
Tuesday, December 16, 2008

CakePHP security issue - even in thechaw.com (written by core dev)

CakePHP security issue



Recently I stumbled upon thechaw.com, written by a CakePHP core dev and developed in CakePHP. I just wanted to check whether they had fixed the old security issue in CakePHP, and found that the issue is still open.

Proof of concept

[Screenshot: CakePHP Security Issue]

CakePHP memory error

On another occasion, I found the famous memory error even in bakery.cakephp.org:

[Screenshot: CakePHP memory error]

Bottom line



CakePHP is open source, so you can fix these issues yourself.

Sunday, October 26, 2008

Save American College, Madurai

This post was written in 2008 and is outdated now. For an update, please check Save American College, Madurai (Update 2011)

Update (2011-01-16): Save American College, Madurai (Update 2011)

I'm highly privileged to have 3 degrees (B.Sc. (Spl. Physics), PGDCA and MCA) from The American College, Madurai, South India. Unlike other "commercial" colleges, American College has given room for poor students and uplifted them. And unlike other "elite" colleges who'd give seat only for "intellectuals", American College has produced geniuses.

In recent months, the saddening thing is that the college is divided (Principal vs. Bishop). Here is the email I sent lately to alumni, informing them of the information I received about the developments:




All:

I was thinking that the "Save American College" campaign was FUD. But, when I tried to understand the problem through my friends, it was a great shock that the college has lost its greatness--and it seems that the name would deteriorate further. Semester exams are coming next month--but still many students are not attending classes, and the revised curriculum hasn't yet been approved by the board of council.

So, what's the real problem? (Note: my version may also be wrong)


  • Principal (Chinnaraj Joseph) and Bishop (Christopher Asir) were close for some time

  • A power/ego clash started between the two after some time over decision making (for example, Bishop appointed Prof. Christopher of the Mathematics department--who was said to be junior and a nephew of the Bishop--as Bursar)

  • Then came open allegations between the two

  • Staff and students had to align with one party

  • Bishop has dismissed the Principal (the legality is in question and now in court)

  • Principal party

    • Comprises mostly of 1. self-financing staff, 2. non-teaching staff, 3. a few government staff. All have been boycotting classes for the last 2 months.

    • They don't want the Bishop's role in the college

    • Headed by Prof. Solomon Pappiah, Prof. Sam George, etc.

  • Bishop party

    • Comprises mostly of diocese people, government staff and a few self-financing staff and non-teaching staff. There is also some feeling that those who don't want to risk their jobs are on this side.

    • They're now controlling the college--taking classes, etc.

    • They're now targeting self-financing staff and non-teaching staff and trying to replace them, as they're boycotting the classes.





Who has more power?

It is said that the Bishop party has more power and may win the legal case as they have more diocese money. For example, the lady judge has so far avoided taking the case by going on leave.

Who has more morals?

(According to my sources) Principal. It is also better that the Principal party wins the case so that the non-teaching staff and self-financing staff jobs are not at stake. But they seem to lack funds and other support.

What you/we may do?

If you think that the Principal party has to win legally, you may send funds to Prof. Sam George (retired Zoology Professor and also a popular Indian blogger now) http://saveamericancollege.blogspot.com/2008/10/donors-for-cause-of-our-struggle.html and may also lend support in other ways.

Regards,
R. Rajesh Jeba Anbiah
95PHY15, 98DCA21 & 99MCA30


Sunday, October 19, 2008

Rasmus Lerdorf's humbled LinkedIn profile

I recently stumbled upon Rasmus Lerdorf's (creator of PHP) profile in LinkedIn. His profile humbly reads "Developer at PHP".

On the other side, I also stumbled upon John Resig's (creator of jQuery) profile in LinkedIn. His profile reads "Creator, Lead Developer at jQuery JavaScript Library".

I'm really surprised by Rasmus Lerdorf's humbleness which reminds me of Dr. Dennis Ritchie's (creator of C) humble email to me. Long live Rasmus Lerdorf and his humbleness.

Monday, October 06, 2008

Solved: Safari Flash full screen issue

Some common problems when trying to use Flash video embed code (e.g., YouTube like embed code)

1. When using lightbox on the page, it's getting hidden behind the Flash video player

Solution: Add wmode="transparent" to the embed tag

2. On IE7, getting "click to activate"

Solution: Inject the embed code through JavaScript. (Useful libraries: jQuery Flash Plugin, SWFObject)

3. XHTML validation issue

Solution: Use unobtrusive JavaScript embedding. (Useful libraries: jQuery Flash Plugin, SWFObject)

4. On Safari the full screen doesn't work -- even if we add allowfullscreen="true" (this is the issue I faced lately, and Google wasn't helpful). In all other browsers, it works fine.

Solution: Add type="application/x-shockwave-flash" to the embed tag

Friday, August 29, 2008

Problems with CakePHP - follow-up

Some people have responded, including Marc Grabanski of Datepicker fame. So, this follow-up...

First of all, I was not ranting nor complaining; I've just blogged/documented my experience.

The common point most people made is that it scales for addons.mozilla.com. Those who have looked at their source code can understand that they've done a lot of things, and also that the site is not database-intensive. You should really create a real database-intensive website to understand what I mean.

The other point that has been raised is about open source and community. A lot of people may not know that it's 2 people pushing it, who don't want others to be credited. The generic model or dynamic model idea was originally from grigri and Marcel. It's hard to call it open source when only a few people and sycophants are driving its direction (I'm not talking about svn access).

So, here is my humble checklist before you start shouting at me:

  • Did you read and understand my post?

  • Can you code or at least read PHP? -- This is very important. My post is not intended for naive people who want to create software in 2 minutes without really understanding the programming languages and tools.

  • Have you looked at the framework's source?

  • Have you tried to profile the code?

  • Have you witnessed the xdebug crashing due to deeper cyclic chains when you profile?

  • Have you created any application where you have to replace regexp calls to increase speed?

  • Have you optimized the DB and tried to scale a database-intensive site?

  • Have you referred to the frequent discussion page? (It was originally created by me and I have contributed most of it) -- You'll hit that page only when you create a web page and get into problems. I have a strong opinion that some sycophants and the Evangelist aren't using CakePHP at all. (The Evangelist is always trying to sell his "intellect" with philosophical/unscientific remarks and bootlicking some naive people who in turn want networking. Note, this is not a flame, but my strong opinion.)

  • Have you read the code of cakebaker, ad7six, grigri, franky, baz...? Do you think they have a better fork with them?

  • Have you removed some/many automagic things? Or have you used it just for dispatching?

  • Have you checked source of Akelos, Solar, CI or fase?

  • Finally, have you read Rasmus's Simple is Hard?



If you answer "Yes" to most of the above list, you may be with me.

And, at this moment, like I mentioned, my state of mind is that what the contemporary world needs is a better toolkit, which I believe could be developed with good readability, coding standards/practices, scalability and simplicity.

Update (2008-09-06): My apologies to Chris Hartjes, who found the post to be a personal attack on him. I understand that I could have used better wording.

Sunday, August 17, 2008

Open source PHP frameworks and problems

I was using CakePHP for some time and proposed CakePlus, another UIMS toolkit on top of CakePHP, but also altering some of its problematic core. The thread should explain the outcome of the post. And then I noted that the Akelos framework has most of these things built in.

Issues with frameworks esp. CakePHP



  • Scalability is not a priority - developers aren't aware that we can't keep throwing more hardware at it

  • Excessive use of regular expressions

  • The Evangelist isn't aware that the framework throws many queries unnecessarily

  • More memory consumption - 100M would never be enough for a simple project

  • Poor coding standards and practices - prolonged use of extract() often leads to more memory consumption

  • Can't use the native approaches or baked code. The override approach always leads to hard-to-debug code

  • Poorly architected code and no clearly defined approaches. People who belong to the cult drive the direction and often throw in unprofiled code. No native provision to share code between M-V-C and no distinction between "libs" and "vendors".

  • Overlooked wrappers

  • Community - only a few are educated, the majority overlook common application features, some freelancers use it for networking and sycophancy to get jobs

  • Not actually open source



Update (2008-09-01): Follow-up

Saturday, August 16, 2008

Working with Jeremy Zawodny, Alan Knowles, Cal Henderson

My life and career are full of surprise...


  • I wanted to work in film direction

  • Wanted to work in AT&T Bell Labs with Dr. Dennis M. Ritchie (creator of C)

  • Wanted to work in Borland with the great developers of Delphi


But, none of these dreams came true. And, after 6 years of my career in Web Application Development, I informed the company about my humble desire to work with the great minds I came to know through the internet--to see if the company could offer employment to them: Jeremy Zawodny, Alan Knowles, Cal Henderson. Peter (who is actually from the UK), who approached them, updated me that Jeremy cannot join the company due to his marriage and Alan feels that the company may not offer an international salary.

And, my dreams are just dreams!

If anyone wants to work with me, ping me through LinkedIn

Track previous link of a site in PHP

I just spotted through Google that Raj Shekhar has quoted my post to comp.lang.php on his Blog Ideas page:

mr_burns wrote:
> Is it possible to get the previous url. For example, if I am on page
> page01.php - and I then click to - page02.php - from page02.php, can
> use script to determine that I have come from page01.php? It doesn't
> have to be the entire url, even just the file name. Cheers

Add this line at the beginning of every script, or possibly in a
global common include file, say config.php:

output_add_rewrite_var('referer', htmlspecialchars($_SERVER['PHP_SELF']));

www.php.net online manual user notes contributions

Some time ago I had a lot of interest in contributing to the www.php.net online manual's notes. Though a lot of them are deleted now and not even relevant any more, I thought of archiving them for my own reference:

http://www.php.net/ref.pdf#32797
Date: 7 Jun 2003 06:42:11 -0000

If you want to create PDF without using PDFlib library, you may try FPDF ( http://www.fpdf.org ).

If you want to know how to use FPDF in PHP scripts, you can look at the source code of phpMyAdmin, as phpMyAdmin uses FPDF. ( http://www.phpmyadmin.net )


http://www.php.net/ref.array#32969
Date: 12 Jun 2003 11:32:58 -0000

If you want to remove a particular element from the array without losing the keys, you can use the following function:


function RemoveArrayElement($arr, $element)
{
    // strict comparison (third argument) so that e.g. 0 does not match "a";
    // unset() keeps the remaining keys as they are
    if (($key = array_search($element, $arr, true)) !== false)
        unset($arr[$key]);
    return $arr;
}/*---------RemoveArrayElement()----------*/



Example:


$arr = array("a","b","c","f","x","d","e","z","l");
print_r($arr); //debug
$arr = RemoveArrayElement($arr, "a");
print_r($arr); //removes the "a"
$arr = RemoveArrayElement($arr, "xxx");
print_r($arr); //no match of "xxx"; so displays the original array




http://www.php.net/uniqid#33113
Date: 17 Jun 2003 07:21:58 -0000

A nice article/code for creating auto-password with uniqid is at http://www.phpbuddy.com/article.php?id=25


http://www.php.net/date#33251
Date: 20 Jun 2003 05:14:08 -0000

A very nice class to play with dates is available at http://www.phpinsider.com/php/code/Date_Calc/

You can look at its application at http://www.phpinsider.com/php/code/Date_Calc/showCalendarMonth.php


http://www.php.net/date#33252
Date: 20 Jun 2003 05:35:33 -0000

If you want to just compare any two dates, store them in ISO format (yyyy-mm-dd) and compare with the <, > or == operators; because the fields are zero-padded and ordered from year to day, string order equals chronological order.

For example, $date1 = "2003-12-30"; $date2 = "2004-02-15";

if ($date1 < $date2) echo "date1 is less than date2";

Note, $date1 & $date2 are just strings. You can use this logic in MySQL too.


http://www.php.net/ref.mail#35384
Date: 29 Aug 2003 10:20:47 -0000

[Recently realized a flaw in my previous note related to sending mail using ArGoSoft Mail Server. Only the IP 127.0.0.1 should be allowed to relay; otherwise others may anonymously send spam mails through that server. So, here is the improved note about the stuff]

For Windows users who work on local machine:

If you want to send emails from your local machine you can try ArGoSoft Mail Server ( http://www.argosoft.com/applications/mailserver/ )

Step1:
1. Install ArGoSoft Mail Server
2. Open the ArGoSoft Mail Server and click Tools > Options to configure.
3. Enter the DNS server name or let ArGoSoft Mail Server auto-detect it.
4. In the IP Homes tab, enter 127.0.0.1
5. Start (run) the ArGoSoft Mail Server and make sure there is no error.
6. Now, the "localhost" (127.0.0.1) is your SMTP & POP3 server.

Step2:
1. Open your php.ini
2. Enter the value of SMTP like SMTP = localhost

That's all!

Do not trust "sendmail_from" in php.ini. Always set the headers parameter in the mail() function.
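As an added example (not from the original note), here is how explicit headers can be passed to mail() while refusing any input that would let a caller smuggle extra header lines (a CR/LF in the subject or an address becomes a new "Bcc:" header otherwise). send_mail_checked() is a hypothetical helper name and the addresses are constructed sample values.

```php
<?php
// Added example: explicit mail() headers with header-injection checks.
// send_mail_checked() is a hypothetical name, not a PHP built-in.

function send_mail_checked($to, $subject, $body, $from)
{
    // Each address must be a single syntactically valid mailbox; this also
    // rejects anything containing CR or LF.
    foreach (array($to, $from) as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return false;
        }
    }
    // A line break inside the subject would terminate the Subject: header
    // and start a new one; refuse it rather than silently strip it.
    if (preg_match('/[\r\n]/', $subject)) {
        return false;
    }
    // Headers are set explicitly instead of relying on sendmail_from in php.ini.
    $headers = "From: " . $from . "\r\n"
             . "Reply-To: " . $from . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return mail($to, $subject, $body, $headers);
}

// constructed sample calls: the second one is refused because of the
// embedded line break in the subject
var_dump(send_mail_checked('user@example.com', 'Hello', 'Test body', 'me@example.com'));
var_dump(send_mail_checked('user@example.com', "Hello\r\nBcc: other@example.com", 'Test body', 'me@example.com'));
?>
```

The first call reaches mail() and its result depends on the local SMTP setup; the second never reaches mail() at all.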


http://www.php.net/getenv#35496
Date: 3 Sep 2003 08:04:27 -0000

[Worked based on the comment of "hanez at forpresident dot com". Reviewed Anders Winther's and "Joenema at aol dot com"'s "bullet-proof" IP address fetcher and came out with new, tighter code.]


<?php

//Get the real client IP ("bullet-proof"???)

function GetIP()
{
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers supplied by
    // the client (or by a proxy), so their values are not verified by the server.
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");        // address of the TCP peer, set by the web server
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return($ip);
}/*-------GetIP()-------*/

?>
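GetIP() above returns whatever a client chooses to put in the Client-IP or X-Forwarded-For headers, so anything built on it (rate limits, access lists, audit logs) can be steered by a forged header. As an added example that is not part of the original note, here is a lookup that honours X-Forwarded-For only when the TCP peer is one of our own reverse proxies; client_ip() is a hypothetical name and the proxy and client addresses are constructed sample values.

```php
<?php
// Added example: trust proxy headers only from known proxies.
// client_ip() is a hypothetical helper; 10.0.0.5 is a constructed proxy address.

function client_ip(array $server, array $trusted_proxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return false;                     // no usable socket address at all
    }
    // Anyone can send Client-IP / X-Forwarded-For; only believe the header
    // when the connection really came through one of our reverse proxies.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // X-Forwarded-For is "client, proxy1, proxy2, ...": walk from the right,
    // skipping our own proxies; the first foreign entry is the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
    }
    return $remote;
}

$proxies = array('10.0.0.5');

// direct request carrying a forged header: the header is ignored, 203.0.113.9 is returned
echo client_ip(array('REMOTE_ADDR'          => '203.0.113.9',
                     'HTTP_X_FORWARDED_FOR' => '1.2.3.4'), $proxies), "\n";

// request that came through our proxy: the header's client entry 198.51.100.7 is returned
echo client_ip(array('REMOTE_ADDR'          => '10.0.0.5',
                     'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5'), $proxies), "\n";
?>
```

In production the $server argument is simply $_SERVER and the proxy list comes from configuration; keeping both as parameters makes the function testable without a web server.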




http://www.php.net/fgetcsv#35602
Date: 08-Sep-2003 03:32

Important note about the CSV format:
There should *not* be any space in between the fields. For example,
field1, field2, field3 [Wrong!]
field1,field2,field3 [Correct-No space between fields]

If you add space between the fields, MS Excel won't recognize the fields (especially date and multi-line text fields).


http://www.php.net/header#35667
Date: 10 Sep 2003 12:15:03 -0000

Since IE 5.5, IE has had a typical bug called the "IE title refresh bug". If the connection is broken while browsing certain sites, IE will show the "Cannot find server" page, and the title will remain "Cannot find server" even if the page gets loaded after the connection is re-established. AFAIK, there is no fix for this bug.

I have recently found that Google's pages don't have this problem; Google uses header('Cache-control: private')


http://www.php.net/explode#37004
Date: 30 Oct 2003 12:03:12 -0000

The improved CSV explode function of "hhromic at udec dot cl" again has one limitation with MS Excel.

His version returns "" for the quoted field """" (a doubled qualifier inside quotes), but the expected result is a single " for """".

And so, I have modified his code with an additional inside check.



<?php

//Explode CSV (MS Excel) string

function csv_explode($str, $delim = ',', $qual = '"')
{
    $len    = strlen($str);
    $inside = false;     // true while we are between qualifiers
    $word   = '';
    $out    = array();   // must be initialised: the loop may never append
    for ($i = 0; $i < $len; ++$i) {
        if ($str[$i] == $delim && !$inside) {
            $out[] = $word;
            $word  = '';
        } else if ($inside && $str[$i] == $qual && ($i + 1 < $len && $str[$i + 1] == $qual)) {
            // a doubled qualifier inside a quoted field is a literal qualifier
            // ($i + 1 < $len guards the look-ahead at the end of the string)
            $word .= $qual;
            ++$i;
        } else if ($str[$i] == $qual) {
            $inside = !$inside;
        } else {
            $word .= $str[$i];
        }
    }
    $out[] = $word;
    return $out;

} /*-------csv_explode()------------*/

//Test... (expected fields: a, ", ", d, e, f)
$csv_str = 'a,"""","""",d,e,f';
print_r( csv_explode($csv_str) );
// PHP 5.3 and later also provide str_getcsv() for this job.

?>




http://www.php.net/ref.sqlite#37243
Date: 7 Nov 2003 12:19:21 -0000

Very nice MS PowerPoint presentation titled "SQLite and PHP" (author: Wez Furlong) can be downloaded at http://www.php.net/~wez/SQLite_and_PHP.ppt [134 KB]


http://www.php.net/ref.pfpro#38301
Date: 16-Dec-2003 04:49

Zend has a nice tutorial titled "Accepting payments using Verisign's Payflow Pro" at http://www.zend.com/zend/tut/tutorial-staub.php


http://www.php.net/ref.pfpro#38302
Date: 16 Dec 2003 06:56:22 -0000

This is just a comment on the note by "jason at thinkingman dot org". His note should be better modified to give the idea that it's a workaround for Win32 Platforms. Also, the Editor's link is missing.


http://www.php.net/getmxrr#40236
Date: 26-Feb-2004 04:41

Here is a better workaround for Windows platform. Tested on Windows XP. Highly impressed by "geoffbrisbine A T y a h o o DOT c o m"'s idea of nslookup usage.


<?php
// PHP 5.3 and later ship getmxrr() on Windows too, so only define the
// fallback when it is really missing (redefining a built-in is a fatal error).
if (!function_exists('getmxrr')) {
    function getmxrr($hostname, &$mxhosts)
    {
        $mxhosts = array();
        // Accept only plain host names before anything reaches the shell.
        if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $hostname)) {
            return false;
        }
        // escapeshellarg() keeps shell metacharacters in $hostname from being
        // interpreted as additional commands.
        exec('nslookup -type=mx ' . escapeshellarg($hostname), $result_arr);
        foreach ($result_arr as $line)
        {
            if (preg_match("/mail exchanger = (.*)/", $line, $matches))
                $mxhosts[] = trim($matches[1]);
        }
        return( count($mxhosts) > 0 );
    }//--End of workaround
}

//test..
echo getmxrr('yahoo.com', $mxhosts);
print_r($mxhosts);
?>




http://www.php.net/ref.sdo#63280
Date: 18-Mar-2006 01:07

Some useful links on SDO:
1. Quick intro ( http://www.obalweb.net/wppro/?p=19 )
2. SDO for Zend Conf 2005 ( http://www.ibm.com/developerworks/forums/weblogs/data/SDOforZendConf2005.pdf ), Presentation, [481 KB], Graham Charters, 2005-10-18
3. Introducing Service Data Objects for PHP ( http://www.zend.com/pecl/tutorials/sdo.php ), 2005-08-05
4. Service Data Objects specification ( http://www.ibm.com/developerworks/library/specification/j-commonj-sdowmt/ ), 2003-2005


http://www.php.net/iconv#43463
Date: 22-Jun-2004 08:40
Here is code to convert ISO 8859-1 to UTF-8 and vice versa without using iconv.


<?php
//Logic from http://twiki.org/cgi-bin/view/Codev/InternationalisationUTF8
// The original used preg_replace() with the /e modifier, which evaluates the
// replacement as PHP code; /e is deprecated since PHP 5.5 and removed in 7.0,
// so preg_replace_callback() is used here for the same byte arithmetic.

//ISO 8859-1 to UTF-8: every byte >= 0x80 becomes a two-byte sequence
function iso8859_1_to_utf8($s)
{
    return preg_replace_callback('/[\x80-\xFF]/', function ($m) {
        $b = ord($m[0]);
        return chr(0xC0 | ($b >> 6)) . chr(0x80 | ($b & 0x3F));
    }, $s);
}

//UTF-8 to ISO 8859-1: only two-byte sequences led by C2/C3 map back to one byte
function utf8_to_iso8859_1($s)
{
    return preg_replace_callback('/([\xC2\xC3])([\x80-\xBF])/', function ($m) {
        return chr(((ord($m[1]) << 6) & 0xC0) | (ord($m[2]) & 0x3F));
    }, $s);
}

$str_iso8859_1 = "caf\xE9";                          // "café" in ISO 8859-1 (constructed sample)
$str_utf8      = iso8859_1_to_utf8($str_iso8859_1);  // \xE9 becomes \xC3\xA9
$str_iso8859_1 = utf8_to_iso8859_1($str_utf8);       // and back again
?>




http://www.php.net/ord#46267
Date: 05-Oct-2004 08:01

[Fixed a bug in my previous note; ord() is missing in first condition]

A uniord() function like the one by "v0rbiz at yahoo dot com" (Note# 42778), but without using the mbstring extension. Note: if the passed character is not valid, it may throw an "Uninitialized string offset" notice (you may set the error reporting to 0).


<?php
/**
* @Algorithm: http://www1.tip.nl/~t876506/utf8tbl.html
* @Logic: UTF-8 to Unicode conversion
* (The $c{0} brace offsets were removed in PHP 8, so $c[0] is used here, and a
*  truncated or invalid sequence returns false instead of raising the
*  "Uninitialized string offset" notice.)
**/
function uniord($c)
{
    $ud = 0;
    $b0 = strlen($c) ? ord($c[0]) : 254;   // empty input is treated like an invalid lead byte
    // number of bytes the lead byte promises (5- and 6-byte forms kept from the
    // original table, although modern UTF-8 stops at 4 bytes)
    if ($b0 <= 127)      $need = 1;
    else if ($b0 <= 191) $need = 0;        // stray continuation byte
    else if ($b0 <= 223) $need = 2;
    else if ($b0 <= 239) $need = 3;
    else if ($b0 <= 247) $need = 4;
    else if ($b0 <= 251) $need = 5;
    else if ($b0 <= 253) $need = 6;
    else                 $need = 0;        // 0xFE / 0xFF never occur in UTF-8
    if ($need == 0 || strlen($c) < $need)
        return false;                      //error
    if ($need == 1)
        $ud = $b0;
    if ($need == 2)
        $ud = ($b0-192)*64 + (ord($c[1])-128);
    if ($need == 3)
        $ud = ($b0-224)*4096 + (ord($c[1])-128)*64 + (ord($c[2])-128);
    if ($need == 4)
        $ud = ($b0-240)*262144 + (ord($c[1])-128)*4096 + (ord($c[2])-128)*64 + (ord($c[3])-128);
    if ($need == 5)
        $ud = ($b0-248)*16777216 + (ord($c[1])-128)*262144 + (ord($c[2])-128)*4096 + (ord($c[3])-128)*64 + (ord($c[4])-128);
    if ($need == 6)
        $ud = ($b0-252)*1073741824 + (ord($c[1])-128)*16777216 + (ord($c[2])-128)*262144 + (ord($c[3])-128)*4096 + (ord($c[4])-128)*64 + (ord($c[5])-128);
    return $ud;
}

//debug
echo uniord('A'); //65
echo uniord("\xe0\xae\xb4"); //2996
?>
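The note above only decodes. As an added example that is not part of the original note, here is the inverse: encoding a code point as UTF-8 bytes by the same table logic, rejecting values outside Unicode and the surrogate range so that the encoder cannot produce byte sequences a decoder would have to treat as invalid. unichr() is a hypothetical name; the checks reuse the sample values from the note (65 and 2996).

```php
<?php
// Added example: code point -> UTF-8 bytes, the inverse of uniord() above.
// unichr() is a hypothetical helper, not a PHP built-in.

function unichr($ud)
{
    // Outside Unicode, or a UTF-16 surrogate: no valid UTF-8 form exists.
    if ($ud < 0 || $ud > 0x10FFFF || ($ud >= 0xD800 && $ud <= 0xDFFF)) {
        return false;
    }
    if ($ud < 0x80) {                                   // 1 byte: 0xxxxxxx
        return chr($ud);
    }
    if ($ud < 0x800) {                                  // 2 bytes: 110xxxxx 10xxxxxx
        return chr(0xC0 | ($ud >> 6)) . chr(0x80 | ($ud & 0x3F));
    }
    if ($ud < 0x10000) {                                // 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx
        return chr(0xE0 | ($ud >> 12))
             . chr(0x80 | (($ud >> 6) & 0x3F))
             . chr(0x80 | ($ud & 0x3F));
    }
    return chr(0xF0 | ($ud >> 18))                      // 4 bytes: 11110xxx + three continuations
         . chr(0x80 | (($ud >> 12) & 0x3F))
         . chr(0x80 | (($ud >> 6) & 0x3F))
         . chr(0x80 | ($ud & 0x3F));
}

// checks against the sample values used in the note above
var_dump(unichr(65) === 'A');
var_dump(unichr(2996) === "\xe0\xae\xb4");
var_dump(unichr(0xD800));        // surrogate: refused
var_dump(unichr(0x110000));      // beyond U+10FFFF: refused
?>
```

The "shortest form" rule is implicit in the range checks: each code point is emitted with the fewest bytes that can hold it, which is what a strict decoder expects.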




http://www.php.net/getrusage#47467
Date: 17-Nov-2004 10:51

Here is a nice comment on benchmarking PHP code using the getrusage function: http://blog.rompe.org/node/85


http://www.php.net/output_add_rewrite_var#53966
Date: 19-Jun-2005 02:41

This function obeys url_rewriter.tags ( http://www.php.net/ref.session#ini.url-rewriter.tags ) configuration and hence can be used to rewrite selected tags.


http://www.php.net/ref.session#53965
Date: 19-Jun-2005 03:37

The note regarding url_rewriter.tags and XHTML conformity in the manual is a bit confusing; it's applicable only when we use <fieldset> tags. Refer to http://bugs.php.net/13472

Friday, August 15, 2008

"A to Z of C" book turns 5

A to Z of C, the DOS/Turbo C programming book written by K. Joseph Wesley and myself turned 5 on August 1.

Initially, we felt bad for spending our time writing a book that was rejected by publishers, who also deceived us. Now we get quite reasonable appreciation from people around the world--even though it has technical and grammatical errors. Long live internet publishing!

Probably a time for "A to Z of PHP" ?

Blessed with a girl baby

It's been quite a long time since I last blogged... and for the sake of blogging/record, Heleena and I were blessed with a wonderful baby girl on February 21, 2008.