About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.

All posts for Aug 2005

Zend PHP Conference and Expo

Zend has just released the full schedule for their PHP Conference and Expo taking place this October.

It's going to be quite a bit different than the typical PHP conference, because it appears to cater to big businesses (and PHP developers employed by big businesses). It will be interesting to see how PHP is being used in the "enterprise" - it's an area where PHP's role is rarely publicized.

When people question whether PHP is suited for large-scale development, Yahoo is often mentioned in the retort. Michael Radwin will be speaking about PHP at Yahoo, and I'm looking forward to seeing what he has to say. Michael is an excellent speaker, and Yahoo is the busiest web site in the world, so he always has very pragmatic advice about what works and what doesn't in the world's most demanding environment.

I'm also interested in the panel discussion attempting to answer the question, "What Is Scalability?" The panel is being moderated by Joyce Park, who was fired for blogging after disclosing that Friendster had switched to PHP in order to resolve their performance problems. I blogged about the ensuing discussion and was Slashdotted for it.

There are many other exciting speakers lined up, several of which you're sure to recognize.

I hope to see you there.

Quoting PHP Strings

PHP developers generally understand the difference between using single quotes versus double quotes to enclose a string. If you need stuff to be interpreted, you use double quotes. If you need to indicate a literal string, you use single quotes:


= 'two';

'<p>one $string three</p>';
"<p>one $string three</p>";


Do you know what this will output? I think most of you do. You'll see the variable name on the first line and its value on the second:

one $string three

one two three

Try this one:


= 'the\quick\brown\fox';
$two   = 'the\\quick\\brown\\fox';
$three = 'the\\\quick\\\brown\\\fox';
$four  = 'the\\\\quick\\\\brown\\\\fox';



It surprises many people to see that this code produces the following:





Although it's not necessary to escape backslashes inside a string enclosed with single quotes, two consecutive backslashes are interpreted as one. Surprised?

If you want a string that contains single quotes, you need to escape them with a backslash (or enclose the string with double quotes:


= 'O\'Reilly';
$name = "O'Reilly";


What do you do if you need to have a backslash followed by a single quote in your string? You have to escape both:


echo 'Escape single quotes like this: \\\'';


This will output the proper instructions for escaping a single quote:

Escape single quotes like this: \'

Therefore, within a string enclosed with single quotes, PHP needs to allow both single quotes and backslashes to be escaped. I'm not sure if this is explained very clearly in the manual:

To specify a literal single quote, you will need to escape it with a backslash (\), like in many other languages. If a backslash needs to occur before a single quote or at the end of the string, you need to double it. Note that if you try to escape any other character, the backslash will also be printed!

Hopefully it all makes more sense now. :-)

Google Talk

This is probably going to get more attention than it deserves, but apparently Google is announcing their own IM service tomorrow, and it uses the Jabber protocol.

Here's hoping this eliminates the reliability problems I've had with Jabber. From my experience, it is second only to MSN Messenger for worst reliability.

For Gaim users, here's a screen shot to help you get set up. (Click on the image for a larger view.)

Update: Now it's official: Google Talk. Apparently it's only for Windows, but they seem to be pretty agreeable to people using other clients.

PHP Job Market Webcast

A webcast called The PHP Job Market is being offered this Wednesday by Zend. It focuses on the Zend Certification (it's one of the "ZCE Month" promotions), and it features guests that provide a few different perspectives. I'll be there to speak about my role on the Zend Advisory Board as an SME (fancy new acronym I learned that stands for subject matter expert). Other guests include a software architect and a director of open source recruiting. The webcast is hosted by PHP's own Marcus Whitney (of Pro PHP Podcast fame).

My involvement in the creation of the Zend Certification is completely independent of Zend, and I think this has been a healthy approach. I can appreciate that commercial entities have to financially justify their efforts, and I'm glad Zend recognizes the value in helping to legitimize PHP in the eyes of big business decision makers. Robert Peake has been bold enough to state:

I believe the existence of the Zend Certified Engineer Program may do more to further PHP in the enterprise than the release of PHP 5.

I initially had my own doubts about the success of a PHP certification, and I bet I wasn't alone - I think many of us in the open source community are quick to scoff such things. If you're still having doubts, I invite you to sign up for the webcast and listen to what the other guests have to say. You might be surprised.


At OSCON, Don showed me a demonstration of smugMaps, a new service that he has created to "combine the power of Google Maps with over 32,000,000 smugmug photos." What makes Don's implementation really work is that he has made it easy for those of us without geo data in our photos to add it using the Google Maps interface.

Here are some of the highlights, in Don's own words:

  • All smugmug RSS/Atom feeds support geo data, so other apps/services/etc can use this anyway they'd like.
  • Google Earth KML is a supported format for all feeds, too, so we can toss photos across the surface of the earth from anywhere on smugmug. Very cool.
  • Search for photos by address & various different types of smugmug data. We haven't blended smugmug's full-text search with it, yet, but it's coming. Keyword tags, like del.icio.us, do work, as do others.
  • Easy-to-map your photos with interactive Google Maps interface. No need to type Latitude & Longitude directly, and can fine-tune locations on Google Maps.
  • Basic documentation and commented Javascript code, since we're encouraging other sites to do fun things with our feeds or mix them with their own data. We'll continue to enhance and expand the docs to make this easier.
  • "Timeline" feature actually animates the map through your travel path as you took a group of photos. Perfect for vacations.

Want to make your own Google Maps hack? Check out the Google Maps API. There's also a Google Maps with PHP and MySQL tutorial that looks interesting.

In related news, Don, Adam, Steve, and others are at Foo Camp this weekend. Be sure to keep an eye on their blogs for the latest Foo.

Ammar Ibrahim in Linux Journal

I just read an interesting article in Linux Journal about Ammar Ibrahim. It's nice to see the personal side of someone from the PHP community. (I think this approach is what is making the Pro PHP Podcast so popular.)

I've known Ammar for several months now, and he does much more interesting and useful things with PHP (and open source software) than the average developer. He's also a great guy, a fact that doesn't escape the author:

I do not believe one interview can give anyone more than a slight glimpse into the character of a person. Ammar Ibrahim represents the best of humanity. At 23, he seems to have more than a life-time of experience and wisdom to share. He also represents a hope for the future. I easily can imagine him functioning as an emissary or poster boy for a world that works for everyone. I'm grateful that he calls me friend. I consider my life a richer place because he knows how to build bridges and write software.

Isn't the PHP community great? :-)

PHP 6.0 Excitement

Now that Derick has renamed HEAD to 6.0, it's time to look ahead at all the great things that are (or might be) in PHP's future. Of course, a major driving factor in PHP's evolution is the Unicode support that Andrei is now merging in. This alone is enough to generate some excitement - Andrei's goal is to make PHP as good as or better than any other Web development language out there when it comes to Unicode support.

Something I'm also excited about is a new input filter extension that Derick is developing. This looks like it is going to be a great tool for security-conscious PHP developers.

The latest news is from an email Rasmus sent to the internals list earlier today. He mentions doing a bit of spring cleaning and proposes getting rid of several PHP features, including:

  • register_globals
  • magic_quotes
  • safe_mode

I've been wanting PHP to get rid of these things for years, and apparently I'm not alone - the responses have been very supportive. Rasmus also mentions bundling an opcode cache such as APC and removing some stuff that has been deprecated for a long time.

In related news, there is a namespace patch that looks interesting.

Terry Chay on PHP Security

Terry Chay has a new post discussing PHP Security, the oxymoron. He eloquently deconstructs the arguments given in this thread on Slashdot.

It's informative, funny, and well worth your time.

Episode One

No, I'm not talking about Star Wars. The first episode of Ask Chris is now online. In this episode, I am asked about a comment I made during my talk at PHP West. During the talk, someone asked when stripslashes() should be used, and I said it should never be used. I was being a bit cheeky, but I thought it was funny. :-) I went a bit further, noting that if you ever find yourself removing the escaping of something, you've probably screwed up somewhere. I didn't substantiate this remark (because it was tangential to the current topic), so many people have, understandably, questioned it.

Based on the comments, I apparently haven't clarified the issue very well, so let me explain further.

When you send data to a remote system, it often enters a context where it might be interpreted to be something other than data (there are caveats, such as when you're using bound parameters). In order to preserve the data when it enters this other context, you need to escape it. This means different things in different contexts, but the basic idea is consistent.

One common example is the use of data in an SQL query. For example:


        INTO   users (last_name)
        VALUES ('$last_name')"


If $last_name is O'Reilly, this query becomes:

INTO   users (last_name)
VALUES ('O'Reilly')

That's going to break, because the ' in O'Reilly affects the format of the SQL query - it's considered to be something other than data. In order to avoid this, it needs to be escaped. If you're using MySQL, you use mysql_real_escape_string() for the escaping, so O'Reilly becomes O\'Reilly. This makes the query look a bit better:

INTO   users (last_name)
VALUES ('O\'Reilly')

Now, here's the tricky part. Guess what is stored in the database. Easy, right? The answer is O'Reilly (sans backslash). If you don't believe me, try it for yourself. Sure, you can stripslashes() on O'Reilly, but there are no backslashes to be stripped, so it's pointless (plus some day your data might really have some backslashes in it). Now, imagine my surprise when I read this comment:

Of course, you face the problem of what do to if you already have a large number of records already stored in a database that have NOT been escaped with mysql_real_escape_string().

In the words of enygma:

Ow. My eyes.

OSCON 2005 Recap

I had a blast at OSCON this past week. It tends to be my favorite conference each year for a number of reasons - the presence of so many smart, friendly people from the various open source disciplines being one.

I gave a tutorial on PHP security. You can find the slides here:

I got a lot of positive feedback, although most people seemed more interested in the faux cover I created for my upcoming book than the talk itself. C'est la vie. For those who keep asking for it, here you go.

I also gave another PHP Security Briefing, so those slides have been slightly updated:

Don renewed my interest in smugmug, and I created an OSCON 2005 gallery there with my pictures. I took a picture of a spider in the Japanese garden that almost turned out. I couldn't tell until I looked at it on my computer, but the web behind the spider is in focus, and I wanted the spider to be in focus. Oh well. I took a picture of a rose in the rose garden that turned out a bit better.

As always, I spent most of the week forgetting to take pictures, but luckily there were always people with cameras around. One of the funniest moments was when Marcus, frustrated by his camera refusing to take a picture, asked it in desperation, "Do you take pictures?" It was as close to angry as I've seen Marcus, which is what made it so funny.

Geoff told Don about an idea we've had for a while about RSS feeds and related links. It would be nice to see something like this catch on, since all we can do now is scrape pages, which is unreliable to say the least. This open sharing of ideas reminded me a lot of Foo Camp.

Tim unveiled O'Reilly Connection, a new social networking site. Although it's a hassle to go through the add a friend process yet again, at least this one has a FOAF feed, so your data is somewhat free (data libre?). Perhaps they'll add a FOAF import tool soon. Like many of these sites, it's written in PHP. Here's my page. I wasn't as far from sober as my photo makes me appear.

Now I'm left in nostalgia, listening to Hide and Seek by Imogen Heap, a song Tatiana (my O'Reilly editor and friend) played for me while Marcus and I were staring at this.

More conference coverage is available on Planet OSCON.