Skip to content

Author Archives for Planet PHP

A case for table-based design - Evert Pot

"A topic that has been beaten to death."

Standards advocates have been largely against the use of the <table> tag. The idea is that it's used for positioning and design, while it really should only be used for real tabular data. html should be a document with semantic data, and not contain any presentation information.

So the response is that all kinds of new techniques are devised to easily make stretchable designs. I just got handed a template that uses one of these techniques, along with a couple of others. Here's a snippet:

I can't say I blame the author of this code. He's always been told <table>'s are evil, and I have no doubts many 'experts' will suggest techniques like this.

There's no doubt this could be made much simpler even without using the <table>, but there's no way we can expect every junior frontend developer to memorize "1001 css hacks to make divs behave as a table".

The truth is, very little html documents are parsed by anything else but browsers and search engines. If an application's data is also consumed by other clients it will almost always be done through some kind of API or standard xml/json document. Even if html was used as a transport format, it will most likely be a specialized format.

Keeping html pure for data and CSS for presentation is a bit of a pipedream that never worked out. Even if you look at a relatively simple application such as Wordpress, every theme will have it's own html template, and not just a separate css stylesheet.

The point of my story is: html is read by browsers and developers. If you can make a brilliant html document and still keep pixel precision more power to you, but please keep things legible for the future developer that might need to fix a bug.

The upshot

CSS3 has support for multiple backgrounds, which will eliminate the need a lot of these problems. Safari has already supported this for a while, and Firefox will get it with the 3.6 release, and opera in 10.5. This leaves the browser that shall not be named.

Written on 12 January 2010 by Planet PHP under PHP with Comments Off

A Customer found a Bug - Paul Reinheimer

So this morning I woke up to an email (well, several, but only one is relevant) from a WonderProxy customer. They had discovered a bug in the website. A rather serious bug mind you, as it stopped them from adding servers to their account, and thus prevented them from actually using the service.

Here’s how I approached the problem:

  1. Reproduce the issue
    I logged into the website as the customer and attempted to reproduce the issue, no problems. I tried again on the development version of the website and reproduced it there as well.

  2. Estimate bug fix
    I took a look at the code and estimated that I could resolve the bug in under ten minutes. The code base for the WonderProxy website is rather small, and bugs there can’t affect customer usage (unless they break the DB) so I wasn’t too concerned about accidentally taking something down. The short time frame for release also let me fix the bug before contacting the customer.

  3. Fix the bug
    Found the bug, fixed it. Tested it out in development, checked other accounts to look for unrelated breaks. Finally I rolled it out from development to production and checked again.

  4. Contact Customer
    Replying to the customer I indicated that problem was indeed on our end (the customer wasn’t using the site wrong or anything), and that it had been fixed. Additionally I had updated the billing period to reflect the fact that the account hadn’t been usable up until the fix was applied. As a token of appreciation I upgraded the account slightly.



Overall, I found the process rather pain free. When I look at it from a customer’s prospective, I also feel like it was a reasonable problem resolution.

I’d like to delve deeper into how this problem made it onto my production website, but that’s a separate post. For now I’m really just looking at the customer service side, there was a total of 67 minutes between the initial contact (on the part of the customer) and my reply with the fix in place.

Thoughts? How did I do?
Written on 12 January 2010 by Planet PHP under PHP with Comments Off

Zend Framework Security Related Releases Now Available - Pádraic Brady

As announced earlier by Matthew, Zend Framework 1.9.7, 1.8.5 and 1.7.9 have been released incorporating routine maintenance and a number of security fixes detailed in the announcement. It's recommended that framework users upgrade as soon as possible to the latest release of whichever of these minor branches they are using.

As the announcement also indicates, following December's excitement I spent much of the Christmas and New Year period conducting a security review of the framework. While an ongoing process, the initial review focused on specific areas most likely to deal directly or indirectly with user input and the output of user sourced data. The results of that initial review were reported over the holidays to the Zend team, who patiently put up with my long winded emails and managed not to strangle me...so far. I'm keeping myself holed up in the mountains for now ;-).

The review also included an examination of all new components due to enter service with Zend Framework 1.10. This yielded a number of issues whose fixes will preempt their release into a stable version, and have been reported to the relevant lead developers. These will not be disclosed at this time, and will not form any new advisories for the simple fact that ZF 1.10 currently exists only as an alpha release where issues are to be expected anyway. Regardless, you all owe me extra cookies for those ;-).

On to the vulnerabilities, the majority are linked to encoding inconsistencies. One of the more far-reaching results of the fixes is that all developers should note the Zend Framework now enforces a default character encoding of UTF-8, including Zend_View which until now has defaulted to ISO-8859-1. This will require users needing that encoding to now set it manually. In addition, numerous classes have been given methods allowing developers pass in their preferred encoding. It's essential you do so to benefit from the full protection of all escaping mechanisms using htmlspecialchars() and htmlentities(). The remaining vulnerabilities are self-explanatory and, besides upgrading, require little additional work on your part.

It's also important to note that these fixes often go beyond fixing the immediate symptoms. So reporter's credit aside, thanks to Matthew, Ralph and Thomas Weidner who worked on the patches for these fixes as well as spending the time discussing and debating them all in turn. I'm sure Matthew and Ralph had lots of fun (in between apoplectic fits) preparing for three releases but it's truly appreciated.

I remember from December (when not ranting ;-)), that one of the identifiable problems with the Zend Framework was its overall security strategy which has been reactive in nature. The reason for performing this security review, in addition to finding it exciting to spend hour after hour staring at source code (I'm being sarcastic), is that my original rant was misdirected in one aspect. If the framework is reactive, it is because everyone who contributes source code also contributes to that particular attitude. Performing the review was one way of breaking the reactive trend, and so instead of having these security issues persist into the framework's future versions to be discovered by accident (or not), they have been deliberately searched for, found, poked, prodded, debated and then dutifully exterminated. Welcome to proactivity.

If there is a point, it is that as Zend Framework contributors it's still ultimately our job to enforce and promote a security awareness. We can't pass that responsibility to Zend (all of three employees) and wave our hands innocently. We now have two new jobs we better get used to. The first is applying the new Security Policy and notifying the security channel of any reported or self-discovered security issues. Don't sit around wondering if it's a problem, send it in and let the guys look at it. That goes for all security issues without exception (or should). Secondly, we need to build some semblance of a security conciousness because at present that is sorely lacking. I believe the Zend guys are on a similar track here so they may have more to say in the near future. I'll doubtlessly blog about these two topics more specifically over t

Truncated by Planet PHP, read more at the original (another 535 bytes)

Written on 12 January 2010 by Planet PHP under PHP with Comments Off