It started with one question:

Print numbers from 1 to 1000 without using any loop or conditional statements. Don’t just write the printf() or cout statement 1000 times.

How would you do that using C or C++?
Source: Stack Overflow

My favorite answer was an amazing example of obscure C. Using math to iterate between two function pointers (printf and exit). And while it brought back memories of my C days, I kind of left it at that.

Later in the day, one of my co-workers messaged me with his version of a 1-1000 iterator in PHP. So naturally, I had to write my own version.

Remember the rules: no control loops and no conditionals.

I hammered out a quick example using an array to simulate the pointer technique used in my favorite C-language solution. It was 10 lines of code. I managed to break it down to one function call:

call_user_func( $x = function( $f, $i=1 ) {
  echo "$i\n", $f[floor($i/1000)]($f, ++$i);
}, array( $x, function(){} ));

Try it. Assuming that you have PHP 5.3 for the lambda functions, it will work. Now to break down why it works:

The call_user_function call takes a callback as the first parameter and passes all subsequent parameters directly to the callback. A callback in PHP can be a string, array, or lambda function. I’m using the later here.

My lambda function takes two parameters. An array and a counter. If the counter is not specified it will default to one. The trickier part is the array. In this case it is an array of functions. My function is recursive so the array needs to reference it. By taking advantage of the left-to-right nature of PHP, I am assigning the function to the variable $x prior to the array being constructed.

Now, inside my function I am echoing the value of $i and the return value of the recursive function (which is undefined… it’s just a little cheat to keep it on one line).

Now to break down the second parameter to the echo.

It looks up a function in the array that is passed in. Remember, the array contains only one value (the function itself) two values (the function itself and an empty “exit” function). It uses the floor of $i/1000 as the array index. Which means that the value will be 0 until $i is equal to 1000. Then it passes in the array and the counter. Remember that if the “++” is before the variable then the increment will happen prior to the enclosing function being called.

When the index does hit 1, there will be an error. I suppressed that using the “@” operator it will call the empty function. At this point the recursion ends.

And we’re done.

Benchmarks (added March 15th)

This is obviously meant to be a thought exercise and not a practical thing to do in a real-world application but I thought it might be fun to run some tests against a normal loop. I upped the loop to 1,000,000 to make things more interesting. Here is my test code:

<?php

ini_set('memory_limit', '1000M');
const COUNT = 1000000;

$t1 = 0;
$t2 = 0;

$s = microtime(true);

call_user_func( $x = function( $f, $i=1 ) {
  echo "$i\n",  $f[floor($i/COUNT)]($f, ++$i);
}, array( $x, function(){} ));

$t1 = microtime(true)-$s;

$s = microtime(true);

for ( $i=0; $i<COUNT; $i++ ) {
  echo "$i\n";
}

$t2 = microtime(true)-$s;

echo 'Recursive: '.number_format($t1,2)."s\n";
echo 'Loop: '.number_format($t2,2)."s\n";
?>

The results:

Recursive: 6.38s
Loop: 5.28s

Not to mention that every recursive call needs to add the current state to the stack. Which is why the memory limit is increased the the beginning of the script. So clearly it is impractical. However, I’m actually a little surprised that the results are as close at they are.

It was originally built on technologies developed for myVBO but has grown to something much more. Some of its features are:

• An advanced pricing engine that quickly finds the best prices from all over the Internet.
• Toolbars for Firefox, Safari, Chrome, and Internet Explorer.
• A mobile website.
• Wishlists that users can create and share.

My own contributions to the project include:

• Collaborated on the user experience and architecture design from the project start.
• Developed a product processing infrastructure capable of handling tens of millions of products a day using Gearman as a job manager along with XSLT, AWK, Lex, and Yacc.
• Designed a RESTful API for use by all client applications.
• Partner integration.
• Designed a scalable cloud based multi-tier infrastructure.

AccessiblePlaces.in is a crowd sourced website that helps people with disabilities discover places that are accessible to them and anonymously share their experiences with other people. It is optimized to be quick and easy to use on both a mobile phone and on a computer.

AccessiblePlaces.in was conceived and launched during a 48-hour hack-day in Boston sponsored by the Boston Globe and Boston.com. The team consisted of Anthony Deaver, Sam Bisbee, and myself. In total, 32 teams competed. At the end of the weekend the project was fully working and it was awarded “Best Geo-Location Hack.” It only came extremely close to being the audience choice award (only a couple votes off).

The site was built using jQuery Mobile for the interface. On the back-end, PHP and CouchDB were used. It was built from the ground up to have an easy to use RESTful API and stores data that is compatible with the Open Civic Data standard.

I was able to flex my creative muscles a bit. My personal contributions included designing the logo, writing the copy on the Boston Hack Day wiki… and of course a little PHP and Javascript.

The project later went on to be a finalist for a 2011 MITX Innovation Award in the “Doing Good” category. Although my direct involvement with the project was limited to the Hack Day, I am happy to have helped with such a worthy project.

I’ve seen a number of blog posts floating around today about GMail Desktop Notifications (here, here, here, here and here — did I miss anyone?). I tried them out myself and they are very useful. Being a rich web applications developer I, of course, wanted to figure out how it works and how I could use it for my own apps. Here’s a quick overview of what I found.

There is a proposed web notification standard over at the W3C that Google submitted earlier this month (you can find it on the W3C site) but from what I can tell, that draft isn’t implemented in any browsers (including Google Chrome!). But you can get desktop notifications today without the need for any third-party browser extensions, if you’re using Google Chrome. You can find the documentation over on the Chromium developer site. The rest of this post is a collection of quick examples I put together for using notifications:

Checking for permission

It is pretty easy to check to see if the user has allowed notifications for your website. The first example displays an alert depending on the permission level.

switch ( webkitNotifications.checkPermission() )
{
  case 0: // PERMISSION_ALLOWED
    alert( "Permission: allowed" );
    break;
  case 1: // PERMISSION_NOT_ALLOWED
    alert( "Permission: not allowed" );
    break;
  case 2: // PERMISSION_DENIED
    alert( "Permission: denied" );
    break;
}

Try it: Check Permission

Unless you skipped ahead and tried the next bit of code, the answer is “No” my site doesn’t have permission to display notifications.

Requesting Permission

So before we do anything we need to ask for permission.

This method will only work when responding to a user gesture. Which means you can call it as a direct response to an action taken by the user; but you can’t call it (for example) on the response to an Ajax function. So if you wanted to call it when your Ajax call returns or when a timer fires, you’re out of luck. You need to request permission before then.

webkitNotifications.requestPermission();

Try it: Request Permission

Creating and Showing Notification

Notably, showing a standard browser alert dialog when permission is denied is a terrible user experience. Don’t do that! This is just for demo purposes.

if ( webkitNotifications.checkPermission() == 0 )
{
  var iconImageUrl = "http://www.example.com/foo.png";
  var title = "Hello World";
  var subTitle = "This is a sample desktop notification."

  var notification = webkitNotifications.createNotification( iconImageUrl, title, subTitle );
  notification.show();
}
else
{
  alert( "Please request permissions first." );
}

Try it: Show Notification

The new notification looks something like this (for those of you not using Chrome and want to see what I am talking about):

Example Notification (Google Chrome on OS X)

Creating and Showing an HTML Notification

You can also create a notification by passing in a URL.

if ( webkitNotifications.checkPermission() == 0 )
{
  var url = "http://www.example.com/notification.html";
  var notification = webkitNotifications.createHTMLNotification( url );
  notification.show();
}
else
{
  alert( "Please request permissions first." );
}

Try it: Show Notification

At first this seems like a terrible idea. It could be yet another way to have annoying advertisements pop up on a site. But it’s not as bad as it sounds since the user has to explicitly allow the notifications and they can be turned off at any time.

One Final Example

Now, you probably don’t want the notification to pop up and stay there forever. So, you can auto-hide it using a timer.

if ( webkitNotifications.checkPermission() == 0 )
{
  var iconImageUrl = "http://www.example.com/foo.png";
  var title = "Hello World";
  var subTitle = "This is a sample desktop notification."

  var notification = webkitNotifications.createNotification( iconImageUrl, title, subTitle );
  notification.show();
  setTimeout( function() { notification.cancel() }, 10000 );
}
else
{
  alert( "Please request permissions first." );
}

Try it: Show Notification

Wrapping it Up

I hope someone found this useful. If you do anything cool with this library please let me know in the comments.

Note: this is an experimental API that only works in Google Chrome right now. The API may change at any time and may be different when other browsers decide to implement similar functionality. Use with caution. Always check to make sure window.webkitNotifications !== undefined.

Here are few things I want to improve:

First, and I’ve been saying this for a while, I need to start blogging more. This post is a okay start but I want to finish my initiative that I start back in December. Which is to to break the site up into code in business and to post in each of those categories at least once a month. Once I get there, I can see where it goes.

Second, I’m going to start replying to more e-mails. This may seem like a no-brainer but I haven’t been in the habit of replying to e-mails that aren’t urgent or work related. So a lot of e-mails and the going unanswered. I want to change that.

Third, I want to participate more in the open source world. I work for start up so it’s difficult to find any time to work on open-source projects, but I imagine I can find a little time here and there and I want to all get a bit more involved with the community. I believe open source is fundamental to innovation and I think I can make some valuable contributions.

Fourth, and this is really my only non-tech related goal, I want to be more active in my life. Being a software engineer it’s sometimes easy to get into a rut where you’re just sitting at a desk 12+ hours a day staring at a computer screen. It’s clearly not the most healthy thing in the world. So my final resolution is to get out and be more active on both in the community and also in a more traditional sense (exercising, eating right, etc.).

Usually don’t like to post about my personal life but I want to get this out there for everybody to see. Maybe it will provide a bit of motivation. I know that some of you out there will start nagging me if I fall behind (thank you for that). And finally I wish you all the absolute best in this new year and with everything you do.

I was inspired by a question that I was asked on Twitter to write a quick code snippet.

As you may know, set_error_handler can be used to set a custom error handler in PHP. It will catch any errors that happen in the script (with a few notable exceptions). If the function returns false then error handling resumes as normal; otherwise it is assumed that the custom handler took care of things. The problem is that you can only have one error handler active at one time. The purpose of this code is to provide a error handeling stack for PHP.

Using this code you can have more than one error handler while taking advantage of the set_error_handler function.

Because this example uses closures, it will only work in PHP 5.3 or newer.

function push_error_handler( $error_handler, $error_types = 32767 )
{
  $old_callback = null;

  $callback = function( $errno, $errstr, $errfile, $errline, $errcontext )
  use ( &$old_callback, $error_handler )
  {
    $result = call_user_func($error_handler, $errno , $errstr, $errfile, $errline, $errcontext);

    if ( $result === false && $old_callback != null )
      return call_user_func( $old_callback, $errno , $errstr, $errfile, $errline, $errcontext );

    return $result;
  };

  $old_callback = set_error_handler($callback, $error_types);
}

Let’s see it in action:

function test1( $a, $b, $c, $d, $e ) { echo "Test 1 -- "; return false; }
function test2( $a, $b, $c, $d, $e ) { echo "Test 2 -- "; return false; }
function test3( $a, $b, $c, $d, $e ) { echo "Test 3 -- "; return false; }
function test4( $a, $b, $c, $d, $e ) { echo "Test 4 -- "; return false; }

push_error_handler( 'test1' );
push_error_handler( 'test2' );
push_error_handler( 'test3' );
push_error_handler( 'test4' );

trigger_error('testing');

The output is:

Test 4 -- Test 3 -- Test 2 -- Test 1 --
Notice: testing in /Users/andrew/recursive_error_handler.php on line 32

It is worth a closer look. First we initialize a variable that will be needed by the closure later on. Then we define the closure (which will be our actual error handling function) and register it as the error handler. The function set_error_handler returns the old handler which we then assign to the variable that we created earlier. We also return the old handler to keep compatibility with the normal set_error_handler.

The closure itself calls the new error handler. If the handler returned false (resume error handeling) then we call the previous error handler (if there was one). We also make sure to pass the error code and the old callback function into the closure. It is important that the old callback is passed by reference (note the “&”).

If you want to learn some more, here are some handy links:
PHP Manual for set_error_handler and anonymous functions and closures.
My book, Expert PHP and MySQL, also talks about closures in depth starting on page 78.

Note: this method only works if almost all the error handlers in the application use this or a similar method. Otherwise the chain will be broken. I say “almost” because the first registered error handler doesn’t have to worry about calling the previous handler since there isn’t any at that point.

When conference day two roles around you’ll be able to find all my presentation notes here and I will be uploading the slides as well.

As you may know, I will be talking on API Development with CakePHP. It is a complex topic so my presentation won’t be the end of it, I will be adding additional information over time. So I hope that you subscribe to me via RSS.

Happy coding!

This article covers the concepts of authentication and authorization.

Authentication is knowing who the logged in user is. Authorization is knowing what the user can and can’t do and can be as easy as checking that the user ID in the database matches the user ID of the authenticated user. It can also be as complex as Access Control Lists, social graphs, and multi-moderator systems. Either way it needs to be taken care of. Very few things are more devastating than when a malicious user finds that all you have to do to edit another user’s data is to change the value of a POST variable or all you need to do to access someone’s private photos is to change a URL. Do either of those two cases sound familiar?

Thinking like a hacker

If I were to try to exploit this feature: how would I go about it?
you, every time you write code (hopefully)

Let’s start by looking at a imaginary site that makes an Ajax request to delete a resource via a RESTful API. The HTTP request probably looks a bit like this:

POST /resources/1234.json HTTP/1.1
Host: www.example.com
Content-Length: 14

_method=DELETE

Now, make the assumption that you can find the ID of any resource on the system. This could be because it is exposed in a “view” URL or it could be that it is returned in an API call for search. Either way, assume that if it exists a hacker can find it either by design or through flaws in the code. Never assume primary keys are a secret. The next step is to find an ID of a resource not owned by the hacker (in this example: 5678) and to go the command line (assuming cURL is installed on your system):

curl -d "_method=delete" http://www.example.com/resources/5678.json

Curl doesn’t share cookies with the web browser so if that call succeeded and record 5678 was actually deleted then the application is not checking to see if the user is authenticated. There is no need to go any further, you’ve already found a devastating exploit. If this is your application (I hope that you aren’t using this article to try to hack other people’s apps!) it is time to go back to the code, add a check to make sure that the user is logged in. Then come back here to read on.

If the call didn’t work then it is time to try to delete the resource as an authenticated (but hypothetically not authorized) user:

curl -d "username=you&password=abcdefg" -c "cookies.txt" http://www.example.com/login/
curl -d "_method=delete" -b "cookies.txt" http://www.example.com/resources/5678.json

The first line authenticates the user and stores the cookies. The second line tries the delete method again with the new cookies. Make sure to replace all the appropriate variables and URLs in all of these examples. If all went well bad the resource 5678 should now be deleted. If that happened then the application needs to check for authorization as well as authentication.

The same concepts can be applied to viewing, editing, and creating resources. This article uses cURL but there are numerous other ways of spoofing Ajax and API requests, including injecting Javascript into the browser and writing a PHP / Perl / Ruby / Python / etc. script to do it.

One thing to watch out for is any request that takes the user ID as a parameter. It should raise a red flag. Whenever possible, get the user ID from the currently authenticated user. I once saw a password vault web application that returned the entire password list from a SOAP call given only the user ID. Just so you are sufficiently mortified, I’ll rephrase it: I could enter in any user’s ID and get back a list of passwords for other sites on the Internet (including Google). Don’t let that happen to you!

Taking care of business

Addressing the problem takes as much thought and planning then actually technical know-how. Imagine a user for each role (resource owner, administrator, moderator, customer support, friend of the user — if you are a social network — etc.) then ask three questions:

1. User X can/can’t view resource Y because…
2. User X can/can’t edit resource Y because…
3. User X can/can’t delete resource Y because…

Then for each of those, check to make sure the code reinforces that statement. It is also a good idea to give these stories to the testers and have them try to break your code. And remember: the authentication system tells you WHO the user is and authorization system tells you WHAT actions the user can perform.

How complex a system you need for authorization depends on your application. It can range from one-off code to full-featured generic systems that can be used for any type of resource imaginable. Social networks are the most complicated of the bunch because authorization often depends on a personal relationship with the user requesting access to the resource. The simplest form of authentication is:

if ( $user->id != $resource->owner_id )
  throw new Exception("Access denied");

Or if your application is a social network and you give friend’s access to resources:

if ( $user->id != $resource->owner_id && !$user->isFriendsWith($resource->owner_id) )
  throw new Exception("Access denied");

For a more robust system you’ll probably want to implement an Access Control List (ACL). An ACL at its core is just a mapping of users to resources. For example: Joe has view, edit, and delete access to resource 1234.

More advanced access control lists also have groups (called “roles”) and they can cascade. Roles introduce some ambiguity, and multiple entries in the list may govern the same action. If that happens, the most specific one is taken. For example, editing a resource may be governed by the rules:

• “Joe” is in the group “Basic Users” and “Basic Users” explicitly can NOT edit resources of type “forum post”
• “Joe” CAN edit resources of type “forum post” with ID “1234″

Since Joe has edit rights to the forum post with an ID of 1234 it doesn’t matter that the role Joe plays (a “Basic User”) cannot edit any forum posts. There are numerous articles on implementing an ACL in a PHP application and many frameworks have built-in classes for ACL.

Summary

When developing web applications (or any application for that matter): always be cognizant of authentication and authorization. Remember, authentication answers the question of WHO and authorization answers the question of WHAT. The application must always know the answer to both of those questions and be able to deny or allow certain actions based on those answers. It might be useful for newer developers to to actually put themselves in the shoes of a hacker and attempt to find exploits for their own website. Eventually, it will become second nature.

I presented a talk on API Development.

If you can, you may want to set post_max_size to a low value (say “1M”) to make testing easier.

First test to see how your script behaves. Try uploading a file that is larger than post_max_size. If you do you will get a message like this in your error log:

[09-Jun-2010 19:28:01] PHP Warning:  POST Content-Length of 30980857 bytes exceeds the limit of 2097152 bytes in Unknown on line 0

If you’re not careful this can lead to unexpected behavior in your application. The end result can range from silent failure all the way to lost customers.

Solving the problem

The PHP documentation provides a hack to solve this problem:

If the size of post data is greater than post_max_size, the $_POST and $_FILES superglobals are empty. This can be tracked in various ways, e.g. by passing the $_GET variable to the script processing the data, i.e. <form action=”edit.php?processed=1″>, and then checking if $_GET['processed'] is set.
Source: PHP manual

To be clear, it is suggesting that you pass a value in the query string along with your form. If the value is in the $_GET superglobal and both $_FILE and $_POST are empty then the maximum upload size is exceeded. There are two problems with this approach: it adds extra complexity on the front-end and it can potential give a false positive.

Extra complexity on the front-end means extra documentation and more room for mistakes. And if there is a mistake it may not be caught for a long time (does your QA team routinely upload large files?). In this case we already have all the data that we need to determine if the maximum file size was exceeded without adding extra complexity and headache for developers.

We know what type of request is being processed, we have the $_POST and $_FILES arrays, and we have the content length as it was passed to the HTTP server from the client. From that we get this code:

if ( $_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
     empty($_FILES) && $_SERVER['CONTENT_LENGTH'] > 0 )
{
  $displayMaxSize = ini_get('post_max_size');

  switch ( substr($displayMaxSize,-1) )
  {
    case 'G':
      $displayMaxSize = $displayMaxSize * 1024;
    case 'M':
      $displayMaxSize = $displayMaxSize * 1024;
    case 'K':
       $displayMaxSize = $displayMaxSize * 1024;
  }

  $error = 'Posted data is too large. '.
           $_SERVER[CONTENT_LENGTH].
           ' bytes exceeds the maximum size of '.
           $displayMaxSize.' bytes.";
}

The important thing to notice is the “if” statement on lines one and two. The example code just sets an error string. Production code might display a message to the user, execute some Javascript (for asynchronous uploads), or pass back a XML or Json object for Flash clients.

I’ve tested this code with Apache as both a module and as CGI. As far as I know it should work fine with IIS as well.