There’s a Singapore PHP User Group gathering @ SMU on 14th November at 2000 hrs at the School of Information Systems @ Seminar 2.2, Level 2.

8:00pm The session started off with Michael highlighting the events for the evening. The PHP User Group was started in mid 2006; it was not the first PHP user group, but it is currently the only active one. There is also a list of PHP user groups in Singapore, but apparently all of them are inactive.

The mission of the PHP User Group is to develop a bigger and more effective pool of PHP developers in Singapore. It also aims to promote the use of PHP in the Singapore corporate scene and to promote PHP’s adoption in education institutes in Singapore.

The programs that are available include monthly meet-ups, wiki-community help, a curriculum for education institutes, a directory of PHP developers and users, as well as plans to have a PHP conference. Imagine! Suntec City!

While he was approached by Zen to have a PHP conference here, Michael isn’t so sure if there is enough interest in Singapore to have a conference. There is a call to action, where people are encouraged to volunteer to form the core team. Business leaders and educators are also encouraged to help with the PHP curriculum.

Michael also had a call for newbies, which someone in the audience questioned, asking if he was trying to rub it in.

8:10pm Some of the topics that will be covered include the development environment and the 4 things you need to code anything. The described development environment includes PHP 5.2.x, a web server like Apache 2.x, a DB server such as MySQL 5.x, a web-based DB admin tool, as well as a WAMP/MAMP server (http://www.wampserver.com or http://www.mamp.info for Mac); and oh, all notes will be put online tonight.

Other components of the environment include Adobe Dreamweaver, PHP Designer, Eclipse and TextMate – for those who are too lazy to start development from scratch.

8:15pm Someone’s transformer ringtone went off – reminder: please turn off your handphones. =P

4 things that you would have to know will be covered tonight: presenting stuff on screen, types of information, passing information around and program controls. Firstly, how do you show stuff on your screen? For a simple example, you can try the following:

<?php echo "Hello World"; ?>

where the tags are used to confine the PHP code. “echo” and “print” should produce the same results. “print_r” was supposed to be extremely useful, but it didn’t work during the demonstration.

The next thing that is covered is data types. What are the types of information available and how do we manipulate them? The first one is 1-dimensional information, such as words, which are strings. “Hello World” is an example of a string. One good thing about PHP is that we do not have to tell PHP what type we are going to put in.

To join 2 strings together, we use a full stop, such as:

echo "Hello " . "World";

There are also other string manipulators that are available and you can find out more from php.net; or http://sg.php.net/manual/en/ref.strings.php

For numbers, there is no need to place any quotation marks and you can do things such as:

echo 200;

where the system automatically recognises the data type. We can also use number_format() with some parameters to format the numbers. It is particularly useful if we want to present numbers in financial formats.

Lastly there is the Date/time format, which can be easily written and recognised by the system.

Next, there is multi-dimensional data type, such as arrays. An example of such a usage is:

print_r(array("one", "two", "three"));

or if you need the array to start from 1, you just need to do:

print_r(
array(
1 => "one",
2 => "two",
3 => "three"
)
);

You may also embed arrays within arrays such as:

print_r(
array(
1 => "one",
2 => array("one", "two", "three"),
3 => "three"
)
);

There are also other types such as XML, JSON or binary files.

The next thing we look at is variables, which are like maths: a = 20. So, how do you pass variables around? In PHP, it’s handled as:

$name_of_variable = value;

To assign an array to a variable, we replace the print_r() call in the examples above with $name_of_variable = array(...). In addition, when we want to retrieve an element of a multi-dimensional variable, we can use:

echo $name_of_variable[position];

There are also some predefined variables in PHP, including $_GET["name"] and $_POST["name"], which are used primarily for form handling. In the earlier versions of PHP, the interchangeable use of these 2 variables proved to be a security flaw, which was fixed in later versions.

Hence, for passing information between pages, we can either do it through URL parameters, through a form POST/GET, or through sessions and cookies, which will not be covered today.

Lastly, there are control structures. Control structures are instructions that tell the system what to do or when to do it – like providing some intelligence to the system. Some of these include if(){..}, if(){..}else{..}, or if you have more criteria, you might want to consider if(){..} elseif(){..} else{..}. Something to take note of is that comparisons use "==" rather than "=", which is an assignment instead of a comparison.

If there are more than 2 criteria, then we use the switch statement:

switch ($variable) {
case 1: ...
break;
case 2: ...
break;
default: ...
break;
}

The next control that we look at is the while() loop, which is used as:

while (condition) {
...
}

It is important to plan the “condition” properly, because an empty string will evaluate to a “false” condition. PHP treats empty strings as false – so take care when using a string variable as a condition. The workaround is to use:

while (isset($variable_name)) {
...
}
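An added example (not from the meet-up notes) showing the failure mode just described: a loop guarded by the bare string variable stops at the first value PHP treats as false ("" and also "0"), while the isset() form only stops when the element is missing or null. The array contents are constructed sample input.

```php
<?php
// Added illustration, not the speaker's code. PHP treats "", "0", 0,
// null, false and an empty array as false in a boolean context.

function countWithBareCondition(array $items): int
{
    $i = 0;
    $count = 0;
    // Stops at the first "falsy" element, so "" and "0" end the loop early.
    while (isset($items[$i]) && $items[$i]) {
        $count++;
        $i++;
    }
    return $count;
}

function countWithIsset(array $items): int
{
    $i = 0;
    $count = 0;
    // isset() only checks that the element exists and is not null, so
    // the loop walks the whole array regardless of the string values.
    while (isset($items[$i])) {
        $count++;
        $i++;
    }
    return $count;
}

// Constructed sample: the second and third elements are "falsy" strings.
$sample = ["alpha", "0", "", "beta"];
echo "bare condition counted: ", countWithBareCondition($sample), "\n";
echo "isset() counted:        ", countWithIsset($sample), "\n";
```

If the element can legitimately be "" or "0", a stricter guard such as `$items[$i] !== ''` or `$items[$i] !== null` is clearer than relying on isset() alone.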

The other control that is commonly used is the for() loop, which is written as:

for (initialization; condition; next_step) {
...
}

And also

foreach ($variable as $some_variable) {
...
}

which runs through the array, or each field of a record, and assigns each value in turn to $some_variable. Statements within the {..} then use $some_variable instead of $variable.

One other thing: there are language-specific features, where we will learn how to reuse code and do object-oriented programming in PHP. The last lesson is to RTFM @ http://sg.php.net/manuel/en/.

This brings us to the end of Michael’s segment, which overran by 10 minutes =) Raymond, CEO of Occamlogic Consulting, is the next presenter.

9:03pm Raymond has about 8 years of experience as a business consultant, and he feels that business trends tend to follow IT trends. Today’s outline includes looking at business trends, IT and PHP’s techno-social model.

There was something about steamboats, but I think I missed it totally.

Next, Raymond talked about mountain bikes, where consumers were the first to discover/invent the mountain bike, but the bigger businesses then produced it on a bigger scale. Consumers are like co-inventors, or even people who supported the businesses – consumer co-development.

The next example he gave was books, where some books can be easily downloaded but people will still buy the books. Then there is Nokia, where consumers co-develop the ringtones and wallpapers, which rides on the need for expression of individuality.

Another example is Linux, which is open-source but rides on user co-development. Other applications include Facebook, YouTube, wikis and blogs. Facebook probably developed a couple of applications, but the consumers probably developed the majority of the applications.

Linux also contains a core codebase to which developers contribute the majority of plugins and code for sharing. Blogger also lets users create the content for them, while they apparently earn from Google AdSense. Lastly, there is Wikipedia, which is created by a few thousand people, yet read by millions of readers.

Today, we will look at business trends and consumer co-development. An example is PHP.

He next touched on a typical infrastructure, where the business logic lies on top of web scripting, on top of the web server, then the DB and finally the OS. The example he gave is business logic running on top of PHP, Apache, MySQL and Linux. He feels that PHP, as a techno-social model, should support the business logic, which is usually not consumer co-developed – whereas the rest of the model (PHP, Apache, MySQL and Linux) is.

Someone highlighted that most banks do not run PHP or Linux; such choices are usually influenced by a particular market segment of technology developers. In addition, because PHP is only a recent phenomenon while banks have existed for the longest time, it is natural that they stick to something with a proven track record.

Someone else asked whether Raymond was suggesting that PHP is superior because it is consumer co-developed, but Raymond replied that PHP has been embraced in today’s environment for social reasons rather than technological reasons. Another reason added by a member of the floor was that it is easy to sue IBM for flaws, whereas it is hard to pinpoint someone in the PHP community. However, it is still possible for a person or organization to take responsibility for development in PHP.

Next, there is the closed techno-social model, where the business logic sits on top of ASP, IIS, Oracle/MSSQL and Windows. The point about this is that the entire logic rests on a model that does not have consumer co-development. The risk from a management point of view is that the consumer is dependent on the few people who control each segment, which can be quite traumatic should any of them decide to “screw the consumer up” (quoted from Raymond).

Comparing this to Linux: Red Hat and Mandrake can go bankrupt for all Raymond cares, but there are still other versions of Linux that the consumer can depend on.

Comparing the technology, it’s not a matter of whether one is better than the other – although if we compare the OS, we can probably tell that Windows usually crashes after a few days. However, it is possible that Microsoft may one day decide to change their roadmap and consumers will have to follow. On the other hand, development cost in Linux is free, which allows the business to concentrate on the business logic – which is the bread and butter for the consumer.

Hence, if Windows is deemed to be risky ground and the business logic rests on risky ground, then the business may not be as robust. In addition, if the logic rests on stable, open ground, then the logic moves with technological advancement. Raymond also highlighted that Microsoft did not take into account the evolution costs – which come free in an open techno-social model.

There is also the issue of licence cost: a member from the floor mentioned that it is much more expensive to expand a Windows cluster than a Linux cluster. Other issues one may need to consider are the quality of the programmers to be hired (certification?) and technical support (24 hours for PHP in the open-source community?).

Raymond next covered websites that run on PHP, which include Joomla, WordPress, MediaWiki (the technology behind Wikipedia), Wikipedia itself, ELGG (a social-networking software, very much in the line of Friendster and Facebook @ elgg.org), vtiger (an open-source CRM system), Friendster (which wasn’t developed on PHP when it first started), Facebook and activeCollab – which brings us to the end of his presentation.

Someone from the floor noted that Wikipedia has little moderation compared to Britannica – which Raymond countered by saying that people who edit Wikipedia are immensely intelligent because they have to be really interested in it. Another member added that there are also people who vandalize Wikipedia when they are free. However, it was also noted that more popular topics are quickly corrected while more obscure ones are not.

9:50pm Next up is Uzyn, who will be covering security in PHP. However, there is a 10 minute break for all who need the loo. =) Will be back soon! Stay tuned.

10:00pm Welcome back! We now continue with the meet-up. Uzyn is the founder of ping.sg, which is an aggregator of local blogs. He was initially employed by Michael’s company and has been programming in PHP for the past 4 years. He’s currently no longer freelancing and is working on some projects now.

Back to the topic: PHP is secure but it just has bugs – just like Windows and Mac Mini. The insecurity usually lies in the hands of the programmer, who assumes that the code is secure. In particular, it lies in the lack of security measures when designing an application. It is also important to update the version of PHP, because security issues will be fixed in the latest version.

And oh, he’s nervous, because he’s a programmer and not a speaker. =)

The first thing that he covered is Cross site Scripting, which can be of different forms (see comics from xkcd.com). An example of malicious input is:

Username: anything
Password: abc' or 1=1 or password='abc

which can bypass any security measures if the SQL statement is not robust. One way to prevent disaster from happening is to escape SQL query values using mysql_real_escape_string(). This converts quotes (') into escaped characters (\').
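The login-bypass input above is an SQL injection: the quote in the password field closes the string literal and the rest becomes SQL. As an added example (not the speaker's code), the same lookup is shown three ways: concatenated, escaped with mysql_real_escape_string() as recommended above, and as a PDO prepared statement, which is the replacement for the mysql_* extension removed in PHP 7. The users table and column names are assumed; a real application compares password hashes, not raw passwords.

```php
<?php
// Added illustration, not the talk's code. Table/column names are assumed.

// Vulnerable: the attacker-controlled quote ends the string early, so
// "abc' or 1=1 or password='abc" turns into extra WHERE conditions.
function buildQueryUnsafe(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username='$user' AND password='$pass'";
}

// Escaped (PHP 5 era, as in the notes): backslash-escapes ' " \ NUL \n \r
// and Ctrl-Z using the charset of the open connection $link.
function buildQueryEscaped($link, string $user, string $pass): string
{
    $u = mysql_real_escape_string($user, $link);
    $p = mysql_real_escape_string($pass, $link);
    return "SELECT id FROM users WHERE username='$u' AND password='$p'";
}

// Parameterised (PDO): the SQL structure is fixed before any data is bound,
// so the injection string is handled as a plain value and no escaping is needed.
function findUser(PDO $db, string $user, string $passwordHash): ?int
{
    $stmt = $db->prepare(
        'SELECT id FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $user, ':p' => $passwordHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// Constructed input from the notes above, to show how the unsafe query
// changes shape: the WHERE clause now contains "or 1=1".
echo buildQueryUnsafe('anything', "abc' or 1=1 or password='abc"), "\n";
```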

The other issue is Cross-Site Request Forgery (CSRF), which is a little complicated to explain here. It basically means forging another trusted user’s request to a site using code such as: <img src="http://192.168.0.1/post.php?subject=foo&message=bar"/>. This would require knowledge of the internal infrastructure.

Some countermeasures are to use POST instead of GET, which does not put the data in the URL. Another measure is to request verification from the user, while the last one is to use an anti-CSRF token, which is a token assigned when the user first accesses the site. $_POST['token'] can then be verified, and a timeout can also be applied. Hence, the token is stored as a cookie or in a session.
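The anti-CSRF token flow described above, written out as an added example (not the speaker's code): a random token is issued once per session with an expiry, embedded in the form as a hidden field, and checked on POST with a constant-time comparison. The post.php form, its field names, the 30-minute timeout and PHP 7+ (for random_bytes) are assumptions.

```php
<?php
// Added illustration, not the talk's code. Field names and TTL are assumed.
session_start();

const CSRF_TTL = 1800; // seconds a token stays valid (assumed value)

function csrfToken(): string
{
    // Issue a fresh token if none exists yet or the old one has expired.
    $age = time() - ($_SESSION['csrf_time'] ?? 0);
    if (empty($_SESSION['csrf']) || $age > CSRF_TTL) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
        $_SESSION['csrf_time'] = time();
    }
    return $_SESSION['csrf'];
}

function csrfCheck(?string $submitted): bool
{
    if (empty($_SESSION['csrf']) || $submitted === null) {
        return false; // no token issued, or none sent with the form
    }
    if (time() - ($_SESSION['csrf_time'] ?? 0) > CSRF_TTL) {
        return false; // the timeout mentioned in the notes
    }
    // hash_equals() compares in constant time so the token cannot be
    // guessed byte by byte from response timing.
    return hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form token.');
    }
    // ... handle the genuine post.php request (subject, message) here ...
}

// Render the form with the token as a hidden field; a forged <img> or
// cross-site form cannot read the victim's session to obtain it.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="post.php">';
echo '<input type="hidden" name="token" value="' . $token . '">';
echo '<input name="subject"><textarea name="message"></textarea>';
echo '<button type="submit">Post</button></form>';
```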

HTML fingerprinting – Another thing to take note of is to remove common application footers like “Powered by…”; if there is an exploit for that particular software version, hackers can then tell which sites can be exploited. By removing all such metadata, hackers have a harder time knowing what software or plugins are being run.

Hidden fields / security by obfuscation. Programmers often mistake hidden fields for constant fields that can be relied on when sending POST data. However, such fields are accessible to users, so it is not safe to trust them. JavaScript and AJAX that transfer sensitive information are not really safe either, because users can see what is being transferred in the background. Implementing privileges by hiding URLs from sight is also not secure, because users may well know the URL (like Windows Vista, IE 7).

It is also dangerous to use variables to access files, such as http://www.foo.com/show.php?file=about.htm, which really asks the server to show whatever file is named in the file variable. A hacker may ask the server to do something like show.php?file=passwordfile.htm if the hacker is familiar with the internal server system. Hence, loading files from variables allows malicious users to access any file on the server, even those outside the web server’s root. Thus, programmers should apply strict sanitization if you REALLY REALLY have to do it – and the same applies to other dangerous PHP functions such as eval().
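An added example (not the speaker's code) of the strict sanitization the notes call for on show.php?file=...: the requested name is reduced to a bare filename, checked against an allowlist, and the resolved path is confirmed with realpath() to stay inside the pages directory so that "../" sequences cannot reach outside the web root. The pages directory and the allowlisted names are assumptions.

```php
<?php
// Added illustration, not the talk's code. PAGE_DIR and the page names are assumed.

const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['about', 'contact', 'faq'];

function resolvePage(string $requested): ?string
{
    // Drop any directory component and extension the client supplied:
    // "../../etc/passwd" becomes "passwd", "about.htm" becomes "about".
    $name = pathinfo(basename($requested), PATHINFO_FILENAME);

    // Layer 1: only names we publish are accepted at all.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // Layer 2: canonicalise and confirm the file is under PAGE_DIR.
    // realpath() resolves symlinks and "..", and returns false for a
    // missing file, so a prefix check on the result is reliable.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.htm');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolvePage($_GET['file'] ?? 'about.htm');
if ($file === null) {
    http_response_code(404);
    exit('No such page');
}
// Serve it as static content; never include() a user-chosen path.
readfile($file);
```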

The other mistake programmers make is that they forget that password files are stored as text. Access to such files should be denied, for example by placing them outside the web server configuration or outside the web root. Programmers should also use the .php extension instead of .inc, because a .inc file may be displayed to users in its entirety.

Global variables are also dangerous! They should be turned off, because they can be set through GET exploits. There are no countermeasures other than turning them off.

Encryption should be used, but sometimes even a one-way hash is not entirely safe. A countermeasure is to use a salt (sodium chloride? no, it’s a long string prepended to the password), or to enforce strong password requirements.
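The salted one-way hash and strength rule described above, as an added example (not the speaker's code). It uses password_hash() and password_verify(), available since PHP 5.5, which generate a random per-user salt and store it inside the hash string; the md5() line shows the unsalted form the notes warn against. The cost factor and the strength policy are assumptions.

```php
<?php
// Added illustration, not the talk's code. Cost and policy values are assumed.

function weakHash(string $password): string
{
    // Unsalted: identical passwords give identical hashes, so precomputed
    // (rainbow) tables and cross-user comparison work against it.
    return md5($password);
}

function storePassword(string $password): string
{
    // bcrypt: a random 16-byte salt is generated and embedded in the output,
    // and the cost factor slows brute force. Returned string goes in the DB.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $password, string $stored): bool
{
    // Reads the salt and cost back out of $stored, recomputes and compares.
    return password_verify($password, $stored);
}

// A simple strength policy of the kind the notes mention (assumed rule).
function isStrongEnough(string $password): bool
{
    return strlen($password) >= 12
        && preg_match('/[A-Z]/', $password) === 1
        && preg_match('/[a-z]/', $password) === 1
        && preg_match('/[0-9]/', $password) === 1;
}

// Constructed sample: hashing the same password twice yields different
// strings because each call picks a fresh salt, yet both still verify.
$h1 = storePassword('correct horse battery');
$h2 = storePassword('correct horse battery');
var_dump($h1 !== $h2);
var_dump(checkPassword('correct horse battery', $h1));
var_dump(checkPassword('wrong password', $h1));
var_dump(isStrongEnough('Tr0ub4dor&3xyz'));
```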

Lastly, error messages should be turned off, because they are a form of HTML fingerprinting and provide clues to your application’s loopholes. In the less serious case, users may see which variable names are used; in the more serious case, the names of files accessed may be shown. Some countermeasures include turning off error messages for live sites (always do!) or logging the error messages offline.
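An added php.ini fragment (not from the talk) covering the two settings the notes single out: register_globals from the global-variables point above, and error display from this one. Each risky value is shown commented out above the recommended line; the log path is an assumption.

```ini
; Added illustration, not the speaker's configuration. Log path is assumed.

; register_globals = On      ; risky: every request parameter becomes a PHP variable
register_globals = Off

; display_errors = On        ; risky: variable and file names are shown to users
display_errors = Off
log_errors = On
error_log = /var/log/php/app-errors.log   ; assumed path, kept outside the web root
error_reporting = E_ALL                   ; still record everything, just not on screen
```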

The floor is now open for Q & A. There are many reasons how and why confidential data can be leaked, and it is not always due to technical loopholes. Programmers should always look at all these from a holistic view (anyone tried googling for “facebook source code leaked”?).

Slides are available from http://uzyn.com.

10:35pm The Singapore PHP User Group session is now closed. I will try to get the slides presented today and put them up here. The next meet-up will be on 12th December 2007, where AJAX, PHP and Microsoft components will be covered.

Goodnight!

PS: Supper anyone? =)
