Dopo molti lunghi mesi, ecco finalmente una nuova puntata del diario di Giorgia dall’Etiopia, in cui si parla del mitico biciclown.
Il biciclown in Etiopia
May 14th, 2007A comparison of JSON libraries for PHP, RELOADED
April 25th, 2007I have updated the article comparing the different php libraries that allow encoding/decoding of JSON data.
Besides testing the latest version of all the libraries involved and briefly summarizing the evolution since the november test, he new page has benchmark results for php 4.4.
Here it is.
Enjoy.
The daily Firewall WTF part III
April 6th, 2007Tales from the trenches.
Two companies develop a communication protocol to exchange information between their respective systems. SOAP is picked up, presumably because of all its enterprise-trendiness.
One company builds a J2EE application, the other one a single C++ builder win32 exe. Both sides can receive and send messages.
The applications get tested by the developers while at their respective office, and declared ready to go….
…but fail to exchange a single message when deployed in the production environment, which includes quite a few extra devices:
- https encryption over the internet part
- your run-of-the-mill layer 3 firewall
- an application-layer firewall terminating the https connections and applying layer 7 http filtering
- another application-layer firewall applying antivirus scanning
The developers have no clue as to what might be causing the problem, and are prone to point fingers against the “bad firewalls”.
In fact:
- the java guys are helpless in locating errors, because they never look at the http layer which should supposedly be carrying the xml messages. All they know are the java objects that the framework builds for them. If any error occurs in handling the http connection, xml (de)serialization or https handshake they do not know – all they get is an empty pointer (note: presumably the informative, verbose exception that would help in debugging is being catched too early inside the framework itself, and the coders do not dare split it open)
- the c++ guys are helpless in locating errors, because their app in fact knows nothing about xml and much less about http. It reads strings from sockets and writes strings to sockets. The received strings are parsed, presumably by regexps, while the outgoing messages are built from .txt template files with very basic token substitution
There is really something interesting in comparing the two approaches to development: on one side the communication protocol is completely abstracted away, so much in fact that it cannot be examined at all; on the other side the protocol is not handled at all, and old-school quick-n-dirty pragmatic coding has produced the bare minimum necessary to fake understanding the language, while in reality not being able to speak it at all.
A comparison chart of PHP Environment variables
February 13th, 2007One of the little quirks the php framework developer has to face when confronted with the daunting task of writing real portable code is figuring out which global variables will be available in every single conceivable user setup (and in most of the unthinkable ones), and what kind of values they will assume.
Although the online manual does a pretty good job in describing where the environment variables are supposed to come from, and their supposed usage, it sports no single, comprehensive list of all the junk that might – or not – be filling up the “Environment” section of the global namespace.
Having wrestled with php deployments ranging from SCO Openserver (brr…) to windows to solaris 32 and 64 bits, I set up to publish my own findings.
The list can be found here: http://gggeek.altervista.org/sw/env_vars_comparison_chart.xhtml. People on slow links please note it weights in at 300k.
In its present incarnation it is based exclusively on windows installs. I plan to add some more unix goodiness later on, but any contribution is welcome (a printout of your phpinfo will do, or, in case you value privacy and security, a plain list of the values in the ‘env’ and ’server’ sections).
The colors, more or less, indicate:
- red: value or variable name changes from server to server (eg. some values change casing, such as PATH vs. Path, COMSPEC, )
- yellow: variable is in the cgi spec, but the server omits it…
- gray: variable is present in all setups tested: it can be used reliably
- blue: variable should not be present in CLI versions, it can be thus safely used to test if app is called via web or not
Also note that “script name” in some settings will point to php executable, not php script.
In no particular order, things that should be done before the table is considered reliable include: add a column with exaple values, testing all php setups without a php.ini file active, test with IIS in isapi mode, apache 1 in mod_apache mode, apache in ssl mode, cgi mode when run from command line, version 4 cli, linux / solaris installs, separate clearly variables from the windows environment from the more “general” ones, add some insight on usage of REGISTER_GLOBALS, variables_order, and other assorted ini settings that might influence the php environment.
Edit: (2007/02/14)
A similar table, with better formatting, can be found here, while a discussion on this topic a little while ago was here
Shrink the size of your javascript with js min (the php way)
December 22nd, 2006Getting more and more into javascript coding, two tools I found I could not do without are JSMin and JSlint, from Douglas Crockford.
On the JSmin webpage, a php version is available for download, but it did not fit my needs really well (in fact, the js version did, but, being a php-head, I got that one first), so I patched it a bit:
- made all the code work with PHP 4 (removed usage of splfileiterator, exceptions are replaced by triggering errors, class constants are turned into global constants, etc…)
- constant VERSION changed to JSMIN_VERSION to avoid name clashes
- added a new function to class JSMin to cleanly separate writing to output stream from parsing
- make sure that newline chars passed inside the comments parameter do not break output
- the file can now be included in a php app (whether cli or web hosted) and used as library (just define JSMIN_AS_LIB before including jsmin.php)
- when used as library, the class can operate on php strings instead of files
- i could not resist the urge to remove excess whitespace here and there in the php source, too (phpmin-syndrome???)
The new code is available here. Take a look at the comments inside for more info.
There is some other (php) work done on jsmin from a guy named Ed Eliot there
Got my javascript yellow belt!
December 13th, 2006A very well kept secret: I had done very few to not-at-all javascript development until now. My personal philosophy can be summed up as “if it can be done on the server, do it on the server”.
Alas, I have at last succumbed to the ajax craze, and waded knee-deep into the murky javascript pools, in search for diamond and pearls and api-compatible library reimplementations.
Not only have I discovered that translating php into javascript is almost as simple as translating “->” into “.”, “.” into “+” and “gettype” into “typeof”, but my mind got bended and warped forever while trying to rationalize the prototype-based inheritance model.
If the result of such perilous journeys has been something of interest, I let the readers judge.
For now, the visible part is a graphical editor of xmlrpc / json values, added to the online xmlrpc debugger available here: http://gggeek.damacom.it/debugger/ (to see it, click on ‘Execute method’ then on the ‘Edit’ link).
A comparison of JSON libraries for PHP
November 13th, 2006The recent release of php 5.2.0, which includes by default an extension for converting php values from and to the JSON format, is a good occasion for comparing the different existing php libraries which aim to provide the same capabilities.
Here you can find a detailed analysis of the features, performances and encoding/decoding capabilities of 4 of the main implementations: 3 “pure php” libraries and the native extension.
I have to warn readers: I personally maintain one of the four libs in exam.
Any correction, criticism or feedback is welcome.
Edit 2007/04/25 – an update version of the comparison has been posted here
The daily firewall WTF, part II
October 18th, 2006Most personall firewall application fail in a very basic (and essential) aspect of their operation: giving the user a clear and concise way of identifying the software that is trying to access the network.
Even though this is widely known and has been discussed to death, it never really struck me until I installed the ADSL modem I recently got for free, courtesy of my telephonephone line operator.
The windows 2000 version of the modem driver starts up and greets me with this nice dialog box as soon as I log in into my computer:
Allowing “rundll32.exe” to always connect to the web is to be considered a safe practice or not?
How many users, when pestered with this annoying dialog popping up every day, are savvy enough not to dismiss it once and forever?
Please note that the standard version of the dialog message gives even less details about the outgoing connection than the screenshot pasted here, and only identifies the offending executable by filename: no path information, no version information, no nothing.
How many will take the time to properly configure the firewall to only let the offending driver connect to the local subnet?
Now, this is arguably a bad design decision on the part of the writers of the modem driver, but there is a much simpler and cleaner way for wannabe virus writers to bypass any security measure that personal firewalls provide blocking outgoing connections: simply use the web browser to connect to the web. Both IE and firefox are powerful enough to provide support for a variety of web protocols, as well as easy scripting interfaces, and one of those two has been durely flagged as “connect to the net without asking consent”, most likely both.
The daily firewall WTF
October 6th, 2006Everyday is a great day to learn something new…
Sometimes ago I had the incredible luck of supervising the installation of an “application-layer-firewall”.
It is, for those of you who never heard about it, a black-box device, usually using internally lots of open source software but nevertheless sold for big buck$, built to protect web server from being hacked. It achieves this goal by filtering all incoming HTTP requests (possibly outgoing responses, too), and blocking those that look suspicious enough / violate a defined set of rules.
Many of these devices offer a lot of extra functionality, such as providing HTTPS termination for those webservers that do not support it natively, rewriting of incoming requests etc… All in all, very useful boxes.
It is the very principle upon which they are built that left me baffled the first day we tried to configure ours, and it still has me unconvinced, namely that sloppy coding on part of the programmer can be overcome by adding an extra layer of black-box filtering that works without any knowledge of the functions implemented on the webserver.
I have been told umpteen times that the http firewalls follow the 80%/20% rule, warding off common attack vectors such as buffer overflows and escape sequences in urls, and this is useful enough by itself to justify their cost.
But in the modern-day internet, phising, xss and sql-injections attacks are more and more common, and while nobody is interested in defacing your site anymore, a lot of crackers are eager to get to your database where customer credentials are kept. And while http firewalls excel at the former, they are very poor at the latter.
The daily PHP WTF
September 25th, 2006A couple of days ago I succeeded in the daunting task of bringing a production server to a grinding halt. In fact the server was a sturdy linux box, and despite all my wrongdoings it kept chugging along, but all php services running on top of it where rendered useless (it was the company intranet server, and people where not happy).
Since this is quite an extraordinary event, I thought I might capitalize on the experience gained through this accident and share it for the benefit of future generations.
To make a long story short, here is the sequence of the events that lead to the catastrophe:
- I installed on the web server a shrink-wrapped php package, which I shall not name here, without taking the time to sift properly trough the code line by line, but following as carefully as I could the install instructions
- After toying around for a while, I decided to implement some new must-have feature, and within a couple of hours had on my hands code that looked good enough on my development box.
- So I promptly dumped the code to the production server, and fired up my browser to see the final result, but…
- …a nasty php error message greeted me. The code was trying to read from a file descriptor that was not open (in the fact the php variable delegated to hold the file descriptor was not even declared at the point it was used)
- The fix was really quick: a close look revealed an error in nesting code blocks, so that code was being executed where it was not supposed to. Hey presto, edit, save, redeploy and test!
- And this time, BINGO! the new functionality was fine and dandy. I dashed down the corridor to announce the new amazing functionality to fellow coders, and after discussing it and future evolutions for a while, I packed up and went home, happy and satisfied with my rapid-development skills and the incredibly apt platform that php had once again proved to be
But things are seldom as simple as they seem…
…and I was greeted by angry sysadmins and furious customers the next morning when returning to my cubicle.
The problem had been promptly identified: there was an error log file that kept growing at incredible speed, and it had saturated during the night the /home partition. Since the main website, based on a template engine and php opcode cache, was using the same partition to hold both the compiled templates and cached php scripts, it was having a hard time writing to disk its necessary files.
The sysadmins could not understand what was causing the log to grow indefinitely, but the mere fact that it was the php error log flashed a big nasty disaster sign in my mind. Sure enough, the culprit was to be found in my modifications of the previous day, but how on earth could the application, fixed and tested the day before, have kept running erroneously for the whole night, and still causing damage at early morning?
The worst part of it is the error log was reporting accesses to the web server from my very own development machine, which had been switched off during all that time.
Being well versed in php, I know for a fact that any php script is bound to end within a specified time limit (specified in php.ini that is), or be terminated by the php engine.
It is also very unusual for a script to keep running after the client that requested the web page terminates the http connection, such as when the user hits the STOP button or quits the application.
After a quick and dirty Apache restart, the error log finally showed a normal behaviour, everybody calmed down, and I was left alone with my dark train of toughts: was it possible that I had hit a bug of php, or, heaven forbids, Apache itself? Impossible! The j2ee goblins would have laughed at me for months to come.
As that old Jedi saying goes, use the source, Luke.
