People still write… with pens and stuff
Earlier this week Terry Chay wrote about his little notebook. I have to wonder if that inspired this xkcd comic or not. Is that your real reason for writing in that notebook Terry?
A coworker of mine has rediscovered the usefulness of a notebook. Yesterday while at our datacenter, he kept notes in his notebook while I typed on my iPhone.
I have self diagnosed myself with dysgraphia. It really does hurt me to write. So, I only do it when I have no other choice. I will type you a book. But, I don’t want to write the shortest note.
Responsible use of the $_REQUEST variable.
A recent thread split on the PHP Internals list has been about the use of the $_REQUEST variable. I have seen more than one person make the following logic mistake:
- I may get data via GET
- I may get data via POST
- Ah, I should use $_REQUEST as it will catch both.
There is a problem with that logic. Cookies! Cookies are also put into $_REQUEST. In fact, they are put into $_REQUEST last. So, any data that was sent via GET or POST is overwritten by cookies of the same name.
When does this cause a problem? Well, let’s say you have a script that has a form that asks for a user name. You call the field username. So, you are looking for that data in $_REQUEST. Unknown to you, another member of your team makes a cookie named username on a totally unrelated application. His cookie needs to be accessible from several parts of the site, so he assigned the cookie to the path /. So, now, when a user submits your form, the data comes in looking like this:
$_GET["username"] = "user input";
$_COOKIE["username"] = "Tom";
$_REQUEST["username"] = "Tom";
So, now you have bad data for the username you wanted. This becomes even more menacing when you start thinking about security issues like XSS or CSRF. As Stefan Esser, a strong PHP Security advocate, wrote in another reply to the thread:
Just imagine my example…
switch ($_REQUEST['action'])
{
case 'logout':
logout();
break;
…
}
When someone injects you a cookie like +++action=logout through an
XSS or through a feature like foobar.co.kr can set cookies for *.co.kr
(in FF at least).
Then you CANNOT use the application anymore. This is a DOS. You cannot
defeat this problem except detecting and telling the user to delete his
cookies manually…
Yikes! So, now you have all kinds of problems with using $_REQUEST.
So, what is the best way to handle both GET and POST data? Well, here are a couple options.
Merge GET and POST data
You could use array_merge() to merge the $_GET and $_POST variables into one. I would use a new variable for this data. You can overwrite super globals. Some think it is a bad idea. I can’t argue that it could cause confusion if you did this in an environment where several parts of the application are going to be using user input. If you do want to do this you could do the following.
$user_input = array_merge($_GET, $_POST);
// or overwrite $_REQUEST - not recommended
$_REQUEST = array_merge($_GET, $_POST);
Use GET OR POST, not both
I personally like to only use either $_GET or $_POST. I have very rarely seen a case where using both made sense. I normally favor $_POST if it is set.
// Favor POST when the form was submitted that way; otherwise fall back to GET.
if (!empty($_POST)) {
$user_input = $_POST;
} else {
$user_input = $_GET;
}
Now we have a safe array that can be used and we know that the data only came from one place.
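To make the collision concrete, here is an added example (not code from the original post) that fakes the request arrays PHP would fill on a real request, merges them in the default EGPCS order so the cookie lands last, and then reads the same field through a helper that only ever looks at GET or POST. The request values and the logout switch are constructed to match the scenario above.

```php
<?php
// Constructed sample request data; on a real request PHP fills these itself.
$_GET    = ['username' => 'user input'];
$_POST   = [];
$_COOKIE = ['username' => 'Tom', 'action' => 'logout'];
// Simulate the default variables_order "EGPCS": cookies are merged last,
// so they win over GET and POST values of the same name.
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

/**
 * Return user input from POST if anything was posted, otherwise from GET.
 * Cookies are deliberately never consulted, so a cookie set on path /
 * by an unrelated application cannot collide with a form field name.
 */
function user_input(): array
{
    return !empty($_POST) ? $_POST : $_GET;
}

/** Look up one field from the chosen source, with a default if absent. */
function input_field(string $name, ?string $default = null): ?string
{
    $input = user_input();
    return (isset($input[$name]) && is_string($input[$name])) ? $input[$name] : $default;
}

// The problem described in the post: $_REQUEST hands back the cookie value.
var_dump($_REQUEST['username']);     // string(3) "Tom"
// The helper hands back what the form actually submitted.
var_dump(input_field('username'));   // string(10) "user input"

// Stefan Esser's logout example: through $_REQUEST the injected cookie
// would log the user out on every request; through the helper it does not,
// because no GET or POST field named "action" was sent.
switch (input_field('action', 'view')) {
    case 'logout':
        echo "logout\n";
        break;
    default:
        echo "normal page\n";
}
```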
Charity for our little team?
I don’t often beg for stuff, but this is not for me per se. The Phorum team is raising money to get all of our team (all 3 of us) to Santa Clara for MySQL Conference. We will be part of the DotOrg Pavilion again this year. We thank MySQL for inviting us. We just about have all we need for that part of our fund raising.
We also have need of a new server. We don’t need much. But, our old Celeron is feeling the pressure of all the new things we are doing with our documentation system. This is where I am hoping some of you out there can help. Surely somewhere, someone has a dual Xeon with an older raid card in it that they don’t need anymore. We do have a need for cpu power and for RAID. We lost a hard drive a few years ago and while we had backups, it was a hassle. We were down for days. We have hosting (from my employer, dealnews), but I guess if the deal was right, I might consider it. I do run my personal email and another hobby site on the server. But, 90+% of the usage is for Phorum.
So, if anyone can help us out, either with hardware or a donation, we thank you. You can email me at brian@phorum.org.
PHP’s MySQL connection timeout
You should be warned. Amazingly, in 10 years of PHP/MySQL development work I never hit this issue in the manner I did this week. There are several reasons that PHP could be unable to connect to MySQL. The MySQL daemon could be down. It could be an authentication problem. Or, perhaps the entire server is offline. The last one there is the one I want to talk about.
In your php.ini you will find a value called mysql.connect_timeout. In the PHP ext/mysql it defaults to 60 seconds. Likewise, the php.ini has the same value. As far as I can tell, this timeout only comes in to play when the server is completely offline. If the server is up, but mysqld is not, the server refuses the connection immediately. I suppose if the server was under high load it could be used as well.
Well, IMO, 60 seconds is way too long to wait on a connection to the database for a web application. We had a server offline and expected the mysql_connect() call to simply fail due to the server not being up. However, it was waiting 60 seconds every time for the connection. This caused the PHP processes to hang and caused huge load on the servers.
So, what should it be? Well, the default MySQL connection timeout was 5 seconds up until October when it was changed to 10. I can’t find why it changed. But, anyhow, IMO, a timeout of 5 seconds should be plenty for a web application.
I am working on a patch that I hope will be accepted to the PHP ext/mysql to set this to something more sane. Just have to find time to do it right, on all the branches and get the email written.
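Until a lower default lands, the timeout can be set per application. The following is an added example (not the patch or code from the original post) that connects with a 5 second limit and measures how long a failed connect actually held the process; the host address and credentials are placeholders, and the host is assumed to be unreachable so the timeout path is exercised.

```php
<?php
// Placeholder connection details; 192.0.2.10 is a documentation address
// that is assumed to be unreachable, which is the offline-server case.
define('DB_HOST', '192.0.2.10');
define('DB_USER', 'app');
define('DB_PASS', 'secret');
define('DB_NAME', 'app');
const CONNECT_TIMEOUT_SECONDS = 5;

// For the legacy ext/mysql discussed in the post the same limit is set in
// php.ini (mysql.connect_timeout = 5) or at runtime with
//   ini_set('mysql.connect_timeout', '5');
// mysqli exposes it per connection via MYSQLI_OPT_CONNECT_TIMEOUT, used below.

// Ask mysqli to return false on failure instead of throwing (newer PHP
// throws mysqli_sql_exception by default), so one check handles all versions.
mysqli_report(MYSQLI_REPORT_OFF);

/** Connect with a short timeout; returns null (after logging) on failure. */
function connect_with_timeout(): ?mysqli
{
    $link = mysqli_init();
    $link->options(MYSQLI_OPT_CONNECT_TIMEOUT, CONNECT_TIMEOUT_SECONDS);
    if (!@$link->real_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME)) {
        error_log('MySQL connect failed: ' . mysqli_connect_error());
        return null;
    }
    return $link;
}

$start   = microtime(true);
$db      = connect_with_timeout();
$elapsed = microtime(true) - $start;
printf("connected: %s, waited %.1fs (limit %ds)\n",
       $db ? 'yes' : 'no', $elapsed, CONNECT_TIMEOUT_SECONDS);
// With the host unreachable this reports "connected: no" after roughly 5s
// rather than the 60s default, so the web worker is released promptly.
```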
Working out this year?
It is that time of year when folks promise themselves to get into better shape. This is usually my time every year to do that. The holidays always put some extra weight on me.
I know from going to conferences that there are some health conscious geeks out there. Well, I found a geeky way to help with that.
Some guys here in Huntsville have started a fitness and health tracking site called Gyminee. They are in the same business incubator that dealnews was in several years ago. It is all Rails and MySQL. It is quite convenient for me and some other guys at work since they built an iPhone interface. Basic accounts are free and fairly full featured. There are some advanced features that do require a small membership fee. If I would just quit buying one latte a month it will pay for it.
For the record, I have no stake in this place. I am just a user and I happen to have met the guys to give them some pointers on some things on their site.
Finally, Phorum 5.2 has made it to stable!
You can read the full announcement in the news post at phorum.org.
Summary:
When we officially started on 5.2 in March of 2006, we had several goals. I think we achieved most of those. We also accomplished some unplanned things. Our hackathon (Maurice and I slept about 8 hours in 4 days I think) at MySQL Conference 2007 helped a lot. Remember, you can help us get there again by donating to our fund.
Some highlights:
New Template
New API layers and more hooks
Better MySQL support
Improved bundled modules
New announcement system
New Search, inside and out
In addition to all this, there are things like more caching options, the new hybrid read view, the new feed options (the feed code was rewritten from scratch) and better error messages so that users are less confused.
We hope you all enjoy Phorum 5.2. It is the next step for this project that is over 10 years old now. And please, keep making Phorum all your own.
Bad Bowl Game Coverage
I am a big college football fan. And I love watching all the bowl games. But, why oh why do they let networks that don’t cover college football during the regular season cover bowl games? I was trying to watch the Cotton Bowl on Fox. But, it was so badly covered and commentated I just could not do it. I had to just find something else. Yuck.
The national championship game is on Fox I think. I hope they don’t butcher it like they did the Cotton Bowl.