
Blogged thoughts

by the www.akamarketing.com team

Archive for the 'PHP' Category

Top 25 dangerous coding errors ‘revealed’

Tuesday, January 13th, 2009

I usually spend a lot of time on BBC.co.uk each day (so RescueTime tells me anyhow) and while on it today I came across an interesting piece in the technology section about the publication of a near universally agreed document which lists the top 25 programming errors that we so-called professional developers occasionally let creep into our systems and applications.

According to The SANS Institute (a leading contributor to the document), which issued a press release yesterday (12th Jan 09):

the impact of these errors is far reaching with just two of them leading to more than 1.5 million web site security breaches during 2008.

The contributors to the document, which include SANS, MITRE, Microsoft, the US National Security Agency, the Department of Homeland Security and Symantec, believe it will have four major impacts:

  1. Software buyers will be able to buy much safer software.
  2. Programmers will have tools that consistently measure the security of the software they are writing.
  3. Colleges will be able to teach secure coding more confidently.
  4. Employers will be able to ensure they have programmers who can write more secure code.

In regards to the 3rd point above, I know that, with the exception of a passing remark or two about the need to validate input, I was not taught a lot about writing secure code during my computer science degree in college. In this day and age (web based/cloud computing) I think teaching secure coding is the way to go, so this list will definitely help.

Reading through the list, I notice a lot of the usual suspects are listed, such as input validation, cross site scripting, SQL injection and that old chestnut, hard-coded passwords, which I must admit gave me a chuckle just by its very inclusion in such a list. I guess if developers are still doing this then it must be included.

The fairly detailed press release from SANS is available at http://www.sans.org/top25errors/ while the document itself is located at http://cwe.mitre.org/top25/. There’s a printable PDF version available too which I suggest every software development manager or team leader makes compulsory reading for his or her programmers.

PHP to PDF conversion with TCPDF

Friday, July 25th, 2008

Recently I had a development client who, as part of a larger system, had a requirement to create a PDF based report from his clients' metrics, KPIs etc. which he could then forward on to them. It was simple numerical data, but for presentation purposes it was needed in PDF… you know, to look good.

In the past when budget was less of an issue I used PDFLib, a commercial library which these days is available as part of the core PHP package. This project however required me to look for a free alternative. I found TCPDF on Sourceforge. It had almost 80,000 downloads, good documentation, lots of examples and was being used by applications such as Joomla, Drupal, Moodle and phpMyAdmin so I said I’d give it a go.

Installation was easy, basically I just needed to copy the TCPDF folder to my www space and require() the main class file from PHP scripts that needed to create PDFs on the fly.

I have to say I found it quite a slow and tedious process to create the more complex dynamic PDFs with this library. However, this was because of what I was trying to do in the overall sense and was not the library's ‘fault’; after all, creating PDFs dynamically is quite different from creating web pages dynamically. The most frustrating parts were having to work out all the ‘maths’ for positioning elements and the fact that you can’t just press refresh to see if your latest line or two outputted as intended.

OK, to give you a feel for how the TCPDF class library can be used I’ll go through how I actually created the PDF report which my client wanted by providing a stripped down version of the code. The two interesting things about the report were that it had to have a table with all the data and that the page the table was on had to be presented in landscape style (because the table was wide). The table I output is related to golf and is very simple, but hopefully it will be a good TCPDF starting block for you.

Creating a table with TCPDF
Within the TCPDF class there are a couple of useful methods which enable me to output a nice table with DB data embedded in the cells. These are writeHTML(), writeHTMLCell(), Cell() and MultiCell(). I had to rule out Cell() for the most part as it does not support putting HTML into the cell data. Although I could have outputted a standard HTML coded table using writeHTML(), I went with MultiCell() in the end. The code below is similar to what I used; it produces this PDF (please right click and save as… otherwise your browser might crash). Be sure to change the line that says ‘FIX THIS LINE’… I had to remove the HTML because WordPress was acting the goat again. The full not-messed-up-by-WordPress version is available too.

<?php
// reference the class so you can use it (tcpdf.php is the main TCPDF class file)
require_once('tcpdf.php');

// create new PDF document
$pdf = new TCPDF();

// do not show header or footer
$pdf->SetPrintHeader(false);
$pdf->SetPrintFooter(false);

// add a page - landscape style ('L'); the default from the config file is usually portrait
$pdf->AddPage('L');

// set font
$pdf->SetFont('freeserif', '', 11);

// Colors, line width and bold font for the header
$pdf->SetFillColor(11, 47, 132); // background color of next Cell
$pdf->SetTextColor(255);         // font color of next cell
$pdf->SetFont('', 'B');          // B for bold, keep the current family
$pdf->SetDrawColor(0);           // cell borders - similar to border color
$pdf->SetLineWidth(.3);          // similar to cellspacing

$cols  = array('Rank', 'Player', 'Pts. Avg.', 'Total Pts.'); // column titles
$width = array(20, 50, 40, 30); // number of elements must correspond with $cols above

for ($i = 0; $i < count($cols); $i++) {
    // void Cell( float $w, [float $h = 0], [string $txt = ''], [mixed $border = 0],
    // [int $ln = 0], [string $align = ''], [int $fill = 0], [mixed $link = ''], [int $stretch = 0])
    // width from $width, height 7, bordered, next cell to the right, centred, filled
    $pdf->Cell($width[$i], 7, $cols[$i], 1, 0, 'C', 1);
}
$pdf->Ln(); // new row

// styling for normal non-header cells
$pdf->SetTextColor(0); // black

// the data - normally would come from DB, web service etc.
$rank      = array('1', '2', '3');
$player    = array('Tiger Woods,  USA', 'Phil Mickelson,  USA ', 'Padraig Harrington,  Irl ');
$playerWWW = array('http://tigerwoods.com/', 'http://philmickelson.com/', 'http://padraigharrington.com/');
$avgPts    = array('10', '9', '8');
$totPts    = array('100', '90', '80');

// create & populate table cells
for ($i = 0; $i < count($rank); $i++) {
    if ($i == 2) {                        // highlight Harrington because he's Irish...
        $pdf->SetFillColor(89, 239, 152); // green; in reality you might highlight profits/losses etc.
    } else {
        $pdf->SetFillColor(255);          // white for every other row
    }
    // link the player's name to his website (this is the line WordPress stripped the HTML from)
    // note: $player and $playerWWW go into HTML unescaped, fine for these fixed strings only
    $playerANDlink = "<a href=\"$playerWWW[$i]\">$player[$i]</a>";

    // int MultiCell( float $w, float $h, string $txt, [mixed $border = 0], [string $align = 'J'],
    // [int $fill = 0], [int $ln = 1], [int $x = ''], [int $y = ''], [boolean $reseth = true],
    // [int $stretch = 0], [boolean $ishtml = false])
    // $ln = 0 keeps the next cell on the same row; $ishtml = true only for the linked name
    $pdf->MultiCell($width[0], 7, $rank[$i], 1, 'C', 1, 0, '', '', true, 0, false);
    $pdf->MultiCell($width[1], 7, $playerANDlink, 1, 'L', 1, 0, '', '', true, 0, true);
    $pdf->MultiCell($width[2], 7, $avgPts[$i], 1, 'C', 1, 0, '', '', true, 0, false);
    $pdf->MultiCell($width[3], 7, $totPts[$i], 1, 'C', 1, 0, '', '', true, 0, false);
    $pdf->Ln(); // new row
}

// save the PDF to a file ('F'); use 'I' instead to send it to the browser
$pdf->Output('./pdfs/example.pdf', 'F'); // F for saving output to file

PDF creation and setup
OK, I’ll briefly go through this code then. The first couple of lines really just set up the PDF document or the pages within the document; please refer to the TCPDF class documentation for more information. The only real item of note here is the method for creating a landscape PDF page. The default AddPage() method takes no parameters, and with this a page is created with the default page style (as per the overall TCPDF config file), which is usually portrait style, so pass in an ‘L’ for landscape pages. It is possible to have some pages landscape and some portrait style in a single PDF document.

Table Header
The TCPDF class has a lot of methods for setting the style of elements. The styles set will apply to the next cell/element drawn. Most of them are obvious. SetFillColor() sets the background color of a cell when that cell is set to be painted or filled. The fun begins though when you actually start outputting cells (rectangles). The header is just plain text so I used Cell(). Cell() is well documented on the TCPDF site and it is easy to use. Its parameters, in order from left to right, are: width, height, cell text, border true or false, where the next cell should go, cell alignment, fill in cell true or false, an optional link and stretch options.

The $ln parameter (where the next cell should go) is useful if you want to build your tables vertically rather than horizontally. What I suggest is to leave it at 0 to go to the right and then call Ln() (kind of like what tr does in an HTML table) to start a new row. If the fill parameter is set to true the cell background will be the color set by SetFillColor() as mentioned above; if no fill color has yet been set, the background will be grey. My header is built by using a loop to create the four required cells. The first iteration in the loop will be:

$pdf->Cell(20, 7, 'Rank', 1, 0, 'C', 1);

which means create a cell of width 20 and height 7 with its value set to “Rank”. It should have a border, have its value centered and should have its background filled in.

Table Body
The main body of the table is very similar, but uses the method MultiCell() as we want the ability to output HTML as the cells’ value. A couple of arrays of data are created and populated. These will slot into the cells we are about to create. In reality the values of the cells will likely come straight from a DB or web service, but hardcoded arrays are fine for this sample.

MultiCell() has a lot of the same parameters which we have come across when using Cell() above, so I won’t mention them again. It also introduces a couple of new parameters including X and Y for setting the positional coordinates of a cell, Reseth, which resets the height of the last cell (without setting this to true you’re likely to get crazy looking tables… leave it at true and forget about it), and ishtml, which determines if the cell value can hold HTML or not. MultiCell()’s full definition is below.

int MultiCell( float $w, float $h, string $txt, [mixed $border = 0], [string $align = 'J'], [int $fill = 0], [int $ln = 1], [int $x = ''], [int $y = ''], [boolean $reseth = true], [int $stretch = 0], [boolean $ishtml = false])

It’s pretty simple to use. It provides power by allowing you to set the exact X and Y coordinates of a cell, but also ease of use in the sense that if you don’t specify values for X and Y it will just output at the current position (just like cell() does) so you don’t have to do any logic to get suitable X & Y values… in most cases anyhow.

After four calls to MultiCell(), which print one row of cells, we call Ln() to move to a new line. In fact we didn’t even need to do this, to be honest: we could have just changed the $ln parameter value from 0 (to the right) to 1 (to the beginning of the next line) on the fourth cell in each row. The code then would change from this:

$pdf->Ln(); //new row

to this (the fourth MultiCell() call of the row, with only $ln changed to 1):

$pdf->MultiCell($width[3], 7, $totPts[$i], 1, 'C', 1, 1); //$ln = 1 - go to the beginning of the next line

Personally I prefer the first way of doing things as it’s more obvious that a new line/row is being outputted.

Before the call to MultiCell() I changed the fill colour of the cells related to Padraig Harrington (for those that don’t know who he is… he’s a two-time golf Major champion from Dublin); I set them back to white for all other rows. Of course that’s more hardcoding; in a ‘real world’ scenario you might highlight your good figures in green and your bad figures in red.

Outputting the final PDF
When you’ve finished creating all the required cells, images, links, text etc. you have to call the Output() method to actually get your hands on your dynamically created PDF. This can take no parameters, in which case the PDF is sent to the browser; more commonly though, developers specify the filename and the destination of the generated PDF. The destination can be one of four values:

I: send the file inline to the browser.
D: send to the browser and force a file download with the name given by name.
F: save to a local file with the name given by name.
S: return the document as a string.

You can see my code sets the destination value as F:

$pdf->Output('./pdfs/example.pdf', 'F');

This tells TCPDF to save the dynamically generated PDF document in the pdfs folder with the name example.pdf. On Windows it’s not needed, but on Unix based machines you will need to set appropriate permissions on the pdfs (or whatever) folder so that the user the web server runs as can write the PDFs to it.

A little tip when you’re developing locally (as opposed to directly on your web host) and using ‘F’ for the destination parameter is to create your PDFs with a random filename so you can simply press refresh on the script that does the PDF creation logic. If you have a static filename as I do in this example (example.pdf) and you have the last generated PDF file (also example.pdf) open, TCPDF will not be able to write the PDF (as it is already open, so a sharing violation error will occur internally). What I often use for random filenames during development is sha1(microtime()); this means that to check changes I just need to press refresh on my PHP script and then visit my PDFs folder, without having to close previous versions of my PDF.

S is useful if you want to send the PDF as an attachment in an email without first saving it to disk somewhere.

Both I and D allow you to access the PDF quickly via the browser. A note about these two lads is this… Internet Explorer often looks at the extension of the file (which will be .php), assumes that the output will be HTML and thus will not present you with a PDF; it will likely present a load of binary data in the web page itself, which obviously is not what you want. Firefox handles both I and D perfectly, so I recommend using it during development. You obviously need to keep this in mind when you go into production too, as your users might have the same problem. It might be an idea to save to disk first, provide a link to the PDF and then periodically purge your temp PDFs folder.
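The same golf table again, as an added example that is not the post's own code: it treats the player names and URLs that would come from the DB or web service as untrusted (with $ishtml set to true MultiCell() parses whatever markup the string contains), allows only http(s) links, and saves the file under an unguessable name rather than sha1(microtime()). It assumes PHP 7.1+, tcpdf.php on the include path and a writable ./pdfs/ folder; the rows are constructed sample data.

```php
<?php
// Added example, not the post's code. Assumes tcpdf.php is on the include path.
require_once('tcpdf.php');

// Escape the label and only keep the link when the scheme is http or https;
// anything else (mailto:, script schemes, garbage) is rendered as plain text.
function safeLinkCell(string $url, string $label): string
{
    $text   = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), array('http', 'https'), true)) {
        return $text;
    }
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$href\">$text</a>";
}

// Report file name that cannot be guessed from the clock or the URL.
function reportFileName(string $dir): string
{
    return rtrim($dir, '/') . '/report-' . bin2hex(random_bytes(16)) . '.pdf';
}

// $rows is a list of arrays with keys rank, player, url, avg, total.
function renderGolfReport(array $rows, string $file): void
{
    $pdf = new TCPDF();
    $pdf->SetPrintHeader(false);
    $pdf->SetPrintFooter(false);
    $pdf->AddPage('L');                 // landscape, as in the post
    $pdf->SetFont('freeserif', '', 11);

    $cols  = array('Rank', 'Player', 'Pts. Avg.', 'Total Pts.');
    $width = array(20, 50, 40, 30);

    // header row: white bold text on dark blue, bordered and filled
    $pdf->SetFillColor(11, 47, 132);
    $pdf->SetTextColor(255);
    $pdf->SetFont('', 'B');
    $pdf->SetDrawColor(0);
    $pdf->SetLineWidth(.3);
    foreach ($cols as $i => $title) {
        $pdf->Cell($width[$i], 7, $title, 1, 0, 'C', 1);
    }
    $pdf->Ln();

    // body rows: only the player cell is HTML, and it is built by safeLinkCell()
    $pdf->SetTextColor(0);
    $pdf->SetFont('', '');
    $pdf->SetFillColor(255);
    foreach ($rows as $row) {
        $pdf->MultiCell($width[0], 7, $row['rank'], 1, 'C', 1, 0, '', '', true, 0, false);
        $pdf->MultiCell($width[1], 7, safeLinkCell($row['url'], $row['player']),
                        1, 'L', 1, 0, '', '', true, 0, true);
        $pdf->MultiCell($width[2], 7, $row['avg'], 1, 'C', 1, 0, '', '', true, 0, false);
        $pdf->MultiCell($width[3], 7, $row['total'], 1, 'C', 1, 0, '', '', true, 0, false);
        $pdf->Ln();
    }
    $pdf->Output($file, 'F');
}

// Constructed sample rows: one name carries markup, one link is not a web URL.
$rows = array(
    array('rank' => '1', 'player' => 'Tiger Woods, USA', 'url' => 'http://tigerwoods.com/',
          'avg' => '10', 'total' => '100'),
    array('rank' => '2', 'player' => 'Phil Mickelson, USA', 'url' => 'http://philmickelson.com/',
          'avg' => '9', 'total' => '90'),
    array('rank' => '3', 'player' => 'Padraig <b>Harrington</b>, Irl',
          'url' => 'mailto:someone@example.invalid', 'avg' => '8', 'total' => '80'),
);
$file = reportFileName('./pdfs');
renderGolfReport($rows, $file);
echo "Written $file\n";
```

In the third row the <b> tags appear literally in the cell and no link annotation is created, while the first two rows render exactly as in the post.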

I guess you could say that was kind of an introduction to TCPDF, my own introduction to it came from the TCPDF examples page. Thanks to Nicola Asuni for all her hard work on the examples and on TCPDF itself of course.

At this stage I’m really only learning TCPDF myself, so at the moment I can’t really comment on its real power yet. I’ve come across a couple of issues using it so far, but none were without workarounds. I imagine the commercially available libraries will outdo it, but for a library that’s free and relatively easy to use I offer my closing statement as… so far so good.

$_ENV, the Environment variable array is empty in PHP

Wednesday, February 13th, 2008

The environment variables are usually made available to your scripts via $_ENV, just like $_POST, $_GET etc. are. It seems however that the registration by PHP of these kinds of variables for use in your scripts is governed by a configuration option called variables_order in the php.ini file. By default many of the latest installs of PHP (and their associated php.ini files) will have this option set to ‘GPCS’, which stands for Get, Post, Cookie and Server (built-in) variables respectively.

Therefore if you find your phpinfo() function call returning a bucket load of environment related information but a print_r($_ENV) returns an empty array (), check the aforementioned setting and be sure to add E in there somewhere so as to instruct PHP to make environment variables available to you and your scripts.

While I’m not 100% certain, I believe the ordering of the letters is only important when you have the register_globals option set to on. If register_globals is set to on (off by default since 4.2 and ditched in 6.0) then PHP will make all the variable kinds (Post, Get etc.) specified in variables_order available as global variables, in the order you specified in that directive. Imagine for instance that you have ‘EGP’ specified in variables_order and register_globals set to on: if you have a variable called ‘Path’ in both the $_ENV and $_POST arrays, the value from the post array will overwrite the value from the environment array, and thus the global variable $Path will hold the information from $_POST and not $_ENV. If register_globals is turned off, you simply access all array indexes by their full name, such as $_ENV["Path"] and $_POST["Path"], and thus they are treated as 100% different variables.

PHP SQL Server connection problems - mssql_connect() [function.mssql-connect]: Unable to connect to server

Tuesday, February 12th, 2008

As pear (pun intended) usual, if I have what I believe is a useful solution to something I’ve spent an eternity trying to fix in my code I will try to put it up on the old blog for the benefit of others. The problem I was having for a large part of yesterday and earlier on this morning (Tuesday the 12th) related to the use of a PEAR based Database Abstraction Layer (DAL) module called DB. For those that don’t know, a DAL allows a developer to call generic database access code, which then in turn calls DB provider specific code. The advantage of this is that the developer can change the underlying database system by changing a single line of code in a connection string as opposed to all the DB access logic in his or her code.

The Database Abstraction Layer I was using, DB, is actually deprecated, but I was using it for legacy purposes as most of our existing PHP apps use it. The thing to remember with DALs is that ‘under the hood’ they will eventually call DB provider specific code, so problems with DB, any other PEAR DAL or indeed any DAL in general may not be caused by the DAL itself but in fact by the underlying DB provider specific code.

My problem in this case was that I just seemed to keep getting connection errors when I called the ‘connect’ function in DB. The code I used was similar to:

require_once('DB.php'); //makes the DB extension available to my code

//connection string for SQL Server database
$db = DB::connect("mssql://username:PaSsWoRd@dbhost/dbname");


and the error I got was DB Error: connect failed. As you can see my underlying database is SQL Server, as indicated by ‘mssql’ in the above code.
I’m not too sure about the more recent releases of DB (I was using one from 2003), but it seemed DB was not very useful from an error debugging point of view as it didn’t ‘bubble up’ all error messages and only spat out something very generic and very useless.

The thought struck me that perhaps the underlying PHP MS SQL function library was not enabled in the PHP configuration file. This turned out to be the case. Enabling it was as simple as adding a line or two into the PHP.ini file:


If you had called

$db = mssql_connect("dbhost", "username", "PaSsWoRd");

directly in your code, which the above PEAR DB code eventually did, you would have got a much more helpful error like the following:

PHP Fatal error: Call to undefined function mssql_connect() in…

which you would (hopefully) immediately diagnose as being related to the availability of the PHP mssql library itself and not DAL related.

After enabling the extension, I was still getting the DB Error: connect failed generic error from PEAR DB so I decided to work directly with the mssql_connect function to see if again it was a SQL Server issue. When I called mssql_connect I still couldn’t get a connection and got the error below so it was obviously not PEAR DB playing up.

PHP Warning: mssql_connect() [function.mssql-connect]: Unable to connect to server: servername

It turns out that my connection string was 100% correct; however, the version of the ntwdblib.dll file on my PHP box was not compatible with certain recent versions of SQL Server. According to the PHP website, ntwdblib.dll is required for the PHP MSSQL extension to work:

The extension requires the MS SQL Client Tools to be installed on the system where PHP is installed. The Client Tools can be installed from the MS SQL Server CD or by copying ntwdblib.dll from \winnt\system32 on the server to \winnt\system32 on the PHP box. Copying ntwdblib.dll will only provide access through named pipes. Configuration of the client will require installation of all the tools.

It seems that for whatever reason the very latest installs of PHP include a version of ntwdblib.dll that will not work with SQL Server 2003, SQL Server 2005 and, as far as I’m aware, SQL Server Express. The version of ntwdblib installed is likely to be 2000.2.8.0, when what you need in order to talk to recent versions of SQL Server is 2000.80.194.0. This file can actually be present in locations other than winnt\system32 depending on your platform and installation setup, so I suggest you do a search for it, check the version and, if it doesn’t end in 80.194.0, download the latest version from the UserScape.com site and use it to overwrite the existing version. In my case I installed PHP as a CGI on Windows Server 2003, so the file was present directly in the PHP folder. When I updated it and tried my code again everything worked fine, including the original PHP DAL DB::connect call.

In the end it turned out my problems were nothing to do with the PEAR DB module but were related to PHP's SQL Server functions. If you’re still having problems connecting to SQL Server from PHP I suggest you visit the relevant PHP page located at http://ie2.php.net/function.mssql-connect which contains a lot of user contributed information about ntwdblib.dll and other issues which may be causing your problems and associated pain.
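A check that works through the layers in the same order the post did, as an added example rather than the post's code: it confirms the mssql extension is loaded before anything else, then tries the raw extension (whose mssql_get_last_message() carries the server-side detail a DAL hides), and only then PEAR DB, pulling the full DB_Error text instead of the generic "connect failed". It assumes PHP 5.x with the mssql extension and PEAR DB installed; the credentials are read from environment variables (names chosen here) so the password is never in the script.

```php
<?php
// Added example, not the post's code. Assumes PHP 5.x, mssql extension, PEAR DB.
require_once('DB.php');

// Layer 1: is the extension enabled in php.ini at all?
function mssqlExtensionAvailable()
{
    return extension_loaded('mssql') && function_exists('mssql_connect');
}

// Layer 2: the raw extension. On failure return the server/client library message.
function rawMssqlCheck($host, $user, $pass)
{
    $link = @mssql_connect($host, $user, $pass);
    if ($link === false) {
        return 'mssql_connect failed: ' . mssql_get_last_message();
    }
    mssql_close($link);
    return 'ok';
}

// Layer 3: PEAR DB. DB_Error extends PEAR_Error, so getUserInfo() still has the
// native error text even when getMessage() only says "connect failed".
function pearDbCheck($dsn)
{
    $db = DB::connect($dsn);
    if (DB::isError($db)) {
        return 'PEAR DB: ' . $db->getMessage() . ' / ' . $db->getUserInfo();
    }
    $db->disconnect();
    return 'ok';
}

// Environment variable names are this example's own choice.
$host = getenv('MSSQL_HOST');
$user = getenv('MSSQL_USER');
$pass = getenv('MSSQL_PASS');
$name = getenv('MSSQL_DB');

if (!mssqlExtensionAvailable()) {
    // Nothing above this layer can work; a DAL error here would be misleading.
    die("mssql extension is not loaded: enable it in php.ini before debugging DB::connect\n");
}
echo 'raw extension: ', rawMssqlCheck($host, $user, $pass), "\n";
// PEAR DB rawurldecodes the credential parts of the DSN, so encode the password.
echo 'PEAR DB:       ', pearDbCheck("mssql://$user:" . rawurlencode($pass) . "@$host/$name"), "\n";
```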

Parsing a WordPress feed with DOMXML in PHP

Saturday, September 1st, 2007

You may have noticed that I’ve recently been making use of this blog's XML feed to a) display links/descriptions for my three most recent posts on the akamarketing.com homepage and b) display links to my ten most recent posts in the left navigation bar of most of my site's pages. This was done to try and funnel more site visitors to the blog, because that’s where I’m doing most of my updates, and although it’s early days it seems to be working.

It’s actually quite easy to do; I basically just parsed the standard WordPress XML feed with DOMXML and then outputted the specific information I needed. The code for generating links to my last ten posts, which I use on the left nav bar, is available at http://www.akamarketing.com/wordpress-links.php.txt with the running version at http://www.akamarketing.com/wordpress-links.php

By examining the structure of a WordPress feed (mine is located at http://www.akamarketing.com/blog/feed) you’ll see that the details of each post are stored in an item element. By getting and looping through all the item elements it is possible to access specific information such as the post link, title and description. In this case I’ve used the description for the title attribute of the link, meaning that when someone mouses over a certain link a snippet from the corresponding post will appear on screen.

Feel free to use my code, check if you have DOMXML support first of course.
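The same link list, as an added example that is not the post's code: it uses the DOM extension (DOMDocument) that replaced the PHP 4 DOMXML extension in PHP 5, so the API differs from the post's. Feed content is treated as untrusted because it ends up inside href and title attributes of your own page: titles and descriptions are escaped, only http(s) links are emitted, and the parser is told not to touch the network. It assumes PHP 7.1+ with the dom and mbstring extensions; the feed XML is a constructed sample, not the real feed.

```php
<?php
// Added example, not the post's code. Assumes PHP 7.1+ with dom and mbstring.

// Build <li><a href title>...</a></li> lines for the newest $max items of a feed.
function wordpressLinks(string $xml, int $max = 10): string
{
    $dom = new DOMDocument();
    // LIBXML_NONET: never fetch DTDs or external entities while parsing feed input
    if (!@$dom->loadXML($xml, LIBXML_NONET)) {
        return "<ul></ul>\n";
    }
    $out   = '';
    $count = 0;
    foreach ($dom->getElementsByTagName('item') as $item) {
        if ($count >= $max) {
            break;
        }
        $link = childText($item, 'link');
        if (!isHttpUrl($link)) {
            continue;                       // not a web link: leave it out entirely
        }
        $count++;
        $out .= sprintf(
            "<li><a href=\"%s\" title=\"%s\">%s</a></li>\n",
            htmlspecialchars($link, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(snippet(childText($item, 'description')), ENT_QUOTES, 'UTF-8'),
            htmlspecialchars(childText($item, 'title'), ENT_QUOTES, 'UTF-8')
        );
    }
    return "<ul>\n" . $out . "</ul>\n";
}

// Text of the first child element with the given name, or '' if absent.
function childText(DOMElement $el, string $name): string
{
    $nodes = $el->getElementsByTagName($name);
    return $nodes->length > 0 ? trim($nodes->item(0)->textContent) : '';
}

function isHttpUrl(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), array('http', 'https'), true);
}

// WordPress descriptions carry HTML; the tooltip wants a short plain-text snippet.
function snippet(string $html, int $len = 120): string
{
    $text = trim(html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8'));
    return mb_strlen($text) > $len ? mb_substr($text, 0, $len) . '...' : $text;
}

// Constructed sample feed: one normal post, one item with markup in the title
// and a non-web link that must be dropped.
$sampleFeed = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>Blogged thoughts</title>
<item><title>PHP to PDF conversion with TCPDF</title>
<link>http://www.akamarketing.com/blog/example-post/</link>
<description>&lt;p&gt;Recently I had a development client who needed a PDF report...&lt;/p&gt;</description></item>
<item><title>Odd item &lt;b&gt;with markup&lt;/b&gt;</title>
<link>mailto:someone@example.invalid</link>
<description>never shown</description></item>
</channel></rss>
XML;

echo wordpressLinks($sampleFeed, 10);
```

The output contains one list item whose title attribute holds the plain-text snippet of the first post; the second item is skipped because its link is not an http(s) URL.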

PHP 6 - a brief look ahead

Monday, June 26th, 2006

Despite the fact that PHP 5 is still not yet supported by all of the web's main hosting companies, the show must go on, and this means the ongoing development of PHP 6. The minutes of all the PHP developers' meetings are available on the www.php.net website and provide us with a fairly reliable look at what we can expect from PHP 6. The exact location of the minutes is http://www.php.net/~derick/meeting-notes.html. This document is over 83 KB and you’re most likely not going to read it all; I however have gone through it intermittently over the last few days, and although there are a tonne of proposed changes, only three of them are likely to be seen as major and as having an effect on the general PHP developer population. The three major changes are that register globals, magic quotes and safe mode are all to be ditched.

Register Globals is a PHP directive that when turned on automatically sets all EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. This means that to use a post form variable you need only reference it by its name and not by its full location within the post array. For example to access the value of a form (submitted by the ‘POST’ method) textfield called firstname with register globals on one would simply use $firstname, however with the register globals directive switched off one would have to use $_POST['firstname'].

Enabling register globals appears then to be more convenient, but it is also more of a risk, as writing insecure code becomes a lot easier. The reason for this is that with register globals on a developer's script can be injected with all sorts of variables, including HTML form values and URL get values (which can easily be manipulated by a hacker). With EGPCS variables and internal variables that are defined in the script itself so easily available, the programmer can mistakenly open a ‘door’ or a ‘hole’ to a hacker by simply getting confused. A great example of a potential security risk created by bad coding with register globals on is available at http://ie.php.net/manual/en/security.globals.php (see example 29-1 near the top). Although register globals was turned off by default as of PHP 4.2, many web hosts use earlier versions of PHP and others simply set the directive to on manually. To eliminate any risks associated with having register globals on, the development team of PHP 6 decided to get rid of the directive altogether. This means that any scripts which made use of the register globals directive must be rewritten before being ported to PHP 6 as they will not work otherwise.

Next there’s magic quotes. This directive, when switched on, automagically escapes incoming data (such as POST form values) to any PHP script. This means that you will not have to run addslashes() to prevent MySQL (and others which escape characters with a slash) returning a syntax error when a user enters a ‘ (for example) in a form textfield. Magic quotes (when switched on) helps beginners code more safely, and it’s more convenient as addslashes gets run by PHP without any explicit calls by the coder. The magic quotes directive can however be set to on or off without any influence from within the script itself, as input parameters are escaped before the script starts; this means that developers have the cumbersome task of first checking whether it is on and then running or not running addslashes() accordingly. Inexperienced programmers could simply assume it is either on or off and code accordingly, which will of course affect the portability of an application, as obviously some servers will have it switched on and some will have it switched off. In an effort to clean up the code and remove any ambiguity, the developers of PHP 6 have decided to remove magic quotes functionality altogether. This is fairly significant and will require code rewriting for those applications and scripts that relied on the magic quotes directive being on (without checking) before these same applications and scripts will work on PHP 6.

Safe mode too is on the way out. PHP safe mode is an attempt to solve the shared-server security problem (according to PHP.net anyhow). When PHP safe mode is on lots of functionality is turned off and other functionality needs a higher degree of authorization (such as UID checks) to run, not only does this frustrate many developers whose hosts have safe mode on but it also gives off the impression that PHP is completely safe with safe mode on, even the most inexperienced PHP coders know this is not the case. The particular section of the developers meeting minutes corresponding to safe mode is found at http://www.php.net/~derick/meeting-notes.html#safe-mode. I don’t believe that the removal of safe mode will require major code changes for applications and scripts to work on PHP 6, please tell me though if I’m wrong on this one (it has been known to happen…)

Although the minutes of the meeting are not final it’s looking like PHP 6, if developed according to them is likely to go through an even longer ‘probationary’ period with webhosts than PHP 5 did (and is still doing) as an awful lot of scripts stand to be broken with any rushed migration to version 6 of this very popular web programming language.
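An added example, not the post's code, that ties together the variables_order overwrite from the $_ENV post above and the register globals and magic quotes problems described in this post: a small model of what register_globals did (arrays stand in for the real superglobals, so it runs on any PHP version), the manual's uninitialised-variable pattern beside the explicit form that behaves the same on every php.ini, and an input reader that is independent of the magic quotes directive. It assumes PHP 7.1+; all values are constructed.

```php
<?php
// Added example, not the post's code. Assumes PHP 7.1+.

// Model of register_globals: walk variables_order left to right; a later letter
// overwrites an earlier one on a name clash, which is the 'EGP' + Path case from
// the $_ENV post.
function registerGlobalsModel(string $variablesOrder, array $sources): array
{
    $globals = array();
    foreach (str_split(strtoupper($variablesOrder)) as $letter) {
        if (!isset($sources[$letter])) {
            continue;
        }
        foreach ($sources[$letter] as $name => $value) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// "Before": the manual's pattern. $authorized is only ever set to true, so with
// register_globals on, any request parameter named authorized supplies it.
function accessLegacy(array $globals, bool $authenticated): bool
{
    if ($authenticated) {
        $globals['authorized'] = true;
    }
    return !empty($globals['authorized']);   // can be true without authentication
}

// "After": initialise every variable yourself and take request data only from
// the superglobal you mean. Nothing register_globals does can reach this.
function accessFixed(bool $authenticated): bool
{
    $authorized = false;
    if ($authenticated) {
        $authorized = true;
    }
    return $authorized;
}

// Magic quotes: undo the directive's escaping once, if and only if it is on
// (the function is gone in PHP 8, hence the guard), so the rest of the script
// always sees raw input and hands quoting to a prepared statement.
function rawInput(array $post, string $key): string
{
    $value = isset($post[$key]) ? (string) $post[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed request: an environment Path, a GET parameter named authorized
// and a POST Path that collides with the environment one.
$sources = array(
    'E' => array('Path' => '/usr/local/bin'),
    'G' => array('authorized' => '1'),
    'P' => array('Path' => '/tmp/upload', 'name' => "O'Brien"),
);
$globals = registerGlobalsModel('EGP', $sources);

echo "Path under 'EGP': {$globals['Path']}\n";              // /tmp/upload, P overwrote E
echo 'legacy check, not authenticated: ';
var_dump(accessLegacy($globals, false));                   // bool(true)  - the hole
echo 'fixed check, not authenticated:  ';
var_dump(accessFixed(false));                              // bool(false)
echo 'raw name: ', rawInput($sources['P'], 'name'), "\n";  // O'Brien, whatever php.ini says
```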

12 Lorcan Crescent, Santry, Dublin 9, Ireland +353 87 9807629