Archive for February, 2007
Wordpress 2.0.7
By Justin Silverton
Even though this news is a little old, I think it is important that people know about this release (you should only need to upgrade to this version if you are currently running the 2.0.X version of WordPress).
Here is the list of updates:
- Security fix for wp_unregister_GLOBALS() to work around the zend_hash_del_key_or_index bug in PHP 4 versions less than 4.4.3 and PHP 5 versions less than 5.1.4 with register_globals set to “On.”
- Feeds now properly serve 304 Not Modified headers instead of mismatched 200/304 headers (a.k.a. the FeedBurner bug).
- Backport of another 304 Not Modified fix from WordPress 2.1
- Deleting WordPress Pages no longer gives an “Are You Sure?” prompt.
- After deleting a WordPress Page, you are now properly redirected to the Edit Pages screen.
- Sending an image at original size in Internet Explorer no longer adds an incorrect “height” attribute.
go here for more details.
No comments
PHP 5.2.1 released
By Justin Silverton
PHP 5.2.1 has been officially released.
The following are some new security fixes/improvements:
- Fixed possible safe_mode & open_basedir bypasses inside the session extension.
- Prevent search engines from indexing the phpinfo() page.
- Fixed a number of input processing bugs inside the filter extension.
- Fixed unserialize() abuse on 64 bit systems with certain input strings.
- Fixed possible overflows and stack corruptions in the session extension.
- Fixed an underflow inside the internal sapi_header_op() function.
- Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
- Fixed possible stack overflows inside zip, imap & sqlite extensions.
- Fixed several possible buffer overflows inside the stream filters.
- Fixed non-validated resource destruction inside the shmop extension.
- Fixed a possible overflow in the str_replace() function.
- Fixed possible clobbering of super-globals in several code paths.
- Fixed a possible information disclosure inside the wddx extension.
- Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
PHP 4.4.5 with equivalent security corrections will be available shortly.
Upgrade instructions are also available here.
No comments
5 tips for creating high performance web apps
By Justin Silverton
The following are five tips that can help with performance when writing PHP applications (some can be applied to other languages).
1) Use multi-resultset queries to your database rather than many small ones
Look through your database code to see if you have requests that go to the database more than once. Each of these will decrease the number of requests per second your application can serve. By returning multiple resultsets in a single database request, you can not only cut the total time spent communicating with the database but also make your app more scalable by cutting down on the work the database server is doing to manage requests.
2) page/object caching
Templates caching (a previous article I wrote describes some template engines here)
PHP Object caching
- ionCube (commercial) - This one is unique because you don’t have to have server extensions installed.
- Alternative PHP Cache (free) - will be included with PHP 6.
- Turck MMCache (free) - includes an encoder and loader, so you can distribute your scripts without the source.
Database object caching
- memcached - used by LiveJournal and slashdot.org.
3) gzip compression
Enabling this may increase CPU utilization (because it takes more processing power to gzip a file), but it will decrease the number of bytes sent from your server, save your bandwidth, and generally make your site faster for your visitors.
To enable gzip compression, add the following to your php.ini:
zlib.output_compression = 1 (requires PHP 4.0.5 or above)
zlib.output_compression_level = X (X = 0 through 7. The higher the number, the more the output will be compressed. Be careful when choosing higher numbers, as they take much more processing power.) (requires PHP 4.3.0 or above)
4) tune your web server
A large list of Apache (version 2.0) performance tips can be found here.
5) Don’t save performance testing for the end of the project
If you save performance testing until the end of the project, it may already be too late and take too much time to make the necessary architectural changes. Tests can be performed on individual pieces of your application or the application as a whole.
10 comments
How to stop IE from caching AJAX requests
By Justin Silverton
While working on an AJAX project over the weekend, I ran into the following issue: every time I tried to call a certain function (through a GET request), it was returning the same data (which was supposed to be different each time).
I first tried the following (which should disable browser caching):
(in PHP)
<?php
// Tell the browser (and any intermediate cache) not to reuse this response.
header( "Expires: Mon, 26 Jul 1997 05:00:00 GMT" );                  // a date in the past
header( "Last-Modified: " . gmdate( "D, d M Y H:i:s" ) . " GMT" );   // always "just modified"
header( "Cache-Control: no-cache, must-revalidate" );                // HTTP/1.1 caches
header( "Pragma: no-cache" );                                        // HTTP/1.0 caches
The data still did not change.
I finally came to the following solutions:
1) Use a POST request. When using it with XMLHttpRequest, it is slightly more complicated.
2) add a unique identifier to the end of my GET url.
I chose #2. A unique identifier can be created using the current date and time. Here is a simple way to generate this (in JavaScript):
var xmlHttp;                              // global request object used below
function createXMLHttpRequest() {         // helper not shown in the original post (assumed)
    xmlHttp = window.XMLHttpRequest ? new XMLHttpRequest()
                                    : new ActiveXObject("Microsoft.XMLHTTP"); // older IE
}
var date = new Date();
var timestamp = date.getTime();           // milliseconds since the epoch: differs on every call
createXMLHttpRequest();
xmlHttp.onreadystatechange = handleMessages;   // handleMessages: your response callback
xmlHttp.open("GET", "script.php?time=" + timestamp, true);   // unique URL, so IE cannot reuse a cached copy
xmlHttp.send(null);
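As an added example (not code from the original post), here is a small helper that builds the cache-busting URL the post describes, but also handles the cases the plain "script.php?time=" + timestamp concatenation does not: a URL that already has a query string, a #fragment, or an earlier time= value left over from a previous poll. The parameter name "time" comes from the post; the xhr argument of sendCacheBustedGet is assumed to be any XMLHttpRequest-like object so the flow can be exercised outside a browser.

```javascript
// Added example: build a cache-busting URL for a GET request.
// Keeps an existing query string, keeps a #fragment at the end, and
// replaces a previous value of the bust parameter instead of stacking
// a new one on every call (otherwise a polled URL grows without bound).
function cacheBust(url, timestamp, param) {
  param = param || "time";                       // query key, as in the post
  var hashIndex = url.indexOf("#");
  var fragment = hashIndex >= 0 ? url.slice(hashIndex) : "";
  var base = hashIndex >= 0 ? url.slice(0, hashIndex) : url;

  var queryIndex = base.indexOf("?");
  var path = queryIndex >= 0 ? base.slice(0, queryIndex) : base;
  var query = queryIndex >= 0 ? base.slice(queryIndex + 1) : "";

  // Keep every existing pair except an earlier copy of the bust parameter.
  var kept = [];
  var pairs = query.length ? query.split("&") : [];
  for (var i = 0; i < pairs.length; i++) {
    if (pairs[i] === "") continue;
    var key = pairs[i].split("=")[0];
    if (decodeURIComponent(key) !== param) kept.push(pairs[i]);
  }
  kept.push(encodeURIComponent(param) + "=" + encodeURIComponent(String(timestamp)));
  return path + "?" + kept.join("&") + fragment;
}

// The request sequence from the post, with the URL built by cacheBust.
// xhr is any XMLHttpRequest-like object (a real one in the browser, a stub
// in tests); now may be supplied to make the URL predictable. Returns the URL used.
function sendCacheBustedGet(xhr, url, onReady, now) {
  var busted = cacheBust(url, now === undefined ? new Date().getTime() : now);
  xhr.onreadystatechange = onReady;
  xhr.open("GET", busted, true);
  xhr.send(null);
  return busted;
}
```

Note that this only defeats the browser cache; the server-side headers in the post are still the right way to tell caches that the response is not reusable.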
Who really owns Linux?
By Justin Silverton
The Linux operating system is based on community. Many of the utilities and functionality are based on the hard work of open source developers from around the world. A recent article here is slightly disconcerting to me.
From the article:
“The Free Software Foundation is reviewing Novell Inc.’s
“The community of people wants to do anything they can to interfere with this deal and all deals like it. They have every reason to be deeply concerned that this is the beginning of a significant patent aggression by Microsoft,” Eben Moglen, the Foundation’s general counsel, said on Friday.
The foundation controls intellectual property rights to key parts of the open-source Linux operating system.
Novell angered members of the open-source community that develops Linux and other free software programs in November when it entered a wide-ranging business deal with Microsoft.
Critics called on the board to punish Novell by banning it from distributing new versions of Linux software, said Moglen.
Linux is the most popular variant of open-source software. Unlike proprietary software such as Microsoft Windows, open-source software lets developers share code and add functions and is generally available at no cost.
Moglen said the board has not made a decision on the matter but that he expects it to announce a ruling within two weeks.
If the foundation decides to take action, the ban would apply to new versions of Linux covered under a licensing agreement due to take effect in March”
I don’t necessarily agree with what Novell is doing, but why ban them from selling linux? If they haven’t violated the GNU in any way (although many might not like the fact that they are involved with Microsoft) I see no reason to ban them from selling linux.
I also find this very hypocritical from an organization that is against intellectual property (The only reason they can ban novell or any other company from selling linux is because they own the intellectual property on many of the tools that make up the operating system).
Update (2/4/07): A clarification of the above article has been posted here
Novell can still use and sell Linux (and GNU based software) under the GPLv2. However, anything under the new license (GPLv3) they will not be able to sell because of the patent dealings with Microsoft. This isn’t as bad as I originally thought, but it still makes me wonder how far the FSF will go to “protect” free software.
Companies should start stocking up on GPLv2 software.
No comments