VT’s Tech Blog

Ever since the upgrade to Wordpress 2.9, I’ve been having a problem in the scheduled posts in Wordpress. Everytime I set a post to be scheduled in the future, it used to miss the scheduled time and never get posted. When I checked the status of these posts in the posts admin area, each of these posts had the status “Missed Schedule” next to them.

There were some blog posts on the net asking me to get some file from the older version of Wordpress and copy it over, but I wasn’t too comfortable doing that, in case that broke anything in the new version of Wordpress. After a lot more digging I found a solution which fixed the problem using a minor edit in wp-includes/cron.php, where a timeout was set to too small an amount, causing the cron to timeout before the posts are actually published.

To fix this problem, you need to edit the cron.php file which is present in the wp-includes folder. Open the file in your favorite text editor and head over to line 229 (in Wordpress 2.9, the exact line number may change depending on your version). Look for the following line:

wp_remote_post( $cron_url, array('timeout' => 0.01, 'blocking' => false, 'sslverify' => apply_filters('https_local_ssl_verify', true)) );

Change that line to increase the timeout to 20 so the line should look like this:

wp_remote_post( $cron_url, array('timeout' => 20, 'blocking' => false, 'sslverify' => apply_filters('https_local_ssl_verify', true)) );

Remember that you’ll have to make this change manually with each update to Wordpress till they fix this issue – it seems the same issue is present from Wordpress 2.7 onwards and triggers when the server is slow to process the cron.php file. Update: It seems it’s a bug which triggers due to a certain version of PHP’s Curl extension on the server, and will be fixed in the 2.9.1 maintenance release (via)

If you are uncomfortable going and editing this file to fix the problem, you can also try out this plugin which should work for you – Scheduled MIAs plugin.

tip via

XHProf is a heriarcical profiler for PHP originally developed by Facebook and then opensourced. The raw data collection component is implemented in C (as a PHP extension). The reporting/UI layer is all in PHP. It is capable of reporting function-level inclusive and exclusive wall times, memory usage, CPU times and number of calls for each function. Additionally, it supports ability to compare two runs (hierarchical DIFF reports), or aggregate results from multiple runs.

Here are some of the reports that XHProf provides:

• Flat profile (screenshot)
• Hierarchical profile (Parent/Child View) (screenshot)
• Diff Reports : The “flat” view (sample screenshot) & “hierarchical” (or parent/child) diff view of a function (sample screenshot).
• Callgraph View (sample screenshot)
• Memory Profile : XHProf’s memory profile mode helps track functions that allocate lots of memory.

If you are looking for an article which gives you details on how to install this extension in Ubuntu and a quick runthrough of how to use this, Lorenzo Alberton has an excellent article on this at Profiling with XHProf. There’s also a good background article on XHProf and why Facebook developed this extension over at Facebook.

Links:
XHProf Documentation
XHProf on PECL
Profiling with XHProf

Image Credit: from Crestock Photos

When I talk to developers about security in web development, I usually get the answer that the security is taken care by the systems team by securing the server and by using the https protocol. In reality that is just the tip of the iceberg on security. There’s much more you should do as a developer to incorporate security into your applications.

First the myth that using https secures your website – Using the https protocol only secures the communication between the browser and the server. What if the user himself is trying to hack your application? It just secures his session and doesn’t provide security for your website or application at all.

Another assumption I’ve come across is using the form action post is more secure than get. Posted data only seems secure since the data is not visible in the url. If anyone on the network is using a packet sniffer, the post data is still visible if data is transferred through http. Here is where using https helps.

Validate your form data on the server even if you have a super cool looking javascript validation on the browser. Clever users are known to disable javascript on the browser to get around your brilliant client side validation. Which means that if javascript is gone, all your form validation on the browser goes kaput.

On the server-side you have to be strict with your inputs via $_GET and $_POST even if you receive data through the https protocol. Use a good input filter library to clean your input data. Go to the extent of typecasting the inputs to the data-type to what you expect it to be. Using raw inputs to print data on screen or write to database is asking for trouble. This is how cross-site scripting and SQL injection creep into your applications.

I’ve seen really insecure applications take a file name from a query string in the url and go ahead and print the contents on screen. It just makes life easy for the cracker by allowing him to enter the path to a system file and mine the data to get into the server. Don’t ever use public data to craft your file include logic in the code, that’s easily exploitable!

An insecure practice which I’ve noticed is programmers use remote includes into the application, to the extent of having html snippets from other sites in their application. This allows users to inject malicious code from their own servers in your application. Imagine what they can do with this kind of power. Don’t allow users to a remote include code from external server urls whether it’s innocent looking HTML or otherwise.

This is not a comprehensive article on security but a quick one to cover some common issues developers have on web application security. If you need more specifics details, let me know by commenting on this post.

Forum Nokia is launching Qt Mobility Contest,  for which the grand prize is a paid trip to the  upcoming Nokia Developer Summit that takes place in summer 2010 in the USA. To take part in this contest you have to create a working example of an application using QT and QT Mobility API. Don’t stop at making just one application, increase you chances of winning by submitting more, each application you submit could get you to the Nokia Developer Summit.

For more information on this contest, head over to the contest page. You have to register yourself for the contest latest by December 30, 2009.

Links:
About QT
QT Mobility Project
Qt Mobility Contest Page

Over at his blog, Abhinav Singh shows how to use the following extensions to learn more about the internal working of the Zend Engine which powers PHP:

• Tokenizer: The tokenizer functions provide an interface to the PHP tokenizer embedded in the Zend Engine. Using these functions you may write your own PHP source analyzing or modification tools without having to deal with the language specification at the lexical level.
• Parsekit: These parsekit functions allow runtime analysis of opcodes compiled from PHP scripts.
• Vulcan Logic Disassembler (vld): Provides functionality to dump the internal representation of PHP scripts.

He goes on to show how to use these extensions using a sample PHP file and PHP through command line to show what happens when you invoke a script in PHP. Head over to his article to read more.

Link: PHP tokens and opcodes : 3 useful extensions for understanding the working of Zend Engine

Igbinary is a  replacement for the standard PHP serializer. While the PHP serializer uses a texual format to represent the data in the serialized version, igbinary uses a binary format which is compact. This helps in brining down the storage size of the serialized data. This helps while trying to store the data in shared memory or memcache, which uses (limited) RAM to provide faster access to data.

Since I couldn’t find any pre-built binaries, I compiled the code which I got from their site. I compiled the 1.02 build.

Here are quick steps to compile this as a PHP extension for your system ( I tried this on Ubuntu, but should work on other distros as well). Uncompress the contents of the file to a directory and head over to the directory and run the following comands one after the other. Make sure there are no errors in each stage.

>phpize
>./configure CFLAGS="-O2 -g" --enable-igbinary
>make
>make install

If all goes well, the file igbinary.so should be present in your default php extension directory. Once you see this file there, head over to your php.ini file and add the following line at the end of it so that the extension is loaded with PHP.

# Load igbinary extension
extension=igbinary.so

Once you do this, restart your apache server to reload the PHP configurations. When you run phpinfo(), you should see the following lines in the output:

Once you’ve got that in your output, all you need to do is to substitute serialize with igbinary_serialize and unserialize with igbinary_unserialize in your code.

To see the differences in the two formats and see if the serialized and the subsequent unserialize I use the following script with some dummy data to print out the size of the output string of serialize and igbinary_serialize.

$arrc[3]=1;
$arrc[2]=2;
$arrc[0]=3;
$arrc[1][]="Testing";
$arrc[1][]="another data";
$arrc[1][]="structure";
$arrc[]=1;
$arrc[]=2;
$arrc[]=3;
$a = serialize($arrc);
echo "<br />size of Serialize :". strlen($a);
$b = igbinary_serialize($arrc);
echo "<br />size of igbinary :". strlen($b);

The output of this script came up showing that output from igbinary_unserialize does indeed use less space than the the output of serialize. Here’s the output of this script when I ran it:

size of Serialize :126
size of igbinary :74

If you want the igbinary functions to auto replace the default serialize in the PHP session handler, all you need to do is to add the following lines in your php.ini

# Use igbinary as session serializer
session.serialize_handler=igbinary

If you have any experience in using this extension on your projects, let us know your thoughts and observations. You can get more information on igbinary from the author’s site at: http://opensource.dynamoid.com/

If you’re into mobile development, you should head out to this event, the Nokia Developer Convference ‘09. It’s gonna be held at Taj Residency in Bangalore on the 7th of December. Momo Bangalore along with Forum Nokia are having a tweetup tomorrow, so if you’re interested, join in http://twtvite.com/mm3jqk. I’m going for both, so let’s meet up if you’re coming for either of the events. Here’s more information on the conference:

Nokia has recently announced the Forum Nokia Developer Conference’09 to be held on the 7th December 2009 at the Taj Residency, Bangalore. Titled ‘Unlock Star’, the conference aims at leveraging the limitless possibilities of the mobile device to drive developer success. Mr. D Shivakumar, VP and Managing Director, Nokia India along with Ms. Purnima Kochikar, Vice President, Forum Nokia and Developer Community will deliver the opening keynotes, addressing leading software developers, network operators and content partners about Nokia business and technological development opportunities.

Registrations for the conference are now open at www.nokiadevcon.in. Aimed at bringing together attendees from across India to learn, share and explore the latest in application and content development, integration and distribution opportunities for Nokia devices and services, the forum will enable developers to utilize the potential of Nokia’s Ovi Store by ensuring easy access to publish applications and content to millions of Nokia devices. The conference will further help developers acquaint themselves with dynamic technology platforms for creating truly compelling user experiences, equipping them with new skills, new connections, and new ideas to create future technologies. The event would also have information sharing sessions by Industry, Business and Technology experts.

Developer attendees can also schedule one-on-one meetings at the Summit with Nokia technology and business experts to answer open questions. In addition, Forum Nokia’s Technology Expert would share the latest mobile technologies and platforms that promise to substantially broaden the software development and business horizons of mobile developers attending the event.

Over the last decade, Forum Nokia has been working extensively with the developer community in India, providing them all necessary support in terms of tools and distribution channels to bring them at par with the international community. Today, Forum Nokia has over 180, 000 registered developers in India and accounts for the single largest concentration of incoming web traffic onwww.forum.nokia.com from any country.

For more information and to register in advance for the Forum Nokia Developer Conference 2009, visit: www.nokiadevcon.in

About Forum Nokia
Nokia’s global developer program, Forum Nokia connects developers to tools, technical information, support, and distribution channels they can use to build and market applications around the globe. From offices in the U.S., Europe, India, China, and Singapore, Forum Nokia provides technical and business development support to developers and operators to assist them in achieving their goal of successfully launching applications and services to consumers and enterprises. More information is available at www.forum.nokia.com.

Here’s a good set of slides Dmitry Baranovskiy on the HTML5 Canvas tag from one of his presentations.

Last week I was searching the net for a program or application to  move some of our .htaccess directives into Apache’s configuration files. The reason I was looking for this is to improve the performance of the site. When we have directives in the .htaccess file, the performance hit on Apache on when it serves each URL is accessed.

If you have a .htaccess file in your web folders, Apache will have to parse the directives in this file and see if there are any .htaccess files in the parent folder. All this happens before your html or php file is hit by Apache. You can read more about the overheads of .htaccess in  this article. This article .htaccess vs httpd.conf by Dawid Golunski shows that he saw apache served about 6.6% less requests/second when .htaccess was used.

A quick Google search landed me on Paul Reinheimer’s blog where he’s created a php script just for this purpose. His htaccess to httpd.conf script parses all the htaccess files from the current folder and all sub-folders and creates a configuration file with the directives for you to place in your Apache’s configuration file.

Just download his script from this link, and place it in your web-root directory which you want to generate the Apache configuration file and run the following command from the command prompt:

php htaccess.php >~/site.conf

After you run that command, you should have a file site.conf in your home folder. You can open this file to get all the directives for you to place in the Apache configuration file. Once you’ve placed this in the apache configuration file, you’ll need to restart Apache for the changes to take effect. Before you restart, make sure you remove your .htaccess file from your web folders.

When I converted a Wordpress’ .htaccess file using this script, here’s the output I got

<directory var="" www="" blog="">
	<ifmodule mod_rewrite.c="">
	RewriteEngine On
	RewriteBase /
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
	</ifmodule>
</directory>

I just put this into the apache2.conf and restarted it, removed the .htaccess from the webroot in /var/www/blog and all the rules worked as they should. As with any script, if you have more complex directives in your .htaccess, test your sites thoroughly before pushing your changes into the production server.

The only (minor) disadvantage I found with this method is that the apache server has to be restarted to make changes to your rule-sets you put in the configuration files. It seems apache just has to be reloaded and doesn’t have to be completely restarted to get the changes to the configuration to take effect (thanks Keleo for the tip). Also this conversion will not be possible if your site is running on a shared webhost where you don’t have access to the apache configuration files.

Links:
Paul Reinheimer’s Article .htaccess to httpd.conf
Paul’s htaccess.php Script
htaccess vs httpdconf – Benchmarks

We got the final dates for the Bangalore PHP user’s meet. The Meet up’s happening on the last Saturday of this month – the 31st of October. We’ve already got more than 30 PHP’ers who have RSVP’ed that they’ll be attending this meet. We may be having a few people come in from Chennai also who want to make it to the event.

If you’re interested in joining us on the 31st, head over to http://www.meetup.com/Bangalore-PHP-Users/calendar/11578824/, signup and RSVP ‘yes’ to the event.

We have a proposed list of talks over at this page. If you’re interested in giving a talk at the event, let me know or simply add it to that list. We’ll finalize the talks as we get closer to the event. Remember that the PHP meetups are not just about the talks, it’ll be a great place for you to meet others in the same field of work. Get to know how others are using PHP and related technologies and discuss issues you’re facing with others how may be able to help.

This month, Microsoft has providing us the venue for us to meet, and so we’re meeting at their office which is just off the Intermediate Ring Road. Hope you see you at this month’s meet.

Links:
Bangalore PHP Users Oct Meetup Calendar
Proposed list of talks for the event