Articles tagged in php

  1. Securing PHP-FastCGI on Nginx

    Via Hacker News. Setting up PHP-FastCGI and nginx? Don’t trust the tutorials: check your configuration! I have in fact written quite a few tutorials and published automated scripts that are vulnerable. It seems the easiest way to prevent this issue is to add a try_files statement (or an if (-f $request_filename) check on nginx versions below 0.7.27) inside the location ~ \.php block. For example:

    # nginx >= 0.7.27: try_files is available
    location ~ \.php$ {
      # Only hand the request to PHP if the requested script really exists on
      # disk; otherwise answer 404 instead of letting PHP guess a script path.
      try_files $uri =404;
      fastcgi_pass localhost:8080;
      ...
    }

    # nginx < 0.7.27 (e.g. Debian 5): no try_files, so test the file explicitly
    location ~ \.php$ {
      # Same idea: pass to FastCGI only when the file the URI maps to exists
      if (-f $request_filename) {
        fastcgi_pass localhost:8080;
      }
      ...
    }
    
  2. Stuck

    On the left hand side, we have multiple vulnerabilities in PHP releases 5.2.1 and earlier.

    Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak.

    On the right hand side, we have the HTTP_RAW_POST_DATA bug in PHP 5.2.2.

    So $GLOBALS['HTTP_RAW_POST_DATA'] is not set. The PEAR::XML_RPC package actually uses $HTTP_RAW_POST_DATA on the receiving end, but that doesn't appear to be set either. And the always_populate_raw_post_data option in php.ini doesn't make a difference.

    That means any PHP code that assumes the existence of $HTTP_RAW_POST_DATA will simply fail, as that variable is no longer populated. With all the APIs, web services, etc., there are actually many applications that use raw post data, which could be XML, JSON or any other packaging format. Pingbacks simply won't work in WordPress, although WP 2.2 has a workaround for this PHP 5.2.2 bug.

    So I basically upgraded all my servers to PHP 5.2.2 early last week, found that many web service scripts I wrote were broken, and was forced to revert back to the vulnerable PHP 5.2.1. The bug has been fixed and there's a workaround, but I would rather wait for 5.2.3 to hit the street, which I hope will be sooner rather than later.

  3. Performance Comparison with 6 Leading Web Frameworks

    Alrond's technoblog: The performance test of 6 leading frameworks. Very interesting read, as Alrond tested Django (Python), TurboGears (Python), Ruby on Rails 1.1.6/1.2.1 (Ruby), Catalyst (Perl), CodeIgniter (PHP) and Symfony (PHP), using various load and memory testing utilities. His conclusion? Django is fast, and …
  4. Ohloh: PHP and Ruby Comparison

    Ohloh: PHP Eats Rails for Breakfast. Clearly a link-bait title, as it is in fact analysing by "language", i.e. PHP vs. Ruby, instead of by framework. However, the analysis is interesting, as is Brad Feld's feedback on the article. Some of my thoughts: I won't say it …
  5. Gravatar Cache 0.1 Released

    Over the last couple of nights I have hacked together a generic URL-based cache for Gravatar, the globally recognized avatar. If you have been blogging or reading other people's blogs, "gravatar" would not be foreign to you, as it has been implemented on many blog sites of various platforms. Gravatar Cache is an …
  6. PHP -- Good or Bad?

    It all starts with Tim Bray's little rant on PHP a few days ago. Tim can't stand PHP, because ...all the PHP code I've seen in that experience has been messy, unmaintainable crap. Spaghetti SQL wrapped in spaghetti PHP wrapped in spaghetti HTML, replicated in slightly-varying form in dozens of …
  7. Ease of Deployment Matters

    Peter Hunt took a look at "How Python wins on the Web". He argued that the framework does not really matter -- not all those efforts mimicking Ruby on Rails anyway, as RoR and .NET have already won the hearts of developers. Instead, Pythonists should focus on killer re-usable applications. Here's what …
  8. Faster PHP on Resin/JVM

    The Server Side reports Caucho adds PHP support to Resin to allow it to run up to 6 times faster. It is done by compiling PHP into Java bytecode so that it can be executed in highly optimised Java virtual machines. From this comment, Quercus (the PHP module for Resin …
  9. Andreessen on Java and PHP

    Via ZDNet News, Marc Andreessen, formerly of Netscape, endorses PHP over Java for website development, because it is open source, has an easier environment, is widely used and has big companies behind it. Interesting description of Java: Java is much more programmer-friendly than C or C++, or was for a few years …
  10. PHP XML-RPC Vulnerability

    As discussed on Slashdot, there is another PHP library vulnerability, this time affecting PEAR's XML-RPC module. James at GulfTech has demonstrated this vulnerability with an exploit. It turns out the PHP XML-RPC library uses eval() without checking its input, which allows arbitrary PHP code to be executed if the XML-RPC message is cleverly crafted …
  11. IBM, LAMP and rebuttal

    Ryan Tomayko rebutted the claim by IBM's Daniel Sabbah that LAMP cannot scale and that the model should "grow up". He argued that the traditional 3/n-tier design cannot scale due to its complexity, and that a simple stateless design would be more scalable, faster and easier to develop. I am not really convinced …
  12. PHP Syntax Hilighting 1.3

    I've just got the chance to start visiting my old WordPress plugins after upgrading this site to WP 1.5. Syntax highlighting with Enscript is broken, so I've made some changes to get it going again. Here's a list of changes: Detect whether we are running under WP 1.5 …
  13. PHP Prediction in 2005

    Harry Fuecks wrote about his predictions for PHP in 2005, with unrealistic ones like 'In January 2005 PHP will win an award as "Programming Language of the Year, 2004"'. To me, PHP has never outgrown its stereotype as a web language, and a programmer who knows only PHP …
  14. Scripturizer for WordPress 1.4

    Thanks to Glen Piper for pointing out the incompatibility caused by Bible Gateway changes, I have made some minor modifications to the Scripturizer for WordPress and released it as 1.4. Download Scripturizer 1.4 Changes: Bug Fix: Change the URL so it shall now work with the updated Bible Gateway …
  15. Scripturizer for WordPress 1.3

    Jon Mark Allen added some interesting features into Scripturizer for WordPress, and released it as Scripturizer 1.2. So I took what he has done, borrowed the idea of Bible translation customisation, added a bit of code of my own, and released it as Scripturizer for WordPress 1.3. Download …
  16. PHP Syntax Hilighting 1.2

    Here is an updated version of my PHP Syntax Hilighting script (standalone or as a WordPress plugin). It fixes the issue where a tag emitted by enscript renders the whole page non-XHTML compliant. A preg_replace() call replaces it with standards-compliant XHTML code. Download syntax_hilight-1.2.php …
  17. PHP5 vs. ASP.Net

    Sean Hull wrote a comparison of the new PHP5 versus ASP.Net. It feels like it just touches the surface and does not address many issues, especially when PHP5 is still a glorified template language, whereas ASP.Net includes a whole application server suite.
  18. Turck MMCache for PHP

    I have heard quite a lot of good reports on how Turck MMCache for PHP can improve performance. Performance does not just matter for high-traffic sites; for sites hosted on over-saturated shared hosting, or on a wimpy box like mine, it is still a good thing to have …
  19. Scripturizer for WordPress

    In response to MeanDean's request, I have migrated my original PHP scripturizer to the same level of functionality as his latest Perl version, as well as adding WordPress plugin capability to add Bible reference links through content filter. Download: scripturizer-1.4.php (21 Dec 2004 - blog entry) Download: scripturizer-1.3 …