Lithium PHP Framework

Not actually news, but I have not posted about this yet: the Lithium PHP Framework announces itself as a lightweight, fast, flexible framework for PHP 5.3+. An email explains it as the Cake(3) successor (which is not an official statement, though), but I'm not involved enough in Cake development to say for sure.

More interesting is the list of features:

  • PHP 5.3+ only
  • lightweight test suite with code coverage and profiling filters
  • automatic api documentation using li3_docs plugins
  • easy integration with other libraries courtesy of the Libraries class and namespaces in 5.3
  • method filters with closures

And if that were not enough, most interesting were benchmarks placing it between Solar (faster) and Yii (slower). These are funny and interesting to read.

Posted in PHP Frameworks, Pressed, Tools

WordPress 3.0 now Feature-Freeze

Freezy breezy, not only over Europe but within the project as well: today, at 12:00 UTC/GMT, WordPress 3.0 went into feature freeze (Announcement).

Please see the updated reports as well: WordPress 3.0 Released to be shipped early next Week (June 12) and WordPress 3.0 Release Schedule Changes (April 23).

There was a slight shift in the development timeline in the last weeks which resulted in a hop from Feb 15th to March 1st. The other dates were shifted accordingly, making May 1st the new planned release date of WordPress 3.0. I think that date is promising and sporting at once; the roadmap still needs to be updated at the moment I write this.

As you may know, WordPress 3.0 is to ship with a multi-site feature that was previously available as the WPMU fork. The fork was merged into the core trunk, which led to a lot more code that is not always new, because both projects existed next to each other for quite a long time and were only loosely connected. In the end the MU fork did not get that much development attention, so at the end of May 2009 it was announced that both projects would be merged. Big sites like wordpress.com are running on the WPMU flavor according to the project's website.

So if the release really comes in May 2010, that will have become reality within the period of one year!

wordpress.com-like as well as BuddyPress-based sites will benefit from the new release. For the core project this means a lot more work. Comparing the original plans from December last year / January this year, I would assume that this bears more than estimated (so as of today I won't swear on May 1st as the release date), and it is likely that things will break in 3.0 for existing WP or MU installations. If you're a plugin developer, take care and jump in while beta testing is running. It will start in about two weeks if things work out well.

The period between freeze and beta is needed to get some UI/commit/workflow related issues sorted; the ticket related to the MU merge is #11644.

Next to the 3.0 release cycle and the merge, another important date should not pass unnoticed in the WordPress timeline. On January 22nd, 2010, the WordPress Foundation was officially established, which might create more stability in development for the .org and .com sides of the project as well as for sister projects like BuddyPress and all the plugins (canonical or not) that are interconnected in the WordPress domain.

Posted in Hacking The Core, Pressed, Reports | 3 Comments

Docblock comments and more in code guidelines / standards

In the recent WordPress Coding Standard discussion it became clear that multiple scenarios are not handled. While doing more and more WP development these days, the list of such things grows, so it's good to collect them and write them down. The following list contains those from my recent summary post, the discussions in comments here and there, and things I ran over with other developers while handling patches within the last week:

  • Comments: Write constants in comments UPPERCASE or lowercase? Generally it's an idiom to write constants all uppercase.
  • Comments: Optional variables. There are different notations on how to flag a variable as optional with the @param tag. Two I found within the code were (optional) and Optional.
  • Comments: @since version numbers. Since version 1, three-part dotted version numbers are used (e.g. 1.5.0), but sometimes you see 2.8 instead of 2.8.0.
  • Comments: Indentation after @tags and before their value. Sometimes it's aligned, sometimes not. Aligned is better to read, but is that the criterion?
  • Code organisation: External files should be properly flagged as such, so it's clear that the WordPress Coding Standards do not apply to them. A specification of how this is done in the project is needed.
  • Whitespace in the brackets on class instantiation with the new operator. Are those to be handled like function calls?
  • !empty( $blah ) or ! empty( $blah )? The first is without, the second with a space after the exclamation mark.
  • Should translation functions follow the rules defined for functions, or should there be exceptions for certain functions? But the question could be: if it won't work for every function, why do we do it then?
  • Array brackets: put spaces in there as well, like $array[ $key ]?
  • case with space? Like case 'all' :?

I might extend this list with new issues I run over or read about in the discussions. If you have patches that apply the already clear parts of the coding standard, you can attach them to Ticket #11971. Feel free to suggest your own issues in the comments on the coding standard post; I therefore closed comments here.

Posted in Pressed

HTML Entity Boundaries – Zero Padding

I can not say why, but the HTML specification does allow zero-padding of numeric character references [Reference needed]. Well, that sounds fair per se, but it does not give a limit. So strictly speaking, you can pad your numeric entities with gigabytes of 0s.

This really does not make much sense, because one should have been aware that documents need to be interpreted by systems with limited resources. Technically a parser could just filter out (drop) those zeroes from the input stream, but that might not be considered safe.

The good thing is, this leaves some playground. While testing diverse HTML encoding related routines with miqrogroove this morning (who has more and more cool plugins, btw.) I needed to find out about the limitations (a related ticket is #12284). I started the game by sending an entity of 1 MB to Firefox; just imagine the number of zeros in there: &#000...00065;
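The conservative way to handle such input on the decoding side is to not let the padding into the parser at all. The following is an added example, not code from the original post or from WordPress: a numeric character reference decoder whose pattern caps the digit run, so a reference padded with a megabyte of zeros simply never matches and stays literal text. The caps (7 decimal / 6 hex digits) and the function names are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the original post or from WordPress: a numeric
// character reference decoder that refuses unbounded zero padding by capping
// the digit run in the pattern itself. The limits (7 decimal / 6 hex digits)
// and the function names are assumptions made for this demonstration.

// Encode one code point as UTF-8 without depending on mbstring.
function utf8_chr($cp) {
    if ($cp < 0x80) {
        return chr($cp);
    }
    if ($cp < 0x800) {
        return chr(0xC0 | ($cp >> 6)) . chr(0x80 | ($cp & 0x3F));
    }
    if ($cp < 0x10000) {
        return chr(0xE0 | ($cp >> 12)) . chr(0x80 | (($cp >> 6) & 0x3F)) . chr(0x80 | ($cp & 0x3F));
    }
    return chr(0xF0 | ($cp >> 18)) . chr(0x80 | (($cp >> 12) & 0x3F))
         . chr(0x80 | (($cp >> 6) & 0x3F)) . chr(0x80 | ($cp & 0x3F));
}

function decode_numeric_refs_bounded($html) {
    // {1,7} and {1,6} bound the work per reference: a reference padded with a
    // megabyte of zeros never matches and is passed through as literal text,
    // so the decoder's cost no longer grows with the size of the padding.
    return preg_replace_callback(
        '/&#(?:[xX]([0-9a-fA-F]{1,6})|([0-9]{1,7}));/',
        function ($m) {
            // Group 1 is "" when the decimal alternative matched.
            $cp = ($m[1] !== '') ? hexdec($m[1]) : (int) $m[2];
            // Leave references outside Unicode or in the surrogate range as-is.
            if ($cp > 0x10FFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) {
                return $m[0];
            }
            return utf8_chr($cp);
        },
        $html
    );
}

// Constructed inputs: short references decode, the 1 MB padded one does not.
$padded = '&#' . str_repeat('0', 1024 * 1024) . '65;';
var_dump(decode_numeric_refs_bounded('&#65;&#0065;&#x41;'));
var_dump(decode_numeric_refs_bounded($padded) === $padded);
```

The output is UTF-8. Within the cap, zero padding is still accepted (`&#0065;` decodes to the same character as `&#65;`), so ordinary documents are unaffected; only the pathological case is rejected, which is the safer choice compared to silently dropping the zeros.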

Continue reading

Posted in Hacking The Core, Hakre's Tips, Pressed | 1 Comment

Free PHP Security Poster

The Germany-based security company SektionEins, which specializes in web application and PHP security, has a freebie on offer: you can download or order a PHP Security poster. They even send it in A0 format for free within the EU (European Union). It is available in English and German.

PHP Web Security Poster by SektionEins

I think this is a great opportunity for every PHP developer to get reminded on some things.

SektionEins is well known for its founder Stefan Esser, who has been successfully doing security research for years. A well known PHP extension, Suhosin, is part of many PHP installations. Just recently the Month of PHP Security has been announced for May 2010.

Posted in Hakre's Tips, Pressed

WordPress coders have no Class

Some days ago last month, Andrew Rickman blogged about the lack of object-oriented design in WordPress. He makes some very thoughtful statements, even if the article starts with a lot of assumptions that made it easy for me to misread it.

I share some of his experiences with the architectural design of WordPress and OOP:

  • Lack of Design and Architecture.
  • Developed by achieving specific things and extended on the way.
  • WP has a functional approach with variables in the global namespace. That contradicts the black-box character of objects.
  • Object-oriented code is not necessarily better, it is different.

Additional thoughts can be found in the comments; I think the article and discussion are worth reading for a calmer approach to the issue(s).

Part of the article is about whether it's easier for new developers or not. It is assumed that new coders understand functional programming better than object-oriented programming (which I do not know to really be a rule / the case). I think that question is totally irrelevant because you can do both in your plugins / themes. So this just is not an issue. The core won't change to pure OO code overnight, right?

Posted in Pressed

PHP Open Basedir degrades Security (Bonus)

Some hosters are using the open_basedir restriction because they think it makes hosting somewhat more secure. Normally it does not, because a hoster needing to enable it often shows that the system is not properly configured with respect to file access rights. A properly configured system would not need PHP to handle restrictions. And often open_basedir can be tricked because of flaws in the implementation; at least such problems were reported in the past.

Anyway, the funny thing is that a strong source of randomness often isn't available any longer when those hosters configure the open_basedir restriction: /dev/urandom.

For example, something like WordPress with phpass just does not benefit from it any longer if it was forgotten to allow access to it.
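Whether a given installation is affected is easy to probe. The following is an added example, not code from the original post, from WordPress or from phpass: it reads from /dev/urandom through the PHP stream layer (the same path a phpass-style fallback takes), first under the current configuration and then with open_basedir tightened at runtime to simulate the hoster's setting. The function name and the 16-byte sample size are assumptions.

```php
<?php
// Added example, not code from the original post or from WordPress/phpass:
// probe whether PHP can read /dev/urandom under the current open_basedir
// setting. Function name and the 16-byte sample size are assumptions.

function urandom_accessible() {
    $report = array(
        'open_basedir'     => ini_get('open_basedir') ? ini_get('open_basedir') : '(not set)',
        'urandom_readable' => false,
        'bytes_read'       => 0,
    );
    // fopen() goes through the PHP stream layer, so open_basedir applies to it
    // just as it does to the fallback read in phpass. The @ suppresses the
    // "open_basedir restriction in effect" warning so the result can be
    // reported instead of logged.
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh !== false) {
        $bytes = fread($fh, 16);
        fclose($fh);
        $report['bytes_read']       = strlen((string) $bytes);
        $report['urandom_readable'] = ($report['bytes_read'] === 16);
    }
    return $report;
}

// Baseline: whatever php.ini currently allows.
$before = urandom_accessible();

// Simulate a hoster's restriction for this script only. Since PHP 5.3 the
// setting can be tightened at runtime but never widened, so the baseline
// check has to come first.
ini_set('open_basedir', __DIR__);
$after = urandom_accessible();

printf("before: open_basedir=%s readable=%s\n",
    $before['open_basedir'], $before['urandom_readable'] ? 'yes' : 'no');
printf("after:  open_basedir=%s readable=%s\n",
    $after['open_basedir'], $after['urandom_readable'] ? 'yes' : 'no');
```

On a typical Linux host the baseline reports the device as readable and the restricted run does not. The hosting-side fix is to list /dev/urandom in open_basedir alongside the web root (the setting accepts several paths separated by the platform's path separator). Code relying on PHP 7's random_bytes() is not affected, since it obtains entropy from the kernel directly rather than through the stream layer.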

In for the security or in for the obscurity?

via: #12148

Posted in Pressed | 1 Comment

CSS Selector Code Smell

3-2-1: grab your QC environment and get ready for CSS today, because it just does not make sense to write CSS selectors like these:

#footer-widget-area #fourth {
	margin-right: 0;
}

Example 1: A bogus selector.

img#wpstats {
	display:block;
	margin: 0 auto 10px;
}

Example 2: Can make sense

The first example is pretty simple and the second is in the same vein, with the slight exception that it can make sense if the markup changes relative to the style-sheet definition, which would be bad semantics. Therefore that selector is not totally bogus, but still a smell.

These are two quickly picked examples out of the upcoming WordPress TwentyTen theme. It is not released right now, so it is a good field to test code smells on. Some regular expressions for sniffing around:

#[A-Za-z][A-Za-z0-9_:.-]*\s+#[A-Za-z][A-Za-z0-9_:.-]*
^\s*[A-Za-z]+#[A-Za-z][A-Za-z0-9_:.-]*

I bet there are more scenarios worth looking for, but those were two I just stumbled over while taking care of Ticket #9015. Just comment and I'll add them to the list.
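To turn the two patterns into something you can run over a whole stylesheet, here is an added example that is not code from the original post or from the TwentyTen theme. It applies both expressions with preg_match_all and reports the line of each hit; the second pattern needs the m modifier so that ^ anchors at every line start rather than only at the beginning of the file. The function name and the sample stylesheet are constructed for the demonstration.

```php
<?php
// Added example, not from the original post: apply the two sniffing patterns
// from the post to a stylesheet and report line numbers. Function name and
// the sample CSS are constructed for this demonstration (PHP 5.3+).

/**
 * Returns a list of array('line' => int, 'smell' => string, 'selector' => string),
 * one entry per match, sorted by line.
 */
function sniff_css_selector_smells($css) {
    $patterns = array(
        // Example 1 from the post: an id selector nested under another id.
        'id-under-id'     => '/#[A-Za-z][A-Za-z0-9_:.-]*\s+#[A-Za-z][A-Za-z0-9_:.-]*/',
        // Example 2 from the post: an element name qualified by an id.
        // The m modifier makes ^ match at the start of each line.
        'element-with-id' => '/^\s*[A-Za-z]+#[A-Za-z][A-Za-z0-9_:.-]*/m',
    );
    $findings = array();
    foreach ($patterns as $name => $pattern) {
        if (preg_match_all($pattern, $css, $matches, PREG_OFFSET_CAPTURE)) {
            foreach ($matches[0] as $match) {
                list($text, $offset) = $match;
                // Line number = 1 + newlines before the match's byte offset.
                $before = (string) substr($css, 0, $offset);
                $findings[] = array(
                    'line'     => substr_count($before, "\n") + 1,
                    'smell'    => $name,
                    'selector' => trim($text),
                );
            }
        }
    }
    usort($findings, function ($a, $b) { return $a['line'] - $b['line']; });
    return $findings;
}

// Constructed stylesheet: the two cases from the post plus a clean rule.
$css = <<<'CSS'
#footer-widget-area #fourth {
	margin-right: 0;
}
img#wpstats {
	display: block;
	margin: 0 auto 10px;
}
.widget-area ul li {
	padding: 0;
}
CSS;

foreach (sniff_css_selector_smells($css) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['selector'], $f['smell']);
}
```

For the constructed input this reports line 1 (`#footer-widget-area #fourth`) and line 4 (`img#wpstats`); the class-based rule is not flagged. One caveat when running the first pattern over real files: two hex colours in one declaration whose digits happen to start with a letter (`#abc #def`) also match it, so hits inside declaration blocks are worth a second look before filing them as smells.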

Posted in Hacking The Core, Hakre's Tips

References to the Max

It's somehow hard to understand: PHP variables and how they reference the according data. This blog post is a collection of articles related to the topic and a short review of those I found valuable. Maybe there are more important ones; please let me know via the comments.

The story behind this post is that within the WordPress project we currently still need to keep PHP 4.3 backwards compatibility. One topic related to the differences between the outdated 4.3 version and the current 5.2 version is the handling of values for object variables.

I saw some issues within the core code and asked in some tickets (#11663, #11780) about how to handle them. It was important to me to get feedback from core developers, because in other situations, when it came to references in a patch, nothing concrete was available and specs were missing. That led to a situation where certain myths and wrong information circulate, at least partly wrong information. I do not like that and would love to see this clarified.

I thought: well, even if we're currently wrong about the topic, it would be good to have a spec or similar at least to refer to while trying to figure things out. And while discussing this in IRC yesterday, we came to the point that it's often a question of how a value is to be used rather than its type only. For example, in PHP 5 passing or returning references can be counter-productive, whereas in some cases in PHP 4 they are needed to get certain functions in WordPress to work.

Functions returning cache objects were named as examples where that is the case. Otherwise those objects would get copied on change and the changes would not be reflected overall in memory and/or within the database or on disk occasionally. And the cache should be something it's possible to write into.

Another thing is the $this variable. By PHP documentation that one is "by reference" automatically, so there never is a need to prefix it with a &-sign. But within the core code this is done all the time when it is passed into the hook system. Myth or reality? At least that's the documented behavior.

But those are some aspects of the problems within the WordPress project only. In general the topic is not easy to understand and I thought it's time to collect some valuable resources. On the way to do so, I found some pretty interesting texts, including one that mathematically proves why the topic is hard to get, because the implementation in PHP comes with its flaws. Continue reading
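The two WordPress cases above (a function returning a cache, and $this handed to the hook system) can be checked directly. The following is an added example, not code from the original post or from WordPress core; class and function names are made up for the demonstration and it runs on PHP 5.2 and later. It shows that a cache object returned without & is still shared in PHP 5, that an array is the case where & actually matters, and that an object passed through a plain function call reaches the callback without any &. On PHP 4, where objects were copied on assignment, the first of these checks would fail, which is exactly the compatibility gap the post is about.

```php
<?php
// Added example, not from the original post or from WordPress core: what the
// & does and does not change in PHP 5.x. Names are made up for the demo.

class Cache {
    public $items = array();
}

// Returned *without* & on the function name. In PHP 5 an object variable
// holds a handle, so every caller gets the same instance anyway.
function get_object_cache() {
    static $cache = null;
    if ($cache === null) {
        $cache = new Cache();
    }
    return $cache;
}

// Arrays are values: returned without &, the caller receives a copy.
function get_array_cache() {
    static $cache = array();
    return $cache;
}

// Returned with & and bound with =&, the caller works on the stored array.
function &get_array_cache_ref() {
    static $cache = array();
    return $cache;
}

// A hook-style dispatcher: the object travels through two plain calls.
function run_hook($callback, $arg) {
    call_user_func($callback, $arg);
}

class Widget {
    public $title = 'untitled';
    public function register() {
        // Passing $this without & is enough in PHP 5. Writing &$this here
        // (call-time pass-by-reference) is deprecated in 5.3 and a fatal
        // error from 5.4 on, so the habit actively hurts.
        run_hook('rename_widget', $this);
    }
}
function rename_widget($widget) {
    $widget->title = 'renamed';
}

// Object cache: a change made through one handle is seen through another.
$c = get_object_cache();
$c->items['k'] = 'v';
var_dump(get_object_cache()->items === array('k' => 'v'));

// Array cache without &: only the copy was changed, the static stays empty.
$a = get_array_cache();
$a['k'] = 'v';
var_dump(get_array_cache() === array());

// Array cache with &: the static itself was changed.
$r = &get_array_cache_ref();
$r['k'] = 'v';
var_dump(get_array_cache_ref() === array('k' => 'v'));

// $this through the hook without &: the callback renamed the real widget.
$w = new Widget();
$w->register();
var_dump($w->title === 'renamed');
```

All four checks print bool(true) on PHP 5.2+. The practical rule the demo illustrates: in PHP 5 the & is needed for shared arrays and scalars, not for objects, and writing it on $this is the part that later PHP versions reject outright.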

Posted in Hacking The Core, Hakre's Tips | 2 Comments

The short memory of WordPress.org security

For the WordPress project it's said: if you find a bug, report it. That's the same if it is security related. Those who feel, for whatever reason, uncomfortable publicizing it in Trac directly can shoot an email to security@wordpress.org. So Trac is not the only option. But it is one.

But do not think that if you report a security related bug it will get fixed sooner or later. For example, the bug related to last year's WordPress worm was open for a very long time, even after it had been reported for months (and from what I've read in the source code this bug must have been known for even longer). A patch had been provided, but it took about four months or so before it finally got committed. That was a public report. If I remember correctly, no correct credits were given for the report and fix. A full report on that issue is still missing; I might write about it in a blog post of its own. Continue reading

Posted in Hacking The Core, Patched, Pressed | 10 Comments

Dion Hulse (dd32)

Name: Dion Hulse
Profile: Dion Hulse on WordPress.org
Nick: dd32
IRC: dd32
Trac: dd32
Aka: -/-
Commit Access: ca. 2010-01-12
Birthday: 25 Sep 1987
Topics: Filesystem; Transports; Plugins

Posted in Persona, WordPress Persona

My site’s been hacked – now what?

Just a quickie to link to Google Webmaster Central: My site’s been hacked – now what? which provides some googly tips on how to handle such a situation.

Posted in Hakre's Tips

Twiggy Miggy Ziggy Biggy

Some days ago I posted about Twig, an open PHP template language. I had not added much detail or discussion about Twig in that short post.

In "In Response to Fabien Potencier: Twig & PHP Templating", Eli White, another PHP programmer, handles some feedback and discussion related to Twig and the concept(s) behind it, as well as answering Fabien Potencier's own blog post regarding Twig.

The discussion is of a somewhat general character, and what I like here is that Fabien Potencier as well as Eli White both argue in a fairly professional form within their articles.

Posted in Pressed, Tools

Andrew Ozz (azaozz)

Name: Andrew Ozz
Profile: Andrew Ozz on WordPress.org
Nick: azaozz
IRC: azaozz
Trac: azaozz
Aka: Mr. Visual Editor
Commit Access: ca. 2008-07-15
Topics: Visual Editor / TinyMCE

Posted in Persona, WordPress Persona

WPDB include problems in wordpress 3.0

From time to time my brain reminds me that there is a major bug within WordPress concerning the re-instantiation of the WordPress database class. When a replacement class is in use, the original WPDB one will get re-created under certain circumstances instead of the replacement one. That breaks the modular DB replacement concept once introduced.

This bug is not widely known because right now not many users are replacing the database class. With WordPress 3.0 it will become more popular to replace it, because currently it got replaced in the MU merge with a hyper-mega-f!#$-db (say it with Scooter: hyper, hyper!) which has an enormous overhead in single-site setups and consists of a lot of legacy code.

Just to remind you: previous to the merge I did some overhaul of the wpdb class for development purposes (refactoring, improvements, security, stability, optimization and all that stuff), and since the 3.0 release is coming closer, those deficiencies will be quite a hot topic sooner or later. You must imagine that the MU class is based on even older code, so this will be fun.

I wish we get the replacement related bugs out in 3.0 so that everybody is able to use the wpdb implementation she or he likes best without any flaws in the (currently broken) API. Go Go Gadget.

Posted in Hacking The Core | 4 Comments

Enhancing Feeds: Show your Name with Feedname

By default the feed contains the name of your blog as each entry's author, and that's it. If you want to personalize your feed, for example with the name of the author of a certain entry, there is a little plugin already available called Feedname.

I wrote it some months ago, but it still does its job, plain and simple.

You can edit the plugin file to change the default settings; that version offers two placeholders:

// %author%    - replaced with the author's name
// %blog-name% - replaced with the blog's name
$pluginFeedname = new Feedname_Plugin('%author% blogging on %blog-name%');

Posted in Enhancing Feeds, Plugin Plugout

Coding Standards Summary of the last Week

The last week gave us some more feedback regarding the WordPress coding standard. In general the current standard seems accepted, but some areas were highlighted in comments where problems might arise with the current definition (this list is also an attempt to get that into order, the most important on top):

  1. This is more about applying the current standard than switching to a new one or adding new stuff.
  2. The biggest problem, next to the fact that the standard is not well defined, is that it isn't applied to the codebase in full.
  3. Improvements to the code can simply be provided as a patch in #11971.
  4. It was said that if there is a problem in the documentation, that should be fixed. Rules must be simplified and clarified. The standard should not be that complex, and should be easy to adopt.
  5. A single file should be provided containing correct usage; it can be more easily looked over.
  6. Current bracket (the round ones) usage is questioned / not well defined for functions with or without arguments or for certain types of functions (i.e. translation). Additionally, in the code this has not been handled consistently, and the mailing list email (the documented root of the WordPress coding standard) describes bracket usage differently from the Codex page. So this is a point to be clearly defined and applied. The Codex page might be in error.
  7. PHP files are closed with a ?> at the end (despite the critique).
  8. There are more topics, but improvements should be applied step by step to go further.

This is a first summary. Relating to the current standard, there was only little feedback given about what it is good for / not good for in its general usage over the years. Whether this relates to the topic or to the concrete standard, I can not say.

Additionally, the files that are linked in from third party projects (external libraries that ship with WordPress) should be tagged as not to be changed due to coding standards, because they are not part of the project. For example, adapting the SimplePie sources to the WordPress coding standards is hard to imagine at all.

Previous: WordPress Coding Standards – How to go on? (18 Jan 2010; by hakre)
Follow Up: PHP Code Sniffer, Eclipse and WordPress (6 Mar 2010; by hakre)

Posted in Hacking The Core | 4 Comments

Enhancing Feeds: Limiting the Comments Feed

In a recent ticket (#7092), redsweater was asking for a missing feature: a separate setting for limiting the number of comments in the comments feed. He runs multiple sites with such high user traffic, resulting in so many comments, that it was his wish to have more control over the number of comments listed in the comments feeds. By default it's limited to the value set for the standard feed, but that was no longer a pleasing option for him.

Separate Setting for Limiting Comments Feed

There is actually a patch and a plugin offered in Trac. So it's quite new (3 weeks ago) and quite untested, but if you're missing that feature as well you can give the patch or the plugin a try, whichever is the best option for your site. The patch might become part of the core code some day. Let's see.

For those missing that option, this is a path to follow. The patch was provided by Nacin; I wrote the plugin. Redsweater himself was not very happy about the plugin provided because he really wants to see this setting as part of the main product and not inside a plugin. If that is your wish too, please support him and the ticket. I think it's a useful setting for active sites.

All Posts of the Enhancing Feeds Series

Posted in Enhancing Feeds, Plugin Plugout

Enhancing Feeds: Technorati Full Feeds

I'm starting a new series. I will call it Enhancing Feeds. Feeds are an important cornerstone in web publishing these days and WordPress has its part in it. But from time to time you can not do what you might want, or the feeds do not do what you want. Whatever comes first.

Technorati Full Feeds

The first post in this series is about some changes Technorati made to their system. They now need the full feed of your blog, otherwise they won't give a shit any longer (as the British say). Luckily, there is already a WordPress plugin available that takes care of this: Technorati Full Feeds.

Consider using it if you're using Technorati; it's that simple.

Posted in Enhancing Feeds, Plugin Plugout

Twig PHP template

Marketing is often referred to as black magic. It looks like within the PHP community some coders know how to deal properly with it, when you see this list of adjectives for the Twig template language (isn't that a template engine?):

Twig, the flexible, fast, and secure template language for PHP

So it's flexible, fast and secure. And a language! What more do you want? I think it's worth a link. At least I would consider that one a replacement for Smarty. Catch it if you can. I wonder if this might work with WordPress themes. Would be fun to find out.

Posted in PHP Template Language, Pressed, Tools | 3 Comments