File uploads with Adobe Flex and Zend AMF

Leonardo França writes; Zend AMF is an implementation done in PHP to work with the binary communication protocol AMF (Action Message Format) and is part of Zend Framework. I had to implement a file upload system that was a little different from what is typically used in Flash, and this feature had to be integrated into Zend AMF.
Researching a little on the net, I found a solution, based on that article with a few adjustments, that was simpler than I thought.
Let's begin with our gateway, to be used as the endpoint in Adobe Flex.

<?php
require_once 'Zend/Amf/Server.php';
require_once 'Zend/Amf/Exception.php';
require_once 'br/com/leonardofranca/vo/FileVO.php';
require_once 'br/com/leonardofranca/UploadZendAMF.php';

$server = new Zend_Amf_Server();
// false returns exception details to the Flex client for debugging; set to true before deployment
$server->setProduction(false);

// Expose the upload service and map the PHP value object to its ActionScript class
$server->setClass('UploadZendAMF');
$server->setClassMap('FileVO', "br.com.leonardofranca.vo.FileVO");

echo($server->handle());
?>

Read more at; File uploads with Adobe Flex and Zend AMF – Workflow: Flash.

Flex Builder 4.5.x Test Drive for Mobile Tutorials

Here is a very good multi-part tutorial on the ins and outs of mobile client/server development, which adds some quite useful functionality on Android, Apple iOS and BlackBerry mobile devices.

In this Test Drive, you are going to create a Flex mobile application that retrieves, displays, and modifies database records (see Figure 1). A Flex application does not connect directly to a remote database. Instead, you connect it to a data service written in your favorite web language (PHP, ColdFusion, Java, or any other server-side technology). You will build the front-end Flex mobile application; the database and the server-side code to manipulate database records is provided for you as a PHP class, a ColdFusion component, or Java classes.

Figure 1. The Mobile Test Drive application running on a mobile device.

via Adobe Developer Connection.

Data paging with Flex and PHP using Flash Builder 4.5.x

Flash Builder 4.5 has a built-in data paging feature that generates ActionScript code to retrieve data from the database incrementally on demand. For example, suppose your database has thousands of records and you want to fetch only 20 rows at a time and display them in a data grid. When you enable paging for an operation and bind the operation result to a DataGrid control, the first 20 records will be retrieved initially and the next page of records is fetched only when the user requests them—that is, when he or she scrolls the vertical scroll bar of the DataGrid control.

Flash Builder 4.5 lets you enable paging for any type of data service operation including operations on a Remoting service, web service, or HTTP service. This article explains how to enable data paging for a PHP-based Remoting service. After you set up the server environment required for the sample application, you’ll use Flash Builder 4.5 to generate ActionScript service classes and build a Flex application that incrementally retrieves data sets from a database table using the PHP class on the server.

via Adobe Developer Connection.

Encrypt session data in PHP

Zimuel writes; As promised in my last post I present an example of strong cryptography in PHP to secure session data.
This is a very simple implementation that can be used to improve the security of PHP applications, especially in shared environments where different users have access to the same resources. As you know, PHP session data are managed by default using temporary files. In a shared environment, a malicious user who is able to access these temporary files can easily read the session data because they are stored in plaintext (the data in a session file is the serialization of the array $_SESSION).
In theory, the session data should be stored in folders that are accessible only by the owner of the web site, but never say never (btw, you can manage the location of the session data using the session_save_path function or by changing session.save_path in php.ini).

To secure the session data I used strong cryptography to encrypt the content using the mcrypt extension of PHP. I chose the symmetric cipher AES (Rijndael-256) to encrypt the session data and the openssl_random_pseudo_bytes() function to generate a random key of 256 bits.
The idea is to use a cookie variable to store the key that will be used to encrypt the session data. In this way the key is stored only in the client (the browser) and only the client is able to decrypt the session data on the server. Each time we encrypt the session data we re-generate the IV in a random way using the mcrypt_create_iv() function. It is very important to generate a unique IV for each encryption. This best practice increases the security of the encryption algorithm.
It's important to note that this implementation is not secure against session hijacking attacks. If someone is able to capture the cookie variable of a client and has access to the temporary session files on the server, he/she will be able to decrypt the session data. Our goal is to protect session data against attacks in shared environments.

The idea to encrypt the session data is not new, for instance Chris Shiflett proposed an implementation in his book “Essential PHP Security” (O’Reilly, 2006). Shiflett used a $_SERVER variable to store the key used to encrypt the session data. Kevin Schroeder, my colleague at Zend Technologies, implemented a very similar session encryption algorithm extending the Zend_Session class of Zend Framework (you can find it here). In my solution, I used some of the best practices related to strong cryptography to implement a secure session handler.

Below is the source code of my implementation:

Full class @ Zimuel’s blog.
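Zimuel's class itself is on his blog; as an added example that is not his code, here is a session save handler built on the design the post describes: a 256-bit key generated per client and kept only in a cookie, and a fresh random IV on every write. It swaps in ext/openssl (AES-256-CBC) for the mcrypt extension, which was removed from PHP in 7.2, and adds an HMAC-SHA256 tag over each record so a tampered session file is rejected rather than decrypted; the cookie name sess_key is an assumption, and PHP 7.3 or later with ext/openssl is assumed.

```php
<?php
// Added example, not Zimuel's implementation: an encrypting session save handler.
// Design from the post: per-client 256-bit key kept only in a cookie, random IV
// per write. Swapped in: ext/openssl AES-256-CBC instead of mcrypt, plus an
// HMAC-SHA256 tag (encrypt-then-MAC). Assumes PHP >= 7.3 with ext/openssl.

class EncryptedSessionHandler extends SessionHandler
{
    private const COOKIE  = 'sess_key';    // assumed cookie name carrying the key
    private const CIPHER  = 'aes-256-cbc'; // 16-byte IV, 32-byte key
    private const IV_LEN  = 16;
    private const TAG_LEN = 32;            // raw HMAC-SHA256 output
    private $key = '';

    public function open($savePath, $sessionName): bool
    {
        $fromCookie = isset($_COOKIE[self::COOKIE])
            ? base64_decode($_COOKIE[self::COOKIE], true) : false;
        if (is_string($fromCookie) && strlen($fromCookie) === 32) {
            $this->key = $fromCookie;
        } else {
            // First visit (or a damaged cookie): mint a fresh 256-bit key. It lives
            // only in the browser, so the server-side session file alone is useless.
            $this->key = random_bytes(32);
            setcookie(self::COOKIE, base64_encode($this->key), [
                'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
            ]);
        }
        return parent::open($savePath, $sessionName);
    }

    #[\ReturnTypeWillChange]   // silences PHP 8.1+ return-type notices; a comment before PHP 8
    public function read($id)
    {
        $raw = base64_decode((string) parent::read($id), true);
        if ($raw === false || strlen($raw) < self::IV_LEN + self::TAG_LEN) {
            return '';   // empty or malformed record: start with an empty session
        }
        $iv  = substr($raw, 0, self::IV_LEN);
        $tag = substr($raw, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($raw, self::IV_LEN + self::TAG_LEN);
        // Check the tag before touching the ciphertext; hash_equals() is fixed-time.
        if (!hash_equals(hash_hmac('sha256', $iv . $ct, $this->key, true), $tag)) {
            return '';   // tampered, or encrypted under another client's key
        }
        $plain = openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv);
        return $plain === false ? '' : $plain;
    }

    public function write($id, $data): bool
    {
        // A new random IV for every write, so identical session contents never
        // produce identical ciphertext across saves.
        $iv  = random_bytes(self::IV_LEN);
        $ct  = openssl_encrypt($data, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv);
        $tag = hash_hmac('sha256', $iv . $ct, $this->key, true);
        return parent::write($id, base64_encode($iv . $tag . $ct));
    }
}

// Register before session_start(): PHP still serializes $_SESSION as usual, but
// only the encrypted blob ever reaches the file under session.save_path.
session_set_save_handler(new EncryptedSessionHandler(), true);
session_start();
$_SESSION['user_id'] = 42;   // constructed demo value
```

As in the post, this does nothing against session hijacking: whoever holds both the cookie and the session file can decrypt the record.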

XML to JSON in PHP

Zimuel writes; Last Friday, on the occasion of the April Zend Framework Bug-Hunt, I started to look at this bug: ZF-3257. This is an issue related to the Zend_Json class that occurs during the conversion from XML to JSON for some specific XML documents, like this one:

$xml= 'bar';

The result using Zend_Json::fromXml($xml, false), where false indicates the usage of XML attributes, was:

{"a":{"b":{"@attributes":{"id":"foo"}}}}

As you can see, the bar value of the a element is not represented in JSON. This issue also occurs with other XML documents, and in general when an XML node has a single character data child, any attributes are lost.

For instance, the following code:

$xml = 'bar';
echo Zend_Json::fromXml($xml, false);

Produced the output:

{"a":{"b":"bar"}}

In this case, the attribute id and its value foo are lost.
Find the solution @ Zimuel's blog.

Create daemons in PHP

Kevin van Zonneveld wrote a life-saving article that saved me quite a bit of time; Everyone knows PHP can be used to create websites. But it can also be used to create desktop applications and command-line tools. And now with a class called System_Daemon, you can even create daemons using nothing but PHP. And did I mention it was easy?

What is a Daemon?

A daemon is a Linux program that runs in the background, just like a 'Service' on Windows. It can perform all sorts of tasks that do not require direct user input. Apache is a daemon, so is MySQL. All you ever hear from them is found somewhere in /var/log, yet they silently power over 40% of the Internet.

You reading this page would not have been possible without them. So clearly: a daemon is a powerful thing, and can be bent to do a lot of different tasks.

Why PHP?

Most daemons are written in C. It’s fast & robust. But if you are in a LAMP oriented company like me, and you need to create a lot of software in PHP anyway, it makes sense:

  • Reuse & connect existing code: Think of database connections, classes that create customers from your CRM, etc.
  • Deliver new applications very fast: PHP has a lot of built-in functions that speed up development greatly.
  • Everyone knows PHP (right?): If you work in a small company, chances are there are more PHP programmers than there are C programmers. What if your C guy abandons ship? Admittedly it's a very pragmatic reason, but it's the same reason why Facebook is building HipHop.

Read the full article here: Create daemons in PHP.

Usage of the Conditional Ternary operator to reduce brace and newline waste when processing optional method parameters

ralphschindler writes; Usage of the Conditional Ternary operator to reduce brace and newline waste when processing optional method parameters

<?php
class Coordinate
{
    protected $x;
    protected $y;

    public function __construct($x = null, $y = null)
    {
        (empty($x)) ?: $this->setX($x);
        (empty($y)) ?: $this->setY($y);
    }

    /* What we're trying to replace
    public function __construct($x = null, $y = null)
    {
        if ($x) {
            $this->setX($x);
        }
        if ($y) {
            $this->setY($y);
        }
    }
    */

    public function setX($x)
    {
        $this->x = $x;
    }

    public function setY($y)
    {
        $this->y = $y;
    }
}


via Gist.

Zend Framework 1.11.0 FINAL Released

The Zend Framework team is pleased to announce the immediate availability of the general access release of Zend Framework 1.11.0.

This release is the culmination of several months of effort by contributors and Zend Framework partners, and offers several key new features, including support for mobile devices and the first stable release of the SimpleCloud API.

You may download the release from the following location:

http://framework.zend.com/download/latest

The following is a summary of new features and capabilities introduced in version 1.11.0

Mobile Support

Zend Framework 1.11 marks the first release with explicit support for mobile devices, via the new component Zend_Http_UserAgent. This component was developed by Raphael Carles. Carles is CTO of Interakting, the digital agency of Business & Decision Group of France. Interakting employs 150 PHP professionals to build industrial PHP projects, and its clients include Canal +/Vivendi, BNP Paribas, Samsung France, Ministry of Education, Alapage (Orange), Orange Tunisia, and many others. As such, they have extensive experience in supporting mobile devices, and stepped forward to contribute to Zend Framework, which they leverage in their projects.

Zend_Http_UserAgent performs two responsibilities:

– User-Agent detection

– Device capabilities detection, based on User-Agent

The component includes a “features” adapter mechanism that allows developers to tie into different backends for the purpose of discovering device capabilities. Currently, Zend Framework ships with adapters for the WURFL (Wireless Universal Resource File) API, Tera-WURFL, and DeviceAtlas, with more planned for the future.

Luca Passani, author and lead of the WURFL project, has provided an exemption to Zend Framework to provide a non-GPL adapter accessing the WURFL PHP API.

Additional hooks into the component are provided via a Zend_Application resource plugin, and a Zend_View helper, allowing developers the ability to return output customized for the detected device (e.g., alternate layouts, alternate images, Flash versus HTML5 support, etc.).

Zend_Cloud: SimpleCloud API

During ZendCon 2009, Zend announced a prototype of the SimpleCloud API.

This API was to provide hooks into cloud-based document storage, queue services, and file storage.

Zend Framework 1.11.0 marks the first official, stable release of Zend_Cloud, Zend Framework's PHP version of the SimpleCloud API. Current support includes:

– Document Services:
  – Amazon SimpleDB
  – Windows Azure's Table Storage
– Queue Services:
  – Amazon Simple Queue Service (SQS)
  – Windows Azure's Queue Service
  – All adapters supported by Zend_Queue:
    – Zend Platform JobQueue
    – Memcacheq
    – Relational Database
    – ActiveMQ
– Storage Services:
  – Amazon Simple Storage Service (S3)
  – Windows Azure's Blob Storage
  – Nirvanix
  – Local filesystem

When using any of the SimpleCloud APIs, your code will be portable across the various adapters provided, allowing you to pick and choose your services, as well as try different services until you find one that suits your application or business needs. Additionally, if you find you need to code adapter-specific features, you can drop down to the specific adapter in order to do so.

More adapters will be arriving in the coming months, giving you even more options!

We thank Wil Sinclair and Stas Malyshev for their assistance in the initial releases of Zend_Cloud.

Security

Several classes in Zend Framework were patched to eliminate the potential for leaking timing information from the direct comparison of sensitive data such as plaintext passwords or cryptographic signatures to user input. These leaks arise from the normal process of comparing any two strings in PHP. The nature of the leaks is that strings are often compared byte by byte, with a negative result being returned early as soon as any set of non-matching bytes is detected. The more bytes that are equal (starting from the first byte) between both sides of the comparison, the longer it takes for a final result to be returned. Based on the time it takes to return a negative or positive result, it is possible that an attacker could, over many samples of requests, craft a string that compares positively to another secret string value known only to a target server simply by guessing the string one byte at a time and measuring each guess’ execution time. This server secret could be a plaintext password or the correct cryptographic signature of a request the attacker wants to execute, such as is used in several open protocols including OpenID and OAuth. This could obviously enable an attacker to gain sufficient information to perform a secondary attack such as masquerading as an authenticated user.

This form of attack is known as a Remote Timing Attack. Timing Attacks have been problematic in the past but to date have been very difficult to perform remotely over the internet due to the interference of network jitter which limits their effectiveness in resolving very small timing differences. While the internet still poses a challenge to performing successful Timing Attacks against a remote server, the increasing use of frameworks on local networks and in cloud computing, where network jitter may be significantly reduced, raises the distinct possibility that remote Timing Attacks will become feasible against ever smaller timing information leaks, such as those leaked when comparing any two strings. As a precaution, the applied changes implement a fixed time comparison for several classes which would be attractive targets in any potential remote Timing Attack. A fixed time comparison function does not leak any timing information useful to an attacker thus proactively preventing any future vulnerability to these forms of attack.

We thank Pádraic Brady for his efforts in identifying and patching these vulnerabilities.

Dojo Support

Zend Framework’s default Dojo Toolkit version has been bumped to version 1.5.0, which includes the new dojox.mobile component, a simple framework for client-side mobile applications.

SimpleDB Support

Zend Framework has provided support for Amazon’s Simple Storage Service (S3), Simple Queue Service (SQS), and Elastic Cloud Compute (EC2) platforms for several releases. Zend Framework 1.11.0 adds support for SimpleDB, Amazon’s non-relational document storage database offering.

Support is available for all SimpleDB operations via Zend_Service_Amazon_SimpleDb.

Zend Framework’s SimpleDB adapter was originally written by Wil Sinclair.

eBay Findings API Support

eBay has an extensive REST API, allowing developers to build applications interacting with their extensive data. Zend Framework 1.11.0 includes Zend_Service_Ebay_Findings, which provides complete support for the eBay Findings API. This API allows developers to query eBay for details on active auctions, using categories or keywords.

Zend_Service_Ebay was contributed by Renan de Lima, Ramon Henrique Ornelas, and Don Bosco Nguyen Van Hoi.

MariaDB Compatibility

Zend_Db’s mysql and Pdo_Mysql adapters are fully MariaDB compatible, and the documentation has been updated to reflect configuration options for this fork of MySQL.

New Configuration Formats

Zend_Config has been a quite popular component in Zend Framework, and has offered adapters for PHP arrays, XML, and INI configuration files.

Zend Framework 1.11.0 now offers two additional configuration formats: YAML and JSON.

Zend_Config_Yaml provides a very rudimentary YAML parser that should work with most configuration formats. However, it also allows you to specify an alternate YAML parser if desired, allowing you to leverage tools such as PECL's ext/syck or Symfony's YAML component, sfYaml.

Zend_Config_Json leverages the Zend_Json component, and by extension ext/json.

Both adapters have support for PHP constants, as well as provide the ability to write configuration files based on configuration objects.

Stas Malyshev created both adapters for Zend Framework; Zend_Config_Json also had assistance from Sudheer Satyanarayana.

URL Shortening

Zend_Service_ShortUrl was added for this release. The component provides a simple interface for use with most URL shortening services, defining simply the methods “shorten” and “unshorten”. Adapters for two services, http://jdem.cz and http://tinyurl.com, are provided with this release.

Zend_Service_ShortUrl was contributed by Martin Hujer.

Additional View Helpers

Several new view helpers are now exposed:

– Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent component, detailed above. It gives you access to the UserAgent instance, allowing you to query for the device and capabilities.

– Zend_View_Helper_TinySrc is an additional portion of Zend Framework’s mobile offering for version 1.11.0. The helper ties into the TinySrc API, allowing you to a) provide device-specific image sizes and formats for your site, and b) offload generation of those images to this third-party service. The helper creates img tags pointing to the service, and provides options for specifying adaptive sizing and formats.

– Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you to provide avatar images for registered users that utilize the Gravatar service. This helper was contributed by Marcin Morawski.

Thank You!

We’d like to thank the countless contributors who have made Zend Framework 1.11.0 possible. Over 200 issues and feature requests were closed in preparation for this release, reflecting the efforts of dozens of contributors to the project.
Matthew Weier O’Phinney

Zend Framework 1.11.0BETA1 Released

The Zend Framework team is pleased to announce the immediate availability of the first beta release of Zend Framework 1.11.0. This release is the culmination of several months of effort by contributors and Zend Framework partners, and offers several key new features, including support for mobile devices and the first stable release of the SimpleCloud API.

You may download the release from the following location:

http://framework.zend.com/download/latest
(Note, beta releases appear separate from stable releases.)

This release is of BETA quality, and should be used for testing purposes only, not production. While the code has been well tested, we do expect there may be a few issues to resolve prior to a release candidate or general access release.

New Features in Zend Framework 1.11

Mobile Support

Zend Framework 1.11 marks the first release with explicit support for mobile devices, via the new component Zend_Http_UserAgent. This component was developed by Raphael Carles. Carles is CTO of Interakting, the digital agency of Business & Decision Group of France. Interakting employs 150 PHP professionals to build industrial PHP projects, and its clients include Canal +/Vivendi, BNP Paribas, Samsung France, Ministry of Education, Alapage (Orange), Orange Tunisia, and many others. As such, they have extensive experience in supporting mobile devices, and stepped forward to contribute to Zend Framework, which they leverage in their projects.

Zend_Http_UserAgent performs two responsibilities:

• User-Agent detection
• Device capabilities detection, based on User-Agent

The component includes a “features” adapter mechanism that allows developers to tie into different backends for the purpose of discovering device capabilities. Currently, the only shipped adapter is for the WURFL (Wireless Universal Resource File) API.

Luca Passani, author and lead of the WURFL project, has provided an exemption to Zend Framework to provide a non-GPL adapter accessing the WURFL PHP API.

Additional hooks into the component are provided via a Zend_Application resource plugin, and a Zend_View helper, allowing developers the ability to return output customized for the detected device (e.g., alternate layouts, alternate images, Flash versus HTML5 support, etc.).

Zend_Cloud: SimpleCloud API

During ZendCon 2009, Zend announced a prototype of the SimpleCloud API.
This API was to provide hooks into cloud-based document storage, queue services, and file storage.

Zend Framework 1.11.0 marks the first official, stable release of Zend_Cloud, Zend Framework's PHP version of the SimpleCloud API. Current support includes:

  • Document Services:
    • Amazon SimpleDB
    • Windows Azure’s Table Storage
  • Queue Services:
    • Amazon Simple Queue Service (SQS)
    • Windows Azure’s Queue Service
    • All adapters supported by Zend_Queue:
      • Zend Platform JobQueue
      • Memcacheq
      • Relational Database
      • ActiveMQ
  • Storage Services:
    • Amazon Simple Storage Service (S3)
    • Windows Azure's Blob Storage
    • Nirvanix
    • Local filesystem

When using any of the SimpleCloud APIs, your code will be portable across the various adapters provided, allowing you to pick and choose your services, as well as try different services until you find one that suits your application or business needs. Additionally, if you find you need to code adapter-specific features, you can drop down to the specific adapter in order to do so.

More adapters will be arriving in the coming months, giving you even more options!

We thank Wil Sinclair and Stas Malyshev for their assistance in the initial releases of Zend_Cloud.

Security

Several classes in Zend Framework were patched to eliminate the potential for leaking timing information from the direct comparison of sensitive data such as plaintext passwords or cryptographic signatures to user input. These leaks arise from the normal process of comparing any two strings in PHP. The nature of the leaks is that strings are often compared byte by byte, with a negative result being returned early as soon as any set of non-matching bytes is detected. The more bytes that are equal (starting from the first byte) between both sides of the comparison, the longer it takes for a final result to be returned. Based on the time it takes to return a negative or positive result, it is possible that an attacker could, over many samples of requests, craft a string that compares positively to another secret string value known only to a target server simply by guessing the string one byte at a time and measuring each guess’ execution time. This server secret could be a plaintext password or the correct cryptographic signature of a request the attacker wants to execute, such as is used in several open protocols including OpenID and OAuth. This could obviously enable an attacker to gain sufficient information to perform a secondary attack such as masquerading as an authenticated user.

This form of attack is known as a Remote Timing Attack. Timing Attacks have been problematic in the past but to date have been very difficult to perform remotely over the internet due to the interference of network jitter which limits their effectiveness in resolving very small timing differences. While the internet still poses a challenge to performing successful Timing Attacks against a remote server, the increasing use of frameworks on local networks and in cloud computing, where network jitter may be significantly reduced, raises the distinct possibility that remote Timing Attacks will become feasible against ever smaller timing information leaks, such as those leaked when comparing any two strings. As a precaution, the applied changes implement a fixed time comparison for several classes which would be attractive targets in any potential remote Timing Attack. A fixed time comparison function does not leak any timing information useful to an attacker thus proactively preventing any future vulnerability to these forms of attack.

We thank Pádraic Brady for his efforts in identifying and patching these vulnerabilities.

Dojo Support

Zend Framework’s default Dojo Toolkit version has been bumped to version 1.5.0.

SimpleDB Support

Zend Framework has provided support for Amazon's Simple Storage Service (S3), Simple Queue Service (SQS), and Elastic Cloud Compute (EC2) platforms for several releases. Zend Framework 1.11.0 adds support for SimpleDB, Amazon's non-relational document storage database offering. Support is available for all SimpleDB operations via Zend_Service_Amazon_SimpleDb.

Zend Framework’s SimpleDB adapter was originally written by Wil Sinclair.

eBay Findings API Support

eBay has an extensive REST API, allowing developers to build applications interacting with their extensive data. Zend Framework 1.11.0 includes Zend_Service_Ebay_Findings, which provides complete support for the eBay Findings API. This API allows developers to query eBay for details on active auctions, using categories or keywords.

Zend_Service_Ebay was contributed by Renan de Lima and Ramon Henrique Ornelas.

New Configuration Formats

Zend_Config has been a quite popular component in Zend Framework, and has offered adapters for PHP arrays, XML, and INI configuration files.
Zend Framework 1.11.0 now offers two additional configuration formats: YAML and JSON.

Zend_Config_Yaml provides a very rudimentary YAML parser that should work with most configuration formats. However, it also allows you to specify an alternate YAML parser if desired, allowing you to leverage tools such as PECL's ext/syck or Symfony's YAML component, sfYaml.

Zend_Config_Json leverages the Zend_Json component, and by extension ext/json.

Both adapters have support for PHP constants, as well as provide the ability to write configuration files based on configuration objects.

Stas Malyshev created both adapters for Zend Framework; Zend_Config_Json also had assistance from Sudheer Satyanarayana.

URL Shortening

Zend_Service_ShortUrl was added for this release. The component provides a simple interface for use with most URL shortening services, defining simply the methods “shorten” and “unshorten”. Adapters for two services, http://jdem.cz and http://tinyurl.com, are provided with this release.

Zend_Service_ShortUrl was contributed by Martin Hujer.

Additional View Helpers

Several new view helpers are now exposed:

• Zend_View_Helper_UserAgent ties into the Zend_Http_UserAgent component, detailed above. It gives you access to the UserAgent instance, allowing you to query for the device and capabilities.
• Zend_View_Helper_TinySrc is an additional portion of Zend Framework's mobile offering for version 1.11.0. The helper ties into the TinySrc API, allowing you to a) provide device-specific image sizes and formats for your site, and b) offload generation of those images to this third-party service. The helper creates img tags pointing to the service, and provides options for specifying adaptive sizing and formats.
• Zend_View_Helper_Gravatar ties into the Gravatar API, allowing you to provide avatar images for registered users that utilize the Gravatar service. This helper was contributed by Marcin Morawski.

Download it today!

We’d appreciate your feedback on this release — please download and test it, and let us know what issues you encounter.

Also, please join me in extending a hearty round of congratulations to all the contributors involved in this release!


Matthew Weier O’Phinney
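The Security sections of both announcements above (1.11.0 FINAL and 1.11.0BETA1) describe replacing early-exit string comparison with a fixed-time one. As an added example that is not Zend Framework's patch, here is the leaky form beside a fixed-time form, applied to checking an HMAC request signature of the kind OAuth-style protocols use; it assumes PHP 7.1 or later, and the key and payload are constructed demo values. hash_equals(), built into PHP since 5.6, is the equivalent new code should reach for.

```php
<?php
// Added example (not Zend Framework's code): early-exit versus fixed-time
// string comparison, applied to verifying an HMAC request signature.

// Early-exit comparison: `===` on strings returns as soon as a byte differs,
// so the time taken grows with the length of the matching prefix. That is the
// leak the release notes describe.
function compareLeaky(string $expected, string $actual): bool
{
    return $expected === $actual;
}

// Fixed-time comparison: every byte is XORed and the results are ORed into one
// status word, with no early return. Running time depends on the length of the
// caller-supplied $actual only, never on where the first mismatch sits.
function compareFixedTime(string $expected, string $actual): bool
{
    $lenExpected = strlen($expected);
    $lenActual   = strlen($actual);
    if ($lenExpected === 0) {
        return $lenActual === 0;   // nothing secret to leak about an empty value
    }
    // A length mismatch is folded into the status word instead of returning early.
    $status = $lenExpected ^ $lenActual;
    // Loop over the supplied length so the iteration count does not track the
    // secret's length; wrap the index so reads of $expected stay in bounds.
    for ($i = 0; $i < $lenActual; $i++) {
        $status |= ord($expected[$i % $lenExpected]) ^ ord($actual[$i]);
    }
    return $status === 0;
}

// Server-side check of a signed request: recompute the HMAC over the payload
// with the shared key and compare it in fixed time. hash_equals() (PHP >= 5.6)
// does the same job and is the built-in to prefer in new code.
function verifySignature(string $payload, string $key, string $providedHex): bool
{
    $expectedHex = hash_hmac('sha256', $payload, $key);
    return compareFixedTime($expectedHex, $providedHex);
}

// Constructed demo values, not real credentials.
$key     = 'constructed-demo-key';
$payload = 'GET /api/orders?user=42';
$good    = hash_hmac('sha256', $payload, $key);
// Same signature with its first hex digit altered: must be rejected.
$bad     = substr_replace($good, $good[0] === '0' ? '1' : '0', 0, 1);

var_dump(verifySignature($payload, $key, $good));
var_dump(verifySignature($payload, $key, $bad));
var_dump(hash_equals($good, $bad));
```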

You want to do WHAT with PHP? Chapter 10

With the book out and released I now reach the final chapter excerpt that I will have. As I said in one of my previous chapter excerpts, I did not write this book to cover a wide range of topics. I wrote it to cover a narrow range of topics, more fully. But the topics I chose were based on my experiences as a Zend Consultant for several years. If you are someone with 2-5 years of experience (the typical requirement for a PHP job) you need this book. This book was born out of my experience dealing with code written by people with 2-5 years of experience, sometimes more.

This chapter is called "Preparing for success, preparing for failure". It contains a few pseudo-rules that can go a long way to helping you manage unexpected popularity of your website. In other words, to help you minimize the effects of 2-5 years of programming experience. 🙂 Those rules are not complete and there are plenty of exceptions, but knowing these things will help you be more prepared for handling things like load and failure.

via You want to do WHAT with PHP? Chapter 10.