Hauser & Wenz :: Blog - PHP

Serendipity Upgrade to v 1.5.x Gotcha

nospam@example.com (Christian) — Wed, 23 Dec 2009 08:32:04 +0100

Just a quick note: I just updated Serendipity to version 1.5.1 on one of our servers; yet afterwards I could not log in anymore. Also, Serendipity reported that version 1.5.1 was present, although I did not run the update script from the admin console yet. At first I thought I did something wrong, but a s9y forum posting described a similar issue.

The fix was actually quite simple: for some reason—may it be due to my own fault or due to a bug in the upgrade logic—the SQL upgrade script was not run, but Serendipity still thought it had been upgraded already. The file sql/db_update_1.5-alpha1_1.5-alpha2_mysql.sql contains the required SQL commands (in case you are using MySQL). Just remember to replace {PREFIX} with the table prefix you are using (s9y_ in my case):



ALTER TABLE s9y_authors ADD COLUMN hashtype int(1);

ALTER TABLE s9y_authors CHANGE password password VARCHAR(64) NOT NULL;

HTH. Once again, Happy Holidays.

PHP Advent 2009: JSON Gotchas

nospam@example.com (Christian) — Sun, 13 Dec 2009 10:03:59 +0100

Just a quick note that my JSON Gotchas article has just been published. The editors removed the last sentence, so here it is again: Happy holidays everyone!

Installing PHP on Windows 7

nospam@example.com (Christian) — Mon, 12 Jan 2009 12:45:07 +0100

Microsoft have released the first public beta for their upcoming Windows 7 operating system. To me it looks surprisingly similar to Vista (which is a good thing and a bad thing ), so I thought that installing PHP on it should be easy, as well. Actually, it was really easy, but since yesterday two people indenpendently from each other asked me how to do it, I thought I'd write down the required steps.

Continue reading "Installing PHP on Windows 7"

PHP 4.4.9 Released (And Why You Should Be Worried If You Consider Installing It)

nospam@example.com (Christian) — Fri, 08 Aug 2008 08:43:09 +0200

Today is a day many people have been looking forward to for quite some time. No, it's not mass-marrying on 8-8-08, it's the day after the release of PHP 4.4.9. The important fact of this release is that it will be the final one for PHP 4. Ever. (Well, of course there might be the scenario of companies offering posthumous security patches, but that doesn't count here.) If you are still not convinced that PHP 4 is at the end of its life, just have a look at the changelog: the previous release is seven months old, and since then only five issues have been fixed.

I am aware that many sites, especially those with really old legacy code, will still not update (heck, I even know of some large PHP 3 based sites running strong [and insecure]), but if you have the resources to update your code base, you should do so really soon. PHP 5.3 will (most probably) be released later this year, and PHP 6 will get rid of a lot of stuff that has only been kept for the sake of backwards compatibility.

Zend Studio for Eclipse 6.0 Released (and Zend Studio 5.5.1, too)

nospam@example.com (Christian) — Wed, 05 Mar 2008 14:19:01 +0100

I am probably not the first to notice that, but thought it would be worth mentioning anyway. Zend have released version 6.0 of Zend Studio for Eclipse. Actually, this version 6.0 is the first final version of the Eclipse edition of Zend Studio.
According to Zend,

[they] will provide customers that are currently under maintenance for Zend Studio 5.5 a free upgrade to Zend Studio for Eclipse. If you wish to continue to use Zend Studio 5.5 simply renew as you would normally and licenses will be provided for both products. Any Zend Studio purchase will entitle customers to use both products.

I have to say that I am rather in the "I can achieve better results without Eclipse" camp, but will try the new version nevertheless. So far, the IDE looks very good. The only minur issue I found is that it ships with a quite old version of JRE (1.5.0_08_b03, which translates to 5.0 update 8; the latest version as of today is 5.0 update 15 or, even better, 6.0 update 5). Oh, and the PHP 4 version that comes with it is 4.4.7.

While downloading the Eclipse version, I also found out that "classic" Zend Studio 5.5.1 has been released about a month ago. New features include Leopard and Vista support (finally!); the versions of PHP and Zend Framework have been bumped to 5.2.5 and 1.0.3.
When using the "check for updates" feature of my 5.5.0a installation, it neither showed me the 5.0.0b update nor the 5.5.1 version. When installing 5.5.1, it refused to use my 5.5.0 license key, though. I contacted support and will update this entry when this has been resolved.

Update: The Zend support staff regenerated my license, Zend Studio 5.5.1 now works seamless. And make sure to read the comments: Obviously, the Zend Studio for Eclipse 6.0 release is from January — but it's still not clear why one local Zend subsidiary sent me an email on the "new" release yesterday

Larry Wall on PHP

nospam@example.com (Christian) — Tue, 18 Dec 2007 15:35:06 +0100

Found this in Stefan Fischerländer's (German) blog some time ago, and although I do not quite agree, I found it really funny. Since today is Perl's 20th birthday, I thougt it would be a good day to post that.

Larry Wall recently wrote the very amusing article "Programming is Hard, Let's Go Scripting...". He draws a pretty darn funny line between scripting languages and programming languages. He also mentiones PHP, of course. At first, he compares PHP to JAM (Jury-rigged All-purpose Meta-language), a language Larry wrote himself, in BASIC!

JAM was an inside-out text-processing language much like PHP, except that HTML hadn't been invented yet. We mostly used it as a fancy macro processor for BASIC. Unlike PHP, it did not have 3,000 functions in one namespace. We wouldn't have had the memory, for one thing.

Alright, cheap shot. However the following cracked me up about as much as the Perl 6 release schedule:

We've also seen the rise of PHP, which takes the worse-is-better approach to dazzling new depths, as it were. By and large PHP seems to be making the same progression of mistakes as early Perl did, only slower. The one thing it does better is packaging. And when I say packaging, I don't mean namespaces.

You may agree or disagree with Larry, but the article really is a jolly good read!

Zeev on PHP

nospam@example.com (Christian) — Thu, 08 Nov 2007 16:44:43 +0100

As far as I have seen, a two part interview the German online portal Golem conducted with Zeev Suraski in Mid-October went quite unnoticed in the non-German speaking community, so I thought that I would sum up the most important topics he covered (translation errors are all mine; I also tried to maintain the context of what Zeev said, but you never now):

Zend Studio will continue to exist, even though the Eclipse PDT have been published. A new Zend Studio version should be available in the foreseeable future. Should time tell that everybody migrates over the Eclipse, Zend Studio may be superseded.
[On PHP 6 migration:] Incompatibilities between PHP 5 and PHP 6 may be more severe than they were between PHP 4 and PHP 5. Everything possible is done to make the migration from 5 to 6 as seamless as possible.
It will take at least one year until PHP 6 will be there.
APC may be part of PHP 6, but there will also be a commercial Zend product.
[On new features in PHP 6:] Unicode an PHP setup changes (referring to register_globals etc.). Most other new functionality may also come with PHP 5.3 or 5.4.
Five or six developers work full-time on the Zend Framework.
Zend plans to publish tools to facilitate and speed up development of Ajax applications with PHP [something I have been complaining about since years ;-)]

Some interesting points here. Thoughts/comments?

FastCGI for IIS 5.1/6.0 Go-Live

nospam@example.com (Christian) — Tue, 09 Oct 2007 18:15:24 +0200

I have been following the FastCGI development for quite some time; it is currently available for IIS 7 (i.e. Windows Vista). I just saw that a pre-release version of FastCGI for IIS 5.1 (Windows XP) / 6.0 (Windows 2003) has been released, coming with a go-live license (which means that you may actually use it in production, but have to decide for yourself whether you really want that). Microsoft now dubs it "FastCGI for PHP", wow. Our experiences with previous builds have been quite good, so if you are hosting on IIS (as some of our customers are), you should have a look. And now -- back to the ZendCon keynote

WSO2 Web Services Framework (WSF)/PHP v1.0.0 Released

nospam@example.com (Christian) — Sat, 04 Aug 2007 13:26:02 +0200

I just noticed today that a few days ago, WSO2 released the final version 1.0.0 of their WSO2 Web Services Framework for PHP, or WSO2 WSF/PHP in short. I've worked with some of the beta versions and really liked them.

The framework comes in form of a PHP extension and is available both as source code and as a binary distribution. Additional information exists in form of a manual, an installation guide, and of course release notes. Here are some of the key features:

Client API (consuming web services)
Server API (providing web services)
MTOM attachments
WS-Adressing
WS-Security
WS-Reliable Messaging
WSDL generation and consumption
Transparent SOAP and REST support

Also, WSF/PHP is backward-compatible with PHP5-SOAP, although this feature is still marked as experimental.

As usual, hosters will be rather hesitant to install a third-party extension for their customers, so not everybody will be able to use this extension. But if you need some of the aforementioned features and would like to reduce the hassle involved in implementing the various standards, you should definitely try out this framework.

phpa-norl, a phpa port for Mac OS X and Windows

nospam@example.com (Christian) — Mon, 09 Jul 2007 10:34:23 +0200

phpa is an interactive command line shell for PHP by David Phillips. Stefan Fischerländer, usually known as a SEO expert and Perl admirer, has patched phpa for Mac OS X and Windows (the default builds theredo not seem to support a feature required by phpa). The result: phpa-norl. Stefan successfully ran this on OS X, and I could confirm that it runs on Windows, as well:

phpa and phpa-norl come with a convenient history feature. Using it is simple: type PHP code as you go, with the following special features:

If a line ends with #, phpa/phpa-norl assumes that there is more to come
The command h gives you access to the command history, cursor keys let you navigate through it
The command q quits the application (though something like die(); also works)

SANS Top-20 Internet Security Attack Targets (2006 Annual Update)

nospam@example.com (Christian) — Mon, 27 Nov 2006 09:09:11 +0100

Two weeks ago, the SANS Institute has released its annual Top 20 Internet Security Attack Targets list. Of course you can debate how such a Top list came together and what the real value behind that is, but there are two specific points in this year's list that I found quite interesting.
First of all, there is a new entry: Users (H2). This shows that phishing, social engineering and related attacks are getting more and more prevalent. User education is therefore more important than ever.
Second, PHP is specifically mentioned a couple of times (one wonders why). In entry C2 of the SANS Top 20 (Web Applications), the institute gives some very specific advice:

From the PHP system administration and hosting perspective:

Always test and deploy patches and new versions of PHP as they are released
Frequent web scanning is recommended in environments where a large number of PHP applications are in use
Consider using the following PHP configuration:
register_globals (should be off, will break insecure apps)
allow_url_fopen (should be off, will break apps that rely on this feature, but protect against a very active exploit vector)
magic_quotes_gpc (should be off, will break older insecure apps)
open_basedir (should be enabled and correctly configured)
Consider using least privilege execution features like PHPsuexec or suPHP
Consider using Suhosin to control the execution environment of PHP scripts
Use Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. Consider using Apache's mod_security to block known PHP attacks
As a last resort, consider banning applications which have a track record of active exploitation, and slow response times to fix known security issues.

From the developer perspective:

If you use PHP, migrate your application to PHP 5.2 as a matter of urgency.
To avoid the coding issues above:
Develop with the latest PHP release and a hardened configuration (see above)
Validate all input appropriately
Encode all output using htmlentities() or a similar mechanism to avoid XSS attacks
Migrate your data layer to PDO - do not use the old style mysql_*() functions as they are known faulty
Do not use user-supplied input with file functions to avoid remote file inclusion attacks

You could argue whether the PDO migration is superior to using, say, prepared statements (and why no other databases are mentioned). You could also argue why there is such an emphasis on PHP and that all advice is somehow well-known. But fact of the matter is, there are still so many PHP installations and PHP developers that do not follow these guidelines, as for instance Damien's survey shows. In my opinion, there is only one possible solution: Continue to talk with developers, continue to talk with hosting providers.

PHP on IIS7 (Vista) RC1

nospam@example.com (Christian) — Fri, 22 Sep 2006 03:18:02 +0200

Just a quick pointer for those of you who are currently testing the RC1 of Windows Vista: Installing PHP on IIS7 there now works just as easy as it was on older versions of IIS. Read this blog entry by Bill Staples to see how. Basically, just add a mapping to the PHP ISAPI DLL or PHP CGI executable for the .php file extension and you are done.

php|works/db|works 2006

nospam@example.com (Christian) — Fri, 22 Sep 2006 03:14:41 +0200

My schedule was crammed right after php|works 2006, so I could not find an earlier possibility to blog. Anyway, the extended entry contains my short report on php|arch's second conference this year.

Continue reading "php|works/db|works 2006"

ApacheCon 2006 Asia

nospam@example.com (Christian) — Sat, 02 Sep 2006 17:41:37 +0200

Better late than never! Here is finally my brief report from ApacheCon 2006 Asia which was held in Colombo, the capital of Sri Lanka. I was actually the only PHP guy among the speakers, but think that I represented the language well, despite the huge number of Java people. Read on for the full report.

Continue reading "ApacheCon 2006 Asia"

From Mambo and phpShop to Joomla! and VirtueMart

nospam@example.com (Tobias) — Fri, 11 Aug 2006 13:23:47 +0200

Today I had a "nice" experience with an update from Mambo and phpShop to Joomla! and VirtueMart. Our customer imports his products into the shop, using automatically generated CSV from his database. Well actually, he did import: after the update he had a mysterious problem: the products had wrong names, wrong categories and so on. I checked the field configuration in VirtueMart, everything was like before. Then I went to the class ps_csv. After some time, I found the problem: they just cut one CSV value out of the $data array, because it is not used anymore and has created some export problems (so they say). That means all entries after with the index 14 or higher are in the wrong position. There are two fixes: the ugly one is commenting out the lines in ps_csv (arround line 120), the nicer one is to fix the CSV export. So if you are doing a similar update, be aware of this annoying change!