There’s a Singapore PHP User Group gathering @ SMU on 14th November at 2000 hrs at the School of Information Systems @ Seminar 2.2, Level 2.

8:00pm The session started off with Michael highlighting the events for the evening. The PHP User group was started in mid 2006, but it was not the first PHP user group and it is currently the only active one. There are also a list of PHP user groups in Singapore but apparently all are inactive.

The mission of the PHP User Group is to develop a bigger and more effective pool of PHP developers in Singapore. It also aims to promote the use of PHP in the Singapore corporate scene, and also to promote PHP’s adoption in education institutes in Singapore

The programs that are available includes monthly meet-ups, wiki-community help, curriculum for education institutes, providing a directory of PHP developers and users as well as plans to have a PHP conference. Imagine! Suntec City!

While he was approached by Zen to have a PHP conference here, Michael isn’t so sure if there is enough interest in Singapore to have a conference indeed. There is a call to action, where people are encourage to be volunteers to form the core team. Business leaders and educators are also encourage to help in the curriculum for PHP.

Michael also had a call for newbies which was refuted by someone in the audience if he was trying to rub it in.

8:10pm Some of the topics that will be covered includes development environment and 4 things to code anything. The described development environment includes PHP 5.2.x, a web server like apache 2.x, a DB server such as MySQL 5.x, a web based DB admin tool as well as a WAMP/MAMP Server (http://www.wampserver.com or http://www.mamp.info for Mac); and oh, all notes will be put online tonight.

Other components of the environment includes adobe dreamweaver, php designer, eclipse and textmate - for those who are too lazy to start development from scratch.

8:15pm Someone’s transformer ringtone went off - reminder: please turn off your handphones. =P

4 things that you would have to know will be covered tonight: presenting stuff on scrieen, types of information, passing information around and program controls. Firstly, how do you show stuffs on your screen? For a simple example, you can try the following:

< ? php
echo "Hello World";
?>

where the tags are used to confine the php codes. “echo” and “print” should produce the same results. “print_r” was supposed to be extremely useful, but it didn’t work during the demostration.

The next thing that is covered is data types. What are the types of information available and hw to manipulate them? The first one is 1 dimensional information, such as words, which are strings. “Hello World” is an example of a string. One good thing about php is that we do not have to tell php what type we are going to put in.

To join 2 strings together, we use a full stop, such as:

echo “Hello ” . “World”;

There are also other string manipulators that are available and you can find out more from php.net; or http://sg.php.net/manual/en/ref.strings.php

For numbers, there is no need to place any quotation marks and you can do things such as:

echo 200;

where the system automatically recognises the data type. We can also use number_format() with some parameters to format the numbers. It is particularly useful if we want to present numbers in financial formats.

Lastly there is the Date/time format, which can be easily written and recognised by the system.

Next, there is multi-dimensional data type, such as arrays. An example of such a usage is:

print_r(array(”one”,”two”,”three”));

or if you need the array to start from a 1, you just need to do:

print_r(

array(
1=> “one”,
2=> “two”,
3=> “three”

));

You may also embed arrays within arrays such as:

print_r(

array(
1=> “one”,
2=> array(”one”,”two”,”three”),
3=> “three”

));

There are also other types such as XML, JSON or binary files.

The next thing we look at is variables, which is like maths: a = 20. So, how do you pass variables around? In php, it’s handled:

$< name_of_variables> = value;

We replace print_r() with the $ if we want to assign an array to a variable. In addition, when we want to retrieve multi-dimensional variables, we can use:

echo $< name_of_variable>[position];

There are also some predefined data types in PHP, including $_GET[”name”] and $_POST[”name”], which is used primary for form handling. In the earlier versions of PHP, the inter-usage of these 2 variables proved to be a security flaw, which is then fixed in the later versions.

Hence, for passing of information between pages, we can either do it through URL parameters or from form post/form get or through sessions and cookies, which will not be covered today.

Lastly, there are control structures. Control structures are instructions that tell the system what to do or when to do - like providing some intelligence into the system. Some of these include if(){..};, if(){..}else{..}; or if you have more criteria, you might want to consider if(){..} elseif() {..} else {..};. Something to take note if is that comparisons uses “==” instead of “=”, which is an assignment instead of a comparison.

If there are more than 2 criteria, then we use something called the

switch(variable) {
case 1: …

break;

case 2: …

break;

default: …

break;

};

The next control that we look at is the while() function which is used as:

while(condition) {
…
};

It is important to plan the “condition” properly because an empty string will return a “false” condition. PHP equates empty strings as false - so there is caution when using a string variable as a condition. The work around is using:

while(isset($variable_name)) {
…
};

The other control that is commonly used is the for() function which is used in:

for(initialization;condition;next_step);

And also

foreach($variable as $some_variable) {
…
};

which runs through the array or each field or a record and assigns that value to $lender. Statements within the {..} then uses $lender instead of $variable.

One other thing, there are programming language specific features, where we will learn how to reuse code and doing object oriented programming in PHP. The last lesson is to RTFM @ http://sg.php.net/manuel/en/.

This brings to the end of Michael’s segment, which was overran by 10 minutes =) Raymond, CEO of Occamlogic Consulting is the next presenter.

9:03pm Raymond has about 8 years experience as a business consultant, where he feels that the business trend thends to follow IT trends. Today’s outline includes looking at business trends, IT and PHP’s techno-social model.

There was something about steamboats, but I think I missed it totally.

Next, Raymond talked about Mountain Bikes, where the consumers were the first ones to discover/invent the mountain bike, but the bigger businesses do it on the bigger scale. Consumers are like co-inventors, or even people who supported the businesses - consumer co-development.

The next example he gave was books, where some books can be easily downloaded but people will still buy the books. Then, there is Nokia, where consumers co-develope the ringtones and wallpapers, which rides on the need for expression of individuality.

Another example is Linux, which is open-source, but rides on user co-development. Other applications include facebook, youtubes, wiki and blogs. Facebook probably develop a couple of applications, but the consumers probably developed the majority of the applications.

Linux also contains a core codebase in which, developers contribute a majority of plugins and codebase for sharing. Blogger also allows users to create the content for them, while they apparently earned from Google Adsense. Lastly, there is Wiki, which is created by a few 1000 people, yet read by millions of readers.

Today, we will look at business trends and consumer co-development. An example is PHP.

He next touched on a typical infrastructure, where the business logic lies on top of web scripting, on top of web server and then the DB and finally the OS. The example he gave is that the business logic runs on top of PHP, apache, MySQL and Linux. He feels that PHP, as a techno-social model, should support the business logic, which is usually not consumer co-developed - since the rest of the model: PHP, apache, MySQL and Linux are.

Someone highlighted that most banks do not run PHP or Linux; which are usually influenced by a particular market segment of technology developers. In addition, because PHP is only a recent phenomenon, while banks have existed for the longest time, it is natural that they still to something that is proven track.

Someone else also highlighted if Raymond is suggesting that PHP is superior because it is consumer co-developed, but Raymond rebutted that PHP is married in today’s environment because of social reasons rather than technological reasons. Other reason that was added by a member on the floor was that it is easy to sue IBM for flaws whereas it is hard to pinpoint to someone in the PHP community. However, it is still possible for someone or organization to take responsibility of development in PHP.

Next, there is the closed techno-social model, where the business logic sits on top of ASP, IIS, Oracle/MSSQL and Windows. The point about this is that the entire logic is lying on a model that does not have a consumer co-development model. The risk from a management point of view is that the consumer is dependent on the few people who controls each of the segment, which can be quite traumatic should each of the segment decide to “screw the consumer up” (quoted from Raymond).

Comparing this to Linux, Redhat and Mandrake can go bankrupt for all Raymond cares, but there are still other versions of Linux that the consumer can still depend on.

By comparing the technology, it’s not a matter of whether one is better than the other - although if we compare the OS, we can probably tell that Windows usually crash after a few days. However, it is possible that Microsoft may one day decide to change their roadmap and consumers will have to follow. On the other hand, development cost in Linux is free, which then allows the business to concentrate on the business logic - which is the bread and butter for the consumer.

Hence if Windows is deemed to be risky ground and if a business logic is rest on risky ground, then the business may not be as robust. In addition, if a logic is rested on stable, open grounds, then the logic moves with technological advancement. Raymond also highlighted that Microsoft did not take into account the evolution costs - which comes free in an open techno-social model.

There is also the issue of licence cost, which a member from the floor mentioned that it is very expensive to expand a windows cluster than a linux cluster. Other issues that one may need to consider is the quality of a programmer that he’s going to hire (certification?) and technical support (24 hours for PHP in the open-source community?).

Raymond next covered on websites that runs on PHP, which includes Joomla, Wordpress, MediaWiki (which is the technology behind Wikipedia), Wikipedia itself, ELGG (a social-networking software, very much in the line of friendster and facebook @ elgg.org), vtiger (open source CRM management system), friendster (which wasn’t developed on PHP when it first started), facebook and activeCollab - which then brings to the end of his presentation.

Someone from the floor noted that for Wikipedia, there is little moderation compared to that of Britannica - which Raymond refuted that people who edit Wikipedia are immensely intelligent because they have to be really interested in it. Another member also added that there are also people who vandalizes Wikipedia when they are free. However it is also noted that more popular topics are quickly corrected while more obscure ones are not.

9:50pm Next up is Uzyn, who will be covering on security in PHP. However, there is a 10 minute break for all who needs the loo. =) Will be back soon! Stay tuned.

10:00pm Welcome back! We now continue with the meet-up. Uzyn is the founder of ping.sg which is an aggregator of local blogs. He was initially employed by Michael’s company and had been programming in PHP for the past 4 years. He’s currently no longer freelancing and is working for some projects now.

Back to the topic, PHP is secured but it just has a bug - just like Windows and Mac Mini. The insecurity usually lies in the hands of the programmer who assumes that the code is secured. In particular, it lies in the lack of security measures in designing an application. It is also important to update the version of PHP because security issues will be updated in the latest version.

And oh, he’s nervous, because he’s a programmer and not a speaker. =)

The first thing that he covered is Cross site Scripting, which can be of different forms (see comics from xkcd.com). An example of malicious input is:

Username: anything
Password: abc’ or 1=1 or password=’abc

which can bypass any security measures if the SQL statement is not robust. One way to prevent disaster from happening is to escape SQL queries using mysql_real_escape_string();. This converts quotes (’) into escaped characters (’).

The other issue is Cross-Site Request Forgeries (CSRF), which is a little complicated to explain here. It basically means to forge other trusted users’ request to a site using the following code: < img src="http://192.168.0.1/post.php?subject=foo&message=bar"/>. This would require knowledge of the internal infrastructure.

Some couter measures to use is to use POST instead of GET which does not post data in the URL. The other measure is to request verification from user, while the last one is to use an anti-CSRF token, which is a token that is assigned when the user first accesses the site. $_POST[’token’] can then be verified and timeout can also be applied. Hence, the token is stored as a cookie or in a session.

HTML fingerprinting - Another thing to take note of is to remove common application footers like “Powered by…” and if there is an exploit in that particular information, hackers may then know which sites can be exploited. By removing all these metadata, hackers will have a harder time of knowing what software or plugins are being ran.

Hidden fields / security by obfuscation. Programmers often mistake hidden fields as constant fields reliable to send POST data. However, such fields are usually accessible by the users and is not really safe to do so. Javascript and AJAX that transfer sensitive information is not really safe too because users may see what is being transferred in the backend. Implement privileges by hiding URLs from sight is also not secure because it is possible that users know the URL (like Windows Vista, IE 7).

It is also dangerous to use variables to access files, such as http://www.foo.com/show.php?file=about.htm, which really asks the server to show any file that is being defined as the file variable. A hacker may ask the server to do something like show.php?file=passwordfile.htm if the hacker is familiar with the internal server system. Hence loading of files from variables allows malicious user to access any files on the server, even those that are out of web server’s root. Thus, programmers should apply strict sanitization if you REALLY REALLY have to do it - and the same applies with other dangerous PHP functions such as eval().

The other mistake that programmers make is that they forget that password files are stored as text. Such files should be denied access, such as placing them out of the web server conf. or out of the web root. Programmers should try to use .php instead of .inc. This is because .inc may be displayed to users in its entirety.

Global variables are also dangerous! They should be turned off because they can be retrieved using GET exploits. There are no counter measures and they should be turned off.

Encryption should be used but sometimes even one-way hash is not entirely safe. A counter measure is to use salt (sodium chloride? no, it’s a long string before the password), or enforce strong password requirement.

Lastly, error messages should be turned off because it is a form of HTML fingerprinting and provides clues to your application’s loopholes. In the less serious case, the users may see what variable names are being used; and in the more serious case, names of files accessed may be shown. Some counter measures include turning off error message for live sites (always do!) or to log the error messages offline.

The floor is now open for Q & A. There are many reasons on how and why confidential data can be leaked, which may not always be due to technical loopholes. Programmers should always look at all these from a holistic view (anyone tried googling for “facebook source code leaked”?).

Slides are available from http://uzyn.com.

10:35pm The Singapore PHP User Group session is now closed. I will try to get the slides presented today and put them up here. The next meet up will be on 12th December 2007 where AJAX, PHP and Microsoft components will be covered.

Goodnight!

PS: Supper anyone? =)

Yes, not kidding you. Until the 15th November, which is tomorrow, all books are off 30% as long as you print out the coupon; and 40% if you are a preferred member! So hurry down to the Borders today! No gimmicks, no frills, but do take note that 1 coupon is valid for 1 book purchase. So if you want to buy 9 books, please print 9 copies of it (or 10 if you want to play safe). Sorry that I am causing more trees to be cut down. =(

Here’s the coupon if you prefer to print from this page:

Here’s the link if you want to trust your own eyes. =P

It’s know that a lot of common essentials such as shampoo, conditioners, makeup powers and even razors contain a certain amount of nanoparticles to either provide the smoothness that your shampoo and conditioners can give you, or to give you that smooth looking skin or even to act as antibacterial agents.

Now, scientists have found out that these very particles that gives you all these good stuffs may actually be giving you cancer. It was found that fishes and mice which have ingested such particles had developed brain cancer and giving lung problems.

While not a worry yet, this insight has given the red alert to some researches who are beginning to discover the uses and possible harm that new technology can give.

Is your shampoo giving you nanoparticles?

SAN FRANCISCO - NANOTECHNOLOGY has been hailed as the science of the future, with micro-particles already powering innovations that remove lines from faces, strengthen beer bottles and clean clothing without water.

Yet early studies also indicate some of these particles, enabled by the latest in engineering science, can cause cancer.

‘We should recognise that there will be mistakes, and there will be hazards,’ said Professor Harry Kroto, who won the 1996 Nobel Prize in chemistry for his discovery of a nanoparticle called the Buckminsterfullerene. ‘On the other had, there’s a possibility that the value of nanotechnology will be overwhelming. For me, it is the science of the 21st century.’ Nanotechnology is the science of creating and working with materials about one nanometer wide, or one-billionth of a meter. A human hair, by contrast, is about 80,000 nanometers across.

Scientists say working with these particles holds the promise of building miniature machines atom by atom, just as every living thing begins with one cell.

‘The big deal here is that we’re domesticating atoms. We’re trying to make the basic building blocks of our world do our bidding,’ said Patrick Lin, director of the Nanoethics Group at California Polytechnic State University.

Some scientists are already using nanotechnology to add small particles of silver, long-known as an antibacterial, to razors, food-storage containers, and ‘anti-fungal’ socks.

Others are exploiting unusual properties that appear at the nano-scale. In the laboratory, for example, normal carbon atoms can be fixed into tube-like shapes, called nanotubes, which are 100 times stronger than steel and only one-sixth its weight.

Such tampering can bring new lighter power to a golf club.

The human impact
The problem is that these particles may be harmful to the human body, and scientists say it will be years before they fully understand their effects. Nanoparticles are small enough to slip unnoticed through a cell membrane but large enough to carry foreign material between strands of DNA.

There are no long-term health studies on the issue, but researchers have seen brain cancer develop in fish that ingest a small number of carbon nanoparticles. Rats that inhale carbon nanotubes have lung problems similar to those caused by asbestos.

‘There’s no reason to think that all of these things are going to be harmful,’ said John Balbus, chief health scientist at Environmental Defense, a public policy group. ‘But we should be prudent because of their ability to get into the body and access parts of it that normal chemicals don’t.’ Federal funding for nanotechnology research has tripled since 2001, but environmental groups complain that regulations have not kept pace.

‘We’re calling on government to invest more money in health, safety, and environmental research so that we can make sure these products are safe,’ said Ian Illuminato, health and environment campaigner at Friends of the Earth.

The Food and Drug Administration announced in July that drugs, cosmetics, or other products manufactured with nanotechnology do not require special regulations or labelling because it said there was no scientific evidence they pose any major safety risks.

Some companies are taking their own steps however.

This year, materials company DuPont agreed to a system - developed with Environmental Defence - for evaluating whether to proceed with projects involving nanoparticles.

Terry Medley, the DuPont lead on the project, described the step as ‘not only common sense but also good business.’ — REUTERS

Article obtained from straitstimes.com on 14th November 2007

Apparently the security cameras in Great World City are fake. Yes, non-working dummy cameras that does not record anything at all. According to the letter sent to the straitstimes.com online forum, a couple had their car damaged in the carpark, where their car was parked in a lot where a camera is supposedly facing it.

When they reported the matter to the security counter, they were told that the cameras are actually fake. The writer also added that “… And it is the same for the cameras in the shopping mall too… ” Is she referring that the other cameras in the buildings are not real too? How about the buildings or shopping centers that are ran by the same management?

Hmm… I suddenly don’t feel very safe…

Security guards claim cameras in Great World City carpark are dummies
LAST week, my husband went to Great World City for dinner.

Being a careful person, he deliberately chose a parking lot near a security camera.

When he went to fetch his car after dinner, he found that someone had knocked his car and that the culprit had already driven off.

My husband immediately headed to the guard room, hoping to trace the culprit from the security camera.

To his surprise, the guard said that all the security cameras in the carpark are dummies. Only the camera at the exit/entrance is real. And it is the same for the cameras in the shopping mall too.

The guard also told him that this issue had been brought up to management a long time ago but that nothing had been done.

Tan Hong Leng (Ms)

Article obtained from the straitstimes.com online forum on 14th November 2007

Sunshine Empire is under investigation because the Monetary Authority of Singapore (MAS) suspects that it is running an illegal investment scheme, as opposed to it being a multi-level marketing firm. Members of the company were supposed to buy and sell products online, from which they would be given a rebate. A particular member had apparently been getting back rebates of $1,440 since his initial investment of $12,000.

It was reported that members may withdraw from the programme anytime, which apparently was not known by some of their members. It is illegal to run an investment scheme in Singapore without seeking approval from the MAS.

Personally, I am quite wary of such schemes because a lot of my friends have fallen into it by the lure of quick money. Even in the proper investment plans there are today, it is not entirely risk free and people should be educated to make proper decisions before putting their money into investments or unorthodox get-rich schemes.

THE Commercial Affairs Department (CAD) said yesterday that it has commenced investigations into controversial multi-level marketing (MLM) firm Sunshine Empire.

It also said it may ask people who have put money into the firm’s schemes to help in the investigation.

According to a company spokesman, the man behind Sunshine’s operations, Mr James Phang, was at the CAD’s office yesterday. He could not be contacted by The Straits Times.

In a statement announcing the probe, the CAD said people who have placed money with Sunshine are advised to wait for further updates from the department on the case.

‘More information will be released in due course, and persons who have placed money with the company may be requested to come forward to assist the CAD in the investigation,’ it added.

Sunshine’s schemes have attracted about 20,000 people here since it was set up in July last year.

But in September, the MLM firm was placed on the Monetary Authority of Singapore’s (MAS) investor alert list.

It attracted the authorities’ interest as its activities appear to be akin to that of a pure investment scheme, for which it is not licensed.

The firm invites people to become ‘merchants’ of online goods, ranging from health supplements to electronics goods.

But concerns centre on the fact that participants can potentially pocket big ‘rebates’ without ever buying or selling these goods.

For instance, businessman Raul Tham, 50, placed $12,000 in Sunshine’s gold plan in August.

Since September, he has been receiving monthly cash ‘rebates’ of $1,440.

The rebates are based on the participants’ cash outlay as well as Sunshine’s global turnover.

Last week, with all the disquiet surrounding Sunshine and with news that Mr Phang was linked to an abandoned Indonesian club project, an award for him was withdrawn.

Mr Phang had been due to receive an Outstanding & Innovative Global Entrepreneur award at yesterday’s Global Business Opportunities Forum, part of the international business networking event Global Entrepolis hosted by Singapore.

Yesterday, the Sunshine spokesman said that ‘business will carry on as usual’, and added that the company had ‘nothing to hide’.

In a statement, the company also said it had recently written to the CAD offering to clarify any misconceptions.

When asked if Sunshine would entertain refund requests, the spokesman said that this has been its policy all along.

He added that there have been no refund requests here so far, but said the Malaysian Sunshine office has received five refund requests, he said.

Most Sunshine participants that The Straits Times interviewed were unaware that they could get refunds.

Meanwhile, the consumer watchdog is advising those who have placed money with Sunshine to ask for refunds if they are worried about the CAD probe.

Consumers Association of Singapore executive director Seah Seng Choon also cautioned investors against putting cash into Sunshine.

He said they are better off putting money in regulated financial schemes, given the higher standards of compliance required by the MAS.

Article obtained from straitstimes.com on 14th November 2007

Heh heh… to friends from ping.sg (miccheng, ridz, daphnemaia, claudia, felix, farinelli, dk, ntt, daniel, tianhong) who came down and my group of friends (steph, kelly, eddy, chin, lynn, jeff and alice) who came down comparatively early - a big thank you to all of you who made the occasion special; else I’d be in lab running my lab rats! =P

For a start, I was late… cos Jeff decided to get me a cake from Secret Receipe. =P Haha.. I didn’t know what was going to be written on the cake until it was opened up in Geek Terminal. When I arrived at GT, I was worried that I’d have problems running between 2 groups… it turned out quite ok, although I have to admit that I spent more time with my group of friends that friends of ping.sg. =( Sorry!!!

Thank goodness friends of ping.sg lived up to the name of GT… cos they brought gadgets and tech stuffs to live up to the title of Geek! Hehe… so much so that I was slightly intimidated by their techi-ness. Haha… and oh,  thanks to daphne for bringing me such lovely flowers!!! And you know what? I was so goon… I forgot to take a picture with daphne! Argh… =(

Lovely flowers right? Sigh… sorry Daphne! Next time need to remind me =P I’m not called sotong for nothing =S

Dinner was a nice soft shell crab pasta (penne) with chilli crab sauce. Heh heh. The taste was fantastic - very much like chilli crab, except that the crab was soft shell. I had to make sure of that else I’d end up peeling shells! The mushroom soup was quite good, but Chin didn’t like his Geek Soup that much. =P He thinks it felt like can soup! =P

Apparently the kitchen took quite a long time to prepare the food - which felt pretty much like a french restaurant. Haha… the chef was supposed to be delicate with his food preparation so as to bring out the best flavour in his food. However, it didn’t turn out to be as good as we thought it’d be… and Kelly gave it the thumbs down…

Oops! Sorry GT, Kelly really doesn’t like your Carbonara. =( Even Eddy who have tasted it gave it the double thumbs down, however, he gave the thumbs up for the Soft Shell Crab Pasta that he ordered; so all’s not lost yet.

Oh, if you happen to order tea in GT, it is served in this dripper style mug, that drains the tea from the leaves. It was speculated that we’d have to wait for the tea to drip - just like coffee, but it turned out that you’d have to press a button on the lid so that the tea can be drained. I’m not sure how long we have to wait for the tea to drip - and whether it’d taste different, but I’m sure by then, the cows would have came home! Moo…

Soon, it was time to cut the cake! Thanks to Chin for helping to get the cake. Yes, it was really nice and yummy… especially if you are a chocolate person! Haha… and oh, Chin is now the official cake cutter for birthday celebrations! Heh heh. Did anyone do a video on his cutting? I think I don’t have it with me

And oh, Chin also like to lick savour the cream on the knife! Haha… isn’t he enjoying it? =P

All good things have to come to an end, and it was really enjoyable to have the company of my friends from ping.sg and my friends from blogcon’05 whom I have known for 2 over years. We should do meetups more often, ya? =P Thanks everyone for coming down. You guys have really made my day! =) To the guys from ping.sg, hey, sorry that I didn’t get to spend much time with you guys. But there’s PHP forum today! Hehe… hope can see you guys there!