Joel Spolsky on Twitter:

Although I appreciate that many people find Twitter to be valuable, I find it a truly awful way to exchange thoughts and ideas. It creates a mentally stunted world in which the most complicated thought you can think is one sentence long. It’s a cacophony of people shouting their thoughts into the abyss without listening to what anyone else is saying. Logging on gives you a page full of little hand grenades: impossible-to-understand, context-free sentences that take five minutes of research to unravel and which then turn out to be stupid, irrelevant, or pertaining to the television series Battlestar Galactica. I would write an essay describing why Twitter gives me a headache and makes me fear for the future of humanity, but it doesn’t deserve more than 140 characters of explanation, and I’ve already spent 820.

I couldn't agree more.

I will also be far from being the first to say it, but Twitter is just a poor reimplementation of IRC over HTTP, which is completely inappropriate. Twitter is a constant failure with bad uptime, scalability issues and over-centralization. Twitter is one of the worst things that happened to the Web; it also promotes URL shorteners, which have security issues and double the possible unavailabilities.

Yet another case of trying to be too clever with randomness!

Security is not easy. Programmers should leave things like random number and identifier generation to a library (or at least research the best way to do it). A lot of projects learned it the hard way.

Let's talk for instance of a function I encountered about six months ago:

function generateRandomKey($len = 20)
{
  $string = '';
  $pool   = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
  for ($i = 1; $i < = $len; $i++)
  {
    $string .= substr($pool, rand(0, 61), 1);
  }
 
  return md5($string);
}
 

It is a real gem as it seems it was meant to concentrate everything a programmer should not do.

Flaw 1: Using rand() instead of mt_rand(). Any PHP programmer should know this.

Flaw 2: Using md5() instead of sha1(). Any PHP programmer should know this too.

Flaw 3: Generating a 20 character random string and then hashing it to a 32 character string looks a bit silly. Granted, the hash has less different characters, but still the input can have 7.04423e+35 different values while the output can have 3.40282e+38.

Flaw 4: Calling rand() multiple times. It denotes a strong ignorance on how pseudo-random number generators work. Since the seed doesn't change, it can be easy to guess what will be the next number from the previous ones. It isn't "more random" to call it multiple times.

Flaw 5: Using a very limited range for picking a random number. Also, why choose alphanumeric characters if you are not using them afterwards since they are passed to a hash function? This seems to be very badly designed.

Flaw 6: Feeding md5 with alphanumeric characters, present in all the rainbow tables in the world.

Flaw 7: Ever heard of chr()?

Flaw 8: Why reinvent the wheel? At least if you have a reason, leave a comment (no comments at all on this function).

Without even testing if the results are good or not, any programmer should know this function should be completely rewritten.

Let's see how it should have been done.

 
function generateRandomKey()
{
 
  return base_convert(sha1(uniqid(mt_rand(), true)), 16, 36);
}
 

How did I come up with this? Mostly be reading the PHP manual and not creating a random number generator, but merely using one.

The use of base_convert() is not really important, it is mostly because the database field was too short (nothing is lost from the sha1()). We actually would be better off without sha1() though, it is there mostly for the eye-candy.

uniqid() will take the result of mt_rand() and append it an unique value (but in a predictable range, hence the use of both functions). This is recommended by the PHP manual and is more than enough.

Now you're probably asking yourself where did I find this piece of code.

It is in sfGuardPlugin and sfDoctrineGuardPlugin, for the symfony framework. It's here almost from the start, though it was even wronger. Those are by far the most used plugins, and are endorsed by the official documentation.

What does this mean? On some systems, it will be very easy to brute-force the cookie to log in as any user. Or an user could accidentally become logged as another one, since collisions are highly likely.

Come on, if this is real, someone would have spotted it! I is probably not exploitable.
Actually, it is. I have been able to reproduce it on an older Debian server, and on this server was a website where users reported multiple times getting identified as another user (hopefully this server is retired and the project now runs on the fixed function).
I also tried to reproduce it on a Windows XP virtual machine (since it was the easiest way to get a PHP with a flawed random number generator) with success. Since on these two machines I got a lot of collisions, even on better systems the flaw should be exploitable with some effort.

Why am I doing this?
Because I reported it six month ago, and it received very little attention.
I think symfony is great, but the handling of security isn't (though my other criticisms are more on standard programming or hosting practices encouraged by symfony than on the code; more on the latter in a coming article, be sure to subscribe).

 
    /**
     * returns an array of modified fields and associated values
     * @return array
     * @todo What about a better name? getModifiedFields?
     */
    public function getModified()
    {
        $a = array();
 
        foreach ($this->_modified as $k => $v) {
            $a[$v] = $this->_data[$v];
        }
        return $a;
    }
 
    /**
     * REDUNDANT?
     */
    public function modifiedFields()
    {
        $a = array();
 
        foreach ($this->_modified as $k => $v) {
            $a[$v] = $this->_data[$v];
        }
        return $a;
    }
 

Plugins are great but they are never what you exactly wanted. When they are designed properly, the best way to customize them is to extend them instead of directly editing them.

Now, imagine I have:¹

# Penguin.class.php
class Penguin
{
  public function __construct()
  {
    echo "Windows is bad\n";
  }
}
 

# Herd.class.php
class Herd
{
  public function __construct()
  {
    while ($i++ < 42) new Penguin();
  }
}
 
# test
new Herd();

I want to change Penguin's behavior to something a bit more positive. However I don't want to extend Herd especially if it's tied to Penguin everywhere... I'm stuck with the Penguin class and can't use another one.

With some languages you can alter classes dynamically, and it can be referred as monkeypatching. While it is actually possible in PHP, it is ugly at best; you end up typing code in character strings, losing proper syntax highlighting and the opcode caching. Unless there is a very good language support for these methods it's best to avoid them.

A handful of plugins for Symfony, like sfGuardPlugin (one of the most popular plugins) already have some kind of solution. They come with two classes, a dummy one and a real one:

# Penguin.class.php
class Penguin extends pluginPenguin
{
}
 

# pluginPenguin.class.php
class pluginPenguin
{
  public function __construct()
  {
    echo "Windows is bad\n";
  }
}

Which means you just have to edit the (almost) blank Penguin class.
This is a clean, object-oriented way to solve the problem.

However, there are practicals problems that will arise.

• You still edit an existing file; your modifications would be erased by upgrading to a newer version of the plugin
• It will confuse version control systems if you use one to retrieve the plugin
• Your custom code is in the plugin directory, which is just illogical
• You could chose no to ship any of the blank files, but the user would have to create all of them

There is a very simple solution to overcome all that: the Symfony autoloader will pick classes from local folders (like the lib folder of your project) first.
Which means you can just copy the Penguin.class.php file and customize it:

# Penguin.class.php your project's lib/ folder
class Penguin extends pluginPenguin
{
  public function __construct()
  {
    echo "Linux is good\n";
  }
}

If you don't use Symfony and/or a similar autoloader, there is another solution:

# Penguin.class.php in the sfHerdPlugin directory
require dirname(__FILE__).'/plugin/plugin'.basename(__FILE__);
 
if (is_readable(dirname(__FILE__).'/../sfHerdPluginCustom/'.basename(__FILE__)):
  require dirname(__FILE__).'/../sfHerdPluginCustom/'.basename(__FILE__);
else:
  class Penguin extends pluginPenguin
  {
  }
endif;
 

# Penguin.class.php in the sfHerdPluginCustom directory (optional)
class Penguin extends pluginPenguin
{
  public function __construct()
  {
    echo "Linux is good\n";
  }
}

The cool aspect is that if you don't create any corresponding files in the sfHerdPluginCustom directory, it will still work perfectly.

1. The Herd and Penguin classes are references to GOTO++, a funny programming language.

I recently had to use the serialize() function to store objects in Memcache.

However, I realized that a lot of these objects (Propel objects precisely) were unnecessarily huge when stored: they had a lot of properties with quite long names having their default class value.

That's when I realized I could use the __sleep() function to store only what I wanted. I gave up on using this function before as it would have been to hard to maintain it ...unless you use some meta-programming features of PHP to store only the variables not having their default value! That's what I did, and the results are a faster unserialize(), less memory usage, and no maintenance whatsoever.

Here it is:

 
class Util
{
  public static function cmp($a, $b)
  {
 
    return $a === $b ? 0 : 1;
  }
}
 
class Penguin
{
  function __sleep()
  {
    // Get the name of the changed properties
    $vars = array_keys(
              array_udiff_assoc(
                get_object_vars($this),
                get_class_vars(get_class($this)),
                array('Util', 'cmp')
              )
            );
 
    // Optional part: call the parent's __sleep() function if there is one
    if (method_exists(get_parent_class($this), '__sleep'))
    {
      $vars = array_merge($vars, parent::__sleep());
    }
 
    return $vars;
  }
}
 

If you use unset() on a default variable, my function will not detect it. Doing this would be a very bad idea anyway.

If your final object extends an object that has private properties, you will need to add my __sleep() function to it too. The good news is that Propel objects only have protected properties.

Update: Unfortunately the $_new attribute of Propel's BaseObject is private, and set to true by default, which should not be the case for already saved objects (the ones you are likely to cache). You could either add it manually in your __sleep() function or use this __wakeup() function:

 
class Penguin extends BaseObject
{
  function __wakeup()
  {
     $this->setNew(false);
  }
}
 

Though the proper way would be to add this to the __sleep() function:

 
  $vars = array_merge(array("\0BaseObject\0_new", "\0BaseObject\0_deleted"), $vars);
 

I wish there was a better way to do all this in PHP!

I've seen some articles on how to configure lighttpd to serve a Symfony project, however they usually did at least one mistake:

• Assuming that requests with periods ('.') are for static files (the period is a default separator in Symfony, and is extensively used in the new admin generators).
• Ignoring parameters after a '?' (they are not widely used, except... in the new admin generators, and can be very useful if your application)

For the first part, there is a much simpler solution to handle static files: most of them are in specific directories, except for a very limited number of ones.

My solution also handles assets published by plugins (you might want to edit the corresponding line to a more liberal one though).

You might want to add your sitemap.xml.gz or robots.txt to this list if you generate them statically.

For the second part, you simply have to match explicitly the '?' part.

Here is the magic:

 
alias.url = (
  "/sf/" => "/home/web/symfony_12/data/web/sf/"
)
 
url.rewrite-once = (
  "^/css/.+" => "$0", # directories with static files
  "^/js/.+" => "$0",
  "^/images/.+" => "$0",
  "^/uploads/.+" => "$0",
  "^/favicon\.ico$" => "$0", # static file example
  "^/sf[A-z]+Plugin.*" => "$0", # plugins
  "^/sf/.+" => "$0", # symfony assets
  "^/backend\.php(/[^\?]*)(\?.*)?" => "/backend.php$1$2", # allow access to another application
  "^(/[^\?]*)(\?.*)?" => "/index.php$1$2" # default application
)
 

I guess the usage of periods in the rules also had the benefit of allowing the access to any alternative application automatically. With my solution you have to add each appname.php file manually, unless you use:

 
  "^/([a-z]+)\.php(/[^\?]*)(\?.*)?" => "/$1.php$2$3", # any app (prod)
 

Or for allowing any environment:

 
  "^/([a-z_]+)\.php(/[^\?]*)(\?.*)?" => "/$1.php$2$3", # any app (any env)
 

Note: your application must contain only lowercase letters, but you're free to adapt it to your own usage.

Today is CSS Naked Day!
My blog works perfectly without any CSS, of course; I often use Lynx to check websites I designed.

Seconds, really.

First, why stop using BIND? For me it just happened because I couldn't understand why BIND wasn't working (again). However there are many other reasons to make the switch before it's too late. BIND has a bad security history, PowerDNS's code is more "modern" and its various parts are well-separated (for example, you are not obligated to even install the recursor, it's another daemon).

PowerDNS now has a BIND zone backend, and it works with both primary (master) and secondary (slave) zones. Before that, only database or other fancy backends were available; for hosting only some small domains it would be overkill and a pain to manage.
However the documentation wasn't really clear. Here is how to do it.

How to do it

You should have this in your pdns.conf file:

# Start the bind backend (you can load multiple backends)
launch=bind
# Path to your BIND named.conf
bind-config=/etc/bind/named.conf
# PowerDNS will check if the zones are modified automatically. No need to reload the daemon!
bind-check-interval=300

And... that's it, you're done.

But don't forget to set allow-axfr-ips with the IPs of the secondary DNS servers of your primary domains in pdns.conf (that's allow-transfer in named.conf).

More details

The only thing needed in named.conf are zone entries, anything else is ignored. For example:

zone "example.com" IN {
    type slave;
    file "/etc/bind/sec/example.com.zone";
    masters { 1.3.3.7; };
};
 
zone "example.net" IN {
    type master;
    file "/etc/bind/pri/example.net.zone";
};

If you want to create your first zone file, you can use the BIND zone file creator.

I also encourage you to try out the pdns_control tool that is bundled with PowerDNS.

What did I use to build this blog? First of all, you will notice I am using WordPress. I looked briefly at the alternatives, but the thing that made me stick with WordPress is that they lack a lot of features and more importantly the WordPress community is amazing (numerous themes and plugins). Granted, a lot of plugins are badly written or out of date... but it's still better than nothing.
Anyway, I discovered a pretty promising blog engine, Zine, written in Python and using the impressive SQLAlchemy.

The only thing I miss with WordPress is the ability to use another markup language in the posts; I can't stand WYSIWYG editors but I don't like writing raw HTML either. Earliest versions supported Markdown but it has been dropped progressively.

The Theme

I used the Thematic Theme Framework. There are many other Theme Frameworks for WordPress, like Hybrid or even K2. These theme frameworks usually come with very good HTML (semantic classes, microformats, SEO optimization, you name it) and a basic CSS. I wanted something light, and Hybrid's website annoying and clearly too greedy; K2 is amazing but a bit too much. I then created a child theme.

The Plugins

There are many plugins for WordPress; that's why it's easy to miss very good plugins. Here is what I use.

SEO

Google XML Sitemaps and All-In-One SEO Pack. They are really popular and vital plugins. I use SEO Pack mainly to disable indexing of anything that would lead to duplicate content (archive pages, etc.) and to insert my validation codes in the home pager header. Redirection can automatically create redirections if you change the slug of a post (and it can do much more too).
By the way, you'll notice that my permalinks are different than the default; I didn't include the day number. I don't think users generally care for it.

Stats

FeedBurner FeedSmith redirects the feed to FeedBurner, Ultimate Google Analytics... well, you guess.

Microformats

Most microformats are already handled by the theme. WpLicense includes a Creative Commons license information in the feed and page, MicroID provides MicroID for the blog, posts, and comments and XRDS Simple is a requirement to run an OpenID server.

Publicity

Sociable provides links to popular social bookmarking services. WP Greet Box greets users and encourages them to subscribe to my RSS feed and vote for me me depending on where they come from.

Antispam

Simple Trackback Validation just should be integrated with WordPress. Mollom is like Akismet but better: it can use OpenIDs (reputation) and provides a captcha to recover your comment. http:BL queries Project Honeypot (more about that later) to block spammers before they try to comment or even spider your site. DoFollow rewards good commenters by removing the "nofollow" rel attribute on certain conditions.

Markup

CodeHighlighter for code syntax highlighting using GeSHi. WP-Footnotes¹.

Pages

I actually used only one of these three plugins but they are very useful and surprisingly unpopular; Page Menu Editor, Page Links To and Exclude Pages from Navigation.

Other

Smart Archives Reloaded provides a really nice Archive page listing every post from the start. OpenID allows commenters to prove it's really them commenting (plus, they get a nice icon) and users to login with an OpenID rather than a password. Simple Tags introduces some nice additions to the standard WordPress tag system, like tag suggestion.

1. Hello!