I’ve just published an article that explains how a PHP-based product can gain a good position in the market and be made appealing to customers by using marketing communication. The focus is on products licensed under an Open Source license. Yet, most of the recommendations also apply to proprietary offerings.

The article has initially been published in German by PHPmagazin. It has now been translated to English and is available on the Initmarketing website: Commercialization of PHP Software.

After the recent beating I gave Packt Publishing's "PHP Team Development" recently, I had a number of people ask what books I did recommend.  To be honest, that's one of the easiest questions I've gotten in a while.  And that's because when we put together Blue Parabola about a year ago, I had the chance to make this list exactly.  There are about 5 books that I believe should be in nearly any software developer's library:

• First, there's The Pragmatic Programmer by Andy Hunt and Dave Thomas. If you are new to the field, don't have a mentor, or just don't have someone pushing you, this is a great book to start with.  It will get you into the right mindset and teach you a number of core concepts that will apply to any developer anywhere.  Matthew Turland touches on some of its topics here and here.
• Next, we have Joel On Software from Joel Spolsky. This one shares ideas on how to do things simply but effectively.  If you're not familiar with the Joel Test, you should be.  Regardless, this one is primarly a group of his blog posts, so if you can't get a hold of it, you can read it on his blog.
• Next, we have Code Complete, 2nd Ed by Steve McConnell. I consider this a primary manual for good software development.  Steve covers a few dozens of key concepts - though few to any depth - that cover everything from requirements gathering and specification to good code organization principles to testing.  Most advanced developers aren't going to draw great value from this one, but it fits nicesly with the Pragmatic Programmer.
• Next, there's Patterns of Enterprise Architecture by Martin Fowler. I tend to keep this one within arm's reach on my book shelf.  It covers a number of common Design Patterns and shares examples of each.  The example code is all Java, but the concepts are there and quite easy to follow.  The most useful thing is where Fowler describes some places where these Patterns do and don't make sense.
• And finally, there's Refactoring (review here) by Martin Fowler. This one is unique in that each of the various refactorings begin with a piece of code and it walks you through step by step in how to make it better.  While there are numerous helpful tools - I use NetBeans 6.8 M2 - that handle simple refactorings, you should explore this one to learn advanced concepts and tactics.

You'll notice there are no technology-specific books in that list. For a long time, I wasn't adding any because I worked in a variety of technologies.  Once I focused on PHP, a few PHP-specific books made it into my list, but not many.  So to add a second tier of "must have" books, I'd add these:

• First, we have Chris Shiflett's Essential PHP Security (review here). Despite being published in 2005, a

Truncated by Planet PHP, read more at the original (another 2744 bytes)

I'm delighted to announce that I'm speaking at the inaugural PHP Benelux Conference, to be held on Saturday 30th January in Antwerp, Belgium. The talk will be "Passing the Joel Test in the PHP World"; I gave this talk PHPNW09 in October and it was well-received there, so hopefully I can bring the same insight and inspiration to attendees at this new event as well!

On a personal level I'm very pleased to have a reason to visit the Low Countries - Ibuildings is a dutch company and I'm already making plans to link up with my colleagues there by extending the trip by a few days. I've also never been to Antwerp so I'm hoping I'll see something of the city while I'm there, if time allows. The benelux user group contains many friends so I'm looking forward to what I know will be an excellent event and catching up with all the friends who will be there.

If you are attending, or thinking of it, let me know - and come and say "hi" to me on the day :)

Since being laid off last month, I’ve thought long and hard about what I wanted to do next. After consulting with my fiancee and with friends and colleagues, I decided that the best approach would be to begin working towards my own consulting company. And so, several weeks into the process, I’ve laid the groundwork and today, I can announce it.

Blueprint DC, a full-service custom software development company based from Washington, DC, is officially open for business.

After being a PHP developer for five years, it feels awesome to be able to go into business, and work on great projects. I look forward to the awesome relationships I’ll establish and the great work I’ll be able to do for a multitude of clients, instead of just one or two (my employers).

So feel free to browse the site and get in touch with me to meet your PHP development needs. I look forward to working with you!

Today I have released the first version of the staticReflection component. This component provides a reflection implementation that is compatible with PHP's build in API and so it can be used as a drop-in replacement within applications.

A few weeks ago I started just another script that utilized the tokenizer extension to extract some information from source code files. At that point I thought that the time had come to realize a project that was on my todo for a very long time. And here is the result of the first iteration, a userland reflection implementation that is api compatible with PHP's internal reflection extension. Beside the source parser and the reflection ast this component provides a unified interface to both reflection versions, which makes it easy to switch between different implementations.

As a first use case for this component I have choosen autoload files, as they are used by the eZ Components. The generation of those files is really easy, simply parse a directory with source files and dump the result into a file.

<?php use org\pdepend\reflection\Autoloader; use org\pdepend\reflection\ReflectionSession; // Include the bundled autoloader include_once 'staticReflection/Autoloader.php'; // Register the autoload function spl_autoload_register( array( new Autoloader(), 'autoload' ) ); // Create a new session $session = new ReflectionSession(); // Create a directory query $query = $session->createDirectoryQuery( ); $autoload = array(); foreach ( $query->find( __DIR__ . '/../../source/' ) as $class ) { $autoload[$class->getName()] = $class->getFileName(); } var_export( $autoload );

You can also use the static reflection implementation to analyze different versions of the same class in the same process, which is not possible with the build-in reflection API, because you cannot load multiple classes with the same name into the current runtime context.

Beside parsing of a given directory or file the staticReflection component also supports direct access to a concrete class or interface through the name. Therefor it uses so called source resolvers, that perform a mapping between class names and the associated source files. The current release has two build-in resolvers, one using autoload arrays as they are used by the eZ Components and the other one uses the PEAR naming conventions and the configured include_paths to determine the source file for a given class name. The following example illustrates the usage of the PEAR source resolver.

<?php use org\pdepend\reflection\Autoloader; use org\pdepend\reflection\ReflectionSession; use org\pdepend\reflection\factories\StaticReflectionClassFactory; use org\pdepend\reflection\resolvers\PearNamingResolver; include_once 'staticReflection/Autoloader.php'; spl_autoload_register( array( new Autoloader(), 'autoload' ) ); $session = ReflectionSession::createStaticSession( new PearNamingResolver() ); $class = $session->getClass( 'PEAR_Frontend' ); echo '- ', $class->getName(), PHP_EOL, ' ', $class->getFileName(), PHP_EOL;

This concept makes the component extremly flexible, because you can write your own source resolver that fulfills the requirements for your application.

Beside the source resolver concept the ReflectionSession can also be configured with a custom stack of ReflectionClassFactory objects that are used to retrieve a reflection class instance for a given class/interface name. To minimize the configuration overhead for common use cases the ReflectionSession class provides three build-in factory methods that create default session configurations for you:

• ReflectionSession::createDefaultSession( SourceResolver ): This session configuration uses three different backends. First it asks the native backend for a reflection class. When this backend cannot handle the request the static reflection factory is asked for a matching class. Finally this configuration uses the null backend, which always returns an empty placeholder reflection class.
  
  

Truncated by Planet PHP, read more at the original (another 2643 bytes)

Am kommenden Donnerstag, den 03.12.2009 findet wieder ein öffentlicher Vortrag im Mayflower Büro in Würzburg statt (Pleichertorstrasse 2, 97070 Würzburg, Straßenbahn und die Haltestelle Congress Centrum).
Beginn ist um 18:00 Uhr, Thema des Vortrags ist "Crystal Clear explained".

Crystal Clear ist ein Mitglied der Crystal Family und reiht sich in die Welt der Agilen-Entwicklungsmethodiken ein. Als das kleinste Mitglied ist "Crystal Clear" auf kleine Projekte und Teams ausgelegt und bietet hierfür Vorgehensweisen und Hilfestellungen um Probleme zu identifizieren und zu beheben. Unter dem Titel "A Human-Powered Methodology for Small Teams" wird Max Köhler in diesem Vortrag veranschaulichen wofür "Crystal Clear" steht und wie dessen Einsatz bei der agilen Softwareentwicklung dem Projekt und dem Team Vorteile verschafft.

Die "Donnerstags-Vorträge" werden sowohl in Würzburg als auch in München gehalten. Bei Interesse einfach das Blog beobachten, um auf dem Laufenden zu bleiben!
Wir freuen uns auf viele Teilnehmer!


Größere Kartenansicht

When I talked with journalists, lawyers and analysts about the Oracle/Sun merger case questions were raised about the possibility to fork MySQL and that everybody who is not satisfied with Oracle's future way regarding MySQL could do this. I don't agree with that and I think it's best to put Monty's own words (found in a comment in his blog) here because I can't explain it better:

In addition, the MySQL trademark is so strong that it's hard to impossible for a fork to attract enough attention to be able to compete in a meaningful manner if MySQL would be owned by a vendor that refuses to cooperate and works against the fork.

My company SektionEins that is specialised in web application security audits, consulting and trainings has finished the english translation of the PHP Security Poster. This poster is send out for free to interested PHP programmers (until out of stock). The poster is of DIN A0 size and details the most important aspects of configuring PHP securely and writing secure PHP code.

SektionEins PHP Security Poster

The poster contains the following topics:

* Vulnerabilities & Concepts
* Security Related PHP Funktionen
* Secure Programming
* Hardening the PHP Configuration
* Server Protection with Suhosin

The order form for the poster is available here.

At yesterday’s RSS09 conference I gave a slightly different version of my “Shocking News in PHP Exploitation” talk. This time I disclosed for the first time how unserializing user input in Zend Framework based applications can result in direct remote PHP code execution.

The topics of my talk were

• easy ways to bypass modsecurity and f5 big ip
• executing PHP code on Zend Framework based applications that unerialize user input
• how to still exploit PHP interruption vulnerabilities after recent fixes in PHP

You can grab my new slides here.

On 5th of November I gave a talk titled “Shocking News in PHP Exploitation” at the Powerofcommunity hacking/security conference in Seoul, South Korea. Afterwards I uploaded my slides to this server but only distributed the link through twitter. I totally forgot about announcing the slides in my blog.

The topics of my talk were

• easy ways to bypass modsecurity and f5 big ip asm
• exploiting unserialize vulnerabilities in Zend Framework applications
• exploiting PHP interruption vulnerabilities after recent fixes in PHP

The slides are available here.

The PHP development team would like to announce the immediate availability of PHP 5.3.1. This release focuses on improving the stability of the PHP 5.3.x branch with over 100 bug fixes, some of which are security related. All users of PHP are encouraged to upgrade to this release.Security Enhancements and Fixes in PHP 5.3.1:Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.Added missing sanity checks around exif processing.Fixed a safe_mode bypass in tempnam().Fixed a open_basedir bypass in posix_mkfifo().Fixed failing safe_mode_include_dir.Further details about the PHP 5.3.1 release can be found in the release announcement, and the full list of changes are available in the ChangeLog.