Saturday, December 16. 2006

Taint mode for PHP?

Wietse Venema, the creator of the Postfix MTA, posted a proposal for a "taint mode" to the PHP internals list. Before commenting on his proposal, I'd like to give a short intro on what a "taint mode" is.

Consider the 2 main types of data you are using in an application. The most significant division you can make is between "incoming" and "outgoing" data (there is also "internal" data, which just stays inside your application, but that is not of interest here). "Incoming" data is everything that is received/requested/injected into your application: for example, the $_GET/$_POST/$_COOKIE/... arrays in your PHP application contain "incoming" data, but so does everything you receive from a database, a file, a shell script or anywhere else. "Outgoing" data (in contrast) is everything you provide to external resources, like echo'ing a string, sending a query to a database, submitting arguments to a shell command or writing to a file.

As you should know, most (all) of your "incoming" data is potentially dangerous and insecure. This might apply more to the superglobal arrays and less to files and database results. But if you think a bit deeper and consider that your database might be compromised or somebody might have manipulated a file maliciously, this kind of "incoming" data contains a potential security risk, too. So, every kind of "incoming" data has to be considered potentially bad (I think this is the most basic mantra of web application development). In contrast, "outgoing" data (most commonly, if it depends on incoming data) is potentially insecure for your users and/or your application directly (XSS, SQL injection, ...).
At this point of the consideration, the "taint mode" comes into play: every single bit of "incoming" data is insecure, it is "tainted". In taint mode, your interpreter flags all incoming variables as "tainted". If you then perform a potentially insecure operation with the tainted data, you will be notified. For example, if you just take a POST variable and use it in an SQL query, you are using tainted, incoming data and open up a wide security hole. In "taint mode", the PHP interpreter would stop and inform you about this issue. In order to fix it, you have to use a specific mechanism to "clean" your data before using it. In our example, this would be to escape the data properly before using it in SQL, or to use variable binding. The same aspect applies the other way around: if you retrieve data from a database and just echo it to the user, it might contain insecure HTML and script code. This data is tainted, too; you need to escape the HTML characters properly (htmlspecialchars()) before sending it to the browser.

So, let us come back to Wietse's proposal about a "taint mode" for PHP. While this topic was raised multiple times before on the internals list, I never saw such a well-thought-out and detailed proposal so far. Remember that I'm neither a C, nor a Zend Engine, nor a security expert. But what I read there impressed me quite a lot. I don't want to repeat the whole proposal here, but I can give a short roundup: Wietse wants to have "taint mode" turned off by default, which makes sense to keep backwards compatibility. Turning it on is mainly for development and educational reasons. When switching on "taint mode", every bit of incoming data is marked tainted by PHP itself internally. In a first step, every function/primitive (further on referred to as "function") in PHP will be marked as protected by default, which means that it will not accept tainted data and will always return tainted data.
The second step will be to identify 2 further groups of functions: permeable and sanitizing functions. While permeable functions will only return tainted data if they received tainted data (like substr()), sanitizing functions are used to untaint data (like htmlspecialchars()). Using this kind of process to introduce "taint mode" smoothly has 2 big advantages: 1. Because it is off by default, no application will break when upgrading. If you want to know more about the proposal in general, I'd suggest reading it directly in the internals archives (and possibly the huge thread it spawned, too).

What follows now is my personal opinion: As already stated, I think Wietse's proposal is really good and well thought out. He read a lot of literature beforehand and described the overall idea on a really well-founded basis. Besides that, he seems to already have a working proof of concept, which is great! I really think having an optional "taint mode" in PHP would be an absolutely large benefit for all of us. There are 2 main reasons which make me think so:

a) PHP is easy to learn and the perfect tool for rapidly developing web applications. But exactly this is the danger: every inexperienced guy can just start off with writing a web app and will most probably make his first security error in his first 10 minutes. Surely, this can be blamed on the inexperienced developer, who probably did not read a single bit of literature on web security beforehand. But anyway, with "taint mode", this guy gets a handy tool which tells him exactly where he might have done something seriously wrong. For sure, this is not the solution to all of our problems (like XML is, e.g. ;), but it still helps to identify a huge amount of them.

b) Even if you are a highly professional PHP expert with many years of web development experience, even if you are a highly experienced hacker who knows every single bit about web and code security: everybody makes mistakes.
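The propagation rules described above (protected sinks, permeable functions like substr(), sanitizing functions like htmlspecialchars()), as an added Python model that is not Wietse's patch and not PHP: each value carries one taint label per sink, so a sanitizer clears only the label of the sink it cleans for, which goes beyond the proposal's single flag; passing single_bit=True to a sanitizer reproduces the one-flag behaviour instead. The sql_quote helper and the two sink names "html" and "sql" are assumptions of the model.

```python
"""Toy model of a PHP-style taint mode (added example, not Wietse's code)."""
from dataclasses import dataclass
import html

SINKS = frozenset({"html", "sql"})      # the two sinks this model knows


class TaintError(Exception):
    """Raised where taint mode would stop the interpreter."""


@dataclass(frozen=True)
class Value:
    text: str
    taints: frozenset = frozenset()     # empty set means clean

    @property
    def tainted(self) -> bool:
        return bool(self.taints)


def incoming(text: str) -> Value:
    """Anything from $_POST, a DB row, a file ...: tainted for every sink."""
    return Value(text, SINKS)


def substr(v: Value, start: int, length=None) -> Value:
    """Permeable: the result is tainted exactly as its input was."""
    end = None if length is None else start + length
    return Value(v.text[start:end], v.taints)


def htmlspecialchars(v: Value, single_bit: bool = False) -> Value:
    """Sanitizing for the html sink; single_bit models the one-flag proposal."""
    cleaned = html.escape(v.text, quote=True)
    return Value(cleaned, frozenset() if single_bit else v.taints - {"html"})


def sql_quote(v: Value, single_bit: bool = False) -> Value:
    """Sanitizing for the sql sink (hypothetical helper, doubles quotes)."""
    cleaned = v.text.replace("'", "''")
    return Value(cleaned, frozenset() if single_bit else v.taints - {"sql"})


def _guard(v: Value, sink: str) -> None:
    if sink in v.taints:
        raise TaintError(f"{sink} sink received data still tainted for {sink}")


def echo(v: Value) -> str:
    """Protected sink: refuses data still tainted for html."""
    _guard(v, "html")
    return v.text


def query(v: Value) -> str:
    """Protected sink: refuses data still tainted for sql."""
    _guard(v, "sql")
    return f"SELECT * FROM users WHERE name = '{v.text}'"


def accepted(sink, v: Value) -> bool:
    """Does the protected sink take this value?"""
    try:
        sink(v)
        return True
    except TaintError:
        return False


if __name__ == "__main__":
    name = incoming("O'Neil <b>")                      # constructed POST input
    print(accepted(query, name))                       # raw input into SQL: refused
    print(accepted(echo, substr(name, 0, 6)))          # substr is permeable: refused
    print(accepted(query, htmlspecialchars(name, single_bit=True)))  # one flag: accepted
    print(accepted(query, htmlspecialchars(name)))     # per-sink labels: refused
    print(query(sql_quote(name)))                      # cleaned for sql: accepted
```

The single_bit=True case is exactly the drawback the post raises: an HTML-escaped value is not safe for SQL, yet a single flag cannot tell the two apart.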
Having a "taint mode" will give you a great possibility to simply check your application for a large number of mistakes you might have missed somewhere.

Surely, the basic implementation of "taint mode" for PHP would still have some drawbacks. For example, Wietse does not plan to divide levels of taintedness directly. This means that you could clean a variable by running htmlspecialchars() on it, but this would not save you from SQL injection anyway, while the PHP interpreter would think so. The main reason here is the overhead that is added to every single zval (the main PHP internal data structure) and to the function calls, which need to check for taintedness every time (remember, the latter should not affect your production environment largely, since these checks need to be performed only when "taint mode" is switched on). Adding more information than just "tainted" or "clean" (a boolean flag, which could possibly cause just 1 bit of overhead) to the zval would cause a much higher memory overhead. But anyway, just knowing which variable is still tainted when being submitted to a potentially dangerous function is a great help! And for the first step, it would suffice here to give the user some info on how he can clean a variable correctly for the specific purpose (like htmlspecialchars() for echo and bindParam() for a PDO query). And if designed well (which I think will be the case, if it happens), the "taint mode" should be extensible enough to add levels of taintedness later on.

Overall, I think this whole thing would be a great addition to PHP and I hope this could come for 6.0. What do you think? More information about taint mode in other languages (like Perl and Ruby) can be found here: 1 2

Friday, October 13. 2006

PHP Weekender: All slides online

I've just put the slides from our PHP Weekender event online. You can find them on the PHP Weekender website for download.

Sunday, October 8. 2006

Final roundup: PHP Weekender is over

The second day of the PHP Weekender is over now, too. We are happily looking back on a great event and I want to thank Benjamin Schwertfeger and Dave Kliczbor from the Computer Science faculty of the University of Dortmund for their engagement. Besides that, we want to thank all the attendees and my fellows from the PHP Usergroup Dortmund for coming and making this event such a great success! Today at 9:30 Kore and I started the day with a 3 hour session about "PHP best practices". We enhanced our slides from FrOSCon this year with a section about debugging and one on OOP in PHP. Right in time for lunch, we finished the talk with about 60 satisfied and quite "knowledge filled up" attendees. After lunch, we again split into 2 tracks. Tobias Struckmeier (most of the time assisted by someone else) handled the 2nd introduction workshop, which was actually the rest of the first workshop, since we had much too much stuff for the attendees. In parallel, Kore and I stepped up again and gave an overview of PHP 5's advanced OO features (like ArrayAccess and Iterator, overloading and ObjectStorage). After that, Kore took over the stage on his own and visualized his view on the topic "Enterprise PHP", which was a really interesting talk. Last but not least, Jakob Westhoff gave an introduction to database abstraction and ORM. All talks went really well (thanks to factors like really good equipment and the absolutely brilliant preparation of all PHP UG Dortmund members). We finally had a small closing keynote, where we asked the attendees for feedback. It was positive all over, although we had 2 small drawbacks: 1st, we did not have coffee for sale, which is actually a big no-no for any geek event - I know. 2nd, we started already at 9:00 a.m., which was quite early for a) a weekend and b) for (mostly) students. We promise amendment for the next event!
;) After the official part ended, we had a small key-signing party, where 15 people attended and I issued my first CACert.org assurances. So, all in all I can say: we never expected the event to become such a great success. Our first assumptions were around 20 attendees. After we saw the registrations, we guessed to have around 50 attendees overall, which was already surprising. In the end we had around 90 attendants on Saturday and about 80 on Sunday. I hope the interest in PHP in Dortmund stays at this level and that some of the attendants will join our usergroup. So long, 'till next time... :)

P.S. Slides and examples will follow on the PHP Weekender website

Saturday, October 7. 2006

A great success: PHP Weekender day 1

The first day of the PHP Weekender (the free-of-charge, 2-day PHP event organized by the PHP Usergroup Dortmund) just came to an end and we are heading out for the social event. All in all, I have to say, it is a fantastic event and we are really happy about its success. In the morning we had a 3 hour introductory session, where Jakob Westhoff and Peter Koch introduced pure PHP newbies to the concepts of web application development (requests, GET/POST variable handling, ...), the PHP syntax, basic database and file handling and some more. They had about 50 attendees, which equals more or less the number of registered attendees for that session. Both had a very good feeling about their talk and the attendees were absolutely satisfied. After a great pizza lunch (which was generously sponsored by an anonymous sponsor), the second track started. While Jakob Westhoff created a simple to-do application with about 25 attendees in track 1, Jörg Sprung started off with an introduction to PHP's XML handling functions with above 50 attendees. Both groups stayed at this rate during the whole evening, where the workshop ended up in the first stage of a working application.
The second track was continued by myself, with a track about SOA (basically SOAP, XML-RPC and REST in PHP) and a session about console scripting by Tobias Struckmeier. We are looking back on a very successful first day of the PHP Weekender and we are looking forward to the second day, where we will continue with 2 other great tracks: Track 1:
Track 2:
So, if you did not register yet: the University of Dortmund gracefully sponsored large rooms and you can just drop by. :)

Tuesday, September 12. 2006

Some usage stats

I just came across my website stats and found that the user agent allocation is quite interesting (August 2006): The top user agent on my website is Mozilla/5.0 with 11.35% of the users. The second place is quite far away, the Google Desktop with 7.95% (while I wonder what actually sends the Google Desktop user agent, is it a modified IE version? I actually never used it...). Well before MS IE 6.0 (with 3.93%) is Yahoo! Slurp (on place 3), the crawling bot from Yahoo!, with 7.16%. I wonder why they crawl my site so often? The Googlebot makes 3.08%, directly followed by IE 5.0 (2.91%) and Opera 6.0 with 2.75%. The next place (8) is held by the MSN Bot, making 2.54% of the traffic, followed by 2 versions of Liferea (version 1.0.18 before 1.0.12) with 4.12% in sum. Konqueror is not very widely used (with 1.79% on place 11), followed by some misc ones (e.g. older versions of the bots) and MSIE 4.0 with 1.18% on place 14. OK, so much for the stats. I found this already quite interesting, but if you cumulate these numbers, you get even more interesting stats (note that this is only done over the top 15 user agents, provided through Webalizer): About 30% of the user agents are from real browsers (Mozilla, IE, Google Desktop, ...), while the second group, the search engine bots, still makes about 15% of the traffic. I wonder a bit why only about 7% of the traffic is produced by content aggregators. If you cumulate the stats per browser, you can definitely see that most people browsing my site are geeks: the largest group (around 11%) use Mozilla (and only version 5.0 is in the top 15), 4% less use a version of IE (about 7%), while here 3 different versions are still present, and I'm shocked that IE 4.0 still makes 1.18%.
The Google Desktop (whatever that is) makes another 8% (*argh* that is IE in fact, isn't it?). Other browsers (Konqueror and Opera) make around 4% of my top 15 stats. Finally, these are all lies, damn lies and statistics, but interesting in some way.

Monday, June 26. 2006

PHP at FrOSCon report

FrOSCon ended yesterday, but because the net was cut down too early, I could not blog this one. So I'm doing that now. Congratulations to the FrOSCon organization team. The organization was really good: the talks were well chosen, there were a lot of helpers on their way to support the attendants and speakers. The equipment was excellent (the main conference rooms as well as the dedicated PHP room, where we stayed the past 2 days). Also excellent was the catering provided for speakers and helpers, if you consider that this was an almost free-of-charge event! Great work, guys and girls, I hope you will repeat this event next year! For the PHP room, we are pretty satisfied, too. The room equipment was (as already mentioned) great and all speakers held their talks in time. The attendance was quite fluctuating and quite different from what I expected. So the talk about "Geeklog" was crowded (about 15 people, besides us 5 from the PHP UG DO and Thomas Weinert from the PHP UG KB), while the most interesting talk about "A web services framework for PHP5" was not that crowded (about 5 attendants). Most of the slides from the talks are already linked on the PHP at FrOSCon website. Today's hackathon was not that interesting, though, but we only had that because there was no time to plan another day of talks. Surely, the PHP room would have been more frequented if the FrOSCon had not been in parallel to PHP Vikinger. Anyway, we will try to avoid this issue next year and will probably go on to organize a 2 day sub-conference to the FrOSCon, including many talks. So long, another week of conferences past and I'm quite happy to relax a bit. Looking forward to the next conf. So long...

Thursday, June 22. 2006

Greetings from Norway!

Today was the first day of the eZ publish conference here in Skien, Norway, where the eZ systems headquarters is located. Before today we had 3 days of eZ crew activities, since the complete eZ systems team from all over the world is currently in Norway. But before I start with my little roundup, I'd like to announce some stuff that we (eZ) presented during this conference: 1. The eZ publish online editor (a WYSIWYG web interface) changed its license. From now on, it is not commercial any more, but released under the GPL and will be shipped with the next eZ publish release. 2. We are starting to develop the "eZ platform", which is an enterprise level platform for PHP development and will be the basis for a future eZ publish release. eZ platform will consist of the eZ application server, which is based on the eZ components. eZ publish will be built on top of that. But now, let's talk about some social stuff. ;) On Monday (where we left Dortmund at 2:00 and I did not sleep before that), we arrived in Skien around 11:00, had lunch all together and I went to bed afterwards. That night we spent with pizza and beer at the "eZ bar" (the office). On Tuesday morning we split up into task related groups (developers and management) and had some internal education talks, e.g. Derick about the usage of Xdebug. After lunch we went to a "wild-life" park, where we took part in some team-building activities. This was amazingly great and ranged from clay pigeon shooting over climbing to canoeing. Absolutely cool and much fun. After that, we went for some "wild-life" dinner (deer). Wednesday was the eZ partner day, which already belonged to the eZ publish conference. The development teams seized the chance for a discussion phase. We (the eZ components team) planned the upcoming components release 2006.2 (formerly known as 1.2), which will probably include a lot of cool new components and features.
For example eZ Feed (for reading and writing Atom/RSS feeds), eZ Graph (for rendering charts) and many more. Today was finally the first day of the official part of the eZ conference. After Derick gave an overview of the current status of our enterprise PHP library, the eZ components, I continued with a 2 hour entrance workshop. The number of attendees was really large and everyone seemed to be quite amazed. At least, that was what they told me. A nice quote I heard from someone was "this is the cleanest piece of PHP code I've ever seen", which does not really sound bad, does it? Later today we will have the eZ Awards dinner, which also sounds quite promising. Finally, tomorrow Kore and I will leave Skien again around 10:00 to catch our plane at 13:00 in Oslo Torp. I expect to be home around 19:00 then, where I'm pretty much looking forward to seeing my sweet girlfriend Carmen again. Sadly only until Saturday morning, around 7:00, when we again leave in the direction of Bonn, for the FrOSCon. Anyway, another great evening here in Norway is waiting. Stay tuned.

Sunday, October 30. 2005

SF roundup

On Monday I arrived back in Germany from the Zend/PHP Conference & Expo. Other people already posted detailed roundups 1 2 3 on this great event, so from my side only a few words on the actual event: It was damn cool! :) The conference itself was a very well working mixture of business and geek talks, the sessions were chosen really well. As usual I met a whole lot of old friends (like Marcus Börger, John Coggeshall, Christian Wenz and even Sterling Hughes) and made another lot of new ones. The location was really nice and the events they organized were real fun. So, all in all: my appreciation to Zend for this great event!

Update Oct. 30: I recently added 2 movies Gregor made during our heli trip to my gallery. Really cool!
:) But now, let's come to the more unofficial part: On Friday, after the last keynote, Gregor Streng (from Mayflower) and I moved to a hotel downtown San Francisco, directly at Union Square, to have 3 more days of enjoying San Francisco itself (since the conference took place in a town near SFO airport: Burlingame). We had 3 fantastic days in "the City" and did lots of sightseeing, like flying over SF in a helicopter, touring to Sausalito by bike, going out to party with Sterling, and much more. Just to make you curious, here are just a few of the amazing pictures we took: All in all it was an amazing trip and I love San Francisco, its flair, the people and the whole city. I will definitely come back one day... Hopefully this is next year for another Zend/PHP Conference and Expo. Thanks so much for bringing me there!!! :)

Wednesday, October 19. 2005

Zend/PHP conference and expo

Yesterday I arrived here in San Francisco, together with Gregor Streng from Mayflower, for the Zend/PHP conference and expo. The flight was a bit hard (12 hrs sitting is not what you really want to do) and the jetlag caught me yesterday afternoon during dinner, but overall I'm really happy to be here. :) I already saw parts of Frisco when driving to dinner and the Californian environment is really nice (although the weather is quite cloudy). As usual there are lots of well-known people here and I expect to have lots of fun with all those colleagues and friends from the community. Since I forgot to buy an AC adapter (I was sure to be able to rent one here) I'm currently out of power most of the time, but I hope to fix that soon, so that I can upload some photos and write some more on the conference. For those of you who can not attend the conference here in the US (all you European and mainly German geeks), I can only recommend joining the International PHP Conference in Frankfurt this November (6th to 9th).
It's one of the oldest and most established community events and you get the chance to meet all those PHP gurus, who push PHP forward every day, in person. Besides that, you can join my fantastic workshop on how to distribute your applications through the new PEAR Installer version 1.4 and your own PEAR channel server. So long, have a good time!

Friday, August 19. 2005

Leaving Norway again...

Sadly I'll leave the eZ Systems headquarters in Norway tomorrow in the direction of Dortmund again. It really was an amazing time for me in all aspects: work, people, country and whatever else matters. We almost finished the work we planned to do during my stay here (some small pieces will follow on Monday, but that's all) and I