<?paul

Yet another hour burned debugging some weird issue. Let me give you the short version.

Imagine a script executed in a dispatch-method like manner (so calls to example.com/ example.com/stuff, and example.com/stuff/cool/12 all go to the same script). It stores the value (12 in the last example) in a session for later use. Printing out that value on the page, doing weird things with it, etc. all work. You always get 12. Even printing out the value from the session as the last thing in the script then exiting, you still get 12. Load up another page, you get 0.

Is that even possible?

It turns out what was happening was my script was displaying information in a template, that was including another resource (say <img src=”image.png” />). The browser was obligingly requesting example.com/stuff/cool/image.png, which was re-executing the script, casting image.png over to an integer, resulting in a 0.

The fundamental stumbling block in my diagnosis of the issue was that I saw my browser making two requests, the first when I was being presented with a 12, the second when I was shown a 0. In fact my browser was making three requests, the first directly at my request for the page (setting the value), the second by my implied request to retrieve a referenced image (resetting the value), the third for the page showing zero.

Things that helped me debug the issue: IRC, (Daniel Banck in #zftalk), and Christine

Things I should have used, Firebug or Dragonfly to watch the requests go by.

Something I would love to have: An application that watched a file on disk, reporting all versions of the file over time. tail -f wont work as the file is a single line long, the line is changed but no new lines are added. I’m aware of similar tools for windows, none for mac/linux.

I’ve been working on yet another side project (too many!), and got a fair amount of work done during recent flights this holiday season. I started working at 30,000ft so I was lacking in the Internet access department. Luckily(?) I had my Subversion check out of Zend Framework, so I just used it.

This morning I spent an hour or so debugging a problem where a certain control (Zend_Form) was printing out a debug type message, and I couldn’t figure out why.

Well, the why is, it’s a subversion checkout, not a release!


Always use a real release.

So, I'm a horrible person for not mentioning this before, but go take a look at the PHP Advent Calendar, in particular, my post Listen.

So one month ago I cancelled my cable subscription. I was never really happy with what I was getting (picture quality and channel selection), my expensive HD box breaking 13 months into a 12 month warranty was the final straw.

Not having cable frees up $40/month that I wasn’t really budgeting on having. Sponsoring a child with World Vision happens to be $40/month. This seemed like a good match, and a far better use of my money.

if you’re not satisfied with a service you’re currently paying for, why not put the money to better use

When developing your applications you’re going to need to present options to the end user (if not, you’re developing a static application, stop using PHP). How these options are presented is a decision that should be made by user interface experts, not programmers. I'd love to entrust programmers with this task, but we keep doing it wrong.

Continue reading "Give few concise options"

One other small note, while it's at the forefront of my mind. It's November 11th, and just after 11 am. Watching the airport around me stop for the national anthem and two minutes of silence was uplifting. I'd intended to stand on my own, but watching the entire terminal around me stop was... awesome. A word I use in this case in the traditional sense.

My camera spent the entire event in my travel bag. Though I would have loved a shot, the moment itself was worth more than the picture.

Note: This article doesn’t contain anything new or ground breaking. This is the stuff that you should know already because it’s been written about before by people smarter than me. Tragically, despite lots of great material on subject people keep messing it up.

So, cross site request forgeries are a pretty common topic these days; they’re in almost every security talk, book, site etc. This is okay; they’re important (but I wish people would concentrate on security as a whole rather than just worrying about problems with nifty acronyms). Most of the sites, and all of the books I’ve read demonstrate things correctly, but when it comes to actual implementation, time and time again, I see code that’s just wrong. This CSRF Demonstration page will be used throughout this post.

In order to effectively use the common transparent defense against CSRF attacks you need to generate an unpredictable token, and confirm its presence in both the session and form submission upon receipt. Only two essentials there, but I’ve seen lots of live code that fails on at least one of the two.

Comparison

So, the point of CSRF is to confirm that the CSRF token in the session is equal to the one received with the form post. This is critical and easy, though people seem to manage to screw it up. They write code that looks remarkably like this:

if ($_POST['csrf'] == $_SESSION['csrf'])

Do you see the fatal flaw? If both the session and post variable are empty, they’re also equal. So if you’re attacking the form you simply omit the post variable. I demonstrate this attack on my negligence csrf attack page. Not only do you need to ensure they’re equal, you also need to ensure that they’re both set and non-empty.

Note I’ve left the warnings in on purpose. I could have turned off display errors, or suppressed them, but I really wanted to show what was happening.

Unpredictable Token.

This part should also be easy; generate a token that the attack can’t guess. I haven’t actually said random here, though random is good. The important part is that the attacker can’t guess it. I have a piece of information for you that shouldn’t be news, but it might be. Time isn’t random. Time increases by one, once a second, every second. MD5 also isn’t random. Thanks to the snowball effect the hash of very similar values are actually very different, but they are in no way random. Now combining these two non-random values also happens to give you a non-random result. Yet, time and time again I see code exactly like this:

$csrfToken = md5(time());

This is idiotic. Throwing a hash function at the problem doesn’t solve anything. It’s obfuscation, and weak obfuscation at that.

Now I’ve mentioned this at talks before, and the audience has politely nodded, then privately told me that it doesn’t actually matter. It does, so take a look at the md5 time attack page.

Now adding a little bit of salt also doesn’t solve the problem, it’s just more obfuscation.

If you’re interested you can also see the source code for my weak csrf page.


Stefan Esser’s talk at ZendCon Lesser Known Security Problems in PHP discusses a few other issues related to sessions you may want to take a look at.

So please go home and fix your CSRF pages.

(s/messing/&$#@ing)

So this year at php|works we’re trying something a little different for the evening entertainment, You! (we had enough of me at php|tek).

The format is a little bit different than a talk (thank god) and hopefully a lot more fun. Basically the presenter gets up there with twenty slides, each are going to be shown for exactly 20 seconds, for a total of six minutes forty seconds. No take backs, no do-overs, no boring slides full of code.

The format lends itself well to quick, interesting presentations on pretty much anything. Plus, if you give a talk I’ll be buying you a drink!**


A couple of quick FAQ points:
Q: Do I have to be a speaker to give a talk?
A: Oh gosh no! I’ve heard enough of those guys already, I’d love to get some fresh blood up there.

Q: Does it need to be on PHP?
A: Oh gosh no! Make it interesting, make it on something important, something cool, something trendy! Remember there’s Python folks in the crowd as well.

Q: Why should I give a talk?
A: It’s fun. It’s a new format, something interesting to try, plus we have prizes.

Q: I’ve never given a conference talk before, I’m a bit nervous about this whole thing.
A: That’s not actually a question. I’ll speak to your point anyways, this is a great way to get some exposure to decision makers for our conferences and other ones, if you’re good we’ll remember you, next time there’s a CFP we can say “Oh we say her/him at php|works, let’s get em!”. Plus it's fun, and Paul will clap politely no matter what.

Q: Will Paul keep his pants on?
A: Magic 8-Ball says: Unclear.

Q: Will Kiss be making an appearance?
A: Tragically, probably not.


So yeah, send Elizabeth Naramore an email with your interest quickly while there's still a few slots left. She's at elizabeth at phparch dot com.


**While it's still an open bar.

I have a lot of pet peeves, and in order to start blogging more often you might be hearing about them, sorry.

One of them is stupid ways software downloads work, in particular software designed to be run on a server. This umbrella category includes pretty much every PHP application you might download (arguments from Elizabeth Smith not withstanding). Why do all these sites insist on being “helpful” and redirecting my browser to a download link? I don’t want to download the file to my computer, I want the file on a server in another country!

Some sites, dissatisfied with merely making you hit stop, copy the direct download link to clipboard and paste in a terminal window go one step further! They refuse to serve files unless you’ve got a cookie. So just having the right link doesn’t work, I have to boot up lynx, surf to the page, hit the download link again. This is freaking stupid.

Provide real download links for software designed to run on the server, stop requiring cookies to download your software, just make things work.

Example Culprits include PHP itself for the whole redirection business, and Magento for necessitating a cookie.

So I had dinner this evening at a new place around the corner called "Buns". Imagine a small burger joint opened by two frat guys fresh out of school with no real business or food safety experience. You've got it.

Small hole in the wall location, small commercial grill at the window, menu consists of burgers, fries, and pop. That's it. The food is basically what you'd expect from a couple of frat guys on a barbecue. It's burgers from costco (the big ones), thinly sliced potatoes done on the grill, and pop in a cooler owned by the local coca-cola franchisee.

This probably doesn't sound too appealing, but the area I'm in is relatively high density, with lots of places (including mine) forbidding the use of barbecues. Also, truth be told, there's not a lot of options for barbecues in the area. There's five chinese, three thai, and a pair of sushi places on the block, but the closest burger is McDonalds four blocks down. So it's got market.

Their problem is going to be their (apparent) complete lack of experience. They're leap years away from any sort of "order once, pay and get food" system. I think my order was confirmed twice, independently, by each employee. That, and character was the only thing that necessitated payment. This slows them down a lot, and seems to be doubling their work load. A couple people actually gave up and walked out waiting in line.

Their food safety is about what you'd expect from a couple of frat guys... So head down before their first random inspection.

I wish i had the credentials to go in there and help them improve. My tips would be simple:
- When you take the order, call it out.
- After the customer pays, write down the order (or use receipt) tape to tray or bag
- Buy three barbecue flippers, spray paint the handles. Red for raw meat, black for cooked, green for potatoes.


So yeah, if you like bbq burgers and fries, check it out

I'm normally a big fan of decisions amazon.com makes. Their site is pretty easy to use, the recommendations and upsells are useful without being over the top and annoying (see: godaddy.com), and overall its a site a think a lot of others would do well to emulate.

I don't like something they're doing now. As a rule, I feel that when presenting hyper links the links themselves should be useful words describing the target, and also generally represent the action item the user is looking for. Saying Click Here to visit a really cool blog is bad. The link doesn't describe the target, nor will someone looking for that link find it quickly when scanning for hyper links. Something like You should go read Paul Reinheimer's Blog is much better.

These days, skimming Amazon for "Log In" or "Sign In" doesn't work. The words appear, but they're not linked. Instead the link is on "Personalized Recomendations"

What are your thoughts?

So on a recent trip to California I was in an area that had boingo wireless. I was stuck for a few hours, and I needed to get in touch with a friend back home. So I signed up, given the option for some sort of $5 for a few hours or $10 for a month, I chose the month option.

Then it wanted me to download this little application to "help" me connect. I was wary. I'm not on windows, and %99.999 of the time that crap is windows only. It's also useless %99.999 of the time. But, I gave it a whirl and installed it.

I'm Happy.

Most of the time, I don't even know the application is running. There's no dock presence or anything, it's just a little chunk of ram. Then, when I open my laptop up and it sees a boingo partner network nearby it pops up asking me to join whatever that partner network is. Then upon connecting it jumps through whatever the hoops are to get me logged on. I connect, I push a button, I'm on.

It's also much much cheaper than the roaming options I have up here in canada. Most of them are in the $30/month range, whereas boingo is $9.95/month for the first three, then jumps up to $21.95.

So I've got this small application that looks like it was built intelligently, a reasonable fee for wi-fi on the go, and fewer headaches jumping through partner hoops.

If you travel a lot, I'd personally recommend the boingo network.

So I had another great time at ZendCon this year. Great conference, great attendees, lots of good times. I gave my Ajax and State talk that was a huge success. I may have dressed a bit better than usual for the talk this year. Though opinions range from me looking like a motivational speaker to a cult leader.

ZendCon usually has a different feel for me than our regular php|works and php|tek conferences. There's more businessy people here rather than just developers. It's a nice mix, but the booze doesn't seem to flow quite as easily.

I was quite happy to get a call out from the opening and closing keynotes. Cal Evans was kind(?) enough to present me as a PHP celebrity for the work beth and I do on the P3 podcast. During the closing keynote my suit wearing new trend was presented as a new level of class for the conference.


A great conference. If you haven't been to a PHP conference yet come out to php|works in Atlanta, this should whet your appetite, then you can head over to |tek in the spring, and back to ZendCon next year.

I'll be blogging (no php tag) about my drive down highway 1 this weekend, and hopefully posting a few interesting pictures.

This is what I was presented with when the Wi-Fi

<!-- Colubris -->
<!-- Custom -->
<HTML>
<!--
===============================================================================
fail.html
_____________________________________________________________________________

Description
- - - - - -
Customers see this page if the CN3000 could not find the appropriate RADIUS
to authenticate:
- itself and retrieve configuration information.
- a customer login


Customizing this page
- - - - - - - - - - -
This page can be customized for your site according to the following
guidelines.
- Do not alter the ID tags "[!-- Colubris --]" & "[!-- Custom --]"
located at the top of this file.
- Do not alter any JavaScript code in this file, except for
the following Session window parameters: width, height

- Only one image can be included on this page. This same file is shared
by all customizable pages, and must be resident on the CN3000.
For details see ?????????
- Do not alter any occurance of "Get...();"
- Do not alter any form elements, names and values should be left intact.

===============================================================================
-->
<HEAD>
<meta id="metaViewPort" runat="server" name="viewport" content="height=device-width; initial-scale=1.0; minimum-scale=1.0; maximum-scale=1.0; user-scalable=0;" />
<TITLE>Rogers Hotspot</TITLE>
</HEAD>
<BODY bgcolor="#FFFFFF">

Way to go live with those comments built in guys .

I then gave up on coffee shop wifi and came home .

It's 2008 (I think, my wall calendar hasn't been flipped since March) and while browsers are getting slicker, faster, and trendier code names. They're still working on the same basic premise as Mosaic did the same time I used the web. We've moved past basic HTML, it's high time our browsers noticed this and caught up.

1. Re-empower the Stop button
When pages were static HTML, maybe a few images, the back button was great! You hit stop, and by gosh stuff stopped. It stopped loading, you browser stopped having seizures every-time a new image was downloaded, all was well.

That was then, this is now. The stop button does the same thing it did back then (halt page load), the problem is there's tones more going on in the browser, things like ajax, silverlight, flash, etc. None of these things are really stopped when you hit that button, they continue forging on. I need a way to actually stop all the crap that's happening in my browser that isn't relying on some application to play nice.

2. Let me control CPU usage
Sure, all these new technologies empower some really nifty features, and some great ads, but they have a tendency to run away with themselves. I'm tired of noticing that $browser is consuming some insane amount of cpu then clicking through tabs trying to figure out which flash app (generally some ad) has gone nuts then closing the tab.

By default, when a tab loses focus I'd like all activity on that app to be frozen, or capped at some minimal level of CPU activity. Give me access to empower pages to continue functioning normally on a tab by tab basis, and possibly program in given URLs and domains as being permanently allowed (think pandora, or our training application).

3. Notify on break-out events
My browser is a contained space, it has four borders. Anything that exits that space by: popping up a window, initiating a sound, dropping a file onto my hard drive, etc. should be made clear. I'm tired of playing whack-a-mole when an advertisement in one of the 30 tabs I have open across three browsers starts whispering to me.

When a web application initiates a break out event I'd like it to get some sort of an icon on the tab level. A little speaker for sounds, a box for a pop-up, etc. That way when something happens I can track down why and where it came from.