- J. Wynia gave an excellent overview of PHP security issues to be aware of.
- J. is co-founder of Pragmapool, Inc., which produces Sokkit and PragmaCMS among other things.
- Presentation: slides available here
  - He used phpresent, PHP presentation software created by his company.
  - PHPresent uses heredoc syntax to work with long strings.
  - Another product is "PHP Slideshow". I believe this one reads from XML files.
- Some of the discussion arising from the presentation:
  - BSD has fewer ports exposed by default than Linux or Windows.
  - Security through obscurity is not security. The reason is that even though a web address is obscure to humans, and no human would ever stumble upon your obscure web page, it is not obscure to machines that trawl the web looking for web addresses.
  - Register Globals fallout:
    - Default changed in PHP 4.2.1 and threw a lot of people off balance.
    - Many books on the shelves still give examples that presume register_globals is on.
    - J. served as technical editor for a new PHP book, and they were trying to insist that code be portrayed as if register_globals was on.
  - Neat PHP function: parse_ini_file(). This allows you to read and set settings in .ini files for your application.
  - Error logging sends your errors to a .log file instead of to the screen.
    - This code provides several options for redirecting error messages, including to a separate browser window.
    - This article has more information about the same subject.
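An added example (not from the talk or from Pragmapool's code) that ties the two points above together: application settings are read with parse_ini_file() and then used to turn off on-screen errors and send everything to a log file. The ini path, section names and keys are constructed for this example.

```php
<?php
// Added example: settings via parse_ini_file(), errors to a log file.
// Constructed /var/app/config/app.ini (kept outside the web root):
//   [logging]
//   display_errors = false
//   log_file = "/var/log/app/php-errors.log"
//   [app]
//   name = "Demo"

function load_settings(string $path): array
{
    // Second argument keeps the [sections]; INI_SCANNER_TYPED turns "false"
    // into bool false instead of the empty string, so the checks below work.
    $settings = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($settings === false) {
        throw new RuntimeException("Cannot read settings file: $path");
    }
    return $settings;
}

function configure_error_logging(array $settings): void
{
    $log = $settings['logging'] ?? [];
    // Raw errors shown to visitors leak paths, queries and versions, so the
    // default here is off unless the ini file explicitly enables it.
    ini_set('display_errors', !empty($log['display_errors']) ? '1' : '0');
    ini_set('log_errors', '1');
    if (!empty($log['log_file'])) {
        ini_set('error_log', $log['log_file']);
    }
    // Route warnings and notices through error_log() as well, so that nothing
    // PHP reports ends up in the page body.
    set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
        error_log(sprintf('[%d] %s in %s:%d', $no, $msg, $file, $line));
        return true;   // handled: suppress PHP's own output
    });
}

$settings = load_settings('/var/app/config/app.ini');
configure_error_logging($settings);
// Goes to the log file, not to the browser.
trigger_error('Settings loaded for ' . ($settings['app']['name'] ?? '?'), E_USER_NOTICE);
```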
  - File System Functions
    - Good rule: never put user-supplied variables as arguments to file system functions.
    - allow_url_fopen is on by default and should be turned off unless you have a good reason to allow your server to run PHP code stored on another server.
    - A lot of this stuff becomes a security flaw in combination with other settings: allow_url_fopen does not become a problem unless your code also calls fopen() AND you allow a user-supplied variable in fopen(), as in fopen($myfile). Then, my friend, you are a goner.
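To make the "goner" line concrete, here is an added example (not from the talk or from Pragmapool's code) that puts the fopen($myfile) pattern beside a version that keeps user input out of file system functions entirely; the directory /var/app/files and the file names are constructed.

```php
<?php
// Added example: user input in fopen() versus an allowlist lookup.

// VULNERABLE: the user controls the whole argument to fopen(). With
// allow_url_fopen=On this also reaches http:// and ftp:// URLs; even with it
// off, a name like "../../etc/passwd" walks the local file system.
function read_file_unsafe(string $name): string
{
    $fh = fopen($name, 'r');            // $name came straight from $_GET['file']
    return $fh ? stream_get_contents($fh) : '';
}

// HARDENED: the request is only a lookup key into a fixed table, and the
// resolved path is checked to stay inside the intended directory.
const FILE_DIR = '/var/app/files';
const ALLOWED  = ['readme' => 'README.txt', 'terms' => 'terms.txt'];

function read_file_safe(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED)) {
        return null;                      // unknown key: refuse, do not guess
    }
    $base = realpath(FILE_DIR);
    $path = realpath(FILE_DIR . '/' . ALLOWED[$key]);
    // realpath() returns false for missing files and collapses ".." and
    // symlinks, so a prefix check against the base directory is meaningful.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// $_GET['file'] never reaches a file system function; it only selects a key.
$requested = $_GET['file'] ?? 'readme';
$contents  = read_file_safe($requested);
echo $contents === null ? 'No such file.' : htmlspecialchars($contents);
```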
  - Password management
    - Random pronounceable passwords.
    - Best to have one-way encryption on passwords and store the encrypted text; check a password entered by the user by encrypting it and comparing the result to the stored value.
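An added example (not from the talk) of the store-and-compare scheme using PHP's built-in password_hash() and password_verify(), which do the salted one-way hashing the notes call one-way encryption, plus a small random pronounceable password generator for the first bullet; all values are constructed.

```php
<?php
// Added example: one-way password storage and a pronounceable generator.

// Store: called once when the user picks a password. Returns a salted bcrypt
// hash (algorithm, cost and salt are embedded in the string); that string goes
// in the database and the plaintext is never stored.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Check: hash the submitted password the same way and compare with the stored
// value. password_verify() compares in constant time; never use == on hashes.
function check_password(string $submitted, string $stored): bool
{
    return password_verify($submitted, $stored);
}

// Upgrade path: after a successful login, rehash if the stored hash used
// weaker settings than PASSWORD_DEFAULT now implies. Returns the new hash
// to write back, or null if nothing needs to change.
function rehash_if_needed(string $submitted, string $stored): ?string
{
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? store_password($submitted)
        : null;
}

// Random pronounceable password: alternate consonants and vowels, each drawn
// with the CSPRNG-backed random_int(). Twelve letters (6 from 18 consonants,
// 6 from 5 vowels) is about 39 bits of entropy; lengthen for more.
function pronounceable_password(int $length = 12): string
{
    $consonants = 'bcdfghjklmnprstvwz';
    $vowels     = 'aeiou';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $set  = ($i % 2 === 0) ? $consonants : $vowels;
        $out .= $set[random_int(0, strlen($set) - 1)];
    }
    return $out;
}

$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('wrong password', $hash));
echo pronounceable_password(), "\n";
```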
  - Includes: .inc files are readable as plain text unless:
    - You store them somewhere else in the file system, outside the web folder.
    - You have Apache directives that disallow reading of the .inc file.
    - You name them .php, since there is no real reason to name them .inc except for your convenience when looking at a directory.
  - File uploads: just know that the default behavior of PHP is to store any file supplied by a POST in a temp folder. This feature, in combination with other settings, could be a problem.
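An added example (not from the talk) of what to do with the file PHP has already parked in the temp folder: verify it really came from this upload, type it by content, and move it under a server-chosen name to a directory outside the web root. UPLOAD_DIR and the limits are constructed.

```php
<?php
// Added example: moving an upload out of PHP's temp folder safely.

const UPLOAD_DIR   = '/var/app/uploads';             // outside the web root
const MAX_BYTES    = 2 * 1024 * 1024;
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Returns the stored path, or null if the upload is rejected for any reason.
function save_upload(array $file): ?string
{
    // PHP already wrote the body to $file['tmp_name']; anything that did not
    // arrive completely (size limit hit, partial transfer) is discarded.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only handle files that PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        return null;
    }
    // Decide the type from the bytes, never from the client-supplied name
    // or $file['type'], both of which the sender controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_MIME)) {
        return null;
    }
    // Server-chosen name with a fixed extension: the original filename never
    // reaches the file system, so "../" or ".php" in it is irrelevant.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // readable by the app, not executable, not world-readable
    return $dest;
}

if (isset($_FILES['upload'])) {
    $saved = save_upload($_FILES['upload']);
    echo $saved === null ? 'Upload rejected.' : 'Upload stored.';
}
```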
  - PHP GACL has a new version and new documentation since the last time we discussed it. The new documentation uses a Star Wars analogy to get the point across. (How completely insulting: Luke wasn't a Jedi when he manned the guns in the Millennium Falcon!)
  - Spell checking in browser
    - Easiest (for IE only): download ieSpell. This allows you to import your MS Office dictionaries and have full spell check for web input boxes.
    - Using the Google API is much more effective because it has all pop-culture and scientific words as well as formal names in there. The drawback is that you can't force your users to get a Google API key, and your key is limited to 1000 calls a day. (It would be nice if there were other pricing options for the Google API in between "free" and "more than one million dollars".)
  - Google and geography: Google headquarters has the ability to spot localized spikes in search terms. For example, they knew almost immediately that there was an earthquake in Washington State recently because of a spike in searches on the term "earthquake" within seconds of the quake. This kind of information would be effective in outbreaks of infectious disease (assuming that when a bioengineered virus begins to turn your insides into Ragu Chunky Style, your first instinct would be to do an internet search). It brings up the question of geography-related searches and an expanded zeitgeist. Are there plans to make APIs into the information that Google is storing about what people are looking for, as opposed to what they are finding?
  - PEAR
    - A few PEAR modules are included by default with PHP (PEAR DB, a few others).
    - Other PEAR modules need to be downloaded and installed.
    - The installation until recently was kind of a pain in the ass, but they have streamlined this with a PEAR installer. But the PEAR installer itself needs to be installed, and until recently it didn't work on Windows. But now it works on Windows [but the frogurt is cursed].
    - Sokkit version 3.3 is expected to have PEAR support built in.
  - Hotscripts.com & phpclasses.org are great places to look for code, both for examples and for getting your work done faster. Chances are, someone has already written the function that you are struggling with right now.
  - Apache2
    - Apache2 is multi-threaded and intended to be truly multi-platform. (Apache 1.3 had been ported to Windows, but not really built for Windows.)
    - Setbacks for Apache2 continue because so many people are perfectly happy with 1.3 and so many modules do not work well with Apache2 (PHP, until recently, was one of these). A big issue is that the third-party open source tools that a lot of these modules depend on have not yet been made thread safe. This issue is kind of the dirty secret of open source software: all these great tools developed for free distribution do not have a developer crew in place to make upgrades such as thread support. Then other open source tools that depend on these cannot advance.
    - Information about which open source libraries are thread safe and which are not
  - Short demo of PragmaCMS. This is a content management system built with PHP and MySQL.
  - HTMLArea: this is the free browser-based (IE for now, cross-platform Mozilla version being developed) WYSIWYG tool that allows simple HTML editing in your browser window.
  - dmoz dumps
    - Dmoz is an open source equivalent to Yahoo, except humans do the indexing and editing. What results is a carefully reviewed list of links for various subjects.
    - You can browse their site or download dmoz data in mind-bogglingly huge XML files that no existing XML parser can handle.
    - To get around this, you need to break their downloads into chunks.
  - J. did technical editing on the new book PHP/MySQL Programming for Absolute Beginners.
As remembered by Tim McGuire (weblog)