Blogs » Archive for February, 2006
unserialize Yahoo! search results
Via John Cox, Yahoo! have opened up a PHP Development Center for their search APIs and, more interestingly, have started exposing their search data as serialized PHP strings. That’s “serialized” as in the serialize function.
This is very cool, but I think a little caution is needed when using it, given that it wasn’t designed to be a wire format but rather for local storage of PHP data within a trusted environment.
Is this format safe?
First there’s a problem of trust and potentially a security issue. I guess we can trust Yahoo! OK but they need to make very sure that they’re escaping the data they publish this way correctly - make sure no-one they’ve gathered search results for is able to inject anything in there. Why?
Well for primitive data types (strings, int, PHP arrays) there’s more or less no problem - you can unserialize the result you get back without issues. That said, perhaps the Hardened-PHP Project needs to look at this - are there issues like deeply nested arrays, infinite recursion or very large data structures?
The potential (but low risk) security issue though is if any objects are being serialized this way. When you unserialize, PHP is going to attempt to …
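As an added example that is not from the original post or from Yahoo!’s API documentation, here is one way to treat a serialized payload from a remote service as untrusted wire data before calling unserialize(): cap its size, refuse anything carrying a serialized object, and bound the nesting depth (the size and depth limits are hypothetical values).

```php
<?php
// Added example, not from the original post: treat a PHP-serialized payload
// fetched from a remote API as untrusted wire data before calling unserialize().
// Assumes PHP >= 7.4 (allowed_classes needs 7.0+, max_depth needs 7.4+).

const MAX_PAYLOAD_BYTES = 1000000; // hypothetical cap; size it to real responses
const MAX_DEPTH = 16;              // deepest nesting a result list should need

/**
 * Unserialize $payload, accepting only scalars, null and arrays.
 * On rejection returns null and explains why in $error.
 */
function unserialize_untrusted(string $payload, ?string &$error = null)
{
    $error = null;
    if (strlen($payload) > MAX_PAYLOAD_BYTES) {
        $error = 'payload too large';
        return null;
    }
    // A serialized object (O:) or custom-serialized class (C:) would be
    // instantiated and could run __wakeup()/__destruct(). Refuse it outright
    // rather than letting allowed_classes=false hand back a
    // __PHP_Incomplete_Class. The scan is deliberately coarse: a string whose
    // content merely contains ';O:1:"' is rejected as well (fail closed).
    if (preg_match('/(^|;)[OC]:\d+:"/', $payload) === 1) {
        $error = 'serialized object found';
        return null;
    }
    $value = @unserialize($payload, [
        'allowed_classes' => false,     // belt and braces: never instantiate
        'max_depth'       => MAX_DEPTH, // bounds recursion inside the parser
    ]);
    // serialize(false) === 'b:0;', so a false result is an error only otherwise.
    if ($value === false && $payload !== 'b:0;') {
        $error = 'malformed or too deeply nested data';
        return null;
    }
    return $value;
}

// Constructed sample shaped like a result list, then a payload that is refused.
$ok  = unserialize_untrusted('a:1:{s:7:"results";a:1:{i:0;s:11:"example.com";}}', $err);
$bad = unserialize_untrusted('O:8:"stdClass":0:{}', $err);
```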
Google Page Creator: When It’s All Just Too Hard
Tired of building quick-and-dirty sites for your family and friends just so they won’t produce their own FrontPage monstrosity? Tell them to try Google Page Creator instead.
The latest “beta” web application from the big G, Page Creator enables mere mortals to produce pages blessed by the goodness of CSS layout and (mostly) semantic markup.
Of course, Google has never been the champion of standards-compliant approaches to Web development, and Page Creator is no different. Ugly spots:
- It generates <font> tags (whoops, there goes the old gag reflex…).
- It uses <b> and <i> instead of semantic alternatives.
- It illegally puts <div>s inside tags like <h1>.
- It doesn’t put alt descriptions on images (not by default, but at all!).
On the bright side, it doesn’t use tables for layout, and it lets users create one-, two- and three-column layouts with a plethora of “skins” (CSS style sheets) within the browser with a very usable and AJAX-heavy interface.
The most frustrating thing for me as a developer who cares about standards is that all the ugly bits above seem to be a result of conscious decisions by Google, rather than simple ignorance. Google could have built their product without any of the above shortcomings just as easily, but they didn’t.
Google …
Full Feeds Financially Fruitful For Now
Like most online publishers, SitePoint has feeds (RSS and other formats) for most of its content. Also like most online publishers, SitePoint has struggled with the choice of how much content to put into its feeds: headlines only, summaries, snippets or the full content of each item. At the end of the day, we have chosen to strike a compromise, with our blog feeds offering full content while our other feeds (articles, forums, etc.) offer more limited content.
Robert Scoble today spelled out the advantages of full-content feeds. His argument goes like this:
For the moment, and for the foreseeable future, the users of RSS aggregators are the power users, journalists and other information addicts of the world. These people don’t generally click on ads unless they are very, very targeted. So if your revenue comes from advertising, you’re not actually missing out on any significant revenue by providing full content feeds that allow these readers to bypass the advertising on your site. Putting ads in your feeds doesn’t generally work for the same reason.
Taking the cynical view, if these readers aren’t clicking on ads, why should you even want to cater for them? Because they generate traffic for you, that’s why. …
How well do you handle interruptions?
Today yet another basic lesson about customer service comes up.
I’m sitting with a videographer/developer going through 2 hours of video clips. This is hard work, as we are isolating still photos for a book.
The phone rings. He excuses himself to take the call. He comes back, apologizes, and we have to take a few minutes to figure out where we were.
The phone rings again. He takes the call again.
He ends up taking 3 or 4 calls during this session. He was apologetic, and noted that the calls netted him about $7,000 in business, but still…
When you are with a client, focus on that client. They have taken the trouble to come and visit you in person, not the caller. If you have an urgent call you know is coming, tell the client ahead of time. Otherwise, let your voice mail handle it.
Simple stuff.
Prototype Poster from Snook.ca
Ok, you’ve just read Dan Webb’s new feature article, ‘Painless JavaScript Using Prototype’ and you’re feeling all inspired at the possibilities. What now?
Well, as it happens, Jonathan Snook has the answer. After spending hours pulling its legs off to figure out how it works, Jonathan has poured his findings into a really nifty visual reference for Prototype, which is now free to download at his site.
Hey, even if you’re not into JavaScript, it’ll still probably make a mighty purdy desktop.
A pro-PHP Rant
OK - following on from here and a later comment from Tim (and in fact more so this rant from Jonas Maurus):
How about somebody sends me some good pro-PHP rants?
So here’s some pro-PHP ranting…
It’s the execution model
Focusing on PHP as an Apache module, the two big things are that it works and that it’s scalable. More to the point, no one really has an execution model to compare with it, except perhaps Microsoft with ASP 3.0, which they’ve since abandoned. Before you fly off the handle, think about this one.
I tried to explain the basics a long time ago here. The important thing to take from that (compared to mod_perl / mod_python / mod_* or even an “X” application server) is the interpreter returning to a fresh state after every request (no globals hanging around or otherwise). PHP really is shared nothing. You want scaling? Try here.
Meanwhile, in these days of long tail enthusiasm, other than PHP, you don’t get to hear much about when stuff sucks. Put specifically, don’t bring me your FastCGI unless you’re providing free SMS to go with it, so I can alert myself when it goes down. There are smallish sites I own / run, built on PHP, which …
Google Allows Bidding on Print Ads
In case you haven’t heard - Google is now allowing AdWords clients to bid on ad space in major automotive, lifestyle and technology magazines including PC World, PC Magazine, Martha Stewart Living, and Motor Trend Magazine.
Each publication has three months worth of advertising up for grabs, in quarter page, half-page, and full-page increments. The positioning of the ad page within the magazine, however, is not guaranteed.
The full list of magazines and the bidding form
Print Advertising FAQ
You have until February 24th to place your bids.
This might be a great way to grab some cheap print ad space to promote your business, or as a way to test the effectiveness of print advertising without the usual hassles.
Do you have one or more idea files?
A key tool in any web designer’s or developer’s kit should be a set of idea files. These are files filled with great ideas that you see on the Web or in print ads, and can refer to over time.
You should have a few files, some hard copies of screen shots and some made up of bookmarks to actual sites. Depending on your area of expertise, these might include: great home pages, navigation schemes, color schemes, order page copy, clean layout, catalog structures, headlines, favorite web sites from a specific industry, competitive sites, and so on.
Knowing the Sitepoint audience, I am confident that some of you are already typing away about copyright violation. Hold on there. All I’ve said is that you should have a file or files where you store great ideas. That way, when you need ideas, you can use your files as an easy way to “jog” your mind and get some inspiration. You still need to follow applicable copyright laws.
For instance, right now I’ve started doing marketing consulting to a variety of healthcare practices, including web site design. So now part of my desk is covered with advertisements and web sites from a bunch of …
Tim Bray on PHP
Tim Bray kicked off a big blog debate on the pros and cons of PHP (see links in his post to everyone who commented). If you’ve been around PHP for a while, there’s basically nothing new here but you might find cause for optimism in how things are being said - there’s far more informed discussion happening than you might have found even two years ago.
I haven’t got anything interesting to add, except perhaps a question. Responding to Tim, a number of people made statements to the effect of “PHP is too easy. It’s all those non-programmers that are the problem!”. So we should make PHP harder to keep the non-programmers out?!? To me there’s something deeply wrong in that thinking.
SafeHTML - cleaning form input
I’m reading a couple of web-related security books at the moment.
One is Apache Security, by Ivan Ristic (mod_security), whom I got to meet again last weekend. I’ll save a long review for another time (I’m not finished reading yet); suffice to say this is a must read if you’re doing anything around Apache, particularly for PHP developers, who tend to see just their small part of the stack (“Apache is the host’s problem, right?”).
Another is PHP-Sicherheit, a German publication, one of the authors being Christopher Kunz, who was at the conference, talking about Hardened PHP.
SafeHTML
I also can’t say much about PHP-Sicherheit yet, other than that I like what I’ve seen so far. What got me typing, though, was its mention of SafeHTML - an “anti-XSS HTML parser, written in PHP”, by Roman Ivanov, which I hadn’t seen before. In an odd way it’s kind of a product of Sitepointforums, given that it uses XML_HTMLSax, which basically got developed in this thread.
Now SafeHTML is acting as a filter, trying to strip out anything dangerous. The general view on the web is that it’s practically impossible to do this - there are so many ways to sneak the word “javascript” in as the protocol to a link, …
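The usual answer to the “how many spellings of javascript: are there?” problem is to stop blocklisting and instead allow only known-good schemes after normalising the value the way a browser would. The following is an added example, not code from the original post or from SafeHTML; it assumes PHP 7.4 or later, and its regex over href attributes merely stands in for the attribute callback a real parser such as XML_HTMLSax would give you (it handles quoted attribute values only).

```php
<?php
// Added example, not part of the original post or of SafeHTML: rather than
// blocklisting spellings of "javascript", keep a link only when its scheme is
// on an allowlist. Assumes PHP >= 7.4. The regex in neutralise_links() stands
// in for a real parser's attribute callback and only handles quoted attributes.

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * True when $href is either a relative URL (no scheme at all) or an absolute
 * URL whose scheme is allowlisted. Anything else, including anything the
 * normalisation cannot make sense of, is rejected.
 */
function is_safe_link(string $href): bool
{
    // Undo what a browser undoes before it looks at the URL: HTML entities,
    // then ASCII control and whitespace characters anywhere in the value.
    $url = html_entity_decode($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($url === null) {
        return false; // regex engine failure: fail closed
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) === 1) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    // No leading scheme: it is relative only if no ':' precedes the first
    // '/', '?' or '#'. Oddities such as ':foo' are rejected rather than guessed.
    return preg_match('/^[^\/?#]*:/', $url) === 0;
}

/** Replace every unsafe quoted href in $html with href="#". */
function neutralise_links(string $html): string
{
    return preg_replace_callback(
        '/\bhref\s*=\s*(?:"([^"]*)"|\'([^\']*)\')/i',
        fn(array $m): string => is_safe_link($m[1] !== '' ? $m[1] : ($m[2] ?? ''))
            ? $m[0]       // keep the attribute exactly as written
            : 'href="#"',
        $html
    );
}

// Constructed input: an ordinary link, a mixed-case scheme, a relative path.
$sample = '<a href="https://example.com/">ok</a> '
        . '<a href="JavaScript:void(0)">bad</a> '
        . '<a href="/about?x=1">rel</a>';
$clean = neutralise_links($sample);
```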