Archive for August, 2008

Book Review: Learning Facebook Application Development

Friday, August 29th, 2008

It’s been a while since I posted a review of a Packt-published book.
I was sent a copy of “Learning Facebook Application Development” by Hasin Hayder and Dr Mark Alexander Bain a while ago. The byline description of the book is “A step-by-step tutorial for creating custom facebook applications using the Facebook platform and PHP”. It is precisely that.

Here’s my review of it:

The book was published prior to Facebook’s facelift but this doesn’t really affect the usefulness of the book.
Overviews of FBML, FQL and FBJS (a restricted subset of JavaScript, enforced for security reasons) are given, along with information on how to use the test consoles, publish to news feeds, some multimedia aspects of what can be done in Facebook applications and more.

Happily the book focuses on using PHP 5 for developing Facebook applications – while there are classes available for developing FB apps with PHP 4 there really is no point in doing so, especially now that official support for PHP 4 was withdrawn last month.
MySQL appears to be the database system of choice for the examples, and Linux/Unix-oriented solutions for scheduling tasks to run regularly are given – some Windows screenshots feature in chapter one with regard to setting up the client libraries for local development, but other than that everything else is Unix-centric.

I found “Facebook Application Development” more useful than Facebook’s own documentation with regard to the main aspects of developing a Facebook application – it is well written and easier to follow than the online documentation, and while it is true to say that the Facebook Platform is evolving, I am of the opinion that Hayder and Bain’s work will still be applicable for a long time.

Is PHP vulnerable software?

Tuesday, August 26th, 2008

Thanks to Ivo Jansch, I spotted Matt Asay mentioning in his article on CNET that PHP headlines IBM’s list of most vulnerable software, and I have to say this is complete balderdash on the part of IBM.

He quotes from the report:

Another commonality between these three vendors is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.

What feature in IBM’s top ten of vulnerable software, and make the report insinuate that the PHP language is a security risk, are Joomla, WordPress and Drupal. How PHP would feature in a list of “vendors” is beside the point – if a construction company were to build a house where the windows don’t close fully, the security alarm doesn’t work and bare wires are exposed, you don’t “blame” the windows, alarm system and cabling. The responsibility rests with the construction company and/or the individual contractors hired by that company. Similarly, we can’t “blame” PHP for bad software architecture and security risks present in Joomla, WordPress or Drupal – the onus is on the software developers and architects to design secure [web] applications.

They should, at the least, ensure input data is of the expected type and within the expected range of values; handle uploaded files in a secure and cautious manner so that they cannot overwrite files crucial to the health/security of the system running the application, or of the application itself; keep an audit trail for checking against attacks; and ensure security in depth against SQL injection, cross-site vulnerabilities, command injection and … I could go on but won’t – search for PHP security best practices, get the Zend PHP 5 Certification Study Guide, and check out the library resource at the PHP Security Consortium.
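To make the checks in that list concrete, here is an added example written for this review (it is not code from the post, from IBM’s report or from any of the named projects). It shows input validation with filter_var, a PDO prepared statement so that user data never becomes part of the SQL text, upload handling that never reuses the client-supplied filename, output escaping, and a one-line audit log. The function names, the users table and the in-memory SQLite database are constructed for the demo and assume the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the original post. Demonstrates the checks the post
// lists: typed/ranged input, prepared statements, safe upload storage,
// output escaping and an audit trail. Assumes PHP 5 with pdo_sqlite.

// 1. Validate input type and range before it is used anywhere.
//    FILTER_VALIDATE_INT rejects "12abc", "1e3" and "1 OR 1=1"; min_range
//    rejects zero and negatives. Returns null on rejection.
function validateUserId($raw)
{
    $opts = array('options' => array('min_range' => 1));
    $id = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return ($id === false) ? null : $id;
}

// 2. Prepared statement: the bound value is sent separately from the SQL,
//    so it can never change the query's structure.
function findUserName(PDO $db, $userId)
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// 3. Store an uploaded file under a server-chosen name in a directory
//    outside the web root. $upload is one entry of $_FILES (hypothetical
//    caller); the client's filename is only consulted for its extension.
function storeUpload(array $upload, $destDir, array $allowedExt)
{
    if ($upload['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null; // whitelist of extensions, never a blacklist
    }
    // A client name such as "../../config.php" cannot overwrite anything
    // because it is never used to build the target path.
    $name = sha1(uniqid(mt_rand(), true)) . '.' . $ext;
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        return null;
    }
    return $target;
}

// 4. Escape on output so data from the database cannot inject markup.
function renderGreeting($name)
{
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// 5. Audit trail: one line per rejected request, with line breaks stripped
//    so a crafted value cannot forge extra log entries.
function auditLog($logFile, $event, $detail)
{
    $clean = str_replace(array("\r", "\n"), ' ', $detail);
    $line = date('c') . ' ' . $event . ' ' . $clean . "\n";
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Demo on a constructed in-memory database (sample data, not real users).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'Ann <b>Example</b>')");

$log = sys_get_temp_dir() . '/audit-example.log';
foreach (array('1', '12abc', '-3') as $raw) {
    $id = validateUserId($raw);
    if ($id === null) {
        auditLog($log, 'rejected_id', $raw);
        echo "rejected: $raw\n";
        continue;
    }
    echo renderGreeting(findUserName($db, $id)), "\n";
}
```

Run it with the PHP CLI; the first value is accepted and rendered with the markup escaped, the other two are rejected and written to the audit log. storeUpload is only callable from a real request (move_uploaded_file refuses files that did not arrive via HTTP POST), so the demo loop does not exercise it.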

Now where’s Ruby, COBOL, C and Z80A assembly language on that list? And why is Linux mentioned there as a vendor?

Irish PHP User Group: Committee Forming

Wednesday, August 20th, 2008

Yesterday, a few weeks after much discussion and evolution of the constitution of the Irish PHP Users’ Group, I suggested that we should get our skates on and get to forming a committee.
Nominations were made today for all of the posts but there’s a week left before the results are ‘official’ – the cut-off is to have a committee voted in by next Wednesday, so there is still plenty of time left if you think you are better suited for the tasks at hand.

PHP 4 – this parrot is deceased!

Friday, August 8th, 2008

I woke this morning with a grin. Nope, nothing to do with the Olympics; PHP 4 is dead, and by that I mean it is no longer supported – no more official security updates for PHP 4, and no more backports from PHP 5 or PHP 6.
The last release of PHP 4.4 occurred yesterday.
Why is this important – and why am I grinning?

PHP 5 has improved support for object-oriented programming, PDO, and numerous performance and security enhancements that make continuing to maintain or develop PHP 4-specific code a mug’s game.
The enhancements in PHP 5.3, which is scheduled to be released in October, and those in PHP 6 make it all the more compelling to move from PHP 4.
If you are a developer and are unaware of this, or are clinging on to PHP 4 for dear life, you’d do yourself a favour by evaluating all options open to you – including a change of career.

The hosting market may be slow to catch up, but remember this: there will be no more security updates for PHP 4, and there are security enhancements in PHP 5. These are compelling reasons to ask your hosting provider whether they offer PHP 5 hosting. Web hosts who are dedicated to supporting PHP 5.2 or later are listed on the gophp5 website.
Blacknight are the only Irish hosting company listed there.

Ivo Jansch, CTO of iBuildings, painted a fairly bleak picture a month ago regarding continued PHP 4 usage, posing the question “what if there’s an exploit for PHP4 and the bad guys are waiting until after 8/8/8 to make malicious use of it”. This is just scare-mongering, but he does make a valid point: after today it will take longer than usual, if it happens at all, for a fix against such exploits to be made available. So if you’re in business it would be wise to consult with your hosting company ASAP.