CONTENTS

PHP & Oracle
Analysis of this recently announced partnership and its benefits to the web developer community
by ROBERT MARK

EDITORIAL

Job Management with PHP & Cron
Discussion on building an admin page to create and monitor a job queue with near-real-time status updates
by MIKE DeWOLFE

php|news

TIPS & TRICKS
mail() hacks: Redefining and Redirecting mail()
by BEN RAMSEY

Flying with Seagull
A step-by-step guide for setting up an example module
by WILLIAM ZELLER and WERNER M KRAUSS

User Management with Active Directory
Accessing, inserting or altering objects within the AD structure of Microsoft Windows Server 2003
by CHAD R SMITH

TEST PATTERN
To Test is to Fake: How to properly test the whole system
by MARCUS BAKER

SECURITY CORNER
Cross Site Scripting
by CHRIS SHIFLETT

SPECIAL FEATURE
Conference Coverage
Review and analysis of the php|works and web|works conference held in Toronto, September 14-16, 2005
by PETER B MacINTYRE

exit(0);
It’s a Bird! It’s a Plane! It’s FUD!
by MARCO TABINI

Download this month’s code at: http://www.phparch.com/code/

WRITE FOR US!
If you want to bring a php-related topic to the attention of the professional php community, whether it is personal research, company software, or anything else, why not write an article for php|architect? If you would like to contribute, contact us and one of our editors will be happy to help you hone your idea and turn it into a beautiful article for our magazine. Visit www.phparch.com/writeforus.php or contact our editorial team at write@phparch.com and get started!

EDITORIAL
THE ENTERPRISE AWAKENS

Those of us in the know have been aware of PHP’s readiness to take on the “enterprise” for quite a while, now. We’ve built serious applications, we’ve processed millions of dollars worth of transactions with our favorite language, and we’ve even been heard extolling PHP’s virtues before management-types.

An all-too-common scene in the office, though, is PHP sneaking in through the back door. Upper- (or perhaps mid-) management has traditionally favored heavily-marketed, and “proven” products over non-orthodox, community-built technologies. I once worked for a CTO who (as the joke went, anyway) would build the next project on whatever platform was advertised on the last page of his business magazines. Unfortunately, many of the developers (myself included) were not convinced that the joke was only that—a joke.

Despite—or perhaps thanks to—this lack of technological vision, our “little secret” language has been making huge inroads into the enterprise, lately. We have a few key players to thank for this; especially Zend.

Zend’s involvement with PHP is obvious—they are “The PHP Company” after all. They’ve recently made a few strategic moves that are helping to propel PHP into the minds of corporations, IT managers, CTOs, and other business-types. As far as I’m concerned, they’ve made four key moves to promote PHP in this way.

The first two are related (and the first of which is partially covered in this issue): Zend Core for Oracle, and Zend Core for IBM. Much like large-business’ dislike for non-mainstream software, they’re often seen shunning open-source database platforms. With Zend actively working with both Oracle and IBM’s DB2, the PHP database taboo has been lifted. Many corporations have already deployed systems on Oracle or DB2, and (correctly) see no need to add yet another database platform to their clusters. (IBM has returned the favor by participating in PHP development—see PDO_odbc (http://pecl.php.net/pdo_odbc), the PDO documentation (http://php.net/pdo) and SDO (http://pecl.php.net/sdo).)

The next move on Zend’s part, of enterprise significance, is Marc Andreessen’s recent joining of Zend’s board of directors. Marc seems to have wholeheartedly accepted PHP as a legitimate platform for serious web applications, facing the competition of coffee-based languages head on: “PHP is to 2005 what Java was to 1995.” Those are strong words from a guy with both serious technology and business credibility.

The last of Zend’s recent moves that I find significant is the recent announcement of the PHP Collaboration Project, including the Zend Framework. This one has three major enterprise-friendly parts (again, in my opinion): Engagement with the Eclipse Foundation, a standard development framework for PHP, and corporation-friendly licensing and license-auditing of the code in the framework.

There is little information available on Zend’s work with Eclipse, but I’m eager to find out, as I’m personally an active PHP Eclipse user, and I long for certain features of Zend Studio (especially debugging). Just as with the database problem above, many companies already have Eclipse deployed for their (especially Java-) developers.

The framework itself (to which I’ve been invited to participate, but as yet have only lurked on the mailing list) will hopefully breed a new generation of PHP applications that can avoid the menial task of form handling (as one example)—see also this month’s continuation of the article on building applications with the Seagull framework (which exists and is ready to use, today).

The licensing feature of the framework is particularly beneficial to enterprises who wish to re-sell applications developed in PHP. The PHP project has been burned by the GPL before (which is why you won’t find any GPL-licensed extensions in PECL), and even for code licensed under a BSDish (e.g. PHP) license, there’s always the risk of code being stolen from an unknown source, without some sort of auditing. Zend provides this with their framework.

All of this to say: not only is PHP ready for the enterprise, but the enterprise is starting to awaken to this fact. Kudos to the key players for making this happen!

Volume - Issue 11

Publisher: Marco Tabini
Editor-in-Chief: Sean Coates
Editorial Team: Arbi Arzoumani, Peter MacIntyre, Eddie Peloke
Graphics & Layout: Aleksandar Ilievski
Managing Editor: Emanuela Corso
News Editor: Leslie Hill, news@phparch.com
Authors: Marcus Baker, Werner M Krauß, Peter B MacIntyre, Robert Mark, Ben Ramsey, Chris Shiflett, Chad R Smith, Mike DeWolfe, William Zeller

php|architect (ISSN 1709-7169) is published twelve times a year by Marco Tabini & Associates, Inc., P.O. Box 54526, 1771 Avenue Road, Toronto, ON M5M 4N5, Canada.

Although all possible care has been placed in assuring the accuracy of the contents of this magazine, including all associated source code, listings and figures, the publisher assumes no responsibilities with regards of use of the information contained herein or in all associated material.

php|architect, php|a, the php|architect logo, Marco Tabini & Associates, Inc. and the Mta Logo are trademarks of Marco Tabini & Associates, Inc.

Contact Information:
General mailbox: info@phparch.com
Editorial: editors@phparch.com
Subscriptions: subs@phparch.com
Sales & advertising: sales@phparch.com
Technical support: support@phparch.com

Printed in Canada. Copyright © 2003-2005 Marco Tabini & Associates, Inc. All Rights Reserved.

OCTOBER 2005 • php|architect • 6

news

PHP 4.4.1

php.net announces the release of PHP 4.4.1.

“PHP 4.4.1 is now available for download. This version is a maintenance release, that contains numerous bug fixes, including a number of security fixes related to the overwriting of the GLOBALS array. All users of PHP 4.3 and 4.4 are encouraged to upgrade to this version. Some of the changes in PHP 4.4.1 include:
• Added missing safe_mode checks for image* functions and cURL
• Added missing safe_mode/open_basedir checks for file uploads
• Fixed a memory corruption bug regarding included files
• Fixed possible INI setting leak via virtual() in Apache sapi
• Fixed possible crash and/or memory corruption in import_request_variables()
• Fixed potential GLOBALS overwrite via import_request_variables()
• Fixed possible GLOBALS variable override when register_globals are ON
• Fixed possible register_globals toggle via parse_str()”

Get your hands on the latest release at php.net!

phpBB 2.0.18

The phpBB Group is pleased to announce the release of phpBB 2.0.18, “The Halloween Special” release. This is a major update to the 2.0.x codebase and includes fixes for numerous bugs reported by users to our Bug Tracker, as well as updates to those issues identified by the recent security audit of the code and a couple of security issues reported to us. In addition we have backported a further feature from our “Olympus” codebase to change the way automatic logins are handled. We would like to thank all of those who took part in the security audit of the code for their work. As with all new releases we urge you to update as soon as possible. You can, of course, find this download available on our downloads page. As per usual, four packages are available to simplify your update.

For more information visit: http://www.phpbb.com/

FUDforum 2.7.3 Released

Ilia.ws announces: After nearly months of testing and development, I am happy to announce the release of FUDforum 2.7.3, the new stable version. This is primarily a bug-fix release and all users, especially those of the 2.7 series are encouraged to upgrade to it. As far as the changes go, this version is virtually identical to the prior release candidate. The one major addition was the integration of the Indonesian translation that now makes the forum available in a whopping 26 languages, more than in the prior stable release.

Get all the latest info from ilia.ws

symfony 0.4.1

symfony-project.com announces the release of version 0.4.1.

What is symfony? The site describes it as professional web tools for lazy folks: Based on the best practices of web development, thoroughly tried on several active websites, symfony aims to speed up the creation and maintenance of web applications, and to replace the repetitive coding tasks by power, control and pleasure. If you have been looking for a Rails/Django-like framework for PHP projects with features such as:
• simple templating and helpers
• cache management
• multiple environments support
• deployment management
• scaffolding
• smart URLs
• multilingual and I18N support
• object model and MVC separation
• Ajax support
where all elements work seamlessly together, then symfony is made for you.

Check out the latest version of symfony at symfony-project.com

PHP Québec 2006: call for speakers

PHP Québec is pleased to announce the 2006 PHP Québec conference, which will be held between March 29th and 31st, 2006. We are looking for the best speakers, willing to share their experience and skills with professional PHP developers from eastern Canada and USA. PHP Québec 2006 features distinct tracks:
• Technical PHP, covering in deep details of PHP techniques
• Professional Development, featuring tools and development methodologies to increase productivity
• Databases, covers different databases that can be used with PHP
Sessions will be held in French or English.

For more information, see the PHP Québec website: conf.phpquebec.com/en/conf2006/

php|architect Releases New Design Patterns Book

We’re proud to announce the release of php|architect’s Guide to PHP Design Patterns, the latest release in our Nanobook series. You have probably heard a lot about Design Patterns—a technique that helps you design rock-solid solutions to practical problems that programmers everywhere encounter in their day-to-day work. Even though there has been a lot of buzz, however, no-one has yet come up with a comprehensive resource on design patterns for PHP developers—until today. Author Jason E. Sweat’s book
php|architect’s Guide to PHP Design Patterns is the first, comprehensive guide to design patterns designed specifically for the PHP developer. This book includes coverage of 16 design patterns with a specific eye to their applications in PHP when building complex web applications, both in PHP and PHP (where appropriate, sample code for both versions of the language is provided).

For more information, http://www.phparch.com/shop_product.php?itemid=96

Check out some of the hottest new releases from PEAR

ScriptReorganizer 0.3.0
Library/Tool focusing exclusively on the file size aspect of PHP script optimization.

HTTP_Request 1.3.0
Provides an easy way to perform HTTP requests.

Calendar 0.5.3
Calendar provides an API for building Calendar data structures. Using the simple iterator and its “query” API, a user interface can easily be built on top of the calendar data structure, at the same time easily connecting it to some kind of underlying data store, where “event” information is being held. It provides different calculation “engines”, the default being based on Unix timestamps (offering fastest performance) with an alternative using PEAR::Date which extends the calendar past the limitations of Unix timestamps. Other engines can be implemented for other types of calendars (e.g. a Chinese Calendar based on lunar cycles).

Benchmark 1.2.4
Framework to benchmark PHP scripts or function calls.

Text_Wiki_BBCode 0.0.2
Parses BBCode mark-up to tokenize the text for Text_Wiki rendering (Xhtml, plain, Latex) or for conversions using the existing renderers (wiki).

HTML_Template_Sigma 1.1.4
HTML_Template_Sigma implements Integrated Templates API designed by Ulf Wendel.

PEAR_PackageFileManager 1.6.0a4
PEAR_PackageFileManager takes an existing package.xml file and updates it with a new filelist and changelog.

PEAR 1.4.4
PEAR Base System

Text_Wiki 1.0.2
Abstracts parsing and rendering rules for any markup as Wiki or BBCode in structured plain text.

PEAR_RemoteInstaller 0.2.0
PEAR Remote installation plugin through FTP

Looking for a new PHP Extension? Check out some of the latest offerings from PECL

expect 0.1

pecl_http 0.17.0
- Extended HTTP Support
- Building absolute URLs
- RFC compliant HTTP redirects
- RFC compliant HTTP date handling
- Parsing of HTTP headers and messages
- Caching by “Last-Modified” and/or ETag (with ‘on the fly’ option for ETag generation from buffered output)
- Sending data/files/streams with (multiple) ranges support
- Negotiating user preferred language/charset
- Convenient request functionality built upon libcurl
- PHP5 classes: HttpUtil, HttpResponse (PHP-5.1), HttpRequest, HttpRequestPool, HttpMessage

PDO_SQLITE 1.0RC2
This extension provides an SQLite v3 driver for PDO. SQLite V3 is NOT compatible with the bundled SQLite in PHP 5, but is a significant step forward, featuring complete utf-8 support, native support for blobs, native support for prepared statements with bound parameters and improved concurrency.

PDO_PGSQL 1.0RC2
This extension provides a PostgreSQL driver for PDO.

PDO_ODBC 1.0RC2
This extension provides an ODBC v3 driver for PDO. It supports unixODBC and IBM DB2 libraries, and will support more in future releases.

PDO_OCI 1.0RC2
This extension provides an Oracle driver for PDO.

TIPS & TRICKS
mail() Hacks

How do you send e-mail on a server in which there is no mail server installed? How do you redirect e-mail messages in a testing environment so they don’t go to your users? This edition of Tips & Tricks addresses these two questions, highlighting some useful tricks to redefine or redirect mail().

by BEN RAMSEY

CODE DIRECTORY: hacks
TO DISCUSS THIS ARTICLE VISIT: http://forum.phparch.com/262

PHP provides an awesome built-in feature with the mail() function. I refer to it as “awesome” because I originally came to this language from the background of ASP and VBScript, and to successfully send an e-mail message from an ASP script, one had to purchase a third-party COM object and successfully install and register the object on a Windows server. PHP has mail capabilities built right into the language, providing developers with a powerful and easy way to send e-mail.

Sometimes, however, whether for purposes of security (in which the server doesn’t have access to a local mail server) or debugging (mail should be trapped and not sent to users), it becomes necessary to redefine the mail() function, or redirect it. In this edition of Tips & Tricks, we’ll explore how to do both.

Redefining mail()

There might be times in which server administrators do not wish to provide access to mail functionality. For example, they are unwilling to install sendmail, postfix, or any other mail servers. There are valid security reasons for disallowing mail servers, such as the fear of a Web server being used as a spam relay, but this lack of functionality can put a damper on Web application features. Furthermore, while applications can be written in such a way as to get around this limitation (e.g. using sockets and SMTP), there are many third-party applications and tools that rely on PHP’s mail() function, and it is far too time consuming to rework these applications to use your own mail function. Thus, for full compatibility, it becomes necessary to hack away at PHP’s mail() command and create your own, but, as difficult as this sounds, it’s actually quite simple to do.

To completely redefine the mail() function, it is necessary to recompile PHP without support for the function. Afterwards, we’ll create a new mail() function.
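
A drop-in replacement of the kind described above, as an added example that is not the article's own code: it traps each message in a spool directory instead of sending it, and refuses line breaks in the recipient and subject so caller-supplied data cannot add headers. The names trap_mail() and MAIL_TRAP_DIR are hypothetical, and the mail() wrapper only takes effect on a PHP build that does not provide mail() itself.

```php
<?php
// Added example, not code from the article. trap_mail() and MAIL_TRAP_DIR are
// hypothetical names chosen for this sketch.
if (!defined('MAIL_TRAP_DIR')) {
    define('MAIL_TRAP_DIR', sys_get_temp_dir() . '/mail-trap');
}

/**
 * Takes the same arguments as mail() and returns true on success, but writes
 * the message to a spool directory instead of handing it to a mail server.
 */
function trap_mail($to, $subject, $message, $additional_headers = '', $additional_parameters = '')
{
    // Single-line fields must not contain CR or LF: a line break here would
    // let caller-supplied data add headers (for example Bcc:) to the message.
    foreach (array($to, $subject) as $field) {
        if (preg_match('/[\r\n]/', (string) $field)) {
            return false;
        }
    }

    // Normalise header line endings and drop empty lines, which would
    // otherwise end the header block early and turn headers into body text.
    $headers = array();
    foreach (preg_split('/\r\n|\r|\n/', (string) $additional_headers) as $line) {
        if (trim($line) !== '') {
            $headers[] = rtrim($line);
        }
    }

    if (!is_dir(MAIL_TRAP_DIR) && !mkdir(MAIL_TRAP_DIR, 0700, true)) {
        return false;
    }

    $raw = "To: $to\r\n"
         . "Subject: $subject\r\n"
         . ($headers ? implode("\r\n", $headers) . "\r\n" : '')
         . "\r\n"
         . $message . "\r\n";

    // One file per message; the extra entropy keeps concurrent requests apart.
    $file = MAIL_TRAP_DIR . '/' . uniqid('msg_', true) . '.eml';
    return file_put_contents($file, $raw, LOCK_EX) !== false;
}

// Only takes effect when PHP itself provides no mail(), as in the rebuilt
// PHP the article describes; existing mail() callers then need no changes.
if (!function_exists('mail')) {
    function mail($to, $subject, $message, $additional_headers = '', $additional_parameters = '')
    {
        return trap_mail($to, $subject, $message, $additional_headers, $additional_parameters);
    }
}

// Constructed sample calls: a normal message, then one with a line break in $to.
var_dump(trap_mail('user@example.com', 'Welcome', "Hello!\n", 'From: app@example.com'));
var_dump(trap_mail("user@example.com\r\nBcc: other@example.com", 'Welcome', 'Hello!'));
```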