Category Archives: web authoring


Rasmus Lerdorf on security, hormones and PHP

PHP inventor Rasmus Lerdorf spoke yesterday at the Future of Web Apps conference in London. It was the highlight of the conference: at once funny, insightful, techie and thought-provoking.

“I had no intention of writing a language”, he told us. “I hate programming with a passion. It’s boring. It’s tedious. It’s hard. I love solving problems. You endure the pain to get to the end destination.”

In case there are any non-geeks reading, I should explain that PHP is the most popular server-side programming language on the Web. This blog is driven by a PHP application called WordPress. PHP is also free, and one of the big successes of open source.

Lerdorf related the history of PHP, which originally stood for “Personal Home Page tools”. They were little scripts he wrote for his own home page, “my own little hack to reuse the C code I had written”. He then shared his work with friends. He showed us some code samples. Here is PHP in 1994:

<!--getenv HTTP_USER_AGENT--> 
<!--ifsubstr $exec_result Mozilla--> 
Hey, you are using Netscape!<p> 

By 1995 PHP looked more like what we would recognize as PHP. By 2007 it has sprouted all sorts of modern object-oriented features and Lerdorf noted that while he understood the importance of these, it has somewhat moved away from its original intent as a quick and dirty tool.

Lerdorf made PHP a completely open source project in 1997. He was fed up with maintaining scripts for other people and realised that he could not do it alone. “No one person can possibly learn 20 different database APIs”. So he contacted all the people who had made suggestions to him, gave them access to PHP’s source on CVS (a source code management system), and relinquished control.

This was the lead-in to some reflections on why people bother to contribute to open source software. Lerdorf gives 4 reasons:

  1. Self-interest
  2. Self-expression
  3. Hormones
  4. Improve the world

The last of these is, in his view, the least important. But why hormones? His theory is that open source is one way geeks get human interaction, despite preferring keyboards and screens to going out and meeting people. It follows that factors like recognition (within their circle) and a sense of ownership are critical to successful open source projects, or even to any form of user-generated content. “You have to think about how people feel about themselves”, says Lerdorf. In fact, his comments chimed nicely with what Kevin Rose said about Digg.

Performance and security

Next, Lerdorf addressed the two major hurdles facing web applications. He is a strong believer in performance as a feature. “Unless you can make it work, there’s no point.” He dived into a couple of profiling tools to make his point, showing how to identify bottlenecks in PHP applications.

Security on the web is awful – I fully take the blame

Then security. “Security on the web today is awful. I know a lot of people blame PHP for that … I fully take the blame for some of it, but not all of it.”

What could he have done? Well, PHP does not spoonfeed security; Microsoft’s ASP.NET is actually better in that respect (my comment, not his). It could be more secure by design. On the other hand, as Lerdorf notes, “there was no such thing as cross-site scripting in 1995”. He gave us a great explanation of how cross-site scripting works; it is not the easiest thing to explain. PHP 5.2 has a new filter function for making user-input safe.
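As an added illustration (not code from Lerdorf's talk), here is a reflected cross-site scripting bug next to the same output built with the PHP 5.2 filter extension. The parameter names `name` and `page` and the sample request are constructed for the example.

```php
<?php
// Added illustration: reflected XSS and the PHP 5.2 filter extension.
// Parameter names and the sample request below are constructed.

// Vulnerable "before": the query value is copied into the page unchanged,
// so any markup in it is interpreted by the visitor's browser.
function greet_unsafe(array $query)
{
    $name = isset($query['name']) ? $query['name'] : '';
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: validate values that have a strict shape, encode free text.
function greet_safe(array $query)
{
    // Free text: < > & " ' become numeric entities, so they render as text.
    // This encoding is for HTML body text, not for script or URL contexts.
    $raw  = isset($query['name']) ? $query['name'] : '';
    $name = filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
    if ($name === false) {   // arrays and other non-scalars are rejected
        $name = '';
    }

    // Integer with a range: anything else yields false, not a "cleaned" value.
    $rawPage = isset($query['page']) ? $query['page'] : '1';
    $page = filter_var($rawPage, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 500)));
    if ($page === false) {
        $page = 1;
    }

    return '<p>Hello, ' . $name . ' (page ' . $page . ')</p>';
}

// Constructed request: a name carrying markup and a non-numeric page.
$query = array('name' => '<script>alert(1)</script>', 'page' => '2; drop');

echo greet_unsafe($query), "\n";
echo greet_safe($query), "\n";
```

In a real page, `filter_input(INPUT_GET, 'name', FILTER_SANITIZE_SPECIAL_CHARS)` reads the request value directly instead of going through an array.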

How to be safe on the web? “You can never click on a link. Sorry. Unless you understand everything in that link, and some of them are huge. You can never be sure that it is safe….most people are really easy to trick.”

Finally, Lerdorf gave us a few general comments on future directions, the possibilities opened up by geocoding in Flickr, for example. He says don’t make new portals, “We have enough portals out there.” Use the APIs published by major sites, and finally – make it fast.


More Future of Web Apps hits and misses

The Carson Future of Web Apps London conference is over; here are my quick reflections on day two.

Adobe covers old ground

Adobe’s Mark Anders (formerly at Microsoft and much involved in ASP.NET) spoke about Flex and Apollo, explaining how FlexBuilder and MXML form a developer-friendly way to compile Flash binaries; this is familiar ground for me and I was disappointed that he didn’t go into more depth, especially considering that we had a similar talk from Andrew Shorten at this event last year. Still, there were some interesting performance comparisons showing off the JIT compiler in Flash 9.0 – it is much faster for ActionScript, as I’ve confirmed with my own tests.

Chris Wilson on IE

Microsoft’s Chris Wilson (co-author of the first NCSA Mosaic for Windows) spoke on IE7; his talk was billed as “The Future of the Browser” but it was not about that, it was more of an apologia concerning why IE was frozen for 5 years between IE 6.0 and IE 7.0 (I think it is worse than that, since IE 6.0 was not really a major advance on 5.0). He gave three main reasons: in 2001 few people were building browser-based rich web apps so there seemed little point investing in the technology; in 2002 Microsoft’s security push drained resources; and complacency from lack of competition. Wilson assured us of Microsoft’s commitment to standards, reminded us of compatibility issues (“don’t break the web”), and said that we can expect better standard support, improved user experience, and further security features in future versions of IE. A good bridge-building talk.

I caught Chris Wilson afterwards and explained my disappointment with Outlook’s use of the IE7 RSS platform, which is a botch (see here for why). I’ve asked several others at Microsoft this same question and received mumbled answers and promises to follow up that have not materialized. Wilson by contrast says he is aware of the problem and that many of Microsoft’s employees are complaining about it as well; he’s turned off RSS sync in Outlook 2007 himself, for exactly this reason. He says it will be fixed somehow but gave no clues as to when; at worst it could be the next version of Office.

I also asked when we can expect IE8. Wilson says it will be no later than two years from the release of IE7, but probably close to that. IE is no longer tied to major releases of Windows itself.

Design challenges at the New York Times

Khoi Vinh is Design Director at and gave us some great insights into the problem of maintaining strong design when content is changing rapidly. In essence, he said that tools cannot keep pace with real-time, forcing compromise. He also spoke about how changing media means many-to-many interaction (not 1-to-many), and how user interface design should risk offending experts, by going for ease of use with perhaps some compromises on advanced features, rather than offending novices with UIs they cannot make sense of. Excellent talk.

The promise of OpenID

Simon Willison gave an animated talk on the future of OpenID, enthusing about the benefits of single sign-on. This was mostly a great presentation, pitched at the right level with examples, and honest about the risks and pitfalls as well as the advantages. He mentioned how Microsoft’s CardSpace helps solve the phishing problem, by moving the authentication UI into the browser, but mistakenly said this is a feature of Vista – it is not, it is a feature of .NET Framework 3.0 and available for Windows XP. (I spoke later to Chris Wilson about this, who hinted that progress in implementing CardSpace for other browsers such as FireFox and Safari is well advanced). I particularly liked the way Willison brought out some potential future benefits from a well-supported Internet identity standard, such as networks of trust enabling whitelists to combat problems like comment spam.

Google, Vodafone disappointments

After three strong presentations in a row I was feeling upbeat about this conference, but sadly it took a dive. Carson had decided to experiment with user-generated content, giving attendees the chance to put forward their own presentations; attendees voted on which ones they would like to see, and the top three got 15 minutes each. Good idea, but didn’t work well in this instance for several reasons – lack of presentation skills, not enough participation, perhaps none of the submissions was really strong enough.

Jonathan Rochelle from Google spoke on “How web built Google Docs & Spreadsheets”. I had been looking forward to this session, but it was a big disappointment, very high-level with no real insight into how the application was put together. Rochelle is too much a company man and gave little away. Then Daniel Applequist from Vodafone spoke on the mobile internet, observing that there are 1000 million XHTML-capable mobile phones versus a mere 150 million wi-fi equipped laptops. Unfortunately Applequist didn’t succeed in enthusing the conference, perhaps the mid-afternoon timing was to blame.

Great PHP talk and closing words

It was worth hanging on for Rasmus Lerdorf’s presentation on PHP. This was outstanding and I am going to post separately about it. In part this may be because I had not heard him speak before; but I really enjoyed this talk.

This post is already too long, and I’ve already posted about NetVibes, so I will close by just mentioning the entertaining Moo session from Richard Moross and Stefan Maddalinski. They love the UK’s Royal Mail.

Thanks to Carson for a thought-provoking couple of days – but please make the wi-fi work properly next time!

Netvibes Universal Widget API and OpenID

Widgets are a great concept – the user interface components of Web 2.0, perhaps? Problem: which widgets? Google Desktop? Microsoft Live? Dashboard on the Mac? Konfabulator? Or Netvibes?

Netvibes CEO Tariq Krim reckons he has the answer, announcing at the Future of Web Apps conference in London his Universal Widget API. Not sure exactly how this will work, but the idea is that you write your widget once and it runs everywhere. Dashboard and Google were specifically mentioned, along with “a bunch of others.”

After the announcement he left the stage, then dashed back, grabbed the microphone, and added a promise to support OpenID. More momentum.


Notes on the Future of Web Apps

This is the beginning of the second day at Carson’s Future of Web Apps conference in London. I was drawn by the excellent speaker line-up, including Kevin Rose from Digg, Werner Vogels who is the CTO at responsible for services including S3 and EC2 (web storage and on-demand virtual servers), Mike Arrington from TechCrunch, and PHP inventor Rasmus Lerdorf. There are also speakers from Adobe, Microsoft, Yahoo, Google, NetVibes and various other organizations flying under the Web 2.0 banner.

The first day was worthwhile but mixed. I am a little jaded I guess, having been to a number of these sorts of conferences. There is too much Web 2.0 tub-thumping, too many sales pitches, and not enough investigation of hard questions. In particular, I would like to hear more about business models. Cool free apps are great, but sustainability is important too.

I was disappointed by Werner Vogels’ talk yesterday. A shame, since I remain impressed by what Amazon is doing. He gave pretty much a repeat of what we already know about S3, EC2 and Mechanical Turk. Having heard Jeff Barr present the same stuff on two other occasions (including this same conference last year), I was hoping for more. How is S3 coping when stressed, is performance holding up, what have been the pressure points? Is the pricing sustainable (I think it is too cheap)? Why is there still no SLA? What are the main feature requests from users, and how will they be addressed?

I don’t mean to pick on Vogels; some of the same criticisms apply to other speakers.

Fortunately there is good stuff here as well. The second part of Rose’s talk on Digg was interesting and I plan to cover this separately. Bradley Horowitz from Yahoo gave a thought-provoking talk on automatic content filtering, detecting “interesting” Flickr images, and distinguishing between synonyms like Jaguar (car) and Jaguar (animal) in user-generated content. I enjoyed the brief talk from ThinkFree on its online Office suite, though TJ Kang mystified me by being seemingly unconcerned about the business aspect. ThinkFree has an online Microsoft Office viewer which looks useful – upload your .doc or .xls, have users view it in HTML.

There is a small exhibition here with stands from Google, Yahoo, Microsoft, Adobe and others. Adobe has a neat Apollo app on show, a desktop application which uses the EBay web service API to give you full access to EBay without having to visit the site. I’ve asked for a screenshot as this type of application will be increasingly common in future. Of course it could just as easily be written in Microsoft’s WPF, but without the cross-platform compatibility.

A couple of notes on Microsoft, a newcomer to this conference and showing off the Expression range of design tools. First, I noticed that several ex-Macromedia folk are now working for Microsoft, including Andrew Shorten who presented Flex here last year. Shake-out from the Adobe merge, but good for Microsoft in my view. Second, the first release of WPF/E will be soon, but without C# and CLR support; this will follow in the second release. Interesting, especially since Flash 9 already has a JIT compiler for its JavaScript implementation. However the plan is that there won’t be a long wait for the updated WPF/E – less than a year, I was told.

Microsoft is giving away free copies of Expression Web Designer. It is actually a decent product, but what do you do when everyone (at a conference like this) is using Dreamweaver?

Oh yes, and Java? Hardly mentioned here (though ThinkFree uses it, so does Flex server-side of course).

IE7 script madness

Ever seen this guy?

Stop running this script dialog in IE7

I’m writing a piece on Javascript. In the new world of AJAX, web applications may run large amounts of client-side code in the browser. I’m having a look at performance issues, so I wrote some code that does some processing in a tight loop and tested it in IE7, FireFox 2.0 and Flash 9.

Getting timings was difficult, because IE7 pops up this “Stop running this script” dialog when my code is running. Nor will it let go. You click “No”, and 1 second later the dialog pops up again. And again. And again.

I’ve trawled through the IE7 options looking for a way to switch this thing off, but cannot find one. I’m hoping I’ve missed it, or that there is a secret registry key I can change, because it is really annoying.

I don’t understand why there is no option for “don’t ask me again”, or “allow long-running scripts at this site”. After all, this scenario is going to get increasingly common. Neither FireFox nor Flash suffers from this problem.

I appreciate that IE7 is trying to be helpful here. There is though a fine line between helpful and annoying. Without any obvious way to prevent it, this falls in the latter category.

That said, I did find a way to get my timings, because of my experience with the htmleditor.  If you host Mshtml in an application, you can implement the COM interface IDocHostShowUI. This has a ShowMessage function which IE calls when it wants to show a dialog. This enables you to catch the over-helpful “stop this script” message and not show it.

Unfortunately this solution isn’t something users can easily apply. It requires creating your own customized version of IE. There must be some easier way and I look forward to learning what it is.

One last comment: why does Microsoft still come up with poorly thought-out UI elements like this? It is easy to think of better ways than a brutal modal dialog. How about a “stop script” toolbar button that appears only when scripts are taking too long or grabbing too much CPU?


FireFox does exactly the same thing, also with a modal dialog, “A script on this page may be busy” …

Still, two benefits to FireFox. First, the timeout is set to a more reasonable 10 seconds. Second, you can easily amend it. Navigate to about:config. Find the entry dom.max_script_run_time. Change it from 10 to whatever you like. 

Further update

A comment has pointed me to this knowledgebase article.

Here’s the fix:

  1. Using a Registry Editor such as Regedt32.exe, open this key:

    Note If the Styles key is not present, create a new key that is called Styles.

  2. Create a new DWORD value called “MaxScriptStatements” under this key and set the value to the desired number of script statements.

    By default the key doesn’t exist. If the key has not been added, Internet Explorer 4 defaults to 5,000,000 statements executed as the trigger for the time-out dialog box.


Reinventing HTML: it may be too late

The Director of the W3C, official guardian of web standards, says HTML will be reinvented. In his blog entry, Tim Berners-Lee says the W3C has failed to drive adoption of XML, the well-formed web:

The attempt to get the world to switch to XML, including quotes around attribute values and slashes in empty tags and namespaces all at once didn’t work. The large HTML-generating public did not move, largely because the browsers didn’t complain.

I applaud his honesty; yet at the same time this is a huge admission of failure. The W3C’s HTML strategy for the last seven years at least has been based around shifting the web to XHTML, an XML specification. HTML 4.x was frozen and has not been touched since December 1999. If you have heard talk of HTML 5.0, it is because of the work of WHATWG, not the W3C.

A W3C-approved HTML 5.0 would likely have had significant impact back in, say, 2002. No doubt IE7, FireFox 2.0 and Safari would all now support it.

But now? I’m not convinced this will make much impact. As Joe Clark says:

HTML is a topic of interest. But it isn’t an outright fiasco. HTML, in large part, works fine right now.

The reason it works fine is that the world is moving on. Interesting things on web pages now happen outside HTML. The big story in web design over the last couple of years is about (separately) Flash and Javascript/AJAX – though AJAX does use the HTML DOM (Document Object Model). Now we are watching Microsoft to see if it can pull off Windows Presentation Foundation/Everywhere, its answer to Flash. HTML is becoming a container for other types of content.

Another question: if the W3C has failed to achieve XHTML adoption, why will HTML 5.0 be any different? Berners-Lee suggests that it will be different because the process will be better:

Some things are very clear. It is really important to have real developers on the ground involved with the development of HTML. It is also really important to have browser makers intimately involved and committed. And also all the other stakeholders, including users and user companies and makers of related products.

Fair enough; and Daniel Glazman for one is buying it. I’m not sure. Will the process really be so different? The key question is what the de facto powers of the web will do, the likes of Microsoft, Adobe, Google, and Mozilla. Without their support, HTML 5.0 is nothing – and I don’t mean just the token person on the committee.

The W3C doesn’t need to reinvent HTML. It needs to reinvent itself.


Brief notes on IE7

I upgraded to Internet Explorer 7.0 on three machines this morning. I have to say the experience was very smooth, though not especially quick. You have to pass a validation dialog as well as a new licence agreement, so I guess there are hassles if Microsoft decides you’re not on “Genuine Windows”; but plenty has already been said on that subject.

IE7 is long overdue and probably won’t wean many off Firefox, but it’s a decent upgrade, with tabbed browsing perhaps the number one feature; of course FireFox has had this since its first release. Even if you use Firefox, I’d still be inclined to upgrade to IE7 simply because it’s pretty much a system component. You may not use it for browsing; but embedded IE will likely still turn up in a few apps you use. Web developers will need it for testing if nothing else.

I’m particularly interested in the centralized RSS platform which comes as part of IE7. I’m a satisfied user of Omea Reader, which is superb and deserves more attention than it gets; but I really like the idea of a single feed store in the OS, so I thought I should try migrating to IE7. First question: can IE7 import an OPML feed list? It turns out that it can, but the feature exposes some silliness in Microsoft’s new browser.

You see, Microsoft has gone for a clean look with no menu by default, just a few icons and an address bar. Unfortunately, this means there is significant functionality hidden by default, and finding it is not particularly intuitive. In this case, you have to click the Tools drop-down and select Menu Bar, then choose File – Import and Export, then choose Import Feeds.

It worked, I’m glad to say, and now all my subscribed feeds are in IE7. However, now that I’ve realised the importance of the Menu Bar I don’t want to hide it again, so I’ve lost the clean look; in fact, it feels odd having the menu bar below the address bar and I wish I could put it at the top where it belongs.

Will I be able to live with IE7 as a feed reader, or go running back to Omea in a day or two’s time? I’ll let you know.

Finally, a note for any Borland developers reading this. If you use Borland Developer Studio, you need to update the registry to avoid access denied errors with ASP.NET. See Resolving Access Denied errors in the BDS ASP.NET designer with IE7 installed.

Update: A comment to this blog tells me that import and export is also accessible through the Add to favorites icon. So showing the menu bar is not essential after all; it’s just a bit obscure as I’d presumed that Add to favorites only does what its name implies.


Live Writer good, performance bad

A side-effect of migrating this blog to WordPress is that I can now use Windows Live Writer to author posts. It’s a great little app, as noted today by James Governor, and has been favourably reviewed around the web since its first public beta in August (though I wish the team would add spell checking in languages other than US English). This review by Phil Wainewright is my favourite, because it gets the strategic potential. In addition, if Microsoft can get us hooked on Writer, we’re more likely to start using other Live services like  Maps – Writer has “insert Windows Live Map” on its menu bar – which ultimately results in more Live traffic and ad income.

A snag with this grand scheme is the poor performance of Microsoft’s Live properties. For me, Live Writer works much better with WordPress hosted on my own site than with the Windows Live Space that I’ve set up as a trial, purely because Spaces is so slow. Live Local Maps is tardy too. As for the Live plugin gallery, this is what I get right now:

Live gallery reporting an error

This is where Google scores so highly. It is not immune to problems, but most of the time it is remarkably responsive, whether for Search or Maps or other services.

I sometimes wonder if the folk in Redmond with fast local links just don’t see these performance issues. It’s not just me though: here’s the A9 report on Live Spaces: shown as very slow

I don’t mean to be negative. Writer is excellent, and offers a better user experience than any browser-based editor that I’ve seen.

Tags: livewriter microsoft .net

IE7 to be released 18th October, three years late

Microsoft’s updated browser is released next week, and will be distributed via automatic update from November 1st.

It is three years late. Here’s the release history:

  • Version 1.0 August 1995
  • Version 2.0 November 1995
  • Version 3.0 August 1996
  • Version 4.0 September 1997
  • Version 5.0 March 1999
  • Version 6.0 August 2001

On a (reasonable) two year release cycle, we should have had version 7.0 in 2003. Let me add that version 6.0 was really a disappointment; more like version 5.1 in some ways. Microsoft won the browser wars, then stalled the progress of web standards for five years. It was the growing popularity of Firefox, released in November 2004, that persuaded Microsoft to restart development. There would in any case have been some sort of update in Windows Vista; but without the open source competition I doubt it would have amounted to much.

The history leaves a bad taste and makes it hard to enthuse about IE7. Nevertheless, it is a badly-needed update. I’m inclined to leave the blow-by-blow comparison with Firefox to others.

The one piece I can enthuse about is the centralized RSS store that comes as part of IE. This makes a lot of sense and I’m looking forward to it.


Who cares about W3C validation?

While researching a piece in today’s IT Week, I checked out several prominent home pages in the W3C Markup Validation Service. There wasn’t room for all the results in the piece, so I’m posting them below, best to worst:

  • passed
  • 1 error
  • 2 errors
  • 5 errors
  • 15 errors
  • 18 errors
  • 41 errors
  • 43 errors
  • 45 errors
  • 130 errors
  • 263 errors
  • 1134 errors

Disclaimer: This was early last week; the exact figures will have changed by now. I found it interesting that only IBM managed a pass, others such as Microsoft and Sun are clearly trying to comply, while the likes of MySpace, eBay and Amazon apparently could not care less.

Does anybody care? Mostly not; all we care about is web sites that work in our favourite browser, though in theory there is a connection between the two. Which was the point of my article: the W3C seems to be of decreasing relevance these days.

Still, kudos to IBM.