Tim Anderson’s ITWriting

Tech writing blog

May 9th, 2009

Is Zend really the PHP company?

I’m at Yahoo! Hack day in London – not hacking, but here for sessions on topics such as YUI (Yahoo! User Interface Library) and PHP.

I had a brief chat with Rasmus Lerdorf who is speaking later. I asked him about Zend, which presents itself as the PHP company (that is actually the slogan on its web site). Is it really?

Lerdorf says Zend has no special status. While acknowledging its contribution, he says there are 1300 PHP committers, and only 6 work for Zend. He emphasises that PHP is a community project and that decisions are made by consensus, influenced by who is actually willing to write the code, not by Zend or any company.

I also asked about PDT (PHP Development Tools), the Eclipse-based open source IDE. Lerdorf says there are lots of PHP IDEs, and people who use generic editors for PHP, and none has any more status than any other; he doesn’t use PDT.

From my perspective as press, there are only two organizations who ever encourage me to write about PHP. One is Zend; the other is Microsoft, keen to establish Windows as a credible PHP platform (Lerdorf says PHP on Windows has made enormous progress in the last couple of years). Zend does seem to do more than any other company to promote PHP for commercial and corporate development.

Lerdorf is not surprised. We’re developers, he says, we don’t do PR.

Zend’s effort is broadly beneficial to the PHP community – provided that it does not give a false impression of who owns PHP.

January 23rd, 2009

Microsoft Expression Web causes PHP error

I ran into a strange and surprising PHP error today. I’m working on a little PHP application which has a login page. The login script calls session_start() to start or resume a PHP session. It was working OK so I decided to decorate the page a little (I was working in Eclipse). I like to try a variety of tools, so I ran up Microsoft’s Expression Web, added an image, then re-ran the script to see how it looked.

The answer was not good, because I now had an error:

Warning: session_start(): Cannot send session cookie – headers already sent

I puzzled over this for some time. The error was in line 0 of my login page. I couldn’t see anything that was different from before, except the static image that meant nothing to PHP.

Eventually I worked it out. Eclipse (running on Windows) created the PHP files using ANSI. On saving, Expression Web silently changed them to UTF-8. That in itself was no bad thing – it’s usually a better choice – though I reckon it should ask. The bigger problem was that Expression also added a BOM (byte order mark) to the beginning of the file. This is actually optional for UTF-8, and most non-Windows editors do not add it. It happens to flummox PHP, which interprets it who-knows-how and sends some output to the browser, preventing session_start from working.

This is particularly painful to debug since most editors do not display the BOM; they simply use it to confirm the character set in use. So you can have file A which works, and file B which does not, and they are character-by-character identical.
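An added example, not part of the original post: PHP sends any bytes that sit ahead of the opening `<?php` tag to the browser as output, which is why a BOM stops the session cookie header being sent. The Python sketch below finds and strips a leading UTF-8 BOM from .php files; the file names and sample script are constructed for illustration.

```python
import codecs
import tempfile
from pathlib import Path

BOM = codecs.BOM_UTF8  # the three bytes EF BB BF


def scan(root):
    """Return the .php files under root that start with a UTF-8 BOM, sorted."""
    return sorted(p for p in Path(root).rglob("*.php")
                  if p.read_bytes().startswith(BOM))


def strip_bom(path):
    """Remove a leading BOM in place. Returns True if the file was changed."""
    data = path.read_bytes()
    if not data.startswith(BOM):
        return False
    path.write_bytes(data[len(BOM):])
    return True


def demo():
    """Build two constructed login scripts, one with a BOM, and clean them."""
    script = b'<?php\nsession_start();\n?>\n<img src="logo.png">\n'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plain = root / "login_eclipse.php"        # constructed sample
        marked = root / "login_expression.php"    # constructed sample
        plain.write_bytes(script)
        marked.write_bytes(BOM + script)

        # Decoded the way a BOM-aware editor does it, the files look the same.
        same_text = (plain.read_text(encoding="utf-8-sig")
                     == marked.read_text(encoding="utf-8-sig"))
        # Compared as raw bytes, they differ.
        same_bytes_before = plain.read_bytes() == marked.read_bytes()

        flagged = [p.name for p in scan(root)]
        fixed = [p.name for p in scan(root) if strip_bom(p)]
        remaining = [p.name for p in scan(root)]
        same_bytes_after = plain.read_bytes() == marked.read_bytes()

    return {
        "same_text": same_text,
        "same_bytes_before": same_bytes_before,
        "flagged": flagged,
        "fixed": fixed,
        "remaining": remaining,
        "same_bytes_after": same_bytes_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `scan()` over a project as a pre-deploy check catches the BOM when an editor writes it back.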

One way to see and remove the BOM is to open it with Edit.com, which does not understand it at all.

I guess both Expression and PHP could do better here. The bit that puzzles me is that I can’t be the first to run into this. Doesn’t Microsoft know that its UTF-8 BOM breaks PHP files, at least on the two versions I tried (XAMPP on Windows and PHP 5.2.1 on Linux)? I can’t even see a preference in Expression that would prevent it being written. And if you remove it, and then re-edit in Expression, it carefully writes it back. Unlike Adobe’s Dreamweaver, which leaves well alone.

PS if you want to know all about BOMs, see here.

Update: See comments – apparently this was fixed in Expression Web 2.0. Tina Clarke discusses the problem here.

November 3rd, 2008

Salesforce.com linking with Facebook, Amazon

I’m at the Dreamforce conference in San Francisco, where Marc Benioff, CEO of Salesforce.com, and co-founder Parker Harris, are presenting new features in the force.com platform.

The first is a built-in ability to publish your Force.com data as a public web site. The service is currently in “developer preview” and set for full release in 2009. Even in preview, it’s priced per page view on your site. For example, if you have the low-end Group Edition, you get 50,000 page views free; but if you exceed that limit, you pay $1000 per month for up to 1,000,000 further page views. It would be unfortunate if you had 50,001 page views one month.

The second announcement relates to Facebook integration. This is a set of tools and services that lets you use Facebook APIs within a Force.com application, and create Facebook applications that use force.com data. Sheryl Sandberg, Facebook COO, says this is “Enterprise meets social”. The problem: Facebook is consumer-focused, more play than work. Sandberg says this deal will launch Facebook into the Enterprise. This will be an interesting one to watch.

Third, there are new tools linking Force.com with Amazon’s S3 and EC2. Tools for S3 wrap Amazon’s API with Apex code (Apex is the language of Force.com) so you can easily add unlimited storage to your Force.com application. Tools for EC2 delivers pre-built Amazon Virtual Machines (AMIs) that have libraries for accessing Force.com data and applications. The first AMI is for PHP, and simplifies the business of building a PHP application that extends a Force.com solution.

Interesting that Salesforce.com is providing two new ways to build public web sites that link to Force.com – one on its own platform, the other using PHP and in future Ruby, Java (I presume) etc.

It’s worth noting that you could already do this by using the SOAP API for Force.com, and there are already wrappers for languages including PHP. This is mainly about simplifying what you could already do.

More information is at developer.force.com.

October 21st, 2008

When will PHP Developer Tools be mainstream at Eclipse?

I’ve been doing a little PHP work and enjoying it; I like PHP 5.x much better than earlier versions. My PHP development setup is based on Eclipse and the PHP Developer Tools project, or PDT, and one thing I noticed when I set this up is that it is awkward to use PDT with Eclipse 3.4, or Ganymede. I ran into problems again when I updated my Ganymede Eclipse to the latest releases, this time on Windows as it happens. PDT stopped working, and I had to download a newer “integration build” of PDT as well as an update to the Eclipse Dynamic Languages Toolkit (DLTK), using a manual download and import process instead of the built-in Eclipse online update. I also had to remove the Ruby Development Tools as these relied on an earlier version of the DLTK; there might be a way round this but my priority was to get PDT working.

I’m getting this pain because I want to use PDT 2.0 and Eclipse 3.4, instead of the older PDT 1.0.3 which has an all-in-one download based on Eclipse 3.3. “All-in-one” means that you download a bundle which includes both Eclipse and PDT, and treat it as a separate standalone IDE. The question though: why wasn’t the PDT properly integrated with Ganymede, which brings together multiple Eclipse projects with the promise that they will all work together?

I looked in the Eclipse PDT newsgroup and found some discussion on the subject. Apparently the PDT team felt it was just too difficult to manage the dependencies. More depressing is that apparently the team feels the same way about Galileo, the follow-up to Ganymede expected in June 2009. It means that the PDT stays outside the mainstream of Eclipse projects, reducing its visibility.

Conspiracy theorists might surmise that major PDT contributors like Zend, which has its own commercial IDE called Zend Studio which uses both Eclipse and PDT, might enjoy keeping the free version low-profile. That (or some other reason) might also explain why Zend Studio uses a 1.x version of PDT along with Eclipse 3.4, which is not meant to work. It turns out that Zend Studio uses PDT 1.0.5, whereas the latest public download (unless you go directly to the source) is 1.0.3. If 1.0.5 works fine with Eclipse 3.4, why isn’t the public all-in-one based on this combination?

I like the PDT, and my patched together Ganymede + PDT 2.x works very well. Debugging seems more stable since I updated it. Personally I’d like to see PDT get more prominence within the Eclipse community, and for it to be packaged as part of Galileo rather than being left on the sidelines.

October 10th, 2008

Future of Web Apps 2008 Day One: Web is DVD, desktop VHS

I’m at London’s dreary Excel centre for Carson’s Future of Web Apps conference, just before the opening of day two. Yesterday was a mixed bag; good when speakers talk technical; bad when they descend into marketing. The origins of the conference are as a start-up incubator; developers and entrepreneurs getting together to see what’s new and make contacts. It still has some of that flavour, but it has grown beyond that because web apps are a mainstream topic and Carson attracts generally excellent speakers. There is a good crowd here; I’m not sure if every last ticket sold, but it is pretty much packed out, though the dark economic mood is dampening spirits.

Digg’s Kevin Rose spoke briefly about his site’s new recommendation engine, which has been active since July or so. The idea is that Digg learns a user’s profile by examining clicks and votes, using it to customize what the user sees. He spoke about a forthcoming feature, where third-party sites will be able to call the Digg recommendation engine to get profile information that it can then use to customize its own site.

An interesting idea; though it raises several questions. How does it work – would logging out of Digg be sufficient to disable it? Will users opt-out or opt-in? How much of this kind of customization do we want anyway?

This whole theme of contextualization is a big one here; it ties in closely with social networking, and Google’s OpenSocial API is getting quite a bit of attention.

Blaine Cook (ex Twitter now Yahoo, Ruby guy and inventor of OAuth) gave a thought-provoking session on scalability along with Joe Stump from Digg (and a PHP guy). They took the line that languages don’t matter – partly a reflection on Twitter’s scaling problems and whether it was Ruby’s fault. Other factors make language efficiency unimportant, they said, such as disk I/O and network speed; and the secret of scaling is multiple and redundant cheap boxes and apps which are segmented so that no one box is a bottleneck. The case was overstated but the main points strike me as sound.

I’m wondering how many of the developers here are actually having to deal with these kinds of scalability problems. Many web apps get only light use; the problems for everyday developers are different.

I attended a session entitled "The future of Enterprise Web Apps" by Googler Kevin Marks. It turned out to be a plug for the OpenSocial API; not what I was expecting.

Francisco Tolmasky of 280slides.com evangelised his Objective-J and Cappuccino JavaScript framework, based loosely on Apple’s Cocoa framework. Hmm, bit like SproutCore.

I give Tolmasky credit for the most striking analogy of the day. The Web is DVD, he says, and the desktop VHS. Adobe’s AIR is a combo player. He is talking about transition and leaving us in no doubt about what he sees as the future of the desktop.

Best sessions of the day (that I attended) were Blaine Cook on Jabber and its XMPP protocol, and David Recordon from SixApart on the evolving Internet "open stack". In this he includes:

  • OpenID + hCard for identity
  • XRDS-Simple for discovery (http://is.gd/3M53)
  • OAuth for authentication
  • ATOM and POCO (or PorC – Portable Contacts)
  • OpenSocial

I put these two sessions together because they both addressed the "Web as platform" topic that is really the heart of why we are here. Spotting which APIs and protocols will win is tricky; but if consensus is reached on some or all of these, they will impact all web developers and bring new coherence to what we are doing.

I’ll be covering today on Twitter again – see here if you want to follow.

September 16th, 2008

Zend PHP Framework adds support for Adobe Flex, AMF

The PHP company Zend has announced a collaboration with Adobe to integrate AMF (Action Message Format) into the Zend Framework. AMF is a binary format which is more efficient for transmitting data than text-based formats like XML or JSON. Zend and Adobe are also collaborating to improve their tools for work with applications that use PHP on the server and Flex or AIR on the client.

More info here.

July 9th, 2008

Debugging PHP code to fix a WordPress problem

How do you debug a PHP application? Traditionally developers resort to outputting variable values to HTML, or peering through logs, but why not set breakpoints and step through code just as you would in C# or Java? Maybe because it can take some effort to set this up, as I was reminded today.

I was motivated by an annoying WordPress problem which I’ve blogged about before. For historical reasons, I have a lot of subscribers to an old RSS url which delivers the feed in the now deprecated RSS 0.92 format. I prefer to have a full text feed, and this used to work fine with WordPress, which placed the entire blog post in the element of the feed.

At some point this stopped working, and subscribers got a summary only. In fact, the feed broke completely for a while, after I switched to pretty permalinks; but even after fixing that, I still had the problem with summary items. I tried upping the length of the description, but it was delivered without any HTML formatting so that did not work.

Next I tried the WordPress support forums. There are lots of good folk there; but if you review the posts it’s clear that many queries go unanswered. That’s nobody’s fault; it is a community, and for whatever reason there seem to be more people seeking help than there are experts with the time to give free advice.

So how about debugging the PHP code and working out what was happening? It seemed a good opportunity to try the latest Eclipse Ganymede, released a couple of weeks ago, along with the PHP Development Tools (PDT). I also figured it would be easier to set this up on Linux, to match what I use on the web server. I used the same Ubuntu on VirtualBox setup that worked well for trying out SproutCore. It worked…

Debugging PHP with Eclipse Ganymede

…but I can’t pretend it was wholly straightforward. Here’s how it went. I installed the latest Ubuntu distro versions of Apache, MySql and PHP – easy. Ubuntu’s Eclipse is not the latest, so I downloaded it from the Eclipse site and used some tips to set it up tidily. Note: make sure Sun Java is installed; I set it as the default JVM. Adding the PHP development tools was more fiddly. I’d half expected this to be part of a standard Eclipse download by now, but it is not, and if you try to install it into Ganymede using the standard update site it does not work because of dependency issues (a big problem with Eclipse). You have to download a 2.0.0 build from here instead.

I’d decided to use the Zend debugger – that’s a separate Eclipse update too, as explained here. Note that even after updating Eclipse, you still have to install the separate Zend debugger server from here, if you want to debug real web applications. I had a few problems getting this working, mainly because of the zend_debugger.allow_hosts directive which you have to edit in php.ini, and which is not brilliantly documented.

I replicated my blog on the Ubuntu virtual box – easy. But how do you get your Eclipse PHP project pointing at this existing code? The method I settled on after a couple of experiments was to start a new PHP project, uncheck the Use default option for project contents, and select the blog directory in /var/www. You then get a scary dialog which observes that files already exist. You can either create your project as a subdirectory, in which case you cannot debug with the existing files, or else pass the scary warning:

Create project in /var/www/blog
(Deleting the project will delete the entire /var/www/blog folder)

I mis-read this at first, thinking it would delete all the files when creating the project. That’s not what it says. Everything was a backup anyway, so I took the plunge; it worked fine. In fact, if you look closely at the screenshot above you can see that it is nicely done. You can see the call stack at top left, current variable values, output as it is being generated, and the usual options to step into or over the code.

That said, I did have some problems with Step Into. Just when it was going to be most useful, it bombed out with a message that said Error. If you looked at the detail, that also just said Error. The only fix I found was to set breakpoints in the actual file I needed to debug.

Still, it worked. I found that by adding a single argument to a line in feed-rss.php I could get my full text feed back. I’ve duly reported this in the WordPress support forums.

A couple of observations.

First, I don’t much like the WordPress code. Sorry, because the product is marvelous, but the code seems like a typical PHP tangle. Using pretty permalinks, which I regret, makes it worse.

Second, are there not plenty of developers who use both Java and PHP and would like it to be a tiny bit easier to set up in Eclipse? I’m being a little unfair, since Ganymede is just out and I guess the PDT will integrate better with it soon. Even so, Eclipse is still not quite the smooth plug-in dream that I once hoped it would become.

Note that if you don’t mind paying, you can have Zend Studio which I should think makes life easier. Or perhaps Delphi for PHP.

June 25th, 2008

Windows server compromised by PHP application

Susan Bradley has posted her analysis of how her Windows server was hacked.

This is interesting to me, as Bradley is an expert on server administration and patching; I’m glad she has had the courage to post all these details, thus benefiting the community, rather than pretending the server was down for emergency maintenance or the like.

She thinks it was a security bug in IceWarp Web Mail. This appears to be a PHP application. Although the bug has been fixed, she was running an old version because the new one broke some important features.

The explanation sounds plausible to me. So is it applications rather than operating systems that form the most critical security weaknesses today? Yes, but both are involved. I would be interested to know whether the same bug in a Linux installation of IceWarp would have been equally easy to escalate to the entire OS.

May 15th, 2008

Cenzic web app report highlights security problems

Will we ever get a secure Internet? There’s no cause for optimism in the latest Cenzic report into web app security. A few highlights:

  • 7 out of 10 Web applications analyzed by Cenzic were found vulnerable to Cross-Site Scripting attacks
  • 70% of Internet vulnerabilities are in web applications
  • Firefox has the most reported browser vulnerabilities at 40%; IE is 23%
  • Weak session management, SQL Injection, and poor authentication remain very common problems
  • 33% of all reported vulnerabilities are caused by insecure PHP coding, compared to 1% caused by insecurities in PHP itself.

OK, it’s another report from a security company with an interest in hyping the figures; but I found this one more plausible than some.

The PHP remarks are interesting; it would be good to see equivalent figures for ASP.NET and Java.
