Category Archives: php

Zend PHP Framework adds support for Adobe Flex, AMF

The PHP company Zend has announced a collaboration with Adobe to integrate AMF (Action Message Format) into the Zend Framework. AMF is an efficient binary format which is more efficient for transmitting data than text-based formats like XML or JSON. Zend and Adobe are also collaborating to improve their tools for work with applications that use PHP on the server and Flex or AIR on the client.

More info here.

Technorati tags: , , , , ,

Debugging PHP code to fix a WordPress problem

How do you debug a PHP application? Traditionally developers resort to outputting variable values to HTML, or peering through logs, but why not set breakpoints and step through code just as you would in C# or Java? Maybe because it can take some effort to set this up, as I was reminded today.

I was motivated by an annoying WordPress problem which I’ve blogged about before. For historical reasons, I have a lot of subscribers to an old RSS url which delivers the feed in the now deprecated RSS 0.92 format. I prefer to have a full text feed, and this used to work fine with WordPress, which placed the entire blog post in the element of the feed.

At some point this stopped working, and subscribers got a summary only. In fact, the feed broke completely for a while, after I switched to pretty permalinks; but even after fixing that, I still had the problem with summary items. I tried upping the length of the description, but it was delivered without any HTML formatting so that did not work.

Next I tried the WordPress support forums. There are lots of good folk there; but if you review the posts its clear that many queries go unanswered. That’s nobody’s fault; it is a community, and for whatever reason there seem to be more people seeking help than there are experts with the time to give free advice.

So how about debugging the PHP code and working out what was happening? It seemed a good opportunity to try the latest Eclipse Ganymede, released a couple of weeks ago, along with the PHP Development Tools (PDT). I also figured it would be easier to set this up on Linux, to match what I use on the web server. I used the same Ubuntu on VirtualBox setup that worked well for trying out SproutCore. It worked…

Debugging PHP with Eclipse Ganymede

…but I can’t pretend it was wholly straightforward. Here’s how it went. I installed the latest Ubuntu distro versions of Apache, MySql and PHP – easy. Ubuntu’s Eclipse is not the latest, so I downloaded it from the Eclipse site and used some tips to set it up tidily. Note: make sure Sun Java is installed; I set it as the default JVM. Adding the PHP development tools was more fiddly. I’d half expected this to be part of a standard Eclipse download by now, but it is not, and if you try to install it into Ganymede using the standard update site is does not work because of dependency issues (a big problem with Eclipse). You have to download a 2.0.0 build from here instead.

I’d decided to use the Zend debugger – that’s a separate Eclipse update too, as explained here. Note that even after updating Eclipse, you still have to install the separate Zend debugger server from here, if you want to debug real web applications. I had a few problems getting this working, mainly because of the zend_debugger.allow_hosts directive which you have to edit in php.ini, and which is not brilliantly documented.

I replicated my blog on the Ubuntu virtual box – easy. But how do you get your Eclipse PHP project pointing at this existing code? The method I settled on after a couple of experiments was to start a new PHP project, uncheck the Use default option for project contents, and select the blog directory in /var/www. You then get a scary dialog which observes that files already exist. You can either create your project as a subdirectory, in which case you cannot debug with the existing files, or else pass the scary warning:

Create project in /var/www/blog
(Deleting the project will delete the entire /var/www/blog folder)

I mis-read this at first, thinking it would delete all the files when creating the project. That’s not what it says. Everything was a backup anyway, so I took the plunge; it worked fine. In fact, if you look closely at the screenshot above (click for a full size image) you can see that it is nicely done. You can see the call stack at top left, current variable values, output as it is being generated, and the usual options to step into or over the code.

That said, I did have some problems with Step Into. Just when it was going to be most useful, it bombed out with a message that said Error. If you looked at the detail, that also just said Error. The only fix I found was to set breakpoints in the actual file I needed to debug.

Still, it worked. I found that by adding a single argument to a line in feed-rss.php I could get my full text feed back. I’ve duly reported this in the WordPress support forums.

A couple of observations.

First, I don’t much like the WordPress code. Sorry, because the product is marvelous, but the code seems like a typical PHP tangle. Using pretty permalinks, which I regret, makes it worse.

Second, are there not plenty of developers who use both Java and PHP and would like it to be a tiny bit easier to set up in Eclipse? I’m being a little unfair, since Ganymede is just out and I guess the PDT will integrate better with it soon. Even so, Eclipse is still not quite the smooth plug-in dream that I once hoped it would become.

Note that if you don’t mind paying, you can have Zend Studio which I should think makes life easier. Or perhaps Delphi for PHP.

Windows server compromised by PHP application

Susan Bradley has posted her analysis of how her Windows server was hacked.

This is interesting to me, as Bradley is an expert on server administration and patching; I’m glad she has had the courage to post all these details, thus benefiting the community, rather than pretending the server was down for emergency maintenance or the like.

She thinks it was a security bug in IceWarp Web Mail. This appears to be a PHP application. Although the bug has been fixed, she was running an old version because the new one broke some important features.

The explanation sounds plausible to me. So is it applications rather than operating systems that form the most critical security weaknesses today? Yes, but both are involved. I would be interested to know whether the same bug in a Linux installation of IcwWarp would have been equally easy to escalate to the entire OS.

Technorati tags: , , ,

Cenzic web app report highlights security problems

Will we ever get a secure Internet? There’s no cause for optimism in the latest Cenzic report into web app security. A few highlights:

  • 7 out of 10 Web applications analyzed by Cenzic were found vulnerable to Cross-Site Scripting attacks
  • 70% of Internet vulnerabilities are in web applications
  • FireFox has the most reported browser vulnerabilities at 40%; IE is 23%
  • Weak session management, SQL Injection, and poor authentication remain very common problems
  • 33% of all reported vulnerabilities are caused by insecure PHP coding, compared to 1% caused by insecurities in PHP itself.

OK, it’s another report from a security company with an interest in hyping the figures; but I found this one more plausible than some.

The PHP remarks are interesting; it would be good to see equivalent figures for ASP.NET and Java.