|
Friday, December 15. 2006PHP 5.2.1 RC1 Available for testing
The first release candidate of PHP 5.2.1 scheduled for late January is now available for download. The tarballs can be found here:
php-5.2.1RC1.tar.bz2 (md5sum: cc6024531e3d4058e32cf740e2fe535f) php-5.2.1RC1.tar.gz (md5sum: bafcdff32bcaa564f65293c1c42d117e) For win32 users binaries are available courtesy of Edin php-5.2.1RC1-Win32.zip (md5sum: 00d6833308931fa58581574b8d364e12) php-debug-pack-5.2.1RC1-Win32.zip (md5sum: ac86975945193455658d85921d835e60) This release is primarily aimed at improving the stability of the language and finalization of features introduced in 5.2.0. There are over 70 different bug fixes, a great deal of performance improvements for Windows users, corrections to the memory manager and the improvement in the filter functionality. I'd like to ask everyone to try this release out and let us know if you come across any issues and/or regressions. Wednesday, December 13. 2006mail() logging for PHP
One of the common problems faced by web hosting companies offering PHP is the abuse of the mail() function to send spam. This problem has became further exasperated lately due to use of automated tools that seek sites vulnerable to PHP code execution and use the security hole to inject mailer code that then proceeds to send tons of spam.
This of course causes a series problem for a web host such as increased server load, possibility of getting blacklisted and thus having all mail generated by the server rejected and even problems with an up-stream provider. One of the problems with solving the mail() abuse is figuring out who is doing it or perhaps what script was exploited to do it, since the mail() function does not offer any logging mechanism. The uid identifier is generally useless because when PHP is ran as an Apache modules all script share the web server's uid, which yet another reason to use FastCGI. To address this problem one my client's had asked me to write a mail() logging and tracking facility that can be used to quickly identify the offending scripts and was kind enough to permit me to share the code with with the community. The mailing logging patch, which you can download here, offers two features which can be controlled via INI settings for the entire PHP setup or on a per-virtual-host level. The first option, mail.add_x_header (boolean) allows you to enable the addition of the X-PHP-Originating-Script header to each mail sent by mail(), which will include the uid of the script and its name. The combination of the two should be sufficient to identify the user to whom the script belongs and via a simple find command locate the actual script. This option is intended primarily for instances where you have a bounced e-mail or a forwarded mail with a spam complaint, allowing you to quickly identify the offender. The second option, mail.log (takes a filename) allows you to enable logging of every single mail() call, each log line will include the fullpath of the file and the line where the mail() was called from in addition to the "To" address and any headers (to keep track of CC, BCC) that were part of the function call. To ensure that each log line is 1 line long, \r and \n are replaced with spaces. Wednesday, December 13. 20062007 PHP Conferences
It looks like my first two conferences for 2007 are finalized.
Things will start in March with the annual PHP Quebec conference where I'll be giving a tutorial on Securing PHP Applications and a session on Migration to PHP 5.2. The conference has an excellent selection of speakers, which includes Rasmus, Derick, Andrei, Marcus and many others and a slew of interesting topics. I'd definitely recommend attending it, especially to Canadians for whom this is probably going to be the closest conference this year. The next conference, PHP|Tek is about two month later in Chicago, organized by PHP|Architect, who are trying a new city every year  . I have a fairly full agenda, courtesy of Sean, with two tutorials and a session, so I fully expect to lose my voice after the first day. The tutorials will be on High Performance PHP & Securing PHP Applications and will be followed by a quick session on PHP Security Pitfalls two days later. A lot of great speakers during this conference as well, with Sara, Marcus, Derick, Chris, Wez and others making an appearance. While the location is not particularly exciting, it is easy to travel to and should simpler to convince the boss to go to then the previous PHP|Tek's outings. For US folk, it does not even require crossing the border, which if the rumors are to believed is a BIG motivator 
Monday, December 11. 2006Why are you not using PHP 5?
Damien has published the November stats for PHP usage and the year to date summary and a few interesting trends emerge.
It would seem that despite a 300% growth (from <4% to >12%) in PHP 5.X usage in 2006, it still only commands about 12% of the entire PHP user base. Majority of people still use PHP 4 and when it comes to upgrading (as you can see from a drop in <4.3 usage and the rise if 4.4 usage) upgrade to latest 4 version. So, the question emerges, why are people not upgrading to PHP 5 and what can be done to help ease the migration? Some of the old complains about speed have already been addressed, and in our tests 5.2 shows to be faster then any prior version of PHP to date. There have also been an enormous amount of work done to make things stable, if you look at the open PHP 4 bugs, you'll note that most of them include notes indicating that the issue was resolved in PHP 5. The migration pains are also nearly non-exists as you can see from this talk, vast majority of PHP 4 code will work without changes on PHP 5. As a 5.X release master, I am very interested in hearing what's holding back 5.X adoption and what can we, as the developers do in 2007 to help speed of 5.X adoption. Friday, December 1. 2006IE6 and IE7 Testing Simplified
With the release of IE7 many web developers were faced with a need to test their applications on the different versions of IE, but had no means to do so since only one IE can run on Windows. Now there were different hacks available around it, but in most instances you ended up using portion of IE7 libs for IE6 emulation and thereby not getting quite the same behavior.
Today on IE blog a much better solution was offered by Microsoft (kudos guys). Basically they've allowed Windows owners (after genuine advantage check, which now can be done via Firefox as well) to download WinXP SP2 image with IE6 and run via a free download of "Virtual PC 2004". This means you can safely upgrade you WinXP box to IE7 and run IE6 via an image, thus giving you 2 versions of IE on the same machine this minimum amount of hassle. |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
