PHP libcurl example

In one of the sections of my “One Year of PHP at Yahoo!” talk I’m giving next week, I mention the security implications of the allow_url_fopen config setting.

I recommend that people set allow_url_fopen off, and instead use the libcurl extension to do server-side HTTP fetches.

Here’s a comparison of a simple HTTP fetch using both techniques.

allow_url_fopen = On

<?php
// Fetch over HTTP through the ordinary file API. This only works because
// allow_url_fopen is On, which also means every other fopen()-style call in the
// codebase will happily accept a URL.
$str = file_get_contents("http://www.example.com/");
if ($str !== false) {
    // do something with the content
    $str = preg_replace("/apples/", "oranges", $str);
    // Neutralize the remote markup before echoing it into our own page.
    // strip_tags() alone is not a reliable XSS defense; HTML-encode what remains.
    $str = htmlspecialchars(strip_tags($str), ENT_QUOTES, 'UTF-8');
    echo $str;
}
?>

allow_url_fopen = Off

<?php
$ch = curl_init("http://www.example.com/");
// Follow redirects, as file_get_contents() does by default.
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
// Return the body from curl_exec() instead of printing it straight to output.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$str = curl_exec($ch);   // false on a transport error
if ($str !== false) {
    // do something with the content
    $str = preg_replace("/apples/", "oranges", $str);
    // Neutralize the remote markup before echoing it into our own page.
    // strip_tags() alone is not a reliable XSS defense; HTML-encode what remains.
    $str = htmlspecialchars(strip_tags($str), ENT_QUOTES, 'UTF-8');
    echo $str;
}
curl_close($ch);
?>

It’s not that much additional work to use the curl extension, and in return you shield all of your regular file I/O against the possibility of accidentally acting as an open proxy: with allow_url_fopen off, a user-controlled string that reaches a file function can only name a local file, never a remote URL. You avoid having to scrutinize every usage of fopen(), readfile(), file_get_contents(), include(), require() and related functions for the possibility that they might be used with a URL, and, in the include()/require() case, end up executing whatever the remote server sends back.
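Here is the bug class spelled out next to the fix, as an added example that is not from the original post. It assumes PHP 7 or later with the curl extension; the page names, URLs and function names are made up for illustration, and CURLOPT_PROTOCOLS / CURLOPT_REDIR_PROTOCOLS postdate the 2003 post (they need PHP 5.2.10 or later), so they go beyond what the post’s own curl snippet does.

```php
<?php
// Added example, not from the original post. Shows what allow_url_fopen=On turns
// an ordinary file function into, and the pattern the post recommends instead.
// Assumes PHP 7+ with the curl extension; names and URLs below are made up.

// 1. The hazard: a "local" file function that was never meant to talk to the
//    network. With allow_url_fopen=On, ?page=http://attacker.example/ makes this
//    server fetch and relay an arbitrary URL (an open proxy); the same string
//    handed to include() would execute remote PHP. Even with the setting Off this
//    is still an arbitrary local file read, which step 2 also closes.
function show_page_unsafe(string $page): void
{
    readfile($page);
}

// 2. Local reads: refuse anything but a plain file name and anchor the path, so
//    no scheme, directory component or ".." can reach a stream wrapper.
function show_page_safe(string $page): void
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $page)) {
        throw new InvalidArgumentException('bad page name');
    }
    readfile(__DIR__ . '/pages/' . $page);
}

// 3. The one place a remote fetch is intended goes through curl, with redirects
//    pinned to http/https (a 302 to file:///etc/passwd or gopher:// is refused)
//    and a timeout so a slow remote host cannot tie up an Apache child.
function http_fetch(string $url, int $timeoutSeconds = 5)
{
    if (!preg_match('#\Ahttps?://#i', $url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => $timeoutSeconds,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return false;
    }
    return $body;
}

// 4. Belt and braces: complain loudly if the setting came back on (a new php.ini,
//    a different build), since the rest of the code now relies on it being Off.
if (ini_get('allow_url_fopen')) {
    trigger_error('allow_url_fopen is On; remote fetches must go through http_fetch()',
                  E_USER_WARNING);
}

// Usage
$page = $_GET['page'] ?? 'index.html';
show_page_safe($page);

$remote = http_fetch('http://www.example.com/');
if ($remote !== false) {
    echo htmlspecialchars(strip_tags($remote), ENT_QUOTES, 'UTF-8');
}
```

The point of the split is that only http_fetch() ever sees a URL, so it is the only function whose input you have to reason about as network-facing; readfile(), include() and friends stay local no matter what a request hands them.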

How to scale PHP

With one week to spare, I’m finished with the slides for “One Year of PHP at Yahoo!,” a talk that I’m giving next week at the O’Reilly Open Source Conference in Portland.

The finished product is quite a bit different than the abstract I submitted, but I think it’s a good thing. This talk ended up being much less about Yahoo! and much more about how to use PHP effectively in a high performance environment.

Here’s the new outline:

  1. Brief introduction to PHP
    • Where PHP fits in a web server architecture
  2. Scaling PHP
    • Five general techniques for high performance
  3. PHP Security
  4. Managing PHP
  5. Open Problems
    • Lessons learned after one year of PHP
  6. Q & A

Folks who come to the talk hoping to learn from an insider about how Yahoo! works are going to be disappointed. The PR group won’t let me give away any secrets this time. :-)

However, if you’re interested in seeing how PHP can be scaled to 1.9 billion pageviews a day, this talk is for you.

This talk is packed with content. I’ve got 30 slides but only 45 minutes of time. I’ll post the slides on Monday once I’ve got the final OK from PR.

[Update 8 July 2003: Slides for the talk are now available online.]

National Do Not Call Registry Opens

The opening of the National Do Not Call Registry, a free service of the federal government developed to give consumers a choice about getting telemarketing calls at home, was announced this morning by President George W. Bush, Federal Trade Commission (FTC) Chairman Timothy J. Muris, and Federal Communications Commission (FCC) Chairman Michael K. Powell.

Consumers nationwide can register online at DONOTCALL.GOV. Consumers in states west of the Mississippi River (including Louisiana and Minnesota) can register by calling, toll-free, 1-888-382-1222 (TTY 1-866-290-4236). On July 7, phone registration will be open to the entire country.

Working on my OSCON talk

It dawned on me recently that I’ve only got about 2 weeks before my One Year of PHP at Yahoo! talk at the O’Reilly Open Source Convention in Portland.

Here’s the section title slide for one of the parts of my talk:

Scaling PHP slide

I like talks that have lots of graphics, even if they’re a little goofy. I hate it when folks just put slide after slide of text. Those bullet-points communicate a lot of information, but they are really unpleasant to read.

[Update 8 July 2003: Slides for the talk are now available online.]

GIF Patent Expires Tomorrow

kuro5hin.org: “On Friday, 20th June 2003, the death knell sounds for US patent number 4,558,302. Having benefitted its owner, the Unisys Corporation for 20 years, the contents of the patent are entered into the Public Domain and may be used absolutely freely by anyone.”

Note however that the patent only expires in the USA tomorrow. The popular GD Graphics Library will not include GIF creation capabilities until the patent expires world-wide on July 7th, 2004.

Shared Libraries on my mind

I just finished writing up 4 pages of documentation on how to correctly build shared libraries for FreeBSD using Yahoo!’s Makefile macros. The fact that Makefiles are such a black art probably explains the popularity of alternative build systems.

I’m sure a bunch of these ideas will be covered in Theodore Ts’o’s Designing and Creating Great Shared Libraries talk in a few weeks, but I wanted to write down a couple of key points before I forget:

  • Using the -soname linker option is good because it guarantees that code built against your library (either an executable or another .so) only gets used with a binary-compatible version of your library: the SONAME, not the file name, is what gets recorded in the dependent’s NEEDED entry, so bumping it when you break the ABI keeps old binaries from silently loading the new library. If you make an unversioned library, you’ll probably need to rename it when you add versioning.
  • Passing the -no-undefined flag to the linker (libtool’s spelling; GNU ld calls it --no-undefined or -z defs) can save you lots of trouble. It’s way better to have your make fail because of an undefined symbol than to end up with errors like this on Apache startup:

    Syntax error on line 68 of /usr/local/etc/apache/httpd.conf:
    /usr/local/libexec/apache/mod_yscript.so: Undefined symbol "Bar__3FooiPCc"

  • -fPIC good. TEXTREL bad. Text relocations mean the dynamic linker has to write into code pages at load time, which kills page sharing between processes, slows startup, and can get the library refused outright by hardened loaders (PaX, SELinux execmod) that don’t allow writable code.
  • objdump -p is a really useful tool: its Dynamic Section listing shows you the SONAME, the NEEDED entries and whether a TEXTREL flag is set.
  • Even after 16 years of development, there are still bugs in gcc.
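The build and check those bullets describe, as an added example (not from the original post, and not Yahoo!’s Makefile macros). It assumes a gcc- or clang-compatible cc with an ELF linker that understands -soname and --no-undefined (FreeBSD or Linux) plus objdump from binutils; libdemo and libbroken are made-up names. The check_solib_dump function works on the text of objdump -p, so it can be run on a saved dump without a compiler.

```sh
#!/bin/sh
# Added example, not from the original post. Builds a versioned, PIC, fully
# resolved shared library and verifies it with objdump -p; also shows
# --no-undefined catching a dangling symbol at link time.
# Assumes cc + ELF linker + binutils objdump; libdemo/libbroken are made up.

# check_solib_dump: read `objdump -p LIB` on stdin. Succeeds only if the
# Dynamic Section carries a SONAME and no TEXTREL entry; says why otherwise.
check_solib_dump() {
    awk '
        BEGIN     { bad = 0 }
        /SONAME/  { soname = 1 }
        /TEXTREL/ { textrel = 1 }
        END {
            if (!soname) { print "missing SONAME (library is unversioned)"; bad = 1 }
            if (textrel) { print "TEXTREL present (not built with -fPIC)"; bad = 1 }
            exit bad
        }'
}

# check_solib LIB: run objdump -p on a real file and apply the same test.
check_solib() {
    objdump -p "$1" | check_solib_dump
}

# build_demo DIR: build libdemo.so.1 in DIR, show --no-undefined rejecting a
# broken library, then check the good one.
build_demo() {
    dir=$1
    cc=${CC:-cc}
    cat > "$dir/demo.c" <<'EOF'
int demo_answer(void) { return 42; }
EOF
    cat > "$dir/broken.c" <<'EOF'
int missing_symbol(void);                      /* declared, never defined */
int demo_broken(void) { return missing_symbol(); }
EOF
    # Versioned, position-independent, fully resolved. The -soname value, not
    # the file name, is what ends up in each dependent's NEEDED list.
    "$cc" -shared -fPIC -Wl,-soname,libdemo.so.1 -Wl,--no-undefined \
        -o "$dir/libdemo.so.1" "$dir/demo.c" || return 1
    ln -sf libdemo.so.1 "$dir/libdemo.so"      # link-time name for -ldemo

    # Same flags on a library with a dangling reference: the link fails here,
    # not at Apache startup.
    if "$cc" -shared -fPIC -Wl,-soname,libbroken.so.1 -Wl,--no-undefined \
           -o "$dir/libbroken.so.1" "$dir/broken.c" 2>/dev/null; then
        echo "unexpected: --no-undefined did not reject missing_symbol" >&2
        return 1
    fi
    echo "libbroken.so.1: link correctly refused (undefined missing_symbol)"

    check_solib "$dir/libdemo.so.1" && echo "libdemo.so.1: SONAME present, no TEXTREL"
}

# Usage: sh build-check.sh demo
case "${1-}" in
    demo)
        tmp=$(mktemp -d) || exit 1
        build_demo "$tmp"
        rc=$?
        rm -rf "$tmp"
        exit $rc
        ;;
esac
```

Dropping -fPIC from the first compile line is the quickest way to see check_solib fail on a real library: objdump -p will then list a TEXTREL entry for libdemo.so.1.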

Now I’ve gotta go hire a tech writer to clean up my doc.

Real Nice Clambake

This was a real nice clambake,

We’re mighty glad we came.

The vittles we et

Were good, you bet,

The company was the same.

Our hearts are warm, our bellies are full,

And we are feeling prime.

This was a real nice clambake,

And we all had a real good time.

(See also Hukilau)