About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.

All posts for Sep 2004

The Race Continues

No one has finished the race yet. Will you win?

ApacheCon Early Bird

Don't forget to register for ApacheCon by this Thursday (30 Sep) to save $300 (and up to $400 on tutorials):

Early-bird registration is priced at US$599 for the full conference package. This gives you access to three days with more than 65 sessions.

There are many good sessions relevant to PHP developers. Some of my favorites from among the scheduled talks are:

  • Scalable Internet Architectures (tutorial)
  • PHP Security (tutorial)
  • Locking down your Apache Web Server with mod_security
  • The Next Wave of PHP: Introducing PHP 5
  • URL Mapping
  • Why PHP 5 Sucks! Why PHP 5 Rocks!
  • Testing PHP with Perl: Two Great Tastes that Taste Great Together
  • LAMP and the REST architecture. Step by step analysis of best practice
  • Apache performance
  • Real World Scalability
  • ApacheCon Lightning Lottery Talks
  • XML on Crack - The hidden beauties of XML in PHP
  • HTTP Caching and Cache-busting for Content Publishers
  • XML on Speed - How to write fast and scalable PHP/XML code

You have less than a week to convince your boss, spouse, or whomever to let you go and still get the discount. If you don't need the extra money, you can always blow it on gambling (it's in Vegas, after all) or treat some friends to dinner.

I hope to see you there, and I hope you count me as a friend if you're doing that dinner thing.

Shared Hosting with PHP

My column from the Mar 2004 issue of php|architect is now available for free: Security Corner: Shared Hosting

This article explains, among other things, that safe_mode is no substitute for a secure server, and no shared host is ever going to be as secure as a dedicated one. However, if you're stuck on a shared host, I give some advice for making the most of your stay.


php|works turned out really well. Marco and everyone else at php|architect did a super job with everything.

The conference was split into three tracks: two technology tracks and a business track. This meant that there were always three talks to choose from, although most attendees were technical people. During my talk (PHP Session Security), the other technology talk was something on DB2, so my room was very crowded (standing room only). Apparently the DB2 talk had a total of 2 people in the audience, and Derick explained that this is referred to as being rasmussed (some other people thought the correct term was harasmussed, so I'm not sure). I think this was the first time I've rasmussed someone, and I promise it was an accident. :-)

Having the business track was interesting. It provided a nicer mix among the conference attendees. While I found myself often in disagreement with speakers from the business track, I always enjoy having my opinions challenged and getting a glimpse into other perspectives.

As an example, I don't understand why people still choose Java for creating Web applications when it's the more expensive and time-consuming choice, developers are more expensive and less competent (on average), and there doesn't exist a Java Web application that doesn't suck. Do people who make this decision think they can beat the odds or something? Well, I still don't have an answer that has any merit, but Richard Rosa explained why some companies make this decision, and he also pointed out that Java isn't such a bad choice for middleware.

While in Toronto, I also made a trip to Tucows, which was interesting. In addition to getting a squishy cow with their logo on it, I met Joey deVilla of The Farm. I was surprised to learn that domain registrations and other Internet services now make up the vast majority of their business.

There has been plenty of coverage elsewhere - I'll try to mention the links I know about:

If you know about any other links, please feel free to add them to the comments.

PHP Session Security

My talk for php|works, PHP Session Security, is now online.

As with most of my talks, the slides only provide a vague outline. I hope to offer a more useful resource for session security (similar to the PHP Security Workbook) sometime soon.

In Toronto for php|works

I'm sitting in the atrium of the Holiday Inn Yorkdale in Toronto, enjoying the free wireless access. I'll be here all week for php|works, a conference hosted by the fine folks at php|architect. I'm giving a talk on PHP Session Security on Thursday, and I fly back to New York on Friday.

When filling out the card for customs, I paused when it asked whether my trip was for business or pleasure. It's pretty nice to do something you love - I felt like checking both boxes. Technically, I suppose this is a business trip, so that's what I went with. When I got to customs, the lady there inquired about the purpose of my trip:

What sort of business are you on, Mr. Shiflett?

I replied that I was attending a computer conference, which seemed descriptive enough, but she persisted:

What's the conference aboot?

(Yes, I misspelled about, but that's not how it sounded to me.) I explained that it was about PHP, a programming language. Then came the awesome question:

PHP? What does that stand for?

As you can imagine, the term recursive acronym came up shortly thereafter. I found it pretty amusing, even if she didn't.

(PHP stands for PHP: Hypertext Preprocessor.)

Zach Braff has a Blog

I finally saw Garden State tonight. I expected to be impressed, and it exceeded my expectations. Apparently Zach and I also share similar taste in music, since I was able to piece together a good bit of the soundtrack using my existing collection.

As is my habit, I returned home to read more about the movie on the Web. One of the first things I found (after the obligatory visit to IMDB) was Zach Braff's Blog. Being the geek I am, I found it particularly cool that Zach uses Perl, even if he doesn't know it. His blog is powered by TypePad, and if I were Mena or Ben, I'd be particularly proud of this. Here is a guy who has just written, directed, and starred in an amazing movie, and in between all of the traveling and PR, he is able to use his BlackBerry to keep a blog. If that's not a good testament to the convenience and practicality of TypePad, I don't know what is. He also seems to be appreciative of how the blog brings him closer to his audience, and he claims to read all the comments (he gets quite a few more than most of us geek bloggers).

Within his blog you'll find some gems that reveal his sense of humor:

Gas money: Some of you have asked me to reimburse you for the gas money you spent driving so far to see the film. This I can do. I have made an arrangement with every gas station in the country. (Except the Shell's in Raleigh; those guys bargain hard.) All you have to do is tell them that Zach Braff said you could have free gas to drive to see Garden State. If they look at you like, "What the fuck are you talking about?" Don't worry, that's just the code.

and some that reveal more than that:

When I wrote Garden State, I was completely depressed, waiting tables and lonesome as I've ever been in my life. The script was a way for me to articulate what I was feeling; alone, isolated, "a dime a dozen" and homesick for a place that didn't even exist. I guess one of the cool things about the success of Garden State is that those of you out there who are "in it" and feeling all these things, can take comfort in the fact that there are so many people commenting on this blog (including me) that can relate. And as lonely as you ever feel, you are not alone.

You have to respect someone this genuine, and I think his personality shines in this movie. I rarely blog about movies, but this is definitely one worth watching.


Steve Mallett has just announced a new project called DataLibre. The principles surrounding the project are best described in Steve's discussion on Applying Distributed XML to The Open Source Paradigm Shift that I referenced in an earlier blog post.

While I'll still be busy for the next few weeks as I finish writing PHP Security, I plan to play a part in Steve's efforts with a specific project of my own, tentatively named Blogosaur. I'll provide more details about that soon.

For now, check out DataLibre and join the effort to own your data.

Securing PHP Code with Zend

I worked hard on the PHP security tutorial that I gave at OSCON this year, and I have been delighted by the attention it has been receiving since. The PHP Security Workbook that accompanied the talk is still a frequent recommendation among PHP sites worldwide, and people continue to express their interest in attending a similar course.

For those who don't have the time or money to attend this course at a conference (I'll be giving it next at ApacheCon in Las Vegas), Zend has a solution: Zend Online Training. These courses are delivered online using Interwise iClass. While this appears to be an excellent training platform, it only runs on Windows, which is a bummer. Personally, I'll be emulating Windows on my Apple PowerBook using VirtualPC (yes, I bought a Microsoft product to help me teach a security course). I realize that the platform restriction likely poses a problem for many PHP developers, but hopefully you can emulate Windows or borrow a friend's computer for a few hours.

I'll be giving a 3 hour course entitled Securing PHP Code, and the cost is only $99 (USD). The course is described as follows:

Security is critical to every PHP application - don't let insecure programming practices leave you vulnerable. Firewalls and secure servers cannot compensate for an insecure application, and the majority of the responsibility lies in the hands of the developer.

This class teaches secure programming practices by demonstrating common types of attacks and practical methods to defend against those attacks.

Through careful examination of each attack, you not only gain a better appreciation, but also a deeper understanding of the protective measures being discussed. You can use the best practices you learn in this class to improve the security of both your current and future PHP applications.

If you have 3 hours and $99 to spare, join me on 18 Oct 2004 at 11 AM EST (3 PM GMT) and learn how to improve the security of your PHP applications.

Foo Camp and Electronic Voting

I'm at Foo Camp this weekend, an ad hoc gathering hosted by Tim O'Reilly. Tim describes Foo Camp as follows:

Foo Camp is a creation of the people who attend. We're inviting people who're doing interesting works in fields such as web services, data visualization and search, open source programming, computer security, hardware hacking, GPS, and all manner of emerging technologies to share their works-in-progress, show off the latest tech toys and hardware hacks, and tackle challenging problems together.

One of the challenging problems we have tackled is electronic voting. While Foo Camp attendees span all corners of the technology industry, we all agree on the basic approach that needs to be taken in order to offer a reasonably secure, feasible, and simplistic solution.

The most interesting aspect of the proposed solution is that it actually involves less technology and sophistication than other solutions that have been proposed in recent years - and this from a group of technology enthusiasts. The basic idea is that a two step process is needed:

  1. In the first step, the voter uses a machine to select the desired candidate, and this machine prints a ballot that displays the selection in a standardized font that is easy to read using an OCR technology. This ballot does not include any personal information about the voter; only the voter's selection is indicated.
  2. The second step involves the voter presenting this ballot to the election officials, and this is where voter eligibility and such are verified. An eligible voter then inserts the ballot produced by the first step into a counting machine (the one that performs the OCR), and here it is recorded. The consumed ballot is kept for confirmation.

There are quite a few benefits to this solution, the biggest of which is that it does not attempt to be a perfect solution. It also manages to closely resemble the existing process while making several notable improvements. Other benefits include:

  • No reliance upon the security of the first step, because the ballots are not counted until the second step. This also leaves room for third parties to make financial gains, since proprietary first-step implementations are fine when security only matters in the second step.
  • The first step allows for multiple methods of error reduction as well as evidence of each vote due to the fact that a physical ballot is generated.
  • Potential for future improvements, including the ability to generate ballots (first step) from locations outside of the secure voting area (because another ballot can always be created in the secure voting area, eliminating concerns of coercion).
  • The voters themselves have an opportunity to verify the first step, because the output is human readable, and this output is exactly what is read and recorded.
  • The second step relies upon an open standard, and implementations are required to be open source and thoroughly reviewed by software professionals.
  • Multiple implementations of the second step are possible, strengthening the reliability and security.
  • There is little cost in increasing the verification efforts for situations where the vote is closer than the tolerance level of this system.

There are other details, but this should give you a general idea. More formal specifications and such are in the works. Feel free to suggest weaknesses and improvements to this system; this is still a work in progress.
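To make the trust boundary in the two-step design concrete, here is a small Python model of it. This is an added example, not code from the original post or from any Foo Camp specification; the class names (BallotPrinter, CountingMachine), the voter ids, the candidate names and the 10% tolerance value are all assumptions chosen for illustration. It shows why the first step need not be trusted: a tampered printer is caught by the voter reading the human-readable ballot, eligibility is checked only at the counter, the ballot itself carries no voter identity, retained ballots allow a recount, and a close result flags the need for extra verification.

```python
"""Model of the two-step voting design: an untrusted ballot printer (step 1)
and a trusted, eligibility-checking counting machine (step 2).
Added example; names, ids and the tolerance value are assumptions."""
from dataclasses import dataclass, fields

CANDIDATES = ("Alice", "Bob")  # constructed sample candidates


@dataclass(frozen=True)
class Ballot:
    """Printed ballot: only the selection, nothing identifying the voter."""
    selection: str


class BallotPrinter:
    """Step 1 (untrusted). A proprietary, buggy or even tampered printer is
    tolerated because nothing it produces is counted directly."""

    def __init__(self, tampered_output=None):
        self.tampered_output = tampered_output  # simulates a compromised device

    def print_ballot(self, choice):
        if choice not in CANDIDATES:
            raise ValueError("unknown candidate")
        return Ballot(self.tampered_output or choice)


def voter_verifies(ballot, intended):
    """The ballot is human-readable, so the voter compares it to their intent.
    This is exactly what the counter will later read, so the check is meaningful."""
    return ballot.selection == intended


class CountingMachine:
    """Step 2 (trusted, open, reviewed): verify eligibility, then record."""

    def __init__(self, eligible_voters, tolerance):
        self.eligible = set(eligible_voters)
        self.voted = set()  # prevents double voting; kept apart from ballots
        self.tally = {c: 0 for c in CANDIDATES}
        self.retained = []  # consumed ballots kept for confirmation
        self.tolerance = tolerance

    def accept(self, voter_id, ballot):
        if voter_id not in self.eligible:
            return "ineligible"
        if voter_id in self.voted:
            return "already voted"
        if ballot.selection not in CANDIDATES:
            return "unreadable"
        self.voted.add(voter_id)
        self.tally[ballot.selection] += 1
        self.retained.append(ballot)
        return "recorded"

    def recount(self):
        """Independent count from the retained ballots; must match the tally."""
        counts = {c: 0 for c in CANDIDATES}
        for b in self.retained:
            counts[b.selection] += 1
        return counts

    def needs_extra_verification(self):
        """True when the margin is inside the system's tolerance level."""
        top = sorted(self.tally.values(), reverse=True)
        total = sum(top)
        return total > 0 and (top[0] - top[1]) / total < self.tolerance


def ballot_carries_voter_identity():
    """Structural check: the only field on a Ballot is the selection."""
    return [f.name for f in fields(Ballot)] != ["selection"]


def run_election():
    """Constructed scenario exercising each property of the design."""
    counter = CountingMachine(eligible_voters={"v1", "v2", "v3", "v4"}, tolerance=0.10)
    honest, tampered = BallotPrinter(), BallotPrinter(tampered_output="Bob")
    outcomes = {}

    # v1 wants Alice; the tampered printer prints Bob. The voter notices and
    # simply prints another ballot on a different machine (step 1 is disposable).
    bad = tampered.print_ballot("Alice")
    outcomes["tamper_detected"] = not voter_verifies(bad, "Alice")
    good = honest.print_ballot("Alice")
    assert voter_verifies(good, "Alice")
    outcomes["v1"] = counter.accept("v1", good)

    outcomes["v2"] = counter.accept("v2", honest.print_ballot("Bob"))
    outcomes["v3"] = counter.accept("v3", honest.print_ballot("Alice"))
    outcomes["v4"] = counter.accept("v4", honest.print_ballot("Bob"))
    outcomes["v9"] = counter.accept("v9", honest.print_ballot("Alice"))  # not eligible
    outcomes["v2_again"] = counter.accept("v2", honest.print_ballot("Bob"))  # duplicate

    outcomes["tally"] = dict(counter.tally)
    outcomes["recount_matches"] = counter.recount() == counter.tally
    outcomes["close_race"] = counter.needs_extra_verification()
    outcomes["identity_on_ballot"] = ballot_carries_voter_identity()
    return outcomes


if __name__ == "__main__":
    for key, value in run_election().items():
        print(f"{key}: {value}")
```

The point the model makes is that every security-relevant decision (eligibility, double voting, counting, retention for recount) lives in the CountingMachine, while the BallotPrinter can be replaced or distrusted freely because its output is checked by a human before it enters the counted set.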

HTTP Developer's Handbook Feedback

There has never been a lot of attention given to my HTTP Developer's Handbook. I've always believed that this is a direct reflection of the topic and the fact that there is (of course) no community surrounding HTTP like there are with programming languages. The book is also more theoretical in nature, and most developers are very pragmatic.

Recently (within the past week or two), I've noticed some positive feedback on the free sample chapters that I have on my Web site.

Jim O'Halloran writes:

A commenter on my previous How SSL works post pointed me towards the SSL explanation from Chris Shiflett's HTTP Developer's Handbook chapter on SSL, which is a really nice explanation of SSL (including public/private and symmetric key encryption).

Scott Granneman writes:

I host Web sites, but we've only recently had to start implementing SSL, the Secure Sockets Layer, which turns http into https. I've been on the lookout for a good overview of SSL that explains why it is implemented as it is, and I think I've finally found one: Chris Shiflett: HTTP Developer's Handbook: 18. Secure Sockets Layer is a chapter from Shiflett's book posted on his web site, and boy it is good.

Shiflett is a clear technical writer, and if this chapter is any indication, the rest of his book may be worth buying.

As anyone familiar with my writing knows, I'm always in favor of making as much of it available for free as possible. With the complimentary comments I've seen lately, I may try to polish up the existing sample chapters (if any graphical artists want to volunteer to redo the artwork, that would be great) as well as make a few additional ones available. I'm allowed to make up to 25% of the book freely available, so please feel free to suggest some chapters (perhaps after looking at the Table of Contents if you don't have a copy).

Thanks to Jim and Scott for the kind words. This author really appreciates it.

Yahoogle and Flickr

I just read Nat's blog entry about Why Yahoo and Google Still Don't Get It. First, I must say that Yahoogle is the best word I've seen since Orkwhore.

What is Flickr anyway? It seems everyone is talking about it lately. I even see people talking about Flash again (and not in a derogatory manner). Maybe it is something I should consider using instead of Gallery, since I have some pictures of OSCON and my trip to Italy that I want to post. At first glance, it looks like a slightly better Ofoto, but there must be something more.

I would poke around a bit more and find out, but the registration page currently tells me:

Flickr is currently closed.

I also thought Nat made an interesting point about the influence of blogs, at least those of people he calls alpha geeks and influencers:

I see the world working like this: Tech reporters and widely-read people like Tim watch alpha geeks to figure out what's new and important. The general public learn from their alpha geeks and from tech reporters. So if you (generic firm) can't get the alpha geeks talking about your product, you face an uphill battle to get the general public aware of it and using it.

I wonder how closely that resembles how the world really operates. I certainly agree that the blogs of alpha geeks and influencers are collectively the best research tool for any tech reporter, but I wonder whether there are really that many who realize this.


I finally decided to start using del.icio.us to manage my bookmarks, because I have a disorganized collection residing on multiple computers and in multiple browsers - I can never find what I'm looking for. As an example, I can never remember the name of that Web site where you can check any mailbox or that list of PHP powered sites. Of course, this also means that it will take me quite a while to locate all of my bookmarks and import them into my del.icio.us bookmark collection.

Now, if only there were browser plugins for Firefox and Safari that integrated del.icio.us into the standard bookmark mechanism (with some intelligent caching to minimize traffic). I should be able to add a bookmark on any of my computers and see it in my bookmarks list on any other, and all that should be required is that I first set things up with my username and password. I should also be able to indicate whether a bookmark is public (del.icio.us) or private (local). If del.icio.us supported private bookmarks, there could be a third option.

I've looked at this Firefox extension, but I fail to see what it offers that I don't already have. Giving me the ability to post is great and all, but this bookmarklet already does that (I use the popup version).

So, if anyone is looking for a great project, write a del.icio.us Firefox extension. I would ask Apple to do the same for Safari, but I'll be satisfied when they finally fix the bug that prevents tabbing to select lists within HTML forms. If a browser can't handle simple HTML form elements correctly, del.icio.us integration is a bit too much to ask.

I think Joshua Schachter has created a really useful tool. Here's hoping that browsers catch up.

Steve Mallett on "Infoware"

You should read Steve Mallett's discussion on Applying Distributed XML to The Open Source Paradigm Shift. In Steve's words:

Herein I propose a possible solution to ensuring the freedom to innovate and improve as we do with open source software as it may apply to the Open Source Paradigm Shift.

If you haven't already, you might want to read Tim O'Reilly's Open Source Paradigm Shift first.

Steve keeps up with all things open source, and I think he has made a very good case for keeping information distributed. As I vaguely referenced in my previous blog entry, I think we are standing at the edge of a new era of innovation. Creative thinkers are sure to be rewarded.