  • Stuart on PHP - » 2008 » March
    … too painful to do.

    About The Author: Stuart has been writing PHP applications since 2003, and has been contributing to open source software since 1994. He was an early writer for php|architect, a co-author of the Official Zend Certification Study Guide for PHP 4, and a regular speaker at conferences and user groups since 2004. When he's not designing software, Stuart loves to explore the world through a camera lens, spend time with his beloved guitars, and continue his study of T'ai Chi Ch'uan (Taijiquan).

    Using mpm-peruser To Secure A Shared Server
    Posted by Stuart Herbert on March 20th, 2008 in The Web Platform. Tagged with: advice, apache, architecture, hosting, performance, php, security, servers, web.

    The challenge with securing a shared hosting server is how to secure the website from attack, both from the outside and from the inside. PHP has built-in features to help, but ultimately it's the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive. This has created a gap that a number of third-party solutions have attempted to fill. One solution you may have heard of is mpm-peruser, by Telana Internet Services. How well does it work, and how well does it perform?

    Contents: A Bit of History; Installing mpm-peruser; Configuring Apache; Some Benchmarks; Other Considerations; Conclusions.

    Looking For A Great Mind Mapping Tool on OS X
    Posted by Stuart Herbert on March 6th, 2008 in Toolbox.

    Anyone know of a really great mind mapping tool for OS X? It's the one tool I haven't picked up since buying my beloved MBP in 2006. What I'm really looking for is something that supports a more 3D approach to mind mapping than the traditional tools do, which just mimic pen and paper at the end of the day. I feel constrained with having to hang all the nodes off a single central node; rich detail just doesn't work like that, where things are much more interconnected. Ideally it can cope with thousands of nodes, and support storing rich text or HTML in the notes at each node too. Don't want much, do I? If you've got a favourite tool for this job, please leave a comment below. Ta. …

    Original URL path: http://blog.stuartherbert.com/php/2008/03/ (2016-05-02)


  • Stuart on PHP - » 2008 » January
    … To Secure A Shared Server
    Posted by Stuart Herbert on January 18th, 2008 in The Web Platform.

    The challenge with securing a shared hosting server is how to secure the website from attack, both from the outside and from the inside. PHP has built-in features to help, but ultimately it's the wrong place to address the problem. Apache has built-in features too, but the performance cost of these features is prohibitive. This has created a gap that a number of third-party solutions have attempted to fill. One of the oldest of these is suphp, created by Sebastian Marsching. How well does it work, and how well does it perform?

    Contents: suphp: Running PHP As A Specified User; Installing suphp; Configuring Apache; Some Benchmarks; Other Considerations; Conclusions.

    suphp: Running PHP As A Specified User

    Like Apache's own suexec, suphp is a solution that allows PHP to run as the user and group that owns any particular website on a shared hosting server. suphp consists of two components:

    - mod_suphp, an Apache module that replaces mod_php;
    - suphp, a setuid binary that replaces Apache's suexec.

    It relies on PHP-CGI having been installed onto the server first.

    Installing suphp

    suphp is compiled and installed in the same way as any other Apache module. These instructions are for Apache 2.2, but they will work fine for Apache 2.0 as well. You can run suphp on Apache 1.3 too. Gentoo Linux and Seed Linux users can skip these instructions: you can install suphp using `emerge mod_suphp`.

    Download the suphp source code from the website. Unpack the tarball somewhere, like this:

    [code]
    tar zxf suphp-0.6.2.tar.gz
    cd suphp-0.6.2
    [/code]

    Next, run the configure script:

    [code]
    ./configure --with-setid-mode=paranoid --with-min-uid=1000 --with-min-gid=100 \
        --with-apache-user=www --with-logfile=/var/log/apache2/suphp.log \
        --with-apxs=/usr/sbin/apxs --with-apr=/usr/bin/apr-config
    [/code]

    You'll need to adjust some of these settings to suit your local operating system:

    - --with-min-uid sets the lowest user id that PHP is allowed to run as. Check your /etc/passwd file to see just how low this needs to be set.
    - --with-min-gid sets the lowest group id that PHP is allowed to run as. Check your /etc/group file to see just how low this needs to be set.
    - --with-apache-user tells suphp which user Apache will be running as.
    - --with-logfile tells suphp where to write log messages to. I recommend that you configure suphp to write its logfile in the same directory that Apache would normally write its log files.
    - --with-apxs tells suphp where to find the Apache util that's used to help build Apache modules.
    - --with-apr tells suphp where to find the Apache Portable Runtime (apr-config) util.

    It's worth pointing out that there are several different options to choose from for the --with-setid-mode config. Check …

    Original URL path: http://blog.stuartherbert.com/php/2008/01/ (2016-05-02)

  • Stuart on PHP - » 2007 » December
    … is the first place to look if PHP isn't working, although the log messages can be a little terse and cryptic. For reference, here is the Apache config from my test system:

    [code lang="apache"]
    ScriptAlias /php5-cgi /var/www/localhost/cgi-bin/php-cgi
    Action php5-cgi /php5-cgi
    AddHandler php5-cgi .php
    AddDirectoryIndex index.php index.phtml

    <VirtualHost *:80>
        DocumentRoot /var/www/localhost/htdocs
        <Directory /var/www/localhost/htdocs>
            Options Indexes FollowSymLinks ExecCGI
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        SuexecUserGroup stuart users
        AddHandler php5-cgi .php
    </VirtualHost>
    [/code]

    Configuring suexec For Shared Servers

    I mentioned earlier that there was a problem with using suexec + PHP-CGI on shared servers: the very environment where suexec is needed the most. In one of the steps above, we created a copy of the PHP-CGI executable, and changed its ownership on disk to match the ownership of the website:

    [code]
    chown stuart:users /var/www/localhost/cgi-bin/php-cgi
    [/code]

    What happens when we have two websites, each owned by a different user? Or five, or ten, or hundreds? Apache's suexec will refuse to re-use this copy of the PHP-CGI executable for each of the websites, because it isn't owned by the right user and group. Each website needs its own copy of the PHP-CGI executable, owned by the user and group that owns the website itself. We don't want to create hundreds of copies of the actual PHP-CGI executable (it's a large waste of space, and a pain for managing PHP upgrades), so instead we can point each website at its own copy of a simple bash script:

    [code lang="bash"]
    #!/bin/bash
    # run the central PHP-CGI binary, passing through Apache's arguments
    /usr/bin/php-cgi "$@"
    [/code]

    This script simply executes our central copy of the PHP-CGI executable, passing through whatever parameters Apache has called the bash script with. To configure Apache to use this script, simply move the ScriptAlias statement from outside the VirtualHost config to inside.

    Some Benchmarks

    Because Apache is having to execute a new suexec process every page hit, and suexec executes a new PHP-CGI process every page hit, it's going to be slower than running mod_php. But how much slower? To find out, I used Apache's ab benchmarking program to load a phpinfo() page 1000 times. I ran the benchmark five times and averaged out the results:

    - suexec: average of 127.219 seconds
    - suexec + bash script: average of 134.836 seconds
    - mod_php: average of 3.753 seconds

    suexec on its own is some 34 times slower than using mod_php. suexec + the bash script needed for shared hosting environments is even worse, at 36 times slower than using mod_php. This benchmark doesn't provide the full picture. Once you take into account the extra memory used by the suexec method, and the extra memory and CPU and process context switches required to transfer output from PHP-CGI to Apache to send back to the website's user, the final cost of using suexec + PHP …

    Original URL path: http://blog.stuartherbert.com/php/2007/12/ (2016-05-02)

  • Stuart on PHP - » 2007 » November
    … in PHP could ignore safe_mode and just open any files that it chooses (and that Apache can see). The PHP developers audit the official PHP extensions to make sure none of them can be abused like this, but when it comes to third-party extensions, you're on your own. Sadly, PHP is just the wrong place (architecturally) to solve this security problem, and as a result safe_mode will not be part of PHP 6. If you currently rely on safe_mode to secure your servers, it's time to start looking at other ways to secure your shared hosts. I hope you'll find my next article or two about alternatives both useful and timely.

    Restricting Access With open_basedir

    The second PHP feature that helps is open_basedir. Although it's documented as part of the safe_mode section of the PHP Manual, to all intents and purposes it is a separate feature that can be switched on and off without requiring safe_mode. safe_mode doesn't care where a file on disk is; all it cares about is who owns the file. open_basedir is the orthogonal feature: it doesn't care who owns a file, only where the file exists on disk. You tell PHP which directory it is allowed to open files from, and PHP makes sure that all attempts to access files outside that directory will fail. The idea is to set up each website so that PHP is only allowed to open PHP files installed for that website.

    Switching On open_basedir

    The open_basedir setting can be edited in php.ini, but to be honest that makes little sense on a shared hosting server. You're much better off putting this configuration into the httpd.conf entry for each individual website:

    [code lang="apache"]
    <VirtualHost *:80>
        ServerName www.example.com
        DocumentRoot /home/customer1/public_html/www.example.com
        php_admin_value open_basedir /home/customer1/public_html/www.example.com/
    </VirtualHost>
    [/code]

    There's one gotcha with open_basedir that you need to pay close attention to. Despite the name, PHP doesn't expect open_basedir to be the name of a directory; it treats it as a prefix. The check PHP uses is something like this:

    [code lang="php"]
    function check_open_basedir($file)
    {
        // resolve any symlink
        $file = realpath($file);
        $open_basedir = ini_get('open_basedir');

        // check to ensure $file is inside $open_basedir (a plain prefix test)
        if (substr($file, 0, strlen($open_basedir)) !== $open_basedir) {
            return false;
        }

        return true;
    }
    [/code]

    To make sure that PHP treats open_basedir as a real directory, always put a slash at the end of the value for open_basedir.

    open_basedir and PHP 6

    For the moment at least, open_basedir will continue to be supported in PHP 6. There's a slight change to how it is configured (with PHP 5, you can set open_basedir in .htaccess files; with PHP 6, you have to put it in httpd.conf or php.ini), but the actual functionality stays the same. open_basedir is vulnerable to the same theoretical circumvention as safe_mode, so be careful when installing third-party PHP extensions onto a shared server.

    Where Do We Go From Here?

    I've looked at two solutions implemented by PHP 4/5 to help make a shared hosting server more secure:

    - safe_mode stops you opening up files owned by other customers, but it has the side effect that your web application cannot create files of its own. This feature has been removed from PHP 6.
    - open_basedir stops you opening up files outside the specified directory on disk. This feature is still in PHP 6, but can now only be configured from php.ini and Apache's httpd.conf.

    Both features rely on third-party extensions supporting them. It's perfectly possible for a third-party extension to choose to bypass both features, thus re-creating the security hole we're trying to close. In terms of our challenge, both features come close to solving it, but neither is 100% guaranteed to do so. Data security isn't just a legal obligation; it's also a moral one, and you can't meet your moral obligation using these features alone.

    Fundamentally, PHP is the wrong place to solve this problem. PHP is trying to overcome a security weakness that it has inherited from Apache (and all other web servers; this isn't a problem specific to Apache), and in turn they are constrained by the security model implemented by UNIX systems themselves. Moving up the stack: if the problem can't be fixed in PHP, maybe Apache can offer some help. I'll take a look at that in the next article.

    This article is part of The Web Platform, an on-going series of blog posts about the environment that you need to create and nurture to run your web-based application in. If you have any topics that you'd like to see covered in future articles, please leave them in the comments on this page.

    The Challenge With Securing Shared Hosting
    Posted by Stuart Herbert on November 21st, 2007 in The Web Platform.

    Many thanks to everyone for their feedback on my first post in this series. Most of us started out hosting our code on shared hosting, whether it was on a box provided by an ISP, something we rented ourselves, or something we built so that we had somewhere to host the websites we …

    Original URL path: http://blog.stuartherbert.com/php/2007/11/ (2016-05-02)

  • Stuart on PHP - » 2007 » October
    What's Wrong With The Existing MSSQL Extension For PHP? (or: why do we need an improved SQL Server extension for PHP?)

    The existing MSSQL extension works well, but has a few practical limitations that have to be worked around:

    - Limited to varchar(255) support. SQL Server 2000 and later support varchar columns longer than 255 bytes in size, but unfortunately the old TDS-based MSSQL extension can only support up to varchar(255).
    - No support for unicode columns like nvarchar. The size of a varchar column is specified in bytes, not characters. If you're working with UTF-8 or UTF-16 encoded data, one non-ASCII character takes up multiple bytes of space. This cuts down on the number of characters you can store in a varchar field, and it makes things like HTML form validation, er, interesting. nvarchar, by contrast, is advertised as a variable-size datatype for storing multi-byte characters: nvarchar(255) holds 255 characters, not 255 bytes.
    - No PDO drivers. Although there's some debate about the performance merits of PDO, PDO's prepared statement support is a real boon when it comes to preventing SQL injection attacks.
    - Poor error reporting. The MSSQL extension doesn't provide an equivalent to mysql_error() et al, which is a bit of a pain.

    At the moment I've no idea whether Microsoft's extension addresses any of these issues. There's no documentation online, just a .exe file that isn't going to run under OS X. I'll have a look at it when I get to my Windows PC at work, and see what it can and can't do.

    Six Classic Ways To Group Your Web Servers
    Posted by Stuart Herbert on October 15th, 2007 in The Web Platform.

    Many thanks to everyone who commented on my recent article and said they'd be interested in a series of posts about more server-oriented PHP topics. There were quite a few requests for a "ten point"-type article introducing the subject, so that seems to be a good place to kick things off.

    Building Blocks

    There are six classic ways to group and organise the servers that your web-based application runs on.

    Shared Hosting

    Shared hosting, like the name implies, is where you cram many different websites (normally owned by many different people) onto the same physical box. The upside is that they're very cheap, because you're not paying for an entire server, only …

    Original URL path: http://blog.stuartherbert.com/php/2007/10/ (2016-05-02)

  • Stuart on PHP - » 2007 » July
    … nothing. So let's see if we can find some reasons to chivvy them along. Here are the arguments I've been making for the last 3 years to the pointy-haired bosses that many technical folks ultimately have to answer to. What commercial arguments have you tried in your workplace? Post the good ones that have worked in the comments below, or on the Net on your own blogs, for us all to share. Stu …

    Original URL path: http://blog.stuartherbert.com/php/2007/07/ (2016-05-02)

  • Stuart on PHP - » 2007 » April
    … after reloc: Permission denied

    This is an error message from SELinux, which is enabled by default on RHEL5. The error has been triggered because the PHP runtime code contains text relocations: a situation where the code inside the .so has to be writable in memory. The definitive place to look for information about text relocations, and the risk they pose to the security of your server, is this page from Ulrich Drepper.

    The quick workaround is to run this command on your server:

    [code]
    chcon -t textrel_shlib_t modules/libphp4.so
    [/code]

    This command tells SELinux to allow text relocations inside the libphp4.so Apache module. Use the command

    [code]
    chcon -t usr_t modules/libphp4.so
    [/code]

    to reverse the effect if you need to.

    There are a couple of serious downsides to this workaround. The first one is that it disables one of the protections that SELinux provides: it makes your server more vulnerable to security exploits targeted at the PHP runtime itself. The second problem is that your server uses more memory per Apache process, because each Apache process ends up with its own copy of PHP.

    One fix is to recompile your copy of PHP 4 using the --with-pic configure option. This produces a copy of PHP that doesn't contain text relocations. In theory (I haven't tested this yet) it should also be able to handle more concurrent connections on a server before the server runs out of RAM. Using Apache's ab benchmarking app, my results suggest that PHP 4 w/ --with-pic is about 0.7% slower: small enough not to matter for many folks.

    There's a second way to avoid text relocations: don't compile with --with-pic, and use the prelink tool instead. This tool, run from the command line, works out the text relocations once, and then writes the data back to the binaries and libraries. From my testing, this avoids the SELinux error, and performance-wise it's about 0.1% faster than PHP w/ text relocations, and about 0.8% faster than PHP 4 w/ --with-pic. This approach should also bring the reduced memory usage that goes with the --with-pic approach, but I haven't done any testing to confirm this.

    Which approach is the best: PHP 4 w/ --with-pic, or using prelink? The downside of using prelink is that this approach is reported to be unsuitable for Linux installs configured to do address space randomisation. You also have to remember to re-run prelink every time you upgrade or re-install PHP. Using PHP 4 w/ --with-pic avoids these issues. …

    Original URL path: http://blog.stuartherbert.com/php/2007/04/ (2016-05-02)

  • Stuart on PHP - » 2007 » March
    … track record in designing, delivering and managing web-based solutions to large organisations. If you're a project manager, software developer, web site designer with XSL experience, or a systems administrator, maybe we have the right opportunity for your next role. …

    Original URL path: http://blog.stuartherbert.com/php/2007/03/ (2016-05-02)