Tag Archives: PHP

Automated Documentation in PHP

I’ve been looking for some software to help me compile web-based documentation for a school that we work in.

What they are trying to do is write coursework modules for staff to follow, and then have them available on a site.

I know how this ends up. One of the ideas I had when they told me that they were writing modules was to put it all in word, and then generate PDFs at the end, using the headers for bookmarks in Adobe.

It was sound until I was told that there must be ‘no scrolling’, so that pupils with a 2-second timespan might be able to read it. I’m not convinced that the no-scrolling is the way to go, but I suppose it’s no better one way or another.

So, here we are. I’ve scoured the internet looking for something that will do the job nicely. I found some modules on the PEAR site that would allow me to create documentation and store links in a database. I liked the look of it, but it seemed that I might have been going a little off-track as with HTML Menu, I’d probably end up storing all of the data in HTML pages that I’d still manage and then place the menu in a database. Not fun.

Luckily, an offshoot of a PEAR project surfaced called PHP Dcoumentor while has some useful documentation (surprise, surprise), and seems to be able to generate documentation into a variety of formats from XML or DTD, which can’t be bad.

Steve was perplexed as to why we are doing this, when it means that we would have to go through everything that the tutors have written for the modules and reformat it. Ironically, if they had settled on my PDF idea in the first place, then it’s feasible that we could have used the Word styles as a starting block for the online styles.

Still, if someone wants to pay me to make documents look pretty, then I’m all for it.

Reverse Engineering Passwords

Hashing passwords is a common way to secure them in a database and make sure that they cannot be read easily.

But did you know there’s a website that reverse engineers the hashes and stores them in a searchable database?

The folks over at RedNoize have created such a site.

Obviously, there’s no better protection than keeping your databases tightly secured – but even so, it may be worth considering putting extra abstraction on passwords – just to make it that little more difficult.

Using the RTSP Protocol with the PHP header function

I had a great deal of trouble getting Internet Explorer to redirect the header to a RTSP link using the header function in PHP.

I found that in IE, I would get a HTTP 402 error (page has been temporarily moved). IE would happily sit there and tell me it could not be found.

Firefox was a little more robust and displayed a page which resolved an alternatve link – “Object Moved” gracing the page and a link to the rtsp link. This would also automatically open the link in Firefox.

Thankfully, I found the answer on the Jalix PHP manual.

I think that the idea is to generate a RAM-style link to the RTSP protocol rather than redirecting directly to it:

Header ("Pragma: ");
Header ("Cache-Control: ");
Header ("Expires: ");
Header ("Content-Type: audio/x-pn-realaudio");

# insert DB code here
print "rtsp://host.com:554/$filename";

That should happily create a working link to the RTSP transport.

And to Schu, yes – that saved me loads of time.

ASpell, PHP and IIS

I’ve been trying to introduce spell checking into my PHP application and have been hitting a small snag. It’s called ASPELL.

For the uninitiated, aspell is a command-line spelling utility to, well, do clever spelling stuff.

In Apache, aspell works wonderfully. In fact, I wouldn’t have even thought that there was a problem. IIS on the other hand has different issues.

It’s easy to ask why I’m running my application on both servers, so I’ll quickly explain that one.

When I’m developing, I use Apache. For me this is an internal facing server which facilitates my needs of having simple-to-use easily editable configurations.

IIS faces the rest of the world because it hosts my email server (Exchange), so I don’t really have a choice about what I have on port 80.

Because of this, I always run demos on port 80 as a lot of sites I work in only have port 80 available, so IIS the the chap.

Anyway, the bottom line is that when aspell wants to run in IIS, you’ll end up with something like the following error on the client browser:

System error: Aspell progrem execution failed ('aspell -a --lang=en_US < C:WINDOWSTEMPasp1FB.tmp 2>&1')
Catchy, eh?

The problem is that the Windows security model is not allowing PHP to use the shell_exec() interface. And quite rightly, too.

To work around this, you must set permissions for cmd.exe in %windir%\system32 to allow your website visitors to run these external applications.

NOTE Allowing this means that website visitors can theoretically upload scripts that can execute commands on your system. Be very very careful that you are the only person able to upload scripts. Take all other web-security precautions.

A good idea would be to create a dummy user account solely for the website you have created, and give that user minimal permissions on the server.

Finally, don’t blame me if your system gets hacked!

magic_quotes and other evils

Well, it seems that as the development of the learning platform trundles to it’s conclusion, I’m forced to look back at what has been done so far and say, “Bugger”.

Half way through the development I switched my development server from Linux to Windows, and unknown to me started using a server that had magic_quotes_gpc = on in the php.ini file.

What does that mean?

I wouldn’t have worried about it too much, really if it hadn’t been for the minutes from the PHP6 developer’s meeting which basically say that magic_quotes_gpc is out. It’s caused too much grief for developers and migration issues. I can see the point. It was very handy for preventing SQL injection easily, but then that’s no replacement for secure code.

So because I’ve gone through the code fixing errors where there weren’t actually any to begin with (due to manually working against escaping characters), now I must go through the code again to ensure that the code is working properly without magic quotes!

Also, I have had to implement two new functions from the PHP manual to ensure that magic_quotes will not upset the code in the future.

Here’s the code:

<code>
< ? php
function stripslashes_deep($value)
{
   return (is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value));
}

if (get_magic_quotes_gpc())
{
   $_GET    = array_map('stripslashes_deep', $_GET);
   $_POST  = array_map('stripslashes_deep', $_POST);
   $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
?>
</code>

By trying to run stripslashes on the array itself (if there is one), you destroy any keys and arrays that are passed through. If you rely on this, then you will wreck your code.

So, just run the script at the start of each page, and you should be okay.