|
Monday, June 27. 2011
Imagine a world wide web without cookies. And this might not be the strangest thing, since the use of cookies is severely limited since Wednesday the 22nd of June 2011 in the Netherlands. And more countries will follow: http://www.bbc.co.uk/news/technology-12668552. The Law The (Dutch) law, that requires a user to agree before storing data, doesn't only apply on HTTP cookies. But in fact any kind of data that is stored on the users computer. Such as; HTML5 storage, flash cookies. But also desktop applications, etc.. The law also states that cookies "required" for certain functionality, are allowed without confirmation. Personally I don't see how anything will change, with this exception in place. And I wonder how many experts were involved into making this law. But that is a subject for another article perhaps... What are cookiesCookies are little packages of information stored in the browser of a website visitor, they can contain "small" amounts of data such as an identifiable token or a user preference. What purpose do cookies serveCookies are very generic and can be used for many things, good and bad. The most popular probably being tracking your activity and advertisement. But they are also used to keep a state between requests and to store a preference. Such as "remember me" at a login form, or perhaps "no I do not want to participate in your survey". Cookie problemsIf When the law becomes international, you are potentially violating laws by simply calling something like: setcookie() without the users consent. There are hacks around the typical HTTP cookies, by using flash cookies for example (Oh and btw, here a guide on how to clear those: http://www.macromedia.com/...ngs_manager07.html). And possibly HTML5 storage could play a role here (or any of it's derivatives).
Another thing that has been happening, is visitor awareness and thus browser features. More and more people block cookies to stop advertisement tracking, but unfortunately this also prevents a user to use the features he or she wants to use (such as login sessions, etc.). There is an answer for this and quite a few browser vendor's plan on implementing the "Do Not Track" (http://donottrack.us/) feature, or have already done so. But I'm not too happy with it. The downside of "Do Not Track" is that it's voluntary for website owners and advertisement companies to respect this feature. Other tools include projects such as "Ad Blocker", that only block cookies (and more) for advertisement purposes. It works pretty good, but that is hardly user-friendly. But, back to "no more cookies"... How do you solve the problem of keeping a state between requests over a stateless protocol? Some ideas Well in short, I have some ideas but definitely no real answers. I don't think there is a real answer just yet. Let's take the example of a login session. Where you want to offer a secure section to your visitors, where they can (e.g.) read their e-mail, privately. A few things come to mind: - Identifying yourself in every relevant request, using headers for example or an argument &userId=42 in the request. This however has some big problems on its own.
- Digest authentication on every relevant request.
- Take a look at other technologies, such as IPv6 and move authentication to a lower level.
- Perhaps use a commit and rollback system. Where you can do a variety of actions and only your password will be asked in the end, either applying or discarding your actions. Requiring you only to enter your login once. Not the most ideal solution for e-mail though, I have to admit. With this system you would re-post your data to next screens in a similar fashion as e.g. a wizard.
- Or perhaps we need to move away from complete server-side applications and move to the client, Javascript applications and use the HTTP spec a little better as it was intended and only have web-services.
Many, if not all, of the things I mentioned above would require secure connections (SSL/TLS) to avoid other security problems. Which might not be a bad move anyway.
Personally I think that there is a future, in an improved implementation of digest authentication over SSL. One that uses HMAC and stronger algorithms, SSL would then supply the missing server validation feature. It should also be more strict and not fall back to insecure legacy features.
ConclusionAll in all I firmly believe that the browser should play a big role in this new cookie recipe and should (partially) solve these problems. Also there should be a more clear separation between "generic storage" and authentication versus a simulated persistency. In more perfect world I would vote for a solution that works on other (underlying) layers and make it application agnostic. I suppose the point I'm trying to make with this article is the following: Take away a feature the entire world uses (since 1996), and wait for the brilliant and creative minds, perhaps such as yourself, to come up with a more innovative feature. It's time for something better! Another interesting read: I made some updates to this article, based on some comments.
Tuesday, November 2. 2010
It has been a while, but here is part 4 of the PHP Quiz series! A few questions to crack your brain about, or perhaps you know them all? Try them and find out! Also do read the idea behind these quizzes, here: The PHP Quiz series
As always, think of the answer before you execute the code or look it up. Codepad might help you run the examples. You can find round three here. Visibility is keyNow you see me, now you don't class testClass { private $fubar = "rabuf"; function test ($test) { var_dump($test->fubar ); }}class dummy { function test ($test) { var_dump($test->fubar ); }}$object1 = new testClass; $object2 = new testClass; $dummy = new dummy; $object1->test ($object1); // Can $object1 see the private property of object1 ?$object1->test ($object2); // Can $object1 see the private property of object2 ?$dummy->test ($object1); // Can $dummy see the private property of object1 ? Static, sticky, ickyclass test { public $counter = - 1; public function increment () { static $cnt = 0; $this->counter = ++ $cnt; return $this; }}$object1 = new test; $object1->increment ()->increment (); $object2 = new test; // What will the output beecho $object2->increment ()->counter; Getting the classclass b { function getClassA () { echo get_class($this); } function getClassB () { echo get_class(); } function getClassC () { echo __CLASS__; }}class a extends b {}$a = new a; // What will be returned, 'a' or 'b' ?$a->getClassA (); $a->getClassB (); $a->getClassC (); The strptime function$result = strptime ('2010-11-28', '%Y-%m-%d'); // What is the output?echo $result['tm_mday'] . '-'. $result['tm_mon'] . '-'. $result['tm_year']; The oldtimerfor ($i = 0, $loop = 10, $a = 10; $i < $loop; ++ $i, $a = 0) { ++ $a; }// What is the output ?echo $a;
Tuesday, June 8. 2010
You get NULL! Well you get NULL when you don't cast. Say for example you do the following: $dbh = new PDO ([.. ]); $stmt = $dbh->prepare ('SELECT accountid FROM dbo.Account'); $stmt->execute (); echo $stmt->fetchColumn (); // NULL
But when you do the following: $stmt = $dbh->prepare ('SELECT CAST(accountid AS varchar(36)) accountid FROM dbo.Account'); $stmt->execute (); echo $stmt->fetchColumn (); // "F05C92A1-3119-4206-A123-49A759AC99FB" I didn't think the casting would be necessary, since according to the manual: http://msdn.microsoft.com/en-us/library/aa226054(SQL.80).aspx the datatype 'uniqueidentifier' has implicit casts with multiple data-types. But I guess it's just one of those things...
Friday, June 4. 2010
I was asked to create a web interface front-end with Microsoft Dynamics CRM as back-end. But I had some troubles setting up the connection, since it has to be done using a domain logon. This doesn't have to be a problem at all, unless your configuration is wrong! In this article I'll explain a few things and point you in the right direction when you have login problems.
As stated earlier, the server running the PHP installation is not Microsoft. In this case a AS400 installation, but it could've been a Linux installation also. I'm using PDO for this article and PHP version 5.2.11. Even if you don't want to use PDO, I recommend using it only for debugging (if possible) since that will give you *most likely* more debug information then the mssql_* family.
When using PDO with a MS-SQL database, you'll need to supply "dblib" as driver and DBLib uses FreeTDS as underlaying library. FreeTDS can be a source of troubles when you're trying to connect, if not configured properly. So I'll kick-off with a little information about it. Don't skip it if you have login problems!
Continue reading "Connecting from PHP on a non Microsoft OS to MSSQL with a domain account"
Monday, April 19. 2010
I had a problem with running test cases on multiple CI environments, where one of the two runs on PHP 5.2 and the other on PHP 5.3. This basically meant that all our pretty PHP 5.3 code caused the builds to fail on the 5.2 only machine. To solve this problem I needed a way to skip tests when the PHP version was less then 5.3.0. Besides the reason I needed this for a -less then ideal- setup. This can also be a generic way to skip certain tests, based on a PHP version. class someTest extends PHPUnit_Framework_TestCase { public function setUp () { // Testing if we are dealing with version 5.3.0 or higher if (! version_compare(PHP_VERSION, '5.3.0', '>=')) { $this->markTestSkipped ('Invalid PHP version, unable to run tests.'); } } public function test_testFoo () { // .. some awesum test case .. \\ }} You can also use the cool @depends annotation of PHPUnit and put the version logic in a test. This has my preference, but it's not always possible. In case you have some code that simply can't be parsed by the older PHP engines. If you know a better way to do this, please share!
Tuesday, November 3. 2009
IntroductionThis is a blog about running two PHP versions on one webserver and using multiple php.ini files, this combination can be a tricky one to tackle. But luckily one we can tackle quite easily as long as one of the PHP versions is >= 5.2.7. For this example I'll be using Apache, but the webserver flavor doesn't really matter. The most important part is the "PHP_INI_SCAN_DIR" environment variable. The whyThere could be a number of reasons to want what I'm about to talk about. In my case I have a project where I have a legacy code-base, running on a specific PHP version, and a new code-base which will be run on 5.3. Because the new code-base will be a ongoing progress of replacing the old, it first has to run side by side with the legacy code-base. So I wanted my development image to run two PHP versions. The old code-base used php.ini settings such as a include-path, error reporting, etc. Which will be different from the new code-bas, and those can no-longer be set with the 'php_value' feature of Apaches since the PHP version we'll be using for that runs as (f)CGI rather then as module.
Continue reading "Multiple PHP versions on one webserver"
Monday, September 21. 2009
Welcome to another part of the PHP Quiz series, again some interesting questions to crack your brain about. If you have some nice additions or questions, be sure to leave a comment. Enjoy part three! As always, think of the answer before you execute the code or look it up. You can find round two here. Unset castWhat is the type of $a and what is the type of $b
Form funWhat will the output be? <form method= "post" action= "" enctype= "text/plain"> <input name= "search" type= "text"> <input type= "submit"> </form> <?php error_reporting( E_ALL ); echo (string ) filter_input (INPUT_POST, 'search'); ?> Fun with stringsStrings in PHP are versatile, but how versatile are they... What will the output be? $juggling = "Itffkhmf"; $rox = "Spy"; $b = $c = ""; for ($i= 0; $i<strlen ($juggling); $i++ ) { $b .= $juggling[ $i ]; $b++; } for ($i= 0; $i<strlen ($rox); $i++ ) { $c .= $rox[ $i ]; $c--; }var_dump( $b, $c );
Continue reading "PHP Quiz part 3"
Thursday, June 25. 2009
In these blog series I'd like to talk a bit about some "Did you knows". These series contain information I came across along the way and I mention them here to give you insight or just to make you aware of it's existence. The information is by no means in chronological order and mostly not even covering "state of the art" or "brand new" items for that matter. Some are directly code related, others are just brief descriptions. Basically it's just a pile of PHP and web related information. You can find part one here.
Continue reading "Did you know... part two"
Thursday, May 14. 2009
A short quiz this time, but that doesn't make it less fun. Do you know the answer to all of them? Get a cup of coffee and kill 10 minutes with round two...
As always, think of the answer before you execute the code or look it up. You can find round one here.
Array pointerWhat will the output be ?
$array = range(0, 5); next($array); foreach($array as $v) { echo $v; }
ArrayAccess and isset fun isset or not isset, thats the question.
Typo?The output might be confusing..
ReferencesHow many notices will be thrown?
error_reporting(E_ALL); function a ( & $array) {} function b ($array) {}a ($array); b ($array);
Continue reading "PHP Quiz part 2"
Tuesday, November 11. 2008
In this blog post I'd like to talk a bit about some "Did you know's". With these "Did you know" blog posts I want to tell you a few things that I came across along the way and hopefully you know some I don't know yet! Some DYK's are directly code related, others are just here to give you insight and some are just to let you know of it's existence (Afteral you don't search for what you don't know about.) So here they come in random/chaotic order:
Writable directoriesNot so PHP specific, but often miss-used is checking for writable directories/paths. Directories don't have to be readable to be used for writing, but they do have to be writable and executable. So a check like this, is simply incomplete:
And will simply fail if the directory is writable but has no execute attributes (mode 0666). This is especially trouble, and can keep you occupied for a long time when using the shutup (@) parameter... Form name attribute character conversions
Due to legacy PHP versions and to my understanding mostly due the register_globals feature, some HTML form name attribute characters are translated. The idea behind it makes sense, however it's applied in a strange way.
For example <input type="text" name="fu.bar" value="" > in a form with post method, get's translated (even in the current PHP 6 roadmap) into: $_POST['fu_bar']. This happens with the "." and " " characters. But not with '-' which seems weird, because $fu-bar isn't a valid variable, but '-' is a valid HTML input name attribute character. You probably never need it, but I had situation recently where I was flabbergasted of why array key's where different from their HTML counterparts and I completely forgot about this behavior.
Continue reading "Did you know... part one"
|
