About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


All posts for Nov 2004

ApacheCon 2004

I'm off to Vegas for this year's ApacheCon. It looks like it will be a really great conference with lots of good talks and good times.

I'm most excited about my Testing PHP with Perl talk with Geoff Young. If we succeed in explaining how cool all of the PHP features we've added to Apache-Test are, I think we'll change how people develop PHP applications. If you're a PHP developer attending ApacheCon, this is the one talk you don't want to miss.

I'll also be giving my PHP Security tutorial, based upon a slightly enhanced PHP Security Workbook. If you can't make it to ApacheCon, you can always sign up for my Securing PHP Code online training class with Zend. It's only $99 - less money than you would lose in Vegas during its three hour duration.

I'll try to have daily conference coverage in my blog. I'm still finishing up my book (PHP Security), so I may not have as much free time as I'd like.

Installing PHP and Apache

As part of the work Geoff and I are doing with Apache-Test, I wrote some instructions for installing PHP and Apache with my favorite options.

To install PHP as a shared library:

$ tar -xvzf apache_1.3.33.tar.gz
$ tar -xvzf php-5.0.2.tar.gz

$ cd apache_1.3.33
$ ./configure \
      --prefix=/usr/local/apache \
      --enable-module=most \
      --enable-shared=max
$ make
$ sudo make install

$ cd ../php-5.0.2
$ ./configure \
      --prefix=/usr/local/php \
      --with-apxs=/usr/local/apache/bin/apxs \
      --with-gd \
      --with-mysql=/usr/local/mysql \
      --enable-sockets \
      --with-zlib-dir=/usr/include
$ make
$ sudo make install

To install PHP as a static library:

$ tar -xvzf apache_1.3.33.tar.gz
$ tar -xvzf php-5.0.2.tar.gz

$ cd apache_1.3.33
$ ./configure

$ cd ../php-5.0.2
$ ./configure \
      --prefix=/usr/local/php \
      --with-apache=../apache_1.3.33 \
      --with-gd \
      --with-mysql=/usr/local/mysql \
      --enable-sockets \
      --with-zlib-dir=/usr/include
$ make
$ sudo make install

$ cd ../apache_1.3.33
$ ./configure \
      --prefix=/usr/local/apache \
      --activate-module=src/modules/php5/libphp5.a \
      --enable-module=most \
      --enable-shared=max
$ make
$ sudo make install
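A post-install check for either build, added here as an example and not part of the original post: it reports whether PHP is compiled in or loaded as a shared module, and whether `.php` is mapped to the PHP handler, since without that mapping Apache returns PHP source as plain text. The function names and sample files are hypothetical; the paths assume the prefixes used above.

```shell
#!/bin/sh
# Added example, not from the original post. Sample inputs are constructed.

# Classify how PHP is attached to an Apache 1.3 build.
#   $1: file holding the output of `/usr/local/apache/bin/httpd -l`
#   $2: path to httpd.conf
php_link_mode() {
    if grep -q 'mod_php5\.c' "$1"; then
        echo static     # compiled into the httpd binary
    elif grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php5_module[[:space:]]' "$2"; then
        echo shared     # loaded at startup through mod_so
    else
        echo none
    fi
}

# True when an uncommented AddType line maps .php to the PHP handler.
php_handler_mapped() {
    grep -Eq '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php[[:space:]]+(.*[[:space:]])?\.php([[:space:]]|$)' "$1"
}

# Combine both checks into one verdict string.
check_install() {
    mode=$(php_link_mode "$1" "$2")
    if [ "$mode" = none ]; then
        echo "php-not-loaded"
    elif php_handler_mapped "$2"; then
        echo "$mode:ok"
    else
        echo "$mode:php-served-as-text"
    fi
}

# Constructed samples: a shared build with the mapping in place, and a
# static build whose AddType line is still commented out.
demo_dir=$(mktemp -d)
printf 'Compiled-in modules:\n  http_core.c\n  mod_so.c\n' > "$demo_dir/shared.l"
printf 'Compiled-in modules:\n  http_core.c\n  mod_so.c\n  mod_php5.c\n' > "$demo_dir/static.l"
printf 'LoadModule php5_module libexec/libphp5.so\nAddType application/x-httpd-php .php\n' > "$demo_dir/shared.conf"
printf '# AddType application/x-httpd-php .php\n' > "$demo_dir/static.conf"

check_install "$demo_dir/shared.l" "$demo_dir/shared.conf"
check_install "$demo_dir/static.l" "$demo_dir/static.conf"
```

On a real install, capture the first argument with `/usr/local/apache/bin/httpd -l > modules.txt` and pass `/usr/local/apache/conf/httpd.conf` as the second.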

If you're planning to attend ApacheCon, you don't want to miss our talk, Testing PHP with Perl. It will (hopefully) change the way you develop PHP applications.

Election Reflection

This is a nonpartisan collection of some of my thoughts about the recent election of the President of the United States. Discussing politics is considered taboo, but there are two issues that I think are huge.

  1. Why must America treat elections like sporting events? The reason that discussing politics is considered taboo is that most people have chosen a team to cheer for (Republican or Democrat), and they can't rationally discuss anything that doesn't favor their team. Most people don't even seem to care who the players are.

    This is hurting America.

    We have freedoms that allow us to question our leaders and to hold them accountable for their actions, but our tendency to consider every topic either for or against our team of choice guarantees that we effectively squelch our own voice. In short, we're squandering our own freedoms. If you want to be heard, you have to respect other people's right to be heard.

  2. Why is our process for tallying votes so fundamentally flawed, and why is this accepted? The legitimacy of this election is in question. The problems with the Diebold electronic voting machines are no secret (they've been discussed on Slashdot more times than I can remember), and there is very strong evidence to suggest that voter fraud involving these machines changed the results of the 2000 election. Yet, we let the same thing happen again. If smart people learn from other people's mistakes, average people learn from their own mistakes, and stupid people never learn, which are we?

    The top two concerns regarding the Diebold machines are that they provide no paper trail (or any other means of auditing the results), and they have known software flaws. Without any way to verify the results, there is no way to ease concerns about voter fraud in this election. With the exit polls indicating strong wins for Kerry in Florida and Ohio, the CEO of Diebold "committed to helping Ohio deliver its electoral votes to the president," the media suspiciously altering the exit polls to reflect the actual results, and the evidence of fraud from the previous election, it's easy to see why people are concerned. I don't blame them. We deserve a transparent voting and tallying process, and we deserve to have confidence in the credibility of any Presidential election. Anything less is unacceptable.


Important issues aside, I have decided to have a little bit of fun with election data to determine who the smart people vote for. Note that this is all in good fun and should not be considered to mean anything important. During an election, a common claim people make is that those with a different choice for President are less intelligent. Determined to get to the bottom of this, I have combined the Education State Rankings with the election results:

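<?php
// Corners of the first state's rectangle (5 pixels wide, 50 pixels tall).
$x1 = 0;
$y1 = 0;
$x2 = 5;
$y2 = 50;
$gradient = imagecreatefrompng('50x250.png');

// $ranks is keyed by education rank, so states are drawn left to right.
foreach ($ranks as $rank => $state)
{
    if ($state['kerry'] > $state['bush'])
    {
        $color = imagecolorallocate($gradient, 0, 0, 255);
    }
    else
    {
        $color = imagecolorallocate($gradient, 255, 0, 0);
    }

    imagefilledrectangle($gradient, $x1, $y1, $x2, $y2, $color);

    // Move one rectangle to the right for the next state.
    $x1 = $x2;
    $x2 += 5;
}

// Send the PNG with the matching content type.
header('Content-Type: image/png');
imagepng($gradient);
?>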

For the sake of brevity, I have removed the creation of the $ranks array, but the following illustrates how it is constructed, using the smartest state as an example:

<?php
$ranks['1']['name'] = 'massachusetts';
$ranks['1']['kerry'] = '62';
$ranks['1']['bush'] = '37';
?>

The resulting image is 50 pixels tall and 250 pixels wide. Each state is represented by a rectangle that is 50 pixels tall and 5 pixels wide. The smarter a state is, the closer it is to the left. The result is a gradient that represents each state's choice for President - blue represents Kerry, and red represents Bush:

electoral.png

With a simple change, I can represent each state with a color that represents the popular vote rather than just the electoral vote:

<?php
// Scale each candidate's percentage (0-100) to a color channel (0-255).
$red = (int) ($state['bush'] * 2.55);
$blue = (int) ($state['kerry'] * 2.55);
$color = imagecolorallocate($gradient, $red, 0, $blue);
?>

The resulting image is the same, except that we now have shades of red and blue that represent the polarity of a state's decision:

popular.png

Lastly, let's see what these two gradients look like if we give smarter states a brighter color. I can create a variable called $strength that represents the percentage of 255 that I assign a color, and I'll use the state's rank to calculate this:

<?php
// Rank 1 gives a strength of 1.0; each lower rank is 2% dimmer.
$strength = ((102 - (2 * $rank)) / 100);

if ($state['kerry'] > $state['bush'])
{
    $color = imagecolorallocate($gradient, 0, 0, (int) (255 * $strength));
}
else
{
    $color = imagecolorallocate($gradient, (int) (255 * $strength), 0, 0);
}
?>

This gives us a weighted electoral vote gradient:

electoral-weighted.png

<?php
// Same rank weighting, applied to the popular vote shades.
$strength = ((102 - (2 * $rank)) / 100);
$red = (int) ($state['bush'] * 2.55 * $strength);
$blue = (int) ($state['kerry'] * 2.55 * $strength);
$color = imagecolorallocate($gradient, $red, 0, $blue);
?>

This gives us a weighted popular vote gradient:

popular-weighted.png

PHP Security Experiments

I've been conducting some experiments lately to test a few security hypotheses that I've had as well as feed my curiosity. The success rate of these experiments has been shocking. The most recent experiment is taking place on the Zend forums, although it's over now (I don't want to needlessly spam the place). You'll notice a lot of topics with a subject of PHP Security Experiment, and they're all posted from different IPs (from all over the world). In short, I'm able to send HTTP requests of my choosing from other people's Web agents.

These experiments aren't testing a single piece of software but rather a specific set of vulnerabilities, and I'm chaining them together. I think I could chain them together even more and make them spread like worms. I'll release more details once I figure out how to properly notify the developers of all vulnerable software first (and allow ample time to fix the problems).

I could use some help. If you consider yourself a pretty proficient PHP developer who has a good understanding of the Web, and you'd like to participate, please contact me or leave a comment. I think there is plenty of work and research to be done.