JEMGames Launched
June 6th, 2008 by Aaron
JEMGames has finally joined the 102 Degrees network. JEMGames is an experiment comparing the success of custom-programmed websites against off-the-shelf open source PHP scripts.
No More “The Triangle”
June 6th, 2008 by Aaron
Well, I’ve officially resigned from “The Triangle.” Don’t worry, I’ve got a new place to keep bringing experience to this blog. I look forward to my new opportunities.
Prototype JS - form elements need names, not just IDs
June 6th, 2008 by Aaron
So, I got stuck on this bug for an hour - so I thought I’d write it down.
I was using Prototype JS’s serialize method on a form. I was also using a strict XHTML doctype. My form elements had IDs only and did not have names. Well, serialize kept coming back empty. Turns out that Prototype requires there to be a name on each of the elements (the same rule the browser applies on a normal submit: a control without a name is never sent).
UPDATE: Der - according to the W3C, it is the ‘name’ attribute of the ‘form’ tag that is deprecated in strict XHTML, not the name attribute of the form elements…
*hits head with hand*
Finally - PHP has NoIndex on phpinfo output
June 4th, 2008 by Aaron
Security Issue?
A big issue with PHP security has been developers creating a phpinfo page and then not removing it from the production site. As you may know, phpinfo() dumps a ton of useful information to the screen, for the developer as well as for the cracker: the exact PHP version and loaded extensions (so known bugs can be matched up), the php.ini paths and settings, and the environment and server variables, which often contain internal host names and file paths:
```php
<?php
phpinfo();
```
I can’t imagine how many copies of that are out on various servers…
Actually, let’s take a look with this Google query…
More than a million results (granted, they’re not all phpinfo() calls, but it gives you a good idea…).
There is Hope
With the release of PHP 5.2.1, the output of phpinfo() now includes the following meta tag:
```html
<meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" />
```
This will, slowly but surely, stop compliant robots (Google, Yahoo… not crackerMcCrackenstein.com) from indexing and archiving these. Yes! Two caveats, though: a robots meta tag only influences crawlers that choose to honour it, and it does nothing for a visitor (or scanner) who requests the URL directly and still gets the full dump. Treat it as damage limitation. The fix is still to delete the file from production, and if phpinfo() is never needed on a server you can switch the function off outright with disable_functions = phpinfo in php.ini.
PHP Script Configuration Class with Logic built in
June 2nd, 2008 by Aaron
Sometimes we have static configuration options, such as the name of the company or the location of a particular partner’s website. Other times there are more dynamic configuration options, such as the current site’s URL or the database connection credentials.
For this article, I wanted to build on my previous article here, and make a config class that could still get all of this information from a static method, while making decisions to create accurate config options.
Continue reading PHP Script Configuration Class with Logic built in
PHP Script Configuration Options - Class Constants or MySQL
May 31st, 2008 by Aaron
I’m trying to figure out the best way to do configuration options for my newest PHP scripts that I’m working on. My requirements are simple:
1) You cannot change a config option once it is loaded
2) The options are easy to modify quickly
3) Values must be fetched through a method, whether or not they are available globally (this is just in case I want to change the logic in the future)
Non-Requirements:
1) Does not need to produce dynamic configuration options or choose options based on logic (i.e., one MySQL credential for LIVE vs. another for development)
With this in mind, let’s figure out what may work best:
Continue reading PHP Script Configuration Options - Class Constants or MySQL
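As an added example (not the author’s code from either article, which sits behind the “Continue reading” links), here is one config class that meets the three requirements listed above and also covers the “logic built in” case from the June 2nd post: static values are class constants, and the environment-dependent values (base URL, database credentials) are decided once on first access. The APP_ENV and DB_* variable names, the host names and the development credentials are assumptions.

```php
<?php
// Added example, not the author's code. Assumed: APP_ENV names the environment
// and DB_HOST/DB_USER/DB_PASS/DB_NAME carry the live database credentials.

final class Config
{
    // 1) Static options are class constants: readable anywhere, never reassignable.
    const COMPANY_NAME = '102 Degrees';
    const PARTNER_URL  = 'https://partner.example.com/';   // assumed URL

    /** @var array|null Built once on first get(); there is deliberately no setter. */
    private static $options = null;

    private function __construct()
    {
        // No instances, so there is no per-object state for anyone to mutate.
    }

    /**
     * 3) Every read goes through this method, so the lookup logic can change
     * later without touching callers. Unknown keys fail loudly rather than
     * silently returning null.
     */
    public static function get($key)
    {
        if (self::$options === null) {
            self::$options = self::build();
        }
        if (!array_key_exists($key, self::$options)) {
            throw new InvalidArgumentException("Unknown config key: $key");
        }
        return self::$options[$key];
    }

    /** Decide the dynamic options exactly once, based on where the code is running. */
    private static function build()
    {
        // 2) Easy to modify: one environment variable switches the whole set.
        // Default to development so a forgotten variable never points at live data.
        $env = getenv('APP_ENV') ?: 'development';

        // The Host header is client-supplied, so the base URL is only taken from
        // it when it matches a host we know; otherwise the canonical name is used.
        // (Assumed host names.)
        $known = ['www.example.com', 'dev.example.local', 'localhost'];
        $host  = (isset($_SERVER['HTTP_HOST']) && in_array($_SERVER['HTTP_HOST'], $known, true))
            ? $_SERVER['HTTP_HOST'] : $known[0];
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

        $options = [
            'company_name' => self::COMPANY_NAME,
            'partner_url'  => self::PARTNER_URL,
            'env'          => $env,
            'base_url'     => ($secure ? 'https' : 'http') . '://' . $host . '/',
        ];

        if ($env === 'production') {
            // Live credentials come from the environment, not from source control,
            // and a missing value is an error rather than a fallback to dev settings.
            foreach (['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $var) {
                if (getenv($var) === false) {
                    throw new RuntimeException("$var must be set when APP_ENV=production");
                }
            }
            $options['db'] = [
                'host' => getenv('DB_HOST'),
                'user' => getenv('DB_USER'),
                'pass' => getenv('DB_PASS'),
                'name' => getenv('DB_NAME'),
            ];
        } else {
            // Assumed local development database.
            $options['db'] = ['host' => '127.0.0.1', 'user' => 'dev', 'pass' => 'dev', 'name' => 'app_dev'];
        }
        return $options;
    }
}

// Usage: values can only be read, and the environment decision is made once.
echo Config::get('base_url'), "\n";
$db = Config::get('db');
printf("env=%s db=%s@%s/%s\n", Config::get('env'), $db['user'], $db['host'], $db['name']);
```

Run it from the command line with and without APP_ENV=production set to see both branches; in production a missing DB_* variable stops the script instead of quietly connecting to the development database.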
Dig for Windows
May 30th, 2008 by Aaron
For those of us who develop on Windows, it is easy to feel Linux tool envy. One tool in particular is the ‘dig’ command. Luckily, you can get it running on Windows easily:
Download BIND from ISC
Visit the www.isc.org/sw/bind/index.php download page and download the Windows binary version.
Create a folder and extract the necessary files
Create a folder called ‘dig’ (and add it to your PATH), or push all the DLLs and EXEs into your windows\system32 folder. A folder of its own is the cleaner choice: anything dropped into system32 is loaded by every program on the machine and tends to be forgotten when BIND needs updating. Extract the following:
dig.exe
libbind9.dll
libdns.dll
libisc.dll
libisccfg.dll
liblwres.dll
Run Dig
```text
c:\>dig

; <<>> DiG 9.4.2 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 752
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 12

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       4060    IN      NS      e.root-servers.net.
.                       4060    IN      NS      b.root-servers.net.
.                       4060    IN      NS      f.root-servers.net.
.                       4060    IN      NS      a.root-servers.net.
.                       4060    IN      NS      c.root-servers.net.
.                       4060    IN      NS      i.root-servers.net.
.                       4060    IN      NS      g.root-servers.net.
.                       4060    IN      NS      h.root-servers.net.
.                       4060    IN      NS      m.root-servers.net.
.                       4060    IN      NS      d.root-servers.net.
.                       4060    IN      NS      k.root-servers.net.
.                       4060    IN      NS      l.root-servers.net.
.                       4060    IN      NS      j.root-servers.net.

;; ADDITIONAL SECTION:
e.root-servers.net.     71529   IN      A       192.203.230.10
b.root-servers.net.     71529   IN      A       192.228.79.201
f.root-servers.net.     85723   IN      A       192.5.5.241
a.root-servers.net.     85723   IN      A       198.41.0.4
c.root-servers.net.     71529   IN      A       192.33.4.12
i.root-servers.net.     71529   IN      A       192.36.148.17
g.root-servers.net.     71529   IN      A       192.112.36.4
h.root-servers.net.     71529   IN      A       128.63.2.53
m.root-servers.net.     25212   IN      A       202.12.27.33
d.root-servers.net.     71529   IN      A       128.8.10.90
k.root-servers.net.     85723   IN      A       193.0.14.129
j.root-servers.net.     85723   IN      A       192.58.128.30

;; Query time: 15 msec
;; SERVER: 10.30.12.26#53(10.30.12.26)
;; WHEN: Tue May 27 10:49:05 2008
;; MSG SIZE  rcvd: 433
```
Yay!
Thanks to Todd Keup @ magnifisites for this tip.
PHP application plugins - force the interface
May 27th, 2008 by Aaron
The other day I was experimenting with some PHP plugin scripts and trying to develop my own robust plugin system. I started thinking: how can I guarantee that a 3rd party developer sticks to my plugin standards?
Well the obvious answer is an interface. But, I wanted to make sure that their plugin actually implemented it.
Enter instanceof
I had previously only thought of instanceof as a way to verify whether an object was of a specific class, but it works for interfaces too. Let’s check out my test code:
```php
<?php
// The contract every plugin must honour.
interface pluginInterface {
    public function update();
}

// A third-party plugin that declares it implements the contract.
class thirdPartyPlugin implements pluginInterface {
    public function __construct() {
        print 'constructed';
    }
    public function update() {
        print 'update ran';
    }
}

// The loader: instantiate, then check the object against the interface.
$a = new thirdPartyPlugin();
if ($a instanceof pluginInterface) {
    print 'is good';
} else {
    print 'discard me.';
}
```
The first section is the plugin interface. For our example, I’m making a very simple interface: all plugins must have a method called update().
Next, we have the third-party plugin, which implements pluginInterface. It has the update() method, as well as any other methods it needs.
Finally, our plugin loader creates a new instance of the plugin and then verifies that it is of type pluginInterface. If you were to remove ‘implements pluginInterface’ from thirdPartyPlugin, the instanceof test would fail and print ‘discard me’. Note the order, though: the constructor has already run by the time the check happens, so whatever the plugin does in __construct() executes whether or not it is discarded. The check only stops you from calling update() on something that never promised to have it.
Make the parameters in the Interface more exacting
So, let’s say that every single update() method should do something to the object ‘testObject’. With this modified code, I make sure that the update() method of the 3rd-party plugin expects its first parameter to be a testObject. If the type in the implementation’s declaration does not match the type in the interface, PHP refuses to load the class with a fatal “must be compatible with” error at declaration time. (Note: the parameter’s variable name does NOT need to match. Since PHP 7.2 an implementation may also drop the type hint entirely, which widens what it accepts and is therefore allowed; it may not substitute a different class.)
See code:
```php
<?php
interface pluginInterface {
    // Every plugin's update() must accept a testObject as its first argument.
    public function update(testObject $tO);
}

class thirdPartyPlugin implements pluginInterface {
    public function __construct() {
        print 'constructed';
    }
    // The parameter name differs ($object vs. $tO); only the type must agree.
    public function update(testObject $object) {
        print 'update ran';
    }
}

class testObject {}
```
Can this help with security?
Sure! Think about this: you install a 3rd-party plugin, but you don’t have time to review all of its code line by line. Now suppose this malicious plugin wants to get hold of your database connection and drop all of your records. It expects the loader to pass the connection into its update() function, so it declares the function like this:
```php
public function update(testObject $object, $dbConnection)
```
Sure enough, this fails too: PHP rejects the class at declaration time, because the extra parameter is required and the interface does not declare it. Two caveats before you lean on this. First, an extra *optional* parameter (`$dbConnection = null`) is a compatible declaration and loads without complaint, so “must match EXACTLY” is only true for required parameters and types. Second, the signature only controls what your loader hands over; the method body can still reach the connection through a global, a static registry or $GLOBALS. Treat this as contract enforcement, not as a sandbox.
Note: I’m not advocating that this be your only security measure in your application. There are other ways for 3rd-party plugins to take advantage of your system, but as a responsible developer you should build multiple layers of security.
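As an added example (not the author’s code), here is a loader that turns the idea above around: it inspects the plugin class with reflection before constructing it, so a rejected plugin never gets to run its constructor, and it also catches the “extra optional parameter” case that PHP itself lets through. The plugin files, class names and the temp directory used for the demo are made up; the real assumption is that the plugin directory is not writable by the web server, because including a file still executes its top-level statements.

```php
<?php
// Added example, not the author's code: check a plugin class with reflection
// *before* instantiating it, so nothing in the plugin runs until it has passed.
// Assumed: plugin files live in a directory the web server cannot write to;
// the file and class names below are made up for the demo.

interface pluginInterface
{
    public function update(testObject $tO);
}

class testObject {}

/** Return a list of problems with $class; an empty list means it is acceptable. */
function checkPluginClass($class, $interface = 'pluginInterface')
{
    // The 'false' stops class_exists() from triggering autoloaders for a bad name.
    if (!class_exists($class, false)) {
        return ["class $class was not declared"];
    }
    $rc = new ReflectionClass($class);
    if (!$rc->implementsInterface($interface)) {
        // Same test as "instanceof", but without constructing the object.
        return ["$class does not implement $interface"];
    }
    $problems = [];
    if (!$rc->isInstantiable()) {
        $problems[] = "$class is abstract or hides its constructor";
    }
    // PHP already rejects incompatible declarations with a fatal error, but it
    // allows an implementation to ADD optional parameters. Insist on the exact
    // parameter count the interface declares.
    foreach ((new ReflectionClass($interface))->getMethods() as $want) {
        $have = $rc->getMethod($want->getName());
        if ($have->getNumberOfParameters() !== $want->getNumberOfParameters()) {
            $problems[] = sprintf('%s::%s() takes %d parameter(s); %s declares %d',
                $class, $want->getName(), $have->getNumberOfParameters(),
                $interface, $want->getNumberOfParameters());
        }
    }
    return $problems;
}

/** Include a plugin file and instantiate $class only after it passes the checks. */
function loadPlugin($file, $class)
{
    // Including the file executes its top-level statements; the checks below
    // cannot undo that, which is why the directory itself must be trusted.
    require_once $file;
    $problems = checkPluginClass($class);
    if ($problems) {
        throw new RuntimeException("Rejected $class: " . implode('; ', $problems));
    }
    return new $class();   // the constructor runs only now
}

// --- Demo with constructed plugin files written to a temp directory ---
$dir = sys_get_temp_dir() . '/plugins-' . getmypid();
mkdir($dir);

// Correct plugin: matches the interface exactly.
file_put_contents("$dir/good.php", '<?php
class goodPlugin implements pluginInterface {
    public function __construct() { echo "goodPlugin constructed\n"; }
    public function update(testObject $o) { echo "update ran\n"; }
}');
// Sneaky plugin: the extra parameter is optional, so PHP loads it without complaint.
file_put_contents("$dir/sneaky.php", '<?php
class sneakyPlugin implements pluginInterface {
    public function __construct() { echo "sneakyPlugin constructed\n"; }
    public function update(testObject $o, $dbConnection = null) { }
}');

foreach (['goodPlugin' => 'good.php', 'sneakyPlugin' => 'sneaky.php'] as $class => $f) {
    try {
        $plugin = loadPlugin("$dir/$f", $class);
        $plugin->update(new testObject());
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";     // sneakyPlugin is never constructed
    }
    unlink("$dir/$f");
}
rmdir($dir);
```

The good plugin prints its constructor message and “update ran”; the sneaky one is reported as taking 2 parameters where the interface declares 1, and its constructor never runs.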
XDebug’s settings reminded me - no output to the browser if sending headers
May 20th, 2008 by Aaron
So, I admit it: I’ve become lazy. Well, in all fairness, the programmer before me at “the triangle” was also lazy. And after messing with XDebug and setting output_buffering to off and implicit_flush to on… I was reminded of our laziness.
Because of these changes, some of the spaces that we had in our code are now sending output directly to the browser (even though we have an output handler…). For example, this is bad code:
```php
/** and some more fun here**/
?>

<?php
/** start second block of code **/
```
I know it is bad, you know it is bad… *sigh*. But because of this, I’m not able to use Xdebug’s debugging feature on my ‘triangle’ code. I’d have to put through a project to REMOVE SPACES. Hah.
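Finding every one of those stray spaces by hand is the “project” the post dreads, so here is an added example (not the author’s code) of a small lint that does it with PHP’s own tokenizer. It walks a directory and reports whitespace that sits outside PHP tags (the blank line between `?>` and `<?php` above is exactly such a token, and PHP echoes it), and, since the same walk serves the phpinfo() post further up the page, it also flags any phpinfo() call left in the tree. The three sample files are constructed for the demo and written to a temp directory; the directory name is an assumption.

```php
<?php
// Added example, not the author's code. A token-based lint that walks a source
// tree and reports (1) phpinfo() calls that should not be on a production
// server and (2) whitespace outside <?php ... ?> blocks, which PHP sends to
// the browser as output. Sample files are constructed below; the temp
// directory name is an assumption.

/** Scan one file's source text; return human-readable findings. */
function scanPhpSource($source)
{
    $findings = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) {
            continue;               // one-character tokens such as '(' are plain strings
        }
        list($id, $text, $line) = $tokens[$i];

        // Text outside PHP tags is echoed verbatim. When it is nothing but
        // whitespace it is almost always an accident, and it is what makes a
        // later header() call fail with "headers already sent".
        if ($id === T_INLINE_HTML && trim($text) === '') {
            $findings[] = "line $line: whitespace outside PHP tags is sent as output";
        }

        // phpinfo followed by '(' is a call; skip $obj->phpinfo( and Foo::phpinfo(.
        if ($id === T_STRING && strcasecmp($text, 'phpinfo') === 0) {
            $prev = $i > 0 ? $tokens[$i - 1] : null;
            $isMember = is_array($prev)
                && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true);
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (!$isMember && $j < $n && $tokens[$j] === '(') {
                $findings[] = "line $line: phpinfo() call; remove before deploying";
            }
        }
    }
    // A closing tag at the end of a pure-PHP file is where trailing newlines
    // creep in; the usual fix is to omit "?>" entirely in such files.
    $last = end($tokens);
    if (is_array($last) && $last[0] === T_CLOSE_TAG) {
        $findings[] = "line {$last[2]}: file ends with '?>'; omit it in pure-PHP files";
    }
    return $findings;
}

/** Recursively scan every .php file under $dir; return path => findings. */
function scanDirectory($dir)
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $findings = scanPhpSource(file_get_contents($file->getPathname()));
        if ($findings) {
            $report[$file->getPathname()] = $findings;
        }
    }
    return $report;
}

// --- Demo on constructed files ---
$dir = sys_get_temp_dir() . '/lint-demo-' . getmypid();
mkdir($dir);
// The pattern from the post: a blank line between two PHP blocks.
file_put_contents("$dir/bad.php",
    "<?php\n/** and some more fun here**/\n?>\n\n<?php\n/** start second block **/\nheader('X-Demo: 1');\n");
// The forgotten test page from the phpinfo() post.
file_put_contents("$dir/info.php", "<?php\nphpinfo();\n");
// A clean file: no closing tag, nothing outside the PHP block.
file_put_contents("$dir/ok.php", "<?php\nfunction answer() { return 42; }\n");

foreach (scanDirectory($dir) as $path => $findings) {
    echo basename($path), ":\n";
    foreach ($findings as $f) {
        echo "  $f\n";
    }
}
foreach (['bad.php', 'info.php', 'ok.php'] as $f) {
    unlink("$dir/$f");
}
rmdir($dir);
```

Only bad.php (whitespace on line 4) and info.php (phpinfo() call on line 2) show up in the report; ok.php is silent. Pointed at a real document root, the same script gives you the list of files to fix before turning output buffering off.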
XDebug and Eclipse PDT on Windows - From Start to Finish
May 20th, 2008 by Aaron
With our recent upgrade to PHP at “the triangle,” I felt it was time to start working with a debugging and code profiling tool. When I say I felt it was time… I mean our PHP version finally supports it. *sigh*. Anyway, from start to finish, this is what I did in order to get Xdebug to integrate into my current Eclipse PDT, as well as to investigate the other features of Xdebug. I tried to detail all of the mistakes I made as well as what I figured out. Let’s go:
Continue reading XDebug and Eclipse PDT on Windows - From Start to Finish
