This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

This is just a demo item.

Small bug fixes: add sql_table and supportsFeature support

click here to download

Been itching to try out this new version but I can't stand the default theme. So I waited until Aaron Spuler had a Smoke theme for 1.5 ready to go.

This whole weekend I've been surfing with 1.5, the improved back and forward caching is worth the trip to beta land. I haven't had one crash to speak of and sites render much faster than 1.0.7.

The only extension I decided to leave on before upgrading was Web Developer, it seems to be working just fine. I used to be an extension freak but I've since become more minimalistic in my ways.

Gecko, I wonder if Geico will sue one day?

This release is a very small update that fixes an SQL injection vulnerability in search.php that is exploitable in PHP environments with register_globals enabled. Beginning with 1.2.9, PunBB also implements a method for reversing the effects of register_globals (thanks Stefan Esser!). What this means is that register_globals should no longer be a problem. If a variable is instantiated as a result of register_globals being enabled, it will be unset by PunBB. Yay!

Posted by Rickard on 2005-10-16 10:36 | CommentsChangelog:

* Implemented Stefan Esser's unregister_globals(). What this does is reverse the effects of register_globals by unsetting any globals that were instantiated as a result of register_globals being enabled.
* Fixed SQL injection vulnerability in search.php (only exploitable with register_globals enabled).

It looks like the wp guy is brewing some new mechanism to battle spam.

All of the solutions I saw so far used one of the methods:
- special interaction ie captcha, embedded keys in form
- detection algorithm ie filters, blacklist
- manual intervention ie human approval

The widely used one for Nucleus these days are NP_Blacklist, NP_CommentControl, NP_Captcha, and a few.

This new ASS idea is very different than the current crop of methods, mostly autonomy. Spam detection in ASS is done in a centralize server, which tell the blog whether the submit comment is spam or not.

Of course this raise a lot of concerns such as on how this method scale and response to things like privacy, which is yet to see.

Currently, there is a NP_SpamCheck being worked on, which provide an infrastructure to allow customize spam detection.

For those having problem cut and paste code...

Thanks to Trent and all for the code!

click here to download

This new version fixed small bug and add return-path header in mail, which some user suggest fix the no mail received probem.

click here to download

This new release allows item author to approve/deny comments

click here to download

On twofifty.org, you can track which movies of the IMDb top 250 list you've seen. It's currently open for all in a closed beta width invites, of which I have 4 left to share. Send me your mail address and name, and I'll see what I can do for you.

By the way, twofifty.org was developed by Tim Broddin, which you might remember from the Nucleus Support Forum as JefPober or Sir_Psycho.

Let this serve as a reminder how to treat your users right, at work and while working on Nucleus.

Powered by BLOG:CMS? No Way

There are many articles you read, mostly financed by closed source companies, that paint the Open Source community, along with the GPL, as the death of software.

They'll have you think that the only way to produce quality software is to stick everyone in controlled cubicles with set hours. Like inspiration and creativity can be turned on and off with the punch of a time clock.

Open Source works quite the opposite, there are no cubicles and you work when you're inspired. You decide on what you want to work on, code it, then introduce it the community. Should the community like it, more people join in and the code base expands.

This methodology is quite mature at this point, most if not all closed software has an Open Source counterpart. So if you're connected to the Internet, what do you work on, or what can you work on at 1:56am? The cubicles are closed, awaiting the inspired to arrive in the morning.

Open Source is the death of software, but only of the closed variety.

NAJAX is a PHP Ajax framework. Not only does it look easy to use, it also appears to have well-written and well-documented code.

One of the examples is a PHP Exam. I managed to score only 7 out of 12. A list of my errors in in the extended section of this article.

The errors

1. I confused array_shift with that of array_unshift. I always mix these two up.
2. I never heard of pcntl_exec before, so I didn't know why it was different than exec.
3. I didn't know how the === operator worked. I feel ashamed :) (it checks if both operands are the same and are of the same type)
4. I didn't know what the purpose of either get_required_files or get_included_files was. I guessed that they would be different, but in fact they are exactly the same. It returns an array with the names of included or required files.
5. I was fooled by the behavior of the ksort function: it does not return an array but rather applies the changes directly in the array passed to it, and returns a bool instead.

Hurray! I learned something today.

Recent PHP versions offer a mysqli extension instead of the old mysql extension. Since Nucleus relies on the mysql_xxxx functions, it won't run when those are unavailable.

A database abstraction layer would be the ideal solution, but will take a long time to implement correctly and break most of the currently available plugins. Luckily, there is a workaround which works rather well: defining fake mysql_ methods that delegate the work to the new mysqli_ methods. This way, you can keep running the Nucleus core and most plugins.

Update 2005-09-28: These changes made it into CVS

The Idea

The idea is to check if the mysql_query method is available. If not, we'll define it ourselves and just call mysqli_query inside.

We'll also add an extra global $MYSQL_CONN variable which holds the MySQL connection id. While the old mysql_ functions never required this ID to be passed along, some of the new mysqli_ methods do.

A library

The library below is to be saved as /nucleus/libs/mysql.php.

<?php
$MYSQL_CONN = 0;

if (!function_exists('mysql_query'))
{
  if (!function_exists('mysqli_query') 
      && function_exists('startUpError'))
  {
    startUpError('<p>No suitable mySQL library found.</p>');
  }
  
  function mysql_query($query) 
  {
    global $MYSQL_CONN;
    return mysqli_query($MYSQL_CONN, $query); 
  }
  
  function mysql_fetch_object($res) 
  { 
    return mysqli_fetch_object($res);
  }
  
  function mysql_fetch_array($res) 
  { 
    return mysqli_fetch_array($res);
  }  
  
  function mysql_fetch_assoc($res) 
  { 
    return mysqli_fetch_assoc($res);
  }  

  function mysql_fetch_row($res) 
  { 
    return mysqli_fetch_row($res);
  }  

  function mysql_num_rows($res)
  {
    return mysqli_num_rows($res);
  }
  
  function mysql_free_result($res)
  {
    return mysqli_free_result($res);
  }
  
  function mysql_result($res, $row, $col) 
  { 
    if (($row != 0) || ($col != 0)) echo 'not implemented';
    $row = mysqli_fetch_row($res);
    return $row[$col];
  }  
  
  function mysql_connect($host, $username, $pwd)
  {
    return mysqli_connect($host, $username, $pwd);
  }
  
  function mysql_error()
  {
    global $MYSQL_CONN;
    return mysqli_error($MYSQL_CONN);
  }
  
  function mysql_select_db($db)
  {
    global $MYSQL_CONN;
    return mysqli_select_db($MYSQL_CONN, $db);
  }
  
  function mysql_close()
  {
    global $MYSQL_CONN;
    return mysqli_close($MYSQL_CONN);
  }

  function mysql_insert_id()
  {
    global $MYSQL_CONN;
    return mysqli_insert_id($MYSQL_CONN);
  }

  function mysql_affected_rows()
  {
    global $MYSQL_CONN;
    return mysqli_affected_rows($MYSQL_CONN);
  }

}
?>

Adapting globalfunctions.php

We'll also need some small changes to globalfunctions.php. First of all, we need to include the new library. Find the following block of code and add a line for mysql.php.

include($DIR_LIBS . 'mysql.php'); // <- Add this line
include($DIR_LIBS . 'MEMBER.php');
include($DIR_LIBS . 'ACTIONLOG.php');
include($DIR_LIBS . 'MANAGER.php');
include($DIR_LIBS . 'PLUGIN.php');

Next up is storing the MySQL connection ID from the sql_connect function. Lookup this function and change it like this:

function sql_connect() {
  global $MYSQL_HOST, $MYSQL_USER, $MYSQL_PASSWORD, $MYSQL_DATABASE;
  global $MYSQL_CONN; // <- new!

  $MYSQL_CONN = @mysql_connect($MYSQL_HOST, $MYSQL_USER, $MYSQL_PASSWORD) or startUpError('<p>Could not connect to MySQL database.</p>','Connect Error');
  mysql_select_db($MYSQL_DATABASE) or startUpError('<p>Could not select database: '. mysql_error().'</p>', 'Connect Error');

  return $MYSQL_CONN;
}

How about installing?

Installing through install.php won't work yet, though. You'll run into a Your PHP version does not have support for MySQL :( error because it checks for the existance of the mysql_query function.

To get past this error, also include the mysql.php file in install.php. Like this:

if (phpversion() >= '4.1.0')
  include_once('nucleus/libs/vars4.1.0.php');
else
  include_once('nucleus/libs/vars4.0.6.php');
  
include_once('nucleus/libs/mysql.php'); // <- Add this line!

// check if mysql support is installed
if (!function_exists('mysql_query'))
  _doError('Your PHP version does not have support for MySQL :(');

Next to that, install.php also creates its own MySQL connection. We need to change this also, so $MYSQL_CONN ends up containing the connection ID.

// 2. try to log in to mySQL
global $MYSQL_CONN;
$MYSQL_CONN = mysql_connect($mysql_host, $mysql_user, $mysql_password);
if ($MYSQL_CONN == false)
  _doError("Could not connect to mySQL server: " . mysql_error());

Words of caution

Some words of caution on this hack:

• I haven't tested this code very well, I added mapping functions until visiting a Nucleus website and its admin area appeared to work without errors.
• Not all mysql_ functions are present in the mapping. This means that you can still run into a call to an undefined function: mysql_xxxx. In that case, it should also be added to the mapping.
• Since I couldn't find an exact match for mysql_result, and because the only occurrences in the Nucleus core code use it to get the result at row 0 and field 0, that's how I implemented it. In other cases, an error message will show up in the output.

This has been dubbed the Rod Serling release.

The week has been one of surreal goings on, like a Twilight Zone episode. My Internet connection has been sporadic all week, every hour the connection would go down. Time Warner finally came out today and gave me a new modem, no drops to speak of after that.

Just as I'm putting the finishing touches to this release, the server I'm hosted on decides to mount the file system as read only. Rush to grab all the work I've done today via FTP, I'm only able to offload my Wiki before the Time Warner connection goes away, this time for 2 hours.

When the connection returns, my sites are reset to last night's backups, the file system was unrecoverable. So the process begins anew, at 2:00am, to reapply all the changes, updates to software, upload the Xrefs, enter today's posts, initialize the wiki and upload the new release.

Download episode 09.23 here, changelog below.Nucleus CMS
* Update to version 3.22
* Update NP_Calendar to 0.84
* Update NP_LatestComments to 1.6
* Update NP_LatestPosts to 0.5
* Add NP_PingPong 0.5

PunBB
* Update to version 1.2.8
* Update Migration tool to 1.3.0

singapore
* Add Minima template

WebCalendar
* Update to version 1.0.1

DokuWiki
* Update to version 2005-09-22
* Update Wiki docs to latest releases

OlateDownload
No changes, awaiting version 3.3

Andreas Gohr has released DokuWiki v2005-09-22.

Small bugfixes and a new Geshi.Release 2005-09-22

* various bugs fixed bug>550, bug>548, bug>529, "basedir" problem
* GeSHi and language updates

This new release fixed the get_file_contents problem for older PHP.

click here to download

It's that time again. I'm pleased to announce the release of PunBB 1.2.8, a small bug and vulnerability fix. As usual, the changelog is your friend.

Posted by Rickard on 2005-09-21 23:21 | CommentsChangelog:

* Fixed a potential code inclusion vulnerability involving the user language selection.
* Properly fixed the search.php SQL injection that was uneffectively dealt with in 1.2.7.
* Fixed an XSS vulnerability involving the "forgotten e-mail" feature.
* Fixed "bare linefeed" problem with external SMTP servers.

A new version that based on TeRanEX's rewrite, with output template.

click here to download

This new release added emoticons panel.

click here to download

This new release built from v1.5 from gRegor and added a plugin admin menu to list and reset counts, as well as delete view counts entries on item deletion.

click here to download

After discovering about the debug_backtrace function (PHP >= 4.3.0); I was thinking about how wonderful it would be to attach a customized error handler to Nucleus when running in debug mode. This handler could output a stacktrace, which would be much more helpful than a message a la "Tried to call a method on a non-object at code.php line x" when this line of code is buried deep into the code.

Unfortunately -- as I discovered the hard way -- the error handler function that is passed to set_error_handler is never called for fatal errors. This behavior is listed in the manual, but I only bothered to read it carefully once things didn't quite work as expected. The reason why these fatal errors cannot be trapped is that the engine might not be in a stable state. Bummer. An extra class of errors (fatal unless trapped) would certainly be welcome.

Andreas Gohr has released DokuWiki v2005-09-19.

New search mechanism!Release 2005-09-19

* page template support bug>104
* added support for local configuration files bug>349
* Image metadata support (EXIF/IPTC) and detailpage added
* insitu footnotes
* removed 2MB limit in fetch.ph bug>506
* personal wordlist for spellchecker bug>488
* syndication|feed caching
* email subscription for pagechanges
* commandline utilities for scripting
* a new index based search
* Template editors need to add the tpl_indexerWebBug() function to their main template
* Upgraders should read wiki:search#Some Background on the searchindex
* URL rewriting for media files
* Users of rewrite mode 1 need to adjust their .htaccess
* experimental plugin:Plugin Manager
* Support for admin plugins added
* Proxy support added
* Optional ImageMagick support added
* New options for image inclusion

In this article, I'm re-creating the example from the Friendly Forms post using HTML_QuickForm (a PEAR package) and the Smarty template engine. I'm also looking into how to easily distribute PEAR with your application.

Some background

A while back I posted an article about a script I wrote to create friendly forms more easily. When I talk about "friendly forms", I'm talking about forms that get displayed again when some input is wrong. The fields are pre-filled with the submitted value again and visual indications (error messages and/or different styles) indicate which values needs to be corrected. Try the demo if you want to get an idea.

Sounded like a great start into friendly-fying the forms in the Nucleus admin area. The only problem is that my code required a lot PHP code mixed into the page HTML. This is not a good thing, so I was looking for something more flexible.

After reading some chapters about HTML_QuickForm and Smarty in the Essential PHP Tools: Modules, Extensions and Accelerators book, I decided to look into a rewrite.

Friendly Forms: HTML_QuickForm

The HTML_QuickForm package greatly simplifies creating forms that have validation rules. For a simple non-styled form that doesn't have custom validation rules, the code will look much like this:

require_once('HTML/QuickForm.php');

$form =& new HTML_QuickForm();

$form->addElement('text', 'name', 'Name');
$form->addElement('text', 'zipcode', 'Zipcode');
$form->addElement('text', 'number', 'Number');
$form->addElement('submit', 'send', 'Send');

$form->addRule('name', 
               'Would you please enter your name?', 
               'required');
$form->addRule('zipcode', 
               'Would you please enter your zipcode?',
               'required');
$form->addRule('number', 
               'Would you like to enter your house number?', 
               'required');
$form->addRule('zipcode', 
               'Format zipcode like <code>1234 AB</code>', 
               'regex', '/^[0-9]{4} ?[A-Za-z]{2}$/');

if ($form->validate())
{
  // save data
}
else
{
  $form->display();
}

The resulting output looks fine, although it would be much more interesting if we could style the output. The HTML spit out by HTML_QuickForm contains a table, where each cell has align and valign attributes. And older versions of the library even inserted font-tags. Yikes! We'll work on that later. First, a little info on installing PEAR.

Including PEAR with applications

If you're browsing the PEAR documentation looking for install instructions, you'll find out that they assume that you either are a server administrator or have shell access to your webserver. There is also a section about installing a local PEAR copy through FTP, however. All of these methods use the go-pear script, which prepares your PEAR installation to be managed through the command line pear command.

But what to do when you're developing a PEAR-dependant application and want to distribute it to millions of users, without having them go through the trouble of installing PEAR manually? You want to have it so your users only need to unzip a bunch of files and get going.

Some trial and error brought me to the conclusion that all you need to use HTML_Quickform are these files:

• pear/PEAR.php
• pear/HTML/Common.php
• pear/HTML/QuickForm.php
• pear/QuickForm/**

Still 445KB though... But webspace is cheap enough nowadays, is it not?

If you include all of these files in a pear/ directory, all you still need to do is to make sure the include statements in the PEAR code find the correct files. This is done by setting the include_path PHP variable at the start of your script:

ini_set('include_path', './pear/' . PATH_SEPARATOR . ini_get('include_path'));
require_once('HTML/QuickForm.php');

Customizing the output: Smarty

Back to the friendly form now. After reading the chapter about HTML_QuickForm in the Essential PHP Tools book, I was left with a bad feeling: there was no indication whatsoever that there was an ability to customize the HTML output generated by the library.

I almost gave up, but then I discovered about how HTML_QuickForm supports template renderers, one of them being HTML_QuickForm_Renderer_ArraySmarty, which uses the Smarty template engine. We're back in business!

Smarty is a powerful template engine. My form template looks much like this:

<form {$form.attributes}>
  {$form.hidden}

  {$form.name.label} {$form.name.html}
  <br />

  {$form.zipcode.label} {$form.zipcode.html}
  <br />

  {$form.number.label} {$form.number.html}
  <br />

  {$form.send.html}     

  {* display an overview of all form errors *}
  {foreach from=$form.errors item=error name=errorloop}
   {if $smarty.foreach.errorloop.first}<ul class="error">{/if}
   <li>{$error}</li>
   {if $smarty.foreach.errorloop.last}</ul>{/if}
  {/foreach}

</form>

Quite simple, don't you think?

In the code where the form is defined, the $form->display() needs to be replaced, though:

define('SMARTY_DIR', './smarty/');	
require_once(SMARTY_DIR . 'Smarty.class.php');
require_once('HTML/QuickForm/Renderer/ArraySmarty.php');	

$tpl =& new Smarty();
$tpl->template_dir = './templates';
$tpl->compile_dir  = './templates';

$renderer =& new HTML_QuickForm_Renderer_ArraySmarty($tpl);

$renderer->setRequiredTemplate(
 '{strip}
  <span class="
     {if $error}error{/if}
     {if $required} required{/if}
   ">
   {if $error}<img src="fout_ikoon.gif" width="11" height="11" 
   alt="Warning: {$error|strip_tags|escape}" /> {/if}
   {$label}
  </span>
  {/strip}'
);
$renderer->setErrorTemplate('{$html}');

$form->accept($renderer);
$tpl->assign('form', $renderer->toArray());

// render and display the template
$tpl->display('verify-sample.tpl');

The sample

You can see the complete sample here. It's almost identical to the non-QuickForm/non-Smarty version, except that I couldn't assign a class="error" part to the input-HTML fields.

You can also download the code (210KB). If you want to try this, you'll need to make sure to chmod the templates/ directory to 777, since Smarty will want to write a compiled template in there.

When I left Miami, I promised myself some time off from the keyboard.

Little did I know that in the digital age, there is no such thing. Heck my new Nextel phone, a Motorola i560, has a built in browser, which I'm using to test out some WAP skins.

After buying a new laptop, I was itching to continue working on NuPusi. I had two choices, dual boot to Debian or install Apache, MySQL and PHP on Windows XP. To my surprise, there are many mature choices to instantly get you up and running. After a few days of testing different packages, I settled on XAMPP.

XAMPP is an unzip and go complete solution and it has a very active user base. Yes, I could have gone the do it yourself route, but I didn't see the need and XAMPP appealed to me for another project.

So now my Windows XP laptop boots up with Apache and MySQL as services on localhost. I also installed the Perl addon and used it to generate new PHPXrefs for the side menu. I'm working to get a new release of NuPusi out for next week, so much for a vacation.

Due to space constraints in our Van, all I brought up to North Carolina with me was Jessica's laptop.

After sharing her laptop for the last week, I decided to buy myself a laptop. Seems I was hogging it and the family was none too happy. Now I have my own machine and everyone else can share the other laptop using the wireless router in our new digs.

My new laptop is a , AMD 64 processor, 1GB ram, this thing just screams. I'm running Windows XP for now but I plan on dual booting Debian Sarge. Need to do my homework but I should be able to get Debian running great on this machine.

The portable Giga is born ;)* Mobile AMD Athlon™ 64 processor 3400+* with 64-bit platform; 1600MHz system bus with HyperTransport™ Technology and enhanced virus protection for Windows XP SP2. AMD64 technology provides simultaneous support for 32-bit and 64-bit computing, including today's 32-bit applications and tomorrow's 64-bit software; 1MB L2 cache memory for efficient processing while multitasking

* 1GB PC2700 DDR memory for multitasking power, expandable to 2GB

* 80GB hard drive (4200 rpm)

* Multiformat DVD±RW/CD-RW drive with double-layer support records up to 8.5GB of data or 4 hours of video using compatible DVD+R DL media

* 15.4" WXGA TFT Ultrabright widescreen display

* ATI Mobility RADEON X600 with 64MB video memory; S-video output

* 6-in-1 digital media manager supports CompactFlash Type I/II, Microdrive, MultiMediaCard, Secure Digital, Memory Stick and Memory Stick PRO

* IEEE 1394 (FireWire) interface and 4 high-speed USB 2.0 ports for fast digital video, audio and data transfer

* Built-in 54g high-speed wireless LAN (802.11b/g) with BroadRange technology and 125MB high-speed mode; 10/100 Mbps Ethernet LAN; V.92 high-speed data/fax modem

* Weighs 7.5 pounds and measures 1.6" thin for portable power; lithium-ion battery

From the inbox:

Hi, I wrote an italian installation guide. I'm going to close my site if you are interested about it you can download it from ...

Best Regards, Elena.

I'm posting this document here, so it doesn't get lost:

Today brings the release of PunBB 1.2.7, a minor bug and vulnerability fix. Details on what has been fixed can be found in the changelog. As usual, I recommend that everyone update.

Posted by Rickard on 2005-09-02 14:59 | CommentsChangelog:

* Fixed post preview inconsistently preparsing BBCode (post.php and edit.php differed in the way they preparsed and displayed BBCode).
* Fixed SQL injection vulnerabilities in the admin interface (only exploitable by admins and mods).
* Fixed rare CGI error on admin index page.
* Fixed XSS vulnerability involving URL BBCode (only affects Internet Explorer).
* Fixed SQL injection vulnerability in search (only exploitable with register_globals enabled).
* Fixed banned users still appearing in the online list.
* Fixed updating certain admin options not always working properly.

We have released Nucleus v3.22. This is a bugfix release which mainly serves as a fix for the recently discovered security issue in the PHP XML-RPC .. (62 words)

A new tag has been added to the CVS repository, to indicate the fies for Nucleus v3.22:

• Nucleus-3-22-p0 tag, which points to the released version of Nucleus v3.22

For information on previous tags and branches, see the archive for the CVS category.

After a vulnerability was discovered in our bundled XML-RPC library earlier this year, the Hardened-PHP project did a code audit and found another s.. (77 words)

It has been quite a while since the previous linkdump. I've started using the del.icio.us social bookmark manager since. you'll find my permanent linkdump over there. Nevertheless, here is a selection from the past few weeks:

• Browsershots
• IEBlog: Overview of CSS fixes to land in IE7 beta 2
• Nucleus Wiki: Boron (collection of ideas for a major Nucleus refactoring)
• Nucleus Wiki: Contributing
• Atom 1.0 skin for Nucleus 3.x
• Nucleus Tags Plugin
• MSN Virtual AmericaEarth
• FeedShake
• rakaz - Moving from Atom 0.3 to 1.0
• Free e-book: "PHP 5 Power Programming"
• jsUnit: Unit testing in JavaScript
• Six JavaScript features we do not need any longer
• TiddlyWiki
• JavaScript Diff Algorithm
• script.aculo.us - web 2.0 javascript
• Using CSS selectors to apply Javascript behaviours
• Scott Hanselman's 2005 Ultimate Developer and Power Users Tool List