PHP-Blog

A few words on bugs and software quality

From time to time I see bugs in the code and I start thinking "Really? Is it possible that no one noticed that bug before? Am I the first person to see this code?". I thought it might be worth writing a little post on what helps me to deal with bugs and software quality in general and what the common pitfalls in a developer's thought process are. Although it is not a very extensive post, I hope it may inspire some developers to try new approaches :-)

In general it is extremely rare for me to commit bugs that would make it into production (maybe less than one a year? hard to say as it is really rare). To be honest I can't remember a serious issue with my code for the last 5 years.

How to build mongodb pecl extension in 32bit for PHP 5.2 on MacOSX Snow Leopard

Unfortunately I have to support PHP 5.2 and I also need to run my Mac in 32 bit mode as my VPN client does not support 64 bit :(

This causes quite a lot of hassle as PHP 5.2 is less and less supported by frameworks, extensions etc. It is also a waste of time as I have to manually build stuff instead of using regular packages, ports etc.

Here is a quick step by step guide on how to get mongodb and PHP5.2 mongo pecl extension going on your MacOSX in 32bit mode!

NOTE: 32 bit mongodb binaries have a 2GB address space limit so you won't be able to process too much on your laptop. You will still be able to code and connect to remote instances just fine.

How to automate testing of mobile domain redirections with JMeter

There are many ways to implement a mobile version of your website but the easiest and probably cleanest one is to use a mobile subdomain.

Once you have your mobile website you want to implement an automated test suite to be able to regression test the functionality after every release. You also want the test suite to be easy to configure and to run against a test environment. In a perfect world you want the test suite to run as part of the continuous integration setup. JMeter allows for all of that and is free. As a huge fan of JMeter I recommend you download it and play around with it as soon as possible.

In this article I describe how to create a test suite for mobile website redirects. You can also download my JMeter test plan and customise it to test your own websites.

How to properly secure remote API calls over SSL from PHP code

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE!

I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment.

Steps to follow

  • Change your hosts file settings to point something like www.somedomain.com to your development server
  • Create a self-signed certificate for this domain and set up an https virtual host to serve it on a local IP or alias
  • Put a test file on that URL

How to structure a Zend Framework application and its dependencies

I have been thinking a bit recently about how to manage dependencies and how to structure Zend Framework based applications to make the code less coupled, more testable and less dependent on the global scope.

I don't mean to be negative but I am not too happy about the web application structure that most articles and books present. In the Zend Framework world the controller seems to be the place where things get done. The controller is the workhorse and this is where all the logic seems to be buried. It also seems to me that the model in MVC is reduced to database integration but there is no services layer for some reason. Wherever you look you will see the same examples with the controller doing all the work and models being simple Zend_Db_Table or Zend_Db_Table_Row instances. You will not see business logic focused classes; Controller or DB Model, that's all you can choose from.

How to compile PHP 5.2 extensions on Mac 10.6 Snow Leopard with MAMP and a 64 bit CPU

It is a bit frustrating that I have to use a Mac and cannot just use the same system that we have in production but well, that is the standard now. So to make the best of it you have to adapt and learn how to deal with operating system issues ;)

I found it a bit tricky to compile PHP extensions like PECL memcache or whatever on my Mac for a few reasons. My Mac comes with PHP 5.3 and I need to run my site on 5.2 that I got from MAMP. In addition I have a 64 bit system that runs PHP in 32 bit mode so I have to tell the compiler to use 32 bit mode only.

A great way to mock chained calls in PHPUnit

A few days ago I had to write a Groovy test for a Java class and I had a long chain of calls to mock. I was not sure how to test it nicely and I started wondering whether there is a nicer way to do it in PHP. Usually in PHP there is a nice way to do almost anything :D

Zend Framework 2 Number Range class mini proposal

I have been working on a little piece of code on the weekend lately and I thought it would be useful to have a numeric range similar to Groovy's range. Maybe there is such code already but a quick Google search did not give me anything useful so I hacked it together myself.

Later on I thought maybe it would be worth sharing it so here it is.

A horrible PHP denial of service vulnerability fix in 5.3.5 and 5.2.17

Please make sure you upgrade PHP to the latest version as soon as possible, as older versions have a major security flaw which makes websites subject to the following DoS attack.

All it takes is for a PHP interpreter (older than 5.3.5 or 5.2.17) to cast the string "2.2250738585072011e-308" to a numeric type. So if you have a form that accepts numbers which are then cast from strings into numeric values on the server side, you are probably affected.

Insert performance comparison of NoSQL vs SQL servers

I played around with CouchDB half a year ago and its performance was just horrible. I have heard a lot of good about MongoDB recently so I thought I would have a look at it.

I think that NoSQL can have really good use cases on the web. The problem is that you need a really performant and stable system if you want to use it in production. I ran just a few simple tests so it's not a real benchmark or anything. It is just a simple test trying to figure out how far behind NoSQL solutions are (performance-wise).

Wiki does matter, why should you write documentation

I know it is obvious but I guess people still ignore the fact that documentation and knowledge sharing is important. Through my career as a developer (so far 8 years) I have not joined a single project nor company that would have proper up-to-date documentation. As a result it takes half a year to catch up, instead of 3 months, for every new person joining the team and it causes constant headaches. I believe that could be improved if there was proper high / mid level documentation.

I know, I know, all the 'lazy developers' will jump and scream "but you should not waste time on documentation! code should document itself!". Well great, should IP addresses, web services, database schemas also document themselves? Being lazy is not a virtue, even though it seems to be cool.

HTTP response splitting and mail headers splitting attacks

There are two similar security issues, both taken care of by the Suhosin patch and strict escaping/encoding rules. They both relate to injecting new lines into headers of network protocols. They are not very well known and I think they are worth mentioning.

HTTP response splitting is a web based attack where a hacker manages to trick the server into injecting new lines into response headers along with arbitrary code. If you use GET/POST parameters in headers like Cookie or Location, then someone could provide new lines along with an XSS attack.

A common example would be a server redirecting to a new location based on some variable (like url). To do it safely you should always encode/escape/cast strings before passing them into the header PHP function.
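One way to apply that rule to a redirect, as an added example that is not code from the original post. The function name `safeRedirectTarget`, the `url` parameter, the allowed host `www.example.com` and the sample inputs are assumptions made for illustration:

```php
<?php
// Added example, not from the original post. Names and hosts are assumptions.

/**
 * Return a value that is safe to place in a Location header, or the
 * fallback when the user-supplied value cannot be trusted.
 */
function safeRedirectTarget($raw, array $allowedHosts, $fallback = '/')
{
    if (!is_string($raw) || $raw === '') {
        return $fallback;
    }
    // Reject CR, LF, NUL, other control characters and backslashes outright
    // instead of stripping them: a plain URL never contains them.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $raw)) {
        return $fallback;
    }
    $parts = parse_url($raw);
    if ($parts === false) {
        return $fallback;
    }
    // Relative target: accept only a path on this site ("/something").
    // "//host/path" is parsed with a host and handled by the branch below.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return ($raw[0] === '/') ? $raw : $fallback;
    }
    // Absolute target: only http(s) to a host on the allow-list.
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    $host   = isset($parts['host']) ? strtolower($parts['host']) : '';
    if (in_array($scheme, array('http', 'https'), true)
        && in_array($host, $allowedHosts, true)) {
        return $raw;
    }
    return $fallback;
}

// Constructed sample inputs; the second one carries an injected header line.
$allowed = array('www.example.com');
$samples = array(
    '/account',
    "/account\r\nX-Injected: 1",
    'https://www.example.com/help',
    '//other.example/landing',
);
foreach ($samples as $sample) {
    echo json_encode($sample), ' => ', safeRedirectTarget($sample, $allowed), "\n";
}

// In a controller (assumed usage):
// header('Location: ' . safeRedirectTarget($_GET['url'], $allowed)); exit;
```

Rejecting the value rather than removing the new lines keeps a tampered parameter from being silently "repaired" into a redirect the user never asked for.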

Ultimate web developer's encoder / decoder

I am happy to present the first release of Ultimate web encoder.

I am a developer and I work a lot with AJAX, JavaScript, PHP, JSON etc. Quite often I need to decode, replace or encode something and I always go through the same process of searching for a base64 encoder or decoder or other tools via Google.

So lately I thought 'how about I do it once and for all', and this is how Ultimate web encoder came to life : )

It is a free online tool that will let you build a chain of transformations with a few simple drag and drops. It will also allow you to apply the transformation multiple times as you do not even reload the page. It's all AJAX under the hood.

PHP Circuit Breaker - initial Zend Framework proposal

Circuit breaker is a component that supports high reliability of web sites. It helps discover, at runtime, which of the external dependencies are failing. Having that knowledge, the application can avoid wasting time on trying to call them until they are back online.

Motivation

A current PHP application may depend on several databases, SOAP/REST web services, external cache providers or data grids, mail, FTP etc.

It is important for the application to keep on functioning even if some of these dependencies fail. To do that, the application has to be able to track when services become unavailable and when they become active again.

If a database or web service is down we want our application to detect it as soon as possible and react accordingly. Maybe the application has a secondary slave database that can be read from? Maybe there is a way to load cached data? If all fails, maybe it's best just to hide some function or display a message that the service will be fully functional soon. What we want to avoid is making every user wait 30s for the database connection (which has to fail anyway).

PHP session in MySQL VS Memcached

In my previous companies we used to serve sessions from MySQL via custom-made session handlers and to be honest we never really had any problems with it. I can't actually remember the traffic and concurrency rates but it was not that low. Currently the solution I'm working with uses memcached for session storage, the default built-in session handler. I am a bit worried about the way it works with memcached.

Problems with memcached sessions in PHP

First of all, memcached is a cache storage engine and it was not designed with sessions in mind. The way the PHP extension uses memcache causes a few more problems in the long run. Here are my concerns: