Unpredictable hashes for humans

It is not uncommon for web developers to have to generate random ids or hashes. For instance, a large-scale project or framework may want to implement its own PHP session handler, either completely abstracted in its API or by overloading PHP's internal one using session_set_save_handler(). If you do so, unless you want to entrust PHP's core with it, one thing you will have to take care of is generating unique, unpredictable session ids to send to your users as a cookie, allowing the session to persist. Other common use cases for such unique hashes are CSRF tokens inserted in forms or URLs, and authentication tokens for email validation and the like.

Proceed to the article to learn more about it in a (hopefully) easy-to-grasp way; it wasn't written for security experts but for any PHP coder out there who is even remotely interested in security, and you really should be.


May 10, 2010 // PHP

Project management in PHP with Arbit

I would like to attract everyone's attention on the 0.3-alpha release of Arbit.

For those who do not know Arbit yet, it is a project management and issue tracking tool built in PHP. It uses CouchDB as its storage backend by default, but work to support RDBMSes via PDO is in progress.

Interestingly, it also provides experimental support for continuous integration, also fully PHP-based, unlike other popular solutions. This is not enabled by default in this release since it isn't fully ready, but feel free to stop by the IRC channel (#arbit on freenode) to find out more.

The full announcement contains details about what we fixed and implemented in 0.3.

Get involved!

Like all open source projects, Arbit needs your help. I joined the project early this year and we have had a few contributions from other people since then, but we can always use more. So if you are interested and wish to take part by developing new features, fixing bugs or at least reporting them, please don't hesitate to get in touch! And since Elizabeth Naramore's article recently pointed out that most people are afraid to contribute, I would like to say that no matter how skilled you are, contributions are welcome. We will provide assistance if needed.

April 05, 2010 // News, PHP

New design

In recent news, this site got a new design. I thought I could make the content more readable and accessible, so I killed my old templates and style sheets and started from scratch, without Photoshop this time.

There is also mobile browser (Android/iPhone) support, which is achieved with this very handy CSS media query:

<link rel="stylesheet" type="text/css" href="/mobile.css" media="only screen and (max-device-width: 800px)" />

This means any device with a screen 800px wide or narrower will load the mobile.css file on top of the default one. Note that media="handheld" does not work for recent smartphones, which consider themselves a cut above old-school internet-enabled cellphones, so this is the only way to do it.

Any feedback, especially bad, is appreciated.

April 03, 2010 // News

Including open source in the hiring process

We were discussing the difficulty of the hiring process from a company's point of view last week at the GitHub meetup in Paris, and more specifically how hard it is to find quality people without relying on test assignments, which most agree are total bullshit, or on a couple of interviews, which can also be very misleading since so much depends on the person's social skills, or lack thereof.

One big thing that is overlooked, in my opinion, is participation in open source projects, be it a single patch or a long-term commitment. As an employer you can see that the guy has enough interest in programming in general to have taken the extra step of contributing something, and also that his work was accepted by a peer as valid. It is obviously not the full story, and we all know some open source projects' code is utter crap (disclaimer: this also applies to closed source software, you just don't get to see it), but I still believe it gives you a better metric than some code the guy did (or didn't) write and is presenting to you during an interview.

You can use ohloh to track your open-source CV of sorts, and I would very much like it if more companies pushed open source involvement forward in their job ads, probably not as a requirement but at least as a big plus. It would benefit both companies trying to hire good people and good people looking to be recognized. Of course it would also benefit the open source community at large if the work you do there got you more recognition, pushing more people to take the leap and contribute. It is definitely helping already, if only for the contacts you make, which are always good when looking for a job, but increasing the perceived benefit of contributing to the open source world would be great. So I would very much like all you HR people to give it a thought, and other readers, please mention it to HR in your company, your friends looking for work, your little brother starting to study; anyone can contribute.

Any other ideas on how to find great developers? Is your company using open source involvement as a criterion? Did it help?

February 22, 2010 // PHP

Symfony Live 2010 - Symfony2, speaking and stuff

Overall the conference was pretty interesting; since I don't have a lot of experience with symfony I learned quite a bunch of things about its usage. I also met a lot of nice people, and ended the trip yesterday evening at the GitHub meetup, after going for food with a couple of phpBB guys who are really much nicer than the forum software they stand for. They were also very open to us bashing phpBB and seem to be headed towards a brighter future for the next version, which I'm sure nobody will complain about.

I also had my first session at a conference, accompanying Lukas though, so I wasn't really flying by myself yet, but it was still a nice and interesting (and stressful) experience that I will try to repeat. We didn't get all that much feedback by the way, so feel free to give some (here too, if you are too lazy to register on joind.in); the organizers need it, and obviously I wonder how the talk was received as well.

As for Symfony 2 (which now comes with a capital S, please), I kind of saw the flexibility coming since we already implemented a dependency injection container in our Okapi framework at Liip, but I was still impressed by the jump away from symfony (1) that Fabien conceded. Many people would have tried to keep more BC at the cost of going forward, and I'm really glad he didn't; I think it will pay off in the long run. The new version of the framework will basically be able to be totally ripped apart to fit your needs better if you have high performance requirements, which was the major pain point of symfony 1 as far as I'm concerned, and one of our reasons to keep working on Okapi, which is pretty much a baseline micro-framework you can build upon. We will have to see if adopting Symfony in its place makes sense, but it sounds promising and it would offload some maintenance from us, which is always good.

Obviously Symfony 2 isn't going to be stable for a while, and there are some rough edges that still need to be discussed and improved, mostly in the way bundles are handled imo, but it looks very good already and I'll definitely give it a try asap. I would also encourage everyone to do so, especially framework developers, because dependency injection is a pretty awesome thing to have, both for the testability of the code and the flexibility of the development process. Although if that's your only interest in it, checking out the Okapi 2 core (or the liip.to app ported to use it) is probably easier, as there is less code to read and we didn't add any of the abstraction to the dependency injection layer that Symfony 2 has.

February 18, 2010 // PHP

Dwoo is better than Twig

It's lame catchy title day, a more appropriate one would be "Think for yourself", but I want to get my point across.

This is a general purpose idea of course, I don't think there is any case in your life where you shouldn't think for yourself, but this particular post is about programming.

I just read someone (and I won't name names, it's not relevant) who was pondering using Dwoo or Twig in his CMS, and who ended up picking Twig because, and I quote: "but twig says they're better than dwoo so ...". Now I sincerely couldn't care less if someone decides to use something else over Dwoo, which I'm working on in case you didn't know. It's your own choice, and even I wouldn't say Dwoo is the best choice for every damned purpose out there.

What bothers me, though, is that the guy obviously read Fabien Potencier's article about PHP template engines, which was obviously not so much of an objective post, but that has already been discussed so let's not go too deep into it. Anyway, the guy most likely read it, and all it says to dismiss Dwoo is "Unfortunately, Dwoo has no sandbox feature and its core is not flexible enough". So... out of this most enlightening comment, you decide to trust Fabien and just assume Twig is better? I just don't get it.

So again, please, just think for yourself.

December 08, 2009 // PHP

Major glob() fail

I just had the pleasure of discovering another of PHP's little quirks and since it's been almost a year since my last post, I thought it would be a good occasion.

Working on a personal project that lists a bunch of stuff on my hard drive, I found out that directories whose names contain square brackets (those []) don't return any results, for the simple reason that glob reads [stuff] as a character class, just like in regular expressions. Once you know it, it makes perfect sense, but when you don't, the documentation is really not so helpful. Of course it mentions libc's glob() and unix shells, but not everyone knows what that implies at first glance.

My first reaction when I noticed that those directories were missing was to try and escape them with backslashes, which works on unix systems, but not on windows since the backslash is the directory separator. The cross-platform solution is to enclose them in brackets (i.e. [[]), which effectively creates a character class containing only the opening bracket, so it matches correctly.

I then wrote this glob_quote function which, just like preg_quote, escapes the metacharacters that glob uses.

function glob_quote($str) {
    // Wrap each glob metacharacter in a one-character class so it matches
    // literally; this works on both unix and windows, unlike backslashes.
    $from = array('[', '*', '?');
    $to   = array('[[]', '[*]', '[?]');
    return str_replace($from, $to, $str);
}

Another detail worth noting while I'm at it is that this problem also occurs when you call glob('*.txt') if your cwd contains brackets, since in this case the cwd is prepended to the pattern; the solution is to escape it as well, like so:
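As an added example (not the snippet from the original post), the script below exercises glob_quote() against a throwaway directory whose name contains brackets, covering both the direct pattern and the cwd case described above, and also shows why a file name taken from a request should be passed through glob_quote() before it is used in a pattern. The glob-demo[1] directory and notes.txt file are constructed by the script itself.

```php
<?php
// Added example, not code from the original post: exercise glob_quote() against
// a throwaway directory whose name contains brackets, and show why a file name
// taken from a request should go through it before being used in a pattern.

function glob_quote($str) {
    // Wrap each glob metacharacter in a one-character class so it is matched
    // literally; portable, unlike backslash escaping which breaks on Windows.
    return str_replace(array('[', '*', '?'), array('[[]', '[*]', '[?]'), $str);
}

// Number of matches for a pattern; glob() may return false instead of an
// empty array on some platforms, so normalise that to zero.
function hits($pattern) {
    $found = glob($pattern);
    return $found === false ? 0 : count($found);
}

// Constructed layout: <tmp>/glob-demo[1]/notes.txt
$base = sys_get_temp_dir() . '/glob-demo[1]';
if (!is_dir($base)) {
    mkdir($base);
}
file_put_contents($base . '/notes.txt', 'constructed sample');

// 1. Raw path: "[1]" is a character class matching the single character "1",
//    so glob looks for a directory named "glob-demo1" and finds nothing.
echo "raw:        ", hits($base . '/*.txt'), "\n";

// 2. Quoted path: "[[]" is a class containing only "[", followed by the
//    literal "1]", so the real directory name matches.
echo "quoted:     ", hits(glob_quote($base) . '/*.txt'), "\n";

// 3. Relative pattern from inside the bracketed directory; on builds where PHP
//    prepends the cwd to the pattern (the case described in the post) the raw
//    form fails for the same reason and quoting the cwd fixes it.
$old = getcwd();
chdir($base);
echo "cwd raw:    ", hits('*.txt'), "\n";
echo "cwd quoted: ", hits(glob_quote(getcwd()) . '/*.txt'), "\n";
chdir($old);

// 4. Untrusted name: quoted, "*" is a literal asterisk and enumerates nothing,
//    while the exact name "notes" is still found.
echo "name '*':     ", hits(glob_quote($base) . '/' . glob_quote('*') . '.txt'), "\n";
echo "name 'notes': ", hits(glob_quote($base) . '/' . glob_quote('notes') . '.txt'), "\n";

// Remove the constructed files.
unlink($base . '/notes.txt');
rmdir($base);
```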

That's it for today, so until next year..

December 02, 2009 // PHP

Multiton base class

While I like the Singleton pattern every now and then, I prefer the flexibility that the Multiton potentially offers, and it's just an extended version of the Singleton, so it's "compatible" with the Singleton model.

Anyway, to the point: PHP 5.3 is coming, and with Late Static Binding you can write a base Multiton (or Singleton if you insist), which wasn't possible before. I like this very much because you can simply extend it rather than rewriting those (few, I know, but still) lines each time.
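As an added illustration (not the base class from the original post), here is one way such a base Multiton can look with PHP 5.3 late static binding; the DbConnection and Cache subclasses are made up for the demonstration and show that each subclass gets its own pool of keyed instances.

```php
<?php
// Added example, not the author's class: a Multiton base class built on
// PHP 5.3 late static binding ("new static" and get_called_class()).

abstract class Multiton
{
    // Instances keyed first by concrete class name, then by the caller's key.
    private static $instances = array();

    protected $key;

    // Protected so instances can only be obtained through getInstance().
    protected function __construct($key)
    {
        $this->key = $key;
    }

    // "new static" creates the subclass that was actually called, which is
    // what plain "new self" (resolved at compile time) could not do.
    public static function getInstance($key = 'default')
    {
        $class = get_called_class();
        if (!isset(self::$instances[$class][$key])) {
            self::$instances[$class][$key] = new static($key);
        }
        return self::$instances[$class][$key];
    }

    // Stop clone and unserialize() from creating objects outside the registry.
    private function __clone() {}
    public function __wakeup()
    {
        throw new LogicException('Cannot unserialize a multiton');
    }
}

// Hypothetical subclasses; they inherit everything and need no extra code.
class DbConnection extends Multiton {}
class Cache extends Multiton {}

$master  = DbConnection::getInstance('master');
$master2 = DbConnection::getInstance('master');
$slave   = DbConnection::getInstance('slave');
$cache   = Cache::getInstance('master');

var_dump($master === $master2);    // same class and key: same object
var_dump($master === $slave);      // same class, different key: different object
var_dump($cache instanceof Cache); // late static binding built the subclass
var_dump($master === $cache);      // same key, different class: kept apart
```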


December 23, 2008 // PHP

The joys of user stylesheets

User stylesheets are a way to inject some CSS into all the sites you visit. Each browser has its own way of setting it up (if you use Opera, step 2 there should be replaced with: "Tools > Preferences > Advanced > Content > Style Options > Select your css file in My stylesheet"), but the idea is always the same.

I've recently found a couple of uses for these styles, so I thought I might as well share:

Changing gmail's font

I like gmail, but losing my dear monospaced font was annoying me, especially when reading code-related mails with snippets in them. So this little hack allows you to choose the font used in the mail body area of the page. It's made for the "old" gmail interface since I don't have the new one yet, but it can probably be adapted if it doesn't work with the new one.

.XoqCub .ArwC7c {
  font:16px proggytinytt, "courier new", courier !important;
  font-size:16px !important;
}

This uses the proggytinytt font by the way, which is my font of choice for all monospace purposes; if you don't have it, it falls back on courier new/courier.

Saving flickr's images peacefully

Some images on flickr seem to be protected with a file called spaceball.gif that's overlaid onto the actual image, so that when you right-click to save, you hit the transparent gif and can't save the image. With the help of the great CSS3 selector :nth-child(N), you can make sure you hide the gif if it's there.

.photoImgDiv img:nth-child(2) {
	display:none !important;
}

If you have anything useful, feel free to post it in the comments.

November 28, 2008 // Web

Dwoo v1.0 is out

Now that Dwoo's user base has grown a bit and I've received enough feedback and fixed quite a bunch of bugs and design flaws, I feel confident it's time to go stable, so here comes Dwoo 1.0.0.

For those that missed it, Dwoo is a template engine compatible with Smarty templates, with a lot of new features and syntax sugar and a new PHP5 codebase. If you want to read more, I suggest you have a look at my earlier post and its website.


October 22, 2008 // PHP
