About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


All posts for May 2005

PHP Podcast: Hot or Not?

The PHP community now has its own PHP Podcast. You can already listen to the first show - Marcus explains his ideas for the Podcast and mentions some people from the PHP community that he would like to interview (although he prefers to describe such interviews as discussions).

He has asked me to help out with the Podcast a bit by being a regular guest on the show and saying something about security. I'm not sure whether anyone really wants to listen to me ramble on about PHP security on a regular basis, but I'm happy to help.

What do you think of the PHP Podcast?

Google Web Accelerator and PHP

You've probably heard about the new Google Web Accelerator, but if you're like me, you haven't bothered to try it out or give it much thought. After all, it can't possibly be worth running Windows. If you develop PHP applications, however, you might want to pay attention.

There is a particular section of the HTTP specification that is frequently violated. Section 9.1.1 of RFC 2616 states the following:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

What does this mean? If you use $_REQUEST, rely on register_globals, or deliberately use $_GET to process a request that performs some action (other than retrieval), then you're violating the HTTP specification, because a GET request can potentially perform that action. If your page contains links that perform an action (when followed), then the Google Web Accelerator is going to cause you problems. You can already find complaints about this. Of course, the developers complaining are the ones to blame, not Google.

The moral of the story is to adhere to the HTTP specification. If you want to play the web game, you have to play by the rules.
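To make the point concrete, here is an added example (not code from the original post) contrasting a delete handler that acts on $_REQUEST with one that only acts on a POST. The delete_item() function and the $items array are hypothetical stand-ins for real application code.

```php
<?php
// Added example: the same "delete" action written two ways. The first
// violates RFC 2616 section 9.1.1 (GET is not safe); the second follows it.
// delete_item() and $items are hypothetical; the data below is constructed.

$items = ['42' => 'draft post', '43' => 'published post'];

function delete_item(array &$items, string $id): bool
{
    if (!isset($items[$id])) {
        return false;
    }
    unset($items[$id]);
    return true;
}

// Unsafe: $_REQUEST also carries query-string values, so following a plain
// link such as /delete.php?id=42 (which a prefetching agent like Google Web
// Accelerator will do on its own) performs the deletion.
function handle_unsafe(array &$items): string
{
    if (isset($_REQUEST['id'])) {
        return delete_item($items, (string) $_REQUEST['id']) ? 'deleted' : 'not found';
    }
    return 'no id';
}

// Safe: act only on a POST and read the id only from $_POST. A GET to the
// same URL merely renders a confirmation form, which is retrieval in the
// spec's sense; submitting the form is the "possibly unsafe action" the
// user is made aware of.
function handle_safe(array &$items): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['id'])) {
        $id = htmlspecialchars((string) ($_GET['id'] ?? ''), ENT_QUOTES, 'UTF-8');
        return '<form method="post" action="delete.php">'
             . '<input type="hidden" name="id" value="' . $id . '">'
             . '<button type="submit">Delete item ' . $id . '</button></form>';
    }
    return delete_item($items, (string) $_POST['id']) ? 'deleted' : 'not found';
}

// Simulate a prefetch GET of /delete.php?id=42 against both handlers.
$_SERVER['REQUEST_METHOD'] = 'GET';
$_GET = ['id' => '42'];
$_REQUEST = $_GET;
$_POST = [];

$copy = $items;
echo handle_unsafe($copy), "\n";   // the unsafe handler deletes item 42 on a GET
$copy = $items;
echo handle_safe($copy), "\n";     // the safe handler only returns the form
```

Run it from the command line with `php delete.php` to see that only the $_REQUEST version mutates $items on a GET.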

PHP at OSCON 2005

The selections have been made for the O'Reilly Open Source Convention 2005 (US), and there are many great PHP talks to choose from. This was only my second year on the selection committee, but I think this had to be one of the toughest years. There were 600 proposals for 150 slots, and the PHP track seemed particularly strong.

PHP tutorials that made the cut:

PHP sessions that made the cut:

OSCON is returning to Portland, but the venue has changed to the Oregon Convention Center, and it is to be held during the first week of August rather than the last week of July. This has always been my favorite conference, but PHP Quebec is going to be tough to beat this year.

I hope to see you there!

Update: Another PHP session has been added to the lineup: Migrating from PHP 4 to PHP 5 (John Coggeshall).

PHP in Cancun

I've been in Cancun since Wednesday for php|tropics. The resort is very nice. In fact, while Wez and I were standing at the counter to check in, I remarked that this place seems too nice for a PHP conference. As soon as those words left my mouth, a well-dressed man approached and handed us each a glass of champagne. We laughed, gave a toast, and tossed them back.

I gave a BYOL (bring your own laptop) double session on PHP security, and it went very well. This was a new talk, so I was a bit concerned about the timing, especially since there was so much hands-on activity. The timing worked out just fine, and the feedback has been superb. I hope to refine this talk a bit more and add it to my collection of favorite talks. I'll likely incorporate some of this new material in the PHP security training class I teach as part of Brain Bulb's PHP training services.

I'm currently sitting in Jason Sweat's talk on test-driven development. It's mostly about Simple Test, and while I prefer Apache-Test, there is currently an effort to make Simple Test's output TAP compliant. This will allow developers to leverage the power of the Apache-Test framework and still use the Simple Test objects for writing their unit tests. Of course, those who don't want to use objects can still use the test-more.php library bundled with Apache-Test for writing procedural tests.

PHP Security Briefing at NOAA

I spent the past couple of days in Washington, D.C., to give a talk at NOAA's IT Security Conference. (NOAA is the National Oceanic and Atmospheric Administration.) The talk went very well, and I was glad to find such an eager audience. I also got to meet some really cool people from NOAA's Computer Incident Response Team (N-CIRT). It's rare to find others who are well-versed in both PHP and web application security, and while they have a very demanding job, it seems quite interesting.

The talk I gave, PHP Security Briefing, is one that I've been developing and refining over the course of the past few conferences, and I think it's one of my best new talks. You can find the slides on Brain Bulb's web site: