|
Monday, September 19. 2005Big PDO Change
Today I've had the distinct pleasure of breaking nearly every single PDO based script in existence (my own code included), feels good
 . The break is the result of something that we, the PDO developers forgot to do. This being making PDO constants be class constants rather the polluting the main constant space. After much discussion on the topic at PHP|Works we've decided we need to fix this before it is too late (5.1 final release). So a bit of a pain at this time, should provide for a more robust and flexible interface. What does this mean in terms of your code? Well whenever you've used a PDO constant for example PDO_FETCH_NUM you'd now use PDO class constant PDO::FETCH_NUM. To simplify the conversion I offer the following Perl scriptlet: perl -p -i -e 's/PDO_/PDO::/g' [list of files] Friday, September 16. 2005PHP|Works Webservices Slides
For all who are intrested here are the slides from my webservices talk, as usual they are available in PDF and Powerpoint form.
Enjoy Thursday, September 15. 2005PHP|Works Performance Talk Slides
The slides from PHP|Works performance talk are now up, they are available in either PDF or PowerPoint form.
Thursday, September 15. 2005PHP Security Slides Online
Slides for the PHP Security talk at PHP|Works are now up. You can download them in either PowerPoint or PDF form.
More to come shortly
Wednesday, September 14. 2005lchash 0.9.1 released
lchash is a little PHP extension that you can find at http://pecl.php.net/package/lchash which provides means of accessing and using native hash tables found in libC. The interface is really simple involving just 4 functions:
lchash_create() - initialize a new hash table lchash_destroy() - destroy a hash table lchash_insert() - insert key/value pair into the hash lchash_find() - retrieve a values based on key By using this mechanism you can create a very fast and effecient memory-based data store for a script's duration. Tuesday, September 6. 2005PHP Guide to Security is out!
About five months ago, during yet another flood of phpBB2 exploits Marco Tabini approached me with an idea of writing a security book for PHP. The idea was to provide a guide for people who want to make their applications safer as well as help them understand the possible consequences of various exploits. I thought the idea was quite appealing, a feeling a bit confident after a fairly extensive article authorship decided to take up the task.
And so, for the next several months I was focused on effectively doing a brain dump of my knowledge on security. The process was extremely educational, since to explain any concept a far greater knowledge then the one needed to simply apply a fix is required, plus writing a book as I have learned is just “a tad” more complex then an article. But with the help of Marco, my technical reviewer and Martin Streicher who has done a tremendous job at cleaning up my ranting, I think we've got an excellent PHP security resource. The book itself is 201 pages, a bit longer then anticipated, but gave me the opportunity to cover each topic in a fair amount of detail. Table of Contents
The goal of the book is to introduce each type of vulnerability and to explain in greatest amount of detail possible what can lead to it and what are the possible consequences. In my opinion before solving any problem you should have a full understanding of it, so that the fix ends up addressing the cause and not the symptoms. As far as consequences go, it is imperative to know why a problem needs to be fixed and not allowed to linger. If you’ve ever came across a situation where someone dismissed cross site scripting (XSS) or other security problem as a non-issue, this book will serve as an excellent resource in demonstrating how even the most "trivial" exploits can be abused to great effect. Not to leave you handing so to speak, the book also spends a fair amount of time talking about possible solutions to each problem and provides deployable solutions for each one. In addition to talking about specific security issues, it is my sincere hope that it will encourage developers to think about security when designing and auditing their applications and ultimately lead to a better and a far more secure code. At the present time the book is available via phparch.com website in both paper and electronic forms, and will shortly (within 1-2 weeks) appear on Amazon and Barnes & Noble, ISBN: 0-9738621-0-6. I should mention that the 1st 300 copies sold will be signed, so if you want my doodling  on your copy, hurry up and buy it.
Tuesday, August 23. 2005Monday, August 22. 2005MD5 Dictionary Attacks
While on my daily news crawl, I came across a site (http://gdataonline.com/seekhash.php) offering a free and very quick service designed to decode md5 hashes. The principal used here is a dictionary attack; the operators of the site build a reasonably large, 12 million & counting, database of hashes and their corresponding values. All you need to do is specify a hash and if they got it in their database in less a then a second you get to see its corresponding value. While compromising weak hashes via dictionary attacks was never that hard, it did require wasting some time and processing power in application such as John the Ripper (http://www.openwall.com/john/) trying to find the equivalent value. Now, you can do it quite effectively (I’ve tried) via this online tool in fractions of a second.
Given that many PHP applications (my own included) store passwords as hashes rather the clear-text, it now raises the needed to encourage users to be a bit more creative with their password strings. Use of high-ASCII characters, liberal use punctuation characters and a like are easy but affective tools at defeating dictionary attacks, which are based on a relatively limited data range. After all md5 is 2128, no one is going to offer the entire range of hashes, not to the general public anyhow P.S. The hashing site is written in PHP
Saturday, August 20. 2005Tuesday, August 16. 2005Saturday, August 13. 2005Record Gas Prices
About a year ago when gas prices in Canada have started to rise rapidly my friend and I were trying to guess when they will exceed the $1 per liter mark. After some discussion we've mostly agreed it would not happen till 2006 at the earliest. Alas our predictions were proven false, as the picture below shows today, August 13, 2005 the $1 mark has been surpassed.
 Given that $1 for a liter is a physiological marker for many people, it would be interesting to see what impact it would have on the quantity and type of cars seen on the road. Perhaps it would finally reduce the need for city dwellers to purchase giant fuel guzzling SUVs and similar type vehicles, but only time will tell. One thing's certain however, fuelling up your car will be much more of a hit on your wallet, just a month ago I could relatively easily fuel up for mere “0.80” cents a liter. A 20% increase in such a short time is highly noticeable and most unwelcome. **NOTE** For those of you who don't use the metric system or don't know latest conversion from US to funny money (Canadian Dollars) here are some stats. 1 liter = 0.264172051 gallon 1 USD = 1.1971 CAN Wednesday, August 10. 2005Performance Article
My article on performance has just been published in Oracle Technology Network, you can read it at: http://www.oracle.com/technology/pub/articles/deployphp/alshanetsky_deployphp.html
The article has some Oracle and Oracle httpd (variant of Apache) specific optimization, however for the most part it can be applied to virtually any PHP installation. To those interested in improving the speed of their PHP application it should (I hope) prove to be an interesting read. Thursday, August 4. 2005OSCON 2005
Finally got a semi-stable internet connection, a pretty amazing thing during a convention of this size. So, while George is serenading the audience with the wonders of DBXML, I get to do a bit of blogging
. The conference so far is a great deal of fun, had a chance to meet with many developers from other non-PHP projects, which is quite neat as most conferences I have a chance to attend to be PHP specific. The brief talk on performance I gave yesterday went rather well, with probably one of the largest audiences I've had at a conference and seemed to have gone rather well. The slides, to those interested are now available online (just click "talks" link at the top of the page and scroll down). While for me OSCON is almost over :-(, I got an early flight back to Toronto tomorrow the next two conferences are already in the works. I will be speaking at php|works Conference in Toronto around mid-September and I will be giving quite a few talks at International PHP Conference in Frankfurt in early November. Wednesday, July 27. 2005IE -> Mozilla Code Migration
Came across a rather interesting article by IBM on how to convert IE specific web apps to work with Mozilla. Aside from the obvious, by listing the different approaches each browser adopts it serves as an excellent resource for making a web app cross-browser complaint. I hope they will update article with the other two commonly (relatively) used browsers, Konqueror/Safari (KTHML Engine) and Opera.
Monday, July 25. 2005cURL and parse_url() tweaks
With the release of PHP 5.1.0b3 the dev tree has been closed for new features, allowing only bug fixes to facilitate the stabilization of the code for the upcoming (don't ask me when) 5.1.0 stable. This however created a unfortunate situation where PHP does not have a development tree for feature enchantments, so any improvements remain lingering on developer's boxes until development tree is once again available...
In the past few weeks I've been doing some work, which involved using parse_url() and cURL extension quite a bit and in the process came up with few improvements. parse_url() tweak [ patch ] This patch adds a 2nd optional parameter to parse_url() which allows the function to return a particular URL component rather then an array. Ex: PHP: cURL improvements [ patch ] The patch does two things; first of all it allows the user to retrieve the request sent by cURL to the server. I found this to be very handy and necessary when trying to analyze the full content of the client to server communication. PHP: The second part of the patch introduces the convenience function, curl_setopt_array() that allows setting of multiple configuration directives via a single PHP function call. The array of option is based on option name, numeric CURLINFO key and its value. PHP: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
