Monthly Archives: December 2011

Top Posts of 2011


Seems like a PHP meme is growing, where you highlight your favorite posts of the year. While it’s a bit self promotional, it’s also the one time of year you can give some old posts a second chance.

1. Got good feedback from tips on getting your talk accepted at a conference. I’m actually thinking of expanding that article together with advice on technical career development, maybe turning it into a book. Hear me out before you say it’s stupid.

I think awesome developers are not getting the recognition they deserve. Much of it because many are introverted and scared to death of speaking in public. Secret admission, I have the same fear. That’s one of the main reasons I started running meetups. To conquer my biggest fear. There is MUCH you can do to overcome the fear. And in our particular field, much to gain as well.


2. Maybe 5 people saw my post on a memory trick I started using. Got no feedback on it at all. But still like it :)

3. I floated the idea of a new HTTP header. Someone from Mozilla said he liked it (iirc it was Ben Adida). Which prompted me to get some invaluable advice from Manu Sporny. Man, hats off to people who get things done at W3C. It takes a lot of work. Maybe one day, but I’m too busy for now.


4. One of the most important posts I ever wrote was another proposal, to create a Global Accessibility Awareness Day for developers. I’ve been mulling it over for a while and it’s time to make this happen. If you check out no other post, please look at that one.

Was very glad it got a lot of attention. It’s now in someone’s slides as an official “Day”. Special Kudos to Jennison who is taking up the cause. We’re going to make this work.

(Image: PHP Rock Stars, by DrBacchus via Flickr. Thanks to Zemanta for helping me add links and phunny pictures to this blog.)

Lots of developers go on and on about “wanting to change the world”. Well instead of changing the world with a newfangled “social” network or some other nonsense to please the VCs, how about improving people’s ability to access the Internet. IOW do your day job properly and that by itself will improve lives!

5. I had a couple of security posts this year. One was about properly escaping data in your views. No one does it right. No one cares. Except the hackers p0wn1ng your sites. And your users who get victimized.

By far the post that got the most attention this year was about Schema Injection. By 10am, I had more views on this blog than on any other day ever.


I’ve never really seen anyone else talk about Schema Injection, though the term did exist. Maybe I should expand it into an article for a real online journal. I have some other concerns about NoSQL security, but haven’t totally thought through the implications yet.

I’ll leave you with a call to action for 2012. Please participate in our Global Accessibility Awareness Day. If you run meetups, please cover this topic. If you attend meetups, ask your local organizer to set one up. Talk about it in your blogs. Mention it in podcasts. Thank you.

Happy New Year Folks!

Enhanced by Zemanta

Belated Zendcon 2011 Recap


I started writing a Zendcon recap post as soon as I got back. And then mis-timed a couple projects. Note to freelancers, make sure your new gig starts AFTER your old gig is over. Or you’ll be working an insane schedule. Hence the lateness….

First the good part. What made Zendcon special.

I listen to many podcasts while on the LA freeways (aka parking lots), read a lot of blog posts by the pros, and connect with the #ZF community on twitter. It was great to finally meet so many “online friends” in person.

Even if you’re not a Zend Framework or PHP Developer, I recommend following these folks, as you will gain something from each of them.

First of all, many thanks to Kevin Schroeder for inviting me to be on the advisory board for Zendcon 2011. It was a wonderful experience.

Juozas Kaziukėnas proves that even if you’re circa ~7’9″ tall, you can be a better programmer than basketball player. Back when he was still trying to get accepted to speak at conferences, I could tell that this fellow had chops. Glad the last couple of years he’s been getting the recognition he deserves. His talks included sessions on Doctrine and Azure.

I wish I’d have managed to catch some sessions by Daniel Cousineau. Besides having a really neat beard, this is one smart feller.


If there’s one event I will remember about Zendcon2011, other than Kevin wearing a cape for two days, it will be 4 of us, David Zulke, Juozas, Paul Jones and yours truly in David’s car, singing Bohemian Rhapsody like in Wayne’s World. Anyone (ie David) who gets REST right and yells at those getting it wrong in conference talks has my props.

Paul Jones is one cool Marine. He’ll kick your ass physically and in code. I think anyone coming from OmniTI must be really smart, because between him and Elizabeth Marie Smith, you can spend a day chatting about hardcore programming and not get bored.


I missed Paul’s talks unfortunately and only caught one of Elizabeth’s, but it was great. If you don’t know SPL, you should try to catch her SPL talk. Actually, I want to hear all of them when they’re released.

Hanging out with Dr. Keith Casey is always a blast. One of the most unique individuals you’ll come across. He has so many great stories. And we’re very much of the same mind about connecting people who would mesh well together.

I hung out a lot with @jsundquist and @jcarouth. Promising young talent. When you meet good kids like them, you have hope for the future.


I really enjoyed meeting one of our #LAMySQL speakers in person. @billkarwin. He’s so humble for someone who’s done so much. This guy headed up Zend Framework V1.0, wrote the groundbreaking SQL Antipatterns book and has had quite a career so far. Now at Percona. We chatted quite a bit and I’m honored to call him a friend.

Bill and I also hung out with another gentleman and scholar, Bradley Holt. These two guys forgot more about Databases than most of us have ever learned.


I’m kind of losing steam in telling these stories, because there’s one name I want to cover at the end, and life kind of sucks; it’s hard to focus on the good when I’ve got his story in the back of my mind. So if I miss anyone, please accept my apologies.

Shout outs to @DragonBe & DASPRiD. Enjoyed IHOP with you guys!

Also nice to meet fellow Canuck @afilina who manages to get the PHP community out to the Frozen Tundras of Canada with her mega conference organizing skills.


Too bad @skoop wasn’t there the whole conference as I was hoping to chat with him more. However I was very pleased to chat with the names behind Zend, Zeev Suraski and Andi Gutmans.

One of my favorite talks, which was in the uncon, came from @iliaa. He always has so much to say about performance. If you’ve never had to worry about performance, it might be hard to tell who’s good. But trust me, he is.

And I’m going to wrap up with the dynamic duo behind Zend Framework. Ralph Schindler and MWOP. Ralph is hilarious! And I learned some interesting things chatting about the history of PHP with Matthew.

Running a project like Zend Framework has its positive sides to be sure, but also its thankless side. The public out there can be pretty mean and demanding at times. Especially with stuff they get for free. These guys really handle the community with class.

Sorry if this post is too positive, but it’s one of the few things I love. Meeting wicked smart people, often they are nice too, and just learning. If you focus on the good people, you can gain so much from conferences…

Now last, but not least, I will mention Jeroen Keppens. We sat together during the opening Keynote, live tweeted the conference, and every time the live demo showed top tweets, one of us was on the screen. It was real fun. And I really enjoyed hangin’ with him and chatting. Having lived in Belgium for a while, it’s easy to connect with people on that side of the world.

And this brings me to something that bothers me a lot about twitter. The world gets smaller. Because I run meetups, I follow a lot of people on Twitter and many are not just strangers. A good chunk are community members.

And almost every day something really sad happens to someone. I’m still kind of shocked from when Jeroen tweeted that his wife passed away from an accident. The original version of this post had more details, but now I see that his tweets are protected, so I will respect his privacy. I wish there was something we could do, but what can you do?

Jeroen is such a good guy. Why does he have to go through this? I don’t know. A week earlier, someone from the cloud community announced that his 2 year old daughter pulled a pot of boiling water onto herself and went to the hospital. Thank God she seems OK.

A couple of people have gotten cancer. Another Twitter friend had a relative commit suicide.

It’s hard to tweet as though it’s a normal day when someone you are fond of, one way or another, is going through such a hard time. Like a Doctor, you have to get “used” to this because of the frequency. But it is hard, and it is the downside of these tools that bring the world closer.


Some tips on using MongoDB (with Lithium examples)

(Image: International Church of the Foursquare Gospel, gratefully obtained via Wikipedia.)

I didn’t rush into trying out MongoDB at first, when the buzz began to grow on NoSQL. The reason being that so many developers didn’t bother to research and understand SQL properly, a bread and butter technology proven over decades… and when those same developers move into something shiny and new, proclaiming how great it is, they scare me.

Databases are not simple or trivial. It’s like a Mountain. You have to respect the Mountain or Nature will force you to show respect.

What you don’t know can lead to disaster in production situations. It’s the type of thing that you want to let others, like Foursquare, fail painfully at, identify and analyze the bottlenecks for you, and then you come in and try it out as the issues start to get resolved and the technology matures a bit.

I think we’re getting there and the time has come to get involved. There are lots of clever things I really like about Mongo and still some gotchas. This post will give you an example of both. I urge you to do your research on how MongoDB works so that you can use it like a champ.

OK, let’s dig in.

MongoDB was built to scale horizontally. Their goal was to make that easy. To help highly trafficked websites have a smaller burden when they grow quickly. And to be as fast as possible. There are no shortcuts. You sacrifice one thing to achieve another. So just keep in mind that 10gen made deliberate choices. And there are times when you want to override the defaults.

One such example is safe mode. In order to optimize for speed, MongoDB does not, by default, wait for confirmation that a write was successful. So you go on your merry way, only to find out later that your write never happened. I encountered this very issue yesterday when an update wasn’t happening, and I didn’t know why. If you turn on safe mode, Mongo will wait until a confirmation comes in (or an error).

You need that error to find out that something went wrong and figure out how to fix it.

That’s why their choice of default is controversial. But there’s nothing inherently wrong with it. In fact, this approach is getting popular in other areas. The caveat is that it’s up to you to handle it properly. And that message is getting lost along the way…

Check out spine.js, a javascript library by a Twitter engineer. Instead of waiting for confirmation from the server on ajax calls, they update the UI first and have to build in error handling later.

If all you lose is some Paris Hilton or Kim Kardashian tweets, no biggie. The world won’t go a-hurtin’. But if you just failed on a credit card payment, well then my friends, it’s another story entirely.

My point is, it’s great that you can optimize the hell out of the web experience you’re building. But if you aren’t even aware that you need to handle errors, then what the hell are you doing anyway?

OK, I think I’ve nagged you enough about fully researching your database of choice, now it’s time to get practical.

Here’s tip #1. When you are working on your dev machine, safe mode should be turned on for all DB operations. It’s similar to strict mode.

Additionally, when you are processing an important request in production, this too should be done with safe mode ON. For example user registration.

This is how you set it up on Lithium ( aka #li3 ). I ran into a bit of a gotcha. Lithium has some defaults for (‘test’, ‘development’, ‘production’) environments. And I’ve been working with ‘local’. It turns out that setting up a custom environment in Lithium is a bit unintuitive (remember Lithium isn’t even on version 1.0, so keep expectations in check).

Instead of:

Environment::add('local', array('foo' => 'bar'));
Environment::set('local');

you actually need to add it with the set command and then set it with a second call to the set command.

So I have an environments.php file under the config directory. It contains this:

use lithium\core\Environment;

if (preg_match('/^local/', $_SERVER['HTTP_HOST'])) {
    // First call registers the 'local' environment together with its settings...
    Environment::set('local', array('host' => ''));
    // ...and the second call makes it the active environment.
    Environment::set('local');
}

Now in a moment, I’m going to show you what my connections.php looks like. You may need to adjust yours a bit. Post a comment if it isn’t working right.

use lithium\data\Connections;

Connections::add('default', array(
    'local' => array(
        'type'     => 'MongoDb',
        'host'     => '',   // fill in the host of your local Mongo instance
        'database' => 'example_LOCAL'
    ),
    'test' => array(
        'type'     => 'MongoDb',
        'host'     => 'localhost',
        'database' => 'example_TEST'
    )
));

Now you’re going to want to “filter” the “create”, “update” and “delete” methods. Hat tip to @mehlah for the approach. So right underneath that code, add this (updated to make more DRY, per @mehdi’s comment):

if (Environment::is('local')) {
    // Force safe mode on every write that goes through the 'default' connection.
    Connections::get('default')->applyFilter(array('create', 'update', 'delete'), function($self, $params, $chain) {
        $params['options']['safe'] = true;
        return $chain->next($self, $params, $chain);
    });
} // end if

And voila, safe mode is on for local. Now play around with your app. Some of you may be surprised to find some exceptions being thrown. If so, that means Mongo has been silently dropping some db calls. This is something you’ll need to fix ;)

Now that that’s done, you need to know how to manually turn on safe mode for important queries, like credit card processing.

Let’s say you have an activity model. And you’re updating a credit card. Here is a call with safe mode on:

if (Activity::update($query, $conditions, array('atomic' => false, 'safe' => true))) {
    $success = true;
}

Now here’s tip #2. You don’t need to create a field called “created”. Because the _id that Mongo creates contains a timestamp! This is one of those clever things I really like. It would take very little to find out how via Google, so I’ll leave you a link or two and this task, as an exercise for you, dear reader.
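Here is a worked version of tip #2, added as an example and not code from the original post: it decodes the creation time out of an ObjectId by hand, using a constructed sample id, and spells out the caveats that apply before you treat that time as authoritative.

```php
<?php
// Added example, not code from the original post. Decodes the creation time
// that MongoDB embeds in every ObjectId, so a separate "created" field is
// redundant. Works on the 24-character hex string, no driver needed.
//
// Layout of the 12-byte ObjectId:
//   bytes 0-3  : Unix timestamp in seconds, big-endian
//   bytes 4-6  : machine identifier
//   bytes 7-8  : process id
//   bytes 9-11 : per-process counter
function objectIdTimestamp($id)
{
    if (!preg_match('/^[0-9a-f]{24}$/i', $id)) {
        throw new InvalidArgumentException("not a valid ObjectId: " . $id);
    }
    // hexdec() returns an int for 8 hex digits on 64-bit PHP; on 32-bit PHP
    // values above 2^31-1 come back as a float, hence the explicit cast.
    return (int) hexdec(substr($id, 0, 8));
}

// Convenience wrapper returning an ISO-8601 UTC string.
function objectIdCreatedAt($id)
{
    return gmdate('Y-m-d\TH:i:s\Z', objectIdTimestamp($id));
}

// Constructed sample id (not taken from a real database). The leading
// 4ee6d7d1 decodes to 1323751377, i.e. 2011-12-13T04:42:57Z.
$sampleId = '4ee6d7d1a6a8c83a01000001';
echo $sampleId, ' was created at ', objectIdCreatedAt($sampleId), "\n";

// Caveats worth knowing before relying on this:
//  * The timestamp is written by whichever client generated the id, with
//    one-second resolution, so it reflects that client's clock, not the
//    server's. Ids produced by several app servers are not strictly ordered.
//  * If your code ever accepts an _id supplied by a request, the embedded
//    time is chosen by the sender. Only trust it for ids your own code made.
//  * With the PHP driver's MongoId class the same value is available as
//    $mongoId->getTimestamp(); the manual decode above shows what it reads.
```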

Dear Internet: Can you please stop calling Twitter & its brethren “Social Media”?

I love Twitter. And hate it at the same time.

Here are some definitions of the word “Twitter”:

  1. Talk in a light, high-pitched voice
    (- old ladies in the congregation twittered)
  2. Talk rapidly and at length in an idle or trivial way
  3. A series of short, high-pitched calls or sounds
  4. Idle or ignorant talk

Some people might think the Twitter branding was brilliant. I’ll give you this, it’s distinctive. But it’s the most asinine name they could have come up with. Sure, there’s plenty of inane shit on Twitter. But I’d try to hide that and minimize it, not encourage it! DOH!

Amazingly, CEOs and Presidents are now “tweeting”.

It cries out for being made fun of. How many more CEOs would be on twitter if it had a more professional name and demeanor?

(Image via Wikipedia: a pie chart created in Excel 2007, completely unrelated to the content of my post.)

And another thing. I’m sick and tired of the term “Social Media”. Twitter and even Facebook are communication mediums. You get news much faster on Twitter than anywhere else. They disintermediated the practice of Journalism! This is profound. While there is a social element to it, the point isn’t to “socialize”.

For me, it’s about business.

As a developer, this is what Twitter brings me. Daily links to quality content. Most of the tools I use today would probably not be in the arsenal had I not been an avid user of Twitter. Most of the technologies I build my sites on would not be part of my daily life. In fact, those technologies would have been slower to take off had there not been a medium such as Twitter.

It’s not about “twittering” away your time.

Journalism “old-style” allowed journalists to connect with important and newsworthy people. Now, with Twitter, we all have our very own communications medium if we want it. We can connect with and discover people who enrich our lives and work.

I “follow” and am being “followed” by hundreds of developers, dozens of tech journalists, and a good number of CTOs & CEOs. This is a wonderful thing. But let’s come up with a new way to describe it and not allow people to trivialize the importance of all this by letting them define what it is for us.

Let’s come up with a better “catchphrase” and start using it. How about “Internet Media”? OK that sucks but maybe someone who’s good at branding can come up with a better name.


You thought SQL injection was bad? Schema injection coming to a NoSQL site near you

Let’s nip this problem in the butt!

SQL injections are the number one security vulnerability according to OWASP. Playing with MongoDB lately, I’m getting scared. Because I’m seeing some really bad practices out there. Seeing it in live code. In tutorials. And we need to make people aware of it. And put a stop to it NOW.

It’s bad enough that the average developer is completely oblivious to SQL Injection. But now with schema-less databases like MongoDB out there, expect to see something new. Schema injection.

Take a look at this Lithium Blog Tutorial. Is building a blog this way safe? Is traditional SQL Injection possible?

Probably not. I’m sure Lithium is binding parameters in that example. Therefore typical injection is not possible. However, we’re not done! How about Schema Validation???

Do you really want to let hackers easily inject columns into your database? They can add 1000 columns with any data they want!

It’s true that MongoDB makes some things easier on developers. But there’s some steps you shouldn’t skip just because it’s easy.

In the case of Lithium, you can secure your data by putting your field list in the model under $_schema and locking it in the $_meta attribute.

Mongo and Lithium are a great combination. But it’s on YOU the developer to use those tools properly.

Feel free to add columns to your production NoSQL database. That’s the good part of “no schema”. But you still need to add those columns to your code and make sure not to do inserts on unchecked columns.
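To make the problem and the fix concrete, here is an added example (not code from the original post or from Lithium) that runs on a plain array: a constructed request payload carrying extra fields, the unchecked document it would become, and a stand-alone whitelist that does what a locked $_schema does inside Lithium.

```php
<?php
// Added example, not code from the original post or from Lithium. Shows
// schema injection on a plain array and the fix: keep an explicit field list
// and store only those fields. Inside Lithium the same whitelist is the
// model's $_schema with 'locked' => true in $_meta, as the post describes.

// The allowed fields for a blog post, with the checks each must pass.
$postSchema = array(
    'title' => array('type' => 'string', 'required' => true,  'maxlen' => 200),
    'body'  => array('type' => 'string', 'required' => true,  'maxlen' => 20000),
    'tags'  => array('type' => 'array',  'required' => false),
);

// Returns only the whitelisted, validated fields; throws on bad input.
function filterToSchema(array $data, array $schema)
{
    // Keys not in the schema are dropped. That also keeps out the
    // '$'-prefixed and dotted names MongoDB reserves, which would otherwise
    // fail at insert time.
    $clean = array();
    foreach ($schema as $field => $rules) {
        if (!array_key_exists($field, $data)) {
            if (!empty($rules['required'])) {
                throw new InvalidArgumentException("missing field: " . $field);
            }
            continue;
        }
        $value = $data[$field];
        $ok = ($rules['type'] === 'string') ? is_string($value) : is_array($value);
        if (!$ok) {
            throw new InvalidArgumentException("wrong type for field: " . $field);
        }
        if (isset($rules['maxlen']) && strlen($value) > $rules['maxlen']) {
            throw new InvalidArgumentException("field too long: " . $field);
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed request payload. 'title' and 'body' are what the form offers;
// everything else was added by the client.
$request = array(
    'title'     => 'Hello world',
    'body'      => 'First post.',
    'author'    => 'admin',                   // claims another identity
    'published' => true,                      // flips a flag the form lacks
    'extra_1'   => str_repeat('x', 1024),     // one of potentially many
    '$set'      => array('role' => 'admin'),  // operator-shaped key
);

// Vulnerable pattern: the whole request becomes the document.
$unchecked = $request;
// Hardened pattern: only schema fields survive, and server-side values are
// set here rather than taken from the request.
$document = filterToSchema($request, $postSchema);
$document['author_id'] = 42;   // from the logged-in session, never the form

printf("unchecked document has %d fields: %s\n", count($unchecked),
    implode(', ', array_keys($unchecked)));
printf("filtered document has %d fields: %s\n", count($document),
    implode(', ', array_keys($document)));
```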

Spread the word.


I wrote a new ACL module for Lithium: li3_simple_acl

(Image: Lithium hydride, via Wikipedia. This is a test of focus. Is it related? Perhaps not, but it looks better than a naked post.)

I tried to work with the existing Lithium ACL module called li3_access, as several folks have done some really good work there. It has a lot of flexibility, including the ability to let you create your own Adapters. Which I tried at first.

The reason I chose to roll my own, at 4am no less, was that I was looking for something simple, that still lets you protect the resource.

A principle in making a good ACL layer is that you don’t want a bunch of if statements in your code, like if($user == 'admin'){ // do 'A' }. Because if you change your ACL rules, you have to find every instance of that and change it. Breaking your code.

If you thought you improved that situation by moving to an ACL but find yourself writing code like: if($acl->isAdmin($user, $request, $resource)){ // do something }, you’ll realize that you just abstracted away the same exact code, and did not solve your problem.

In my opinion, you should be calling your ACL with code that looks something like this: if($acl->isAllowed($user, $resource)) { // do something }.

The $user array/object should contain the info needed to validate the $resource/$perms array. Then all you have to think about is how to make sure you can pass the needed info from your resource.

(Image via CrunchBase: GitHub. Did you know that research scientists in Freedonia have proven that programmers improve their standard of living by opening up a github account?)

For example, if you have a database row with a forum post and want to provide the author of that post permission, the user array has the userid and the row has the author’s userid. Simple to match.

Naturally, it still needs a bit more work. Like the ability to Deny users in the event that certain conditions match. Or allow some IP ADDRESSES access. Basically, it needs a little more flexibility. So please take a look at li3_simple_acl on my github account and give me feedback. Thanks.
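As an added example (not the li3_simple_acl code), here is the isAllowed($user, $resource) shape argued for above, with the rules kept in one table, the owner match from the forum-post case, and the deny-by-user and deny-by-IP conditions mentioned as still-missing, using constructed users and rules.

```php
<?php
// Added example, not the li3_simple_acl code. Callers ask isAllowed($user,
// $resource) and never test role names themselves; who may do what lives in
// one rule table, so a policy change means editing that table only.
class SimpleAcl
{
    protected $rules;   // resource type => permission => grant conditions
    protected $deny;    // conditions that refuse access before any grant runs

    public function __construct(array $rules, array $deny = array())
    {
        $this->rules = $rules;
        $this->deny  = $deny + array('users' => array(), 'ips' => array());
    }

    // $user: info from the session, e.g. id, role, ip.
    // $resource: what is accessed and what is wanted, plus whatever the
    // resource itself carries for the decision, e.g.
    //   array('type' => 'post', 'perm' => 'edit', 'owner' => 42).
    public function isAllowed(array $user, array $resource)
    {
        // Explicit denies win over every grant; anything unmatched is denied.
        if (in_array($user['id'], $this->deny['users'], true)) return false;
        if (isset($user['ip']) && in_array($user['ip'], $this->deny['ips'], true)) return false;

        if (!isset($this->rules[$resource['type']][$resource['perm']])) {
            return false;   // nothing grants an unknown type/permission
        }
        $grant = $this->rules[$resource['type']][$resource['perm']];
        if (in_array($user['role'], $grant['roles'], true)) return true;
        if (!empty($grant['owner']) && isset($resource['owner'])) {
            return $resource['owner'] === $user['id'];   // the forum-post case
        }
        return false;
    }
}

// Constructed rule table: editors edit any post, authors only their own,
// everyone reads, only admins delete. Deny list is constructed as well.
$acl = new SimpleAcl(
    array('post' => array(
        'read'   => array('roles' => array('admin', 'editor', 'member', 'guest')),
        'edit'   => array('roles' => array('admin', 'editor'), 'owner' => true),
        'delete' => array('roles' => array('admin')),
    )),
    array('users' => array(13), 'ips' => array('192.0.2.99'))
);

$alice  = array('id' => 42, 'role' => 'member', 'ip' => '192.0.2.10');
$banned = array('id' => 13, 'role' => 'admin',  'ip' => '192.0.2.10');
$edit   = array('type' => 'post', 'perm' => 'edit',   'owner' => 42);
$delete = array('type' => 'post', 'perm' => 'delete', 'owner' => 42);

var_dump($acl->isAllowed($alice, $edit));     // true: she owns the post
var_dump($acl->isAllowed($alice, $delete));   // false: no role, owner irrelevant
var_dump($acl->isAllowed($banned, $edit));    // false: deny beats the admin role
```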


Someone please make a website that does this (for programmers):

(Image: Rasmus Lerdorf at LinuxTag, via Wikipedia. Zemanta picked a good picture since there's only one link in the post: to PHP.)

The user picks a language. Say PHP for example. And starts a challenge.

The form has two input boxes with:



And the users visiting the site need to provide code in that language, that provides the output expected. And the result can be graded by either the questioner or perhaps the visitors, on speed, terseness and readability.

Obviously if the input is:


and the output is:


and some wiseass posts:

function doh($a){ echo 20; }

that isn’t what we’re looking for. There needs to be a bit of explanation such as “multiply by 2”. And “punishment” for wiseass answers.

What do y’all think?
