There’s a Singapore PHP User Group gathering @ SMU on 14th November at 2000 hrs at the School of Information Systems @ Seminar 2.2, Level 2.

8:00pm The session started off with Michael highlighting the events for the evening. The PHP User Group was started in mid 2006; it was not the first PHP user group, but it is currently the only active one. There is also a list of PHP user groups in Singapore, but apparently all the others are inactive.

The mission of the PHP User Group is to develop a bigger and more effective pool of PHP developers in Singapore. It also aims to promote the use of PHP in the Singapore corporate scene, and to promote PHP’s adoption in education institutes in Singapore.

The programs that are available include monthly meet-ups, wiki-community help, a curriculum for education institutes, a directory of PHP developers and users, as well as plans to have a PHP conference. Imagine! Suntec City!

While he was approached by Zen to have a PHP conference here, Michael isn’t so sure if there is enough interest in Singapore to have a conference at all. There is a call to action, where people are encouraged to volunteer to form the core team. Business leaders and educators are also encouraged to help with the curriculum for PHP.

Michael also put out a call for newbies, which someone in the audience questioned, asking if he was trying to rub it in.

8:10pm Some of the topics that will be covered include the development environment and 4 things you need to code anything. The described development environment includes PHP 5.2.x, a web server like Apache 2.x, a DB server such as MySQL 5.x, a web based DB admin tool, as well as a WAMP/MAMP server (http://www.wampserver.com or http://www.mamp.info for Mac); and oh, all notes will be put online tonight.

Other components of the environment include Adobe Dreamweaver, PHP Designer, Eclipse and TextMate – for those who are too lazy to start development from scratch.

8:15pm Someone’s transformer ringtone went off – reminder: please turn off your handphones. =P

4 things that you would have to know will be covered tonight: presenting stuff on screen, types of information, passing information around and program controls. Firstly, how do you show stuff on your screen? For a simple example, you can try the following:

<?php
echo "Hello World";
?>

where the tags are used to enclose the PHP code. “echo” and “print” should produce the same results. “print_r” was supposed to be extremely useful, but it didn’t work during the demonstration.

The next thing that is covered is data types. What are the types of information available and how to manipulate them? The first one is 1-dimensional information, such as words, which are strings. “Hello World” is an example of a string. One good thing about PHP is that we do not have to tell PHP what type we are going to put in.

To join 2 strings together, we use a full stop, such as:

echo "Hello " . "World";

There are also other string manipulators that are available and you can find out more from php.net; or http://sg.php.net/manual/en/ref.strings.php

For numbers, there is no need to place any quotation marks and you can do things such as:

echo 200;

where the system automatically recognises the data type. We can also use number_format() with some parameters to format the numbers. It is particularly useful if we want to present numbers in financial formats.

Lastly there is the Date/time format, which can be easily written and recognised by the system.

Next, there is multi-dimensional data type, such as arrays. An example of such a usage is:

print_r(array("one", "two", "three"));

or if you need the array to start from a 1, you just need to do:

print_r(
    array(
        1 => "one",
        2 => "two",
        3 => "three"
    )
);

You may also embed arrays within arrays such as:

print_r(
    array(
        1 => "one",
        2 => array("one", "two", "three"),
        3 => "three"
    )
);

There are also other types such as XML, JSON or binary files.

The next thing we look at is variables, which is like maths: a = 20. So, how do you pass variables around? In php, it’s handled:

$<name_of_variable> = value;

To assign an array to a variable, we replace the print_r(...) wrapper with $name_of_variable = ... . In addition, when we want to retrieve an element of a multi-dimensional variable, we can use:

echo $<name_of_variable>[position];

There are also some predefined variables in PHP, including $_GET["name"] and $_POST["name"], which are used primarily for form handling. In earlier versions of PHP, the interchangeable use of these 2 variables proved to be a security flaw, which was then fixed in later versions.

Hence, for passing of information between pages, we can either do it through URL parameters or from form post/form get or through sessions and cookies, which will not be covered today.

Lastly, there are control structures. Control structures are instructions that tell the system what to do or when to do it – like putting some intelligence into the system. Some of these include if(){..}, if(){..}else{..}, or if you have more criteria, you might want to consider if(){..} elseif() {..} else {..}. Something to take note of is that comparisons use “==” instead of “=”, which is an assignment rather than a comparison.

If there are more than 2 criteria, then we use something called the switch:

switch ($variable) {
    case 1:
        …
        break;
    case 2:
        …
        break;
    default:
        …
        break;
}

The next control that we look at is the while() function which is used as:

while (condition) {
    …
}

It is important to plan the “condition” properly because an empty string will evaluate to a “false” condition. PHP treats empty strings as false – so take care when using a string variable as a condition. The workaround is to use:

while (isset($variable_name)) {
    …
}

The other control that is commonly used is the for() loop, which is used as:

for (initialization; condition; next_step) {
    …
}

And also

foreach ($variable as $some_variable) {
    …
}

which runs through each element of the array (or each field of a record) and assigns that value to $some_variable. Statements within the {..} then use $some_variable instead of $variable.
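The “empty string is false” caveat above is one instance of PHP’s loose truthiness, which also catches the string "0". This added example (not from the talk or the original post; sample data is constructed) shows three ways to write the while() condition over the same rows, and why === is the safer comparison; it assumes PHP 7 or later for the ?? operator.

```php
<?php
// Added example: PHP's loose truthiness in a while() condition.
// Constructed rows: "0" and "" are both treated as false by PHP.
$rows = ["alpha", "0", "", "beta"];

// Condition 1: bare truthiness, as in while ($var) { ... }.
// The loop stops as soon as it meets "0", which is a perfectly valid value.
function countTruthy(array $rows): int
{
    $i = 0;
    while ($rows[$i] ?? false) {   // ?? avoids an undefined-index notice at the end
        $i++;
    }
    return $i;
}

// Condition 2: isset(), the workaround from the talk.
// isset() is true for "" and for "0"; it is false only for null or a
// missing index, so this loop visits every row and stops at the end.
function countIsset(array $rows): int
{
    $i = 0;
    while (isset($rows[$i])) {
        $i++;
    }
    return $i;
}

// Condition 3: explicit, strict comparison. "0" is kept, only a genuine
// empty string ends the loop, and a missing index is handled first.
function countUntilEmpty(array $rows): int
{
    $i = 0;
    while (isset($rows[$i]) && $rows[$i] !== "") {
        $i++;
    }
    return $i;
}

echo "truthy      : ", countTruthy($rows), "\n";
echo "isset       : ", countIsset($rows), "\n";
echo "until empty : ", countUntilEmpty($rows), "\n";

// The same juggling applies to ==: "0" == false holds, "0" === false does
// not. Comparisons that matter (passwords, tokens, roles) should use ===.
var_dump("0" == false);
var_dump("0" === false);

// foreach, the other form from the talk, never evaluates the values as a
// condition, so it has none of these pitfalls and visits every element.
foreach ($rows as $index => $value) {
    printf("%d => %s\n", $index, var_export($value, true));
}
```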

One other thing: there are programming language specific features, where we will learn how to reuse code and do object oriented programming in PHP. The last lesson is to RTFM @ http://sg.php.net/manual/en/.

This brings us to the end of Michael’s segment, which overran by 10 minutes =) Raymond, CEO of Occamlogic Consulting, is the next presenter.

9:03pm Raymond has about 8 years experience as a business consultant, and he feels that business trends tend to follow IT trends. Today’s outline includes looking at business trends, IT and PHP’s techno-social model.

There was something about steamboats, but I think I missed it totally.

Next, Raymond talked about Mountain Bikes, where the consumers were the first ones to discover/invent the mountain bike, but the bigger businesses do it on the bigger scale. Consumers are like co-inventors, or even people who supported the businesses – consumer co-development.

The next example he gave was books, where some books can be easily downloaded but people will still buy the books. Then, there is Nokia, where consumers co-develop the ringtones and wallpapers, which rides on the need for expression of individuality.

Another example is Linux, which is open-source, but rides on user co-development. Other applications include Facebook, YouTube, wikis and blogs. Facebook probably developed a couple of applications, but the consumers probably developed the majority of the applications.

Linux also contains a core codebase, to which developers contribute the majority of plugins and code for sharing. Blogger also lets users create the content for them, while they apparently earn from Google AdSense. Lastly, there is Wikipedia, which is written by a few thousand people, yet read by millions of readers.

Today, we will look at business trends and consumer co-development. An example is PHP.

He next touched on a typical infrastructure, where the business logic lies on top of web scripting, on top of web server and then the DB and finally the OS. The example he gave is that the business logic runs on top of PHP, apache, MySQL and Linux. He feels that PHP, as a techno-social model, should support the business logic, which is usually not consumer co-developed – since the rest of the model: PHP, apache, MySQL and Linux are.

Someone highlighted that most banks do not run PHP or Linux; such choices are usually influenced by a particular market segment of technology developers. In addition, because PHP is only a recent phenomenon, while banks have existed for the longest time, it is natural that they stick to something with a proven track record.

Someone else also asked whether Raymond was suggesting that PHP is superior because it is consumer co-developed, but Raymond rebutted that PHP has found its place in today’s environment because of social reasons rather than technological reasons. Another reason added by a member of the floor was that it is easy to sue IBM for flaws, whereas it is hard to pinpoint someone in the PHP community. However, it is still possible for a person or organization to take responsibility for PHP development.

Next, there is the closed techno-social model, where the business logic sits on top of ASP, IIS, Oracle/MSSQL and Windows. The point about this is that the entire logic is lying on a model that does not have a consumer co-development model. The risk from a management point of view is that the consumer is dependent on the few people who control each segment, which can be quite traumatic should any of those segments decide to “screw the consumer up” (quoted from Raymond).

Comparing this to Linux, Redhat and Mandrake can go bankrupt for all Raymond cares, but there are still other versions of Linux that the consumer can still depend on.

Comparing the technology, it’s not a matter of whether one is better than the other – although if we compare the OS, we can probably tell that Windows usually crashes after a few days. However, it is possible that Microsoft may one day decide to change their roadmap and consumers will have to follow. On the other hand, development cost in Linux is free, which then allows the business to concentrate on the business logic – which is the bread and butter for the consumer.

Hence if Windows is deemed to be risky ground and a business logic rests on risky ground, then the business may not be as robust. In addition, if a logic rests on stable, open ground, then the logic moves with technological advancement. Raymond also highlighted that Microsoft did not take into account the evolution costs – which come free in an open techno-social model.

There is also the issue of licence cost; a member from the floor mentioned that it is much more expensive to expand a Windows cluster than a Linux cluster. Other issues that one may need to consider are the quality of the programmer that he’s going to hire (certification?) and technical support (24 hours for PHP in the open-source community?).

Raymond next covered websites that run on PHP, which include Joomla, WordPress, MediaWiki (which is the technology behind Wikipedia), Wikipedia itself, ELGG (a social-networking software, very much in the line of Friendster and Facebook @ elgg.org), vtiger (an open source CRM system), Friendster (which wasn’t developed on PHP when it first started), Facebook and activeCollab – which then brings us to the end of his presentation.

Someone from the floor noted that for Wikipedia there is little moderation compared to that of Britannica – which Raymond countered by saying that people who edit Wikipedia are immensely intelligent because they have to be really interested in it. Another member also added that there are also people who vandalize Wikipedia when they are free. However, it is also noted that more popular topics are quickly corrected while more obscure ones are not.

9:50pm Next up is Uzyn, who will be covering security in PHP. However, there is a 10 minute break for all who need the loo. =) Will be back soon! Stay tuned.

10:00pm Welcome back! We now continue with the meet-up. Uzyn is the founder of ping.sg which is an aggregator of local blogs. He was initially employed by Michael’s company and had been programming in PHP for the past 4 years. He’s currently no longer freelancing and is working for some projects now.

Back to the topic: PHP is secure, but it has bugs – just like Windows and the Mac Mini. The insecurity usually lies in the hands of the programmer who assumes that the code is secure. In particular, it lies in the lack of security measures when designing an application. It is also important to update the version of PHP, because security fixes land in the latest version.

And oh, he’s nervous, because he’s a programmer and not a speaker. =)

The first thing that he covered is Cross site Scripting, which can be of different forms (see comics from xkcd.com). An example of malicious input is:

Username: anything
Password: abc' or 1=1 or password='abc

which can bypass any security measures if the SQL statement is not robust. One way to prevent disaster is to escape values used in SQL queries with mysql_real_escape_string(). This converts quotes (') into escaped characters (\').
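The login input above is a SQL injection payload, and the following added example (not from the talk or the original post) reproduces the bypass against a constructed in-memory SQLite table through PDO, beside the fix. It assumes the pdo_sqlite extension is available and uses a prepared statement in place of mysql_real_escape_string(), which was removed in PHP 7.

```php
<?php
// Added example: the login bypass from the talk, and its fix, on SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
// Constructed row. The password is stored in clear only to keep the
// demonstration short; see the section on salting further down.
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");

// The shape of query Uzyn warned about: request input pasted straight into SQL.
function loginVulnerable(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Fix: a prepared statement. The input travels as a bound parameter, never
// as SQL text, so quotes inside it cannot change the WHERE clause.
function loginSafe(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The exact input from the talk, with straight quotes.
$user = 'anything';
$pass = "abc' or 1=1 or password='abc";

// With string building, the WHERE clause becomes
//   username = 'anything' AND password = 'abc' or 1=1 or password='abc'
// AND binds tighter than OR, so "or 1=1" makes it true for every row and a
// user row comes back even though neither the username nor the password
// matched anything.
var_dump(loginVulnerable($db, $user, $pass));

// With the prepared statement the same bytes are compared literally against
// the password column, so no row matches and the login is refused.
var_dump(loginSafe($db, $user, $pass));

// A legitimate login still works through the safe path.
var_dump(loginSafe($db, 'alice', 'correct horse'));
```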

The other issue is Cross-Site Request Forgery (CSRF), which is a little complicated to explain here. It basically means forging a trusted user’s request to a site using code such as: <img src="http://192.168.0.1/post.php?subject=foo&message=bar"/>. This would require knowledge of the internal infrastructure.

Some countermeasures are to use POST instead of GET (which does not put the data in the URL), to request verification from the user, and, lastly, to use an anti-CSRF token, which is a token assigned when the user first accesses the site. $_POST['token'] can then be verified, and a timeout can also be applied. The token is stored as a cookie or in a session.
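The anti-CSRF token described above, as an added example that is not from the talk or the original post. To keep it runnable from the command line the session is passed around as a plain array (in a real application, call session_start() and pass $_SESSION by reference); the 15-minute lifetime is a value chosen for this example, and the requests are constructed.

```php
<?php
// Added example: issue, embed and verify an anti-CSRF token with a timeout.
const TOKEN_LIFETIME = 900; // seconds; chosen for this example

// Issue a token on first contact (or after expiry) and note when it was issued.
function issueToken(array &$session, int $now): string
{
    if (!isset($session['csrf_token'], $session['csrf_issued'])
        || $now - $session['csrf_issued'] > TOKEN_LIFETIME) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // unguessable
        $session['csrf_issued'] = $now;
    }
    return $session['csrf_token'];
}

// Embed the token in every state-changing form so the browser sends it back.
// Using method="post" is the first countermeasure from the talk.
function formHtml(string $token): string
{
    return '<form method="post" action="/post.php">'
         . '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
         . '<input name="subject"><input name="message"><button>Post</button></form>';
}

// Verify $_POST['token'] before acting. A forged <img src=...> or a form on
// another site carries the victim's session cookie but has no way to learn
// the token, so it fails here.
function tokenIsValid(array $session, array $post, int $now): bool
{
    if (!isset($session['csrf_token'], $session['csrf_issued'], $post['token'])) {
        return false;
    }
    if ($now - $session['csrf_issued'] > TOKEN_LIFETIME) {
        return false;                       // the timeout mentioned in the talk
    }
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte from response timing.
    return hash_equals($session['csrf_token'], (string) $post['token']);
}

// Walk-through with a constructed session and constructed requests.
$session = [];
$now = time();
$token = issueToken($session, $now);
echo formHtml($token), "\n";

// 1. The user's own form submission carries the token and is accepted.
$ownRequest = ['token' => $token, 'subject' => 'hi', 'message' => 'there'];
var_dump(tokenIsValid($session, $ownRequest, $now + 10));

// 2. The forged request from the talk (an <img> tag pointing at post.php)
//    carries no token and is rejected.
$forgedRequest = ['subject' => 'foo', 'message' => 'bar'];
var_dump(tokenIsValid($session, $forgedRequest, $now + 10));

// 3. A token past its lifetime is rejected even though it matches.
var_dump(tokenIsValid($session, $ownRequest, $now + TOKEN_LIFETIME + 1));
```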

HTML fingerprinting – Another thing to take note of is to remove common application footers like “Powered by…”, because if there is an exploit for that particular software version, hackers then know which sites can be exploited. By removing all this metadata, hackers will have a harder time knowing what software or plugins are being run.

Hidden fields / security by obfuscation. Programmers often mistake hidden fields for constant fields that can be relied on to send POST data. However, such fields are accessible to the users, and it is not really safe to do so. JavaScript and AJAX that transfer sensitive information are not really safe either, because users may see what is being transferred in the background. Implementing privileges by hiding URLs from sight is also not secure, because it is possible that users know the URL anyway (like Windows Vista, IE 7).

It is also dangerous to use variables to access files, such as http://www.foo.com/show.php?file=about.htm, which really asks the server to show whatever file is named in the file variable. A hacker may ask the server to do something like show.php?file=passwordfile.htm if the hacker is familiar with the internal server system. Hence loading files from variables allows a malicious user to access any file on the server, even those outside the web server’s root. Thus, programmers should apply strict sanitization if you REALLY REALLY have to do it – and the same applies to other dangerous PHP functions such as eval().
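One way to harden the show.php?file= pattern, as an added example that is not from the talk or the original post: an allowlist of page names, plus a realpath() check that the resolved path stays inside the pages directory, so the two checks back each other up. The pages directory, its files and the requests are all constructed in a temporary directory so the script runs stand-alone.

```php
<?php
// Added example: confine a file parameter to one directory.
// Constructed fixture: a pages directory with two pages, and one file that
// sits outside it and must never be served.
$tmp = sys_get_temp_dir() . '/pages_demo_' . bin2hex(random_bytes(4));
mkdir($tmp);
mkdir("$tmp/pages");
file_put_contents("$tmp/pages/about.htm", "<h1>About</h1>");
file_put_contents("$tmp/pages/contact.htm", "<h1>Contact</h1>");
file_put_contents("$tmp/secret.txt", "not for the web");
$pagesDir = realpath("$tmp/pages");

// Check 1: only names we expect, mapped to file names we chose. A value with
// "../" or a leading "/" is simply not a key in this table.
const ALLOWED_PAGES = ['about' => 'about.htm', 'contact' => 'contact.htm'];

// Check 2: defence in depth. Whatever name reaches this function, the
// resolved path must still start with the base directory.
function resolveInside(string $baseDir, string $name): ?string
{
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;                        // does not exist
    }
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                        // escaped the base directory
    }
    return $candidate;
}

function showPage(string $baseDir, string $requested): string
{
    if (!isset(ALLOWED_PAGES[$requested])) {
        return "404: no such page";
    }
    $path = resolveInside($baseDir, ALLOWED_PAGES[$requested]);
    return $path === null ? "404: no such page" : file_get_contents($path);
}

// Constructed requests: the legitimate ones and the kind of value the talk
// warned about (a path that points outside the pages directory).
foreach (['about', 'contact', '../secret.txt', 'show.php'] as $req) {
    printf("file=%-16s -> %s\n", $req, showPage($pagesDir, $req));
}

// Check 2 on its own, in case the allowlist were ever relaxed: the
// traversal resolves to a real file, but not one under $pagesDir.
var_dump(resolveInside($pagesDir, '../secret.txt'));
var_dump(resolveInside($pagesDir, 'about.htm'));

// The same rule applies to anything that turns a string into a path or
// code: include/require, eval(), system(). Never pass raw request input in.

// Clean up the fixture.
unlink("$tmp/pages/about.htm");
unlink("$tmp/pages/contact.htm");
unlink("$tmp/secret.txt");
rmdir("$tmp/pages");
rmdir($tmp);
```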

The other mistake that programmers make is that they forget that password files are stored as text. Access to such files should be denied, for example by placing them outside the web server’s configured directories or outside the web root. Programmers should also use the .php extension instead of .inc for included files. This is because a .inc file may be displayed to users in its entirety.

Global variables are also dangerous! They should be turned off, because they can be set through GET exploits. There are no countermeasures other than turning them off.

Encryption should be used, but sometimes even a one-way hash is not entirely safe. A countermeasure is to use a salt (sodium chloride? no, it’s a long string placed before the password) or to enforce strong password requirements.
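What the salt buys you, as an added example that is not from the talk or the original post: a bare hash, the manual “long string before the password” the talk describes, and password_hash() (PHP 5.5+), which salts and slows the hash for you. The talk did not name a hash algorithm; SHA-256 and the sample password are choices made for this example.

```php
<?php
// Added example: bare hash vs. salted hash vs. password_hash().
$password = 'letmein';   // a weak password, constructed for the example

// 1. Bare hash: the same password always yields the same digest, so a
//    precomputed table of digests for common passwords (or two users who
//    share a password) gives it away immediately.
function bareHash(string $password): string
{
    return hash('sha256', $password);
}

// 2. Salted hash, the talk's countermeasure: a random per-user string is
//    put in front of the password, stored beside the digest, and reused
//    when verifying. Digests now differ per user, so tables are useless.
function saltedHash(string $password, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function saltedVerify(string $password, array $stored): bool
{
    $recomputed = hash('sha256', $stored['salt'] . $password);
    return hash_equals($stored['hash'], $recomputed);   // constant-time compare
}

// 3. password_hash() does the salting with a slow, tunable algorithm
//    (bcrypt by default) and embeds the salt in the returned string, which
//    also makes brute force against weak passwords far more expensive.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Two bare hashes of the same password are identical.
echo "bare   : ", bareHash($password), "\n";
echo "bare   : ", bareHash($password), "\n";

// Two salted hashes of the same password differ, yet each still verifies.
$a = saltedHash($password);
$b = saltedHash($password);
echo "salted : ", $a['hash'], "\n";
echo "salted : ", $b['hash'], "\n";
var_dump(saltedVerify($password, $a));   // right password
var_dump(saltedVerify('wrong', $a));     // wrong password

// password_hash()/password_verify() carry the salt inside the stored string.
$stored = modernHash($password);
echo "modern : ", $stored, "\n";
var_dump(password_verify($password, $stored));
var_dump(password_verify('wrong', $stored));
```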

Lastly, error messages should be turned off, because displaying them is a form of HTML fingerprinting and provides clues to your application’s loopholes. In the less serious case, users may see which variable names are being used; in the more serious case, the names of files accessed may be shown. Countermeasures include turning off error display on live sites (always do!) and logging the error messages to a file instead.

The floor is now open for Q & A. There are many reasons on how and why confidential data can be leaked, which may not always be due to technical loopholes. Programmers should always look at all these from a holistic view (anyone tried googling for “facebook source code leaked”?).

Slides are available from http://uzyn.com.

10:35pm The Singapore PHP User Group session is now closed. I will try to get the slides presented today and put them up here. The next meet up will be on 12th December 2007 where AJAX, PHP and Microsoft components will be covered.

Goodnight!

PS: Supper anyone? =)



Reader's Comments

  1. uzyn | November 14th, 2007 at 8:16 pm

    Wow! Good work!

  2. knight | November 14th, 2007 at 8:46 pm

    nice … real time !

  3. knight | November 14th, 2007 at 9:25 pm

    $ = value;

  4. Simply Jean | November 14th, 2007 at 9:26 pm

    @uzyn: haha.. thanks! just trying my luck to live blog again =P

    @knight: thank you! hehe.. by the community, for the community =P

  5. Simply Jean | November 14th, 2007 at 9:46 pm

    @knight: fixed… haha… there’s a technical glitch

  6. LZ | November 14th, 2007 at 10:10 pm

    haha.. sorry the disruption by my SMS… earlier.. haha

  7. Simply Jean | November 14th, 2007 at 10:25 pm

    @LZ: no worries ;)

  8. ClappingTrees | November 14th, 2007 at 10:36 pm

    Cool! :-)

    I have a friend whose husband is looking for Web developers. Can I get a few contacts to pass along?

  9. Tianhong | November 14th, 2007 at 10:37 pm

Nice and keep it up. I would have gone if not I’m in the midst of exams. One question is how does PHP fare when comparing against Python?

  10. Kelly (The Missing Variable) | November 14th, 2007 at 11:30 pm

    Man… It was almost like I was at the event!

    Nice work everyone. I hope that I can make it for the event in January.

    Keep it up!

    P.S. Michael learns to rock ;-)

  11. PG | November 14th, 2007 at 11:42 pm

    Super Stuff…

  12. Damien | November 14th, 2007 at 11:55 pm

    Cool stuff.

    Thanks for the live update!

  13. qh | November 15th, 2007 at 12:02 am

    your typing was madness.. : )

    Great work!

  14. ProFire | November 15th, 2007 at 12:03 am

    Awwwwwww…..

    This is so cool!!!

  15. Keith | November 15th, 2007 at 12:17 am

    heys! i was desperately looking for the person typing at this event… where r u exactly sitting at? good job… (:

  16. Simply Jean | November 15th, 2007 at 1:13 am

    @ClappingTrees: hi there! Thanks! I think miccheng might have some answers for you. Mic, are you there? =)

@TianHong: No worries, there’s still the next one on the 12th December 2007. Will post up details soon. =) Erm, mic, you have any answers for Python?

    @Kelly: Heh.. thanks! I hope you liked it. =) The next one’s in December on the 12th. Will you be coming? =) Yeah, michael rocks! ;)

    @PG: Heh heh… thanks!

    @Damien: thanks! hope you liked it. would you like to come for the next one? =P

    @qh: haha… it’s just ok. it’d work better with a better keyboard though =P

    @ProFire: thanks! I’d still need more practice =)

@Keith: hehe.. thanks! I was sitting at the topmost row on the left of the speaker facing the audience, but on your right from the audience perspective. Probably 3rd or 4th from the rightmost. =)

  17. DK | November 15th, 2007 at 1:35 am

    Wah cool.

    Couldn’t attend the event cause I got something that pop out last minute. Thanks for your notes. :)

  18. BL | November 15th, 2007 at 1:50 am

    Great job with the live-blogging. Awesome with the coverage. :)
    Looks like I can now attend most of these events without a computer. :)

  19. Willy Foo | November 15th, 2007 at 1:53 am

    It was a good gathering..
Anyway a humorous way to answer the question on how PHP compares with Python.. take a look at http://www.thealmightyguru.com/Humor/Docs/ShootYourselfInTheFoot.html

  20. Simply Jean | November 15th, 2007 at 1:53 am

    @DK: Hehe.. thanks! No worries. I think there will be slides. Soon. =P

    @BL: thanks! heh… still picking up. Heard that you are one of the pioneers in live blogging =P

  21. Simply Jean | November 15th, 2007 at 2:00 am

    @Willy Foo: Yes, i think it’s a pretty good gathering and the turn out was just nice =)

  22. Miccheng | November 15th, 2007 at 2:05 am

    Thank you, Jean. You made my day (or night). :D

  23. Miccheng | November 15th, 2007 at 2:07 am

    For more info, do visit http://www.php.com.sg

    Join our Facebook group or just contribute to our Wiki. :D

    Michael

  24. Neil | November 15th, 2007 at 3:58 am

    Wow, Jean this is an amazing synopsis, thanks! even though I can’t remember my passwords, i’ll have no trouble recounting this great event in vivid detail!

  25. Simply Jean | November 15th, 2007 at 10:18 am

    @Miccheng: hey! thanks! no worries =)

    @Neil: thanks! haha… this live blogging is still lacking, and i’m working harder to ensure that I get as many things in as possible. thanks for dropping by! =)

  26. claudia | November 15th, 2007 at 10:31 am

    You rock girl! I’ll never be able to do this. Haha…

    Anyway, nice seeing you again yesterday. Will post my entry later tonite with photos. :)

    Cheers!

  27. Dinu | November 15th, 2007 at 10:36 am

    Wow….nice work. Who needs a secretary when Simply Jean’s around.

  28. Keith | November 15th, 2007 at 11:52 am

    ah. i got it finally.. the lovely lady sitting near shannon. (:

  29. Daniel CerVentus | November 15th, 2007 at 12:22 pm

    Too bad I missed this one.

    Wah transformer Ring tone.
    hahahaha.

    Michael, hopefully get to join you guys next year.

  30. Simply Jean | November 15th, 2007 at 12:30 pm

    @claudia: haha.. I’m just starting out not too long ago too, after live blogging the popout’07 event. heh.. looking forward to your photos! =)

    @Dinu: haha… nay.. you still need a secretary! haha…

    @Keith: oh, is it? hehe.. nevermind, claudia’s photos will be out tonight =P

    @Daniel CerVentus: oh, there’s still the next one in December! Come, come! =) Transformer… more than meets the eye…

  31. Simply Jean » Blog Archive » Get your PHP User Group presentation slides here! | November 15th, 2007 at 4:32 pm

    [...] you have missed the Singapore PHP User Group meeting @ SMU yesterday, fret not! There’s the live blog entry earlier as well as the slides (in PDF format so you can read it on most platforms) [...]

  32. coleman yee | November 15th, 2007 at 6:50 pm

    great effort, and great stuff!

  33. Simply Jean | November 15th, 2007 at 10:14 pm

    @coleman yee: thanks! =)

  34. I miss the Singapore PHP User Group last night | November 15th, 2007 at 11:38 pm

    [...] you can read the live blogging about this whole event on Simple Jean  and she share with us the slides that they are discussing about last night, for her contribution [...]

  35. Singapore Entrepreneurs ~ Venture Capital Funding in Singapore » Blog Archive » Event: Singapore PHP Group Meeting on 14 Nov 2007 | November 16th, 2007 at 11:33 pm

    [...] of PHP for beginners. If you want to know what transpired during the event, do check out Simply Jean’s live-blogging of the whole event, blogs of Keith and U-Zyn. You can also see the photos taken during the event. If you want to catch [...]

  36. Singapore PHP Usergroup Nov Meet-up... The Lighter Side | November 17th, 2007 at 12:15 am

    [...] you need to know about the meet-up can be found on SimplyJean’s blog and in facebook. What you’ll be seeing here is the lighter side of the meet-up… from [...]

  37. Singapore PHP User Group - Report: November 2007 Meetup | January 2nd, 2008 at 11:42 am

    [...] >> Read the Live Blog here! [...]
