Serialized Objects, Heredoc, and strings…
It’s been some time since I last posted, due a rather hectic schedule and today I fly off to Loret De Mar, Spain for a week with the lads and two weeks after that to Miami. I’m sure this will help to take my mind of things.
As with anything you constantly learn from your mistakes and encounter various challenges and I have found that there are some problems with PHP itself from a recent and ongoing project.
Serialized Objects, Heredoc, and strings. (PHP Version 4.3.2)
Writing a serialized object to a a flat published file can hold its benefits, however this can become exceptionally large. One of the fundamental issues I found was that a fairly large serialized object inside the Heredoc syntax, would halt execution of php. Apache would log memory limits in the apache logs, however using base64 encoding and decoding on a serialized object and placing it within string literals, would execute fine. From observation, the fault would incur directly during the closing chevron’s.
URL’s with double slashe at the beginning
A single slash at the root directory will point to the sites root directory. e.g.
<a href="/root_script.php">/root</a>
I’m quite surprised i’ve never encountered this issue before, however you can manage to get URL’s to point to http://directory_name/script_name.php when the target is actually pointing to http://www.thehistorychannel.co.uk//directory_name/script_name.php for example, (note the double slash at the root directory).
When the script’s action simply contains:
< ?php
print "<form action="{$_SERVER['PHP_SELF']}" method="post">";
?>
I’m not sure if anyone else has encountered this problem?
Switching to Mac
Well, I purchased a Mac Book Pro roughly a month ago and considering I have never used a Mac, i’m quite surprised as to how quickly I have adapted. Within a week I had a good grasp of the platform and now I have everything sync’d to or through my laptop, whether that be incoming phone calls on my mobile or syncronising data between multiple servers.
The fundamental aspects I like about Mac is the degree of control, you have over the OS with applescript or shell. As mentioned above, I am now making my Mac work for me with proximity detection via bluetooth, and/or trigger applescripts when motion is detected via the iSight. I find this extremely useful to actually log phone calls in iCal, or pause iTunes when on the phone. I’m also tempted to write some applescript to automatically log me onto the the intranet at work, and track my time keeping for me, with aspects such as this it just makes my life that little bit easier.
With that said, i’m not a complete Mac convert, as I have got my windows machine at work & at home constantly shelled into the Mac, I’m finding that I am only using windows to test against IE 6 or as an extra keyboard. Despite some of its gains I am still yet to figure out how to get my Exchange account at work to work completely remotely with it using a reverse proxy, I guess thats simply time and patience I need to get that setup. I guess the key things now are finding out what else is possible, and making my development experience better.
Anyway, I found the following links useful.
www.kernelthread.com
www.opensourcemac.org
www.petermaurer.de
Oh, and a pointer from Eric…
SubEthaEdit from CodingMonkeys
BLOGZOT 2.0 on MacZOT.com
MacZOT and TheCodingMonkeys will award $105,000 in Mac software, which seems pretty generous to me:).
Automate PHP Install on Windows.
Well, i’ve been rather busy at work, which is nothing short of typical now, however I thought I would post up a script that I wrote to automate the installation of PHP on Windows. In general I’m a very lazy person, and found it irritating going to the PHP site, downloading and manually installing PHP in the same mundane fashion that I have described in the past. Oh, and that even means monitoring the PHP.net site for new releases.
The script I wrote uses a batch file, JScript on the client using WSH,WMI, and a few applications I have bundled with this quick distribution. Which copies, SVN, CVS, and an unzip package (located in the directory bin). It will then download a number of packages that I like to keep tabs on such as:
- Propel
- Prado
- Wact
- Phing
- phpMyAdmin (Which I set the domain in the hosts file to phpMyAdmin)
- Mojavi
- FCKeditor
- Symfony
Simply execute “CVS.PHP.bat”
Whilst, I have only set this to download CVS phpweb, and extract each. Anyway, I realise that it does struggle with PHP4, however that simply requires some DLL’s into the SAPI dir for example, anyway I haven’t got time to do anymore on this, considering i’m now using a Mac Book Pro.
There are a couple things, I haven’t automated such as virtualhosts, and setting the hosts file, however if someone has some spare time, would be nice to get that working too…
Note: requires Apache 2 and I have this scheduled to run every day at 6.30pm.
Anyway for those lazy people enjoy 
Plesk API Error Resolved
After upgrading to the very latest build of Plesk the API error seems to have been resolved, and no longer causes an API error of “Domain adding was failed. Error: Can`t resolve ID for IP ()“.
Previously:
[Server 3]# rpm -qa |grep -i psa-api | sort
psa-api-cli-7.5.2-rhel3.build75050130.17
psa-api-common-7.5.2-rhel3.build75050130.17
psa-api-rpc-7.5.2-rhel3.build75050130.17
psa-api-rpc-doc-7.5.2-rhel3.build75050130.17
psa-api-rpc-protocol-7.5.2-rhel3.build75050130.17
Now:
[Server 3]# rpm -qa |grep -i psa-api | sort
psa-api-cli-7.5.4-rhel3.build75051014.16
psa-api-common-7.5.4-rhel3.build75051014.16
psa-api-rpc-7.5.4-rhel3.build75050930.11
psa-api-rpc-doc-7.5.4-rhel3.build75050930.11
psa-api-rpc-protocol-7.5.4-rhel3.build75050930.11
Perhaps upgrading on windows too will also resolve this issue.
Plesk don’t fully support API
I found this a little amazing, but SWSoft don’t actually fully support their own software.
“Unfortunately, SWSoft does not fully support the API that is built in to Plesk and more than likely, they will request that we first perform an upgrade to the latest version of Plesk before they provide any further support.”, Rackspace.
The Fault:
“Domain adding was failed. Error: Can`t resolve ID for IP ()”
NOT Working Correctly
* Server 3 (Plesk 7.5.2)
Working Correctly
* Server 2 (Plesk 7.1.7)
* Server 1 (Plesk 7.5.4)
The IP Address does exist in the domains table, for all servers.
Working Servers:
* Server Name: Server 2
mysql> SELECT * FROM IP_Addresses;
+----+-----------------+-----------------+-------+-----------+--------------------+-------------------+
| id | ip_address | mask | iface | type | ssl_certificate_id | default_domain_id |
+----+-----------------+-----------------+-------+-----------+--------------------+-------------------+
| 2 | 212.100.254.166 | 255.255.255.0 | eth0 | shared | 1 | 47 |
| 3 | 10.230.166.4 | 255.255.255.192 | eth1 | exclusive | 1 | NULL |
| 4 | 192.168.1.20 | 255.255.255.0 | eth0 | exclusive | 1 | 22 |
| 5 | 10.230.166.8 | 255.255.255.192 | eth1 | exclusive | 1 | NULL |
+----+-----------------+-----------------+-------+-----------+--------------------+-------------------+
4 rows in set (0.00 sec)
—————-
Server Name: Server 1
mysql> SELECT * FROM IP_Addresses;
+----+---------------+-----------------+-------+-----------+--------------------+-------------------+
| id | ip_address | mask | iface | type | ssl_certificate_id | default_domain_id |
+----+---------------+-----------------+-------+-----------+--------------------+-------------------+
| 1 | 70.85.198.202 | 255.255.255.248 | eth0 | shared | 1 | NULL |
| 2 | 70.85.198.203 | 255.255.255.248 | eth0 | shared | 1 | NULL |
| 3 | 70.85.198.204 | 255.255.255.248 | eth0 | exclusive | 1 | 65 |
| 4 | 70.85.198.205 | 255.255.255.248 | eth0 | shared | 1 | NULL |
| 5 | 70.85.198.206 | 255.255.255.248 | eth0 | exclusive | 7 | 15 |
+----+---------------+-----------------+-------+-----------+--------------------+-------------------+
5 rows in set (0.00 sec)
—————
Failed Server
Server name: Server 3
mysql> SELECT * FROM IP_Addresses;
+----+---------------+-----------------+-------+-----------+--------------------+-------------------+
| id | ip_address | mask | iface | type | ssl_certificate_id | default_domain_id |
+----+---------------+-----------------+-------+-----------+--------------------+-------------------+
| 4 | 10.230.166.7 | 255.255.255.192 | eth1 | exclusive | 1 | 0 |
| 5 | 192.168.1.22 | 255.255.255.0 | eth0 | shared | 1 | 0 |
| 6 | 192.168.1.223 | 255.255.255.0 | eth0 | shared | 1 | 0 |
+----+---------------+-----------------+-------+-----------+--------------------+-------------------+
3 rows in set (0.00 sec)
——-
One fundamental aspect that I noticed from observation is that Server3 had the columns default_domain_id default value set to 0 where as on all other installations had the value set to NULL. The assumption was that the record 0 for the default IP ID against the domain. Although ALTER’ing the table and testing against each resulted without sucess.
Testing against all IP’s in the waidev6 table results in the following.
* 1. [10.230.166.7] – Domain adding was failed. Error: IP address ‘10.230.166.7′ is not present in client ip pool.
* 2. [192.168.1.22] – Domain adding was failed. Error: Can`t resolve ID for IP ()
* 3. [192.168.1.223] – Domain adding was failed. Error: Can`t resolve ID for IP ()
The XML response for this is…
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.3.1.0">
<domain>
<add>
<result>
<status>error</status>
<errcode>2307</errcode>
<errtext>Domain adding was failed. Error: Can`t resolve ID for IP ()</errtext>
</result>
</add>
</domain>
</packet>
The payload of the XML document sent across via the XMLRPC request.
<packet version="1.3.1.0">
<domain>
<add>
<gen_setup>
<name>testgen8.com</name>
<client_id>1</client_id>
<status>0</status>
<ip_address>192.168.1.223</ip_address>
<vrt_hst>
<ftp_login>catalina0</ftp_login>
<ftp_password>057177a</ftp_password>
<ftp_quota>0</ftp_quota>
<fp>false</fp>
<fp_ssl>false</fp_ssl>
<fp_auth>false</fp_auth>
<fp_admin_login>miaumiaul
</fp_admin_login>
<fp_admin_password>lalalalallaa<fp_admin_password>
<ssl>false</ssl>
<shell>/bin/false</shell>
<php>true</php>
<ssi>false</ssi>
<cgi>false</cgi>
<mod_perl>false</mod_perl>
<mod_python>false</mod_python>
<asp>false</asp>
<asp_dot_net>false</asp_dot_net>
<coldfusion>false</coldfusion>
<webstat>awstats</webstat>
<errdocs>false</errdocs>
<at_domains>true</at_domains>
</vrt_hst>
<htype>vrt_hst</htype>
</gen_setup>
<hosting>
<vrt_hst>
<ftp_login>catalina0</ftp_login>
<ftp_password>057177a</ftp_password>
<ftp_quota>0</ftp_quota>
<fp>false</fp>
<fp_ssl>false</fp_ssl>
<fp_auth>false</fp_auth>
<fp_admin_login>miaumiaul</fp_admin_login>
<fp_admin_password>lalalalallaa
</fp_admin_password>
<ssl>false</ssl>
<shell>/bin/false</shell>
<php>true</php>
<ssi>false</ssi>
<cgi>false</cgi>
<mod_perl>false</mod_perl>
<mod_python>false</mod_python>
<asp>false</asp>
<asp_dot_net>false</asp_dot_net>
<coldfusion>false</coldfusion>
<webstat>awstats</webstat>
<errdocs>false</errdocs>
<at_domains>true</at_domains>
</vrt_hst>
<htype>vrt_hst</htype>
</hosting>
<prefs>
<www>true</www>
</prefs>
</add>
</domain>
</packet>
I have also been told that this error also occurs on Windows.
Internet Explorer 7 Beta 2
Here are a few snapshots of Internet Explorer 7 Beta 2. Interestingly enough ASP.NET does not display correctly in Internet Explorer 7 Beta 2. I can’t say i’m keen on the new design or see any feature that particularly appeals to me, however it may grow on me. Also memory usage whilst using a single tab seems very low, however opening multiple tabs soon crept upto 120k.
Admittedly I don’t know too much about XAML, however its interesting to see some permissions mapped into Internet Explorer, already. As mentioned in my previous post, I now have “Microsoft Expression Interactive Designer” installed, so, I can dabble with XAML.
Firstly, with the RSS integration you cannot distinguish whether you have read an individual post, as it marks the entire feed as read when selecting a feed, you also cannot mark the entire feed as un/read, and it does not allow you to customise the RSS feed with XSL or CSS. I’m sure some of these short comings will be resolved in new’er versions.
Playing with Microsoft, Live.com, Max, Messenger Beta…
Lately i’ve been playing with a number of beta’s from Microsoft.
Firstly was Microsoft MAX, after watching a fairly recent cast on channel9 and installing WinFX Runtime Components September CTP, I received the following error in Outlook 2003 “Could not initialize CLR MANAGED MAPI SERVICE CATASTROPIC FAILURE, Unknown error”. After finding out that The WinFX Runtime Components September CTP relies on a pre-release version of .NET Framework 2.0 and if you install it after you have installed the release version of .NET 2.0, it will completely mess up the CLR (This is easily fixed by uninstalling/installing the .NET Framework). So it looks like I will have to wait for the next release from the MAX team.
<script language="JavaScript" src="http://favorites.live.com:80/js/omniture.js?exp=11.0.1123.2"></script>
I must admit I am fairly fond of MSN Messenger 8.0 Beta, from what i’ve seen so far, its not differed very much besides its user interface. Some of the key changes are Shared Folders, and storing Contact details for users. Although one thing that is missing is allowing you to move your favourite groups in a custom order.
 |
 |
 |
I haven’t played with Sparkle yet, and i’ve also noticed “Microsoft Prerelease Software WinFX Runtime Components – January 2006 Community Technology Preview (CTP)“, so I will give it a try shortly. Hopefully this will fix, Max, so I can get that working too.
Exceptions, Exceptions, Exceptions
Lately, i’ve been reading Advanced PHP Programming, by George Schlossnagle, which I must say is an excellent book. Below is an excerpt, which I find particularly interesting on the topic of error handling.
“Production Display of Errors
How to notify users of errors is often a political issue. All the large clients I have worked for have had strict rules regarding what to do when a user incurs an error. Business rules have ranged from display of a customized or themed error page to complex logic regarding display of some sort of cached version of the content they were looking for. From a business perspective, this makes complete sense: Your Web presence is your link to your customers, and any bugs in it can color their perceptions of your whole business.
Regardless of the exact content that needs to be returned to a user in case of an unexpected error, the last thing I usually want to show them is a mess of debugging information. Depending on the amount of information in your error messages, that could be a considerable disclosure of information. “, PHP Error Handling
Along with some brief discussions with Håvard Eide on some SQL Injection Attacks, I found in a large public site, the end result was simply terminating the execution, and displaying the error. E.g.
Note: The database is using MySQL 3. MySQL supports multiple result sets, from multiple statements, although this is a flag in MySQL 4.1+. So, when upgrading we have numerous secruity exploits, that has the potential to delete or drop the entire database. Also, with more rigorous permissions on the credentials used would also help alleviate such problems.
“If $userid is passed in, unvalidated, from the end user, a malicious user could pass in this:
$userid = “10; DELETE FROM users;”;
MySQL (like many other RDBMS systems) supports multiple queries inline, if this value is passed in unchecked, you will have lost your user’s table. This is just one of a number of variations on this sort of attack. The moral of the story is that you should always validate any data in queries.”, George Schlossnagle
mysql_query('') or die('MySQL Error: '.mysql_error());
Firstly, if there was a fatal error such as that, someone with a malicious intent can use the debugging information printed to acquire further knowledge and deduce other methods of attack. Also, from a usability point of view, why is the execution terminated? At least give something more meaningful or redirect to an errors page. Ultimately, a message such as that should never, ever, be shown on a live site.
More to the point of this post, displaying a cached version of the page is a great method, it gives the end user the content that they were looking for, and illudes the fundamental issue of deteriorating your users perception. Now, this entails a number of further questions to think about:
- What if it is a dynamic service, such as a search?
- Caching Policy and retention.
Whilst, dynamic services would be very difficult to cater for, and each case would be unique, in terms of search. Some possibilities, are to cache paged results, and apply some business logic on the retention of that cache (We don’t want to serve out-dated content), also state that the user is searching cached content and for any new terms, that haven’t been cached display an error page. This could become very convoluted, and in essence results in how critical the information is or the service!
You also don’t want to display partial pages where execution has ultimately terminated, this should be rather trivial with output buffering. However, it can be a rather gray area to associate, every possibility and as George Schlossnagle mentioned each company has different requirements.
It would be interesting to expand out and detail case examples.
I would be interested to understand better about one of the statements in the book…. “Exceptions expose the possibility of leaking memory.”, if anyone has more information on this, I would be very interested to hear further…
Further Information:
The addslashes() Versus mysql_real_escape_string() Debate
mysql_real_escape_string() versus Prepared Statements
Security Corner: SQL Injection
Usability
I started writing this a while back, and I figured I might as well publish it, despite being some what incomplete…
I always find that usability is a difficult topic to cover and as such, there are very limited resources that solely address this issue separate to the notion of accessibility. As the two topics are usually discussed both in context with each other, I have included and brief description of their distinctions.
Usability is a term used to denote the ease with which people can employ a particular tool or other human-made object in order to achieve a particular goal. Usability can also refer to the methods of measuring usability and the study of the principles behind an object’s perceived efficiency or elegance.
Web accessibility refers to the practice of making pages on the Internet accessible to all users, especially those with disabilities.
From experience, I have noticed a number of aspects that can aid in usability, although these may seem rather trivial, the number of headaches I have had explaining these to apparently IT literate people is an uphill struggle.
-
Selecting Options from a drop down menu
- Always predefine a default value, to purge users to select a value.
-
Removing string literals from a text box.
- This may seem rather silly, however from observation, some people cannot distinguish that removing an string literal they have entered into a text box is removed by holding the backspace and the delete button.
Heres some interesting analysis with labels and form alignment and why you should right align form labels?
 |
 |
| Figure5 – Eye Movement in a Left Aligned Form. Triangular Pattern. |
Figure6 – Eye Movement in a Right Aligned Form.Triangular Pattern. |
About
About the author
- Real name
- Andrew Johnstone
- Alternate names
- Gadget
- Location
- London, United Kingdom
- Contact
- See below
About this site
Contacting the author
- Contact form
- http://blog.ajohnstone.com/contact/
- andrew<at> ajohnstone <dot> com
- MSN messenger
- andrew<at> ajohnstone <dot> com