I just got through reading the latest issue of php|architect - always a good read.
Sean starts by announcing the departure of Marcus Baker as a columnist. I've always enjoyed Marcus's perspective on things, primarily because it's different. Luckily, Sean follows this announcement with very good news - Jeff Moore is going to take over the column. I've been reading Jeff's blog for the past year or two, and I'm really looking forward to reading more from him in future issues.
Marco has an interesting article on applying the poka-yoke concept to input filtering and output escaping. (A poka-yoke is a behavior-shaping constraint.) A few of the principles he describes mirror design principles in one of the Zend Framework components, but more on that soon. :-)
In this month's Security Corner, I pull together a few topics I've been discussing in my blog, all related to character encoding:
I'm also announcing a short break from the column:
I want to give my sincere thanks to Ilia Alshanetsky, who has agreed to take over Security Corner for a few months. It has been my pleasure to be the author of this column for the past few years, and I hope a short break can give me renewed enthusiasm and a fresh perspective. I also think it's valuable to hear from different sources of security expertise. Ilia is a well-known PHP expert and educator, and I'm confident that you'll learn a lot from what he has to say.
It's been a few months since Episode One, but thanks to Marcus, Ask Chris is back on the air. The format is a bit different - instead of doing separate shows, we'll be doing a short segment at the end of each interview.
This interview is with David Sklar of Ning. He and Marcus discuss Ning, of course, but David also provides some good perspective on the state of technology and how the definition of a programmer is becoming more and more inclusive.
This episode of Ask Chris is about email injection, a topic of growing concern for PHP developers. We recorded this immediately after I had returned from a trip, so hopefully I don't sound too weary. If you have any questions you'd like to have answered or topics you want me to discuss with Marcus, please leave a comment here or contact him directly.
Thanks for listening!
I've been away for a week, and a lot has happened in the PHP world during that time.
Tim Bray sparked a debate with his discussion On PHP. Greg and Marcus were quick to point out how silly it is to be comparing tools. It reminds me of soccer players who are proudly showing off their shiny new Predators while getting their asses kicked by the guy wearing 10-year-old shoes. Or, as Marcus puts it:
Pick your weapon and master it and stop wasting time, life is short.
Harry posted a nice pro-PHP rant that's worth reading. I was reminded of George's why PHP scales explanation from a few years ago, which is still as relevant and useful today as it was back then.
Via Jeremy and Simon (two blogs worth reading), I noticed that Yahoo has released a Design Patterns Library and a UI Library. More recently, they've published a PHP Development Center.
Lastly, Zak announced that ApacheCon EU is going to be held in Dublin this year. How awesome is that? :-)
A few days ago, I posted my Top X List of Mac OS X Annoyances. As predicted, there were a few useless responses from the zealots who felt a need to defend the Mac, but there were also many useful comments - more on those in a minute. Some people seem to confuse being the best with being perfect. A valid defense of an annoying characteristic of Mac OS X is not that it's better than Windows - that's setting the bar awfully low, don't you think?
The other thing that many people seem to miss is the fact that my list comes from years of using Mac OS X and Linux (not Windows). If Linux is tainting my perspective by offering a better desktop experience, the Mac has serious problems. Isn't it supposed to be the archetype of usability?
The reason why I want to find solutions for the things that annoy me is because I want to buy a new MacBook Pro (or whatever the cool laptops are called by the time I buy one) and use it exclusively, plugging in peripherals when I'm at my desk. In most cases, I've tried to adopt "the Mac way," because I know it's futile to try to effect change in the Mac world. (It's almost as much of a quagmire as US politics, where people are quick to place you on "the other team" if you dare speak out of line.) However, there are a few things that are quite simply annoying, and regardless of whether you agree, it's hard to ignore the fact that there's room for improvement.
Luckily, most of the annoyances can be resolved. Before I get to the solutions, however, I want to list the two major annoyances for which no solution has been offered (please feel free to make a suggestion):
I learned that the little green button is a "zoom" button. (In other words, maximizing isn't broken - it just doesn't exist.) Regardless of whether you think the zoom feature is useless (I do), it's no replacement for maximizing.
I frequently speak at conferences. If you've ever seen me demo something during a talk, you've probably seen me open a terminal window. I manually resize the window to be as small as possible, increase the font size to a comfortable viewing level (which increases the size of the window), then manually resize the window to fill as much of the screen as possible. I'd rather maximize the window and be done.
When I'm using my 12" PowerBook, I'm impaired by the resolution. I don't mind, because that's part of having such a small laptop. (I love it.) However, I'd like to maximize my windows rather than manually resizing them to fill the screen. Yes, having lots of maximized windows is usually annoying, but Expose pretty much eliminates any disadvantage. Plus, even without maximizing, it's hard to grab the edges once you have more than a few windows, so depriving us of this feature offers no real benefit.
At first, it might seem that selecting between applications instead of windows is a good thing, but not when you consider other characteristics of the Mac. First, when you close the last window of an application, it continues running. This isn't annoying in isolation, and there are advantages to leaving apps running, but it has a nasty side-effect: command-tab pollution. The Finder is always running, so there's some pollution by default. Plus, if you command-tab to an application with only minimized windows, they stay minimized. Again, in isolation, these characteristics may not seem so bad, and they're not. Combined, they make command-tab on the Mac almost useless. Yes, Expose is great, and I use it frequently, but it's no substitute. (A possible fix is Witch, but this is one thing that shouldn't be broken in the first place.)
Except for a few annoyances that are just part of "the Mac way" and not likely to change, most of my other annoyances can be solved:
Only One Desktop
The solution to the "only one desktop" problem seems to be Desktop Manager. Quite a few people have suggested it.
Nate Klaiber sent me a solution to the clock annoyance. The trick is that the clock format is under the "International" section of your preferences. Thanks, Nate!
Adam pointed me to MenuCalendarClock, which looks even better. wClock looks good, too.
Matt Simpson pointed out a "Full Keyboard Access" option that you can set to "All Controls" to make Safari behave correctly. In other words, you can navigate forms without a mouse. Thanks Matt!
In summary, although the Mac has many shortcomings by default, the vast majority of them can be resolved, and only a few of them require the installation of additional software. Thanks to everyone who offered suggestions about how to make the Mac less annoying! :-)
Luke Welling has been doing a bit of research about his fellow countryman, Dale Begg-Smith, who won an Olympic gold medal last night in the freestyle skiing moguls.
Described as an Internet entrepreneur, Begg-Smith is also known as "Spam Man" and owner of CPM-Media, producer of spyware, malware, and adware. He also has ties to mass email campaigns and popunder ads.
Read Luke's blog for the full story and supporting links.
While adding links to my feed, I noticed similar security vulnerabilities in both Digg and Furl. (Josh Ribakoff of DevNetwork Forums played a part in discovering Furl's vulnerability.) Of course, I immediately notified each of them and offered a simple example exploit. I was happy to find that both sites provide contact information. Digg's is easy to find (a Contact Us link at the bottom), and Furl's takes some digging (sorry for the pun), but my experience with other sites has been much worse.
I was disappointed by their initial response. I don't mean to suggest that I expected a personal email or acknowledgement, but I had hoped to see the vulnerabilities fixed within a relatively short period of time. After a week or two had passed, I decided to contact them again, stressing the severity of the vulnerability (and simplicity of the solution). Digg immediately replied:
Thank you for your concern and feedback, we will sure look into it.
Within a few days, the vulnerability was fixed.
Furl did not respond, nor have they fixed the vulnerability. At best, this illustrates a breakdown in communication. At worst, it shows a lack of concern for their users' safety.
Update: Michael from Furl responded (see comments), and he left a direct email address that you can use to report security issues. The vulnerability has not been addressed, but hopefully that will happen very soon.
About a month ago, I added links to a few different services in my RSS feed. If I write something that people want to remember (or share), they can bookmark it (or promote it) with del.icio.us, Digg, or Furl. They can also see related posts with Technorati.
If you want to add these to your own feed, just use the following URLs:
Note: The [TITLE] and [URL] placeholders refer to a URL-encoded title and URL.
Thanks to everyone who wrote to let me know that Essential PHP Security was Slashdotted yesterday. Slashdot still amazes me. I think the book's Amazon.com Sales Rank is a testament to the power of Slashdot:
Here's a closer view:
The review is very complimentary, but I'd like to address one point:
In light of the author's expertise, one would presume that he would make every effort to write the definitive volume on PHP security - covering every conceivable topic, including: execution of system commands, verification of user IDs and authorization, email spamming via web forms, (the related topic of) exclusion of bots, and remote procedure calls.
I replied to this, stating:
I deliberately chose to focus this book on the 80%, and I'm happy that I did. PHP's reputation suffers because of security concerns, and I'm sure you'll see some of that expressed here. I want PHP developers who read this book to focus on what's most important, and the principles and practices that they learn along the way should prepare them to deal with more minor concerns.
Luke Welling comments:
I guess leaving your readers hungry for more of the same is a compliment of sorts.
Well put, Luke. Thanks. :-)
As far as desktop operating systems go, they all suck, and Mac OS X sucks the least. Although I use Linux as my primary desktop OS, that's because it has been the best choice for me - a software developer (primarily interested in server-side technologies) who wants a decent
Lately, I find myself considering an exclusive use of Mac OS X on the desktop. Now, I don't consider myself a power user. (That's a term for people who are proud of their desktop OS expertise. They can fix your printer.) I really only use four desktop apps with any frequency:
Of these, about 80% of my day is spent in a terminal. In other words, I think my needs are pretty basic, so it should be pretty easy for me to switch to a different OS, right? Well, I hope so, but there are still some things about Mac OS X that annoy me, and I've taken the time to come up with my Top X List of Mac OS X Annoyances:
Separating Menu Bar from Window Is Stupid.
Usability studies supposedly disagree, but I don't care - having the menu bar miles away from your focus is stupid. This should be common sense. It's annoying enough on a 12" screen. I'm sure it will seem much worse on a 23" screen. (Usability studies can be wrong by focusing on general ideas out of context. Location consistency is usually good.)
Apps Don't Really Close When You Close Them.
When I close the last window of something, why is it still running? I know the command-Q shortcut, but that's a dangerous habit. Using the shortcut instead of clicking close just means that I'm more likely to accidentally close another window of the same app, not realizing that I still have it open. Computers are supposed to keep up with this stuff for us. That's their job.
(My Linux desktop has more than a hundred processes running, and they don't screw up my desktop experience, so you'll have a hard time convincing me that this is a feature.)
Maximizing Is Broken.
How hard can this be? Seriously. If you want to be different, that's cool, but not when it means being broken. When I maximize something, it should take up the whole screen. Get it? Leaving little gaps everywhere just means that I'll bring another app to the foreground when I accidentally click on it.
Alt-Tab to a Minimized App, and It Stays Minimized.
(Yes, I know it's really command-tab, but who says that?) There are lots of reasons why alt-tab on the Mac sucks, and this is one of them. Combine this with the fact that apps don't really close when you close them, and the result is alt-tab pollution. You switch apps, but nothing happens. Is the app closed? Is it minimized? Is it just the damn Finder again?
Too Many Option Keys.
Function, control, alt, option, and command (which used to be called open apple and is sometimes referred to by its symbol). Which one do I use to right-click again? Which one makes the delete button delete? Surely we can get rid of one or two of these.
No Dedicated Page Up, Page Down, Home, or End Keys.
I didn't realize how much I used these until they were gone. Can't we get rid of some of those option keys to make room? Even if we can't, do we really need two command keys? And how about that extra enter key? Get rid of those, and at least give us home and end.
Only One Desktop.
Only one 12" desktop. Yes, Expose is cool, but it's no substitute. What's wrong with having both? Microsoft is finally adding tabs to IE - surely we can have a few desktops.
The Clock Sucks.
It really sucks. Sun 10:00 AM. I want to know the date - I know it's Sunday, for crying out loud. Maybe I can change the format. Let's go look. Nope, but I can add seconds or flashing separators. Who needs the date when you can make those colons flash?
(My Linux clock not only shows me some useful information, but I can also get a quick glimpse of the calendar by clicking it. Sorry Mac, but the Linux clock kicks your clock's ass.)
I know pictures are big, and I know it's tough to manage thousands of them, but damn, figure it out already.
Safari was released three years ago. I still can't tab to a select list. But, to be fair, that's probably really hard to do. (Update: See Adam's comment below.)
I hope you enjoyed my list and had a few laughs. Feel free to point out ways to get around these annoyances, and of course, let me know if any are just a result of my own ignorance. :-)
Have a great week!
The 8th annual O'Reilly Open Source Convention is returning to Portland this July (24 Jul - 26 Jul). It's easily my favorite conference, partly because of its diversity - the best of the best from all of the open source disciplines are there, and the cross-pollination is enriching.
Of course, conferences are expensive, especially if you have to pay your own way. Want to know the secret? Propose a talk, and you might get in for free! :-) The OSCON deadline is this Monday (you can still submit talks on Monday), so there's still time.
This year also brings us the inaugural NYPHP Conference, being held at the historic New Yorker Hotel on 34th St. NYPHP is a great user group, and I'm sure this will be a great conference. Let me know if you plan to attend - maybe we can schedule a PHPers dinner. :-)
Just remember the secret - submit a talk for NYPHPCon, and you might get a chance to attend for free. We all benefit from more diversity - I'd love to see what other PHP developers are up to.
For those who missed the news, Luke Welling (of PHP's "Luke and Laura") has started blogging. It was via his blog that I learned of Waterfall 2006, sure to be one of the best conferences this year. Talks include gems such as:
- Pair Managing: Two Managers per Programmer
- Testing: Saving the Best for Last
Of course, PHP developers will be particularly interested in Luke's talk:
From the abstract:
Naturally, the first phase is requirement gathering. Fortunately, there is only one requirement - a catchy domain name.
There's also a tip of the hat to Mark Fletcher (who can build anything in three months):
The only thing set in stone about the implementation phase is that it must take three months.
This is all taking place on 01 Apr 2006 at Niagara Falls. Be sure to register now, because this conference is sure to sell out in record time!
A little more than a week ago, I received an email from Robert Peake. According to the subject, it was a reply to an ongoing discussion we had been having. The contents of the email, however, were tragic. Robert and his wife had just lost their first-born son, James Valentine Peake.
This news hit me hard. I replied to his email, trying to put into words the sympathy I felt for him and his family, but expressing such things isn't easy. I hesitated to share the news, because I know different people handle tragedy in different ways. Some appreciate the support of friends and family, and some prefer to mourn in isolation.
Just before the weekend, Robert shared the sad news himself:
James Valentine Peake was born on Tuesday, January 24th by emergency Caesarian section. He lived only three days, and died in my arms on Friday, January 27th.
If you know Robert, please take a moment to send him a message of support, and let this remind us all of the important things in life.
In the tradition of test-more.php, Mike Lively adds to the growing list of reasons to be using TAP (Test Anything Protocol) by creating test-harness.php, a TAP-compliant PHP testing harness. This provides yet another testing option for PHP developers:
- Easy: Apache-Test (with any TAP-compliant library)
- Easier: test-harness.php (with any TAP-compliant library)
- Easiest: test-more.php
Are you testing your PHP applications yet?
I can never remember the PHP Easter egg strings, so I'm putting them in my blog. This probably isn't news to anyone, but here they are for reference:
- PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 - PHP Credits
- PHPE9568F34-D428-11d2-A769-00AA001ACF42 - PHP Logo
- PHPE9568F35-D428-11d2-A769-00AA001ACF42 - Zend Logo
- PHPE9568F36-D428-11d2-A769-00AA001ACF42 - Easter Egg
Here's an example usage:
The current Easter egg is Zeev's dog Scotch:
It used to be Stig's dog Nadia (thanks to Ilia for confirming this):
If you've been using PHP for a while, you probably remember this picture of Thies:
The logo displayed on a phpinfo() page uses the PHP logo string except on April Fool's Day (01 Apr), when it uses the Easter egg string instead, giving some people quite a surprise.
These strings are useful for determining whether a particular URL is a PHP resource. For example, 37signals (the creators of Ruby on Rails) use PHP for their web site:
They also use PHP for the web sites of Basecamp, Backpack, and even Ruby on Rails.
Note: If you want to find these in the source, they're in ext/standard/info.h. If you want to disable them, set expose_php to Off.
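Added example (not code from the original post): a small Python audit you can point at one of your own PHP scripts to confirm that expose_php is Off, i.e. that none of the four strings above is honoured. The http_fetch helper, the audit_expose_php function, and the assumptions that the logo eggs come back as an image and the credits egg as HTML containing "PHP Credits" are mine, not stated on the page.

```python
"""Audit one of your own PHP URLs for the Easter egg responses."""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit, urlunsplit

# The four Easter egg strings listed in the post.
PHP_CREDITS = "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"
PHP_LOGO = "PHPE9568F34-D428-11d2-A769-00AA001ACF42"
ZEND_LOGO = "PHPE9568F35-D428-11d2-A769-00AA001ACF42"
EASTER_EGG = "PHPE9568F36-D428-11d2-A769-00AA001ACF42"

EGGS = {
    "credits": PHP_CREDITS,
    "php_logo": PHP_LOGO,
    "zend_logo": ZEND_LOGO,
    "easter_egg": EASTER_EGG,
}

Fetch = Callable[[str], Tuple[str, bytes]]


def egg_url(url: str, egg: str) -> str:
    """Return `url` with its query string replaced by `?=<egg>`.

    PHP only honours the egg when the whole query string is `=<egg>`, so
    any existing query parameters and fragment are dropped.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "=" + egg, ""))


def served_egg(baseline_type: str, egg_type: str, egg_body: bytes) -> bool:
    """Decide whether the egg request was honoured, by comparing it with a
    baseline request for the same URL without the egg query string.

    Assumption (mine): logo eggs arrive as an image where the baseline was
    not one; the credits egg arrives as HTML containing "PHP Credits".
    """
    base = baseline_type.split(";")[0].strip().lower()
    egg = egg_type.split(";")[0].strip().lower()
    if egg.startswith("image/") and not base.startswith("image/"):
        return True
    return egg == "text/html" and b"PHP Credits" in egg_body


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[str, bytes]:
    """Fetch `url` with the standard library; returns (Content-Type, body).

    Error responses are returned too: a 404 baseline still lets us see
    whether the egg query changes what the server sends back.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "expose-php-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.headers.get("Content-Type", ""), err.read()


def audit_expose_php(url: str, fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Return {egg_name: honoured?} for each Easter egg string.

    All False is what a hardened server (expose_php = Off) returns; any
    True means PHP is announcing itself on that URL.
    """
    baseline_type, _ = fetch(url)
    results = {}
    for name, egg in EGGS.items():
        egg_type, egg_body = fetch(egg_url(url, egg))
        results[name] = served_egg(baseline_type, egg_type, egg_body)
    return results


if __name__ == "__main__":
    # Usage: python audit.py http://your-host/some-existing-script.php
    for name, exposed in audit_expose_php(sys.argv[1]).items():
        print(f"{name:12s} {'EXPOSED' if exposed else 'ok'}")
```

Point it at a script that actually exists on the server, because with mod_php a missing file is answered by Apache before PHP ever sees the query string.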
Update: Jeff Moore has written a compelling argument suggesting that Rails is for flexies.
I'm glad to see all of the hype surrounding Ruby on Rails lately. I've always been an advocate of open source software, and Ruby (particularly Ruby on Rails) is yet another feather in the cap. I'm not afraid to say it - I'm glad Rails exists.
I do think it's good to maintain some perspective, and some Ruby fans are more than a bit overzealous. Ruby on Rails is a niche technology, and although all signs indicate that its popularity is growing rapidly, it's a bit premature to be thinking that it will dethrone existing technologies. In fact, history has shown that technologies can happily coexist, even if they target the same problem space. The success of Rails doesn't depend on another technology's failure.
Like Andi, I don't see Rails as a direct competitor to PHP, but my reasoning is a bit different. Both target the web problem, sure, but the ideologies behind them aren't very similar. (Rails seems more like a better J2EE than a better PHP.) Those who prefer one over the other are already of a different mind.
I should elaborate, but I'm hesitant to try to explain such an ethereal topic. Recognizing tendencies can tempt one to make generalizations, and generalizations are rarely useful or accurate. However, I think recognizing tendencies can help us to understand a group of people. Web developers are a diverse group, but I think it's possible for us to be divided based upon the qualities that we tend to admire most in a technology:
- Flexible and Powerful
- Structured and Organized
Of course, these qualities aren't necessarily mutually exclusive, but there is a balance to be made in most cases. Those who prefer "Flexible and Powerful" (let's call them flexies, since they desire flexibility) like to develop in C, C++, Perl, and PHP. Those who prefer "Structured and Organized" (let's call them stiffies, since they desire structure) like to develop in Java, ASP.NET, and Rails. Flexies see stiffies as those who spend more time thinking about problems than doing anything to actually solve them. Stiffies see flexies as those who don't do enterprise development. (Some flexies appreciate structure and organization, but they prefer freedom.)
I think Java has been a burden on the web industry for years. Java apologists have tried to explain to me why it's the best choice for web development, but the truth is that history just doesn't support this stance. A web application built primarily with Java technologies tends to require more developers, more money, and more time. The finished product (if there is a finished product) tends to be substandard. Sure, some developers can make great web applications with Java, and MacGyver can make a bomb out of a stick of gum. I'll take my chances with the gum.
Rails is shaking things up by providing stiffies with a better choice for web development. (It's also lowering the barrier of entry in much the same way that PHP did for the flexies.) Those who prefer (or will prefer) Rails over PHP are probably either not using PHP today or aren't happy to be using it. (Maybe they just think it sucks less than Java and ASP.NET.) I'm glad there's an emerging technology that will let these people be happier and more productive developers. I think we'll see better web applications emerge as a result.
But, it's a bit early to think Rails will replace Java. Maturity matters. (This is especially true for stiffies.) PHP is getting a lot of attention these days in the business community (in fact, one could describe its recent growth as explosive), but many businesses still see PHP as cutting edge. This is a technology that's been around for more than a decade, yet it's considered cutting edge.
It's also important to realize that excitement is subtly different than popularity. Excitement is trendy. Ruby hasn't yet made the TIOBE Top 20 - its popularity still falls far short of Java, C, C++, PHP, and Perl. In fact, Ada and Fortran are more popular than Ruby.
If you're like me, you expect to find that Rails is used to build many of the Web 2.0 applications - you know, the kind of applications you sell to Yahoo for millions:
I sense the presence of flexies. Let's see what else they've been up to:
These are the only Web 2.0 applications I use with any consistency. I honestly expected to find many more Rails applications, so I decided to specifically look for some, and I discovered a list of Rails applications. Apparently most of the good Rails applications are developed by 37signals (they created Rails), and they're all pretty cool:
I think a larger point is that good applications are built by good developers, not technologies. Did you know what all of these applications were written in? Did you care? Be honest.
I'd like to end where I began - speaking about Rails fans. I spoke with a Rails fan the other day who had this to say:
You need to be quite a bit more of an advanced programmer to get into Rails.
This type of argument always makes me raise an eyebrow. It can be restated as "Our technology is better, and if you were smart enough, you'd agree." If I have to be smarter to use your technology, then your technology sucks.
On the Ruby on Rails site, Tim O'Reilly has this to say about it:
Ruby on Rails is a breakthrough in lowering the barriers of entry to programming.
Tim's statement does more to improve the perception of Rails. Easy is good. Let's roll with that.