Category: "LAMP"

Accelerate +

A side effect of accelerating development by assembling systems of available open source components is the risk of incompatibility.

In this case, one must choose between abandoning the component, or modifying it. My recommendation is almost always to abandon it, because it is often an issue with the platform and the age of the component.

This error:

Assigning the return value of new by reference is deprecated

was thrown by a great piece of software on a PHP 5 platform.

I checked the release date and it looks like the software is not being updated. So, I chose a different package.

As a general rule, I don’t modify open source code. I strive to understand how the developers intended for it to be used, and work within those constraints. There are a few occasions when I will apply a patch or a quick fix because there is no alternative, but not many.

This has business impacts. It is almost always less expensive to use existing code than to write new code. The tradeoff is that you accept a learning curve and some limitations to save time. Thus, the code must be powerful and flexible enough to meet the requirements and must be fairly easy to use. Anything that is too difficult to work with should be discarded quickly.

Accelerate - Focus on the end product, not the components

There is so much awesome open source code available, and some of it is very powerful. To build a powerful, cost-effective solution, the best approach is to use open source code to provide the bulk of the functionality, and then extend or integrate the remaining elements.

The complexity is in gracefully combining elements from diverse sources into a cohesive unit, and ensuring the design is manageable in the event that more than one application is used on the site.

The choice of components is extremely important. I think the only way you can really decide is to try them out.

Cleaning after a hack

Here are some tips for cleaning up after your site/server has been hacked.

Look at the files that don’t belong - find a common pattern. Most have one.

Use grep -rl pattern * to find all the affected files. If you pipe the output to a file, you can turn it into a script that can automatically delete them. However - be careful to leave any files that are important. Those will have to be cleaned up manually.

If you run into permission issues, where the files were created by ‘nobody.nobody’ or ‘apache.apache’, you can use PHP’s system command to run the rm commands as the web server user that owns the files, like so:


system('rm -f badfile.file');
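The grep step above, as an added example that is not part of the original post: shell functions that list files containing a marker string, leave out a hand-maintained keep list, and move the rest to a quarantine directory rather than deleting them (a substitution for the delete script, so the files stay available as evidence). The function names, the marker `x7marker` and all paths are constructed for illustration; GNU grep is assumed.

```shell
#!/bin/sh
# Added example. Marker string, file names and directories are constructed.
# Assumes GNU grep and file names without newlines.

# list_suspects PATTERN ROOT [KEEPFILE]
# Print files under ROOT that contain the literal string PATTERN, skipping
# paths listed in KEEPFILE (important files that must be cleaned by hand).
list_suspects() {
    # -r recurse, -l names only, -F literal match; "--" guards a leading "-"
    grep -rlF -- "$1" "$2" 2>/dev/null | sort |
    if [ -s "${3:-}" ]; then grep -vxFf "$3"; else cat; fi || true
}

# quarantine LISTFILE DEST
# Move each path in the reviewed LISTFILE under DEST (outside the web root),
# keeping its relative path, so the files survive as evidence. Prints the count.
quarantine() {
    q_moved=0
    while IFS= read -r q_file; do
        [ -f "$q_file" ] || continue          # entry already gone
        mkdir -p "$2/$(dirname "$q_file")"
        mv -- "$q_file" "$2/$q_file" && q_moved=$((q_moved + 1))
    done < "$1"
    echo "$q_moved"
}

# demo: build a constructed site, list suspects, then quarantine them.
demo() {
    d_tmp=$(mktemp -d) || return 1
    mkdir -p "$d_tmp/site/cache" "$d_tmp/site/tpl"
    echo '<?php /*x7marker*/ echo 1;'  > "$d_tmp/site/cache/a.php"    # dropped file
    echo '<?php /*x7marker*/ ?><html>' > "$d_tmp/site/tpl/index.tpl"  # infected, keep
    echo '<?php echo "clean";'         > "$d_tmp/site/ok.php"
    echo "$d_tmp/site/tpl/index.tpl"   > "$d_tmp/keep.txt"
    # In real use, read suspects.txt by hand before the quarantine step.
    list_suspects 'x7marker' "$d_tmp/site" "$d_tmp/keep.txt" > "$d_tmp/suspects.txt"
    quarantine "$d_tmp/suspects.txt" "$d_tmp/quarantine"
    rm -rf "$d_tmp"
}

demo
```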

Check your error logs and access logs, as well as your stats to find any additional files.

Avoid chmod 777 - although there are times when it is necessary. This is a hazard of administering a site through the web. An excellent alternative is to always chmod 755 after you edit those files, if possible. This won’t work for caches, template compilation directories, or file upload areas.

Don’t forget to escape the input, for both command lines and SQL statements, and validate on both the client and server side.

Be sure to identify how the hacker got in, whether it was an outdated application with security holes, SSH, your code, or some other failure. Resolve that issue.

Remember that there may be more than one symptom of the hack. My server was being used to distribute files and run a phishing scam (no page requests were processed when I found it), and there were links to other servers in hacked templates.

If you have a hosting company, it is good to contact them for help - especially if there is any sort of phishing or other financial scam involved.

Finally, sometimes it is better to delete a corrupted application, or reinstall it.

Good luck!

My Favorite Web Stuff

Template engine - Smarty (http://smarty.php.net)

Scripting language - PHP (http://php.net)

AJAX toolkit - dojo (http://dojotoolkit.org)

ACL library - phpGACL (http://phpgacl.sourceforge.net/)

Windows AMP server - XAMPP (http://www.apachefriends.org/en/xampp.html)

Audio Processor - SoX (http://sox.sourceforge.net/)

Content Management System - eZ publish (http://ez.no)

ecommerce - X-Cart (http://x-cart.com)

Blog - b2evolution (http://b2evolution.net)

Timecard - timesheet.php (http://freshmeat.net/projects/timesheet.php/)

Project Management - dotProject (http://www.dotproject.net/)

Browser - Firefox (http://mozilla.org) + Firebug plugin

Hosting Company - (http://hostforweb.com)

Map API - Google (http://code.google.com/apis/maps/)

LAMP Engineer

LAMP = Linux/Apache/MySQL/PHP (or Perl, Python)

A good LAMP engineer can use the whole stack to build graceful, cost-effective solutions. It is the synergy of the stack, with a good knowledge of each layer, that makes this skill set valuable.

Examples:

* Use a link to allow different paths to the same file. That way - a file that is used to deliver more than one page can be maintained from a single point.

* Use Apache rewrite rules, with a PHP/MySQL application to make a small amount of code deliver what appears to be a very large site.

* Choose the best solution, either using PHP system/exec calls or bash scripts to use operating system commands. No sense reinventing the wheel.

* Use PHP5 exception handling, combined with the Apache error log to track errors, or display them on pages gracefully.

* Enjoy the vast collection of excellent open source software available to push the limits