Welcome back to my new column at the Zend Developer Zone, “a week in phpworld”. After releasing it’s first edition at my own Blog “php tidbits?“, Jayson asked me to contribute this one directly on the devzone – and so I’ll do from now on. Happy reading and remember, this summary is neither complete nor objective 😉
Actually this week was the week for a final Release of PHP 5.1.3, but Ilia Alshanetsky didn’t release it due to some security holes found by Maksymilian Arciemowicz from Security Reason that affected all PHP Versions 5.1.2 and prior as like PHP 4.4.2 and prior. The spectrum of these vulnerabilities reaches from Cross-Site Scripting (XSS) in phpinfo(), safe_mode– and open_basedir-Bypasses up to crashes of the apache server process due to local denial-of-service/memory allocation problems. Gael Delalleau explains the possible exploit as follows: “running a shellcode from a PHP script by allocating large amounts of heap memory, then calling a recursive function to make the stack and heap overlap, and finally writing in the heap blocks to overwrite a saved EIP address on the stack“. He points out, that these problems aren’t new and that he discovered these things already one year ago in a talk at the CanSecWest 2005 in Vanouver (slide 22). For those who understand french it can be read in an article published for SSTIC conference 2005 (p. 16 ff.), too. In any case these problems are not as serious as it sounds, as no one should have phpinfo() exposed to the public, recursive function calls are quite normal for a programming language (and dos-attacks should be handled by the OS). Looking at safe_mode and open_basedir – well make up your mind on your own. These bugs/security holes are fixed in the current RC3 of PHP 5.1.3, which was actually not released to the public (why ever), but can be found at the download site from Ilia over at php.net.
Zend now offers new consultancy services at germany, including Zends PHP-Migration Support from PHP4 to PHP5, Zend Application Audit and Zend Jumpstart – a training offer for Zend Platform and Zend Studio. Beside this Zend released a new Version of their Zend Guard, which improves distribution and code protection for PHP applications and answers once again on services, that offer to reverse the encryption for money (no, i won’t list these “services” here). By the way, you can use the ionCube PHP Encoder to encrypt and deliver your scripts, too – they are working as hard as Zend on solutions to make life miserable for those criminals.
In a note from Andi Gutmans on the Zend Framework Mailinglist he said, that they are heavily working on a new release of the Zend Framework – so all of you who are waiting impatiently for a new release, your wait might soon be over. In addition Andi blogged about the new Zend Core for i5/OS and stated out, that Zend will providing all i5/OS users Zend Core for i5/OS for free in order to lower the barrier of entry to get up and running with PHP. “Uh?” – you might think now and say “Hey, the core is for free anyhow, so wtf?!?” – but Andi told me “In this case however, they will all be getting Zend Core which will be supported with the OS and Zend Studio for free. Also we will do a lot of work to get all the language bridges working for that platform which is additional functionality which doesn’t exist in other Zend Core’s.“
World of (PHP-)Databases
Despite of the things going on at PHP or Zend directly, we have some news from database-world related to PHP: Zack Urlocker, MySQL’s vice president of marketing, announced in his Blog, that MySQL and Oracle have agreed to a multi-year extension to the existing contract enabling MySQL to continue to sell and support the InnoDB storage engine. Good news for MySQL-Users, even though one could doubt what exactly a “multi-year extension” means in terms of years (3? 5? 10?). Anyhow, on the one hand it reduces the pressure on MySQL to develop an own transactional storage engine, on the other hand there are already lots of rumours/news, that MySQL is on the jump to unveil a new transaction engine developed by former Netfrastructure president Jim Starkey, who joined MySQL back in January. Jim will have a talk on April 27, 2006 at the MySQL UC about his OLTP Storage Engine.
Shai Agassi, president of SAP’s products and technology group, said that he expects MySQL to be certified to run SAP applications by the end of the year. For those of you who forgot: SAP invested some venture capital in MySQL back in february this year – it was part of a $18.5 million USD VC-Investment that included not only SAP but also Intel Corp. Some more informations can be found at Zack’s Blog.
A little tidbit for smarter use of the mysql-cli this week came from Vidyut Luther. Instead of scrolling back and forth the resultset and scan the rows, you can simply use MySQL’s built-in Pager:
mysql> P less
mysql> PAGER set to 'less'
mysql> select foo,bar from tableG
(use “\n” to escape from Pager). Roland Bouman provided another tidbit for all those MySQL XML-Lovers out there. A documented XML Schema of the mysql command line utility xml format and a little windows batch file that exports schema-related metadata in the ordinary mysql command line utility xml format.
EnterpriseDB has scooped up Bruce Momjian, a leading PostgreSQL developer and member of the open-source database’s Core Team, to serve as senior database architect and also hired Simon Riggs, another major PostgreSQL contributor and an authority on the database’s performance. Good catch!
Last but not least, datanamic released a new version of their DeZign for Databases V4 with full support for MySQL 5 and features like reverse engineering, support for IDEF1X Modeling Notation, enhanced Diagramming Tools and configurable HTML, PDF and MS Word Reports. You can download a 30 days trial or buy it starting at $214 USD for the standard edition.
Some conferences announce their Call for Papers (CfP) this week, among them the international php conference in Frankfurt am Main/Germany (April 30, 2006, so hurry up!!), the 2006 DC PHP Conference (June 07, 2006) and the german FrOSCon (Free and open source conference), finding place June 24 and 25, 2006, where Tobias Schlitt and friends are organizing a PHP-Room.
In addition with PHP Vikinger we have the first PHP “Unconference” ever. According to Wikipedia “an Unconference is a conference where the content of the meeting is driven and created by the participants rather than by a single organizer“. This Unconference will be held on June 24 and 25 (right after the eZ publish conference 2006) in Skien, Norway and parallel to the FrOSCon in Germany. The entrance will cost you 20,- EUR and you can sleep in in the local school for free. They even will provide the attendees with free meals (Note that the food will be very simple and the accommodations are merely space in a local school – bring your own sleeping bag and foam mats) and the conference is really easy (and cheap) to reach, if you are near an airport served by Ryanair. Sounds to become a real big party *g*
In the php-security world there were again some security holes found in php applications like PHPOpenChat, PHPWebGallery, Simplog (multiple Vulnerabilities and Security Issues), PHP121 Instant Messenger and PAJAX Remote Code Injection and File Inclusion Vulnerability – last one even made it on Heise, a very famous german speaking IT-Portal.
Speaking of AJAX, the W3C started works to standardize XMLHttpRequest: The new Web API Working Group has released a working draft of the official specification for the XMLHttpRequest object, which is at the heart of AJAX. Have a look at their draft! By the way, Jim Plush, author of the My-Bic Ajax/PHP framework, announced his Framework to be in top 1% of SourceForge projects in 4 days:”Of 117,000+ projects on SourceForge MyBic has jumped to #1000 in just 4 days and is climbing each day“. Nice guy as he is, he provides us with four My-Bic Video Tutorials to lower the barrier. If you like, there will be an interview with Jim on April 21, 2006 on Pro::PHP Webcast.
And what else? Lukas Smith continued with his series about Open Source (Mis-)Understandings and announced the five “most buggiest” PEAR-Projects. Matt Asay quoted Mahatma Gandhi in his OSS-Article Open source applications: We’ve reached the “laugh at you” phase: “First they ignore you, then they laugh at you, then they fight you, then you win” – so better prepare for the fight now? Chris Shiflett gave us 10 more PHP-related Blogs, that are not listed at planet-php and we could read about “The beauty of Rasmus’s Unframework, and the ugliness of advocates” by a guy called Jonnay. Jan Schneider announced new Versions of IMP H3 (4.1.1) and Kronolith H3 (2.1.1), with a few bug fixes and some interesting improvements. Sebastian Nohn announced some job opportunities for senior web developer at Ligatus and OnVista, so if you are searching for a job, hunt over to his Blog and find more infos.
Justin Silverstone gave us 10 speed improvement tips for apache and a comparison of PHP and Perl, including the statement that PHP was made for Web and Perl not. Moreover he states that PHP was made with built-in Database support, gets easily embedded into HTML (no CGI like Perl), is more secure than Perl, more easy to learn and tends to be more modular. At the end he links to another comparison site and looks at four of their arguments in detail. Interesting to read – especially look at the answers from the Perl-lovers.
Paul M. Jones still seems to love releasing fast and often and therefore released Solar 0.16.0, 0.16.1 and 0.17.0 – and did not forget to tell us about automating release tasks … hehe. If you are interested in using his Solar-Framework, you can find a little snippet on how to create forms from table-definitions automatically.
Last but not least Rasmus Lerdorf in a mail to php-dev mailinglist pointed out, that google is doing their summer of code again this year. “It doesn’t actually mention PHP there yet, but it will soon. So if you are a student and have an interesting idea for a PHP-related project, start thinking about your proposal.” Lukas Smith alluded to a wiki he has set up for PEAR to get organized for this – ofcourse open for other php-projects, too.