Dynamically Typed : OOP and Performance

Once again, Harry Fuecks says something on [url=http://www.sitepoint.com/blog-view.php?blogid=9]his blog[/url] that makes me think: “Of course! That’s brilliant!” This time, he tries to debunk the age-old wisdom that an OOP implementation is slower than its procedural counterpart.

Of course, this is a correct statement…but, [url=http://www.sitepoint.com/blog-post-view.php?id=223760]as Harry points out[/url], only if you don’t take advantage of some of the things OOP helps you do. Of course, even you proceduralists out there could read this and think up ways to implement his ideas in functions…so everyone should at least take a peek.

Cross-site Scripting Article on DevShed

I’m sure that many of you have heard of a little thing called “[url=http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting]cross-site scripting[/url].” If you haven’t, or you have never thought about how it may affect you or your websites, please take the time to read [url=http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting]this article[/url] on DevShed. It does a pretty good job of showing you what XSS is, how to prevent it from happening, and why you should care.

Using PHP scripting for sysadmins

An [url=http://enterprise.linux.com/article.pl?sid=04/12/22/0028257]article on linux.com[/url] shows a couple of examples of using PHP scripting to perform sysadmin tasks on servers.

More info can be found on the [url=http://www.php.net/manual/en/features.commandline.php]Command Line manual[/url] page on PHP.net.

PHP Hits the Mainstream: Gets worm to prove it!

We have had some interesting security-related news in our world these last couple of weeks. You may want to read on if you are running:

  • php < 4.3.10
  • php < 5.0.3
  • phpBB < 2.0.11

Also, I’ve added a little trick you might be interested in to keep your services safe. This is especially important if you use a shared host and don’t have access to update your own software. Read on for more…

As Eric pointed out in the Forums, [url=http://www.php.net/ChangeLog-4.php#4.3.10]PHP 4.3.10[/url] and [url=http://www.php.net/ChangeLog-5.php#5.0.3]5.0.3[/url] are now out. You really need to look into upgrading to one of these as soon as possible.

Also, a new worm targeting phpBB has been written. This initial version used a flaw in phpBB’s highlighting code to deface your site with the worm. Then, the worm would use Google to find phpBB sites that had not yet been upgraded and infect them. You can [url=http://it.slashdot.org/it/04/12/21/2135235.shtml?tid=220&tid=217&tid=169]read more about it[/url] on [url]slashdot.org[/url].

While Google has stopped returning results for the searches this worm uses, that doesn’t mean a new variant that uses a different (read: lesser) engine won’t pop up soon.

As “akiy” on slashdot posted:
[quote]It looks like the latest [url=http://www.phpbb.com/phpBB/viewtopic.php?t=244451]phpBB version 2.0.11[/url] or a [url=http://www.phpbb.com/phpBB/viewtopic.php?t=240513]simple patch[/url] will thwart the worm, though. Time to upgrade if you haven’t yet![/quote]

I have to take his word on this, because I can’t get to [url]phpbb.org[/url] right now.

Happy Patching!! Don’t forget to try it in your test environments first if you have one!!

Also, a pretty reliable way to keep things like this from happening is to run your php scripts using a different user than the one that can write to your files.

For example, your website quantumbagel.com runs phpBB. All of the files are owned by qb_admin and are read-only to everyone else. Then, PHP runs as qb_cgi. The qb_cgi user owns no files…maybe some JPEGs in an upload or avatar directory, but that’s it. If PHP or your scripts get compromised, the worst thing they could do is jack with your data…but your code would still be clean and intact.

If your PHP runs as an Apache module on Linux, it is probably running as nobody…and unless your permissions allow anyone to write to your files, you are probably OK.
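To check that a tree really is set up the way the quantumbagel.com example describes, here is an added audit script (not from the original post). It assumes the code is owned by one account (qb_admin) while PHP runs as another (qb_cgi), and that the upload/avatar directory names below are the ones you use; adjust them to your install.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a web root for files
# that the PHP runtime user could modify. Assumes the layout described above:
# code owned by an admin account (qb_admin), PHP running as a separate user
# (qb_cgi), and the upload/avatar directory names below (assumed phpBB-style).
# Because the two users differ, a file writable by "group" or "other" is the
# only kind a compromised script could overwrite, so that is what we look for.

# List regular files under $1 that are writable by group (020) or other (002),
# ignoring the directories that are supposed to hold user-uploaded data.
# Exit status is 1 when any such file exists, 0 when the tree is clean.
audit_web_root() {
    found=$(find "$1" -type f \( -perm -020 -o -perm -002 \) \
        ! -path "*/uploads/*" ! -path "*/images/avatars/*")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# The same check as a number, convenient for cron jobs and scripts.
count_writable() {
    audit_web_root "$1" | wc -l | tr -d ' '
}

# Make the code tree read-only for everyone but its owner: directories 755,
# files 644. The data directories are left alone so uploads keep working.
lock_down() {
    find "$1" -type d ! -path "*/uploads*" ! -path "*/images/avatars*" \
        -exec chmod 755 {} +
    find "$1" -type f ! -path "*/uploads/*" ! -path "*/images/avatars/*" \
        -exec chmod 644 {} +
}

# Typical use, run as the file owner (qb_admin), with a placeholder path:
#   lock_down /var/www/quantumbagel.com/htdocs
#   audit_web_root /var/www/quantumbagel.com/htdocs || echo "writable files found"
```

Run the audit from cron as the owner of the files; a non-zero exit means something has become writable to the PHP user since you locked the tree down.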

I’m not sure how you would do this in windows though. (I have some fuzzy recollections about IIS_USER and the everyone group, or something) Anyone care to enlighten us?

Be safe out there!

Scalable Inline Image Replacement

This is definitely one of those things that I’m not sure I would ever use, but it is certainly cool enough to share. Using a little PHP and JavaScript, [url=http://axisfive.net/aboutsiir/]this script[/url] seemingly allows you to replace the content of any tag (h1, for example) with a nice graphic of the text in any font/size/color you choose.

No image support? no problem…alt property supplied on replace
No JS support? no problem…css marks up your h1 as normal
No visual support? no problem…screen reader reads your h1 or alt tag

Pretty cool in theory. It has built-in, server-side cache support, etc. I’m a little squeamish about a DoS vulnerability…someone flooding your site with obscene numbers of image generation requests. But, that could be trapped. What do you all think?

The PHP WTF?!?

For an entertaining read from time to time (they only seem to update once or twice a week), check out [url=http://thephpwtf.com/]The PHP WTF[/url].

Funny site that highlights some of the worst PHP code you can imagine.

Today’s example shows off some great code where apparently the coder didn’t realize you could pull back more than one column at a time with a SQL query.

Maguma Workbench 2.1

Maguma Workbench version 2.1 is now available!

Version 2.1.0 represents the latest in the Workbench series offered by Maguma GmbH. This PHP IDE gives the user features like: debugging support via Xdebug, modular plugin architecture for easy extensibility, remote file handling and editing through both FTP and SFTP.

New features added to this enhanced release include PHP5 support, improved remote file support, localized support for the languages English and German (additional languages will be added in future versions), as well as overall increases in stability and compatibility.

With the user community’s active participation through promptly reporting any problems occurring, we have been able to aggressively remove roadblocks to the efficient development of PHP applications with Workbench. This version also includes several long awaited features requested by our users.

Current members can log in to download this latest version here.

If you are not a member you can register here to allow you to try out Maguma Workbench for 30 days free of charge.

If you would like to know all the changes included in version 2.1 you may view the changelog here.

phpMyAdmin 2.5.7 vulnerable to remote attacks

Many of us use phpMyAdmin to help us manage our MySQL databases. If left open to public access, phpMyAdmin is open to a remote attack allowing the attacker to run arbitrary PHP code.

The best way to protect yourself is to simply password protect phpMyAdmin. On Apache, this can usually be done with a .htaccess and .htpasswd file. Hit Google for more information on password protecting parts of your website.


The official white paper on the bug is located here:


http://www.packetstormsecurity.org/0407-exploits/phpMyAdmin257.txt
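As an added example (not from the post or the phpMyAdmin project), this is the kind of .htaccess the paragraph above describes, placed in the phpMyAdmin directory; the AuthUserFile path, the realm name and the 192.0.2.0/24 network are placeholders to replace with your own.

```apache
# Placeholder .htaccess for the phpMyAdmin directory (Apache 1.3/2.0/2.2
# syntax, matching the era of this post). The directory needs
# "AllowOverride AuthConfig Limit" in httpd.conf for this to take effect.

# HTTP Basic authentication against a .htpasswd file. Keep that file
# outside the web root so it can never be served to a browser.
AuthType Basic
AuthName "phpMyAdmin - authorized users only"
AuthUserFile /home/qb_admin/private/.htpasswd
Require valid-user

# Optional second layer: only your own network (placeholder 192.0.2.0/24)
# gets as far as the login prompt; everyone else receives 403.
Order deny,allow
Deny from all
Allow from 192.0.2.0/24

# "all" means both the password AND the address check must pass.
Satisfy all
```

Create the password file once with `htpasswd -c /home/qb_admin/private/.htpasswd dbadmin` (omit `-c` when adding further users), and confirm from an outside address that the directory now answers 401 or 403 instead of serving the phpMyAdmin login page.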

PHP 5 is Released!!!

Remember the date: July 13, 2004. As of yesterday, PHP 5 has been released as production ready. Be sure to take a peek at www.php.net.

Go there, download it, run it as a CGI if you have to, but go try it out!! This is a great day for PHP and its users. A HUGE thank you to each of the thousands of people who helped to make this happen!

Now, go out there and get it!!