Zeev Suraski's blog: Selling PHP to your boss? A piece of cake. (8.9.2005, 03:09 UTC)
I'm not sure how many of you have been to the Z/PC&E2005 (*) as of late, but it's definitely an interesting visit. While it's not the first PHP conference to feature some pretty impressive sponsors, I think it would be fair to say that it's the first PHP event that is backed by the leading technology companies in the world today. Including some you'd never suspect would be interested (will update tomorrow, stay tuned).

Needless to say, that reflects greatly on PHP.

It's no secret PHP was (and to a large degree still is) a grassroots phenomenon. Most of the companies using PHP today chose to use it based on a developer's decision, as opposed to a management (CIO/CTO) decision. However, in many companies, especially the larger ones, PHP's penetration ended as soon as the developer(s) tried to sell the concept of using open source in general, and PHP in particular, to their boss, and sometimes to their customers.

"How do I sell PHP to my boss?" was one of the key questions that I had to deal with personally in the past. As a proliferator of PHP, this was one of the key challenges Zend faced as well. It has also been the topic of numerous presentations in various PHP conferences. The answer that was always given was based purely on technological merit - it was clear that nothing we (community, Zend, or both) can do can match the mammoth marketing power that was pushing the commercial or even free (Java based) alternatives. Years and years of relentless work to change the world's perception have finally paid off. Today, the same powers are now beginning to push PHP itself, especially into places where it stood no chance to penetrate in the past. And it's not just marketing either - the OCI8 extension and the new SDO extension are just two initial examples of how this involvement is going to translate into additional 'tangible' benefits for the PHP community.

2005 definitely signifies a turning point in the history of PHP. From an underdog that is technologically superior but lacks industry backing, to an overdog(**) - still technologically superior, but an accepted industry standard as well.

I'll see you all at the conference!

---

(*) Zend PHP Conference & Expo 2005
(**) Improvements to this word welcome! ;-)
Matthew Weier O'Phinney: File_SMBPasswd woes (7.9.2005, 20:20 UTC)

I've been cobbling together a system at work for the last couple of months to allow a single place for changing all network passwords. This includes a variety of database sources, as well as passwd files and smbpasswd files. I've been making use of PEAR's File_Passwd and File_SMBPasswd, and they've greatly simplified the task of updating passwords for those types of systems. However, I've encountered some issues that I never would have expected.

I have the web user in a group called 'samba', and I have the smbpasswd file owned by root:samba. I then set the smbpasswd file to be group +rw. Simple, right? The web user should then be able to update the smbpasswd file without a problem, right? Wrong.

I kept getting errors, and on investigation continually found that the smbpasswd file permissions had reverted to 0600 -- i.e., only the root user could access it. I tried using 'chattr -i' on the off-chance that the file had been made immutable (which didn't make sense, as I was able to see the permissions change). No luck.

Based on observations of when the permissions reverted, it appears that the various SMB processes will reset the permissions! An example is when someone attempts to mount a resource from the server; this accesses the smbpasswd file to perform authentication -- and at this point the file permissions change. I can find no documentation to support this; these are simply my observations.

So, to get around the behaviour, I created a script that will set the file permissions to what I want them, and then gave sudo privileges to the samba group for that script. This script is then called via system() in the update script just before processing.

It's a hack, and could be made more secure, but it works.
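The permission-fixing script Matthew describes, written out as an added example (this is not his script, and the smbpasswd path, the group name and the install location are assumptions). The point of interest from a hardening angle is that the command the samba group may run under sudo takes no arguments and touches exactly one hard-coded file, so the web user never gets a root-run chmod on a path of its choosing, and the script refuses to act on a symlink:

```sh
#!/bin/sh
# fix-smbpasswd-perms: restore the group read/write bits that Samba strips
# from its smbpasswd file. Added example, not Matthew's own script; the file
# path, group name and deployment paths below are assumptions.
set -eu

# Intended deployment (assumed paths):
#   install -o root -g root -m 0755 fix-smbpasswd-perms /usr/local/sbin/
#   sudoers:  %samba ALL=(root) NOPASSWD: /usr/local/sbin/fix-smbpasswd-perms
#   PHP:      system('/usr/bin/sudo /usr/local/sbin/fix-smbpasswd-perms');
# Because the command takes no arguments, the web user can only ever fix this
# one file; it cannot hand an arbitrary path to a root-run chgrp/chmod.

SMBPASSWD_FILE=/etc/samba/smbpasswd   # assumed location of the smbpasswd file
SMBPASSWD_GROUP=samba                 # group the web server user belongs to

# fix_perms FILE GROUP: set FILE to group GROUP, mode 0660 (root:samba rw-rw----).
# Returns 1 without touching anything if FILE is missing or is a symlink, so a
# link swapped in at that path cannot redirect the change elsewhere.
fix_perms() {
    file=$1
    group=$2
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        return 1
    fi
    chgrp "$group" "$file"
    chmod 0660 "$file"
}

# check_perms FILE: succeed only if FILE is exactly mode 0660.
# POSIX find with an exact octal -perm match; -prune keeps it to FILE itself.
check_perms() {
    [ -n "$(find "$1" -prune -perm 0660 2>/dev/null)" ]
}

# Only act on the real file when explicitly asked, so the functions above can
# be sourced and exercised against a scratch file without touching the system.
if [ "${RUN_FIX:-0}" = 1 ]; then
    fix_perms "$SMBPASSWD_FILE" "$SMBPASSWD_GROUP"
fi
```

Run it as `RUN_FIX=1 sudo /usr/local/sbin/fix-smbpasswd-perms` (or drop the guard once installed). Keep the script itself root-owned and not writable by the samba group, otherwise the sudoers entry grants root to whoever can edit it.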

Stefan Esser: Hardening-Patch 0.4.2 for PHP released (7.9.2005, 20:00 UTC)

The Hardened-PHP Project has just announced the release of version 0.4.2 of their Hardening-Patch for PHP.

The release features

  • support for PHP 5.0.5
  • upgrade to PEAR::XML_RPC 1.4.0
  • the new functions sha256() and sha256_file() which work like PHP's sha1() and sha1_file() functions but implement the more secure SHA256 standard
  • CRYPT_BLOWFISH support for more secure password hashing with crypt() on all platforms (Thanks to Solar Designer of the Openwall Project for the excellent idea and his free implementation)
  • some minor fixes for compilation problems
  • additional debugging messages for admins
If the PHP community likes the new sha256() support and the platform-independent CRYPT_BLOWFISH support, both will be merged into vanilla PHP.
Andi Gutmans: PHP OCI8 Driver Updated! (7.9.2005, 17:20 UTC)
Antony just sent an email saying that he has finished committing the updates to the PHP OCI8 driver, giving a short overview of the bug fixes and improvements.

The OCI8 extension has had a lot of bugs in the past few years, and it became clear that if this extension was to become supportable, it would need a serious face lift and architectural improvement.

I'd like to thank everyone who contributed to the extension. This includes Christopher Jones from Oracle, who has been very active over the years on bugs.php.net trying to support the Oracle users; the OCI team including Srinath, Luxi, and Shoaib, who helped a lot in understanding how to best use the OCI API, how to optimize the driver, and even learnt to read PHP extensions and provided feedback for the code itself; Wez, who played a huge role in rearchitecting the extension; and of course Antony, who did all the hard work of implementing the extension, rewriting the documentation, writing the gazillion new test cases, and putting up with the constant nitpicking for improvements (and of course, stepping up in the past to become the OCI8 maintainer and help with damage control).

I encourage all Oracle users to test the new extension. In addition to resolving the many bugs, it also has some performance improvements, mainly in defaulting to a 10 row prefetch, and by supporting statement caching. Also, please review the new documentation which has been significantly improved.

If you bump into any problems, please email Antony or open a bug report at http://bugs.php.net.

Enjoy!
Wez Furlong: Updated oci8 extension now in PECL (7.9.2005, 13:28 UTC)

You may have heard of the Zend Core for Oracle; as part of that project the oci8 extension for PHP received a lot of attention from teams of people from Zend, Oracle and OmniTI. As a result, the oci8 extension is now more robust, performant, better documented and more thoroughly tested than ever before (the list of closed bugs is enormous).

Although the extension is currently marked as beta, it's a significant improvement over the older versions that have shipped with PHP.

The updated code is available now via PECL, and will compile against PHP 4 and PHP 5 (Windows users can obtain the updated extension DLL via snaps).

Installation on unix should be as simple as:

   # pear install oci8-beta

However, if you compiled the oci8 extension statically, you will need to recompile PHP using --with-oci8=shared (or --without-oci8) before this will work.

Lukas Smith: Business as usual (7.9.2005, 13:14 UTC)

I am still working on making the current LiveUser release cycles bug free. The bugs that are being spotted are getting increasingly rare and harder to encounter. Unfortunately no work on the caching has started as of yet. A bunch of people have expressed interest in helping. As always nothing has materialized to date. Aside from a minor php doc comment contribution there has also been no assistance on the documentation front. This includes MDB2. Oh well, I guess I need to be content with people finding bugs and reporting them. Anything beyond is too much to ask ... *sigh*

Aside from that I am working hard on finishing up my slides for php|works. Looks like I will also be giving a talk on LiveUser. I need to update the slides a bit more. I have already added some things that popped up during the last talk in Cancun. I have not yet started on the PEAR talk. But I have already spent several days on the SQL talk. This is not surprising at all, since I am doing this talk from scratch and I want to cover quite a large range of topics. The work has been very educational for me already; I hope it will be equally useful to the audience.

In terms of work, the paying type, we are slowly getting to the point where we will start adding a bit of dynamics into the GUI design of a little AJAX application we are developing at the moment. The job of the application is to display some information read from an Oracle database. We will be using Apache2 with PHP5 and, unfortunately, Windows Server 2003 on the server. The display is to refresh on its own at regular intervals, and since some people will use this tool on the go, we are to cut down on data traffic and client resources as much as possible.

Not sure yet if we are going to let the application talk to Oracle directly or not. We will be using SQLite anyway to store all the application-specific data, since we want as few services running on the machine as possible. I am considering replicating the necessary data from the Oracle database, applying some necessary computations and caching that information in SQLite as well. That way we only need a little shell script to hit the Oracle database at regular intervals. It might make the application more robust and performant (especially since we still know little about the actual Oracle server).

We are also ready to start the next phase of development for the plan- & report-generator advanced prototype we developed. Essentially this application enables people in the pharmaceutical industry to keep a data pool of validation criteria and procedures which they can use to build up validation plans and protocol forms in Word (using OpenOffice from the shell with a faked X server). The cool aspect of the application is that it notifies the maintainer of every validation plan of any relevant changes made to the data pool and helps in merging those changes in if needed.

The next phase will feature a complete overhaul of the GUI. We have invested a good bit of time to find better ways to do write-in combo boxes, fixed headers in tables and inline scrollbars. That should make things a lot more pleasant to work with. Additionally we are adding workflow management, risk analysis and reporting. We might also make the integration of new Word templates possible without any manual steps between OpenOffice and uploading into the system.

With a little vacation playing beach frisbee in Mallorca at the end of October, the International PHP Conference in early November, holding a 4-week online workshop on PHP5 starting mid-November and a possible book project (more on it when the contracts are signed), it looks like the rest of the year is quite planned out for me. In order to finally finish up my computer science degree I will also take the last 2 courses I have to complete, on "operating systems" and "creation and executing of surveys", so I will have even more on my plate.

Tobias Hauser & Christian Wenz: Open Source Scripting Development Drops (7.9.2005, 07:17 UTC)
Via Karsten: This has been announced one month ago, but somehow I missed it, so here is my personal, maybe belated take on it:
A study conducted by Evans Data Corporation (a company that does a lot of surveys and is generally considered independent) found that "the number of developers using PHP for development dropped by more than 25% in the last year and the number of developers indicating they would not evaluate or use PHP for future development projects grew by almost 40% in the same time period".
The article goes on and speculates about the reasons. One of the possible reasons given is the "inability of these languages to penetrate the enterprise space", something which I doubt, since a lot of enterprise websites run on PHP (hopefully there won't be a marketing comment by someone who does enterprise work with PHP, though ;-)). One of the actual reasons behind that may be the IDE situation. Meanwhile, there are really several great IDEs for PHP, but compared to the competition, it's still a long way to go (if you need "enterprise features").
However, the Evans study does not bother me. Quality will prevail, and as I always say, a good programmer can create great results with any (above-average) editor (and any technology).
Sebastian Bergmann: Call for Help (6.9.2005, 16:15 UTC)
I want to replace the current PHPUnit website with a MediaWiki-driven one. For this I need someone to design a MediaWiki skin in the likes of the Mono or Hula websites.

This skin for MediaWiki should, of course, feature Colin Viebrock's great PHPUnit logo.

Thank you in advance,
Sebastian
Ilia Alshanetsky: PHP Guide to Security is out! (6.9.2005, 14:23 UTC)
About five months ago, during yet another flood of phpBB2 exploits, Marco Tabini approached me with an idea of writing a security book for PHP. The idea was to provide a guide for people who want to make their applications safer as well as help them understand the possible consequences of various exploits. I thought the idea was quite appealing and, feeling a bit confident after a fairly extensive article authorship, decided to take up the task.

And so, for the next several months I was focused on effectively doing a brain dump of my knowledge on security. The process was extremely educational, since to explain any concept a far greater knowledge than the one needed to simply apply a fix is required, plus writing a book, as I have learned, is just "a tad" :-) more complex than an article. But with the help of Marco, my technical reviewer, and Martin Streicher, who has done a tremendous job at cleaning up my ranting, I think we've got an excellent PHP security resource. The book itself is 201 pages, a bit longer than anticipated, but that gave me the opportunity to cover each topic in a fair amount of detail.

Table of Contents
  1. Input validation
  2. Cross-site Scripting Prevention
  3. SQL Injections
  4. Code Injections
  5. Command Injections
  6. Session Security
  7. Securing File Access
  8. Security Through Obscurity
  9. Sandboxes and Tar Pits
  10. Securing Your Applications

The goal of the book is to introduce each type of vulnerability and to explain in the greatest amount of detail possible what can lead to it and what the possible consequences are. In my opinion, before solving any problem you should have a full understanding of it, so that the fix ends up addressing the cause and not the symptoms. As far as consequences go, it is imperative to know why a problem needs to be fixed and not allowed to linger. If you've ever come across a situation where someone dismissed cross-site scripting (XSS) or another security problem as a non-issue, this book will serve as an excellent resource in demonstrating how even the most "trivial" exploits can be abused to great effect. Not to leave you hanging, so to speak, the book also spends a fair amount of time talking about possible solutions to each problem and provides deployable solutions for each one. In addition to talking about specific security issues, it is my sincere hope that it will encourage developers to think about security when designing and auditing their applications and ultimately lead to better and far more secure code.

At the present time the book is available via the phparch.com website in both paper and electronic forms, and will shortly (within 1-2 weeks) appear on Amazon and Barnes & Noble, ISBN: 0-9738621-0-6. I should mention that the first 300 copies sold will be signed, so if you want my doodling ;-) on your copy, hurry up and buy it.
John Cox: PHP Interactive (6.9.2005, 11:49 UTC)

Elisa Manara and Salvatore Sanfilippo have put together an interesting little application called PHP Interactive.

PHP Interactive is a simple PHP program that lets the user write code in a text area (actually multiple text areas, with tabs to switch), and see the output of the code just by pressing the update button. The scripts are persistent, and the program supports a raw and an HTML output mode, in order to see the raw script output or to interpret it as HTML.

With a little thought there could be some really nice uses besides being a replacement for php -a. For instance, it might be pretty cool to see this or something similar integrated into Pastebin for those of us that help out in support IRC rooms. It would be nice to be able to see the actual output before and after to see what is going on right there. Obviously though there would be some security risks, which might explain why the functionality isn't there right now.
