Archive for the 'php' Category

Great Drupal Resources (and a fun event): Drupal Module Finder and Drupal Code Search

My friend Brian Wood at UC Berkeley (and part of BDUG) pointed to a couple of great resources by way of John Bern’s blog:

Drupal Modules: A comprehensive way of searching for, favoriting and ranking Drupal modules.

Drupal Code Search: A site using Google’s Code Search API to look up Drupal code strings.

Neither is officially sponsored (nor sanctioned – yet?) by Drupal.org. Nonetheless, I love this tertiary after-market style ecosystem building around Drupal.

Also, from Amazon, who is one of several people representing Drupal at the LUG Radio events in San Francisco:

Selena Deckelmann and Andy de la Lucha (daytime Linux system administrator, nighttime design geek) will be doing a fun and theatrical event pitting WordPress’s easy entry and huge user community against Drupal’s “you can do anything” ethos and its huge “join the community now!” developer focus.

Should be a really fun event!

Signup and more details are here.

We’re hiring! AF83 is looking for a Drupal developer!

Read all about it over here. 

My contact info is on the linked page – yep, you’d be talking to me.  (The position is based in San Francisco…)


OSCMS – Laura Scott on Drupal template theming

(One of the sessions I attended at OSCMS)

Laura Scott of PingVision gave a good presentation on proper theming techniques with the TemplatePHP engine, covering a range of tech and process levels from overview to detailed code. Her slides have a lot of good info and are well annotated.


powered by performancing firefox

OSCMS – Rasmus on PHP

Rasmus Lerdorf on PHP and Internet security. (One of the sessions I attended at OSCMS)

(For what it’s worth – if you have any issue or disagreement with my barely technical descriptions below, please take it up “in original” – i.e. with Rasmus, and not me. PHP security auditing is not my job, and I’m just giving a basic report back).

Rasmus began his talk by saying “Basically, you should never ever ever click on a link.” Or even mouse over it, apparently. Now, I’m not a PHP coder, but most of what he explained was understandable by me, and thus scary. His main point was to illustrate that you can “inject” javascript into PHP (and thus almost any webpage) quite easily, and hence you have to be a) very diligent about your PHP scripting, b) even more diligent about your web browsing.

For example, a (trap) page could load an invisible section that listed a number of popular websites – including Yahoo and Bank of America – that would not be visible to the person browsing. Javascript could then analyze whether any of the links had been “followed” by checking the color state of the link, the logic being that if the link to Bank of America has been followed, you probably have an account there. The javascript could then check any other open browser tabs and compare them to the standard homepage (Bank of America’s, for example). If they differ, that (likely) means you are currently logged in – and the javascript can take actions on that account!

Sure, you can argue that there’s a lot of programming involved to get that far, and then much more to actually do anything fun with the bank account you’re logged into. Rasmus went on to describe another type of attack that loads an invisible IFrame in your browser window that could log keystrokes, and even take actions on other open browser tabs (a more sophisticated version of the above). He showed how this is possible on something as simple as a “mouseover” command in PHP – using sophisticated javascript injection attacks.
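The two defensive habits that Rasmus’s examples point at are escaping everything you echo into a page (so injected markup renders as text) and refusing state-changing requests that a script in another tab could fire without the user’s involvement. The PHP below is an added example written for this post, not code from the talk or from Rasmus; the helper names `h`, `csrf_token` and `csrf_valid` are hypothetical and the “Transfer” action stands in for whatever the application does.

```php
<?php
// Added example (not from the talk): escape user-supplied output, and require a
// per-session CSRF token on POST so JavaScript running in another tab cannot
// act on the logged-in session. Helper names are hypothetical.
declare(strict_types=1);
session_start();

// Escape any value before placing it inside HTML. ENT_QUOTES also neutralises
// quotes, so the value is safe inside attribute values, not just text nodes.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One random token per session; embedded in every form, checked on every POST.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals avoids timing leaks; a missing token or session always fails.
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... perform the account action here (assumed application logic) ...
}

// Vulnerable pattern the talk warns about:  echo $_GET['name'];
// Hardened: the same value passed through h() renders as literal text.
$name = $_GET['name'] ?? 'guest';
?>
<p>Hello, <?= h($name) ?></p>
<form method="post">
  <input type="hidden" name="csrf" value="<?= h(csrf_token()) ?>">
  <button type="submit">Transfer</button>
</form>
```

Requesting the page with `?name=<script>alert(1)</script>` shows the tag as text rather than running it, and a POST without the hidden token is refused with a 403.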

Someone asked him if he had ever developed a tool to scan pages for the types of holes in poorly written PHP that he was talking about. He admitted he had, but he did not make the tool available, because he would discover too many large corporate sites (including banks) that had vulnerabilities. In his words, “I didn’t want to be the guy that released the tool that broke the web.”

(If anyone finds a link to his presentation – did he even have any slides? – lemme know.)

