iBlog - Ilia Alshanetsky

Here be dragons.

Home Who am I? Projects Talks Publications Pictures

Guide to PHP Security

Quicksearch

Calendar

Back September '10
Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30    

Comments

Mark van der Velden about Beware of the default Apache 2 config for PHP
Wed, 01.09.2010 02:15
Interesting behavior, I've tri ed it with several extension b ack then and it only worked on bogus file extensions. [...]
Ilia Alshanetsky about Beware of the default Apache 2 config for PHP
Tue, 31.08.2010 15:17
Actually with .txt the PHP cod e gets executed, one of the re asons I found the problem out since the test server ha [...]
James Baugh about PHP Excel Extension 0.8.6
Tue, 31.08.2010 13:03
I re-compiled (I did change my PHP version and compiled with --enable-debug) and the probl em went away. Not sure w [...]
Henning Kockerbeck about Beware of the default Apache 2 config for PHP
Tue, 31.08.2010 06:24
Sorry, looks like the filter o n this blog doesn't like Apach e directives with brackets tha t look like HTML tags ;-) [...]
Henning Kockerbeck about Beware of the default Apache 2 config for PHP
Tue, 31.08.2010 06:21
Ubuntu (at least the current 1 0.04 LTS) uses a variant which in my opinion is a better sol ution than switching fro [...]
Mark van der Velden about Beware of the default Apache 2 config for PHP
Tue, 31.08.2010 05:36
This is not entirely correct, it depends on the bogus extens ion. If you append .txt to a P HP file, .txt get's prec [...]
AllenJB about Beware of the default Apache 2 config for PHP
Tue, 31.08.2010 02:29
See: - http://httpd.apache.or g/docs/2.2/mod/mod_mime.html#a ddhandler - http://httpd.apac he.org/docs/2.2/mod/mod_ [...]
Gustavo Lopes about Beware of the default Apache 2 config for PHP
Mon, 30.08.2010 23:32
I mean let's say you have name d test.php. You use MultiViews and URLs without extensions, relying on content negot [...]
Ilia Alshanetsky about PHP Excel Extension 0.8.6
Mon, 30.08.2010 21:56
Can try to compile php with -- enable-debug and see if the er ror happens still? I've tr ied a few times with dif [...]
Ilia Alshanetsky about Beware of the default Apache 2 config for PHP
Mon, 30.08.2010 21:40
Well, it is not about wrong or right, If you want a.php.txt to be treated as a PHP script then, by all means use A [...]

Monday, August 30. 2010

Beware of the default Apache 2 ... Posted by Ilia Alshanetsky in PHP at 14:52

Comments (11)
Trackbacks (0)

Beware of the default Apache 2 config for PHP

About a week ago, I was doing some upgrades on my development machine and came across a rather nasty issue when it comes to how .php(s) files are associated with PHP in Apache. It seems that a number of distros including Gentoo (which is what I was using) are using the following configuration directive to make the PHP module parse PHP files:

<IfModule mod_mime.c>
AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php-source .phps
</IfModule>


The non-obvious problem with the above is that it will allow not only "file.php" to be treated as PHP scripts, but also "file.php.txt", which means that any file containing ".php" in its name, no matter where in the filename, would be treated as a PHP script. This of course creates a rather nasty security hole, since many upload file validation tools, only check the final extension. Consequently allowing the user to by-pass the validation, by simply prefixing another "harmless" extension like .txt, .pdf, etc... to the filename, but still get the code to execute.

To mitigate this problem you should instead use the following configuration, that would only pick-up of files ending with a .php extension.


<IfModule mod_mime.c>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>


The difference between the two configurations being that the original uses AddHandler (bad) and the latter uses AddType (good).
Twitter Bookmark Beware of the default Apache 2 config for PHP at del.icio.us Facebook Google Bookmarks FriendFeed Digg Beware of the default Apache 2 config for PHP Bloglines Beware of the default Apache 2 config for PHP Technorati Beware of the default Apache 2 config for PHP Bookmark Beware of the default Apache 2 config for PHP at YahooMyWeb Bookmark Beware of the default Apache 2 config for PHP at reddit.com Bookmark Beware of the default Apache 2 config for PHP at Simpy.com Bookmark Beware of the default Apache 2 config for PHP at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Friday, August 27. 2010

PHP Excel Extension 0.8.6 Posted by Ilia Alshanetsky in PHP at 07:56

Comments (7)
Trackbacks (0)

PHP Excel Extension 0.8.6

PHP Excel Extension 0.8.6

The 0.8.6 version of the Excel extension was released and is now available for download. This version was updated to contain LibXL 3.0 support which introduces Excel 2007/2010 read/write support, which means that this extension can now read and generate any Excel file. Support for XSLX (2007/2010) format can be enabled by passing "true" as the 3rd parameter to the ExcelBook() construtor.

GitHub: http://github.com/iliaal/php_excel/
Source: http://github.com/downloads/iliaal/php_excel/php-excel-0.8.6.tar.bz2
Twitter Bookmark PHP Excel Extension 0.8.6 at del.icio.us Facebook Google Bookmarks FriendFeed Digg PHP Excel Extension 0.8.6 Bloglines PHP Excel Extension 0.8.6 Technorati PHP Excel Extension 0.8.6 Bookmark PHP Excel Extension 0.8.6 at YahooMyWeb Bookmark PHP Excel Extension 0.8.6 at reddit.com Bookmark PHP Excel Extension 0.8.6 at Simpy.com Bookmark PHP Excel Extension 0.8.6 at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Wednesday, August 11. 2010

PHP Excel Extension 0.8.5 Posted by Ilia Alshanetsky in PHP at 15:27

Comments (13)
Trackbacks (0)

PHP Excel Extension 0.8.5

The 0.8.5 version of the Excel extension was released and is now available for download, it contains a number of small build fixes, which makes it possible to compile it against all versions of PHP (5.2,5.3,trunk). The Win32 compilation was also fixed and thanks to Kalle, PHP 5.3 win32 binaries are now available for download as well.

GitHub: http://github.com/iliaal/php_excel/
Source: http://github.com/downloads/iliaal/php_excel/php-excel-0.8.5.tar.bz2
Win32 Binaries: http://github.com/downloads/iliaal/php_excel/php-excel-5.3.zip
Twitter Bookmark PHP Excel Extension 0.8.5 at del.icio.us Facebook Google Bookmarks FriendFeed Digg PHP Excel Extension 0.8.5 Bloglines PHP Excel Extension 0.8.5 Technorati PHP Excel Extension 0.8.5 Bookmark PHP Excel Extension 0.8.5 at YahooMyWeb Bookmark PHP Excel Extension 0.8.5 at reddit.com Bookmark PHP Excel Extension 0.8.5 at Simpy.com Bookmark PHP Excel Extension 0.8.5 at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Sunday, August 1. 2010

PHP Excel Extension Posted by Ilia Alshanetsky in PHP at 14:06

Comments (12)
Trackbacks (0)

PHP Excel Extension

Since I broke my right hand 3 weeks ago while biking, I found myself with a lot of spare time :/. It is amazing just how limited your ability to do things becomes when you can only use one hand. So, to stave off the boredom, I've been slowly toiling away on a PHP Excel extension that I intend to use at work, which I've finally gotten ready for release today.
You can find it on github at: http://github.com/iliaal/php_excel.
Continue reading "PHP Excel Extension"
Twitter Bookmark PHP Excel Extension at del.icio.us Facebook Google Bookmarks FriendFeed Digg PHP Excel Extension Bloglines PHP Excel Extension Technorati PHP Excel Extension Bookmark PHP Excel Extension at YahooMyWeb Bookmark PHP Excel Extension at reddit.com Bookmark PHP Excel Extension at Simpy.com Bookmark PHP Excel Extension at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Monday, June 21. 2010

Google Docs Backup Script Posted by Ilia Alshanetsky in PHP at 11:19

Comments (4)
Trackbacks (0)

Google Docs Backup Script

We are starting to use Google Docs quite a bit more at work and unsurprisingly the question of backup and offline availability comes into play. As part of the backup strategy we also wanted to capture incremental versions of the documents (on a daily basis) in the event we needed to go back to the prior versions.

To this affect I whipped up a small (120 lines) PHP script that will retrieve all your Google documents and save them to a local directory, in the event the document was created/updated in the last 24 hours, thus ensuring snapshot support. Each file name is prefixed with Ymd (Year,month,day) prefix to ensure name uniqueness and provides an easy way to spot similar files or files that were created/updated on the same day. The script has just two dependancies, cURL and Simplexml extensions, which most PHP 5.0+ installs should have.

I am publish the script for anyone with similar needs to use/improve under the BSD license...

Enjoy.

Update

I've made a few improvements to the script, some of which have been suggested by Philip (thanks), and since this looks to be an envolving project I've put it into GitHub.

Git Repository: http://github.com/iliaal/Google-Docs-Backup

Here are the list of changes: Continue reading "Google Docs Backup Script"
Twitter Bookmark Google Docs Backup Script at del.icio.us Facebook Google Bookmarks FriendFeed Digg Google Docs Backup Script Bloglines Google Docs Backup Script Technorati Google Docs Backup Script Bookmark Google Docs Backup Script at YahooMyWeb Bookmark Google Docs Backup Script at reddit.com Bookmark Google Docs Backup Script at Simpy.com Bookmark Google Docs Backup Script at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Saturday, June 12. 2010

APC & Memcache the High ... Posted by Ilia Alshanetsky in PHP, Talks at 07:18

Comments (0)
Trackbacks (0)

APC & Memcache the High Performance Duo Slides

My slides from the APC & Memcache the High Performance Duo talk at Dutch PHP Conference are now up and can be downloaded from here.

Thanks everyone for listening.

Twitter Bookmark APC &amp; Memcache the High Performance Duo Slides at del.icio.us Facebook Google Bookmarks FriendFeed Digg APC &amp; Memcache the High Performance Duo Slides Bloglines APC &amp; Memcache the High Performance Duo Slides Technorati APC &amp; Memcache the High Performance Duo Slides Bookmark APC &amp; Memcache the High Performance Duo Slides at YahooMyWeb Bookmark APC &amp; Memcache the High Performance Duo Slides at reddit.com Bookmark APC &amp; Memcache the High Performance Duo Slides at Simpy.com Bookmark APC &amp; Memcache the High Performance Duo Slides at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Saturday, June 12. 2010

APC & Memcache the High ... Posted by Ilia Alshanetsky in PHP, Talks at 07:18

Comments (2)
Trackbacks (0)

APC & Memcache the High Performance Duo Slides

My slides from the APC & Memcache the High Performance Duo talk at Dutch PHP Conference are now up and can be downloaded from here.

Thanks everyone for listening.

Twitter Bookmark APC &amp; Memcache the High Performance Duo Slides at del.icio.us Facebook Google Bookmarks FriendFeed Digg APC &amp; Memcache the High Performance Duo Slides Bloglines APC &amp; Memcache the High Performance Duo Slides Technorati APC &amp; Memcache the High Performance Duo Slides Bookmark APC &amp; Memcache the High Performance Duo Slides at YahooMyWeb Bookmark APC &amp; Memcache the High Performance Duo Slides at reddit.com Bookmark APC &amp; Memcache the High Performance Duo Slides at Simpy.com Bookmark APC &amp; Memcache the High Performance Duo Slides at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Friday, June 11. 2010

Optimization Mistakes Slides (Dutch ... Posted by Ilia Alshanetsky in PHP, Talks at 06:00

Comments (0)
Trackbacks (0)

Optimization Mistakes Slides (Dutch PHP Conference)

My slides for the "Common Optimization Mistakes" at the Dutch PHP Conference are now available here.

Thanks everyone for listening, I wish there was a little bit more time to allow for questions...
Twitter Bookmark Optimization Mistakes Slides (Dutch PHP Conference) at del.icio.us Facebook Google Bookmarks FriendFeed Digg Optimization Mistakes Slides (Dutch PHP Conference) Bloglines Optimization Mistakes Slides (Dutch PHP Conference) Technorati Optimization Mistakes Slides (Dutch PHP Conference) Bookmark Optimization Mistakes Slides (Dutch PHP Conference) at YahooMyWeb Bookmark Optimization Mistakes Slides (Dutch PHP Conference) at reddit.com Bookmark Optimization Mistakes Slides (Dutch PHP Conference) at Simpy.com Bookmark Optimization Mistakes Slides (Dutch PHP Conference) at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Thursday, May 20. 2010

Scalar Type Hints are Here! Posted by Ilia Alshanetsky in PHP at 16:15

Comments (15)
Trackback (1)

Scalar Type Hints are Here!

About an hour ago, something I've been fighting for almost 2 years happened. The Scalar Type Hinting patch for PHP (the one I wrote almost a year ago) has been adjusted for PHP's trunk tree and committed by Derick.

Thanks to Derick for taking the time (when I didn't) to prep the patch for trunk and make this happen ;-)
Twitter Bookmark Scalar Type Hints are Here! at del.icio.us Facebook Google Bookmarks FriendFeed Digg Scalar Type Hints are Here! Bloglines Scalar Type Hints are Here! Technorati Scalar Type Hints are Here! Bookmark Scalar Type Hints are Here! at YahooMyWeb Bookmark Scalar Type Hints are Here! at reddit.com Bookmark Scalar Type Hints are Here! at Simpy.com Bookmark Scalar Type Hints are Here! at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Monday, May 17. 2010

DevConf Slides Posted by Ilia Alshanetsky in PHP, Talks at 04:35

Comments (2)
Trackbacks (0)

DevConf Slides

The slides from my talk at DevConf in Moscow are now up and can be downloaded here.

Probably the biggest, or at the very minimum the 2nd biggest audience I've had a PHP Conference and the first time I had to give a PHP talk in Russian (with occasional slippage into English ;-p).

Seemed to go pretty well.
Twitter Bookmark DevConf Slides at del.icio.us Facebook Google Bookmarks FriendFeed Digg DevConf Slides Bloglines DevConf Slides Technorati DevConf Slides Bookmark DevConf Slides at YahooMyWeb Bookmark DevConf Slides at reddit.com Bookmark DevConf Slides at Simpy.com Bookmark DevConf Slides at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Thursday, March 11. 2010

ConFoo PHP 5.3 == Awesome! Slides Posted by Ilia Alshanetsky in PHP, Talks at 09:06

Comments (6)
Trackbacks (0)

ConFoo PHP 5.3 == Awesome! Slides

Finally managed to upload my slides from my ConFoo PHP 5.3 == Awesome! talk.
Slides

Thanks for all the attendees, especially those who asked questions ;-)
Twitter Bookmark ConFoo PHP 5.3 == Awesome! Slides at del.icio.us Facebook Google Bookmarks FriendFeed Digg ConFoo PHP 5.3 == Awesome! Slides Bloglines ConFoo PHP 5.3 == Awesome! Slides Technorati ConFoo PHP 5.3 == Awesome! Slides Bookmark ConFoo PHP 5.3 == Awesome! Slides at YahooMyWeb Bookmark ConFoo PHP 5.3 == Awesome! Slides at reddit.com Bookmark ConFoo PHP 5.3 == Awesome! Slides at Simpy.com Bookmark ConFoo PHP 5.3 == Awesome! Slides at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Tuesday, February 2. 2010

My Thoughts on HipHop Posted by Ilia Alshanetsky in PHP at 16:47

Comments (17)
Trackbacks (2)

My Thoughts on HipHop

To paraphrase Marco Tabini if you work with PHP you must be doing so in a pretty deep cave to have not heard of HipHop for PHP and the fervor around it the prior to its official announcement this morning by Facebook.

I had a fortune to be part of the small group of PHP community people who were invited to take a peak at its technology prior to its official release in January. And I must admit it had been quite amusing to read some of the conjectures people were making about what it actually, given how off the mark most of their guesses were.

So what is HipHop?

In the tersest of terms HipHop is a tool that converts PHP code into C++ code that when combined with a PHP compatible engine and extensions (ports of some native PHP extensions Facebook uses) library also written in C++ can be compiled using GCC into a binary. This binary can then be ran on a command line or as a web server daemon that utilizes libevent. According to Facebook this can speed up applications by up to 50%, which is a pretty impressive improvement.

It is not entirely surprising that world's largest PHP deployment, such as Facebook would look at solution that would allow them to halve their not inconsiderable count of servers or double capacity. Releasing this solution as Open Source is I think a great idea, and big kudos to Facebook for doing so.

From a technical perspective the PHP optimization approach of converting PHP into a compiled language is not a completely new one, Roadsend compiler, a commercial product has been around for a few years now and has been doing that with some degree of success. That said it is not a trivial task and from an engineering perspective presents a fairly tricky development challenge, especially when you want to allow regular, off-the-self scripts to work. Perhaps more importantly, HipHop not a theoretical solution, "for you to test", it actually works, with most of the Facebook's servers running it and doing it well, on millions of lines of converted PHP code on daily basis, very impressive.

At this point you are probably thinking, that if it is so great and it works, I'll deploy it on my servers as soon as I can get my hands on the source code. Well, unfortunately things are not quite so simple, there are few technical and deployment challenges you need to overcome. Continue reading "My Thoughts on HipHop "
Twitter Bookmark My Thoughts on HipHop at del.icio.us Facebook Google Bookmarks FriendFeed Digg My Thoughts on HipHop Bloglines My Thoughts on HipHop Technorati My Thoughts on HipHop Bookmark My Thoughts on HipHop at YahooMyWeb Bookmark My Thoughts on HipHop at reddit.com Bookmark My Thoughts on HipHop at Simpy.com Bookmark My Thoughts on HipHop at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Tuesday, January 26. 2010

Speaking at Confoo Posted by Ilia Alshanetsky in PHP at 08:16

Comments (0)
Trackbacks (0)

Speaking at Confoo

I will be speaking again this year at PHP Quebec conference, which has now been renamed to Confoo and covers many more topics then just PHP, which should make things even more interesting. With over 100 talks things looks to be an amazing conference, my own talk with cover PHP 5.3 awesomeness ;-)
Twitter Bookmark Speaking at Confoo at del.icio.us Facebook Google Bookmarks FriendFeed Digg Speaking at Confoo Bloglines Speaking at Confoo Technorati Speaking at Confoo Bookmark Speaking at Confoo at YahooMyWeb Bookmark Speaking at Confoo at reddit.com Bookmark Speaking at Confoo at Simpy.com Bookmark Speaking at Confoo at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Thursday, November 19. 2009

Igbinary, The great serializer Posted by Ilia Alshanetsky in PHP at 11:05

Comments (12)
Trackback (1)

Igbinary, The great serializer

If you are using PHP, chances are that at some point you needed to serialize PHP data, whether it was transparently done for you inside the PHP's session handler or directly so that complex PHP data types (objects & arrays) could be stored in DB or files, most people have done this.

The default way of doing it is via a native PHP serializer, which creates a clear-text version of the data, which if you are serializing a fair bit of information ends up being rather verbose (read: BIG). This means that you end up having to store more data in memory, read more data from disk, etc... all of which slow down your application. As I was reading docs on Andrei's new memcache extension (memcached) I came across a binary serialization extension called Igbinary written by Sulake Dynamoid Oy. This extension promised much more optimal serialization routines by using binary, rather then a clear text format. Sounded, good so I decided to run a few benchmarks on it.
Continue reading "Igbinary, The great serializer"
Twitter Bookmark Igbinary, The great serializer at del.icio.us Facebook Google Bookmarks FriendFeed Digg Igbinary, The great serializer Bloglines Igbinary, The great serializer Technorati Igbinary, The great serializer Bookmark Igbinary, The great serializer at YahooMyWeb Bookmark Igbinary, The great serializer at reddit.com Bookmark Igbinary, The great serializer at Simpy.com Bookmark Igbinary, The great serializer at blogmarks Stumble It! Print this article! E-mail this story to a friend!

Wednesday, October 21. 2009

APC & Memcache the High ... Posted by Ilia Alshanetsky in PHP, Talks at 17:03

Comments (3)
Trackbacks (0)

APC & Memcache the High Performance Duo Slides

My slides from the "APC & Memcache the High Performance Duo" talk are now online and can be found here.

In the slide I mentioned that memcache is available of *NIX only, which thanks to at least two attendees I know to be incorrect. It appears that there is a working (albeit old, circa 2006) memcache win32 version, which you can find here:
http://jehiah.cz/projects/memcached-win32/

Once you install it, you'd need to compile memcache PHP extension on win32 and then you should be set.
Twitter Bookmark APC &amp; Memcache the High Performance Duo Slides at del.icio.us Facebook Google Bookmarks FriendFeed Digg APC &amp; Memcache the High Performance Duo Slides Bloglines APC &amp; Memcache the High Performance Duo Slides Technorati APC &amp; Memcache the High Performance Duo Slides Bookmark APC &amp; Memcache the High Performance Duo Slides at YahooMyWeb Bookmark APC &amp; Memcache the High Performance Duo Slides at reddit.com Bookmark APC &amp; Memcache the High Performance Duo Slides at Simpy.com Bookmark APC &amp; Memcache the High Performance Duo Slides at blogmarks Stumble It! Print this article! E-mail this story to a friend!
« previous page   (Page 1 of 15, totaling 215 entries)   next page »

My Flickr Stream

20091010-20091010-IMG_3164 20091010-20091010-IMG_3154 20091010-20091010-IMG_3149 20091010-20091010-IMG_3148 Nika 20091010-20091010-20091010-IMG_3188_tonemapped 20091010-20091010-IMG_3183 20091010-20091010-20091010-IMG_3171_tonemapped 20091010-20091010-IMG_3139_tonemapped 20091012-20091012-IMG_3236

Archives

Categories



All categories

Syndicate This Blog

Blog Administration

Open login screen

Twitter