Mar 11

Ilia once again shared his excellent article about web security here. The article talks about two well-known security threats, CSRF and XSS: how malicious hackers carry them out, how to prevent them, and, most importantly, why the common solutions we think have solved this problem don’t actually work.

Feb 22

Hey guys, check this out. CodeGear, the company now responsible for continuing the former Borland developer tools, announced their interesting new product this week, Delphi for PHP.


According to the data sheet, this tool has some promising features:

Integrated Development Environment

  • Integrated visual form designer
  • Two-Way-Tools automatically synchronize code and visual representations
  • Object Inspector for visual customization of components without writing code
  • Code Explorer to simplify navigation
  • Project Manager to view and organize project files
  • Structure Pane shows the hierarchy of components displayed on the designer
  • Data Explorer to browse database server-specific schema and objects

Visual Component Library for PHP (VCL for PHP)

  • Customizable palette of over 50 reusable components
  • Standard components for menus, buttons, edit fields, images, notebook tabs, grids, tree views, list boxes, combo boxes, check boxes, labels, and more
  • Database components for accessing databases, tables, queries, and stored procedures, as well as data grids and navigation
  • Extend the VCL for PHP at any time with third-party libraries or with your own components

Powerful Editing

  • Customizable source code editor
  • Color syntax highlighting
  • Code Insight to assist in the selection of properties and methods
  • Bookmarks to ease navigation through large files

Integrated Debugging

  • Integrated debugger helps find and fix errors
  • View breakpoints, local variables and global variables

Documentation and Help

  • On-line help for the IDE
  • Sample applications
  • PHP language reference

What’s more interesting to me is this,

VCL for PHP is based on the most popular open source PHP scripts and libraries, including Qooxdoo, Adodb, DynAPI, Smarty, XAjax and JSCalendar. Inspired by VCL for Delphi, the component architecture is 100 percent written in PHP. Developers can create and integrate components into the IDE and extend the existing components to fit their needs. VCL for PHP is an open source library available on SourceForge at http://sourceforge.net/projects/vcl4php.

Neat! :-)

Well, we’ll see how powerful this RAD tool will be. Delphi for PHP is scheduled to be available in March at an introductory price of $249. I’m not sure when it will be available in Indonesia, perhaps earlier than the official release .. ;-)

Feb 19

Do we need another blog software? Well, it depends on what you really expect from blogging tools. If you’re an absolute end user who uses blog software just for blogging, then you already have more than enough.

But if you need to do more, or you want to add certain customizations, or you’re a never-satisfied programmer, then you’d want to have choices.

You’d better take a look at this: a new open source blogging software, Habari.

The Swahili word habari translates to ‘news’, as in ‘what’s the news?’ Blogs — personal and professional — are all about spreading the news, so what better name to apply to blogging software?

Habari represents a fresh start to the idea of blogging. The system is fast, easy to use, and easy to modify. New users should have no problem using and enjoying Habari. Advanced users should have no problem tweaking Habari to do exactly what they need it to do.

Habari relies on PHP5 with PHP Data Objects (PDO), and your choice of SQL database (MySQL, PostgreSQL, SQLite). Habari is strongly object oriented, and implements the full suite of the Atom Publishing Protocol. User-created plugins make Habari do nearly anything imaginable, and a robust theme system permits the use of several popular templating solutions.

There are three reasons why you might want to try this out,

First, it’s built from scratch, i.e. it’s a clean slate.

Imagine starting on the ground floor. There were no precedents, no stringent codebase that couldn’t be altered, no existing userbase that might be confused, and the list goes on.

Second, it uses object-oriented PHP 5 style, which means it’s simpler, more elegant in design and easily extensible. No need for hundreds more lines of code when several simple functions already exist in PHP 5.

Third, the developers behind this project have plenty of experience with another popular blogging software.

Don’t get me wrong, WordPress is great. But it was built back when we were still using PHP 4. As Stefan Esser said,

From my point of view, WordPress is not well designed. This starts for example with the fact that they are escaping all input for the database in the beginning, and later when issuing the queries they just put variables directly into the query. The bug I released (charset conversion SQL injection) would not have been possible if they had chosen the more common design, to escape everything right before it is put into the query. Others might argue that they should better use prepared statements and variable binding, but WordPress has to be compatible with old MySQL databases and PHP installations that do not support this. Another problem of WordPress is that it is sooo user friendly that it spits out detailed error messages when a SQL query fails, such that a potential attacker can gain information about the query. This for example leaks the database table prefix.

The problem with many of these big PHP applications like WordPress and PHPBB is that they were started in the days when security was not taken so seriously, and from that day they have grown and grown. In many cases it would have been better to just rewrite them from scratch, but that is of course a lot of work and most people don’t like the idea.

Alright, kids. Grab the source, join the group and spread the word, habari!
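The two design flaws Esser describes above (escaping all input on entry and then interpolating later, and showing the visitor detailed SQL errors) side by side with the prepare-and-bind approach that PDO offers. This is an added example, not code from the page, WordPress or Habari; the table prefix, the request value and the SQLite in-memory database are constructed for the demonstration.

```php
<?php
// Added example, not code from WordPress or Habari. Runs offline with PDO + SQLite
// (php -f this_file.php). All data below is constructed for illustration.

$prefix = 'blog_';                      // hypothetical table prefix from the blog's config
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE {$prefix}posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT)");
$db->exec("INSERT INTO {$prefix}posts (slug, title) VALUES ('hello', 'Hello world')");

// Anti-pattern: escape every input value once, on entry, with a function that knows
// nothing about the connection's charset or about what happens to the value later.
function escape_all(array $input) {
    return array_map('addslashes', $input);
}

// The early escaping is useless here: the value is decoded again afterwards, and the
// decoded string is interpolated straight into the SQL text (Esser's first point).
function find_post_unsafe(PDO $db, array $req, $prefix) {
    $slug = urldecode($req['slug']);
    $sql  = "SELECT id, title FROM {$prefix}posts WHERE slug = '$slug'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: transform first, then hand the final value to the driver as a bound
// parameter. Escaping is decided by the connection, right before the query runs.
function find_post_safe(PDO $db, array $req, $prefix) {
    $slug = urldecode($req['slug']);
    $stmt = $db->prepare("SELECT id, title FROM {$prefix}posts WHERE slug = :slug");
    $stmt->execute(array(':slug' => $slug));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: a slug carrying a URL-encoded apostrophe, as a browser sends it.
// addslashes() sees no quote in "o%27reilly", so the "escaped" value is unchanged.
$request = escape_all(array('slug' => 'o%27reilly'));

try {
    find_post_unsafe($db, $request, $prefix);
} catch (PDOException $e) {
    // Esser's second point: printing the driver message and the failed $sql to the
    // visitor reveals the table prefix. Keep the detail in the server log only.
    error_log('DB error: ' . $e->getMessage());
    echo "Unsafe variant: query failed; details written to the server log only.\n";
}

// The bound variant treats the apostrophe as data: no error, simply no matching row.
$rows = find_post_safe($db, $request, $prefix);
echo 'Safe variant: ' . count($rows) . " row(s) matched.\n";
```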

Feb 17


Many of you use WordPress as your blogging platform, but only a few of you might know who the guy behind this popular web app is.

Matt Mullenweg is the founding developer of WordPress. He is a young, talented developer who lives in San Francisco, California. He writes a nice blog at photomatt.net, which I believe is the first WordPress blog in the world.

Edgework's Brian Oberkirch talked to Matt in a 49:30-minute interview. You should listen to it. Matt talked about WordPress, Akismet and the zen of web product development.

Like many other open source project leaders, Matt is a nice and wise guy. He knows very well how to manage a team of developers, and how and when to deliver a product to the end users, including acting on any feedback from them.

There's a part in that interview where he shares a funny story behind Akismet, the anti-spam system for the blogosphere. Some time before he released Akismet to the public, his mom visited him in San Francisco and lived with him for five weeks, until at a certain point she decided to start a blog of her own.

Worried that his mom would also get spam advertising porn sites and would think that this is what her son does all the time, Matt pushed Akismet's team to make a release version as soon as possible. :-)

Feb 15

“If my apps run well on PHP 4, why would I bother taking the risk of upgrading them to PHP 5?”

That’s what most people say when they’re asked to upgrade to PHP 5.

Well, if you are really a big fan of PHP 4, you should consider upgrading to PHP 4.4.5, the newest release of the PHP 4.x series. As Derick said, this release addresses most of the same issues as PHP 5.2.1.

Anyway, people are still complaining about incompatibility issues between PHP 4 and PHP 5. They’re screaming about blank pages or a bunch of errors when they upgrade to PHP 5.

I don’t know about you, but I don’t really mind that. Sometimes it is a good thing when your apps stop working after a new patch is applied. That tells us something is wrong with our code. Maybe it contains security holes which, for our own sake, shouldn’t be working at all.

When your door stops making a sound after you replace it with a new one, that must be a good thing, right?

Feb 13

Nexen has released PHP stats for January 2007. These stats were generated from the survey they made of about 9.2 million servers hosted on 2.2 million IPs around the world.

What shocked me a bit is the adoption of PHP 5 versus the older version, as shown here:


Although it keeps rising, the usage of PHP 5 (14.08%) is still very small compared to PHP 4 (85.25%).

I mean, PHP 5 has been around for quite some time now. It’s been almost three years since the first PHP 5.x release. So there is no way this is caused by unfamiliarity.

The compatibility issues between PHP 4 and PHP 5 are also no excuse. The PHP 5 core team has been working hard to make the migration painless. As you can see from the talk here, the vast majority of PHP 4 code will work fine on PHP 5.

I’m not a security expert, but if you take a minute to look at the open PHP 4 bugs, you’ll see that most of them include notes indicating that they have been resolved in PHP 5. I’m telling you, PHP 5 is more stable and secure.

I think the only reason for this slow adoption of PHP 5 is the PHP installation base on servers, which most of the time is beyond the developer’s control.

From the developer’s perspective, it is much more comfortable to build web apps using PHP 5. But when they have to host their apps on shared hosting or install them on a client’s server, there is nothing they can do except adapt their apps to whatever is installed.

Currently I’m working on a project for a cellular market leader company in Indonesia. This company has strict rules to protect its internal network security. No one can install any program on their computer without written permission from certain people, let alone touch the server. And they happen to have PHP 4.3.9 installed on their server.

I have to work my a** really hard just to do certain things which in PHP 5 are just a matter of using a single built-in function. And they keep complaining about the speed. Why not use PHP 5 then?

Feb 09

Ilia Alshanetsky, the project manager of the PHP 5.x series, announced the release of PHP 5.2.1 today. You can read more about this release in its official announcement here.

As usual, there are many security enhancements in this newest release of the PHP 5.x series. As Ilia put it,

Given the significant number of security issues that were resolved, my recommendation is that all users of PHP, especially those running really old versions (You know who you are ;-) ) consider upgrading to this release as soon as possible. Not only will the security of your setup increase, but the stability and the performance of your PHP will improve as well.

One of the security issues that has been fixed, which is interesting to me, is preventing search engines from indexing the PHPINFO() page. I posted about this issue a couple of months ago (in Bahasa). You can read more about it in Ilia’s blog. It’s a simple fix, but very important for a sloppy programmer like me. :-)

There are also many improvements in terms of performance, especially in the Windows environment. Which is why I’m so excited about this release; I’m downloading it now to see how fast it goes.

Feb 06

Good news for LAMP (Linux, Apache, MySQL & PHP) programmers: there is a new alternative way to connect PHP and MySQL, mysqlnd (MySQL native driver). It is an alternative to the libmysql driver we are currently using.

The good thing about this driver is that it’s licensed under the PHP license and it’s being developed by MySQL developers for the PHP group until it reaches a stable version. So hopefully this will improve the MySQL+PHP connection.

The current version is still in alpha and requires PHP 6. But as Uber Nixnutz said, future versions of mysqlnd will also support PHP 5, once the missing core functionality between PHP 5 and PHP 6 has been implemented.