Blog Archive

Public key encryption on php|architect

Date: 01 Mar 2011
Tags: [ magazine ]  [ php|a

Yesterday the February edition of php|architect came out. I always look forward upon the new release every month, but even more so this month since it features an article about “Public Key Encryption” I’ve written for php|a. It’s more or less a written version of my public key authentication 101 talk and consists of not only the theory behind it, but also some php examples on using public key authentication in your own projects. As always, comments on either my blog or php|architect’s are welcome.

Back to basics: TCP

Date: 20 Feb 2011
Tags: [ b2b ]  [ tcp

TCP is one of the core protocols for the TCP/IP suite. It provides a reliable data connection without you needing to worry about errors, congestion and other communication problems that haunt the internet. But how does TCP work? It’s another edition of the back-to-basics series.

Having fun with Arduino

Date: 09 Feb 2011
Tags: [ arduino ]  [ C ]  [ electronics

So yesterday I’ve finally received my Arduino Mega. If you know me, you know I’m not even capable (or allowed) to handle a screwdriver, let alone something even more complicated things like transistors, resistors etc..  However, with the help of some friends over on the #pfz channel on freenode to create the schematics, I’ve made - and programmed -  a very simple lcd-counter consisting of 3 times a  4-digit 7-segment lcd’s.

memcache internals

Date: 06 Feb 2011
Tags: [ memcache

Memcache is a pretty well-known system inside the web-community and for a good reason. It’s fast, flexible, lightweight and it looks like installing memcache on your servers automatically increases your website speed tenfold or more. Ok, so that’s a bit over the top, but still: having a good caching-strategy in place can help your website/application. If you want to know how to implement memcache in your website you’re out of luck. This post isn’t about starting with memcache. We are going to pop the trunk and see what’s under the hood.. What exactly makes memcache so magical??

Password hashing and salting

Date: 02 Feb 2011
Tags: [ hash ]  [ md5 ]  [ nacl ]  [ salt ]  [ sha ]  [ sodiumchloride

The thing everybody (should) know is that when you want to secure passwords in - let’s say - a database, you have to hash to them. It’s kind of a golden rule but is it safe enough? Ask a more experienced user and they probably tell you to add some salt. Ask the reason why and they will probably say “it’s because it makes the password longer and more secure”. Even though it is true in effect that using a salt increases the overall security of your hashes BUT it’s not only because your passwords are longer. There is a another (maybe even more important) factor that comes into play, namely the fact they are more secure against rainbow table attacks, but that depends on HOW you season your hashes. Season it incorrectly, and you gain nothing in security even though you think you did….

Make me a sandwich. Ok!

Date: 01 Feb 2011
Tags: [ root ]  [ sandwich ]  [ sudo

I have to admit it: grew up with unix “the wrong way”. Instead of having decent user-accounts for every employee, all our work was done under the root-account. The main reason for this is that our software deployment system didn’t really worked the way it should and I guess nobody really cared. It worked.. login as root on our (private) systems and call the compile+install script… Furthermore, there were about 14 different unix-flavours available, and only 2 or 3 persons with access to them. Again, all internal systems just for compiling and testing. A good thing.. yes and no.. It feels like I started learning to ride a bike on a ATB instead of a tricycle I guess..

Talking at the PHP Benelux 2011

Date: 23 Jan 2011
Tags: [ conference ]  [ PHP ]  [ talk

[][1]As you might know, the PHPBenelux Conference 2011 is right around the corner. Happy to inform you that not only will I attend, but also will be speaking at this event. My talk will be about the awesome things you can do with Sed & Awk. Not necessarily a talk you would expect on a PHP congress, but on the other hand, maybe it’s just precisely a talk you might expect. Not only will I talk about WHAT you can do with sed & awk, but also why and when you should - or shouldn’t - use it. It will be a fast-paced, information-loaded, things-you-probably-never-knew talk so make sure you keep your seat-belts on and remain seated until the vehicle has come to a complete stop.

Conferences like these are an awesome way to gain knowledge about everything related to PHP, web development and above. Even though my personal interests lies with web-development in general, I really like to show other developers the broader perspective in which you are just a small part:  your application runs on a database which needs to be setup and maintained, you run on an infrastructure that needs to be setup and maintained, you might talk with 3rd party applications and so on… I hope to see you around during my session and try to discover some sweet tools that, even if you not going to use them on daily basis, at least you know they’re there, ready to do all your complex stuff developers always like to automate…

Using syslog for your php applications

Date: 12 Jan 2011
Tags: [ logging ]  [ PHP ]  [ syslog

Linux, and other unices have an excellent system to centralize log events. This is done through syslog. This system removes the need for every application to maintain their own log files and let the syslog server handle all the events. Depending on the type of event that is logged, it can take additional action like alerting you through email or even text-messaging if a critical event occurs. No system administrator can live without syslog and is normally the first place to look for signs of trouble on a system. So instead of writing our own log system for your application, why not use an existing one?

PHP 5.4: RegexIterator::getRegex()

Date: 06 Jan 2011
Tags: [ core ]  [ patch ]  [ PHP ]  [ regexiterator ]  [ spl

Recently, my colleague Jeroen van Dijk needed to extend (or better yet: override) the accept()* method for the RegexIterator. Turns out this wasn’t as easy as it might sound in practice. So after extending and overriding multiple methods he found an acceptable solution. But there is room for improvement. And starting from PHP 5.4, this improvement is available through regexiterator::getregex() method.

12 tips for securing your linux systems

Date: 05 Jan 2011
Tags: [ linux ]  [ security

From time to time I get amazed how people can setup their production servers. At the smallish development companies there is no real system administrator available to setup the systems and to keep them up to date. Now I’ve seen systems that have been setup ranging from “somebody with sufficient knowledge” to “this-was-setup-by-the-janitor” and everything in between. So, if you are a “programmer who knows a bit about Linux because you’re using Ubuntu”, but you have no real idea on how to SECURELY setup a system, here are some tips.

Github gists: revisioned code snippets for free

Date: 26 Dec 2010
Tags: [ gists ]  [ github

If you maintain a tecnhnical programmers blog, you occasionaly need to post code snippets. I use a syntax highlighter plugin on my blog to make those snippets look nice and highlighted. It works and it’s easy enough to implement and maintain. But Github might come with a even better solution: gists…

Enrise: Appending the appenditerator

Date: 26 Dec 2010
Tags: [ spl ]  [ iterator

I’ve posted a blog at the @enrise techblog about enhancing SPL’s appenditerator. This lovely iterator can be useful from time to time but it does not always do what you need. Here’s how you can easily create your own iterator:

InnoDB isolation levels

Date: 20 Dec 2010
Tags: [ innodb ]  [ MySQL ]  [ transaction

When asking what THE advantage of InnoDB over other MySQL engines like MyISAM is, then 9 out of 10 times the answer will be that InnoDB supports transactions. And it’s true. But there is more about transactions than meets the eye. Let’s explore one of the most difficult area’s: isolation levels.

The first few milliseconds of https

Date: 19 Dec 2010
Tags: [ tls ]  [ ssl

I was on the verge of creating a post about the TSL/SSL handshaking, when I discovered a blogpost about the very same subject. Since I don’t think it’s of much use to blog about exactly the same thing, and I can really recommend Jeff Moser’s page so please read and understand it.

Tutorial: how to manage developers

Date: 18 Dec 2010

This post is not so much for developers as it is for the managers and bosses from those developers. As you probably know by now, managing software engineers (or programmers) is not an easy task. They just don’t like to play by the rules you always took for granted. Why is that? Why are those pesky programmers too hard to handle? Why is it so hard to sit down, write code and shut up??

Composite key autoincrements

Date: 17 Dec 2010
Tags: [ autoincrement ]  [ MySQL

Autoincrement is sometimes called a “poor-man-sequence”. Sequences in other DB systems are counters that can be used for automatically number fields when inserting data, just like autoincrement in MySQL does, but they can be much more complex. However, in MySQL you do not always you want or need increments of 1. Sometimes you need something a little more complex than that and MySQL leaves you pretty much in the cold.  There is a neat little trick that can solve some “autoincrement” problems…

OAuth timestamps and nonces

Date: 16 Dec 2010
Tags: [ nonces ]  [ oauth ]  [ replay-attack ]  [ timestamps

Oauth is a very popular authentication mechanism used for a lot of web applications. And not without good reasons. It is relatively easy to implement, has different flavours (2-legged, 3-legged system) so you can use almost anywhere that requires authentication and authorization. This post is not about how to implement oauth. That can be found in much greater detail than I can explain here, but about two tiny details that can make or break your oauth security: the oauth nonce and timestamp.

What kind of day has it been

Date: 14 Dec 2010

For the readers who get the Aaron Sorkin reference in the title, do not be alarmed: this will NOT be my final blog post, just the last of the season. One year ago I’ve decided to do some (active) blogging about all tech related things I encounter in both my professional as my private life which I find interesting enough to share with the world (or at least with google). So, after blogging one year, was it worth it?

PHP srand problems with suhosin

Date: 13 Dec 2010
Tags: [ PHP ]  [ rand ]  [ suhosin

Today I stumbled across an odd problem which took me about an hour to figure out what was going on. It had to do with mt_srand(), where it looked like it didn’t work properly. I needed a repeatable sequence of random numbers (which is EXACTLY what the Mersenne Twister produces) so I used mt_srand() with a fixed number (for testing purposes) and tried to see if the same sequence of random values were generated by mt_rand()..  It didn’t…

SSL and Virtualhosting

Date: 12 Dec 2010
Tags: [ apache ]  [ sni ]  [ ssl ]  [ tls ]  [ virtualhosting

SSL and virtualhosting on 1 IP address? I can’t be done! Well, this might have been the case a few years ago but times has changed. Let’s explore the possibilites to have multiple hosts running on the same IP address AND all of them have their own separate SSL domain and certificates. It’s possible, but with a few catches..