Wednesday, October 21. 2009
I will be moderating the “WebSec Day” at the WebTech 2009 conference in Karlsruhe, Germany. The full-day workshop consists of several loosely linked sessions on web security. See the full entry for abstracts and speakers.
If you want to have a beer: I will only be in Karlsruhe on Monday evening and Tuesday during the day. You can follow me on Twitter (@christopherkunz). I’m looking forward to seeing some of the PHP folks again during the few hours I will spend in Karlsruhe.
Continue reading "Web Security Day on WebTech/PHPC 2009"
Tuesday, August 18. 2009
I have recently installed SilverStripe to test whether it fits into our shared hosting concept. Read on after the break for my impressions.
Continue reading "First impressions of SilverStripe CMS"
Wednesday, August 12. 2009
The automatic updater for WordPress uses FTP to upload data (which is generally a good idea because of safe mode). However, it fails if the FTP account is chrooted, i.e. you cannot change to directories outside your home directory, because WordPress tries to navigate to the installation’s absolute filesystem path on the FTP server, and that path does not exist inside the chroot.
This is bad, because most, if not all, shared hosting servers have chrooted FTP accounts. There is, however, an easy fix: recreate the physical root directory structure within your home directory, so that the absolute path WordPress asks for exists inside the chroot.
If your home directory has the physical path “/www/12345/mydomain.com/” and your WordPress lives in the “./wordpress” subdirectory, log in via FTP (you start at “/”, which is your home directory) and do this:
mkdir /www
cd /www
mkdir 12345
cd 12345
mkdir mydomain.com
Then use a PHP one-liner, uploaded into and run from the newly created “mydomain.com” directory, to create a symlink named “wordpress” that points to your real WordPress subdirectory (the absolute target “/wordpress” is resolved by the chrooted FTP daemon relative to its root, i.e. your home directory):
<?php symlink("/wordpress", "wordpress"); ?>
After this, delete the one-liner (if that directory is inside your document root, anyone can call it) and verify via FTP that the directory exists and can be changed into:
cd /www/12345/mydomain.com/wordpress
After this, the automatic update worked, at least for me.
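The whole procedure as one script, added here as an example and not taken from the original post: it mirrors the physical path inside the FTP home, creates the symlink with a relative target, and checks that the link resolves to the real WordPress directory before the updater is let loose. The physical path “/www/12345/mydomain.com” and the subdirectory name “wordpress” are assumptions taken from the example above; upload the script into the FTP home directory, call it once through the browser, then delete it.

```php
<?php
// Added example (not from the original post): rebuild, inside a chrooted FTP
// home, the absolute path that WordPress's FTP updater expects, and point it
// at the real WordPress directory with a symlink. Run once from the FTP home
// directory, then delete the script (it is web-reachable if the home is the
// document root).
//
// Assumptions (adjust to your hosting): physical path of the FTP root and the
// WordPress subdirectory below it.
$physicalHome = '/www/12345/mydomain.com';   // assumed physical path of the FTP root
$wordpressDir = 'wordpress';                 // assumed WordPress dir, relative to the home

// Work relative to this script's own directory, which must be the FTP home.
$home = __DIR__;
$real = realpath($home . '/' . $wordpressDir);
if ($real === false || !is_dir($real)) {
    exit("no WordPress directory at $home/$wordpressDir\n");
}

// 1. Recreate the physical path component by component inside the home:
//    $home/www/12345/mydomain.com  (same as "mkdir /www; cd /www; ..." over FTP)
$parts  = array_values(array_filter(explode('/', $physicalHome), 'strlen'));
$mirror = $home;
foreach ($parts as $part) {
    $mirror .= '/' . $part;
    if (!is_dir($mirror) && !mkdir($mirror, 0755)) {
        exit("cannot create $mirror\n");
    }
}

// 2. Symlink $mirror/wordpress -> ../../../wordpress. A relative target
//    resolves to $home/wordpress whether the process walking the link is
//    chrooted to $home (the FTP daemon, which sees $home as "/") or not
//    (PHP on most setups); the absolute "/wordpress" from the post relies on
//    the walking process being chrooted.
$link   = $mirror . '/' . $wordpressDir;
$target = str_repeat('../', count($parts)) . $wordpressDir;
if (!is_link($link) && !file_exists($link) && !symlink($target, $link)) {
    exit("cannot create symlink $link\n");
}

// 3. Verify from PHP's point of view that the link ends up at the real
//    WordPress directory; refuse to declare success otherwise.
$resolved = realpath($link);
if ($resolved !== $real) {
    exit("symlink $link resolves to " . var_export($resolved, true) . ", expected $real\n");
}
echo "OK: $link -> $target ($resolved)\n";
echo "Now check via FTP: cd $physicalHome/$wordpressDir, then delete this script.\n";
```

The script refuses to proceed if the real WordPress directory is missing or if the link does not resolve to it, so a typo in the assumed physical path shows up before the updater starts uploading files into the wrong place.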
Tuesday, December 16. 2008
I recently read about the APS project and became curious. APS, short for Application Packaging Standard, is, as far as I understand it, a relatively recent standard that gives SaaS providers (i.e. us, as a hosting provider) a standardized format for software packaging. So far, some well-known names from the PHP open source community have embraced APS, including the notorious but indispensable phpBB, Drupal, Magento and Typo3.
For hosters, APS is supposed to be a great addition to their portfolio:
The introduction of APS advances the web hosting industry. By implementing APS, hosting service providers can gain access to a great variety of APS applications. In turn, application vendors that implement APS, can get access to a vast sales and marketing channel via APS-enabled hosting providers.
Unfortunately, I can’t seem to find detailed documentation on the process of implementing an APS socket; the only freely available docs seem to be the standards document and the ISV guidelines, neither of which really helps me.
So I’m reaching out to you PHP guys: have any of you ever had anything to do with APS (preferably on the hoster/provider side of things)? Do you have pointers as to where to start a socket implementation? I’m looking forward to your input.
Thursday, September 11. 2008
It is not usually my custom to comment negatively on or nitpick other people's articles in magazines, especially not in magazines I have written for. This time, however, I really must raise my voice to point out a couple of (well, actually a lot of) issues in an article about SQL injection in the current (October/November) issue of the German "PHP Magazin". I stumbled upon this when Pelle Boese of Mobile SEO fame told me about it.
As a couple of you should still remember, I wrote for that magazine until about one and a half years ago. I stopped writing for a couple of reasons. First and foremost, my shift towards grid computing, my master's thesis and work took too much time. However, the, let's say, lean editorial process always kind of weirded me out. Mostly, manuscripts were printed as written, with no editorial changes at all. This is very trusting, but sometimes leads to fuck-ups like the one below.
Continue reading "Warning about the article "SQL Injection" in current "PHP Magazin""
Saturday, June 14. 2008
I’ve been playing around with my Windows Mobile based smartphone on the train today and noticed that while my RoundCube installation is great for normal browsers, it sucks golf balls through garden hoses when you’re trying to access it from a mobile device.
Does anyone know about a PHP-based web mail solution that works on the tiny 320x240 display and does not use an awful lot of javascript magic?
Monday, June 2. 2008
This is mainly a note to myself and anyone who’s had this problem: if you use S9Y with mod_rewrite URL rewriting active, there’s a rule saying
RewriteRule (.*\.html?) index.php?url=/$1 [L,QSA]
That means “all requests for top-level .html documents go to index.php?url=..., and please append the query string!”
If you want your blog in your Google Webmaster account, you’ll have to upload an empty .html document with a Google-supplied file name to prove you actually own the domain. S9Y will rewrite that URL even though the file physically exists, so Google never gets to see it. You can fix this by prepending a condition to the above rule, so that it reads:
RewriteCond %{REQUEST_URI} !-U
RewriteRule (.*\.html?) index.php?url=/$1 [L,QSA]
Note: this puts a tad more load on your web server, because Apache issues an internal sub-request for every request that matches the rule’s pattern (mod_rewrite tests the pattern first, then the conditions). If you really, really have a high load on your machine, don’t use this.
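For comparison, the three variants side by side, added here as an example and not copied from Serendipity’s own .htaccess: the original rule, the sub-request condition from above, and a cheaper condition that tests the mapped filesystem path with a stat() instead of a sub-request. Pick exactly one variant; they are listed together only for comparison.

```apache
RewriteEngine On

# Variant A (original): every *.html request goes to index.php, even when a
# file of that name physically exists, so the verification file is never served.
#RewriteRule (.*\.html?) index.php?url=/$1 [L,QSA]

# Variant B (the fix above): skip the rule when an internal sub-request for the
# URI would succeed. Correct, but costs one sub-request per matching request.
#RewriteCond %{REQUEST_URI} !-U
#RewriteRule (.*\.html?) index.php?url=/$1 [L,QSA]

# Variant C (cheaper): skip the rule when the request maps to an existing file
# or directory. -f and -d are a stat() on the mapped path, not a sub-request.
# This only exempts things that exist on disk (the Google verification file),
# whereas -U would also exempt URIs served by other handlers or aliases.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*\.html?) index.php?url=/$1 [L,QSA]
```

For the verification-file case, variant C is sufficient and avoids the per-request sub-request cost that the note above warns about; use variant B only if you need the rule skipped for URIs that exist without a matching file on disk.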
Continue reading "Serendipity: Conditional rewrite and error handling"
Friday, May 30. 2008
I decided to take the “php-security.net” domain out of retirement and slapped a Serendipity installation onto it. The domain is meant to hold all those security articles that I want in English and that are somewhat too generic for this blog. My first article is titled “X.509 PKI login with PHP and Apache” and tackles a nice little feature that is interesting for most administrative backends. So, go check it out.
Thursday, May 29. 2008
 Gah. My third try now, but I shall succeed!
Yesterday, my review copy of Garvin Hicking’s book “Serendipity - Individuelle Weblogs für Einsteiger und Profis” (Open Source Press, € 39,90, ISBN 978-3-937514-54-3) was in the mail. Unfortunately, this book is currently only available in German, but I’m sure Garvin (or someone else) will translate it and publish it (maybe with the nice guys at Packt publishing?) soon.
First impression: massive. 750 pages make this one of the largest PHP books I’ve had in my hands so far. Garvin spends these 750 pages well, covering nearly every aspect of Serendipity and thus making the book the documentation that S9Y always needed. It’s with good reason that the front cover sports a “The official handbook” badge.
Continue reading "Short book review: "Serendipity - Individuelle Weblogs für Einsteiger und Profis""
Friday, May 23. 2008
I’m cleaning up my portfolio and have this domain for sale: php-freelancing.de. It’s currently on sedo (but I’m willing to make the sale off that platform) and has been around for at least 8 years.
Any takers? Drop me a line.
Wednesday, May 21. 2008
A couple of weeks ago, I blogged about PHPshield’s anonymous website, raising more than an eyebrow at the ominous business practice of hiding the true owner’s identity while selling a white-labelled product.
To my great relief, Adrian responded quickly back then, but to my dismay it seemed like he was only paying lip service. I asked him again today via private mail and his response was swift. The whois entries for phpshield.com now point to his person and we can expect additional information on the web site itself soon.
I like it when things can be resolved like that and I actually think this is a chance for his product rather than a possible competition issue.
By clearly stating what differentiates phpshield from SourceGuardian (his flagship PHP encoding product), Adrian’s company, Inovica, can create user awareness and offer a possibility to make an informed decision for the product that actually fills their needs. I’m sure he thought about something like that already and of course it’s his decision. It’s just that I would probably try to do it that way if I had two products that are not identical, but being marketed in a similar environment.
Anyway, just wanted to update you folks on this rather positive outcome. Have a nice evening. I’ll be trolling again soon
Tuesday, May 20. 2008
Just by accident (you should never browse your feed reader directly before going to bed), I stumbled upon an incredibly self-ironic posting in some dude’s blog. I have to ask myself: What are you guys taking? Are you seriously discussing any kind of name-dropping as an interview subject?
It’s not only irrelevant who created a programming language, it’s even a hindrance for interviewers since all that small-talk bullshit takes precious time off the actual knowledge assessment. And I’ll be damned before I let someone who happens to know how Rasmus’s mother’s cat’s brother was named get in the way of an actual developer who knows what they are doing. Then again, I’m in the lucky position not to be able (or have to, depending on your PoV) to hire “PHP developers”.
This whole discussion is just fat bullshit. What are you thinking? I couldn’t give a fat fuck about people who know names. I don’t give a shit if someone knows that a dude wrote an, erm... “magazine” about security at O’Reilly or if some dude named Lerdorf thought it’s a great idea to do some dynamic web stuff. I want to know if people know their trade.
Really. It’s unbelievably ridiculous. Get a hold of yourselves. Are you really thinking that knowing names is worth ANYTHING?
Wednesday, April 23. 2008
By way of a discussion in #php.de @ IRCNet, I stumbled upon “phpshield.com”, which offers a PHP encoding solution for a bargain price of 55 bucks. Other choices, like SourceGuardian, ioncube or Zend, are much more pricy. However, the phpShield.com home page did not offer the slightest clue as to who actually is behind that product. How someone would entrust their PHP scripts (which obviously include their intellectual property) to a product that’s not only closed-source but also sold by an anonymous third party is beyond me.

It’s common practice to white-label your solutions and sell them under different brands with different feature sets to different target audiences. We do this with game servers and hosting, too. However, we always clearly state who is behind the white-labelled solution (and we are also obliged to do this by law, which I think is good). The phpshield people do not give any clue on their pages. The domain is registered to this dude:

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (qjprnbdw@whoisprivacyprotect.com)
+1.4252740657 Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O phpshield.com
Bellevue, WA 98007
US

Hm. Their hoster, hostovo, belongs to an Inovica Ltd. in the UK. Wait a minute... Inovica? Ah yes, the guys that sell SourceGuardian for over four times the price of PHPShield. And oddly enough, PHPShield.com’s privacy policy lists Inovica Ltd. as the sole proprietor of any IP on the page. I’m seeing a pattern here... I really have to ask: why are they trying to hide? To me, that is not acceptable business practice. Incidentally, I’m currently evaluating PHP encoding solutions for a customer request and I just struck one off the list.

UPDATE: Adrian has responded in a very helpful comment, clearing a lot of the issues up. Please check the comments to this entry.
Tuesday, August 29. 2006
18:44:03 recorda why is my code shit?
18:44:08 @absynth because it’s insecure
18:44:25 recorda it runs over https anyway
Update:
21:49:49 recorda absynth: security scripts are totally pointless anyway, if I make a .htaccess
nobody can get into the script anyway except the admin who uses the cms
(from #php.de)
Saturday, June 24. 2006
For about 4 hours now, the PHP Vikinger has been in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an “unconference”, so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon himself to moderate the scheduling and get everything started. Now, everyone who wants to gets up and does a presentation, starts a discussion or, as Kris is currently doing, stimulates brainstorming with the attending core developers and other PHP nerds.

The current discussion is even somewhat strategic, pointing out things that PHP still lacks, things that need to adapt to changes in our environment and stuff that is really good in comparison to other languages. Kris is creating a list of everything that’s thrown at him and every item so far has been diligently discussed. After that, Ilia and I will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it’s a good place to show off the Hardening patch.
Continue reading "First day of the PHP Vikinger"