be able to decrypt those opcodes. When you have broken the opcode encryption they look like the output of ZendOptimizer. Which means there are some ZendOptimizer specific opcodes in it, that have something to do with cached function names...

I think this is quite bad news for Zend and the various other providers of PHP Encoders as they'll have their work set out for themselves to produce a more secure encoding mechanism whereby people cannot easily get to the unencrypted opcodes.

I've found the following comment on a Chinese forum:

Hello,

We are aware of this problem, even before it reached China.

There is work being done now to develop the next generation of Zend Encoder that will have stronger encoding and will be harder to crack and decode.

You have to keep in mind that there is no encoding (or even encryption) mechanism that is 100% safe, especially something that needs to be decoded and parsed fast like a php script. Also, even though it is not uncrackable, Zend Encoder is the best solution in the market right now for encoding php code - and it provides a decent protection for most people.

September 28, 2005

Using HORDE in your site

Jan Schneider has written an article about How to embed Horde applications into your website

I have written a small howto in the Horde Wiki that explains how to embed Horde applications into your own website or web application.

"Using Horde from a custom website or application" explains how to call API methods in Horde or one of the Horde applications from a PHP script that is not part of Horde itself. The howto contains several code examples and also shows how to embed complete HTML snippets into larger web site pages.

September 7, 2005

Ilia's php|architect's Guide to PHP Security

Ilia has written a php|architect's Guide to PHP Security and has announced that it has been sent for publishing.

For those who don't know, Ilia is one of the leading PHP security experts in the PHP community.

Despite all the negative publicity, however, PHP is and remains a very stable--and very secure--programming environment. php|architect's Guide to PHP Security, written by security expert (and frequent php|architect contributor) Ilia Alshanetsky, provides you with a guide that covers everything you need to secure existing PHP applications and write new ones with security in mind.

September 1, 2005

Do you flickr?


Rasmus Lerdorf has posted Flickr API Fun.

I like stuff I can pick up and do something useful with in an hour or two. Perhaps my attention span is too short, but if I have to read a 300 page spec before I get to Hello World, then it's not for me. Or you would at least have to pay me a lot of money to suffer through it. I think people refer to this as "immediacy". For me I think it is mostly laziness. If I can't figure it out in an hour, it's broken as far as I am concerned.

I feel similar to Rasmus about things which one can pick up in an hour or two.

August 30, 2005

Database query caching

I'm busy spending time adding more features to my PHP Application Framework called the Tshukudu Application Framework, which currently is quite a lightweight PEARish framework for PHP4 and PHP5. It's moving towards dropping PHP4 in the near future.

I've spent some time fiddling with the idea of caching database query results to disk, instead of to memcached servers, when in a shared hosting environment, to reduce load on the database server when looking up data which does not change very often. Caching query results reduces the work the database has to do to look the data up, and the larger the dataset, the more data would otherwise have to flow between MySQL and PHP.

Quite surprisingly I stumbled across an article titled Caching PHP Programs with PEAR on O'Reilly, written by Sebastian Bergmann. An interesting read nonetheless.

So I created a class called DB_Cache which currently just extends PEAR Cache, as well as keeping a DB connection open for sending queries to. Cache_Memcached connects to memcached servers to retrieve and store data, while DB_Cache (which should more accurately be called Cache_DB_File) caches database result sets to a file on the filesystem via Cache, which it extends.

A couple of ideas behind the framework are to provide functionality for speeding up PHP sites by having different levels of caching within a PHP application, such as caching content from remote servers, caching database result sets, etc.

Utilisation of the code looks something like:

<?php
require_once 'Tshukudu/DB/Cache.php';
$db_cache = new DB_Cache;
// second argument selects the fetch mode; the result set is served from the
// file cache while it is still valid, otherwise fetched from MySQL and stored
$users = $db_cache->query("SELECT * FROM users LIMIT 0,10", 'getall');

Ugly, but it needs a slight rewrite to rather extend DB_MySQL in my case instead of Cache.

August 17, 2005

+5 Insightful

There has been quite a bit of discussion regarding the start of development on PHP 6.0. Various people have been complaining that we should not be discussing the future of PHP on our blogs, et al.

Rasmus Lerdorf posted the following comment to Marco's blog, which sums it up nicely.

It is interesting how much attention our PHP 6 discussions have been getting and even some criticisms that we shouldn’t be talking about it, or at least we shouldn’t be talking about it publically since PHP 5 is still pretty new to people. Work on PHP 5 started in November 2002. No significant structural changes are going to go into PHP 5 at this point. Minor enhancements and plenty of bug fixes to solidify it will continue for a long time, but given this it is natural that we start looking ahead to PHP 6. People should be worried if we weren’t looking ahead at this point. And given that we are an open source project, these discussions must happen in the open even if it gives people ammunition to use against us. Wouldn’t you love to see the internal developer discussions about what sucks in a number of proprietary products out there? Would it make you stop using the product if you saw its developers discussing weaknesses and proposing solutions or enhancements?

Occasionally we form smaller closed groups of developers to tackle a tricky problem and crank out some code quickly. The Unicode effort was an example of that, but the result of the work was made public as soon as it was feasible and didn’t interfere with more pressing work on PHP 5. And it is far from done. We are a long way from PHP 6 still and we need the ideas to keep flowing and people need to keep discussing them.

August 16, 2005

PHP 5.1.0RC1

Zeev has rolled PHP 5.1.0 release candidate 1 a little earlier today.

August 15, 2005

The state of PHP

PHP is moving on towards gearing itself up for PHP 6.0.

Andrei started warning people to not commit to HEAD as he was about to start committing his Unicode support for PHP. He mentions in his blog post:

The project that we have been working on for the past 4 months is finally seeing the light of day: yesterday I merged the Unicode support into the public PHP tree. I was going to say that my part of the hard work is done, but I guess I still have to edu-ma-cate developers about Unicode and other finer things in life. :)

Our Benevolent Dictator for Life, Rasmus Lerdorf, decided to email the internals list discussing a "PHP 6.0 Wishlist" which started a thread of over 150 email messages since Friday evening!

Various things on Rasmus' initial list which interest me from an enterprise adoption view include getting rid of

  • register_globals
  • magic_quotes
  • safe_mode

An opcode cache should have been added a long time ago; no doubt Zend dislikes seeing it on the list, since when Andi and Zeev implemented the Zend Engine they left the opcode cache out and built their business around one (Zend Accelerator).

Other PHP'ers comments on the 'state of PHP':

July 29, 2005

Apache and OpenSSL Issues

Occasionally Apache with mod_ssl just breaks after doing an operating system upgrade or even just upgrading OpenSSL. Doing a backtrace against the httpd.core file (gdb httpd httpd.core) gave me the following:

(gdb) bt
#0 0x00000018 in ?? ()
#1 0x28445162 in RSA_new_method () from /lib/libcrypto.so.3
#2 0x28444eea in RSA_new () from /lib/libcrypto.so.3
#3 0x2845e7e8 in RSAPrivateKey_asn1_meth () from /lib/libcrypto.so.3
#4 0x2846a8a6 in ASN1_item_ex_new () from /lib/libcrypto.so.3
#5 0x2846a6c3 in ASN1_item_ex_new () from /lib/libcrypto.so.3
#6 0x2846621c in ASN1_item_ex_d2i () from /lib/libcrypto.so.3
#7 0x28465c85 in ASN1_item_d2i () from /lib/libcrypto.so.3
#8 0x2845e89f in d2i_RSAPublicKey () from /lib/libcrypto.so.3
#9 0x28459b2c in d2i_PublicKey () from /lib/libcrypto.so.3
#10 0x284585b5 in X509_PUBKEY_get () from /lib/libcrypto.so.3
#11 0x28457615 in X509_get_pubkey () from /lib/libcrypto.so.3
#12 0x28375749 in ssl_util_algotypeof () from /usr/local/libexec/apache/libssl.so
#13 0x2836d226 in ssl_pphrase_Handle () from /usr/local/libexec/apache/libssl.so
#14 0x28366f3f in ssl_init_Module () from /usr/local/libexec/apache/libssl.so
#15 0x08057092 in ap_init_modules ()
#16 0x0805fd83 in main ()

What the backtrace tells us is that the crash is inside libcrypto, reached from mod_ssl's initialisation, which is the usual sign that mod_ssl is no longer in step with the OpenSSL it is now loading. Normally the way to resolve this is to recompile apache+mod_ssl as well as PHP's openssl extension using portupgrade, forcing it to do the upgrade, and magically the next time you run "apachectl startssl" it works.

July 28, 2005

Rasmus' 30 second AJAX Tutorial

PHP's Benevolent Dictator for Life, Rasmus Lerdorf, wrote a 30 second AJAX Tutorial in response to various people discussing on the php-general mailing list how AJAX is going to change web development.

I find a lot of this AJAX stuff a bit of a hype. Lots of people have been using similar things long before it became "AJAX". And it really isn't as complicated as a lot of people make it out to be. Here is a simple example from one of my apps. First the Javascript:

function createRequestObject() {
    var ro;
    var browser = navigator.appName;
    if(browser == "Microsoft Internet Explorer"){
        ro = new ActiveXObject("Microsoft.XMLHTTP");
    }else{
        ro = new XMLHttpRequest();
    }
    return ro;
}

var http = createRequestObject();

function sndReq(action) {
    http.open('get', 'rpc.php?action='+action);
    http.onreadystatechange = handleResponse;
    http.send(null);
}

function handleResponse() {
    if(http.readyState == 4){
        var response = http.responseText;
        var update = new Array();

        /* note the parenthesis: the test is on the result of indexOf(),
           not on the argument passed to it */
        if(response.indexOf('|') != -1) {
            update = response.split('|');
            document.getElementById(update[0]).innerHTML = update[1];
        }
    }
}


This creates a request object along with a send request and handle response function. So to actually use it, you could include this js in your page. Then to make one of these backend requests you would tie it to something. Like an onclick event or a straight href like this:

<a href="javascript:sndReq('foo')">[foo]</a>

That means that when someone clicks on that link what actually happens is that a backend request to rpc.php?action=foo will be sent.

In rpc.php you might have something like this:

  switch($_REQUEST['action']) {
    case 'foo':
      /* do something */
      echo "foo|foo done";
      break;
    ...
  }

Now, look at handleResponse. It parses the "foo|foo done" string and splits it on the '|' and uses whatever is before the '|' as the dom element id in your page and the part after as the new innerHTML of that element. That means if you have a div tag like this in your page:

<div id="foo">
</div>

Once you click on that link, that will dynamically be changed to:

<div id="foo">
foo done
</div>

That's all there is to it. Everything else is just building on top of this. Replacing my simple response "id|text" syntax with a richer XML format and making the request much more complicated as well. Before you blindly install large "AJAX" libraries, have a go at rolling your own functionality so you know exactly how it works and you only make it as complicated as you need. Often you don't need much more than what I have shown here.

Expanding this approach a bit to send multiple parameters in the request, for example, would be really simple. Something like:

  function sndReqArg(action,arg) {
    /* encode arg so characters such as & or # in it cannot alter the query string */
    http.open('get', 'rpc.php?action='+action+'&arg='+encodeURIComponent(arg));
    http.onreadystatechange = handleResponse;
    http.send(null);
  }

And your handleResponse can easily be expanded to do much more interesting things than just replacing the contents of a div.

-Rasmus

Secure PHP Coding

Over at I love Jack Daniels there is another article about Writing Secure PHP, Part 3.

In Writing Secure PHP and Writing Secure PHP, Part 2 I covered many of the basic mistakes PHP developers make, and how to avoid common security problems. It is time to get a little deeper into security though, and begin to tackle some more advanced issues.

July 11, 2005

Differences of opinion

Tobias Schlitt has a blog entry titled A clash of asociality on his blog which made for a bit of amusing reading, considering certain commit messages to the PEAR website code.

Open sources are great things, annoying things too. For example, take the PEAR project. There is a huge crowd of developers in the project (more than 800 registered users on PEARWeb, more than 200 maintainers), which every day try to improve the project, try to work together and try to learn from what they code and from the code they read. They feel the spirit of open source, they invest much time and train their hard skills in coding and their soft skills in the cooperation with a team.

But every now and then it happens that there is a black sheep under those fine 800, someone who even doesn't seem to know, what "soft skills" means. Surely, it happens not often, but some there are. Those re-appear now and then, vituperate as much as they can, hastily committing some code ("fixing up other peoples crap"), which does not even work or better to say, hasn't even seen a syntax check. Finally those people bring project internal problems to the public perverting the facts as much as possible for their own advantage. But thankfully, those people tend to disappear again as fast as they have appeared before...

Maybe certain people who don't run syntax checkers against their code before committing should lose CVS commit access to pearweb for a few days while they learn how to use the command line syntax checker? ;)

PHP 4.4.0 has been released

PHP 4.4.0 has been released!

The PHP Development Team would like to announce the immediate release of PHP 4.4.0. This is a maintenance release that addresses a serious memory corruption problem within PHP concerning references. If references were used in a wrong way, PHP would often create memory corruptions which would not always surface and be visible. The increased middle digit was required because the fix that corrected the problem with references changed PHP's internal API. PHP 4.4.0 does not have any new features, and is solely a bugfix release.

Release Announcement.

July 2, 2005

Progress on PEAR Cache_Memcached

Still working on my PEAR Cache_Memcached project. The proposal is still in first draft stages as I still have certain things to do prior to changing the proposal from 'draft' to 'proposed'.

July 1, 2005

PEAR Cache_Memcached Proposal

Regarding my PEAR Cache_Memcached proposal, it is still in 'draft' stages. I still have a small amount of work to finish prior to 'proposing' the proposal. Please feel free to comment on this blog post.

June 29, 2005

Changes to PHP 4.4.0 which breaks backwards compatibility

There is a change with references which breaks backwards compatibility in versions of PHP >= 4.4.0.

Many people, including myself, seem at times to have incorrectly used references in code similar to John's code below:

<?php
function &dosomething($a)
{
    $b = false;
    return empty($a) ? $b : $a;
}

According to resident PHP guru Derick Rethans, "this is actually correct behavior. The ?: operator creates a copy and then returning by reference doesn't work of course." On his blog he also wrote:

Through Planet PHP I saw the blog entry "Is PHP staying the language I want to work with?", for which comments are cowardly disabled. Although the way classes are handled is debatable, moaning that PHP 4.4 breaks "return ($ret)" when returning by reference only shows that the programmer has had no clue about references in the first place. If you place () around a variable, you're making it an expression. You can only return variables by references, not expressions. The return-by-reference in this function never could have worked as it should have in the first place. Clue: Don't use "return ()", but just "return ".

Derick also has an article in the June 2005 issue of php|architect where he explains what references are in more detail.

The PHP Manual is a bit misleading about returning references on the return() function page, but the returning values page shows that one should return references without wrapping the variable in ()'s as part of the return statement.
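The following is an added example, not John's or Derick's code, that shows the difference the two posts above describe: a reference-returning function only hands back a usable reference when the return statement names a plain variable, while the ?: form returns a temporary copy (PHP reports that only variable references should be returned by reference). The function and array names are this example's own.

```php
<?php
// Added example: why "return cond ? $b : $a;" cannot return a reference.

// Broken: the conditional expression yields a temporary value, so the
// caller's "=&" binds to a copy and writes never reach $store.
function &pick_broken(array &$store, $key)
{
    $none = null;
    return isset($store[$key]) ? $store[$key] : $none;
}

// Correct: the return statement names a variable (an array element),
// so a real reference to the element inside $store comes back.
function &pick(array &$store, $key)
{
    if (!isset($store[$key])) {
        $store[$key] = null;   // create the slot so there is a variable to reference
    }
    return $store[$key];
}

$store = array('hits' => 0);

$h =& pick_broken($store, 'hits');   // PHP notices: only variable references ...
$h = 5;
var_dump($store['hits']);            // int(0): the write landed on a copy

$h =& pick($store, 'hits');
$h = 5;
var_dump($store['hits']);            // int(5): the write went through the reference
```

The same rule covers Derick's "return ($ret)" case: the parentheses turn the variable into an expression, so the by-reference function silently returns a copy.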

June 24, 2005

PHP 5.1.0 beta 2 is out

PHP 5.1 Beta 2 is now available! A lot of work has been put into this upcoming release and we believe it is ready for public testing.

Some of the key improvements of PHP 5.1 include:

  • PDO (PHP Data Objects) - A new native database abstraction layer providing performance, ease-of-use, and flexibility.
  • Significantly improved language performance mainly due to the new Zend Engine II execution architecture.
  • The PCRE extension has been updated to PCRE 5.0.
  • Many more improvements including lots of new functionality & many bug fixes, especially in regards to SOAP, streams and SPL.
  • See the bundled NEWS file for a more complete list of changes.

Everyone is encouraged to start playing with this beta, although it is not yet recommended for mission-critical production use.

June 18, 2005

Object Overloading in PHP 5

A fine implementation of the object-overloading paradigm has found its way into PHP version 5. This article explores the possibilities of the overload methods __call(), __set(), and __get(). After explaining the basic theory of overloading, it dives straight into the topic by using two practical examples: first, implementing persistable classes, and second, figuring out a way to realize dynamic getter and setter methods. If you do not yet know what these terms mean, don't be afraid--it will become clear to you when you see the example code.

Check out Martin's article.
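As an added illustration of the dynamic getter/setter idea the article abstract mentions (this is not code from Martin's article), the class below resolves getName()/setName() through __call() and plain property access through __get()/__set(). Field names are checked against a fixed list so that request-driven code such as $record->{$name} = $value cannot create or overwrite arbitrary state; the class and its fields are this example's own.

```php
<?php
// Added example: dynamic accessors via __call/__get/__set with an allow list.
class Record
{
    // Only these fields may be read or written dynamically.
    private static $fields = array('name', 'email');
    private $data = array();

    public function __get($name)
    {
        $this->assertField($name);
        return isset($this->data[$name]) ? $this->data[$name] : null;
    }

    public function __set($name, $value)
    {
        $this->assertField($name);
        $this->data[$name] = $value;
    }

    // getName() / setName($v) are resolved at call time from the method name.
    public function __call($method, array $args)
    {
        if (preg_match('/^(get|set)([A-Z]\w*)$/', $method, $m)) {
            $field = lcfirst($m[2]);
            if ($m[1] === 'get') {
                return $this->__get($field);
            }
            if (count($args) !== 1) {
                throw new InvalidArgumentException("$method expects one argument");
            }
            $this->__set($field, $args[0]);
            return $this;   // allow chaining
        }
        throw new BadMethodCallException("Unknown method $method");
    }

    private function assertField($name)
    {
        if (!in_array($name, self::$fields, true)) {
            throw new InvalidArgumentException("Unknown field $name");
        }
    }
}

$r = new Record();
$r->setName('Jacques')->email = 'j@example.org';
var_dump($r->getName(), $r->email);   // "Jacques", "j@example.org"

try {
    $r->isAdmin = true;                // not in the allow list
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";       // Unknown field isAdmin
}
```

Without the assertField() check an overloaded class accepts any property name, which is how mass-assignment style bugs creep into persistable objects that are filled straight from $_POST.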

June 17, 2005

Legal issues with bug reports?

When reporting bugs to PHP, one user claims to be having "Legal Issues", hence he cannot submit reproduce code. Derick reports:

Some times people don't want to submit their code when filing a bug report for PHP because of "Legal Reasons". They simply assume we can fix it even with their very vague reasons. Usually we persist in asking for more information because we're nice and want to help those people who think they found a bug anyway. Sometimes this gives hilarious responses. Come on, your über-cool "new technology" with PHP - we're the ones that gave you the tool to write your "new technology" in the first place. Even better is when they claim that "they're not allowed to tell you what it is".

But it gets better - now the guy is even offering that we debug his large application for us, but we need to sign an NDA as well then. I'm not sure in which world this guy lives, but an NDA for a bug report? :) If you can't make a short reproducible case, then you're pretty much lost anyway. I just ended up asking how much they pay.

June 8, 2005

A decade of PHP

Today marks the 10th anniversary of PHP. Rasmus initially announced PHP 1.0 10 years ago today.

It is amazing how PHP has changed the web coding landscape. I remember back in the day using various combinations of shell scripts to generate HTML pages for various sites I was fiddling on for the 'semi dynamic content'. I rewrote some Novell netbasic scripts in perl for the #Cape_Town website where users had the ability to use the nickbrowser to view details about other people on that channel. The site was rewritten from scratch with a CMS, where the webteam members could post data, users could submit their own profile, and do various other bits and pieces. It was initially written using PHP3 and used Matt Robinson's file based session library which was the de-facto session management library for PHP3. The #Cape_Town website was one of my first websites developed with PHP, as it was much quicker and easier to do web development with PHP compared to perl.

There are numerous blog entries regarding PHP's 10th anniversary, including the entry on the PHP.net homepage.

Zak sums it up better than I could:

Rasmus really did a great thing by inventing, sharing and nurturing PHP. While many, many people made it all happen, Rasmus (and, indirectly, Rasmus' wife Christine) is the baling wire and duct tape that held it all together.

June 6, 2005

Writing PHP Extensions part II

Sara Golemon, PHP Developer, has written part II of her article series on programming extensions for PHP. This article deals with parameters, arrays and zvals. Her first article was Part I: Introduction to PHP and Zend.

Core developer and 'PECL Princess' Sara Golemon has written a number of extensions for PHP 4 and 5. She is also the person most likely to respond sympathetically to newcomers' queries about PHP internals.

This combination of hands-on experience and patience made Sara the natural choice to write an introductory series to PHP extension programming for zend.com.

June 5, 2005

PHP Compiler Halt Patch

Ilia posted a patch some time ago to the PHP Internals mailing list which makes it possible to stop parsing a PHP file, so that content such as a tarball can be stored at the bottom of the script and extracted from there.

Ilia has more including some 'sample code'.
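The pattern Ilia's patch enables, as an added example rather than his own sample code: a script carries raw data after __halt_compiler() and reads it back through __COMPILER_HALT_OFFSET__. This version also records a SHA-256 of the data in a header so that the reader refuses a truncated or tampered payload instead of unpacking whatever sits at the end of the file. The build helper, the temp file name and the payload text are constructed for the demo.

```php
<?php
// Added example: build a self-extracting PHP file, then read its payload back.

// Writes <code> + __halt_compiler(); + "sha256=<hex>\n" + raw bytes to $path.
// The generated code returns the payload (or false) to whoever include()s it.
function build_bundle($path, $data)
{
    $stub = "<?php\n"
          . '$fp = fopen(__FILE__, "rb");' . "\n"
          . 'fseek($fp, __COMPILER_HALT_OFFSET__);' . "\n"   // jump past the code
          . '$raw = stream_get_contents($fp);' . "\n"
          . 'fclose($fp);' . "\n"
          . '$parts = explode("\n", $raw, 2);' . "\n"          // header, body
          . 'if (count($parts) < 2 || substr($parts[0], 0, 7) !== "sha256=") { return false; }' . "\n"
          . 'return hash_equals(substr($parts[0], 7), hash("sha256", $parts[1])) ? $parts[1] : false;' . "\n"
          . '__halt_compiler();';   // data starts right after the semicolon
    $header = 'sha256=' . hash('sha256', $data) . "\n";
    return file_put_contents($path, $stub . $header . $data) !== false;
}

// Constructed payload standing in for a tarball or installer data.
$data   = "name=demo\nversion=1\n";
$bundle = sys_get_temp_dir() . '/halt_demo_' . getmypid() . '.php';
build_bundle($bundle, $data);

var_dump((include $bundle) === $data);       // bool(true): payload verified

// Append one byte and the hash no longer matches: the bundle yields false.
file_put_contents($bundle, "x", FILE_APPEND);
var_dump(include $bundle);                   // bool(false)

unlink($bundle);
```

Note that the data must follow the semicolon of __halt_compiler(); directly; a stray newline there becomes part of the payload and would invalidate the recorded hash.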

June 1, 2005

Using php5-fcgi

I suppose one of the things that was hacking me off about php5-fcgi was that it ignored the .htaccess file (rightfully so) and required a bit of tweaking of a custom php.ini for the PHP FastCGI process, so that certain settings were in place before my normal auto-prepend file ran.

For the past few weeks I've had to have quite a bit of stuff towards the top of my php scripts:

<?php
if ($_SERVER['SERVER_ADDR'] == 'XXX.XXX.XXX.XXX') {
    ini_set ('include_path', '*snip*');
    ini_set ('magic_quotes_gpc', 'off');
    ini_set ('magic_quotes_runtime', 'off');
    ini_set ('register_globals', 'off');
    ini_set ('display_errors', 'on');
    ini_set ('display_startup_errors', 'on');
    require_once 'powertrip-prepend.php';
}

Using the custom php.ini for php5-fcgi one can manually set the various settings which you would normally have set in your .htaccess or httpd.conf, depending on your environment.

Anyway I changed the line from:

PHPRC="/usr/local/etc"

to

PHPRC="/home/jacques/etc/php5"

which sorted out a couple of "issues" I was having. I have in the past always preferred using the Apache configuration file for storing various settings for the virtual host, including PHP-specific settings.
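Once php5-fcgi reads its own php.ini, the quickest way to confirm that the PHPRC change above picked up the intended file is to ask the running interpreter which ini it loaded and compare the directives that matter against an expected profile. The script below is an added example, not part of the original post; its "dev" profile mirrors the ini_set() calls at the top of the scripts above, and the "production" profile is this example's own suggestion for a public host.

```php
<?php
// Added example: report the loaded php.ini and any directive that differs
// from the expected profile, so a wrong PHPRC shows up before anything else.

// Map the many spellings of on/off to '1'/'0'; other values compare as-is.
function normalize_flag($value)
{
    $v = strtolower(trim((string) $value));
    if (in_array($v, array('1', 'on', 'yes', 'true'), true)) {
        return '1';
    }
    if (in_array($v, array('', '0', 'off', 'no', 'false', 'none'), true)) {
        return '0';
    }
    return $v;
}

// Returns the directives whose live value differs from the profile.
function ini_audit(array $expected)
{
    $mismatches = array();
    foreach ($expected as $directive => $want) {
        $have = ini_get($directive);
        if ($have === false) {
            // Unknown to this PHP build (register_globals and magic_quotes
            // were removed in PHP 5.4), so there is nothing left to enforce.
            continue;
        }
        if (normalize_flag($have) !== normalize_flag($want)) {
            $mismatches[$directive] = array('want' => $want, 'have' => $have);
        }
    }
    return $mismatches;
}

$profiles = array(
    'dev' => array(
        'magic_quotes_gpc'       => 'off',
        'magic_quotes_runtime'   => 'off',
        'register_globals'       => 'off',
        'display_errors'         => 'on',
        'display_startup_errors' => 'on',
    ),
    'production' => array(
        'magic_quotes_gpc'       => 'off',
        'magic_quotes_runtime'   => 'off',
        'register_globals'       => 'off',
        'display_errors'         => 'off',   // never echo errors to visitors
        'display_startup_errors' => 'off',
        'log_errors'             => 'on',    // ...but keep them in the log
        'expose_php'             => 'off',
    ),
);

echo 'Loaded php.ini: ', var_export(php_ini_loaded_file(), true), "\n";
foreach ($profiles as $name => $profile) {
    $diff = ini_audit($profile);
    echo $name, ': ', $diff ? count($diff) . ' mismatch(es)' : 'OK', "\n";
    foreach ($diff as $directive => $v) {
        echo "  $directive: want {$v['want']}, have '{$v['have']}'\n";
    }
}
```

Run it through the same FastCGI process (not the CLI binary) or the report describes the wrong SAPI; php_ini_loaded_file() returns false when no ini was found at all, which is itself the symptom of a bad PHPRC.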

May 31, 2005

doc.php.net API docs online

I'm now generating API documentation for the doc.php.net (docweb) website, which is available online and is generated using phpDocumentor.

Ideally this means that those who are working on docweb will now document their code ;)

May 27, 2005

news.php.net is back

Good news! news.php.net is back up and running with an upgraded version of Jim Winstead's Colobus.

May 25, 2005

SMS_Clickatell 0.6.1 Released

I've rolled a 'maintenance release' of SMS_Clickatell this evening which utilises the SMS_Clickatell::_curl function for using one curl handler to the Clickatell API server which reduces having to open a new connection for each request to the Clickatell API Server.


May 24, 2005

SMS_Clickatell API Docs online

I've uploaded the SMS_Clickatell API docs tonight, which I generated using phpDocumentor. At some stage I'm going to hack a custom phpDocumentor theme for this site.


Validate_ZA is a separate package now

The Validate package was split up so that Validate_ZA is now a separate package.

I'm planning on making some modifications to the package over the next week or two. Documentation will also be available in a bit.

May 6, 2005

PHP 2000 Meeting Pictures

PHP 2000 Meeting Pics are online after Zeev found them in his homedir.

May 3, 2005

Andi is another reality when it comes to help

Andi Gutmans asked whether there is a good web-based help system for PHP:

I have been searching a lot for a decent help system for PHP applications. The idea is something similar to the Microsoft HTML Help (CHM) or Web help generated by Macromedia Robohelp. I'd be interested to hear more from people about what their thoughts are regarding this topic.

In general, such a system should be a set of XSLT stylesheets to compile DocBook help into HTML and PHP, so it is easily deployable over the web. It should be able to compile any existing DocBook documentation without modifying it (for example the PHP manual).

Livedocs was mentioned, and someone also mentioned Zend funding someone to do the relevant work on livedocs.

Zend could make up a bounties list and pay people to spend time developing on livedocs to implement the features which they require in livedocs for the benefit of the community.

Three weeks for the features which he wants? I think that, given the right team of people, they could probably get it out the door in a month or two with all the bells and whistles and the bugs ironed out.

PHP and CSS Cheat Sheet

The PHP Cheat Sheet and CSS Cheat Sheet are quick and easy-to-use references.

April 29, 2005

Code readability

Jim Winstead, Jr. brings up a point which deals with the subject of bad code readability which Neil has brought up previously.

It's the simple things like taking the time to make your programming easier. For example Jim shows us the following example:

$query = "SELECT id,name,url,rss,md5sum,method,updated AS up,"
         . "       UNIX_TIMESTAMP(lastchecked) AS lastchecked,"
         . "       UNIX_TIMESTAMP(updated) AS updated"
         . "  FROM blogs "
         . " WHERE updated > NOW() - INTERVAL 10 MINUTE AND method = 0"
         . " ORDER BY up DESC"
         . " LIMIT 10";

Which he goes onto mention that he is now doing it like:

$query= "SELECT id,name,url,rss,md5sum,method,updated AS up,
                  UNIX_TIMESTAMP(lastchecked) AS lastchecked,
                  UNIX_TIMESTAMP(updated) AS updated
             FROM blogs
            WHERE updated > NOW() - INTERVAL 10 MINUTE AND method = 0
            ORDER BY up DESC
            LIMIT 10
          ";

Which makes it easier to copy and paste into the mysql command line utility. I'm known for having extremely long lines of code for SQL queries when I was programming in PHP back in the day. Also in certain ways it can make it worse when you have long long lines which you are trying to debug and are unable to figure out quickly what your 900+ character SQL query is doing!

A line like:
$categories = $dbh->getall ("SELECT directory_company_category_map.company_id, directory_categories.id AS category_id, directory_sub_categories.id AS sub_category_id, directory_categories.category, directory_sub_categories.sub_category_name FROM directory_categories LEFT JOIN directory_sub_categories ON directory_sub_categories.category_id=directory_categories.id LEFT JOIN directory_company_category_map ON directory_company_category_map.category_id=directory_categories.id LEFT JOIN directory_companies ON directory_companies.id=directory_company_category_map.company_id WHERE directory_company_category_map.category_id=directory_categories.id AND directory_sub_categories.category_id=directory_categories.id AND directory_company_category_map.sub_category_id=directory_sub_categories.id AND directory_company_category_map.company_id='" . $listings[$i]['id'] . "'");

is quite a bit to process ;) It looks way better like:


<?php
$categories = $dbh->getall ("
SELECT
    directory_company_category_map.company_id,
    directory_categories.id AS category_id,
    directory_sub_categories.id AS sub_category_id,
    directory_categories.category,
    directory_sub_categories.sub_category_name
FROM directory_categories
LEFT JOIN directory_sub_categories
    ON directory_sub_categories.category_id=directory_categories.id
LEFT JOIN directory_company_category_map
    ON directory_company_category_map.category_id=directory_categories.id
LEFT JOIN directory_companies
    ON directory_companies.id=directory_company_category_map.company_id
WHERE
    directory_company_category_map.category_id=directory_categories.id AND
    directory_sub_categories.category_id=directory_categories.id AND
    directory_company_category_map.sub_category_id=directory_sub_categories.id AND
    directory_company_category_map.company_id='" . $listings[$i]['id'] . "'
");
?>
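Readable layout also makes the one remaining problem in that query easy to spot: the listing id is still concatenated into the SQL string. The following is an added example, not the post's own code, that keeps the same multi-line layout but hands the id to the database as a bound parameter using PDO (the abstraction layer mentioned in the PHP 5.1 entry on this page) instead of the PEAR DB getall() call above. The in-memory SQLite schema and rows are constructed so the example runs stand-alone; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: the post's query with the company id bound, not concatenated.
function fetch_listing_categories(PDO $dbh, $companyId)
{
    $sql = "
        SELECT
            directory_company_category_map.company_id,
            directory_categories.id AS category_id,
            directory_sub_categories.id AS sub_category_id,
            directory_categories.category,
            directory_sub_categories.sub_category_name
        FROM directory_categories
        LEFT JOIN directory_sub_categories
            ON directory_sub_categories.category_id = directory_categories.id
        LEFT JOIN directory_company_category_map
            ON directory_company_category_map.category_id = directory_categories.id
        LEFT JOIN directory_companies
            ON directory_companies.id = directory_company_category_map.company_id
        WHERE
            directory_company_category_map.category_id = directory_categories.id AND
            directory_sub_categories.category_id = directory_categories.id AND
            directory_company_category_map.sub_category_id = directory_sub_categories.id AND
            directory_company_category_map.company_id = :company_id
    ";
    $stmt = $dbh->prepare($sql);
    // The value travels separately from the SQL text, so whatever it
    // contains cannot change the structure of the statement.
    $stmt->execute(array(':company_id' => $companyId));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory schema and sample rows for the demo.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE directory_categories (id INTEGER, category TEXT)");
$dbh->exec("CREATE TABLE directory_sub_categories (id INTEGER, category_id INTEGER, sub_category_name TEXT)");
$dbh->exec("CREATE TABLE directory_companies (id INTEGER)");
$dbh->exec("CREATE TABLE directory_company_category_map (company_id INTEGER, category_id INTEGER, sub_category_id INTEGER)");
$dbh->exec("INSERT INTO directory_categories VALUES (1, 'Hosting')");
$dbh->exec("INSERT INTO directory_sub_categories VALUES (10, 1, 'Shared')");
$dbh->exec("INSERT INTO directory_companies VALUES (42)");
$dbh->exec("INSERT INTO directory_company_category_map VALUES (42, 1, 10)");

print_r(fetch_listing_categories($dbh, 42));     // one row: Hosting / Shared
print_r(fetch_listing_categories($dbh, 'abc'));  // empty array: no structural effect
```

The query text is still copy-and-paste friendly for the mysql client; only the trailing literal becomes a named placeholder.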

April 20, 2005

Robert Peake plans on writing a 'Farming PHP Series'

Robert Peake is planning on writing an article for the International PHP Magazine on his experience of designing, building and implementing scalable web server farms for PHP/MySQL applications, to give users an overview of the issues involved.

I think one could write a whole series on this. His outline is too broad for a single article, as there is quite a bit to cover with his suggested outline.

April 14, 2005

PHP 5 Power Programming

Via Derick:

"Our book PHP 5 Power Programming" is now available free of charge as part of the Bruce Perens' Open Source Series under the OPL. Enjoy! If you like it, consider buying the book to award its authors though.

In this book, PHP 5's co-creator and two leading PHP developers show you how to make the most of PHP 5's industrial-strength enhancements in any project—no matter how large or complex. Their unique insights and realistic examples illuminate PHP 5's new object model, powerful design patterns, improved XML Web services support, and much more. Whether you're creating web applications, extensions, packages, or shell scripts—or migrating PHP 4 code—here are high-powered solutions you won't find anywhere else.

April 1, 2005

The PEAR Group announces that PEAR 1.4 is no more

PEAR 2.0 is being released about the 15 April 2005.

In an unofficial meeting the PEAR Group decided on the future of PEAR today. The main problem with PEAR is the BC topic and that therefore the migration of PEAR to PHP5 is pretty slow. To not be bound to their own rules, the PEAR community retired the release of PEAR 1.4 (which has been in alpha phase right now) in favor of starting a complete redesign for the PEAR installer which will be PEAR 2.0.

PHP.net announces new logo

Don't you just love the new PHP: Hypertext Preprocessor logo?

Egon Muenchberger is so far the only person to mail in about the fact that the logo has been changed, on one of my April Fools jokes. Pity my press release was not approved. :/

March 31, 2005

Random Python Notes

Coming from a PHP and Perl background, using Python can sometimes be a bit of a challenge when remembering what sort of array to use, as Python calls these dictionaries, tuples, or lists.

I've started compiling some random Python notes and am planning on comparing various Perl idioms with their equivalent Python versions.

March 30, 2005

Net_Monitor is out

Noticed that Net_Monitor 0.2.0 is out and has support for sending SMS messages using Net_SMS. I'll release my patches for sending using SMS_Clickatell in a little bit.



March 29, 2005

PEAR Validate_ZA Released!

I've rolled the first beta release of Validate_ZA for the PEAR Validate package. I've submitted it to three people who are leads for the PEAR Validate package and they seem inclined to red tape the inclusion so I've posted the tarball online for download.

Download from here Validate_ZA-0.1.tgz.

You most likely want to install PEAR Validate first. Next up on the TODO list is getting the basic South African Identity Number validation implemented. Also drop me an email if you find the validation functions for South Africa useful or if you have any other suggestions.

March 25, 2005

Why Switch?

The Scobleizer found the following which I picked up via John:

FellowshipChurch.com has decided to switch from ASP.NET to PHP. Brian Bailey blogs about their switch:

    As we began evaluating our options, one of our developers moved to another department so we began to search for his replacement. As I evaluated the resumes we were receiving, I began to have the sense that we were continuing down the wrong path [in using .NET]. Here are the top ten factors that influenced the decision to change direction.

Jason Fried once upon a time said:

"It's all a matter of trust. If you don't trust your developer to choose the right environment, then how can you trust him to build the best application?"

March 4, 2005

SAJAX PHP Resources for developing AJAX Applications

There has been quite a bit of discussion relating to AJAX.

Applications which use the AJAX approach include Google's GMail and Google Maps, just to name two of the popular ones.

SAJAX is a tool which was developed to make programming websites using a AJAX framework – also known as XMLHTTPRequest or remote scripting – as easy as possible.

I can't wait to see what else people are going to develop using cool JavaScript and CSS hackery.

February 12, 2005

Session Security

I've been reading up more and more about Session Security. I've even gone as far as starting a discussion on IRC to discuss certain aspects about session security, session fixation and session hijacking.

airox mentioned sending a second cookie for decrypting the session data, as session hijacking is impossible to stop outright.

For various projects I've been storing certain things like the user agent, remote IP address, etc. in the session and comparing them on each request. I also make a point of calling session_regenerate_id() if someone passes ?session_name=session_identifier as a GET/POST parameter.

Also one should not be saving session data to /tmp on the hard drive. I prefer storing session data in a MySQL database so that someone can't easily get to the session data.
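The checks described above, as an added example that is not the post's own code: the session id is only accepted from the cookie (so an id planted in a URL is ignored), the session is bound to a fingerprint of the user agent and the client's /24 network, and the id is rotated at login. Function names, session keys and the constructed request arrays are this example's own; hash_equals() needs PHP 5.6 and session.use_strict_mode PHP 5.5.2.

```php
<?php
// Added example: fixation and hijacking defences sketched in the post.

function secure_session_start()
{
    // Never read the id from ?PHPSESSID=... or a POST field (fixation).
    ini_set('session.use_only_cookies', '1');
    // Refuse ids the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Keep the cookie away from script access, and off plain HTTP when on TLS.
    ini_set('session.cookie_httponly', '1');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

// Fingerprint of the client. The post compares user agent and remote IP;
// the /24 mask (IPv4 only, IPv6 addresses are used whole) tolerates small
// address changes such as a pool of proxies within one block.
function session_fingerprint(array $server)
{
    $ua  = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    $ip  = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $net = implode('.', array_slice(explode('.', $ip), 0, 3));
    return hash('sha256', $ua . '|' . $net);
}

function session_matches(array $session, array $server)
{
    return isset($session['fp'])
        && hash_equals($session['fp'], session_fingerprint($server));
}

function login(array &$session, array $server, $userId)
{
    // A fresh id on privilege change defeats an id planted before login.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // true: discard the old session file
    }
    $session['user_id'] = $userId;
    $session['fp']      = session_fingerprint($server);
}

// Returns the logged-in user id, or null (and wipes the session) when the
// fingerprint no longer matches the request.
function current_user(array &$session, array $server)
{
    if (!session_matches($session, $server)) {
        $session = array();
        return null;
    }
    return isset($session['user_id']) ? $session['user_id'] : null;
}

// Constructed request data so the logic can be exercised without a browser.
$server = array('HTTP_USER_AGENT' => 'Mozilla/5.0 (demo)', 'REMOTE_ADDR' => '192.0.2.10');
$sess   = array();
login($sess, $server, 7);
var_dump(current_user($sess, $server));   // int(7)

$other = array('HTTP_USER_AGENT' => 'curl/7.0', 'REMOTE_ADDR' => '198.51.100.5');
var_dump(current_user($sess, $other));    // NULL: different client, session cleared
```

In a real request pass $_SESSION and $_SERVER to these functions after secure_session_start(); the fingerprint is a heuristic that limits what a stolen id is worth, not a replacement for HTTPS and a short session lifetime.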

February 11, 2005

Sean Coates has a blog

Sean Coates, from the PHP Documentation Team now has a blog.

Is PHP Enterprise Ready?

Every now and again people are asking the question "is PHP enterprise ready?"

Zend Technologies, who produce various products around PHP, list on their website names such as "Hewlett-Packard, Boeing, Lufthansa, Dresdner Bank, Disney Online, Yahoo!, Lycos, Sprint, T-Mobile, Orange, Nortel Networks, Lucent, WallStreetOnline and Siemens."

Here in South Africa, big names like Independent Online, Clickatell, Itouch, the Internet Solution, certain South African Government websites, the University of Cape Town and Obsidian Systems use PHP, just to name a few.

For example, Clickatell sells SMS messaging via APIs on their website, where you can use their SMS gateway to send SMS messages to any local or international mobile phone. Consider that Clickatell generates in excess of R5 million per annum and uses PHP as the scripting language for its web interfaces.

Independent Online use PHP for all their news portals including their flagship IOL site. Neil has discussed with numerous people about the IOL architecture and that it also runs on FreeBSD servers with MySQL for the database.


January 31, 2005

PHP Security Consortium

Check out the PHP Security Consortium website for information on securing PHP applications.

January 29, 2005

Zend wakes up to smell the roses

From Chris which brings us back to the infamous I am Spartacus where sterling told everyone that he invented PHP4 after he read this article.

I must have missed the backlash this time, but I understand the scorn over Zend's marketing statements. In my opinion, the concern has more to do with the lack of credit given to Rasmus than anything else. When Rasmus is referenced as the creator of PHP, no one objects, nor do they seem to consider it to be hoarding credit from the many contributors to PHP.

Ask a mod_perl developer who created mod_perl, and they'll tell you Doug MacEachern. Ask them who the core mod_perl developers are now, and they'll name people like Stas Bekman and Geoff Young. Doug no longer contributes, but no one else can ever truly claim creation.

Andi and Zeev have made substantial contributions, and it's very likely that PHP would never have reached its current level of excellence without their early involvement. It is understandable for Zend to trumpet their founders' involvement with the language. However, I think there would be far fewer objections if Zend's marketing statements at least shared credit for the creation of the language. I personally think it makes sense for Zend to position itself as a company with key PHP creators and innovators as founders. We all know Andi and Zeev, and we know how substantial their involvement is. For the average company executive, however, they're lucky to have heard of PHP. Zend's marketing tries to make Andi and Zeev's roles sound as significant as they are.

I'm very glad to hear that they have intervened and will be toning down these statements. As for Zend calling itself "The PHP Company," I don't see a problem with that at all. It's no different than Xerox calling itself "The Document Company." It suggests a particular focus, and it's a marketing attempt to position itself as the only or paramount one of its kind. I could say I wrote "the book" on HTTP, and I think that's fine, even though there are others. :-)

But you have to remember that Zend are making money from their innovations around the Zend Engine, which they wrote with contributions from other developers.

It reminds me of back in the day when Andi and Zeev decided to make the Zend Engine (a rewrite of the parser, extracted from the PHP core):

Zend Temporary License
======================

This is a temporary license, that is in effect until the final Zend license is available.

* The final license will include the ability to distribute Zend freely, as a part of PHP (in both compiled and source code formats). It may (and probably will) allow to redistribute Zend under other circumstances as well, but at the very least, it'll be freely distributed as a part of PHP.

* The source code in the Zend engine is the property of Andi Gutmans and Zeev Suraski. Parts of this code are based on source code taken from PHP 3.0, which may include several patches and enhancements that weren't made by us (Andi&Zeev). If you're the author of such a patch and you're not willing to give up ownership over your patch to us, please contact us as soon as possible, so we can remove it. We're doing this so that we'd be eligible to sell the Zend engine for uses other than PHP, most notably - as an embedded part of possible commercial products that we'd have.

* Patches submitted to the Zend CVS automatically fall under this license, and by submitting them you're implicitly giving up your ownership over this patch to us.

* Until further notice, Zend is in a status of a closed beta test. That means that only people that were explicitly given the right to access the Zend CVS repository are allowed to use it. If you're reading this file and you weren't explicitly given the right to access the Zend CVS repository from either Andi Gutmans or Zeev Suraski - you're not supposed to have it - please erase the Zend files from your system. When the closed beta period finishes, the Zend CVS tree will be open for the public (in read-only mode, of course).

Any questions regarding Zend or this license should be addressed via Email to zend@zend.com.

It's understandable that they wanted to develop a spin-off from prior work that they contributed to the PHP project (even though at that stage the code was released under the PHP License version 2).

Marketing would say let's over-market Andi and Zeev's roles in the PHP community to make it sound like they did more than they actually did (another marketer did the same when I was contracting for another company: they made it sound like I was this uber PHP hacker and a huge Perl guru at the time).

I don't go around releasing marketing material saying that, because I've got karma to certain web-based projects of the PHP project, you know that I'm a good web developer.

I think I should stop rambling on about this subject again. It's also weird that Zend do a certification programme as well, which should not be run by them, but that is another story.

The PHP Credits do credit Andi Gutmans, Rasmus Lerdorf, and Zeev Suraski for "Language Design & Concept", which makes one believe that Zend's marketing statements are misleading.

John, who works for Zend, says on his blog that there has now been a change in Zend's internal policy:

Thanks to some complaining by influential PHP community members however, I'm pleased to announce that Zeev and Andi have intervened within the company and will from this point forward change the wording used in press releases to more accurately reflect the ongoing contributions to PHP by those in the general community. I get the warm fuzzies to see my employer willing to change their ways a little bit and give credit when credit is due! I'm told they'll also be changing the press release which caused the backlash on the web site soon as well.

January 18, 2005

Been testing Zend Canaveral

I've been testing the Zend Canaveral software for a week or so now. I spoke about Zend Canaveral in an earlier blog post.

It comes in quite useful for testing the PHP.net livedocs issues which appear in the event log like the following:

Quite useful :) Also I'm wondering whether there are any special deals for the PHP.net webteam so that we can utilise the software for developing stuff for PHP.net?

I'd be curious to know where the bottlenecks and problems are on various PHP.net websites.

January 14, 2005

Simpler solutions to forking software

We've been having discussions on IRC about the lack of development on the livedocs which is a "sub-project" of the PHP Documentation Team for creating "living documentation".

So instead of doing the whole forking thing that we've been chatting about for a few days on IRC, I'm getting karma so that I can start implementing various patches into the current code base as well as doing development work on livedocs.

January 7, 2005

Zend Platform a.k.a. Zend Canaveral is available

Via phpdeveloper.org

Zend have released their new Zend Platform, formerly known as Zend Canaveral.

Looks interesting nonetheless.

December 30, 2004

Thinking about the FUD surrounding the phpBB exploit

I have been reading about PHP in the press and a comment from Jan Schneider.

I'm thinking the reason why people are assuming that the phpBB exploit would affect projects like Horde is due to them not understanding that the phpBB exploit was due to insecure programming. The Horde project was not vulnerable to the same vulnerability that phpBB was. We've always been reminded that we should never trust user data without validating the data. I call this "scrubbing the data".

I just wanted to pass along my concern about the beating that PHP is taking all over the press. Actually not just a beating, it's really being shit on, frankly. I've been looking around at all my usual large PHP sites, and not one word about the bad press, not even on phpBB. I'm amazed. I can only conclude that PHP people might be saying something like, "we put the patches out months ago and if people don't install them, then too bad, and we'll just wait 'til this blows over".

Why would we want to write press releases stating that phpBB's inclusion of PHP in their project name brings bad karma to the PHP project? In the License FAQ on the PHP.net website we state:

Q. I've written a project in PHP that I'm going to release as open source, and I'd like to call it PHPTransmogrifier. Is that OK?

A. We cannot really stop you from using PHP in the name of your project unless you include any code from the PHP distribution, in which case you would be violating the license. But we would really prefer if people would come up with their own names independent of the PHP name.

Why you ask? You are only trying to contribute to the PHP community. That may be true, but by using the PHP name you are explicitly linking your efforts to those of the entire PHP development community and the years of work that has gone into the PHP project. Every time a flaw is found in one of the thousands of applications out there that call themselves "PHP-Something" the negative karma that generates reflects unfairly on the entire PHP project. We had nothing to do with PHP-Nuke, for example, and every bugtraq posting on that says "PHP" in it. Your particular project may in fact be the greatest thing ever, but we have to be consistent in how we handle these requests and we honestly have no way of knowing whether your project is actually the greatest thing ever.

So, please, pick a name that stands on its own merits. If your stuff is good, it will not take long to establish a reputation for yourselves. Look at Zope, for example, that is a framework for Python that doesn't have Python in the name. Smarty as well doesn't have PHP in the name and does quite well.

I use Smarty for web-based applications which I've worked on in the past and IMHO I've found it to be the easiest template engine to work with.

For example, I started developing an application framework a few months back and was thinking about what to name it. I thought about it for a while and asked a few friends what they thought about a couple of names I came up with. I decided that I was not going to use PHP in the application name because of the karma issue. Eventually I called it the Tshukudu Application Framework, which means rhino in Sotho, one of the official languages in South Africa.

The Horde Project is another example of a project which does not use PHP in its highly successful project's name.

That's fine, except then there's no response to all the disinformation out there. The non-tech-savvy sites are making it sound as though all PHP is susceptible to these attacks. I read enough to check on my version of PHP and what commands to look for in scripts, so I think I'm OK. I write scripts, and even I'm not completely sure.

Derick Rethans, another person from the PHP project, wrote an entry on his blog about phpBB worm FUD which explains that the phpBB exploit, the Santy.A worm, does not utilise any of the security issues addressed by the latest PHP bugfix release. It was due to a badly checked input variable which was passed to preg_replace() with the /e modifier. PHP itself is of course affected by the other issues that its bugfix releases address. Passing the blame to the PHP Group and saying that it is not their fault is incorrect: trusting data from users without validating the data is the problem, and badly written PHP code can be exploitable in certain cases.

I remember when there was an exploit for earlier releases of phpBB which allowed non-admin users to become admin users on your phpBB installation. That was when I started looking around for another forum package written with security in mind, and when I started using FUDforum.

Users have also not taken the time to learn how to code with security in mind. Turning register_globals off is a good start: it reduces the likelihood of someone injecting arbitrary data into variables which your script then trusts. With register_globals on it can even be possible to compromise settings in $_SESSION[] from the request. For example, calling http://www.example.org/?_SESSION[auth]=1 with register_globals on would set $_SESSION['auth'] to 1. The PHP Manual section on register_globals explains this sort of attack in more detail.
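The following is an added example, not code from the original post, showing the two halves of dealing with register_globals: a guard for the top of your bootstrap that, when the setting is still on, removes the request variables PHP copied into the global scope and refuses requests that try to smuggle in a superglobal name such as ?_SESSION[auth]=1; and code that is safe whichever way the setting is configured, because every variable is initialised before use and read explicitly from the superglobal it is expected to come from. The function names and the 'admin' session value are assumptions made for this example.

```php
<?php
/**
 * Added example, not from the original post.  register_globals cannot be
 * changed at runtime, so the real fix is "register_globals = Off" in
 * php.ini (or "php_flag register_globals off" in .htaccess).  The guard
 * below is a safety net for hosts you do not control.
 */

function undo_register_globals()
{
    if (!ini_get('register_globals')) {
        return 0;                                   // nothing was registered
    }

    $superglobals = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                          '_SERVER', '_ENV', '_REQUEST', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES);

    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $superglobals, true)) {
                // e.g. ?_SESSION[auth]=1 or ?GLOBALS[x]=y: do not serve this at all.
                header('HTTP/1.0 400 Bad Request');
                exit('Bad request.');
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);             // drop the injected global
                $removed++;
            }
        }
    }
    return $removed;
}

// Safe regardless of register_globals: the decision variable starts out
// false and is only ever set from the session, never from a bare global.
function is_admin()
{
    $admin = false;
    if (isset($_SESSION['auth']) && $_SESSION['auth'] === 'admin') {
        $admin = true;
    }
    return $admin;
}

// Contrast: with register_globals on, a request for ?auth=admin sets the
// global $auth before this code runs, and the uninitialised test passes.
function is_admin_unsafe()
{
    global $auth;
    return isset($auth) && $auth === 'admin';
}

// Call this before anything else in your bootstrap.
undo_register_globals();
```

The guard only covers what arrived in this request; it is no substitute for turning the setting off, and the is_admin() pattern (initialise, then read from the named superglobal) is what makes code survive a host where you cannot.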

FUDforum was developed by Ilia, one of the developers of the PHP language, and was written with security in mind.

There are articles written to help users improve the way they write PHP code.

For example:

<?php
/**
* Bad code ahead!
*/

include ($_GET['page']);
?>

The above code snippet passes unchecked request data straight to include(): the client chooses which file is included, so a path like ../../../../etc/passwd discloses local files, and with allow_url_fopen on a URL to a remote script gets fetched and executed. A better way of doing it would be:

<?php
$pages = array(
    'aboutus.php',
    'contactus.php',
    'nav.php'
);

// Only include the file if the request matches one of the known pages
// exactly (strict comparison, so values like "0" do not match).
if (isset($_GET['page']) && in_array($_GET['page'], $pages, true)) {
    include ($_GET['page']);
} else {
    die ("Fiddling.");
}
?>

I prefer not doing inclusions like the above, where you include files into your script. I find index.php?page=nav.php (a) looks ugly and (b) it's fine to have each file separate, like nav.php, which you would call directly.
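If you do want a single entry point, the safer shape is to never let the request name a file at all. The following is an added example, not code from the original post: the request carries a short key (?page=about), the key is looked up in a fixed map, and the file name comes from the map, never from the client. The map contents, the pages/ directory and the function names are assumptions made for this example.

```php
<?php
/**
 * Added example, not from the original post: a page router that never
 * passes request data to include().  Inputs such as
 * ../../../../etc/passwd, http://evil.example/shell.txt or aboutus.php%00
 * are rejected simply because they are not keys in the map.
 */

// Known pages: request key => file name below the pages directory.
function known_pages()
{
    return array(
        'home'    => 'home.php',
        'about'   => 'aboutus.php',
        'contact' => 'contactus.php',
    );
}

// Map the request value to a file name, or return false if it is not a
// known key.  No trimming, lower-casing or stripping: either the value is
// exactly a key in the map or it is rejected.
function lookup_page($requested, $pages)
{
    if ($requested === null || $requested === '') {
        $requested = 'home';                        // default page
    }
    if (!is_string($requested)) {
        return false;                               // ?page[]=x arrives as an array
    }
    if (!array_key_exists($requested, $pages)) {
        return false;
    }
    return $pages[$requested];
}

// Turn the file name into a path and confirm it really lies below
// $base_dir, so a mistake in the map (say '../config.php') cannot leak a
// file from outside the pages directory.
function page_path($file, $base_dir)
{
    $base = realpath($base_dir);
    $real = realpath($base_dir . '/' . $file);
    if ($base === false || $real === false) {
        return false;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Constructed probe inputs for a quick check from the command line:
    // only the last two are accepted, everything else would become a 404.
    $probes = array(
        '../../../../etc/passwd',                   // path traversal
        'http://evil.example/shell.txt',            // remote include via allow_url_fopen
        "aboutus.php\0",                            // null byte trick
        'aboutus.php',                              // file name instead of key
        'ABOUT',                                    // keys are case sensitive
        '',                                         // falls back to 'home'
        'about',
    );
    foreach ($probes as $probe) {
        $file = lookup_page($probe, known_pages());
        printf("%-32s => %s\n", addcslashes($probe, "\0"),
               $file === false ? 'rejected' : $file);
    }
} else {
    $requested = isset($_GET['page']) ? $_GET['page'] : null;
    $file = lookup_page($requested, known_pages());
    $path = ($file === false) ? false : page_path($file, dirname(__FILE__) . '/pages');
    if ($path === false) {
        header('HTTP/1.0 404 Not Found');
        exit('No such page.');
    }
    include $path;
}
```

Running it from the command line prints the probe table without touching the filesystem; under a web server it serves ?page=about from pages/aboutus.php and answers everything else with a 404.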

Recommended Reading


December 29, 2004

Gotta 'love' Zend

Andi and Zeev's company is now listing info about people who have CVS access to the PHP cvs server.

jacques

December 25, 2004

Horde Installer (part 2)

I discussed earlier my work on my Horde Installer. It is starting to look a tad easier to do now, considering that the Horde Project distributes a configuration utility alongside Horde where you can configure the conf.php part of Horde via a web interface. I'm going to see how difficult it is to add a web frontend to my setup-webmail.php script, which currently runs from the command line.

I'm thinking a good example of what a UI for the installer should be like would be the web based installer for gallery. We shall see how that goes. I'm going to get the command line script into a somewhat usable format first and base the web based installer version on it, but I don't think that using the Smarty template engine for the installer's templates would be a good idea as it would make the installer way too bloated.

December 24, 2004

Movable Type Comment And Trackback Closing Script (PHP)

I've hacked together a script which closes commenting and allowing trackback pings to blog entries that are older than 15 days. You can view it over here.

This is a early christmas present. It was written using PHP and PEAR DB (which should be in your include_path).

I was trying to get Kasia's perl based comment closing script to work but it did not and I was not in the mood for perl a few days ago and I hacked up the following php script.

It's been done by others before (Jeremy has it on his blog, mine is better cause it's longer!) but in the spirit of "not invented here" I wrote my own script which closes MT entries to comments and pings.

The idea is to cron it and forget about it and it has worked in that capacity well enough for the last few weeks.. so if anyone wants to use it (or they just like to amuse themselves by reading perl written by a Java programmer) the code is available here.

Remember you need to change the database connection details and you are good to go.

PHP FUD is getting annoying now

Picked up from Derick Rethans, about PHP FUD, which summarises this FUD better than what I was typing:

Everybody who thinks that the Santy.A worm uses one of the security problems addressed in PHP's latest bugfix releases is wrong. It was NOT due to any bug in PHP, but merely a badly checked input variable which was passed to preg with the /e modifier. Besides this, phpBB is also vulnerable to some of the things addressed by PHP's new releases. But they are wrong saying that it is not their fault. Not-checked usage of serialized data is still their problem. Short version: use FUDforum.

I also use FUDforum ;)

November 20, 2004

We live in a cruel cruel world?

Rasmus has had his laptop stolen at a PHP conference in Paris.

My nice new T42p was stolen by some loser at a PHP conference in Paris. It is amazingly inconvenient to lose a laptop like this. It was from inside the conference hall and there was virtually no non-geek traffic there. If a fellow geek actually stole my laptop from a PHP conference then there is something seriously wrong with the world. You can steal my car, my money, my shoes, I don't really care, but don't steal my damn laptop!

Really sucks when someone steals your hardware.

November 16, 2004

Events Calendar Submissions

I must be the only one wondering why there are trolls who continuously think that when they submit "events" using the event calendar they are just going to be automatically added to the php.net website and the various mirrors of the website?

Am I missing something here? Or should I just assume that people can't read?

Have an upcoming PHP user group meeting? Holding a PHP training session? Submit your event here, and after it has been approved, it will be listed on the PHP.net homepage and appear in our full event listings.

November 10, 2004

doc.php.net

If doc.php.net looks half dead for the next twenty or so minutes it's due to an apache upgrade. It should be back to normal in a bit. :) I'm having to rebuild all the misc. apache modules etc. which I run on the webserver. Hopefully sqlite will behave after the upgrade :)

UPDATE:
Upgrade has been completed successfully and sqlite is working again.

November 2, 2004

Coding better PHP

I think numerous people who code using PHP have no clue how to utilise various excellent resources / add-ons for PHP from Smarty: template engine to using PEAR packages.

I've heard numerous times by various sources to not re-invent the wheel hence I started hacking up various application frameworks which I use on personal projects currently like my personal website.

I think reading the PHP manual is a place to start reading. I remember when I started coding PHP I used to read the source code to various websites from the PHP.net website to example files included with php2 and php3.

Other useful resources include:

I suppose we can always learn from various people and improve our usage of PHP. I try and utilise PEAR packages like PEAR DB which make it easier for others to see what I'm smoking or whatever that saying is when coding as well as reducing the time it takes on coding projects duplicating code. Sometimes one finds that you can extend a class like Net_Socket instead of starting your own one from scratch.

October 18, 2004

upgrading your sources before going offline

One of the problems with the pricing of telephone calls in South Africa is that one tends to need to fit all your downloading in when you are either at the office or when at home and on dial-up you need to limit your time online.

Here is some code which I use to update all my cvs checkouts from cvs.php.net for working offline and works like a bomb. :)

October 11, 2004

Zend Mugs get delivered broken

*sigh* I received a Zend Mug which arrived broken on Saturday. The handle is off. There are a couple of nice chips in the cup. Best of all, the people who were packaging the mugs forgot the following important point for packaging: you need to put bugs into a box which helps keep the mug in one piece when shipping!

I might take some photos of the broken mug to place online when I get round to it. As Don says it makes a nice pencil holder. *sigh*

September 27, 2004

PHP 5.0.2 is out

The PHP Development Team is proud to announce the immediate release of PHP 5.0.2. This is a maintenance release that in addition to many non-critical bug fixes, addresses a problem with GPC input processing. All Users of PHP 5 are encouraged to upgrade to this release as soon as possible.

For changes since PHP 5.0.1, please consult the ChangeLog.

PHP 4.3.9 is out

The PHP Development Team is proud to announce the immediate release of PHP 4.3.9. This is a maintenance release that in addition to over 50 non-critical bug fixes, addresses a problem with GPC input processing. This release also re-introduces ability to write GIF images via the bundled GD extension. All Users of PHP are encouraged to upgrade to this release as soon as possible.

For changes since PHP 4.3.8, please consult the ChangeLog.

September 14, 2004

Can't wait for PHP 4.3.9 :)

I can't wait for the long awaited release of PHP4 version 4.3.9 which fixes numerous bugs and is more stable than 4.3.8 from various tests I've been doing.

There is less output on the failed test summary section which is a good thing if you ask me ;) I think this is going to be the best PHP 4 release yet. Hats off to Ilia our PHP 4 release manager.

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #24773 (unset() of integers treated as arrays causes a crash) [tests/lang/bug24773.phpt]
Bug #24783 ($key not binary safe in "foreach($arr as $key => $val)") [tests/lang/bug24783.phpt]
Bug #25547 (error_handler and array index with function call) [tests/lang/bug25547.phpt]
Bug #27731 (error_reporing() call inside @ block does not work correctly) [tests/lang/bug27731.phpt]
Bug #27780 (strtotime(+1 xxx) returns a wrong date/time) [ext/standard/tests/time/bug27780.phpt]
xslt_set_object function [ext/xslt/tests/xslt_set_object.phpt]
=====================================================================

September 13, 2004

php vs. perl for web development

Via Jim Winstead Jr.

joe johnston explains why php is more popular than mod_perl for web development. the short answer is that they solve different problems.

i've been thinking about this with regard to python recently. i'd love to learn more python, and use it in the web space, but mod_python is more like mod_perl than php, and when i'm developing web stuff, my thinking matches the php model closer than the mod_(python|perl) model.

Also remember that we should try and use the best tool for the job. In most cases for myself it is using PHP.

September 11, 2004

doc.php.net

doc.php.net for the PHP.net documentation types is up and running. There are various utilities available for us which Gabor suggested we get working on our vhost.

We have both a MySQL database and an SQLite database running for our requirements.

September 2, 2004

Livedocs

Spent a couple of minutes quickly creating a page header image for the livedocs patch system which goes in with the theme of the main site layout. I will eventually get around to hacking up the blog layout at some stage.

August 29, 2004

Cache_Memcached Hacking

Been hacking on Cache_Memcached to try and get the perl and php versions to return similar data for their _hashfunc function.

In Cache/Memcached.pm there is the following:

sub _hashfunc {
    return (crc32(shift) >> 16) & 0x7fff;
}

and in the php version I have

<?php
function _hashfunc ($_num) {
    return (sprintf("%u", crc32($_num) >> 16) & 0x7fff);
}

Now my question is why do they return the same hash in certain cases and in other cases different hashes? Or was I being silly when porting the perl code to PHP?

Update
Figured it out. :)
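The post does not say what the fix was. As an added example, not the author's code, here is my own reading of where such a port goes wrong and a version that matches the Perl hash on both 32-bit and 64-bit PHP, assuming both sides compute the standard CRC-32 (String::CRC32 on the Perl side, crc32() on the PHP side). The function names are mine.

```php
<?php
/**
 * Added example, not from the original post.
 *
 * Perl's crc32 returns an unsigned 32-bit value, so ">> 16" is a plain
 * logical shift.  PHP's crc32() yields the same 32 bits, but on a 32-bit
 * build values with the top bit set come back negative and ">>" then
 * sign-extends from the top.  The final "& 0x7fff" keeps only bits 16..30
 * of the CRC, and those are identical under either kind of shift, so the
 * mask alone is sufficient.  Going through sprintf('%u', ...) first turns
 * a negative shifted value into a decimal string larger than PHP_INT_MAX
 * on 32-bit PHP; casting that back for the "&" no longer yields the value
 * Perl computed, which is why only some keys hashed the same.
 */
function memcached_hashfunc($key)
{
    $crc = crc32($key);
    // Arithmetic vs. logical shift differ only in bits the mask removes.
    return ($crc >> 16) & 0x7fff;
}

// The same thing spelled out with unsigned arithmetic on the decimal
// string, useful for checking the shortcut above by hand.
function memcached_hashfunc_slow($key)
{
    $unsigned = sprintf('%u', crc32($key));     // unsigned on every platform
    $high16   = (int) floor($unsigned / 65536); // logical shift right by 16
    return $high16 & 0x7fff;
}

// Constructed sample keys; both functions must agree on every one of them.
foreach (array('foo', 'bar', 'user:1234', 'session:deadbeef', '') as $k) {
    printf("%-20s %5d %5d\n", $k, memcached_hashfunc($k), memcached_hashfunc_slow($k));
}
```

Keeping the mask and dropping the sprintf() is enough for the bucket selection to line up with Cache::Memcached; any difference left after that points at the CRC implementation rather than the arithmetic.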

August 27, 2004

Auth_TypeKey

I was speaking earlier about writing a PECL module for the TypeKey Authentication Service which would work similarly to Benjamin Trott's Authen::TypeKey Perl module.

One of the things I like about the TypeKey Authentication Service is that users register on the TypeKey website and are required to be logged into TypeKey before they try to post to my weblog, or to any other weblog which requires you to have a TypeKey profile.

This approach has also reduced comment spam, but the comment spammers then decided to use trackback spam, so you have to install some sort of blacklisting system to complement your comment spam prevention methods.


Document your code

Paul M. Jones has been complaining about public PHP code esp. PEAR Classes.


Mirmon is nifty

I've been using Mirmon for a couple of weeks now to monitor the PHP website and the various mirror sites of www.php.net to see how fresh content on the mirrors are, whether there are problems with mirrors updating using rsync, and various other useful statistical data one gets back from mirmon's web status output.

August 19, 2004

Typekey Authentication for PHP

Benjamin Trott released Authen::TypeKey for Perl, and I was thinking about how cool it would be to have a PEAR class similar to the Perl version.

Doing some browsing online I've come across TK 0.1 which requires one to load an additional module to have access to the DSA stuff.

August 17, 2004

livedocs patch system

Started hacking up something which I'm currently calling the Livedocs Patch System in its current form. Basically what this patch system does is allow users to submit patches for Livedocs via a web interface where we can see the patches.

I'm thinking of adding additional functionality to comment on patches, possibly vote on a patch.

I might even hack up a bug tracker for livedocs as well.

August 13, 2004

PHP 5.0.1 is out

For those who have not heard yet that PHP 5.0.1 has been released!

The PHP Development Team would like to announce the immediate availability of PHP 5.0.1. This is a maintenance release that in addition to many non-critical bug fixes also includes new UNIX and Windows installation docs which are now auto-generated from the PHP Manual.

For changes since PHP 5.0.0, please consult the ChangeLog.

August 6, 2004

Making docweb happen

Sometimes the only way forward for when things start slowing down is to make them happen.

docs.php.mirrors.powertrip.co.za is where I've started making the PHP Documentation Site 'live' for heavy development.

Things I'm currently focusing on at the moment is getting the various scripts in docweb/scripts to work on the box so that we can get the web interface back on track.

August 5, 2004

php.net website bugfixing time

Okay, yesterday I fixed an issue where the links for the references of messages on news.php.net were not working. It also does not show references where colobus (the NNTP server written in Perl by Jim Winstead that serves up ezmlm mailing lists as newsgroups) does not know anything about that particular message-id.

If anyone finds any issues which needs to be resolved, please report the bugs to PHP.net bugs interface and we will get round to sorting them out.

I'm planning on looking into getting the news.php.net website to display threads for messages, show which message in a thread you are currently viewing, and show list descriptions on the front page of the news site.

July 25, 2004

Hardened PHP + Zend Optimizer = Segmentation fault (core dumped)

Running php 4.3.8 with the hardened-php patch 0.2.2 and ZendOptimizer 2.5.3 one gets the following:

su-2.05b# php -v
Segmentation fault (core dumped)

Not very nice :/

Update:
It turns out that Zend Optimizer accesses the Zend Engine's linked lists (LList) directly instead of using the Zend Engine API. Busy waiting for feedback from Zend as to when they are going to fix this. Dmitry Stogov, who works for Zend, wrote Turck MMCache prior to joining Zend. Turck MMCache works where Zend Optimizer does not. ionCube is reported to also work.

July 21, 2004

What do BFN and MFH stand for?

Today, two separate users asked on the php internals mailing list what BFN and MFH stand for.

BFN stands for 'Bug Fixing News'. This is essentially when someone fixes a bug in php. Normally this relates to a bug filed on the PHP bugs website.

MFH stands for 'Merged From HEAD'. HEAD is the main development branch and when features / bug fixes get applied or merged to other branches it's called MFH.

More reason to code using 'english'

In PHP we have some weirdly named things. For example there is Paamayim Nekudotayim which at first looks like an extremely weird choice for calling a double colon. At the time of writing Zend Engine 0.5 Andi and Zeev decided to call the double colon the Paamayim Nekudotayim and the name has never changed. Paamayim Nekudotayim actually means double colon in Hebrew.

Just imagine if I named everything in Afrikaans when I code: we might end up with variables and functions like $_naam, $_tyd, etc. A scary thought. I prefer coding with names in English as it makes it a lot easier for others to read variable names, etc., and English is normally the bulk of people's second language if not their first.


PEAR Archive_Tar

I talked a little about my Zend Optimizer Download Script which currently just downloads the latest version of Zend Optimizer from Zend Technologies website.

I've been thinking about adding some code to basically make it extract and install Zend Optimizer in the normal way I've been manually installing Zend Optimizer for the past couple of years.

I've used Archive_Tar previously for my Horde Webmail Solution installation via command line which works well except for the fact you still have to manually configure certain bits and pieces of the Horde suite.

July 14, 2004

PHP 4.3.8 released!

Version 4.3.8 of PHP has been released. This release has been made in response to several security issues that have been discovered since the 4.3.7 release of PHP. All users of PHP are strongly encouraged to upgrade to PHP 4.3.8 as soon as possible.

June 16, 2004

IOL's website looks changed

Went to take a look at IOL today, and found that they've changed their look and feel. And on top of it I keep getting a server busy page for the past hour.

The look looks a lot cleaner, but time will tell once they fix their server load issues if the look extends through the entire site.


June 12, 2004

search.php.net

Busy hacking some PHP to re-introduce the useful old php.net website search functionality. Google results do not seem to give me what I want the way the old site search using htdig did.

The idea would be to perhaps make the site search scale over a couple of boxes using the same generated htdig databases etc.

/usr/local/bin/htdig -a -s -c /usr/local/etc/htdig/php.conf

June 11, 2004

PHP 5.0.0RC3

The third (and hopefully final) Release Candidate of PHP 5 is now available! This mostly bug fix release improves PHP 5's stability and irons out some of the remaining issues before PHP 5 can be deemed release quality. Everyone is now encouraged to start playing with it!

Busy testing PHP 5.0.0RC3 with a couple of production applications to iron out any migration problems for when we upgrade to PHP 5.0.0 in the near future once it is released.

March 8, 2004

PEAR Net::SMS

Busy getting ready to roll version 0.2 of the PEAR Net::SMS package as part of a project to code classes for interfacing to various SMS gateways.


June 24, 2003

Zend sponsors PHP Usage Survey

Zend Technologies is sponsoring a public PHP Usage Survey. The results will be shared with the PHP Group, and will help us to better understand the ways in which PHP is being used, and what may need improvement. Fill it out and get a chance to win one of 50 PHP T-shirts!

