@font-face getting over used

I’ve noticed more and more recently people making use of the new @font-face CSS rule. This isn’t a bad thing; I’m all for using new technologies as soon as we can. I was (and still am) in favour of our company dropping support for IE6, and personally I feel that we’re nearly, but not quite, ready to ditch support for IE7.

Whilst I’m all for using the new tech, it’s true that some people get a little carried away with it. Using one or two fonts for headings, navs, etc. can really make a site stand out, and with the right design eye can add something special to a site. The problem at the moment is that people are either picking too many fonts, which can make a site slow to render (every font is another file the browser has to fetch before it can draw the text), or they are using what I would deem heading fonts for body copy, which can leave the copy unreadable.

So all I’m asking is that people stop and consider whether they really need so many fonts, and take care with the fonts used for blocks of copy.

Posted in Uncategorized

Hashing Passwords

We all know that storing passwords in plain text in a database (or any other data store) is an absolute no-no. In my time I’ve seen some quite silly things; one that comes to mind is a developer who had ‘refactored’ his (or her) application from the dreaded plain text passwords to an MD5 hash. The auth query went something along the lines of:

SELECT *
FROM Users
WHERE Username = :username
AND (Password = :password OR
     Password = :hashedPassword)

The problem with the query above is the OR in the password check. Because the plain text comparison still works, anyone who gets read access to the Users table (a stolen backup, a SQL injection, a careless DBA) can log in to any account simply by submitting the stored hash as the password: it is compared against the Password column and matches. The hash has become the password, so hashing has gained nothing, and any rows that were never rewritten are still sitting there in plain text. Obviously this is not a good thing.

An alternative would have been to migrate the data at the time the code was deployed, using a migration script (sometimes called a database patch) that hashes every existing password in place, so that the query only ever compares against :hashedPassword.

Now for the next issue: when the developer chose to hash the passwords they did so with an unsalted MD5 hash. Many years ago (around 5 to 10) when computing power was not as readily available as it is today, MD5 was a very fast “one way” hashing algorithm. I put “one way” in quotes because nowadays it is possible to use rainbow tables, readily available on the Internet (they run to hundreds of gigabytes), to look up a string that produces the stored hash.

Strictly speaking a collision is two different inputs producing the same hash; what a rainbow table gives you is any input that hashes to the stored value, and since the login check only compares hashes, any such string can be used in place of the actual password. From the limited searching I have just done it seems that most rainbow tables only cover dictionary words and all strings under about 10 characters in length, although they are always being expanded.

So, without forcing our users to choose really long passwords, we can stop our hashes being looked up in a precomputed table by adding an arbitrary string to the beginning and/or end of the password before we hash it. This is called a salt. One caveat: a salt that is the same for every user in an application defeats off-the-shelf rainbow tables, but an attacker who obtains the database (and the salt, which usually lives in the code next to it) can still build one table and crack all your users at once. The stronger approach is a random salt per user, stored alongside the hash, so that every password has to be attacked separately. At the very least, use a different salt for each application.

The last thing is the use of MD5 itself. MD5 was once the de facto choice for hashing passwords; nowadays, due to the excess of processing power available, the ease with which people can acquire rainbow tables, and the known collision weaknesses in MD5 (which, to be fair, matter more for signatures than for password storage; speed is the real problem here), it should be avoided. It is therefore better to use a slower algorithm that generates a longer hash. My personal preference is for the Whirlpool algorithm, which in PHP is available in the PECL hash extension or by default as of PHP 5.1.2. An example use is included below. Be aware, though, that Whirlpool is still a general purpose hash and a GPU can try a great many of them per second; what really slows a brute-force attack down is a deliberately expensive, iterated password hash such as bcrypt, which PHP exposes through crypt() with CRYPT_BLOWFISH (from 5.3) and through password_hash() (from 5.5). Reach for one of those first, and for a salted general purpose hash only where they are unavailable.

hash('whirlpool', $preSalt . $password . $postSalt)
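To put the two fixes from this post together, here is an added example (my own code, not from the original post): a one-off migration script that rewrites every plain text password as a per-user salted Whirlpool hash, and an authentication function that no longer needs the OR in the query. The Users table layout, the column names and the in-memory SQLite database used so that it runs anywhere are assumptions; it needs PHP 7 or later for random_bytes() and the scalar type hints.

```php
<?php
// Added example, not code from the original post. Table and column names
// are assumptions, as is the SQLite in-memory database (pdo_sqlite) used
// so the script runs stand-alone. Requires PHP 7+.

function makeSalt(): string
{
    // 16 random bytes, hex encoded, different for every user.
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string
{
    // Same construction as the post, but with a per-user salt. For a new
    // design password_hash() (bcrypt) is the better choice; this mirrors
    // the post's recommendation.
    return hash('whirlpool', $salt . $password . $salt);
}

// Deploy-time migration, run once, in place of the "OR" query: every row is
// rewritten so only the salted hash remains in the table.
function migratePlainTextPasswords(PDO $db): int
{
    $db->exec('ALTER TABLE Users ADD COLUMN Salt TEXT');
    $rows = $db->query('SELECT Id, Password FROM Users')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE Users SET Password = :hash, Salt = :salt WHERE Id = :id');
    foreach ($rows as $row) {
        $salt = makeSalt();
        $update->execute([
            ':hash' => hashPassword($row['Password'], $salt),
            ':salt' => $salt,
            ':id'   => $row['Id'],
        ]);
    }
    return count($rows);
}

// Authentication after the migration: fetch the row by username only, then
// compare in PHP. The candidate password is always hashed before comparison,
// so submitting a stolen hash no longer works, and hash_equals() keeps the
// comparison constant-time.
function authenticate(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password, Salt FROM Users WHERE Username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return hash_equals($row['Password'], hashPassword($password, $row['Salt']));
}

// Constructed sample data: two users still stored in plain text.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT, Password TEXT)');
$db->exec("INSERT INTO Users (Username, Password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

echo migratePlainTextPasswords($db), " rows migrated\n";

var_dump(authenticate($db, 'alice', 'correct horse'));   // correct password
var_dump(authenticate($db, 'bob', 'wrong'));             // wrong password

// The attack the post describes: the stored hash submitted as the password.
$stored = $db->query("SELECT Password FROM Users WHERE Username = 'bob'")->fetchColumn();
var_dump(authenticate($db, 'bob', $stored));
```

The migration must run exactly once; a second run would hash the hashes. If you cannot take the application down while it runs, the usual trick is to add the Salt column first and have the login code hash-and-rewrite each row on the user's next successful login, treating a NULL salt as “still plain text”.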

Posted in Uncategorized

Setting PHP up to handle large file uploads with suhosin

Just as a follow-up to my last post on setting PHP up to handle large file uploads, I thought I would add the extra settings that need changing if you are running Suhosin. If you don’t know it, Suhosin is a patch and an extension for PHP which is designed to ‘harden’ PHP and make it more secure. I definitely recommend running Suhosin on all your production servers. (Note that Suhosin targets the PHP 5 series; there is no complete port for PHP 7 or later.)

When using Suhosin, suhosin.memory_limit caps the value a script may give memory_limit at runtime via ini_set(). With its default of 0 a script cannot raise memory_limit above whatever php.ini set at startup, so if your upload code raises memory_limit itself rather than relying on php.ini, you need to raise suhosin.memory_limit as well or the ini_set() call will silently have no effect.

If you are planning to allow a large number of files to be uploaded in one request, you may also need to increase suhosin.upload.max_uploads, which limits the number of files PHP will accept per request (it defaults to 25). Files beyond the limit do not turn up in $_FILES, so the symptom is missing files rather than a PHP error; check the Suhosin log if uploads go missing.
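As an added example, not a fragment from the original post, here are the two Suhosin directives above alongside the php.ini upload settings from the earlier post, for a site that accepts up to fifty files totalling 100M per request. The figures are illustrative.

```ini
; Added example (not from the original post). Sizes are illustrative.
file_uploads = On
upload_max_filesize = 100M
post_max_size = 100M
memory_limit = 116M

; Suhosin refuses an ini_set('memory_limit', ...) above this value
; (0, the default, means "no higher than the php.ini value").
suhosin.memory_limit = 116M

; Number of files accepted in a single request (default 25).
suhosin.upload.max_uploads = 50
```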

I plan to follow this post up with a more general post on configuring Suhosin, but you’ll have to wait for that.

Posted in PHP, Security

Setting PHP up to handle large file uploads

By default PHP will only accept uploaded files under 2MB. To change this we need to look at a few configuration options, these are:

file_uploads
upload_max_filesize
post_max_size
memory_limit

file_uploads:
This directive defines whether or not PHP will accept HTTP file uploads. It defaults to On, so unless you’ve disabled it you should be able to just leave it.

upload_max_filesize:
This directive defines the maximum size a single file may be in order to be accepted by PHP. It can be given as a number of bytes or using the shorthand notation (K, M, G).

post_max_size:
This directive defines the maximum size that all the POST data must be under; this includes all variables and files, so it must be larger than upload_max_filesize. If the request body exceeds the limit set here PHP does not raise an error: it discards the body, logs a warning, and hands your script empty $_POST and $_FILES arrays, which your code should treat as a failed upload rather than an empty form. It can be given as a number of bytes or using the shorthand notation.

memory_limit:
This directive defines the maximum memory a script may use, including all inputs that need to be held in memory, so it is normal to set it a few megabytes above post_max_size. How much above depends on the memory requirements of the rest of your application. It can be given as a number of bytes or using the shorthand notation.

An example configuration to upload files up to 100Mb, might be:

file_uploads = On
upload_max_filesize = 100M
post_max_size = 100M
memory_limit = 116M

There are a couple of other directives that some people will tell you you need to set, but for the most part this is a myth. max_execution_time is one of them: the execution timer starts after the input has been parsed, so it does not include the time spent receiving the upload. max_input_time, the time allowed for parsing the input, is the more plausible candidate, and whether the transfer counts against it depends on how PHP is hooked into the web server. A front end that buffers the whole request body before handing it to PHP (nginx in front of PHP-FPM, say) keeps the transfer out of that window; with mod_php the body is read while PHP is in its input phase, so a very slow upload of a very large file can hit it. If large uploads fail with empty $_FILES and nothing in the PHP error log, that is the one to check.
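Because PHP fails quietly when these limits are hit, a practitioner wants to detect it in code. The following is an added example, not from the original post: a helper that converts php.ini shorthand to bytes, a check for a body that exceeded post_max_size (the Content-Length header is the only evidence left once PHP has discarded the body), and a check of the per-file error code that PHP does set when upload_max_filesize is exceeded. The form field name and the sample sizes are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the original post. The field name "upload"
// and the request sizes are constructed. Requires PHP 7.1+.

// Convert php.ini shorthand (100M, 2G, 512K, or plain bytes) to bytes.
function iniBytes(string $value): int
{
    $value  = trim($value);
    $number = (int) $value;              // "100M" casts to 100
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 * 1024 * 1024;
        case 'M': return $number * 1024 * 1024;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

// When the body exceeds post_max_size PHP discards it: $_POST and $_FILES
// are empty and only a warning is logged. Compare the Content-Length the
// client sent against the limit yourself. post_max_size cannot be changed
// at runtime, so the limit is passed in (normally ini_get('post_max_size')).
function postTooLarge(array $server, string $postMaxSize): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);
    return $length > iniBytes($postMaxSize);
}

// A file over upload_max_filesize does appear in $_FILES, but with an error
// code and no temp file. Always check the code before touching tmp_name.
// Returns null when the upload is fine, otherwise a message for the log.
function uploadError(array $files, string $field): ?string
{
    if (!isset($files[$field]['error'])) {
        return 'no file received (body probably exceeded post_max_size)';
    }
    switch ($files[$field]['error']) {
        case UPLOAD_ERR_OK:        return null;
        case UPLOAD_ERR_INI_SIZE:  return 'file exceeds upload_max_filesize';
        case UPLOAD_ERR_FORM_SIZE: return 'file exceeds the form MAX_FILE_SIZE';
        case UPLOAD_ERR_PARTIAL:   return 'file was only partially uploaded';
        case UPLOAD_ERR_NO_FILE:   return 'no file was selected';
        default:                   return 'upload failed with code ' . $files[$field]['error'];
    }
}

// Constructed request: a 150 MB body against a 100M post_max_size.
$server = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => (string) (150 * 1024 * 1024)];
var_dump(postTooLarge($server, '100M'));

// Constructed $_FILES entry for a file that tripped upload_max_filesize.
$files = ['upload' => ['name' => 'big.iso', 'tmp_name' => '', 'error' => UPLOAD_ERR_INI_SIZE, 'size' => 0]];
var_dump(uploadError($files, 'upload'));

// And the post_max_size case as the script actually sees it: nothing at all.
var_dump(uploadError([], 'upload'));
```

In a real handler call postTooLarge($_SERVER, ini_get('post_max_size')) before looking at $_FILES at all; it is the only way to tell the user “your file was too big” rather than “you forgot to pick a file”.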

Posted in PHP

How to get an iPad out of recovery mode

A random thing happened with my iPad the other day: it froze on me whilst browsing the net and wouldn’t respond at all. So the first thing I tried was a hard reset. For those of you that don’t know, a hard reset on an iOS device is done by holding down both the home and power buttons together until the Apple logo is displayed on the device; this normally takes about 10 seconds.

However, when I tried this on my iPad it seemed to boot back up into ‘recovery mode’. Recovery mode is used when you want a restore from iTunes to perform a full factory reset on your device; the device boots really quickly and will do nothing except display the iTunes logo and a picture of a USB cable.

So, how did I get the iPad out of recovery mode? After a bit of reading on the Internet it seemed that performing another hard reset should have allowed the device to boot back up into normal mode. For some reason my iPad had decided that recovery was going to be the default boot option. So back to the Internet for a bit more research, where I came across a small bit of freeware called RecBoot; after following a couple of small steps, all was right in the world again.

Thank you RecBoot.

Posted in iOS

Developers need to remember null

Based on some old code I was going over the other day, I think PHP developers too often use false when they mean null. How often have we all seen, or written, something like:

$id = isset($_GET['id']) ? $_GET['id'] : false;

Or:

public function foo()
{
    if ($this->blah()) {
        // Do something
    }
    else {
        return false;
    }
}

Chances are in both these situations the developer actually meant null rather than false. It is an easy mistake to make in PHP because, with a few exceptions (isset() and === to name a couple), false and null can be used almost interchangeably: both are falsy, and null == false is true. So what is the difference? By definition null is a value that represents the absence of a value, whereas false is the boolean value false, a definite answer of ‘no’. A caller who gets false back cannot tell “there was nothing to look up” from “I looked and the answer is no”, and that is exactly the distinction the code above throws away.

Maybe next time you’re about to type ‘false’ into Eclipse (or your IDE of choice), just have a little think as to whether you actually mean null.
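As an added example (my own, not from the original post), the following shows where PHP does and does not treat the two values alike, and why returning null for “not found” lets the caller distinguish it from a genuine false. The user table and function names are made up; it needs PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not code from the original post. The users array and the
// functions are constructed for illustration. Requires PHP 7.1+.

// null means "no such user": it is not an answer to any yes/no question.
function findUser(array $users, int $id): ?array
{
    return $users[$id] ?? null;
}

// false is a real boolean answer about a user that does exist.
function isUserActive(array $users, int $id): bool
{
    $user = findUser($users, $id);
    return $user !== null && $user['active'] === true;
}

// Collapsing both cases into false, as the post's snippet does, loses the
// distinction between "not found" and "found but inactive".
function isUserActiveLossy(array $users, int $id)
{
    $user = findUser($users, $id);
    if ($user === null) {
        return false;   // should have stayed null
    }
    return $user['active'];
}

$users = [
    1 => ['name' => 'alice', 'active' => true],
    2 => ['name' => 'bob',   'active' => false],
];

// Loose comparison reports null and false as equal; strict comparison
// does not, and neither does isset(), which is false for a null element
// while array_key_exists() still sees the key.
var_dump(null == false);
var_dump(null === false);
$withNull  = ['k' => null];
$withFalse = ['k' => false];
var_dump(isset($withNull['k']), isset($withFalse['k']));
var_dump(array_key_exists('k', $withNull));

// The serialised forms differ too, which matters for JSON APIs: a client
// reading {"v":null} and one reading {"v":false} will behave differently.
var_dump(json_encode(['v' => null]), json_encode(['v' => false]));

// With a null return the caller can tell "bob is inactive" (false) from
// "user 3 does not exist" (null)...
var_dump(isUserActive($users, 2), findUser($users, 3));
// ...with false for both, it cannot: both calls come back false.
var_dump(isUserActiveLossy($users, 2), isUserActiveLossy($users, 3));
```

The practical rule that falls out of this: return null (and compare with === null or isset()) for “nothing there”, reserve false for boolean results, and never test a lookup result with a bare if ($result) when the legitimate value could itself be falsy (0, '', '0', an empty array).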

Posted in PHP

What makes some people more successfull than others?

What makes some people more successful than others? A question that I’m sure we have all pondered at some point in our lives; I know I have anyway. On my way home today I was listening to the radio and they were discussing an interesting piece of new research on how to improve sports teams. Their basic premise was that the way in which a person evaluates themselves directly relates to how successful they are likely to be.

This may seem obvious at first, as we all know that the ability to correctly criticise oneself is an important skill to possess, but has anyone ever been told how to correctly self-criticise? I know I haven’t, and I don’t plan to tell you in this article. What I do want to highlight, though, is that the ability to look at your failings and attribute blame to yourself can be the difference between being able to develop yourself and being stuck in the same old cycle of failure.

We all know someone like it: someone who, no matter what goes wrong and no matter how much they fail, will always find someone else whose fault it is. This method of dealing with your failings is OK in the short term, and if they’re good with the b***s*** to those who are managing them, they may look like they never put a foot wrong. The issue with thinking you never make a mistake is that then you don’t have any mistakes to learn from, so you are unable to work on and improve yourself in the areas where you actually fail.

I think that any time you find yourself in a position where you have failed, or you’re under the impression that the people around you have failed, take a step back and think: was there nothing I could have done to prevent it or make the situation better? Well, I normally write more technical articles and this was just a little article based on a thought I had on the way home; hope you enjoyed reading it.

Posted in Life

session_start() blocking in php

Had a problem the other day when trying to optimise the performance of a site on my company’s in-house content management platform. The speed of the response that generated the HTML was not the issue; the issue was that all of the content-managed assets were taking seconds to load. This was the first site we had where the client had included quite a lot of CM images on all their pages.

Trying to debug the issue was difficult: the images themselves would load in a matter of milliseconds. Using Opera’s Dragonfly developer tools I could see that it wasn’t a bandwidth issue, and that no data was being sent from the server for seconds at a time.

Now I didn’t know it, but it seems that PHP’s session handling blocks on a per-request basis. It kind of makes sense if you think about it: if two requests simultaneously tried to change a session variable you would get consistency issues. So PHP handles this by making session_start() a blocking call. With the default files save handler it takes an exclusive lock on the session file, and any other request carrying the same session cookie waits at its own session_start() until the first request either finishes or closes the session with session_write_close(). Since a browser fires off its image requests in parallel and they all carry the same cookie, they end up served one at a time. (A custom save handler, backed by a database or memcached for example, only blocks if it implements locking itself; without it you get the concurrency instead of the consistency.)

For me it came down to only starting the session when necessary and closing it as soon as you’re finished with it. As it turned out, the best solution for us on the CM images was to check whether any permissions were set on the image before deciding whether we needed to start the session at all.
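Here is that approach as an added example (my own code, not the platform’s): an asset handler that only calls session_start() when the asset is actually permissioned, releases the lock with session_write_close() before streaming the file, and refuses paths outside the asset directory so the handler cannot be used to read arbitrary files. The asset directory, the protected list and the session key user_id are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the original post. The asset directory, the
// protected-asset list and the $_SESSION['user_id'] key are assumptions.
// Requires PHP 7.1+.

define('ASSET_DIR', __DIR__ . '/assets');

// Stand-in for the CMS permission lookup: which assets require a login.
function assetRequiresLogin(string $asset): bool
{
    static $protected = ['private/report.png' => true];
    return isset($protected[$asset]);
}

// Resolve the requested path and refuse anything outside ASSET_DIR, so a
// request for "../config.php" is a 404 rather than a file disclosure.
function resolveAsset(string $asset): ?string
{
    $real = realpath(ASSET_DIR . '/' . $asset);
    $base = realpath(ASSET_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function serveAsset(string $asset): void
{
    $path = resolveAsset($asset);
    if ($path === null) {
        http_response_code(404);
        return;
    }

    if (assetRequiresLogin($asset)) {
        // The session lock is held from here...
        session_start();
        $allowed = !empty($_SESSION['user_id']);
        // ...to here. Nothing below needs $_SESSION, so release it now;
        // otherwise every other image request from the same browser queues
        // behind this one until readfile() has finished.
        session_write_close();
        if (!$allowed) {
            http_response_code(403);
            return;
        }
    }
    // Public assets never touch the session at all, so they are served
    // in parallel regardless of what other requests are doing.

    header('Content-Type: image/png');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

serveAsset($_GET['asset'] ?? '');
```

The same pattern applies to any long-running request that only reads the session at the top: read what you need into local variables, call session_write_close(), then do the slow work. Writes to $_SESSION after the close are silently lost, which is the usual mistake when retrofitting this.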

Posted in PHP

Do I need an XML site map

Do you *need* an XML site map? Simple answer: no.

There is a very common misconception that, because Google Webmaster Tools shows an error if it receives a 404 Not Found whilst looking for a *sitemap.xml*, you need to have a site map in order to have your site indexed properly. Google and the other search engines are actually pretty good at crawling sites, and as long as you’re not doing anything silly like having a Flash navigation or using JavaScript for links, they are quite capable of finding your pages.

Now I’m not saying there is never a need for a site map. If you have a large site that the search engines are going to take a while to index, it lets you define priorities for the crawler so that Google knows which are the most important pages on your site.

In conclusion, most of the time you have no need for a site map, but there is no harm in having one and there are times when one can help. Auto-generated ones are pointless, though: the crawler that generates the site map will inevitably not be as good as Google’s own crawler.

Posted in SEO

Setting up Apache with vhosts on Windows

So I’ve just reinstalled my PC at home and had to go through the rigmarole of setting up my PHP stack (PHP, Apache and MySQL) on Windows. First of all I’d like to say that although I currently have a Windows desktop at home, my preferred development operating system is Mac OS. On most operating systems this is quite easy: you’re either treated to pre-installed versions of the packages or a nice, easy-to-use package manager. On Windows we don’t have such luxuries, so we have to find and install the packages ourselves.

First of all we need to install Apache httpd which can be downloaded from http://httpd.apache.org.

Installation of Apache is quite a simple process, and accepting all the defaults gets the web server up and running in no time.

Once the installation is complete we need to make a few changes to the config in order to set up vhosts. On Windows 7 and Vista we need to edit the config file as an administrator: find the executable for your favourite text editor (mine is gvim on Windows), right-click it and choose ‘Run as administrator’.

Open the apache config file located by default at

C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf.

Locate and uncomment (remove the #) the line #Include conf/extra/httpd-vhosts.conf. That stock file carries the NameVirtualHost *:80 directive that Apache 2.2 needs for name-based virtual hosts, along with two dummy example hosts you can delete.

We now need to allow access to our sites directory by adding:

<Directory "C:/path/to/Sites">
    # Indexes lets Apache list any directory without an index file; on a
    # dev box that is handy, but drop it (Options -Indexes) for anything
    # reachable from outside.
    Options Indexes FollowSymLinks
    # Needed for per-site .htaccess files, e.g. mod_rewrite rules
    AllowOverride All
    # Apache 2.2 access control; on 2.4 replace these two lines with
    # "Require all granted"
    Order allow,deny
    Allow from all
</Directory>

The last thing we need to do in this file with regards to setting up vhosts is add the line:

Include "C:/path/to/vhosts/*.conf"

Now we can add files such as “C:\path\to\vhosts\example.conf” with the content:

<VirtualHost *:80>
    DirectoryIndex index.php

    DocumentRoot "C:/path/to/Sites/example/public"
    ServerName example.localhost
    ErrorLog "C:/path/to/logs/example-error.log"
</VirtualHost>

At this point we should be able to restart Apache by right-clicking the icon in the system tray and clicking Restart. If everything is set up correctly Apache will come back up and the icon shouldn’t go red; if it does, the syntax error is reported in the Windows event log and by running httpd.exe -t from the Apache bin directory.

Apache is now set up to serve vhosts, but we need to tell our system that the address we’re using for the vhost (example.localhost in this case) resolves to this machine. The easiest way to achieve this is to modify the system’s hosts file, which Windows checks before attempting any DNS lookup. It is located at “C:\windows\system32\drivers\etc\hosts” and needs to be edited as an administrator.

Add the line:

127.0.0.1 example.localhost

The only thing left to do now is open up a web browser and try visiting example.localhost; if all is well we should see our example site. Good luck :-)

Posted in Uncategorized