13 July 2010

HTML5 in brief – Getting Started

HTML5 source code

If you’ve been hearing the buzz about HTML5 and wondering what it is, here’s a brief post with ways to get to know HTML5 better.

HTML5 is the latest version of the standard that newer HTML and XHTML documents should conform to. It aims to simplify HTML and overcome issues that the older HTML4 presented.

The first thing you’ll notice in HTML5 is that the HTML declaration itself is simplified. To declare an HTML document, all you need to do is declare the document in this way:

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Sample HTML5 Document</title>
</head>
<body>
This is my first HTML5 document
</body>
</html>

You’ll notice that the long DOCTYPE declaration required in HTML4, with its public identifier and DTD URL, is missing here. This is the first of many simplifications which ease development in HTML5.

There are simplifications to other tags as well. For example, HTML5 features a <video> tag which makes it easy to embed videos in your page without any third-party plugins. It is as simple as this:

 <video src="mymovie.webm" controls>
If you are seeing this, your browser may not be fully HTML5 compliant.
</video> 

There’s still debate about what the default format for HTML5 videos should be. Google in the meanwhile has introduced the WebM format, a royalty-free, high-quality video compression codec for use on the web. This format has eventually gotten the support of Mozilla, Apple, Opera and Google. The newer nightly builds of Firefox and Chrome support this format.

If you are looking at exploring the differences between HTML4 and HTML5, this link should be of help – HTML5 differences from HTML4. Another very useful site for developers who are new to HTML5 is Dive into HTML5. The author of this site explains the basics of HTML5, what’s new with it and how to do stuff with it in a simple way.

To get you started on HTML5, here’s a screencast by Addy Osmani which takes you through the basics in under 5 minutes.

Even though the HTML5 specs are still evolving, and browser support for the new features may take some time to stabilize, HTML5 is the way to go. The first use of HTML5 is going to be powering the mobile web, since most smartphones these days run WebKit browsers which are HTML5 compliant.

I’ll be taking a deeper look into HTML5 in the future posts, so look in the HTML5 section here for updates. Here are the links from this article for your reference:

Image credit – via Wikipedia

29 June 2010

mysqlnd_qc: Client Side Caching for MySQL extensions for PHP

Here’s something in the making: a PHP extension which caches MySQL queries irrespective of the extension being used. It’s a plugin called mysqlnd_qc for mysqlnd, the native MySQL driver for PHP. This currently requires PHP 5.3.3-dev, which is still in development.

The extension allows caching buffered queries through mysql_query and mysqli_query. It allows cache invalidation through TTL or a user-defined callback. This extension is still in the prototype stage right now and will evolve as the project progresses.

The Query Cache is implemented as a PHP extension. It is written in C and operates “under the hood” of PHP. During the start-up of the PHP interpreter it gets registered as a mysqlnd plugin to replace selected mysqlnd methods.

At PHP run time it proxies queries sent from mysqlnd/PHP to the MySQL server. If a query string starts with the SQL hint (/*qc=on*/) to enable caching of it and the query is not cached (cache miss), the query cache plugin will record the raw wire protocol data sent from MySQL to PHP to answer the query. The query cache records the wire protocol data in its cache medium and replays it, if still valid, on a cache hit.

Note that the query cache does not hold decoded result sets consisting of zvals (C struct representing a PHP variable). It stores the raw wire data of the MySQL client-server protocol. In case of a cache hit, mysqlnd still needs to decode the cached raw wire data into PHP variables before passing the result to the user space. This approach has one major advantage: simplicity.

You can get more information and installation instructions over at the MySQLND Query Cache Project page at Mysql Forge.

Check out this slide which gives you more information about this extension:

21 June 2010

Free Ebook on the Zend Framework

Here’s a very good e-book on the Zend Framework called Zend Framework: Surviving The Deep End by Pádraic Brady. You can access this book from its site at www.survivethedeepend.com. It’s not yet available in print or download, but the author does mention that there’s a print book coming out in the near future.
Here’s a top-level table of contents of the subjects covered in this book:

1. Introduction
2. The Architecture of Zend Framework Applications
3. The Model
4. Installing The Zend Framework
5. A Not So Simple Hello World Tutorial
6. Standardise The Bootstrap Class With Zend_Application
7. Handling Application Errors Gracefully
8. Developing A Blogging Application
9. Implementing The Domain Model: Entries and Authors
10. Setting The Design With Zend_View, Zend_Layout, HTML 5 and Yahoo! User Interface Library
A. Creating A Local Domain Using Apache Virtual Hosts
B. Performance Optimisation For Zend Framework Applications
C. Copyright Information
If you’re already working on the Zend Framework, take a look at the section on Performance optimizations for apps built on the Zend Framework, which has some useful tips.

8 June 2010

Free online Security scanner – ZeroDayScan

ZeroDayScan is an online scanner which can scan your site for the following issues:

  • Detects Cross Site Scripting attacks (XSS)
  • Detects Hidden Directories and Backup Files
  • Looks for Known Security Vulnerabilities
  • Searches for SQL Injection Vulnerabilities
  • Automatically detects zero day bugs
  • Performs Website Fingerprinting

Once the service finishes scanning your site for issues and vulnerabilities, it emails you a PDF with what it found for your site.

To prevent sensitive security reports like this from going out to others, ZeroDayScan asks you to add a text file with some security text to your site. This ensures you can scan only sites which you have control over.

Check out this service at www.zerodayscan.com

27 May 2010

Create RESTful Webservices in minutes with FRAPI

Planning on starting a project with REST webservices? You’ve gotta check out this new framework called FRAPI. This API framework built in PHP eases development of REST webservices, by allowing you to add actions, responses and even create users and assign API keys to them for accessing the services you create. Here’s a video showing an overview of FRAPI and how simple it is to deploy and manage webservices.

This project is still quite new and their documentation is down to the bare minimum. They do have the documentation you’ll need to get your hands dirty with FRAPI. First you’ll have to download the sources and set it up on your own. Once you’ve downloaded the files and set up the directory permissions, you’ll also have to configure the Apache virtual host settings to get FRAPI working.

FRAPI has the following requirements for it to run:

  • PHP 5.2.2 or later
  • APC: Required for caching of actions, errors, etc.
  • HTTP: (http://pecl.php.net/pecl_http)
  • PEAR: (http://pear.php.net)
  • PEAR::HTTP_Request2: This could be replaced by pecl_http however it is used in the bundled ArmChair package which is used to access CouchDB (http://pear.php.net/HTTP_Request2)

Some of the advantages I see after playing around with FRAPI are that it auto-generates the code skeleton for you to work on, so you just have to fill in the blanks to create your service. You also don’t have to worry about transforming your data into different formats: FRAPI supports JSON, XML, PHP, and plain text natively. This enables you to make your webservices cross-platform and even power mobile apps. You also don’t have to tweak code which handles HTTP requests and responses while creating your webservices.

For more information on this project, head over to their site getfrapi.com or their project page on GitHub.

18 May 2010

Check your server load before you process

Most of us just write applications to be deployed on a webserver without thinking about what to do when the server becomes overloaded. What happens in most cases is that the application tries to run on every request, and on a heavily loaded system this just aggravates the problem, increasing the load on the server until it finally becomes unreachable.

What if you could actually check the server load in your PHP application? Would you think about checking the server load before doing some heavy computational task or database access? There’s a function in PHP which will allow you to check the load averages on a server.

The sys_getloadavg() function in PHP gives you the load averages for your server. You can use this to check the load on your server before processing a request.

$serverload = sys_getloadavg();
print_r($serverload);

The code above gives the output:

Array
(
    [0] => 1.07
    [1] => 0.89
    [2] => 1
)

The output from the code shows the system load averages, where [0] is the load average for the past 1 minute, [1] is for the past 5 minutes and [2] is for the past 15 minutes.

On an ideal server, the load averages shouldn’t go above 3. A load average of more than 15 would mean that the server is already running much slower than normal, and you may not want to add more load to it.

You can use this output to decide whether to serve a process-intensive page depending on the server load. Here’s some pseudo-code showing how you’d do something like this:

$serverload = sys_getloadavg();
if ($serverload[0] < 10) {
    // process loads of data now
    some_big_process();
} else {
    // Send a 503 header stating that the server is overloaded.
    header('HTTP/1.1 503 Too busy, try again later');
    die('The server is busy at present and cannot process your request.');
}

You can also run the application in such a way that you can wait till the load on the server decreases to run your process. This is useful if you are running a cron for processing data:

set_time_limit(0);
// Set time limit to 0, so PHP's max execution time doesn't interfere with the processing script
$serverload = sys_getloadavg();
// Check load and see if it's low enough to start processing
while ($serverload[0] > 5)
{
    // Wait for 1 minute, then read the load again
    sleep(60);
    $serverload = sys_getloadavg();
}
// out of the loop - so let's do some processing now!
some_big_process();

To ensure that the script doesn’t run endlessly on a permanently overloaded server, add a time check in the while loop to auto-end the script if the server load remains high for a certain amount of time.
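One way to put a deadline on the wait, as an added example that is not code from the original post. The function name wait_for_low_load(), its parameters and the fake load reader are assumptions made for illustration; it is meant to be run from the command line, as a cron job would be.

```php
<?php
// Added example: wait for the 1-minute load average to drop, but give up
// after a deadline so a permanently overloaded server cannot pin the job.
// wait_for_low_load() and its parameters are hypothetical names.

/**
 * @param float    $threshold start work once the 1-minute load is at or below this
 * @param int      $maxWait   seconds to keep waiting before giving up
 * @param int      $interval  seconds between load checks
 * @param callable $readLoad  returns the load array; injectable for testing
 * @return bool true when the load dropped in time, false on timeout or
 *              when the load cannot be read
 */
function wait_for_low_load($threshold, $maxWait, $interval = 60, $readLoad = null)
{
    if ($readLoad === null) {
        // sys_getloadavg() is not implemented on Windows.
        if (!function_exists('sys_getloadavg')) {
            return false;
        }
        $readLoad = 'sys_getloadavg';
    }

    $deadline = time() + $maxWait;
    while (true) {
        $load = call_user_func($readLoad);
        // sys_getloadavg() returns false on failure. This example treats
        // "unknown" as "do not run" instead of assuming the server is idle.
        if (!is_array($load) || !isset($load[0])) {
            return false;
        }
        if ($load[0] <= $threshold) {
            return true;
        }
        $remaining = $deadline - time();
        if ($remaining <= 0) {
            return false;
        }
        // Never sleep past the deadline.
        sleep(min($interval, $remaining));
    }
}

// Constructed sample: a fake reader that reports a falling load, so the
// function can be exercised without a busy server.
$samples = array(array(9.4, 7.0, 5.1), array(6.2, 6.8, 5.0), array(3.1, 6.0, 4.9));
$fake = function () use (&$samples) {
    return count($samples) > 1 ? array_shift($samples) : $samples[0];
};

if (wait_for_low_load(5.0, 10, 1, $fake)) {
    echo "load is low, starting batch\n";   // some_big_process() would go here
} else {
    // Exit non-zero so cron or a supervisor records the skipped run.
    fwrite(STDERR, "load stayed high, skipping this run\n");
    exit(1);
}
```

In a real cron job, drop the fake reader and call wait_for_low_load(5.0, 1800) so the script gives up after half an hour of sustained load.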

More reading:
Load & Load Averages on Wikipedia
PHP function – sys_getloadavg

16 April 2010

Bangalore PHP Meetup April ’10

Just a quick heads up in case you missed out on the announcement. The Bangalore PHP Meetup’s happening this month on the 24th. For a change, I’m not involved much in the organization of this event. Indus Khaithan took care of the venue arrangements and Harsha MV’s taken up co-ordinating with the potential speakers and finalizing the talk list. Thanks a ton guys for taking the initiative.

Harsha’s put up a tentative list of talks for this month’s event:

  • Developing Facebook Application using PHP by Sriram Kumar
  • Job Queues by Abhinav Lal
  • Zend ACL Component - Bare_Acl by Sudheer Satyanarayana

Here’s the link to this month’s meetup event – www.meetup.com/Bangalore-PHP-Users/calendar/13135127. We’ll keep that page updated with the latest details about the event. If you are planning on coming for this, join our Meetup group and RSVP ‘YES’ to the event.

As always – Please forward that link to your friends who you think would be interested in our group as well.

22 March 2010

Skipfish a Web Application Security Scanner from Google

Google has released a Web Application Security Scanner over at Google Code. This can be used to scan your site for possible security issues which might be lurking around. Skipfish prepares an interactive site-map for the targeted site by carrying out a recursive crawl and dictionary-based probes.

This scanner is easy to set up on an Ubuntu machine. You’ll need to have the packages for gcc and make installed on your system in order to compile Skipfish from its sources. Once you install these, download the Skipfish package from the project download page. Then unzip the files to a folder of their own, head over to that folder in your terminal window and issue a make command by entering this in the terminal:

make

After the package compiles you can test to see if it was successful by issuing the following command in the terminal:

./skipfish -h

This should show you the Skipfish help screen. If you don’t get that, check the make output to see if there were any errors during the compile process.

Once you get Skipfish compiled and ready on your system, head over to their documentation pages to learn more about how to use this tool to scan your site.

This tool creates an HTML report of the scan in the output directory you specify and the output looks like this:

Skipfish has a highly optimized HTTP handling which allows you to achieve up to 2000 requests per second on servers which can take that load. It also doesn’t depend on the technology you use to host and build your web application.

If you’re interested in what types of scans are currently implemented on this tool, here’s what it supports (from their documentation page):

  • High risk flaws (potentially leading to system compromise):
    • Server-side SQL injection (including blind vectors, numerical parameters).
    • Explicit SQL-like syntax in GET or POST parameters.
    • Server-side shell command injection (including blind vectors).
    • Server-side XML / XPath injection (including blind vectors).
    • Format string vulnerabilities.
    • Integer overflow vulnerabilities.
  • Medium risk flaws (potentially leading to data compromise)
    • Stored and reflected XSS vectors in document body (minimal JS XSS support present).
    • Stored and reflected XSS vectors via HTTP redirects.
    • Stored and reflected XSS vectors via HTTP header splitting.
    • Directory traversal (including constrained vectors).
    • Assorted file POIs (server-side sources, configs, etc).
    • Attacker-supplied script and CSS inclusion vectors (stored and reflected).
    • External untrusted script and CSS inclusion vectors.
    • Mixed content problems on script and CSS resources (optional).
    • Incorrect or missing MIME types on renderables.
    • Generic MIME types on renderables.
    • Incorrect or missing charsets on renderables.
    • Conflicting MIME / charset info on renderables.
    • Bad caching directives on cookie setting responses.
  • Low risk issues (limited impact or low specificity):
    • Directory listing bypass vectors.
    • Redirection to attacker-supplied URLs (stored and reflected).
    • Attacker-supplied embedded content (stored and reflected).
    • External untrusted embedded content.
    • Mixed content on non-scriptable subresources (optional).
    • HTTP credentials in URLs.
    • Expired or not-yet-valid SSL certificates.
    • HTML forms with no XSRF protection.
    • Self-signed SSL certificates.
    • SSL certificate host name mismatches.
    • Bad caching directives on less sensitive content.
  • Internal warnings:
    • Failed resource fetch attempts.
    • Exceeded crawl limits.
    • Failed 404 behavior checks.
    • IPS filtering detected.
    • Unexpected response variations.
    • Seemingly misclassified crawl nodes.
  • Non-specific informational entries:
    • General SSL certificate information.
    • Significantly changing HTTP cookies.
    • Changing Server, Via, or X-... headers.
    • New 404 signatures.
    • Resources that cannot be accessed.
    • Resources requiring HTTP authentication.
    • Broken links.
    • Server errors.
    • All external links not classified otherwise (optional).
    • All external e-mails (optional).
    • All external URL redirectors (optional).
    • Links to unknown protocols.
    • Form fields that could not be autocompleted.
    • All HTML forms detected.
    • Password entry forms (for external brute-force).
    • Numerical file names (for external brute-force).
    • User-supplied links otherwise rendered on a page.
    • Incorrect or missing MIME type on less significant content.
    • Generic MIME type on less significant content.
    • Incorrect or missing charset on less significant content.
    • Conflicting MIME / charset information on less significant content.
    • OGNL-like parameter passing conventions.

You can get more information about Skipfish and download it from their project site on Google Code.

Links:
Skipfish Project on Google Code
Skipfish Documentation
Skipfish Downloads

13 January 2010

Interesting Zend Webinars for January

Here are some webinars from Zend which you may find interesting:

Webinar – PHP Development Best Practices: The Untold Story of Geekville
January 19, 2010 – 9:00 am PST – your computer via webex

Have you ever wondered how you could advance your PHP development? Have you considered using an Integrated Development Environment (IDE), an Issue Tracker or a Version Control tool, but were concerned about how complex it might be? Taking PHP development to the next level may be easier than you think. Attend this webinar, hosted by Atlassian and Zend. More Information/Registration

Webinar – Troubleshooting PHP Issues: Best (and Worst) Techniques
January 28, 2010 – 8:00 am PST – your computer via webex

Understanding what’s causing your PHP application to be slow or just break is often time-consuming, and almost always frustrating. Join this information-packed webinar, delivered by a senior Zend PHP consultant, to learn what techniques PHP professionals use for pinpointing PHP issues in development, testing and production. More Information/Registration

12 January 2010

PHP 5 Power Programming – Free Ebook

Here’s a free PHP Ebook from Bruce Perens’ Open Source Series. More about this book:

In this book, PHP 5’s co-creator and two leading PHP developers show you how to make the most of PHP 5’s industrial-strength enhancements in any project—no matter how large or complex. Their unique insights and realistic examples illuminate PHP 5’s new object model, powerful design patterns, improved XML Web services support, and much more. Whether you’re creating web applications, extensions, packages, or shell scripts—or migrating PHP 4 code—here are high-powered solutions you won’t find anywhere else.

  • Review PHP’s syntax and master its object-oriented capabilities—from properties and methods to polymorphism, interfaces, and reflection
  • Master the four most important design patterns for PHP development
  • Write powerful web applications: handle input, cookies, session extension, and more
  • Integrate with MySQL, SQLite, and other database engines
  • Provide efficient error handling that’s transparent to your users
  • Leverage PHP 5’s improved XML support—including parsing, XSLT conversions, and more
  • Build XML-based web services with XML-RPC and SOAP
  • Make the most of PEAR: work with the repository, use key packages, and create your own
  • Upgrade PHP 4 code to PHP 5—compatibility issues, techniques, and practical workarounds
  • Improve script performance: tips and tools for PHP optimization
  • Use PHP extensions to handle files/streams, regular expressions, dates/times, and graphics
  • Create original extensions and shell scripts

If you’re a software developer new to PHP, you’ll leap quickly into PHP and its new object-oriented capabilities. If you’re an experienced PHP programmer, you already recognize PHP’s convenience and simplicity. Now, discover all of its extraordinary power!

Free Ebook download: Download PHP 5 Power Programming (PDF)
If you like this book and would like to order the Print book, check out Amazon’s deals on PHP 5 Power Programming.