Thursday, November 10. 2005
On my way home from the Frankfurt conference right now, according to the in-plane TV we are somewhere just south of Greenland at the moment. That's right, this blog entry is being written from an average altitude of 30,000 feet (9144 kilometers), go go Lufthansa that offers relatively cheap wifi ($30 USD) for the entire flight, COOL! That and the fact that they serve free alcohol in economy class makes this flight even more enjoyable.
I would like to thank the folks at Software & Support for inviting me to their conference, it is quite enjoyable, not to mention quite big, much larger than an average PHP con. I've yet again had the privilege to meet with many people with whom I've only conversed online and met good friends whom I have not seen since previous conferences.
To those of you who've attended my sessions, or missed them for some reason, the slides are finally up, wifi on a plane is MUCH better than wifi at the conference.
You can download them here:
PHP Security Talk: PDF PPT
PHP 5 OOP: PDF PPT
PHP & Performance: PDF PPT
Friday, October 28. 2005
While md5 is a fairly strong hashing algorithm, even with the best algorithm weak passwords based on dictionary words and/or their variants can be easily compromised. There are a few sites on the net that have built searchable databases of "weak" passwords, allowing quick strength checks of md5 hashes. But, each one of those databases has a different set of hashes and a different database size, making a "complete" search rather difficult. So, I've come up with a little aggregator script that gathers information from 5 different sources (tell me if you know of others) and offers the resolved data on a single page, thus giving you a fast response from a cumulative database.
The script can be downloaded from here, http://ilia.ws/uploads/hash.php.txt
It is released under BSD license, so anyone is free to use it.
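To show what such a weak-password lookup actually does on the inside, here is an added example (not the aggregator script linked above, and not code from any of the sites it queries). It builds a small table of unsalted md5 digests from a constructed wordlist plus a few common variants, then answers the same question the aggregator does: does this hash correspond to a known weak password? The wordlist and the variant rules are assumptions for illustration.

```python
import hashlib

# Constructed sample wordlist standing in for the "weak password" databases;
# a real check would load a large dictionary from disk.
WEAK_WORDS = ["password", "letmein", "qwerty", "monkey", "dragon"]


def md5_hex(text: str) -> str:
    """Unsalted md5 of a UTF-8 string, as the databases in the post store it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def variants(word: str):
    """Yield the word plus a few common variants (capitalisation, short suffixes).

    The suffix list is an assumption; real wordlists use far richer rules.
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!"):
            yield base + suffix


def build_weak_hash_table(words):
    """Map md5 hex digest -> plaintext for every word and every variant of it."""
    table = {}
    for word in words:
        for candidate in variants(word):
            table[md5_hex(candidate)] = candidate
    return table


WEAK_TABLE = build_weak_hash_table(WEAK_WORDS)


def lookup_weak_hash(md5_hash: str):
    """Return the plaintext if the hash matches a known weak password, else None."""
    return WEAK_TABLE.get(md5_hash.strip().lower())


def password_is_weak(password: str) -> bool:
    """Strength check usable at registration time: reject anything the table knows."""
    return lookup_weak_hash(md5_hex(password)) is not None


if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "->", "weak" if password_is_weak(candidate) else "not in table")
```

Two things worth taking from this: the lookup is instantaneous because every digest was computed ahead of time, which is exactly why a plain md5 of a dictionary word offers no protection, and the table only works at all because the hashes are unsalted. Storing a per-user random salt alongside the hash makes a precomputed table like this useless, since the attacker would need a separate table per salt.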
Friday, October 28. 2005
The fourth and final release candidate of PHP 5.1.0 is now available for testing. You can download the source packages from here:
http://downloads.php.net/ilia/php-5.1.0RC4.tar.bz2
4afd68f8e4fe532cea83f30bd2ff26f5
http://downloads.php.net/ilia/php-5.1.0RC4.tar.gz
679a0d12b8cb00c55d56621ea9609013
The Windows binaries will be available shortly from
http://downloads.php.net/ilia/ as well.
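The md5 sums listed next to the tarballs above are there so you can confirm that what you downloaded is what was uploaded. Here is an added example of doing that check (it is not part of the PHP release tooling); the mapping of file name to expected digest is just the two values from this post, and the command-line handling is an assumption.

```python
import hashlib
import hmac
import os
import sys

# Digests exactly as listed in the post, keyed by the tarball's file name.
EXPECTED_MD5 = {
    "php-5.1.0RC4.tar.bz2": "4afd68f8e4fe532cea83f30bd2ff26f5",
    "php-5.1.0RC4.tar.gz": "679a0d12b8cb00c55d56621ea9609013",
}


def md5_hex_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_hex_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large tarball is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_download(path: str, expected_hex: str) -> bool:
    return checksum_matches(md5_hex_of_file(path), expected_hex)


if __name__ == "__main__":
    # usage (assumed): python verify.py php-5.1.0RC4.tar.bz2 [more files...]
    for path in sys.argv[1:]:
        name = os.path.basename(path)
        expected = EXPECTED_MD5.get(name)
        if expected is None:
            print(f"{name}: no expected digest known")
            continue
        print(f"{name}: {'OK' if verify_download(path, expected) else 'MISMATCH'}")
```

Keep in mind what a checksum published on the same page as the download can and cannot tell you: it catches a truncated or corrupted transfer, but if someone could replace the tarball on the server they could replace the posted digest too, so it is an integrity check, not an authenticity check.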
In the past two weeks a great deal of effort was put in by a number of developers towards stabilization of the 5.1 branch, with over 20 bug fixes made during this period alone. Based on our own tests (those wacky phpt files) and those made by the QA team and related projects, 5.1 is ready for production. Pending discovery of any critical issues such as crashes, security faults and regressions, I intend to release 5.1 final no later than November 10th.
In the meantime I'd like to ask all PHP users to test their code against PHP 5.1 to ensure that no critical issues have been missed. Our own testing methodology, while quite extensive, does not cover all areas of the code and your help is needed to locate any not-yet-discovered defects. If you (I hope that you won't) do discover any issues please report them via http://bugs.php.net.
Thursday, October 27. 2005
After nearly 2 months of testing and development I am happy to announce the release of FUDforum 2.7.3, the new stable version. This is primarily a bug-fix release and all users, especially those of the 2.7 series, are encouraged to upgrade to it. The upgrade and installation scripts are available at the URLs listed below:
Install Script
Upgrade Script
As far as the changes go, this version is virtually identical to the prior release candidate. The one major addition was the integration of the Indonesian translation that now makes the forum available in a whopping 26 languages, 2 more than in the prior stable release. There were a few minor bug fixes as well, details of which can be found below.
Continue reading "FUDforum 2.7.3 Released"
Tuesday, October 18. 2005
I am in release mode this week, first PHP 5.1.0RC3, now FUDforum 2.7.3RC3. Number three seems to work well for me.
Since FUDforum's RC2 there have been a surprising number of small bug fixes, many of the important ones aimed at improving (*cough*fixing*cough*) the PostgreSQL support, which now appears to work quite well. So, to ensure that is indeed the case I've decided to make another release candidate.
The upgrade and installer scripts can be found at their usual locations, but here are the direct URLs to them anyway.
Upgrade Script
Installer Script
Continue reading "FUDforum 2.7.3RC3 Released"
Monday, October 17. 2005
Those of you monitoring the PHP development mailing list probably know that I've taken over from Andi as far as PHP 5.1 Release Management. Today I am happy to announce the second (yes, I know it's RC3) release candidate of PHP 5.1.0 is out and available for testing. You can grab the source snapshots from here: http://downloads.php.net/ilia/
If you have some spare time in the next week or two, please take a moment to try out 5.1.0 and see if it works with your code/programs. The majority of the test suite passes with this release, so the only remaining issues are those waiting to be discovered through "real-life" testing.
Friday, October 14. 2005
To all the people who carelessly claim that Cross Site Scripting (XSS) is not a real security problem, here is definitive proof that the threat is quite real. A very creative user of MySpace, Samy, created a little self-propagating worm via a stored XSS attack.
He was able to inject raw HTML into his profile by breaking the normally disallowed "javascript" into components, relying on IE to "combine" it back together. This code snippet then utilized XMLHTTPRequest, usually used for Ajax, to execute a request in the background that would cause the viewer to transparently add Samy (author of the trick) to their buddy list.
The "worm" component of the hack used the same code to insert the attack HTML sequence into the profiles of compromised users, allowing the hack to self-propagate.
The attack process and why it was possible is explained in a fair amount of detail here.
It should be noted that while Samy was careful not to cause any lasting damage, a more malicious person could have used the same code to do a whole lot more, like steal passwords of users and so on. Hopefully, this worm, which will surely get massive exposure in the coming days will prove effective where hundreds of security professionals were not, proving that XSS is a serious issue.
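The filter that failed here was looking for the literal word "javascript" and the browser put the pieces back together after the filter had already passed them. The added example below (mine, not MySpace's code or anything from Samy's write-up) contrasts that substring blocklist with the two things a profile renderer should do instead: normalize the URL before deciding anything about it, accept only an allowlist of schemes, and HTML-escape everything that lands in the page. The function and constant names are assumptions.

```python
import html
import re
import unicodedata

# Only these schemes may appear in a user-supplied link (assumed policy).
SAFE_SCHEMES = {"http", "https"}


def naive_blocklist_rejects(url: str) -> bool:
    """The kind of check the post describes being bypassed: a plain substring match.

    It passes a keyword that has been split by whitespace, because the
    substring it looks for is literally not present before the browser
    reassembles it.
    """
    return "javascript:" in url.lower()


def normalize_url(url: str) -> str:
    """Strip whitespace and control characters anywhere in the string, then lower-case.

    Deciding on the normalized form means the check sees the same token the
    browser will see after it discards those characters.
    """
    cleaned = "".join(
        ch for ch in url
        if not ch.isspace() and unicodedata.category(ch)[0] != "C"
    )
    return cleaned.lower()


def safe_href(url: str):
    """Return the URL unchanged if its scheme is allowlisted after normalization, else None."""
    match = re.match(r"^([a-z][a-z0-9+.-]*):", normalize_url(url))
    if match and match.group(1) in SAFE_SCHEMES:
        return url
    return None


def render_profile_link(url: str, label: str) -> str:
    """Emit an anchor with attribute and text escaped; unsafe URLs degrade to '#'."""
    href = safe_href(url) or "#"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    # Constructed sample: the keyword split by a newline, as the post describes.
    split_keyword = "java\nscript:x"
    print("blocklist rejects:", naive_blocklist_rejects(split_keyword))  # False
    print("allowlist accepts:", safe_href(split_keyword) is not None)    # False
    print(render_profile_link("http://example.com/?a=1&b=2", "<my page>"))
```

The point of the allowlist is that it never has to anticipate how an attacker will mangle a forbidden word: anything that does not normalize to a known-good scheme is dropped, and the output escaping takes care of the raw HTML injection the post opens with.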
Tuesday, October 11. 2005
I am happy to announce that the SQL Injection chapter from my book, Guide to PHP Security has been published on MySQL's developer zone. You can find this chapter here.
Wednesday, October 5. 2005
Here goes the 2nd and hopefully the final release candidate prior to the final 2.7.3 release. Not a whole lot of changes, nearly all of them bug fixes. One welcome addition is the newly deployed Korean translation which brings FUDforum's localization number to 24 (WOW!). Big thanks to all the people who have spent and continue to spend the time adding and updating the translations.
This RC offers a small number of bug fixes, which is usually a good sign indicating we are nearing the final release. You can download the installer or upgrade script at the listed links.
Some of the "main" changes include the following:
- Updated the French Translation.
- Workaround for Solaris that does not support GLOB_BRACE.
- The message compactor is now fully operational.
- Fixed a bug with search indexing when PostgreSQL is used.
- Fixed a bug when posting message to NNTP from the forum where the NNTP server requires authentication.
Tuesday, October 4. 2005
My book, PHP Security Guide is now available for purchase on Amazon and Barnes & Noble.
Unfortunately both of these stores have the book's title wrong in different and "creative" fashions, more so on B&N where they've decided to come up with their own creative title. Hopefully these will be corrected in short order and additional info about the book (that was sent to them) will appear as well. Nonetheless, both stores now carry the book and have stock ready to ship, so if you want a copy you can now get one for under $25.
Monday, October 3. 2005
Two weeks late, but, better late than never, that's what I think.
The September issue of PHP|Architect has a fairly long and hopefully interesting article on PDO covering all of the new features found at the time. As far as PDO material goes, aside from the manual it is probably the most up-to-date resource on it that you can find. And even then it does not cover my BC break that was made recently. So if you are considering using PDO, this is definitely something that should be of interest.
The issue also held a pleasant surprise for me, which was a fairly detailed and positive review of FUDforum, yey! It only got 4 stars (out of 5), but I did manage to acquire the missing star directly from Peter (the forum's reviewer, thanks for the review btw) on a napkin, PERFECTION!!!
Friday, September 23. 2005
It is that time of year again! No, it's not Christmas, it is time for yet another FUDforum release. As usual we start with RC1 and follow it up with the stable final in short order.
This release is going to be a mostly bug-fix oriented version with a number of minor feature enhancements. You can download the installer or upgrade script at the listed links.
If you don't want to read the complete changelog (all 19 entries of it are listed below) here are some highlights.
- Added RSS links to several pages to simplify getting feeds from the forum.
- phpBB2 converter fixes.
- You can now turn on captcha validation for anonymous user postings (BIG help in comment spam reduction).
- French translation is now fully up to date.
Continue reading "FUDforum 2.7.3RC1 Released"
Tuesday, September 20. 2005
As of a few minutes ago the PDO extension allows constructor overloading, which is something a lot of people had asked for. This means that you can do things like this:
PHP:
<?php
class myDB extends PDO {
    public function __construct() {
        // "DSN", "login" and "pass" are placeholders for your own connection values
        parent::__construct("DSN", "login", "pass");
    }
}
?>
Keep in mind that if you don't call the original PDO constructor via parent::__construct() an error will be generated, so exercise caution when using this feature.
Monday, September 19. 2005
Today I've had the distinct pleasure of breaking nearly every single PDO based script in existence (my own code included), feels good.
The break is the result of something that we, the PDO developers, forgot to do: make the PDO constants class constants rather than polluting the main constant space. After much discussion on the topic at PHP|Works we've decided we need to fix this before it is too late (5.1 final release). So while it is a bit of a pain at this time, it should provide for a more robust and flexible interface.
What does this mean in terms of your code? Well, wherever you've used a PDO constant, for example PDO_FETCH_NUM, you'd now use the PDO class constant PDO::FETCH_NUM.
To simplify the conversion I offer the following Perl scriptlet:
perl -p -i -e 's/PDO_/PDO::/g' [list of files]
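The Perl one-liner rewrites every occurrence of the four characters PDO_, which is fine for most code but will also mangle an unrelated identifier such as MY_PDO_FLAG into MY_PDO::FLAG. As an added example (mine, not part of the PDO change or any PHP tooling), here is the same conversion in Python with a word boundary in front of PDO_ so only standalone PDO_ constants are touched; the sample PHP source inside is constructed for the demonstration.

```python
import re
import sys

# Match PDO_ only at the start of an identifier followed by an upper-case
# constant name, so MY_PDO_FLAG and already-converted PDO::FETCH_NUM are untouched.
PDO_CONSTANT = re.compile(r"\bPDO_(?=[A-Z])")


def rewrite_pdo_constants(source: str) -> str:
    """Convert old global PDO_* constants to PDO::* class constants."""
    return PDO_CONSTANT.sub("PDO::", source)


def count_rewrites(source: str) -> int:
    """How many constants a file would have changed; handy for a dry run."""
    return len(PDO_CONSTANT.findall(source))


# Constructed sample of pre-5.1 PDO code.
SAMPLE_PHP = """<?php
$rows = $stmt->fetchAll(PDO_FETCH_NUM);
$db->setAttribute(PDO_ATTR_ERRMODE, PDO_ERRMODE_EXCEPTION);
define('MY_PDO_FLAG', 1);   // unrelated constant, must stay as-is
$mode = PDO::FETCH_ASSOC;   // already converted, must stay as-is
?>"""


if __name__ == "__main__":
    # usage (assumed): python pdo_rewrite.py file1.php file2.php ...
    # with no arguments it just shows the conversion of the sample above
    if len(sys.argv) == 1:
        print(rewrite_pdo_constants(SAMPLE_PHP))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        converted = rewrite_pdo_constants(original)
        if converted != original:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(converted)
        print(f"{path}: {count_rewrites(original)} constant(s) rewritten")
```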
Friday, September 16. 2005
For all who are interested, here are the slides from my webservices talk; as usual they are available in PDF and PowerPoint form.
Enjoy