FEATURES

14 An Introduction to AJAX and JPSpan by Joshua Eichorn
25 PHP at Home: Using PHP for Home Automation by Ron Goff
37 May I See Your License, Please? Protect Your Product Against Piracy by Alasdair Stewart
44 Release Your Next Project as a PEAR 1.4.0 Package by Clay Loveless

08.2005 Download this month's code at: http://www.phparch.com/code/

DEPARTMENTS

6 EDITORIAL New New Media
7 WHAT'S NEW
10 TIPS & TRICKS Input Filtering, Part 2: Strings and Numbers by Ben Ramsey
52 TEST PATTERN Other People's Code by Marcus Baker
57 PRODUCT REVIEW PHP Runner 2.0 by Peter B. MacIntyre
62 SECURITY CORNER Shared Hosting by Chris Shiflett
67 Exit(0); Home is Where the Index is by Marco Tabini

EDITORIAL: New New Media

Two of the things that I really like about developing for the web are the rate at which our technology changes, and the manner in which new technology helps us solve old problems, perhaps ones that we had already solved in a much less clean manner. This can be both exciting and frustrating. Exciting because it's always fun to work with new tech and play with new toys. Frustrating because it's imperative that, as developers, we stay on top of a moving target at all times. For me, this excitement/frustration is often manifested in a love-hate relationship with my work (with a strong emphasis on the love part). Web development has been my primary source of income for the past 6 years (I started, professionally, in 1999). I'm by no means one of the forefathers—the early pioneers that worked with Sir Berners-Lee—but I like to think of myself as having quite a bit of experience under my belt. In 1999, things were very different—or were they? The basic principles were the same (present content nicely, provide high usability, support many browsers and platforms, etc.), but the manner in which we did these things was often the opposite of how we'd handle the same problem today. Take browser compatibility, for example.
Before (and during) the boom at the end of last century, developers were forced to employ a toolbox of hacks in order for our sites to look similar in both Internet Explorer (which was rapidly taking over clients' workstations) and Netscape Navigator—"similar" because we all knew that getting sites to look exactly the same bordered on impossible. Most of us developed on IE, and hacked up the markup for the monstrosity that was Netscape 4. Roles have now reversed, though. IE is the dominant player, and Mozilla-based browsers are playing catch-up. The main difference is that many developers have flocked to the underdog, and are hacking up their content to provide IE compatibility. But you probably already knew this. Browser War 2.0 is hardly news, so why am I rambling about it here? The answer is AJAX (Asynchronous JavaScript and XML), a method of tightly integrating server- and client-side code. Now, before the naysayers jump all over me for implying that AJAX is new, I feel that I need to explain that I know it's not new—I developed my first AJAX-like application in 2000: instant in-site messaging using a hidden iframe. It is, however, newly accessible. Google's recent foray into the world of rich web applications, among other things, has brought AJAX to the forefront of many developers' minds, creating a nearly industry-wide buzz. This is the exciting (and frustrating) part of my work. Again, exciting because I now have a new tool (OK, not new, but structured) that I can use to solve problems. It's also (again) frustrating because it's so new that we'll collectively need to absorb the new skill set, if not shape the method in which it is deployed. In this issue, Josh Eichorn, an early adopter and prominent AJAX evangelist, gives an introduction to this technology and will quickly bring you up to speed on how you can deploy it to solve your own development problems, and leap into the world of rich web applications.
I certainly enjoyed reading it, and learning from it; I'm sure you will, too. I know I say this all the time, but we really do develop in exciting times. Enjoy!

August 2005 ● PHP Architect ● www.phparch.com

php|architect Volume IV - Issue 8, August 2005
Publisher: Marco Tabini
Editorial Team: Arbi Arzoumani, Peter MacIntyre, Eddie Peloke
Graphics & Layout: Aleksandar Ilievski
Managing Editor: Emanuela Corso
News Editor: Leslie Hill, news@phparch.com
Authors: Marcus Baker, Joshua Eichorn, Ron Goff, Clay Loveless, Peter B. MacIntyre, Ben Ramsey, Chris Shiflett, Alasdair Stewart

php|architect (ISSN 1709-7169) is published twelve times a year by Marco Tabini & Associates, Inc., P.O. Box 54526, 1771 Avenue Road, Toronto, ON M5M 4N5, Canada. Although all possible care has been taken in assuring the accuracy of the contents of this magazine, including all associated source code, listings and figures, the publisher assumes no responsibility with regard to the use of the information contained herein or in any associated material.

Contact Information: General mailbox: info@phparch.com; Editorial: editors@phparch.com; Subscriptions: subs@phparch.com; Sales & advertising: sales@phparch.com; Technical support: support@phparch.com

Copyright © 2003-2005 Marco Tabini & Associates, Inc. — All Rights Reserved

WHAT'S NEW?

PHP 5.1 Beta 3

php.net announces the release of PHP 5.1 beta3. "PHP 5.1 Beta 3 is now available! If all goes well, this beta release will be followed by a release candidate within a couple of weeks. Some of the key improvements of PHP 5.1 include:
• PDO (PHP Data Objects) - A new native database abstraction layer providing performance, ease-of-use, and flexibility.
• Significantly improved language performance mainly due to the new Zend Engine II execution architecture.
• The PCRE extension has been updated to PCRE 5.0.
• Many more improvements including lots of new functionality & many bug fixes, especially in regards to SOAP, streams and SPL.
• See the bundled NEWS file for a more complete list of changes.
Everyone is encouraged to download and test this beta, although it is not yet recommended for mission-critical production use." Check out all the latest info at php.net.

phpBB Blog 2.2.2

Want to share your thoughts with the world? Outshine.com announces the release of phpBB Blog 2.2.2. "The final, stable release of phpBB Blog 2.2.2 is here! If you're curious to know what this does or how it is installed, check out the readme file that comes with the download. This minor release is simply for bugfixes:
• Smileys weren't showing for people who used absolute paths in the config. Fixed. Thanks to isaacr for the bug report!
• Minor corrections to the readme file."
Check out the latest download at www.outshine.com/phpbbblog/ and start blogging today.

PHP-GTK 1.0.2 Released

http://gtk.php.net/ announces: "PHP-GTK 1.0.2 is a minor release that fixes a bug in the build process that prevented PHP-GTK from being installed with the newly released PHP 4.4.x branch." What is PHP-GTK? The GTK team describes it as: "an extension for the PHP programming language that implements language bindings for GTK+. It provides an object-oriented interface to GTK+ classes and functions and greatly simplifies writing client-side cross-platform GUI applications." Get the latest release from http://gtk.php.net/.

PHP 4.4.0 Released

"The PHP Development Team would like to announce the immediate release of PHP 4.4.0. This is a maintenance release that addresses a serious memory corruption problem within PHP concerning references. If references were used in a wrong way, PHP could create memory corruptions which would not always surface or be visible.
The increased middle digit was required because the fix that corrected the problem with references changed PHP's internal API, breaking binary compatibility with the PHP 4.3.* series. PHP 4.4.0 does not have any new features, and is solely a bugfix release; however, it is strongly recommended that you read the more detailed release announcement available here prior to upgrading your PHP 4 installation. For changes in PHP 4.4.0 since PHP 4.3.11, please consult the PHP 4 ChangeLog." Check out all the latest info at php.net.

phpMyFAQ 1.5.0 RC6

The phpMyFAQ team announces the release of phpMyFAQ 1.5.0 RC6. "This version adds a rewritten DocBook XML export class, fixes PostgreSQL sequence errors, PHP 4.4.0 reference issues and the update script. This RC also includes improved category performance and an updated French language file. Do not use this version in production systems, but test this version and report bugs!" Grab the latest release from http://www.phpmyfaq.de/

Check out some of the hottest new releases from PEAR.

HTML_Progress2 2.0.0RC2
This package provides a way to add a fully customizable loading bar into existing XHTML documents.
Your browser should be DHTML compatible. Features:
• create horizontal and vertical bars; also circles, ellipses and polygons (square, rectangle)
• allows the use of existing external StyleSheets and/or JavaScript
• all elements (progress, cells, labels) are customizable by their HTML properties
• percent/labels float around the progress meter
• compliant with all CSS/XHTML standards
• integration with all template engines is very easy
• implements the Observer design pattern; it is possible to add Listeners
• adds a customizable monitor pattern to display a progress bar
• end-user can abort progress at any time
• allows many progress meters on the same page without employing iframes
• error handling system that supports native PEAR_Error, but also PEAR_ErrorStack, and any other system you might want to plug in
• PHP 5 ready

HTTP_Download 1.1.0RC3
Provides an interface to easily send hidden files or any arbitrary data to HTTP clients. HTTP_Download can gain its data from variables, files or stream resources. It features:
• Basic caching capabilities
• Basic throttling mechanism
• On-the-fly gzip compression
• Ranges (partial downloads and resuming)
• Delivery of on-the-fly generated archives through Archive_Tar and Archive_Zip
• Sending of PgSQL LOBs without the need to read all data in prior to sending

MDB2_Driver_oci8 0.1.1
This is the Oracle OCI8 MDB2 driver.

Payment_Process 0.6.0
Payment_Process is a gateway-independent framework for processing credit cards, e-checks and eventually other forms of payment as well.

Net_Curl 1.2.0
Provides an OO interface to PHP's curl extension.

Net_UserAgent_Mobile 0.24.0
Net_UserAgent_Mobile parses HTTP_USER_AGENT strings of (mainly Japanese) mobile HTTP user agents. It is useful for dispatching pages by user agent. This package was ported from Perl's HTTP::MobileAgent.

File_Archive 1.5.2
This library is strongly object oriented, which makes it very easy to use with simple code, yet the library is very powerful.
It lets you easily read or generate tar, gz, tgz, bz2, tbz, zip, ar (or deb) archives to files, memory, mail or standard output.

HTML_CSS 1.0.0RC1
HTML_CSS provides a simple interface for generating stylesheet declarations. It is completely standards-compliant, and has some great features:
• Simple OO interface to CSS definitions
• Can parse existing CSS (string or file)
• Output to:
  - Inline stylesheet declarations
  - Document internal stylesheet declarations
  - Standalone stylesheet declarations
  - Array of definitions
  - File
Additionally, it shares the following with HTML_Common based classes:
• Indent style support
• Line ending style

Looking for a new PHP extension? Check out some of the latest offerings from PECL.

pecl_http 0.11.0
• Build absolute URIs
• RFC compliant HTTP redirects
• RFC compliant HTTP date handling
• Parsing of HTTP headers and messages
• Caching by "Last-Modified" and/or ETag (with 'on the fly' option for ETag generation from buffered output)
• Sending data/files/streams with (multiple) ranges support
• Negotiating user preferred language/charset
• Convenient request functions built upon libcurl
• HTTP auth hooks (Basic)
• PHP5 classes: HttpUtil, HttpResponse, HttpRequest, HttpRequestPool, HttpMessage

APC 3.0.6
APC is the Alternative PHP Cache. It was conceived to provide a free, open, and robust framework for caching and optimizing PHP intermediate code.

bcompiler 0.7
bcompiler enables you to encode your scripts as PHP bytecode, enabling you to protect the source code. Bear in mind that bytecode encoding hides the source from casual inspection only; the program logic is still present in the encoded file and can be analysed by anyone who obtains it, so it is not a substitute for keeping secrets (keys, credentials) out of the code.
bcompiler could be used in the following situations:
• to create an exe file of a PHP-GTK application (in conjunction with other software)
• to create closed-source libraries
• to provide clients with time-expired software (prior to payment)
• to deliver closed-source applications
• for use on embedded systems, where disk space is a priority
For installation instructions see the manual at pear.php.net.

PDO_DBLIB 0.9
This extension provides a FreeTDS/Sybase driver for PDO.

php|architect Releases New Design Patterns Book

We're proud to announce the release of php|architect's Guide to PHP Design Patterns, the latest release in our Nanobook series. You have probably heard a lot about Design Patterns, a technique that helps you design rock-solid solutions to practical problems that programmers everywhere encounter in their day-to-day work. Even though there has been a lot of buzz, however, no one has yet come up with a comprehensive resource on design patterns for PHP developers—until today. Author Jason E. Sweat's book php|architect's Guide to PHP Design Patterns is the first comprehensive guide to design patterns written specifically for the PHP developer. This book includes coverage of 16 design patterns with a specific eye to their application in PHP when building complex web applications, both in PHP 4 and PHP 5 (where appropriate, sample code for both versions of the language is provided). For more information, see http://www.phparch.com/shop_product.php?itemid=96.

BeebleX

Tired of sifting through tons of pages just to find a few useful PHP resources when searching online? Check out BeebleX, "the PHP Search Engine". Marco Tabini writes: "I've written more than once about the fact that searching for PHP-related information is one of the banes of my existence. I thought I'd take myself to task and see whether I could come up with something of my own. Thus was born BeebleX, The PHP Search Engine.
BeebleX works in a way that is orthogonal to most other search engines. Where a site like Google is mostly automated, BeebleX indexes hand-picked resources that are PHP-specific. Where Google tries to run your search against as many sources as possible, BeebleX categorizes its data sources and allows you to restrict the search field to what you need." Whether you are looking for a PHP job, function, solution, or other PHP-related info, check out BeebleX at beeblex.com.

Welcome back to the second installment of the Tips & Tricks input filtering series. If you've been following along, you'll know that this is the second of a three-part series on filtering input, and by "input," I don't mean only user input from an HTML form. I mean input from any external source, be it from GET, POST, cookies, RSS feeds, XML-RPC, etc.—any place from which an application accepts outside data beyond the control of the programmer. That's the data that needs filtering.

So, to summarize part one of this series: input should always be considered evil and tainted and, thus, must be filtered, and to properly filter input, a whitelist approach is the most logical solution to ensure that input received is input expected. Continuing this short review of last month's column, take a brief look at Listing 1. Without dwelling too much on this code listing, I'd like to point out that the whitelist approach here works merely to ensure that the received data adheres to a strict set of field names. Another form on another site could post all manner of different fields to this form, but the $clean array will only contain the expected and intended fields. By now, it should be clear why a whitelist approach is the most desirable form of filtering data; it requires only the knowledge of what the form should receive—not the myriad data the form could receive.
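The whitelist approach just described, carried one step further from field names to field contents, as an added example. This is not the column's Listing 1 (which is not reproduced on this page) and not Ben Ramsey's code; the field names, validation rules, numeric limits, the function name filter_input_whitelist and the sample request are all assumptions made for illustration.

```php
<?php
// Added example, not Listing 1 from the column: whitelist filtering of a
// form submission, first by field name and then by field content.
// Field names, rules, limits and the sample request are assumptions.

// username: 3-20 ASCII letters, digits or underscores. The /D modifier makes
// $ match only at the very end, so "alice\n" is rejected rather than accepted.
function validate_username($v)
{
    return (is_string($v) && preg_match('/^[A-Za-z0-9_]{3,20}$/D', $v)) ? $v : null;
}

// age: unsigned decimal digits only, 0-150. is_string() comes first because a
// client can submit age[]=1 and hand us an array; ctype_digit() refuses the
// signs, spaces and decimal points that is_numeric() would let through.
function validate_age($v)
{
    if (!is_string($v) || $v === '' || !ctype_digit($v)) {
        return null;
    }
    $n = (int) $v;
    return ($n >= 0 && $n <= 150) ? $n : null;
}

// quantity: positive integer 1-999, same digit check as age.
function validate_quantity($v)
{
    if (!is_string($v) || $v === '' || !ctype_digit($v)) {
        return null;
    }
    $n = (int) $v;
    return ($n >= 1 && $n <= 999) ? $n : null;
}

// country: must be one of a fixed list; strict comparison so '0' never matches.
function validate_country($v)
{
    $allowed = array('CA', 'US', 'GB', 'DE');
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

// The whitelist: expected field name => validator. Anything not listed here
// never reaches $clean, whatever another site's form chooses to POST.
$expected = array(
    'username' => 'validate_username',
    'age'      => 'validate_age',
    'quantity' => 'validate_quantity',
    'country'  => 'validate_country',
);

// Return only expected fields whose values pass their validator; rejected or
// missing fields are reported in $errors so the form can be re-displayed.
function filter_input_whitelist($input, $expected, &$errors)
{
    $clean  = array();
    $errors = array();
    foreach ($expected as $field => $validator) {
        if (!array_key_exists($field, $input)) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = call_user_func($validator, $input[$field]);
        if ($value === null) {
            $errors[$field] = 'rejected';
            continue;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed request standing in for $_POST: two fields nobody asked for, an
// age carrying injection text, and a quantity that is numeric but not an integer.
$request = array(
    'username' => 'alice_01',
    'age'      => '29 OR 1=1',
    'quantity' => '3.5',
    'country'  => 'CA',
    'is_admin' => '1',
    'debug'    => 'on',
);

$clean = filter_input_whitelist($request, $expected, $errors);
print_r($clean);
print_r($errors);
```

On the constructed request, $clean ends up holding only username and country; age and quantity are reported as rejected, and is_admin and debug are dropped without comment because they were never expected. The same function works unchanged on $_GET, $_COOKIE or an array decoded from an XML-RPC call, which is the point of treating every external source the same way. Two details matter more than they look: checking is_string() before the ctype functions, since PHP will happily hand you an array for a field the client sent as name[], and the /D modifier on the anchored pattern, without which a trailing newline slips past $.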
For now, we'll skim over the code in Listing 1, but I'll return to it later.

TIPS & TRICKS
Input Filtering, Part 2: Strings and Numbers
by Ben Ramsey

This year has seen an increased focus on PHP security, and this is good for the language, for developers, and for the business community. One phrase that comes to mind when discussing secure coding practices is Chris Shiflett's mantra of "filter input, escape output." While we know what this means in a general sense, practical examples elude us. This month's installment of Tips & Tricks continues the series on filtering input, providing practical examples and helpful tips to filter strings and numbers.

http://cpaint.sourceforge.net/
Sajax: http://www.modernmethod.com/sajax/
Xajax: http://xajax.sourceforge.net/
Ajax AC: http://ajax.zervaas.com.au/
Toxic: http://www.dotvoid.com/view.php?id=40

...has worked in the past. AJAX widgets need to be part of the normal application flow, not a distracting gimmick. As I work with AJAX, I like to keep a few