Our highest priority is to satisfy the customer through early and continuous delivery of valuable and working software.

Wednesday, May 30, 2007

Debugging php scripts - Xdebug

Want to debug your PHP scripts? :) Use Xdebug.

The Xdebug extension helps you debug your scripts by providing a lot of valuable debug information.

The debug information that Xdebug can provide includes the following:

(1) stack and function traces in error messages with:
o full parameter display for user defined functions
o function name, file name and line indications
o support for member functions

(2) memory allocation

(3) protection for infinite recursions

Xdebug also provides:
(1) profiling information for PHP scripts
- Xdebug's Profiler is a powerful tool that lets you analyze your PHP code and find bottlenecks, or generally see which parts of your code are slow and could use a speed boost. The profiler offers a number of output modes suited to a variety of code-analysis tasks, so you can select the output best suited to your needs. The output itself can also be retrieved in a number of ways for maximum flexibility.

(2) script execution analysis

(3) capabilities to debug your scripts interactively with a debug client

For more details, see
http://www.xdebug.org

Link to documentation for Xdebug 2
http://www.xdebug.org/docs/

Download & install Xdebug for debugging your PHP scripts.
http://www.xdebug.org/docs/install

Monday, May 28, 2007

PHP Server Side Validation
I have made a PHP Server Side Validator for PHP4 and PHP5. It is a simple server-side validator based on OOP concepts. Those who want to save time while developing a PHP application & want server-side validation of their data on the fly can use this class.

Use PHP validator class (validation.class.php), follow some simple rules & validate your data.

How to use the validation class?

<?php
# Include the validation class
require_once("validation.class.php");

# Create an object of class validation
$obj = new validation();

# Call add_fields() for every field you want server-side validation for
$obj->add_fields($postVar, $authType, $errorMsg);

# Validate your data using validate(), which returns the errors if there are any...
$error = $obj->validate();

if($error){
    # Display ERROR messages...
}else{
    # Proceed with other code...
}
?>

How to use the add_fields($postVar, $authType, $errorMsg) function?

$postVar: the $_POST, $_GET or $_FILES entry to validate, e.g. $_POST['username'], $_FILES['images']
$authType: Authentication/validation type
(Currently supports the 26 validation types listed below)

(01) req - Check for blank, unselected, unchecked field/fields

(02) alpha - Only alphabets are allowed (a-z, A-Z)

(03) alphanum - Only alphanumerics are allowed (a-z, A-Z, 0-9)

(04) num - Only numbers are allowed (0-9)

(05) max - Check for maximum character length e.g. max=10
i.e. only a string of maximum length 10 is allowed

(06) min - Check for minimum character length e.g. min=6
i.e. only a string of minimum length 6 is allowed

(07) lte - value should be less than or equal to some value, e.g. lte=2
In the case of a selection box or check box it checks for the minimum no. of selections.

(08) gte - value should be greater than or equal to some value, e.g. gte=4
In the case of a selection box or check box it checks for the maximum no. of selections.

(09) username - validate username

(10) name - validate first name, last name

(11) address - validate address

(12) phone - validate phone no. Allowed options:
in (India), us (US), fr (France), sw (Swedish), br (Brazil)

(13) mobile - validate Mobile no.

(14) zip - validate ZIP code

(15) uszip - validate US ZIP code

(16) ukzip - validate UK ZIP code

(17) ssn - validate Social Security Number

(18) currency - validate currency

(19) email - validate EMAIL address

(20) url - validate URL

(21) ip - validate IP address

(22) date - validate date, default: ddmmyyyy, e.g. date=ddmmyyyy,dd/mm/yyyy
Allowed Date Formats:
# ddmmyyyy, ddmmyy, dd/mm/yyyy, dd/mm/yy, dd.mm.yyyy, dd.mm.yy
# mmddyyyy, mmddyy, mm/dd/yyyy, mm/dd/yy, mm.dd.yyyy, mm.dd.yy
# yyyyddmm, yyddmm, yyyy/dd/mm, yy/dd/mm, yyyy.dd.mm, yy.dd.mm
# yyyymmdd, yymmdd, yyyy/mm/dd, yy/mm/dd, yyyy.mm.dd, yy.mm.dd

(23) ftype - validate file types e.g. ftype=jpg,gif,png
Allowed Options:
txt, xml, csv
zip, tar, ctar
pdf, doc, xls, ppt
jpg, gif, bmp, icon, font

(24) fsize - validate file size e.g. fsize=500

(25) imgwh - validate image width, height e.g. imgwh=800,600
You will need to compile PHP with the GD library of image functions for this to work.

(26) custom - custom validation e.g. custom=/^some regular exp$/

$errorMsg: Error message to be displayed upon error

Download the source code from
http://sourceforge.net/projects/php-validator/

See Demo at
http://php-validator.sourceforge.net/

Feel free to comment! :)

Monday, May 21, 2007

php|tek 2007 at Chicago, USA [May 15-17, 2007]


Ilia Alshanetsky gave some good security tips at php|tek 2007 in Chicago, USA [May 15-17, 2007].

Ilia Alshanetsky is primarily a programmer, although he frequently dabbles in network/server security. Ilia is the chief software architect for Advanced Internet Designs Inc, a company supplying support and development services to a variety of corporate and government entities. Aside from commercial development, he is involved in a number of Open Source projects. Lately Ilia can be found speaking at various PHP conferences and writing articles for print and online magazines.

Download the presentation slide here. http://ilia.ws/files/phptek2007_secpitfalls.pdf

Also, you will find other good resources at http://ilia.ws/talks.php

Friday, May 18, 2007

Internet archive - Yahoo in 1996, Google in 1998 & Microsoft in 1996

One of my friends pointed me to one good website: http://web.archive.org/web/

The website hosts a large Internet archive. The Internet Archive Wayback Machine puts the history of the World Wide Web at your fingertips.

The Archive contains over 100 terabytes and 10 billion web pages archived from 1996 to the present.

To start using the Wayback Machine to surf the web as it was, just type a URL (a web site address) into the box on that site, click the Take Me Back button, and start exploring the past.

See below the screen shots of Yahoo in 1996, Google in 1998 & Microsoft in 1996.

[Screenshot: Yahoo in 1996]

[Screenshot: Google in 1998]

[Screenshot: Microsoft in 1996]

Wednesday, May 16, 2007

Edit MySQL stopword list [MySQL full text search]

There are two ways to edit the MySQL stopword list. Actually it is not editing: it is about creating a new file with your own stopwords & pointing MySQL to that file location.

1st option
----------

Create File: e.g. /etc/stopword.txt
* Change permission of this file, so that MySQL can read it.
* Don't put stopword file in /root, because mysql doesn't have permission to access it there.

Edit /etc/my.cnf file
Search for ft_stopword_file
Change the line to ft_stopword_file=/etc/stopword.txt

Then run following command to restart MySQL.
service mysqld restart

Run the following MySQL command for this change to take immediate effect on any table's full-text index.
REPAIR TABLE table_name QUICK;

2nd option
----------
You'll need to edit the file myisam/ft_static.c, recompile MySQL, and rebuild the indexes!

See the default list of full-text stopwords @
MySQL default stopwords list

Monday, May 14, 2007

Optimize mysql queries

1. use the explain command

The explain command can tell you which indexes are used with the specified query and many other pieces of useful information that can help you choose a better index or query.

Example of usage: explain select * from table

explanation of row output:
* table—The name of the table.
* type—The join type, of which there are several.
* possible_keys—This column indicates which indexes MySQL could use to find the rows in this table. If the result is NULL, no indexes would help with this query. You should then take a look at your table structure and see whether there are any indexes that you could create that would increase the performance of this query.
* key—The key actually used in this query, or NULL if no index was used.
* key_len—The length of the key used, if any.
* ref—Any columns used with the key to retrieve a result.
* rows—The number of rows MySQL must examine to execute the query.
* extra—Additional information regarding how MySQL will execute the query. There are several options, such as Using index (an index was used) and Where (a WHERE clause was used).

2. use less complex permissions

The more complex your permissions setup, the more overhead you have. Using simpler permissions when you issue GRANT statements enables MySQL to reduce permission-checking overhead when clients execute statements.

3. specific mysql functions can be tested using the built-in “benchmark” command

If your problem is with a specific MySQL expression or function, you can perform a timing test by invoking the BENCHMARK() function using the mysql client program. Its syntax is BENCHMARK(loop_count,expression). The return value is always zero, but mysql prints a line displaying approximately how long the statement took to execute.

4. optimize where clauses
* Remove unnecessary parentheses
* COUNT(*) on a single table without a WHERE is retrieved directly from the table information for MyISAM and MEMORY tables. This is also done for any NOT NULL expression when used with only one table.
* If you use the SQL_SMALL_RESULT option, MySQL uses an in-memory temporary table

5. Run optimize table

This command defragments a table after you have deleted a lot of rows from it.

6. avoid variable-length column types where possible

For MyISAM tables that change frequently, you should try to avoid all variable-length columns (VARCHAR, BLOB, and TEXT). The table uses dynamic row format if it includes even a single variable-length column.

7. insert delayed

Use insert delayed when you do not need to know when your data is written. This reduces the overall insertion impact because many rows can be written with a single disk write.

8. use statement priorities
* Use INSERT LOW_PRIORITY when you want to give SELECT statements higher priority than your inserts.
* Use SELECT HIGH_PRIORITY to get retrievals that jump the queue. That is, the SELECT is executed even if there is another client waiting.

9. use multiple-row inserts

Use multiple-row INSERT statements to store many rows with one SQL statement.

10. synchronize data-types

Columns with identical information in different tables should be declared to have identical data types so that joins based on the corresponding columns will be faster.

Saturday, May 12, 2007

Yahoo Pipes


What is Pipes?
Pipes is an interactive tool that enables you to combine many data feeds, like RSS, into a single aggregate. It is a free online service that lets you remix popular feed types and create data mashups using a visual editor. You can use Pipes to run your own web projects, or publish and share your own web services without ever having to write a line of code.

Building a Pipe
You make a Pipe by dragging pre-configured modules onto a canvas and wiring them together in the Pipes Editor.

Each Pipe consists of two or more modules, each of which performs a single, specific task. For example, the Fetch module will retrieve a feed URL, while the Sort module will re-order a feed based on criteria you provide (you can find a complete list of available modules in the documentation.)

Each module has one or more terminals, represented by small circles in the interface. You can wire modules together by clicking on one module's output terminal and another module's input terminal. Now the output from the first module will serve as input to the second module.

In addition to data feeds, Pipes also lets you add user input fields into your Pipe. These show up at runtime as form fields that users of your Pipe can fill in.

Sharing a Pipe
Once you've built a Pipe, you'll be able to save it on our server and then call it like you would any other feed. Pipes offers output in RSS 2.0, RSS 1.0 (RDF), JSON and Atom formats for maximum flexibility. You can also choose to publish your Pipe and share it with the world, allowing other users to clone it, add their own improvements, or use it as a subcomponent in their own creations.

Hosted Pipes
A Hosted Pipe is a web-based interface that Pipes provides which allows you to execute a Pipe that you or someone else has built and published. It's a useful mechanism for quickly determining what type of content a Pipe outputs. It is also a jumping off point for subscribing to a Pipe in your favorite feed reader, viewing how the Pipe was constructed, or cloning it so that you can further tweak it yourself.

Check it out at http://pipes.yahoo.com

Wednesday, May 9, 2007

How to capture error in php if exec() function fails to run some command

How to capture error in PHP if exec() function fails to run some command?

e.g. $command = "ls";
exec($command, $output, $return_value); will give
$return_value = 0 and $output containing the list of files.

But if $command = "lk";
in this case the error will be "lk: command not found",
but exec() will not capture that error into $output.

So, use this before calling exec():
$command .= " 2>&1";

It will redirect the STDERR stream to STDOUT, so that you can capture both OUTPUT as well as ERROR from your PHP script into $output.

Monday, May 7, 2007

print_r() function in javascript

A print_r() function in JavaScript, identical to PHP's print_r() function

function print_r(theObj)
{
    // Only arrays and plain objects are expanded; null/undefined would crash on .constructor
    if (theObj === null || theObj === undefined) return;
    if (theObj.constructor == Array || theObj.constructor == Object)
    {
        document.write("<ul>");
        for (var p in theObj)
        {
            var val = theObj[p];
            if (val !== null && val !== undefined &&
                (val.constructor == Array || val.constructor == Object))
            {
                // Print the type of the nested value (not of the parent), then recurse into it
                document.write("<li>[" + p + "] => " + typeof(val) + "</li>");
                document.write("<ul>");
                print_r(val);
                document.write("</ul>");
            }
            else
            {
                // Keys and values are written as raw HTML, so only dump data you trust
                document.write("<li>[" + p + "] => " + val + "</li>");
            }
        }
        document.write("</ul>");
    }
}
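The same dump written so that it is safe to show data that came from a form or a server response, as an added example that is not part of the original post: it returns an HTML string instead of calling document.write(), escapes every key and value, dumps own properties only, and prints *RECURSION* for cyclic references the way PHP's print_r() does.

```javascript
// Escape the five characters that matter in HTML text and attribute context
function escapeHtml(s) {
    return String(s)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
}

// Arrays and objects are containers; null is typeof "object" but must not be expanded
function isContainer(v) {
    return v !== null && typeof v === "object";
}

// Returns a print_r()-style nested list as escaped HTML.
// `seen` holds the ancestors of the current value so cycles are detected.
function printR(value, seen) {
    seen = seen || [];
    if (!isContainer(value)) {
        return escapeHtml(value);           // scalars, null, undefined
    }
    if (seen.indexOf(value) !== -1) {
        return "*RECURSION*";               // what PHP prints for a cyclic reference
    }
    seen.push(value);
    var label = Array.isArray(value) ? "Array" : "Object";
    var html = label + "<ul>";
    Object.keys(value).forEach(function (key) {   // own properties only, no prototype chain
        html += "<li>[" + escapeHtml(key) + "] =&gt; " + printR(value[key], seen) + "</li>";
    });
    seen.pop();                             // siblings may legitimately share a child object
    return html + "</ul>";
}

// Constructed sample: a decoded form submission whose note field contains markup
var sample = { user: "alice", note: "<b>hi</b>", tags: ["a", "b"] };
var rendered = printR(sample);              // safe to assign to element.innerHTML
```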

Friday, May 4, 2007

File upload through AJAX

Not Possible.

Why?
because AJAX is nothing more than a faster and more elegant way to do a client side interface online. It is designed for client-side programming. It doesn't actually provide any server-side processing capabilities.

AJAX doesn't actually post forms to the server; it sends selected data to the server in the form of a POST or GET request. As JavaScript is not capable of grabbing the file from the user's machine and sending it to the server, it's just not possible with AJAX. You have to resort to the regular old form submit.

If you have read/seen it somewhere, then it is not through AJAX. File uploading occurs through an iframe in this case. You have to use an iframe to upload the files. So, you can use an iframe for asynchronous upload (like AJAX, but it's not AJAX).

How is file uploading done in Gmail? Use the following JavaScript function if you want to achieve the same functionality.

<html>
<head>
<script type="text/javascript">
function fileUpload(form, action_url, div_id)
{
    // Create the iframe...
    var iframe = document.createElement("iframe");
    iframe.setAttribute("id", "upload_iframe");
    iframe.setAttribute("name", "upload_iframe");
    iframe.setAttribute("width", "0");
    iframe.setAttribute("height", "0");
    iframe.setAttribute("border", "0");
    iframe.setAttribute("style", "width: 0; height: 0; border: none;");

    // Add to document...
    form.parentNode.appendChild(iframe);
    window.frames['upload_iframe'].name = "upload_iframe";

    var iframeId = document.getElementById("upload_iframe");

    // Add event...
    var eventHandler = function() {
        var content = "";

        // Detach with the same capture flag used when attaching, or the listener stays registered
        if (iframeId.detachEvent)
            iframeId.detachEvent("onload", eventHandler);
        else
            iframeId.removeEventListener("load", eventHandler, true);

        // Message from server...
        if (iframeId.contentDocument) {
            content = iframeId.contentDocument.body.innerHTML;
        } else if (iframeId.contentWindow) {
            content = iframeId.contentWindow.document.body.innerHTML;
        } else if (iframeId.document) {
            content = iframeId.document.body.innerHTML;
        }

        // The server's reply is inserted as HTML, so the upload script must escape anything it echoes back
        document.getElementById(div_id).innerHTML = content;

        // Del the iframe...
        setTimeout(function() { iframeId.parentNode.removeChild(iframeId); }, 250);
    };

    if (iframeId.addEventListener)
        iframeId.addEventListener("load", eventHandler, true);
    if (iframeId.attachEvent)
        iframeId.attachEvent("onload", eventHandler);

    // Set properties of form...
    form.setAttribute("target", "upload_iframe");
    form.setAttribute("action", action_url);
    form.setAttribute("method", "post");
    form.setAttribute("enctype", "multipart/form-data");
    form.setAttribute("encoding", "multipart/form-data");

    // Submit the form...
    form.submit();

    document.getElementById(div_id).innerHTML = "Uploading...";
}
</script>
</head>
<body>

<!-- index.php could be any server-side script for receiving uploads. -->
<form>
<input type="file" name="datafile" /><br />
<input type="button" value="upload" onclick="fileUpload(this.form, 'index.php', 'upload'); return false;" />
<div id="upload"></div>
</form>

</body>
</html>
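Consuming the iframe's reply as data rather than as markup, as an added example that is not part of the original post: it assumes a hypothetical upload script that answers with a small JSON body such as {"ok":true,"name":"report.pdf","size":1234}, and that the load handler reads the iframe document's body.textContent and passes it here instead of copying innerHTML into the page.

```javascript
// Parse the upload script's reply and turn it into a plain-text status line.
// Anything that is not well-formed JSON of the expected shape (an HTML error
// page, a redirect to a login form, a truncated body) is reported as a failure
// instead of being rendered.
function parseUploadResponse(text) {
    var result;
    try {
        result = JSON.parse(text);
    } catch (e) {
        return { ok: false, message: "Upload failed: unreadable server response" };
    }
    if (typeof result !== "object" || result === null || typeof result.ok !== "boolean") {
        return { ok: false, message: "Upload failed: unexpected server response" };
    }
    if (!result.ok) {
        // The server's error string is shown as text only, never interpreted as HTML
        return { ok: false, message: "Upload failed: " + String(result.error || "unknown error") };
    }
    var name = typeof result.name === "string" ? result.name : "(unnamed)";
    var size = typeof result.size === "number" ? result.size : 0;
    return { ok: true, message: "Uploaded " + name + " (" + size + " bytes)" };
}

// Replacement for `document.getElementById(div_id).innerHTML = content`:
// textContent displays a filename containing angle brackets literally.
function showUploadResult(div, text) {
    var r = parseUploadResponse(text);
    div.textContent = r.message;
    return r.ok;
}

// Constructed sample reply, as the upload script (hypothetical) would write it into the iframe
var sampleReply = '{"ok":true,"name":"report.pdf","size":1234}';
var sampleStatus = parseUploadResponse(sampleReply);   // { ok: true, message: "Uploaded report.pdf (1234 bytes)" }
```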

Wednesday, May 2, 2007

PHP 6

What's new in PHP6?

Unicode
Unicode support at present can be set on a per request basis. This equates to PHP having to store both Unicode and non-Unicode variants of class, method and function names in the symbol tables. In short - it uses up more resources. Their decision is to make the Unicode setting server wide, not request wide. Turning Unicode off where not required can help performance and they quote some string functions as being up to 300% slower and whole applications 25% slower as a result. The decision to move it to the php.ini in my mind does take the control away from the user, and puts it into the hands of the Web Host.

If you compile PHP yourself or are responsible for this on your servers then you may be interested to know that PHP 6 will require the ICU libs (regardless if Unicode is turned on or off). The build system will bail out if the required ICU libs cannot be found. In a nutshell, you'll have another thing to install if you want to compile PHP.

Register Globals to go
Say goodbye folks, this one is finally going. It will no longer be an ini file setting, and if found it will raise an E_CORE_ERROR, pointing you to the documentation on why it's "bad". This means that PHP6 will finally break all PHP3 era scripts (or any script using reg globals) with no recourse at all but to re-code it. That's a bold move, but a needed one.

Magic Quotes to go
The magic quotes feature of PHP will be going, and as with register globals it's going to raise an E_CORE_ERROR if the setting is found anywhere. This will affect magic_quotes, magic_quotes_sybase and magic_quotes_gpc.

Safe Mode to go
This may please developers who have web hosts that insist upon safe mode! But it will now go totally, again raising an E_CORE_ERROR if found. The reason is that apparently they felt it gave the 'wrong signal', implying that it made PHP secure, when in fact it didn't at all. open_basedir will (thankfully) be kept.

'var' to alias 'public'
PHP4 used 'var' within classes. PHP5 (in its OO move) caused this to raise a warning under E_STRICT. This warning will be removed in PHP6 and instead 'var' will mean the same thing as 'public'. This is a nice move, but if anyone has updated their scripts to work under E_STRICT in PHP5 it will be a redundant one for them.

Return by Reference will error
Both '$foo =& new StdClass()' and 'function &foo' will now raise an E_STRICT error.

zend.ze1 compatibility mode to go
ze1 always tried to retain old PHP4 behaviour, but apparently it "doesn't work 100%" anyway, so it will be removed totally and throw an E_CORE_ERROR if detected.

Freetype 1 and GD 1 support to go
Support for both of these (very very old) libs will be removed.

dl() moves to SAPI only
Each SAPI will register the use of this function as required, only the CLI and embed SAPIs will do this from now on. It will not be available elsewhere.

FastCGI always on
The FastCGI code will be cleaned up and always enabled for the CGI SAPI, it will not be able to be disabled.

Register Long Arrays to go
Remember the HTTP_*_VARS globals from yesteryear? Well if you're not already using $_GET, $_POST, etc - start doing so now, because the option to enable long arrays is going (and will throw an E_CORE_ERROR).

Extension Movements
The XMLReader and XMLWriter extensions will move into the core distribution and will be on by default.

The ereg extension will move to PECL (and thus be removed from PHP). This means that PCRE will not be allowed to be disabled. This will make way for the new regular expression extension based on ICU.

The extremely useful Fileinfo extension will move into the core distribution and be enabled by default.

PHP Engine Additions
64 bit integers
A new 64 bit integer will be added (int64). There will be no int32 (it is assumed unless you specify int64)

Goto
No 'goto' command will be added, but the break keyword will be extended with a static label - so you could do 'break foo' and it'll jump to the label foo: in your code.

ifsetor()
It looks like we won't be seeing this one, which is a shame. But instead the ?: operator will have the 'middle parameter' requirement dropped, which means you'd be able to do something like this: "$foo = $_GET['foo'] ?: 42;" (i.e. if foo is true, $foo will equal 42). This should save some code, but I personally don't think it is as 'readable' as ifsetor would have been.

foreach multi-dim arrays
This is a nice change - you'll be able to foreach through array lists, i.e. "foreach( $a as $k => list($a, $b))".

{} vs []
You can currently use both {} and [] to access string indexes. But the {} notation will raise an E_STRICT in PHP5.1 and will be gone totally in PHP6. Also the [] version will gain substr and array_slice functionality directly - so you could do "[2,]" to access characters 2 to the end, etc. Very handy.
OO changes
Static Binding
A new keyword will be created to allow for late static binding - static::static2(), this will perform runtime evaluation of statics.

Namespaces
It looks like this one is still undecided - if they do implement namespaces it will be using their style only.

Type-hinted Return Values
Although they decided against allowing type-hinted properties (because it's "not the PHP way") they will add support for type-hinted return values, but have yet to decide on a syntax for this. Even so, it will be a nice addition.

Calling dynamic functions as static will E_FATAL
At the moment you can call both static and dynamic methods, whether they are static or not. Calling a dynamic function with the static call syntax will raise an E_FATAL.
Additions to PHP
APC to be in the core distribution
The opcode cache APC will be included in the core distribution of PHP as standard, it will not however be turned on by default (but having it there saves the compilation of yet another thing on your server, and web hosts are more likely to allow it to be enabled)

Hardened PHP patch
This patch implements a bunch of extra security checks in PHP. They went over it and the following changes will now take place within PHP: Protection against HTTP Response Splitting will be included. allow_url_fopen will be split into two: allow_url_fopen and allow_url_include. allow_url_fopen will be enabled by default. allow_url_include will be disabled by default.

E_STRICT merges into E_ALL
E_STRICT level messages will be added to E_ALL by default. This shows a marked move by the PHP team to educate developers on 'best practices' and to display language-level warnings in a "Hey, you're doing it the wrong way" manner.

Farewell <%
They will remove support for the ASP style tags, but the PHP short-code tag will remain (<?)

Download PHP6 at
http://snaps.php.net/