Certification Central 5 Editorial To XML, or Not to XML! 6 What’s New! 57 Product Review webEdition by Peter B. MacIntyre 62 Product Review DHTML Menu Studio by Peter B. MacIntyre 67 Security Corner Ideology 70 e x i t ( 0 ) ; A Look at PHP in Government by Andi Gutmans and Marco Tabini 9 Object-oriented vs. Relational Part II Managing Distractions and Reverse- Engineering Abstractions by Rick Morris 17 Developing a PHP - XML Generator by Man-ping Grace Chau 32 PHP 5 & XML by Ilia Alshanetsky 42 Hiding Your Sins Practical Caching for the PHP Developer by Allen Smithee 50 Secure Your System with a Port Security Guard by Ron Goff 3 November 2004 ● PHP Architect ● www.phparch.com TABLE OF CONTENTS II NN DD EE XX php|architect Features Departments TM *By signing this order form, you agree that we will charge your account in Canadian dollars for the “CAD” amounts indicated above. Because of fluctuations in the exchange rates, the actual amount charged in your currency on your credit card statement may vary slightly. Choose a Subscription type: CCaannaaddaa//UUSSAA $$ 9977 9999 CCAADD (($$6699 9999 UUSS**)) IInntteerrnnaattiioonnaall AAiirr $$113399 9999 CCAADD (($$9999 9999 UUSS**)) CCoommbboo eeddiittiioonn aadddd--oon n $$ 1144 0000 CCAADD (($$1100 0000 UUSS)) ((pprriinntt ++ PPDDFF eeddiittiioonn)) Your charge will appear under the name "Marco Tabini & Associates, Inc." Please allow up to 4 to 6 weeks for your subscription to be established and your first issue to be mailed to you. *US Pricing is approximate and for illustration purposes only. php|architect Subscription Dept. P.O. Box 54526 1771 Avenue Road Toronto, ON M5M 4N5 Canada Name: ____________________________________________ Address: _________________________________________ City: _____________________________________________ State/Province: ____________________________________ ZIP/Postal Code: ___________________________________ Country: ___________________________________________ Payment type: VISA Mastercard American Express Credit Card Number:________________________________ Expiration Date: _____________________________________ E-mail address: ______________________________________ Phone Number: ____________________________________ Visit: http://www .phparch.com/print for more information or to subscribe online. Signature: Date: To subscribe via snail mail - please detach/copy this form, fill it out and mail to the address above or fax to +1-416-630-5057 php|architect The Magazine For PHP Professionals YYoouu’’llll nneevveerr kknnooww wwhhaatt wwee’’llll ccoommee uupp wwiitthh nneexxtt S ubscribe to the print edition and get a copy of Lumen's LightBulb — a $499 value absolutely FREE † ! In collaboration with: Upgrade to the Print edition and save! For existing subscribers Login to your account for more details. EXCLUSIVE! EXCLUSIVE! † Lightbulb Lumination offer is valid until 12/31/2004 on the purchase of a 12-month print subscription. November 2004 ● PHP Architect ● www.phparch.com EE DD II TT OO RR II AA LL RR AA NN TT SS php|architect Volume III - Issue 11 November, 2004 Publisher Marco Tabini Editorial Team Arbi Arzoumani Peter MacIntyre Eddie Peloke Graphics & Layout Arbi Arzoumani Managing Editor Emanuela Corso Director of Marketing J. Scott Johnson scott@phparch.com Account Executive Shelley Johnston shelley@phparch.com Authors Ilia Alshanetsky, Ron Goff, Man-ping Grace Chau, Peter MacIntyre, Rick Morris, Chris Shiflett, Allen Smithee php|architect (ISSN 1709-7169) is published twelve times a year by Marco Tabini & Associates, Inc., P.O. Box 54526, 1771 Avenue Road, Toronto, ON M5M 4N5, Canada. Although all possible care has been placed in assuring the accuracy of the contents of this magazine, including all associated source code, listings and figures, the publisher assumes no responsibilities with regards of use of the information contained herein or in all associated material. Contact Information: General mailbox: info@phparch.com Editorial: editors@phparch.com Subscriptions: subs@phparch.com Sales & advertising: sales@phparch.com Technical support: support@phparch.com Copyright © 2003-2004 Marco Tabini & Associates, Inc. — All Rights Reserved I have a confession to make. I’m an XML-phobe. I know, in today’s soci- ety of political correctness and respect for other cultures, that’s nothing short of inexcusable, but what can I say? I’m getting old and, therefore, cranky. When I first heard of XML a while back, I couldn’t help but thinking of it as the answer to a question nobody asked. This feeling was, in fact, aug- mented by the continuous misuse of this outrageously verbose in all sorts of places where it really didn’t belong. Have a configuration file? Let’s make it XML. Need to store data? Why use a database—we have XML! At the time, I was part of a team whose job was interfacing a Microsoft- based web system to a legacy mainframe system, which, at the time, was no walk in the park, as everything had to take place through a carefully- choreographed exchange of text files. I remember that, at some point, the irony of it all struck me: here was a perfect scenario in which being able to use XML would have been, at last, beneficial (although manipulating text files with ASP was about as pleasant as stapling your lips together) and, of course, there was no way I could have used it, because it would have required too much work on the mainframe side. On the other hand, I had to use XML for pretty much half of the configuration files on the Windows machine. Lovely. As time has gone by, the XML craze has somewhat faded to a more rea- sonable level: we now use it for its intended purpose—the structure com- munication of data between two or more heterogeneous systems—more often than not. It has become the basis of XHTML, whose importance is, in my opinion, not in the beauty of a “well-designed” web page, but in the fact that any robot should be able to parse XHTML, thus paving the way for better search engines, more focused online advertising, and so on. Still, despite (or, more probably, because) XML was designed to be a human-readable format, manipulating an XML document “by hand” is not fun—regardless of how good your particular platform is at handling strings and arrays. What it takes is a strong set of tools designed specifical- ly to parse, modify and produce XML documents and are capable of inter- facing with the underlying platform in a way that hides the minutiae of the language from the developers. PHP 4 had what could be considered a germinal XML infrastructure, but with PHP 5 we now have a robust toolset (despite a few kinks here and there) that can be used to perform all sorts of XML manipulations—and which will be indispensable to the introduction of PHP in an enterprise environment that requires interoperation between a variety of different systems. I had a taste of just how important this is to our readers during php|works, when I sneaked into Ilia Alshanetsky’s session on PHP 5 and XML… and had to leave because I couldn’t get a seat. Once the confer- ence was over, therefore, I had to ask Ilia if he wanted to write a compa- rable article for the magazine; the result is this month’s main piece. As usual, Ilia came through in style with an article that explores every single facet of the functionality available in PHP 5 (with a quick look at what was available in PHP 4), with plenty of practical examples and real- world suggestions. I hope you will find it as useful as I did—and that it will help you in your projects. Until next month, happy readings! EDITORIAL TM T o XML , or N ot to XML! November 2004 ● PHP Architect ● www.phparch.com 6 What’s New! NN EE WW SS TT UU FF FF Zend announces the PHP 5 Coding Contest Winners Zend has released the names of the winners of the PHP 5 Coding Contest!! “ It really wasn’t that easy to choose between the top applications; there are quite a few that ended up in the top 20 or so that could just have easily been in the top 6. Without your input, we’d still be arguing over them! A special mention goes to MyObjects * , a project that provides its own persistent object library and tools for generating classes directly from a MySQL database. A minor coding style issue was all that prevented the project from being one of the top prizewinners. The voters liked it too, and it ended up coming in 7th place. Keep an eye out for the author, Erdinc Yilmazel of Turkey - we’d put money on his winning next time, if there’s a next time! Another special mention goes to Hive ** , which came in 41st because nobody in the public domain voted for it. We disagreed - it ranked 3rd in the judges list - so we’ve scrambled around to find a judges prize for the author, Robert Janeczek. Ironically, Robert describes Hive as ‘a low-level version of the PRADO project’ . Our judges and the public agreed over PRADO *** , which won outright. All we need to do now is get a laptop to Qiang Xue, the author of the winning applica- tion, and then we can sit around in the office drinking too much caffeine and playing hangman with a clear conscience. “ For more information, and to try the winning software for yourself, visit http://www.zend.com/php5/contest/contest.php * [MyObjects ] http://www.zend.com/php5/contest/contest.php?id=126&single=1 ** [Hive] http://www.zend.com/php5/contest/contest.php?id=138&single=1 *** [PRADO] http://www.zend.com/php5/contest/contest.php?id=36&single=1 MySQL Version 4.1 Certified as Production Ready MySQL.com has announced that version 4.1 of its database management system is now production-ready for large-scale enterprise deployment: “ MySQL AB, developer of the world’s most popular open source database, today announced the general avail- ability of MySQL® 4.1. Certified by the company as production-ready for large-scale enterprise deployment, this significant upgrade to the MySQL database server features advanced querying capabilities through subqueries, faster and more secure client-server communication, new installation and configuration tools, and support for international character sets and geographic data. MySQL 4.1 can be downloaded now at http://dev.mysql.com/. “ PHPX 3.5.4 Released A quick note from pphhppvvoollccaannoo ccoomm announces the latest version of PHPX: “ After much too long in waiting, 3.5.4 can be downloaded. There are a lot of new features, including a guest- book and shoutbox, user groups have been added and stuff that I dont feel like putting here too! PHPX is a constantly evolving and changing Content Management System (CMS). PHPX is highly cus- tomizable and high powered all in one system. PHPX provides content management combined with the power of a portal by including in the core package modules such as FAQ, polls, and forums. PHPX uses dynamic-template-design, what this means is that you have the power to control what your site will look like. Themes are included, but not required. You can create the page however you want, and PHPX will just insert code where you want it. No more 3 columns if you don’t want it! Written in the powerful server language, PHP, and utilizing the amazingly fast and secure database MySQL, PHPX is a great solution for all size website communities, at the best price possible .free! “ Zend Encoder for MAC OSX Now Available Zend has announced the release of Zend Encoder for Mac OS X. “ The Zend Encoder is the recognized industry standard in PHP intellectual property protection. The Zend Encoder allows an unlimited number of PHP applications to be distributed, while ensuring your investment and source code are protected from copyright infringement. Independent Software Vendors (ISV’s) and Professional Service Providers (PSP’s) rely on the Zend Encoder to deliver their exclusive and commercial PHP applica- tions to customers without revealing their valuable intellectual property. By pro- tecting their PHP applications, these and other enterprises expand distribution and increase revenue. The Zend Encoder compiles and converts plain-text PHP scripts into a platform- independent binary format known as a ‘Zend Intermediate Code’ file. These encoded binary files are the ones that are distributed instead of the human-read- able PHP files. The performance of the encoded PHP application is completely unaffected! The Zend Optimizer, a free download, is the run-time environment that enables end-users to transparently execute these files as if they were regular PHP scripts. The Zend Optimizer not only provides an additional level of increased security against reverse engineering, it also improves performance speed. “ For more information visit: www.zend.com November 2004 ● PHP Architect ● www.phparch.com 7 NNEEWW SSTTUUFFFF Apache HTTP Server 1.3.33 Released From Apache.org: “ The Apache Software Foundation and The Apache HTTP Server Project are pleased to announce the release of version 1.3.33 of the Apache HTTP Server (“Apache”). This Announcement notes the significant changes in 1.3.33 as compared to 1.3.31 (1.3.32 was not formally released). The Announcement is also available in German and Japanese . This version of Apache is principally a bug and security fix release. A partial summary of the bug fixes is given at the end of this document. A full listing of changes can be found in the CHANGES file. Of particular note is that 1.3.33 addresses and fixes 2 potential security issues: CAN-2004-0940 * Fix potential buffer overflow with escaped characters in SSI tag string. And CAN- 2004-0492 ** Reject responses from a remote server if sent an invalid (negative) Content-Length. We consider Apache 1.3.33 to be the best version of Apache 1.3 available and we strongly recommend that users of older ver- sions, especially of the 1.1.x and 1.2.x family, upgrade as soon as possible. No further releases will be made in the 1.2.x family. “ Apache 1.3.33 is available for download from http://httpd.apache.org/download.cgi * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0940 ** http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492 PostNuke Security Alert Postnuke.com has posted a new security alert regarding a Hack into the the ZIP archive of PostNuke .750 “ We discovered last night that http://downloads.postnuke.com was the target of a malicious attack and files in the ZIP archive of PostNuke .750 were changed. Immediately upon discovering this all links to the downloads section were removed and on Tuesday the 26th at 8:30 GMT the original download package was restored. Our investigations so far have revealed the attack was initiated on Sunday, 24.Oct, at 23:50 (11:50 PM) GMT. The attacker used an exploit in the download management software pafiledb to change the download address of PostNuke-0.750.zip to point to a compromised archive. We must stress this is a security compromise of paFileDB and has nothing to do with the PostNuke appli- cation. Note, if you downloaded the tar.gz archive you are not affected so you do nothing, only those who downloaded the zip version were affected and must take immediate action as detailed below. The changes made by the hackers were in two places. First, during the installation routine all data submitted (this includes the server, the database credentials, the admin name and password) is sent to a different server. Second, in one file there was code allowing a malicious user to execute any shell command on the web server. As noted before, immediate action is required from everyone who downloaded the .zip package between Sunday (24.Oct) at 23:50 GMT until Tuesday (26.Oct) at 8:30 GMT. “ For more information visit: news.postnuke.com Take Advantage of Marco’s Wonky Math and Save Up to $80 Our fall/winter 2004 subscription campaign is in full effect—and this year we have some great offers for all our sub- scribers, regardless of whether you’re becoming a member of our family for the first time or if you’re been looking forward for your copy of php|a since the very beginning. Signing up for a php|a subscription (or adding another 12 months to your existing one) right now means some great offers, which include: • A $80 discount on the Zend Certification Guide • A free 64MB USB Memory Key, complete with the php|architect logo For more information, visit our website at http://www.phparch.com/wonky Errata In last month’s Tips & Tricks column, John mentioned that a reader had pointed out a small flaw in his random-line access algo- rithm. In true php|architect fashion, we misspelled his name—quoting him as Chris Cowell, while his real name is Chris Dowell. Sorry, Chris! November 2004 ● PHP Architect ● www.phparch.com 8 NNEEWW SSTTUUFFFF Looking for a new PHP Extension? Check out some of the lastest offerings from PECL. WinBinder 0.27.093 WinBinder is an extension that allows PHP programmers to build native Windows applications. It wraps a limited but important subset of the Windows API in a lightweight, easy-to-use library so that program creation is quick and straightforward. Parsekit 1.0 This package provides a userspace interpretation of the opcodes generated by the Zend engine compiler built into PHP. This extension is meant for development and debug purposes only and contains some code which is potentially non-threadsafe. Imlib2 0.1 imlib2 is a very fast image manipulation library, but without the support for as many image formats as other libraries such as imagemagick. You will need the imlib2 library from http://sourceforge.net/projects/enlightenment/ in order to compile this extension. This extension is experimental. It's been tested on a number of Linux installs, but nothing else. Please report any bugs to the main- tainer! Translit 0.1 This extension allows you to transliterate text in non-Latin characters (such as Chinese, Cyrillic, Greek etc) to Latin characters. Besides the transliteration, the extension also contains filters to convert to upper- and lower-case words in Latin, Cyrillic and Greek, and per- form special forms of transliteration, such as converting ligatures such as the Norwegian "ÃE" to "ae," as well as normalizing punctua- tion and spacing. Check out some of the hottest new releases from PEAR. PHPUnit 2.1.2 PHPUnit is a regression testing framework used by the developer who implements unit tests in PHP. DB_odbtp 1.0.2 DB_odbtp is a PEAR DB driver that uses the ODBTP extension to connect to a database. It can be used to remotely access any Win32-ODBC accessible database from any platform. Mail_mbox 0.3.0 This extension can split messages inside an Mbox, return the number of messages, return, update or remove a specific message, or add a message to it. I18Nv2 0.9.1 This package provides basic support to localize your application, like locale based formatting of dates, numbers and currencies. It also attempts to provide an OS-independent way to sseettllooccaallee(()) and aims to provide language and country names translated into many languages. It provides these classes: • I18Nv2-OS-independent (Linux/Win32) sseettllooccaallee(()) , other utilities • I18Nv2_Locale-locale based formatter • I18Nv2_Negotiator-HTTP negotiation of preferred language and charset • I18Nv2_Country-multilingual list of country names • I18Nv2_Language-multilingual list of language names • I18Nv2_Charset-list of common and not so common charsets and aliases • I18Nv2_AreaCode-list of international area codes (phone) Stream_Var 1.0 Stream_Var can be registered as a stream with ssttrreeaamm__rreeggiisstteerr__wwrraappppeerr(()) and allows stream-based access to variables in any scope. Arrays are treated as directories, so it's possible to replace temporary directories and files in your application with variables. Distractions Abound Apparently, a few of our loyal readers have been won- dering just when Part II of this series would come out, or whether it had vanished into the //ddeevv//nnuullll bitbuck- et. Please bear with me; since writing that first article I have gone through three South Florida hurricanes and the birth of my second child (a boy!). So, suffice it to say that there have been a few distractions in my life. But, in the best tradition of making lemons into lemon- ade, let’s think about what distractions can teach us. Foremost, I would have to say that they highlight the need to think clearly and accomplish as much as possi- ble in the shortest possible time (and if my parents had known when I was 16 that I would grow up to write a line like that, they would truly believe in miracles). With that in mind, let’s think about how databases help us manage distractions. I have a very small synop- sis of what the relational model of data affords us: the ability to name things in order to control them. That may seem a tad simplistic, but think about it: relational data- bases give us the ability to apply a distinct and clear name with a value attached to everything—and, most importantly, they don’t require any other mechanism than a simple declaration of the named element and its attributes in order to retrieve the associated value. In other words, you don’t need to think about “the infor- mation in column #2 of row #34,” or “the eeyyee__ccoolloorr field is in column #4 of this table.” Instead, the mecha- nism for accessing your data simply is the statement of what you are looking for. “Get all eeyyee__ccoolloorr values for employees born before 1968” can be directly translat- ed into SSEELLEECCTT eeyyee__ccoolloorr FFRROOMM eemmppllooyyeeee WWHHEERREE eemmppllooyy-- eeee bbiirrtthhddaayy >>== ‘‘11996688--0011--0011’’;; . The fact that most data- base systems also allow you to ask for the data on row #34 and the value in column #2 should be regarded as a nuisance rather than a feature, if you truly follow the principles of relational database design. Distractions also teach us that abstraction helps us manage the organization of our lives. If we had to think about every single step we took, we would be pretty frustrated by the end of the day, but our bodies allow us to abstract that into a general concept called “walk- ing.” Thus, rather than thinking about moving our feet up and down in the exact steps we will have to take in order to get to the refrigerator, we just decide to walk to the refrigerator, and let the abstraction take over (believe me, with a wife, a 4-year-old and a newborn, I have been doing a lot of walking to the refrigerator lately). In the same way, both relational database sys- tems and object-oriented programming allow us to cre- ate abstractions that save us time in the future. They just do so in different ways. What’s wrong with this picture? As we discussed in Part I, one of the biggest distractions in modern programming is the “object-relational November 2004 ● PHP Architect ● www.phparch.com 9 FF EE AA TT UU RR EE Object-oriented vs. Relational Part II by Rick Morris PHP: 4.x+ OS: Any Other software: PostgreSQL version 7.4+ Code Directory: relational REQUIREMENTS To many object-oriented developers, there is a sense that the relational model for data management is at odds with the concepts of object-oriented development. Are these views justified? Are they practical? In part II of this two- part series, we build a simple example of an object-orient- ed application that derives business logic from the data- base without object/relational mapping. Managing Distractions and Reverse-Engineering Abstractions [...]... much of a problem and actually allows easy upgrades of the library without having to recompile PHP, since the library is linked dynamically Libxml2 happens to support an Expat-emulation REQUIREMENTS PHP: 5.x OS: Any Other: N/A Code Directory: php5 xml November 2004 ● PHP Architect ● www.phparch.com 32 FEATURE PHP 5 & XML mode, which makes it behave in an almost identical manner to the original Expat library... Listing 4 1 < ?php 2 /** 3 * Draw table content 4 **/ 5 6 function tableData ($expObj, $function, $colspan, $rowspan) 7 { 8 $statement = “”; 9 $statement = $expObj->$function(); 10 $statement = “”; 11 $statement = “\n”; 12 return $statement; 13 } 14 ?> November 2004 ● PHP Architect ● www.phparch.com 23 FEATURE Developing a PHP - XML Generator Listing 5 1 < ?php 2 /**... browser request is made to Listing 5, at a minimum, the GET parameters for relname and mode need to be passed as part Listing 6 1 2 3 4 5 6 7 8 < ?php /* file: relfiles .php */ require_once(‘./RelDomain .php ); require_once(‘./Relation .php ); require_once(‘./RelGui .php ); ?> 12 FEATURE Object-oriented vs Relational Part II of the URL This tells the program what relation to deal with, and how we want to interact... Sign-up and Save! For a limited time, you can get over $300 US in savings just by signing up for our training program! New classes start every three weeks! http://www.phparch.com/cert November 2004 ● PHP Architect ● www.phparch.com 15 Developing a PHP - XML Generator F E A T U R E by Man-ping Grace Chau Developing a UI that manipulates large data sets is difficult Developing a UI dynamically upon user request... (Model/View/Controller) REQUIREMENTS PHP: 5.x OS: Any Other: None Code Directory: xmlgen 17 FEATURE Developing a PHP - XML Generator Figure 1 “This generator was developed in the Infospheres Lab at the California Institute of Technology to help users generate state/transformation files for a crisis management system.” Figure 6 Figure 2 Figure 3 Figure 4 Figure 5 Figure 7 November 2004 ● PHP Architect ● www.phparch.com 18... ($value == $this->file) 45 { 46 $exist = true; 47 } 48 } 49 if (!$exist) 50 { Continued on page 29 November 2004 ● PHP Architect ● www.phparch.com 21 FEATURE Developing a PHP - XML Generator error checking/correction on the data (which we will look at in next section), and so on As arrays in PHP are comparatively a lot more flexible than in other languages, we should try to make good use of them mentation... makes a web application outstanding is the user interface—therefore, every developer should try to make the interface imple- November 2004 ● PHP Architect ● www.phparch.com before drawing) 22 FEATURE Developing a PHP - XML Generator Figure 21 Figure 22 Listing 3 1 < ?php 2 /** 3 * Draw the level of the node by comparing the last node with the same level 4 **/ 5 6 7 function drawLevel() 8 { 9 $statement... used as a column definition, you want the application to present it in the Courier font, it is a one- Listing 4: Continued Listing 4 1 < ?php 2 3 /* file: RelGui .php */ 4 5 require_once(“HTML/QuickForm .php ); 6 require_once(“HTML/Table .php ); 7 require_once(“./relfiles .php ); 8 9 class RelGui 10 { 11 12 var $relation; 13 var $quickform; 14 var $mode; 15 var $dbconn; 16 var $metadata; 17 var $data; //collection... the server will be sent all 24 FEATURE Developing a PHP - XML Generator Figure 25 Figure 26 “ JavaScript can help restrict the amount of data sent to the server In addition, it can produce a truly dynamic user interface.” Figure 27 Figure 31 Figure 32 Figure 28 Figure 29 Figure 30 November 2004 ● PHP Architect ● www.phparch.com 25 FEATURE Developing a PHP - XML Generator the GUI information However, the... 1; 64 } 65 66 } else if (dataType == “radio”) { 67 str = node.value; 68 } 69 else { // for text node 70 str = node.data; 71 if (str == “NULL” || str == “”) { 72 global_flag = false; 73 } 74 75 } 76 77 return str; 78 } 79 ?> November 2004 ● PHP Architect ● www.phparch.com fy the “DOM array tree” The running time becomes linear in the depth of the tree, which is much more efficient In addition, we perform . Security Guard by Ron Goff 3 November 2004 ● PHP Architect ● www.phparch.com TABLE OF CONTENTS II NN DD EE XX php| architect Features Departments TM *By signing. print subscription. November 2004 ● PHP Architect ● www.phparch.com EE DD II TT OO RR II AA LL RR AA NN TT SS php| architect Volume III - Issue 11 November,