Rails for PHP Developers - Blog to go along with the book of the same name. Powered by WordPress, a PHP application.
Tags: php wordpress ruby rails railsforphpdevelopers
scot hacker?s foobar blog > Notes on a Massive WordPress Migration - Lots of details on how they moved CDT from MovableType to WordPress.
Tags: movabletype wordpress
Why Did I Change My Mind? | AlwaysOn - Logic behind MySQL selling to Sun instead of going ahead with the IPO.
Tags: mysql sun
ixr - Google Code - Looks like Simon took his IXR XML-RPC library here
Tags: php xmlrpc ixr
Autocomplete HTML/CSS/JavaScript/python/xml/php/c with CTRL-X CTRL-O - parsed.org - Add autocomplete features to Vim. Wish I’d come across this sooner.
Tags: vim autocomplete php javascript html python
OpenID Splash - Looks like Yahoo has taken major dive into the OpenID pool.
Tags: openid yahoo
woork: Digg-like navigation bar using CSS - Add this to my collection of pretty rounded menu bars.
Tags: css digg menubar
HTML Purifier - Filter your HTML the standards-compliant way! - Makes some big claims, would be interesting to see it put to the test.
Tags: html php htmlpurifier filter xss
zfs - Trac - Source and binaries for ZFS on Mac OS X. Seems safe to say that we’ll see ZFS as a built in feature in some future release of OS X (10.6 perhaps?).
Tags: zfs macosx filesystem
woork: Digg-like navigation bar using CSS - Add this to my collection of pretty rounded menu bars.
Tags: css digg menubar
HTML Purifier - Filter your HTML the standards-compliant way! - Makes some big claims, would be interesting to see it put to the test.
Tags: html php htmlpurifier filter xss
zfs - Trac - Source and binaries for ZFS on Mac OS X. Seems safe to say that we’ll see ZFS as a built in feature in some future release of OS X (10.6 perhaps?).
Tags: zfs macosx filesystem
Recover Truncated PHP Serialized Arrays // ShaunInman.com - Another example of why databases should NEVER silenty truncate data. If the data doesn’t fit in the field then the insert/update needs to fail.
Tags: php database
Facebox 1.0 - Another lightbox clone in the style of Facebook. Requires JQuery.
Tags: facebox jquery javascript lightbox
Beastie Blog | Using Screen to log yourself. - I’ve never used the logging feature of screen, might use it next time I setup a new server though.
Tags: screen
GrabFS: The Screenshot File System - Not sure I’ll ever use it, but this is just an awesome hack.
Tags: macosx screenshot grabfs fuse macfuse
PuTTY Tray - Always important to have a good ssh client for your Windows box.
Tags: putty puttytray ssh
40+ Excellent Freefonts For Professional Design | Fonts | Smashing Magazine - That’s right, another font list.
Tags: fonts
favikon - Web tool for creating favicons.
Tags: favikon favicon graphics
WPhone Admin Plugin - iPhone admin for WordPress.
Tags: iphone wordpress wphone
A reversible password encryption routine for PHP - Encrypt and decrypt routines writing in PHP.
Tags: encryption php security
Tips For Creating Great Web Forms - CSS-Tricks - Making forms line up and look nice is still one of those things that is often too much work with CSS only.
Tags: css forms
WordPress Complete - Hey, it’s a WordPress book, neat.
Tags: wordpress book
State of Utah Elections Office - The number of registered voters in the State of Utah, by county. Just under 1.5 million total.
Tags: utah vote stats
The BabelFish Blog, Limitations of MetaWeblog API - Couple of years old, but a good list of complaints.
Tags: xmlrpc metaweblog
PHP mail() and The Path of No Return ? All in the head - If you are using PHP’s mail() function then make sure that Sendmail is happy with the From address on the envelope.
Tags: php mail sendmail
WLW+AtomPub, Part 4: Categories | whateverblog. - Sounds like categories in AtomPub will still need some work.
Tags: windowslivewriter atompub
Box.net Technical Blog | Blog Archive | How to Debug PHP with Vim and XDebug on Linux - Debugging PHP from Vim. Nice.
Tags: php vim debug xdebug
Porting WWIV 4.23 to FreeBSD UNIX - Now that is old school hacking!
Tags: wwiv bbs freebsd
JavaScript-based Amazon Web Services Simple Monthly Calculator - Quick way to determine how much it will cost you to use Amazon services (S3, EC2, etc).
Tags: amazon aws calculator ec2 s3
WordPress Tests - SVN Repo - Unit tests repository for WordPress. Go Alex!
Tags: wordpress unittest
WordPress Super Cache 0.1 at Holy Shmoly! - This sounds promising, I’ll have to try it out. Even if I’m not in danger of getting Digg’d any time soon.
Tags: wordpress plugin supercache cache
NYGirlOfMyDreams.com - If he finds her I expect to see a follow up on how the first date went :-)
Tags: nygirlofmydreams
RussellBeattie.com - Mobile Browser Detection in PHP - It’s unfortunate that mobile browser detection still relies on user agent sniffing. But if you have to do it, at least do it fast :-)
Tags: php mobile
Innodb Performance Optimization Basics | MySQL Performance Blog - Some good tips on starting with performance tweaks on InnoDB.
Tags: mysql innodb performance
Heikki Tuuri answers to Innodb questions, Part II | MySQL Performance Blog - More details on InnoDB.
Tags: mysql innodb performance
WordPress Super Cache 0.1 at Holy Shmoly! - This sounds promising, I’ll have to try it out. Even if I’m not in danger of getting Digg’d any time soon.
Tags: wordpress plugin supercache cache
NYGirlOfMyDreams.com - If he finds her I expect to see a follow up on how the first date went :-)
Tags: nygirlofmydreams
RussellBeattie.com - Mobile Browser Detection in PHP - It’s unfortunate that mobile browser detection still relies on user agent sniffing. But if you have to do it, at least do it fast :-)
Tags: php mobile
Innodb Performance Optimization Basics | MySQL Performance Blog - Some good tips on starting with performance tweaks on InnoDB.
Tags: mysql innodb performance
Heikki Tuuri answers to Innodb questions, Part II | MySQL Performance Blog - More details on InnoDB.
Tags: mysql innodb performance
Earlier this month Microsoft contributed a SQL Server Driver for PHP. They even have a SQL Server and PHP blog and their SQL Server forum now lists as PHP in their client list. The blog has an interesting post on development of the driver.
So, what does this thing do? It is for PHP5 only (not a big deal considering PHP4 will only be getting security updates after this year) on Windows (this part is a bummer, but not surprising) to access SQL Server 2000 and 2005 (anyone running anything older than that in production?).
You could work with SQL Server from PHP prior to this using FreeTDS. I’ve used the mssql_* PHP functions backed by FreeTDS on FreeBSD for years so this new driver from Microsoft isn’t a major game changer at this point.
That said, I find this a pretty exciting development.
Microsoft is actually providing a PHP library to work with some of their own software. I think that is great, although the really huge win would have been if it was available for non-Microsoft operating systems. This is great stuff though, not just talk, but real live code. Combining this with better PHP on IIS support I have a glimmer of hope that we’ll see more good things from Microsoft for PHP.
There has been plenty of PR about Microsoft doing more in this area, but providing real code and tools is what we actually need.
Microsoft’s IIS.net site has a new section: PHP on IIS. This is kind of strange on several levels. First off is the idea of Microsoft supporting non-Microsoft server side languages in IIS. Yeah, you’ve been able to do this for a long time (I remember running a perl ISAPI module in IIS in the 90s), but quite frankly it wasn’t that great. Just getting it to run usually involved way too much voodoo. It looks like we are starting to get something that resembles official support for PHP on IIS.
Another strange think is that this was announced in conjunction with their Go Live release of FastCGI for IIS 5.1 and IIS 6.0. Those using IIS 7 will have to wait until Vista SP1 or running Server 2008 Beta 3 or better. I suppose IIS 7 doesn’t have a large share of the IIS web server market so perhaps it isn’t much of an issue.
It looks like FastCGI will be the official way to run PHP on IIS going forward.
The IIS.net site has some documentation on how to get various PHP apps running on IIS, including WordPress on IIS.
My first choice is still a un*x box though :-)
I’ve been really enjoying working with Tim Bray, Pete Lacey, Elias Torres and Sam Ruby on improving AtomPub in WordPress. This work is in WordPress 2.3, which will be released later this month. You can try it out right now by downloading the beta. Sam has also started some documentation on AtomPub in WordPress at http://codex.wordpress.org/AtomPub.
There is a lot of ground to cover in the post so to start with I want to distinguish between two topics that are closely related, but for our purposes today are also separate and distinct from each other. The first is authentication, specifically HTTP Basic Authentication. The second is security, which will focus on SSL/TLS (i.e. using https:// URLs).
To start with, the AtomPub spec has a section on Securing the Atom Publishing Protocol that deals with authentication. In general, you can use nothing or what ever you want, but HTTP Basic Authentication with TLS needs to be able to work. Think of it as HTTP Basic Authentication being the lowest common denominator that AtomPub clients and servers have to support, along with TLS if you’d like.
In WordPress there are actually two ways that a user could be authenticated when using AtomPub, HTTP basic and cookies. The cookie mechanism just looks to see if you sent along an authenticated WordPress cookie with your request. Since we’d been using Tim’s Atom Protocol Exerciser (APE) for testing, all authentication was being done via HTTP basic. Which worked fine, most of the time.
I started running APE against WordPress running under different situations and I ran into a problem with authentication when PHP was being run as a CGI under Apache. When running as a server module (mod_php) PHP takes care of decoding HTTP basic for you (see HTTP basic authentication in PHP). When a using HTTP basic PHP will automatically populate $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] variables with the username and password that were provided. IF and ONLY IF PHP is being run as a server module (like mod_php). If you are running PHP as a CGI then those two variables won’t get created at all, ever, even when using HTTP basic authentication. And since you can’t do anything in WordPress via AtomPub without authenticating you are dead in the water. Well, not exactly.
PHP not supporting HTTP basic auth when being run as a CGI is a known issue, so folks have come up with clever work ways to work around this. One common work around is to use mod_rewrite to add HTTP basic auth into $_SERVER['HTTP_AUTHORIZATION']:
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
The idea here is that mod_rewrite watches for an HTTP basic auth attempt and then injects the HTTP header in to the PHP environment as HTTP_AUTHORIZATION. From there is it an easy job of parsing and decoding the HTTP header and manually populating $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] yourself. This is currently being done in the WordPress AtomPub code, so if you are on a host that runs PHP as a CGI and you have access to .htaccess and mod_rewrite then you can try it out.
Unfortunately I’ve seen times where this doesn’t work either. A modified version of this that I’ve had better success with is to pass the authentication back in via GET. Here’s an example from a test WordPress blog that redirects AtomPub authentication:
RewriteEngine on
RewriteBase /test/atompub/
RewriteCond %{HTTP:Authorization} !^$
RewriteRule wp-app.php wp-app.php?HTTP_AUTHORIZATION=%{HTTP:Authorization} [QSA,L]
Instead of parsing and decoding from $_SERVER['HTTP_AUTHORIZATION'] you would do it from $_GET['HTTP_AUTHORIZATION']. This isn’t exactly ideal either, but I’ve had better luck getting it to work in PHP as a CGI environments. Code to support this isn’t in WordPress AtomPub yet, but we might add it.
The four of us went back and forth on this a bit then Tim Bray asked the elephant in the room question: why doesn’t PHP support HTTP basic when running as a CGI? I didn’t have a good answer for him, so I went hunting on Google. It turns out that this has nothing to do with PHP, it is how Apache works. Apache does not pass the HTTP basic headers to CGI applications, so they never see them. This has been mentioned in several places, for brevity I’ll only quote one, from Jon Udell talking about CGI and mod_perl:
“Note that such a module has complete access to the HTTP headers sent by the client. If you write a CGI script to enforce a security policy, Ã la the ByteCal example above, that script will normally see only the user’s name (HTTP_REMOTE_USER) and not the full credentials (HTTP_AUTHORIZATION).
That’s because Apache, as a security measure, withholds the Authorization header from CGI scripts. (If you really want to build a CGI-based access-control script, you can tweak Apache to make it send this header.) But an Apache/Perl authentication module, running inside the server, knows everything that Apache knows about a request.”
So far I’ve used WordPress and AtomPub as an example, but this problem is not specific to either. This is an issue with CGI applications being able to use HTTP basic authentication, and the ways people have worked around it. While there are ways to deal with this (like the two I mentioned above), they aren’t ideal and only work if you can use .htaccess and mod_rewrite.
There have been lots of alternatives to authentication that get around this issue. Lots of people have looked at this, hopefully we’ll have a generalized way of dealing with this at some point. Until then it looks like we’ll see API specific variations of authentication.
Ok, I also mentioned that we’d talk about security. This one is more to the point, if you aren’t using SSL/TLS then your communications aren’t secure. Although HTTP basic doesn’t send your plain text password and username, it is the next best thing (base64 encoded). So anyone with access to your traffic (wireless network sniffing anyone?) can easily grab your username and password. So how do you secure this authentication process? By doing it over SSL/TLS. If your web traffic isn’t using SSL/TLS it isn’t secure.
In the context of WordPress there is a trade off here. We can’t guarantee that every WordPress install is going to support SSL/TLS, so we can’t make it a requirement. That said, there is nothing in WordPress (or the APIs: AtomPub and XML-RPC) that prevent you being able to use SSL/TLS. This leaves it up the person running the WordPress blog to decide what level of security is needed.
On WordPress.com we support TLS/SSL. You can point your XML-RPC client at https://<your_blog_here>.wordpress.com/xmlrpc.php and it will encrypt the data back and forth between your computer and WordPress.com servers. Same for AtomPub, only the URL would look like https://<your_blog_here>.wordpress.com/wp-app.php.
Hopefully everyone takes away two things from this. One, you can’t depend on HTTP basic authentication working. Two, if you aren’t using SSL/TLS then your traffic isn’t secure.
Just a day for talking about PHP I guess :-)
PHP 4 end of life announcement:
Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued.
The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5.
The clock is ticking, with about 200 days of PHP4 releases remaining, after that all bets are off. What I was really hoping as part of this announcement is a commitment to a PHP6 time line. I’m sure there are plenty of people who would rather just go directly to PHP6 instead. I think they should have waited to make this move until the first PHP6 release.