March 30, 2006

Some funnies

Cameron Manderson @ 4:37 pm

One of those falling people things:

http://www.planetdan.net/pics/misc/georgie.htm

Base HREF and Javascript Location.href with IE vs NN

Cameron Manderson @ 4:16 pm

Just having a play with some JavaScript to generate a URL to redirect the user to. It appears that IE does take the <base href=""> declaration in your header into consideration when executing a location.href="" command. It does, however, work with NN. In my scenario it was due to having images and CSS work relative to a different folder, with operations occurring in a different folder. This was due to my templating setup.

Instead of simply calling:

location.href = "myotherfolder/?do=whichever";

you can build the whole URL using

// pathname usually ends in the page's file name (e.g. /app/page.php), so strip everything after the last "/" before appending the folder
location.href = window.location.protocol + "//" + window.location.host + window.location.pathname.replace(/[^\/]*$/, "") + "myotherfolder/?do=whichever";

which sidesteps your base href declaration in your head HTML. May be useful to keep in mind.

Protecting Flash files from unauthorized playback

Richard Lee @ 2:21 pm

Recently I had to help a friend with protecting Flash files on an educational site. Essentially she wanted to prevent unauthorized use of the site's Flash content. In the past users have been hotlinking Flash files, and even posting the files on their own sites as their own material.

The first step was to prevent any playback of swf files not on her server, so I decided to use Flash's _root._url property, which tells us the URL (and therefore the domain) from which the current movie is playing.

Here’s what I came up with:

// _url on the main timeline is _root._url: the full URL the swf was loaded from
// (true/false must be lower case in ActionScript 2, which is case-sensitive)
_authPlayback = false;
siteURL = "http://mysite.com.au";
if (_url.substr(0, siteURL.length) == siteURL) {
    _authPlayback = true;
}
if (!_authPlayback) {
    getURL(siteURL);
}

Unfortunately this won't stop someone from hotlinking swf files through the OBJECT/EMBED tags. Note also that the check is a plain prefix comparison on the URL string, so any URL that merely begins with the siteURL text passes it; comparing the host name exactly is stricter.

So how do we stop this? Well, for hotlinking you would normally resort to Apache's mod_rewrite and rewrite the URL based on the referrer information. However, mod_rewrite won't work with Flash swf files since the tag doesn't submit a referrer when requesting the swf file from the server! Instead, the solution is to set up a password protected directory (using .htaccess) and use a bit of PHP to handle the swf file requests:

<?php
/*
swfrequest.php
Example PHP code processing a request to a secured swf file
*/

// a secured directory containing your swf file(s)
$secureDir = 'swf/';

// the password for your protection setup
$password = 'yourpassword';

// how many days until a key expires? (0 = only keys from today)
$keyExpiry = 1;

// read the request parameters once, defaulting to empty strings
$key  = isset($_GET['key'])  ? $_GET['key']  : '';
$file = isset($_GET['file']) ? $_GET['file'] : '';

header('Content-Type: application/x-shockwave-flash', true);

for ($i = 0; $i <= $keyExpiry; $i++) {
    // the key for $i days ago is md5(password . YYYYMMDD)
    $match = md5($password . date("Ymd", mktime(0, 0, 0, date("m"), date("d") - $i, date("Y"))));

    // authorize request by checking key; === avoids PHP's loose == comparison,
    // which treats two numeric-looking strings such as "0e..." as equal
    if ($match === $key) {
        // deliver the file and make sure the user doesn't request files from
        // higher directories: basename() drops every directory component,
        // which a single str_replace of '../' does not ('....//' survives it)
        $filename = $secureDir . basename($file);
        if (!is_file($filename)) {
            break; // unknown file: fall through to the denied movie
        }
        header('Content-Length: ' . filesize($filename), true);
        readfile($filename);
        exit;
    }
}

// Otherwise serve up a pre-determined swf with a denied message or animation
readfile($secureDir . 'denied.swf');
?>
 
<?php
$filename = 'http://www.example.com.au/swfrequest.php?file=myfile.swf&key=' . md5('yourpassword' . date("Ymd"));
?>

<OBJECT classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="550" height="400" id="my" align="middle">
<PARAM NAME=movie VALUE="<?php echo $filename; ?>">
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<EMBED src="<?php echo $filename; ?>" WIDTH="550" HEIGHT="400" TYPE="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"></EMBED>
</OBJECT>

We have now successfully implemented two levels of security to prevent unauthorized playback. If you would also like to protect your files from being imported into a decompiler you may want to look at using Flash's internal import protection or one of the many third-party encryption tools.
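The swfrequest.php scheme above issues one shared key per day. As an added example (not code from the original post), here is a variant that binds the key to the file name and an explicit expiry time with an HMAC, and does the directory check with basename() and realpath() rather than by stripping '../'. The secret, the function and parameter names, and the demo values are assumptions; hash_hmac needs PHP 5.1.2 or later and hash_equals PHP 5.6 or later.

```php
<?php
// Added example, not code from the original post: a per-file, time-limited key
// for swfrequest.php-style delivery. $secret, the function and parameter
// names, and the demo values are assumptions.

// Key the page embeds in the OBJECT/EMBED URL. It covers the file name and an
// expiry timestamp, so one leaked key cannot fetch other files or live forever.
function makeSwfKey($file, $expires, $secret)
{
    return hash_hmac('sha256', $file . '|' . $expires, $secret);
}

// Returns the real path to serve, or false when the request must be refused.
function checkSwfRequest($file, $expires, $key, $secret, $secureDir)
{
    if (!ctype_digit((string) $expires) || (int) $expires < time()) {
        return false;                              // expired or malformed expiry
    }
    // Constant-time comparison; == would also be fooled by "0e..." style values.
    if (!hash_equals(makeSwfKey($file, $expires, $secret), (string) $key)) {
        return false;                              // forged, stale or wrong-file key
    }
    // Only a bare *.swf name is accepted: any directory part changes basename().
    if (basename($file) !== $file || substr($file, -4) !== '.swf') {
        return false;
    }
    // realpath() resolves symlinks and '..'; the result must stay under $secureDir.
    $base = realpath($secureDir);
    $path = realpath($secureDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// In the page that embeds the movie (one-day key, as in the post):
//   $exp = time() + 86400;
//   $filename = 'swfrequest.php?file=myfile.swf&expires=' . $exp
//             . '&key=' . makeSwfKey('myfile.swf', $exp, $secret);
// In swfrequest.php:
//   $path = checkSwfRequest($_GET['file'], $_GET['expires'], $_GET['key'], $secret, 'swf/');
//   then readfile($path) when it is a string, and denied.swf otherwise.

// Self-check against a constructed directory in the system temp folder.
$dir = sys_get_temp_dir() . '/swf_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/myfile.swf', 'FWS');    // constructed stand-in, not a real movie
$secret = 'change-me-before-use';                   // constructed
$exp = time() + 86400;

$results = array(
    'valid'     => checkSwfRequest('myfile.swf', $exp, makeSwfKey('myfile.swf', $exp, $secret), $secret, $dir),
    'traversal' => checkSwfRequest('../myfile.swf', $exp, makeSwfKey('../myfile.swf', $exp, $secret), $secret, $dir),
    'expired'   => checkSwfRequest('myfile.swf', $exp - 2 * 86400, makeSwfKey('myfile.swf', $exp - 2 * 86400, $secret), $secret, $dir),
    'badkey'    => checkSwfRequest('myfile.swf', $exp, str_repeat('0', 64), $secret, $dir),
);
var_dump($results);

unlink($dir . '/myfile.swf');
rmdir($dir);
```

The self-check exercises the four cases the function is meant to separate: a correctly signed, unexpired request for a file inside the directory; a signed request whose name carries a directory component; a signed request whose expiry has passed; and a request with a key that does not match. Only the first yields a path; the others are refused before any file is read.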

PHP - Using Libraries without requiring install on hosting server

Cameron Manderson @ 10:33 am

I have been asked before about using local PEAR libraries (or the like) that you have downloaded, and having them run locally without needing them installed on your hosting server.

To do this we need to add our library paths to the include path.

When PHP looks for a file it checks the path from the current working directory, and then interrogates the 'include_path' directive and checks the directories listed there. Typically the include_path contains the directory into which your hosting company has installed the components (PEAR and the like).

So, we just need to change the class path to point to our library folder.

Class paths (or include paths) are separated by a delimiter. The delimiter is different depending on what O/S you are operating on. So first we need to determine how to treat the class path delimiter:

/**
* Returns the delimiter to use
* @return String Path delimiter for this O/S
* @access private
*/
function getClassPathDelimeter() {
    if (defined('PATH_SEPARATOR')) {
        return PATH_SEPARATOR;
    } else {
        // Determine the O/S
        $osType = (substr(PHP_OS, 0, 3) == 'WIN') ? 'WINDOWS' : 'UNIX';
        if ($osType == 'WINDOWS') {
            return ';'; // Windows
        } else {
            return ':'; // Mac, nix, etc
        }
    }
}

Say we had our files like this:

myfile.php
lib/PEAR/*

We can make calls in myfile.php to any PEAR library (without having to fix paths etc.) by calling:

$currentClassPath = get_include_path();
$delimiter = getClassPathDelimeter();
$newPath = getcwd() . '/lib/PEAR/'; // Don't have to use getcwd(), could be dirname(__FILE__); always use '/' regardless of OS
$newClassPath = $currentClassPath . $delimiter . $newPath;
ini_set('include_path', $newClassPath);

Of course this can be written more concisely and reused by making a class called ClassPaths with static functions, e.g.

ClassPaths::addClassPaths('/lib/PEAR', getcwd());

Therefore your setup is reusable and more concise.
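As an added example (not code from the original post), here is one way to write the ClassPaths class the post suggests. It goes slightly beyond the snippet above: it checks that the directory exists, avoids adding it twice, and puts the local library first so the downloaded copy is found before any version the host installed. ClassPaths::addClassPaths is the post's name; hasClassPath and the demo directory are assumptions.

```php
<?php
// Added example, not code from the original post: the ClassPaths class the
// post sketches, as static methods. Names other than addClassPaths are assumptions.
class ClassPaths
{
    // Put $dir (joined to $base, or used as given when $base is null) at the
    // front of include_path so the downloaded copy wins over any version the
    // host installed. Returns the new include_path.
    public static function addClassPaths($dir, $base = null)
    {
        $full = ($base === null) ? $dir : rtrim($base, '/\\') . '/' . ltrim($dir, '/\\');
        $real = realpath($full);                      // also normalises '/' vs '\' and '..'
        if ($real === false || !is_dir($real)) {
            trigger_error("ClassPaths: no such directory: $full", E_USER_WARNING);
            return get_include_path();
        }
        $parts = explode(PATH_SEPARATOR, get_include_path());
        $parts = array_diff($parts, array($real));    // avoid listing it twice
        array_unshift($parts, $real);
        $new = implode(PATH_SEPARATOR, $parts);
        set_include_path($new);
        return $new;
    }

    // True when include_path already lists $dir (after realpath normalisation).
    public static function hasClassPath($dir)
    {
        $real = realpath($dir);
        return $real !== false
            && in_array($real, explode(PATH_SEPARATOR, get_include_path()), true);
    }
}

// Usage as in the post, for a lib/PEAR folder next to this file:
//   ClassPaths::addClassPaths('/lib/PEAR', dirname(__FILE__));
//   require_once 'PEAR.php';   // now resolved through include_path

// Self-check with a constructed directory in the system temp folder.
$demo = sys_get_temp_dir() . '/classpaths_demo_' . getmypid();
mkdir($demo . '/lib/PEAR', 0755, true);
ClassPaths::addClassPaths('/lib/PEAR', $demo);
ClassPaths::addClassPaths('/lib/PEAR', $demo);     // second call must not duplicate the entry
var_dump(ClassPaths::hasClassPath($demo . '/lib/PEAR'));
var_dump(get_include_path());
rmdir($demo . '/lib/PEAR');
rmdir($demo . '/lib');
rmdir($demo);
```

PATH_SEPARATOR is used directly here; it has been defined since PHP 4.3, which is why the getClassPathDelimeter() function above checks for it first.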

BOM Website and sourcing Australian weather temperature using Bash

Cameron Manderson @ 9:27 am

We once had a challenge in our Linux Operating System class to use bash to connect to the Australian BOM website (Bureau of Meteorology) and extract the current temperature in Melbourne. The task was quite trivial and involved the use of grep, awk and sed to extract the information.

Listed on the BOM website are two pages that allow us to get the current temperature reading at various weather stations and also the weather headline.

I have provided the script as an example of a simple way to retrieve the information from the BOM website. It could be used with a crontab script setup to run every 5 minutes and can update a text file, which you could then use to display on your website.

This script can easily be rewritten to extract all the weather forecasts and current temperatures for various Australian weather stations. It would be a good idea to have this extended into a public web service. I later rewrote this script to generate XML with complete conditions (warnings, wind direction etc.) and not require wget. If I find it I will post it; I had just stumbled across this one in the attic.
Download the bash script here, please respect as GPL.

If you simply want the current weather temperature there is a free web service located here: http://www.stanski.com/services/worldweather/weather.asmx?op=getMelbourneTemperature

XBox 360, Cam’s impressed and so are you!

Richard Lee @ 8:59 am

AustralianIT.com reports that the XBox 360 sold over 30,000 units in its first four days on sale in Australia, (figures from industry analyst GfK show).

XBox 360 is now the best-selling games console, a crown previously held by Sony’s PSP, which sold over 27,000 units on debut in September last year (2005).

The XBox 360 is the first of the so-called “next-generation” gaming consoles to reach Australia. Sony’s equivalent, the PlayStation3 (PS3) is set to arrive in November this year. But will it out-sell the XBox?

March 29, 2006

PHP and managing sessional storage

Cameron Manderson @ 10:25 am

Sessional variables are variables that persist across a certain period of a web client's visit to your application. Having sessional variables does not mean that your PHP application is running the whole time. In fact it works by saving all your sessional variables to a data source at the end of execution. There is no way for us to store something in application memory (or RAM [to my knowledge]) that can be accessed again by another request.

Because of this, database connection pooling cannot be achieved without a layer manager (such as SQLRelay), and we can't have our application prepend tasks (such as Model2 MVC prepend or boot tasks) performed once per client connecting to your site and then reused across a few requests.

Each time a PHP page is called everything is loaded up and then torn down, including our sessional variables, which are stored to disk. When your client makes another request, your sessional variables are searched for and loaded into memory. The user is usually identified through the HTTP headers: the browser maintains a session ID (issued automatically to your browser by PHP on the session_start() call) and submits it to the server each time.
Session Hijacking/Fixation is highly relevant to this topic and is a must read for learning about session handling in PHP.

“Session security is a vast and complex topic. One of the fundamental principles of Web application security is to never trust data from the client. However, in order to achieve statefulness, the client must identify itself by sending a unique identifier. This fundamental conflict creates significant complexities for developers wanting to build secure, stateful applications. In fact, the session mechanism in any Web application is likely to be that application’s most vulnerable feature, and session security is one of the most complex topics of Web application security on any platform.” - Chris Shiflett

A great security recommendation he makes is to reissue a new session ID when reauthenticating or changing a user's access level.

session_regenerate_id();
$_SESSION['logged_in'] = true;

Before considering how you will manage your sessions, I recommend you read the relevant articles on PHPSec here:

  • http://www.phpsec.org
  • http://shiflett.org/articles/security-corner-feb2004
  • http://www.hackerscenter.com/archive/view.asp?id=21242 - A very well written article

The process of loading session data into memory is handled by the configured session save handler, of which there are a few. A detailed section is provided on PHP.net on Sessions.

Typically sessions are stored in temporary files on the server, which relies on the security of the webserver's temporary folder to limit access to those variables. We can change how and where sessions are saved by writing our own class to handle the access of sessional variables. It means that we can change where they are stored (say to a database), and because we have that control over the read/write access we can do some nifty tricks like encryption, and extend the checks (such as cookie checks, regenerating IDs, mutex) to provide another level of security to our sessions.

There is no silver bullet to writing sessional management as it changes depending on your requirements. Some implementations make use of encryption with a database, higher overhead, and some use persistent/sessional cookies etc. Searching online will reveal a lot of scary holes in standard session management, and also reveal a lot of different ways of managing it all.
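To make the two ideas above concrete (a custom save handler that moves session storage into a database, and reissuing the ID when a user's access level changes), here is an added example; it is not code from the original post. It uses PDO with an in-memory SQLite database so it runs on its own, and adds one of the extra checks the post mentions, a User-Agent hash stored at login. The class, method, column and variable names are assumptions; swap the DSN for a real database in practice.

```php
<?php
// Added example, not code from the original post: a database-backed session
// save handler plus the "new ID on privilege change" rule. All names are
// assumptions; the SQLite DSN is a constructed stand-in for a real database.
class DbSessionHandler
{
    private $db;
    private $lifetime;

    public function __construct(PDO $db, $lifetime = 1440)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open($savePath, $name) { return true; }
    public function close() { return true; }

    // Only rows that have not expired are loaded; an expired ID reads as empty.
    public function read($id)
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute(array($id, time()));
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    public function write($id, $data)
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute(array($id, $data, time() + $this->lifetime));
    }

    public function destroy($id)
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute(array($id));
    }

    public function gc($maxLifetime)
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires <= ?');
        return $st->execute(array(time()));
    }
}

// Called after a successful password check: the old ID is discarded, so a
// session ID planted in the browser before login is worthless afterwards.
function loginUser($userId)
{
    session_regenerate_id(true);           // true = delete the old session record too
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id'] = $userId;
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $_SESSION['ua_hash'] = md5($ua);
}

// One of the extra checks the post mentions: the request must still come from
// the User-Agent the session was issued to (a cheap, if weak, hijack hurdle).
function sessionLooksConsistent()
{
    if (!isset($_SESSION['ua_hash'])) {
        return true;                       // not logged in yet, nothing to compare
    }
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return $_SESSION['ua_hash'] === md5($ua);
}

$db = new PDO('sqlite::memory:');          // constructed DSN for the demo
$handler = new DbSessionHandler($db);
session_set_save_handler(
    array($handler, 'open'), array($handler, 'close'), array($handler, 'read'),
    array($handler, 'write'), array($handler, 'destroy'), array($handler, 'gc')
);
session_start();

loginUser(42);                             // constructed user id
if (!sessionLooksConsistent()) {
    session_destroy();
}
session_write_close();                     // flush to the DB before the handler object goes away
var_dump($db->query('SELECT COUNT(*) FROM sessions')->fetchColumn());
```

The explicit session_write_close() matters with object-based handlers: PHP otherwise writes the session during shutdown, after user objects may already have been destroyed. Encryption of the data column, or a database other than SQLite, would go inside read() and write() without touching the rest of the application.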

PHP Web Apps and Scalability

Cameron Manderson @ 9:32 am

PHP Web applications scale very well. When PHP executes it loads your previous sessional variables (if used and if there are any), performs a task, writes your session to disk (if sessions are used) and exits. This is different to a Java Web container, which has a process handling requests at all times, with your application running from start to finish.

Due to this "start-process-finish" model, requests can be processed without worrying greatly about affecting data in other processes. It also means that if our storage is shared (for sessions etc.) and we use some intelligent network level routing, we can have requests processed by several different servers. When more requests need handling we can simply add more servers, without worrying too much about managing state across them.
When we are using virtual servers for our hosting we must consider how load is handled. Generally cheaper hosting usually means that it is either hosted in America, using a poor tier of hosting (cheap bulk) or jamming a large number of domains onto single servers (a high ratio of domains to servers). All usually result in slower performance of your website.

I have been using a group out of Western Australia for my shared hosting. After doing research into them and their setup it seems very foolproof. Damian Douglas-Meyer (a technician there) explains:

Our load balancing system works like this:

1. Today, there are 10 identical Linux servers, each running Apache and ProFTPD for HTTP and FTP respectively. 2 of these are dedicated for FTP although all can do FTP or HTTP.
2. All servers are configured for and can respond for all sites and share a common file system via a NetApp filer.
3. There is a central load balancing switch that listens for the common IP address 203.202.10.111 and initially receives the packets.
4. The load balancer monitors server health and also load, based loosely on the number of current connections to each server. It also remembers client IP addresses that have connected to each server within the immediate past.
5. When the load balancer receives a packet, if possible it passes the request onto the same webserver that processed the requests from that client. This is to keep PHP and other sessions alive. Otherwise it passes the request to the least loaded webserver, modulo some other settings for distributing load.
6. The webserver gets the request as if it came directly from the client due to some network level packet re-writing. It processes the request in the same way it would as if it was the only webserver for that site, and returns the data to the client.

So in essence, if 100 people were accessing your site at any one time, 10 of them would be processed by each server. An individual client would stay with the same server for the life of a session.

If one server gets busy due to other clients consuming resources, the load balancer knows this based on response times of its heartbeats and reduces the level of new connections to that server.

If a server dies, connections are passed to other servers, although in this situation, PHP sessions can be lost (unless stored in your own tmp directory under your home directory, or in a central database.)

Regarding peaks and troughs in load, there are times when some servers get busy due to specific clients running demanding scripts. We do place limits on memory, CPU and execution time of scripts to mitigate issues with these situations. If we notice some clients abusing the servers with poorly written Perl CGIs, for example, we will work with the customer to improve their script, or quarantine them on a separate server for the good of all customers.

This sort of scenario is very appealing to us, due to the way that our PHP applications can be handled by several servers without worrying about scalability issues of a single web container instance. This scenario is good to have if you are internally hosting your applications. If your server comes under high load you can simply set up another server in the cluster [although a theoretical bottleneck would come of the storage medium first].
RE the company I use for hosting: Another attractive feature is that they are using high-grade Australian bandwidth, generally meaning that your website will load quickly for Australian viewers, and because they are close to the top tier, international traffic is quite good as well. They provide excellent prices (starting from around $180 per year - 500mb, 10GB traffic, unlimited email, and Urchin Webstats [can be automatically emailed to your client every day/week/month]). The accounts are customisable and have the ability to scale only traffic without having to pay for more space (so you don't have to fork out money for several gig of space if all you want is lots of traffic). You can get a 5% discount on the price using my referral. Their support is outstanding and I have found it to be a very professional way to host our domains. I first came across them because PHP.net uses them as a mirror because of their capability to handle demand. Must be good :-)

Google leaps ahead - Asta La Vista Yahoo!

Richard Lee @ 9:21 am

Web tracking company ComScore reports that Google has gained an additional 6 percentage points of the US search market based on total queries last month, while Yahoo and Microsoft MSN slipped back.

Google’s estimated share of the search market today is estimated at 42.3 % in comparison to Yahoo’s 27.6 and MSN’s 13.5 %.

Early this year Merrill Lynch analysts Justin Post and Lauren Rich Fine identified Google’s increase in market share due to its better monetization of queries - in a spin-off Google’s monetization techniques have been criticised by some.

With Yahoo's and Microsoft's struggle to improve the experience and technology of their search engines, it is only a matter of time before Google is said to gain 70% of the market share.

The only speed bump in their road to domination will be their ability to convert searches to revenue.

March 28, 2006

Australian Tourism: Where the bloody hell are you?

Cameron Manderson @ 12:21 pm

A spin on the controversial “where the bloody hell are you?” Australian tourism ads is located here. Very B/C grade but quite funny.
