DFL update

My boss wants a nice looking front-end to the new DFL site, even if all the links are broken, so expect something next week. As it currently stands the new design is going to borrow heavily from the current one, though it should use space a little bit better and display information a bit more logically. You can see the current site at The new site redesign is taking advantage of the Smarty Template Engine, so expect to see some Smarty tutorials in the near future.

WordPress 2.0 Final released

WordPress 2.0 final was released today. Since you’re at this blog, you’ve already seen it in action. I’ve read some comments on Digg where people are pretty happy with it – especially the spam zapper.

Essential PHP Security

Just received Chris Shiflett’s Essential PHP Security book in the mail today. If it’s like the other O’Reilly books it should be pretty good. It’s pretty short – a smidgen over 100 pages, so it’ll be a good quick read.

Plan on seeing practical examples of how to apply these security techniques – here.

Merry Christmas!

File access control

… and bandwidth throttling, using PHP.

If you’re in a situation where you need to control who has access to certain files/downloads, PHP can do it all for you. Even better, you can use the same script to throttle how quickly data is sent to the user. Let’s take a look at this problem:

First, you obviously need some kind of files that need protection. Make a downloads directory and stick a .htaccess file in there with the following contents:
Options -Indexes
Order Deny, Allow
Deny from all
Allow from none

Of course you’ll want to also put a file worth downloading: topsecretdownload.pdf

Create a file in your web root called download.php. In it you’re going to put some fairly straightforward code to send a file to only authorized users. There are a few things you should take care of yourself, such as proper escaping of user-supplied data and user validation (they’re beyond the scope of this post).

And there you have it! The files are safe from snooping via requests directly to Apache, and you can even make sure only the right people can download topsecretfile.pdf

If you want to throttle download for some reason, replace the readfile($file); line with the following code:

So, in this example, we don’t want any users to download faster than 20 kilobytes per second. sleep(1) basically makes sure the while() loop doesn’t execute faster than 1 time per second, though sleep() can be used in many other situations besides this.

One thing to point out: if you’re checking user authorization against a database, you probably want to close the db connection before you start sending the file over. This is because PHP will keep a connection to the DB open as long as the script is running, or until you explicitly close the connection before the end of the script. This is especially important as site traffic increases (there’s a chance of hitting the max allowed connections to the database).

Finally, you can always use mod_rewrite to make nicer URLs: http://www.domain.ext/files/topsecretfile.pdf instead of http://www.domain.ext/download.php?file=topsecretfile.pdf. I’ll leave that to another quick totorial.


edit: I just realized WordPress removed part of my code sample. Everything should be working fine now.

Digital Fish Library

I’d like to introduce you to the Digital Fish Library, of which I’m a developer on. The idea of this library is to catalog MRI data from hundreds of fish species worldwide and provide online analysis tools. It’s like open source resarch, so to speak. Scientists can log in and do dissections and other analyses if they wish. My job is to collect and post the data and develop the website.

The project is currently at if you’re interested in taking a look. I’m in the process of completely rewriting the codebase to take advantage of the Smarty template engine and PHP5’s support for object oriented programming.

ApacheCon Photos

I’m sorry this is such a lame post, but I’m in one of Chris Shiflett’s photos before Rasmus’s talk at ApacheCon.
This Photo Me: The second person from the left, sitting down. You can really only see the back of my head, and my shoulders, but I’m physically in-front of the camera man. Rasmus: the guy at the lectern.

Check-out Chris Shiflett’s blog at He has dozens of ApacheCon photos, mostly of the other PHP guys there. While you’re at it, cruise on over to the PHP Security Consortium site and learn something new:

Coming from Blogger *shudder*

Blogger is nice and pretty, and somewhat easy to use, but it’s really not that great. After a few short days on the service I’m already switching to WordPress (here) for the moment, and probably soon to switch to my own hosted version of WP in coming weeks.

The Meat at ApacheCon

Today really was my day at ApacheCon. Four of the five talks were on things I’m truly interested in – mostly PHP (see previous post). Rasmus gave an interesting talk about using PHP at Yahoo!. He gave some particulars about making high-performance, scalable systems. The other portion of his talk focused around XML support in PHP 5, as well as SOAP and REST services at Yahoo! (including a pretty cool Yahoo! Maps demonstration). There’s a similar demo on his toys blog: There were times, however, when he went a little to deep into the details, though I don’t think they detracted from the quality of the talk.

There was another good talk called “Consuming Web Services using PHP 5” by Adam Trachtenberg (eBay). For the amount of time allotted I think it was a pretty good discussion on what to expect when working on REST and SOAP clients.

Scalable Web Architectures: decent. It’s one of those that really got me thinking about how German and I are going to design the DFL system (fewer hits, but extremely high bandwidth per user).

Now for the fun part of this post: Ruby on Rails (RoR). “Cheap, fast, and Good. You can have it all with Ruby on Rails.” It seems like every RoR demonstration I’ve seen fails to really capture a whole lot of attention from the average web developer, including this one. When the presenter, who I believe is one of the main developers of RoR, says that a lot of it is “magic” that scares him because he doesn’t really know what’s going on, what are we supposed to think? Yeah – it’s great that they can make these easy to install frameworks, but you can’t deny that some amount of programming has to go into developing the framework, and after that, the consumer developers still have to figure it all out (or in many cases, practice some kind of voodoo automagical programming methods). Put it this way – it didn’t seem like a lot of those people were very excited after the talk. It appears RoR will remain a novelty for some time to come.

ApacheCon day 3

I’m in the company of celebrities in the world of PHP.

I just finished listening to a talk by Andrei Zmievski on Unicode character support in the upcoming PHP 6. Though I don’t know much about supporting multiple character sets (I’ve had not reason just yet to internatiionalize my code), I do know the problem/difficulty that PHP has with internationalization. Andrei did a very good job of explaining not only what the problems are in the current 5.1.x release, but also how PHP 6 is going to address these items specifically. Without going into any detail here, I can safely say that our jobs are going to be much easier.

The next talk is by Rasmus Lerdorf, the father of PHP. Why is this a big deal? PHP is not only an easy dynamic language to learn, but it’s also currently the most popular, and fastest growing, language on the web (according to sourceforge and other code repositories). His talk is going to be on large-scale PHP. Not quite where I’m at … YET, but these kinds of things are great because they tend to be very concerned with optimization and scaling.

Oh yeah – Christian Wenz and Chris Shiflett are also at these talks. Reminder: Talk to Chris and Christian about securing files w/ Denying access to directories and files via Apache, but reading through PHP if user has appropriate privs. Oh yeah – and the book, maybe.



And thus the second day of ApacheCon is over. It’s been a great conference so far, and I’ve learned quite a bit. My favorite talk thus far was the one on Web App Security by Christian Wenz. He’s one of Chris Shiflett’s buddies (who I also had a chance to meet this morning after the talk) over at PHPSec. I already knew what sorts of things went into breaking into sites, XSS, etc, but what I saw today was quite jaw-dropping at how easy it really is to do all these things. I suppose what’s been a great benefit to PHP will also be the downfall for many sites out there whose programmers haven’t been careful enough to check for tainted input.

Here’s a good start for those of you interested in more PHP security:

Thanks to German, the DFL story is getting around a bit. A lot of people really don’t know what to think when they hear about it, and understandably so. Then again, we’re also among the very few who belong to academic/non-profit organizations (FOSS aside). In essence, it’s an odd data processing web app built with Java and PHP. It’s a pretty original idea, and there have been very few, if any, projects to come before us doing similar things (none quite to this extent).