PHProjekt Version 5.2 now available

MAYFLOWER announces that Version 5.2 of its
free popular open source groupware suite “PHProjekt” is available
immediately and ready for download.

With the new version a foundation is made for a clearly
arranged and intuitive usable PHProjekt. This is made by a refactoring
of the user interface and the integration of the Dojo JavaScript
Toolkit, which enables an effective realisation of Web 2.0
functionalities. The Migration is going to take place in steps, the
main changes of the user interface will take place in the next
releases. The clou: PHProjekt remains barrier-free.


Performant DOJO

When your rich internet applications become more complex and mature, you learn that there are some rules to obey to achieve a sucessful dojo project. What does successful mean ?

  • easy extendible
  • good client performance
  • easy maintainable, readable code
  • economical memory usage

Our rules ;)

1. Build dojo from SVN
Its seems to be disturbing to your own work that the dojo team has comitted a fix last night that breaks a api. But, these fixes don’t come from nothing, means the chance is there that you had a warning like "xy is deprecated and will be replaced by zz" when you read the console output. You read the console messages, don’t you?
All in all its much faster on the major dojo release dates to have it all there, instead of fixing it all on one day. It is much likely that this will cost You a remarkable amount of time.

2. Use dojos compression
The compression & buildsystem is a important thing that will help you to reduce the time the whole dojo system requires to load and initially execute. A important factor if you are not using a one page Ajax application model or limited ressources.

3. good XHTML matters
Dojo parses a lot of information to get all that markup transformed into CSS styled widgets that have all that magic functionality inside. So far it is important to produce correct markup, without ANY style attributes (use class and css by id), tables only where they are required and the minimum set of (X)HTML nodes.
Examples that use only 60 Nodes (XHTML) with div/span based layout perform better than the same code with table based HTML 4.01, style attribute using markup and 185 Nodes. Simply because you tell the same story with less characters.

4. (X)HTML event attributes -> NO NO NO
XHTML Attributes do not need to be noted down in the markup, they can be added programmatically. In any HTML / JS contect you can choose to add them by js code, may it be dojos event connect or the pure javascript methods that add event functionality to the dom.
Its much more likely to find all the connected and used events when you are doing that by code in ONE place and not ditributed over the whole project.

5. Dont use javascript global scope in your project

When you develop the application code using dojo and maybe a bit of DOM, avoid using variables outside your function scope. Why ?

  • The variables outside the function scope are slower to access
  • references to dom nodes are much likely not to get garbage collected and you will need more RAM to execute your application code over time.

You can use objects to create your application code and informations like the actual used browser (i know its implemented in dojo .. just say for fast accesses sake)  can be stored in a objects member variable instead of beeing globalized around. If you are generating these objects using prototype of objects you will save some more memory on you application.

So far, these are the basics i have learned to make my life in the dojo easy and effective.
Besides you are much likely to be at home in time at the evening and able to meet timelines because refactoring and changes to dojo are not that big things and cost not too much time. Hope that helps in any way.

Meet me at Open Source Developers‘ Conference

The „Open Source Developers‘ Conference is a conference designed for developers, by developers“ and will be held from december, 6th to december, 8th in Melbourne, Australia. I’ll give two presentation about „Enterprise PHP“ and „PHP 5 and IBM DB2“. The first talk will be about my daily work and how to handle big PHP projects. The second talk is an introduction into the features of PHP 5.2 and using IBM DB2. I’ll present all four possibilities to connect a IBM DB2 database: ext/odbc, ext/ibm_db2, PDO_ODBC and the new PECL release PDO_IBM. If you’re in a reachable distance you should take the chance to meet me. :-)

An update on Tim Bray’s keynote

Whew… it seems that some people misinterpreted the slides I picked from Tim’s presentation. („Your Enterprise Java community“) did some kind of flame-bait for that, with Tim being unable to comment on for several reasons. Fortunately, Tim gives us a bit of context on his weblog.

[Update: I like thinking about PHP as in „PHP is the Borg“. Whether we interface Cobol (yes, at Mayflower we did that), Java ($foo = new Java(…); ), Perl/Python, SAP, OpenOffice etc., it just doesn’t matter. That’s also what I like on the SOAP/XML-RPC etc. interfaces: I really don’t have to care about the underlying protocols.]

The Chorizo! International PHP Conference Quiz

On this years conference we did start a quiz regarding security.

For those who were not able to visit the Conference I’d like to show the questions asked.

Which of the following code lines does really protect against Cross-Site-Scripting?

[ ] echo ‚<a href="index.php?name=‘.addslashes($_GET[’name‘]).’">name</a>‘;

[ ] echo ‚<a href="index.php?name=‘.strip_tags($_GET[’name‘]).’">name</a>‘;

[ ] echo ‚<a href="index.php?name=‘.preg_replace(‚|\W|‘, “, $_GET[’name‘]).’">Name</a>";

In which code line did we hide a Remote Code Execution?

[ ] include(dirname(__FILE__).’/lang/lang_‘.$_GET[‚lang‘].‘.php‘);

[ ] preg_replace(‚/_NAME_/msiUe‘, "htmlentities(\"$_GET[name]\")", ‚Hello Mr _NAME_ ! ‚);

[ ] eval("echo ‚Hello Mr ".htmlentities($_GET[’name‘], ENT_QUOTES)."‘;");

Which tag can not contain JavaScript?

[ ] <img />

[ ] <br />

[ ] <style></style>

[ ] <meta></meta>

[ ] each of the here named tags can contain JavaScript

What is not possible to happen if your website contains a Cross-Site-Scripting-Vulnerability?

[ ] It is possible to take over the user-logins by using the so named Session-Riding.

[ ] Your website visitor´s intranet can be scanned.

[ ] Every pressed key of your sites user´s can be logged by third parties.

[ ] Your user´s harddisks can be formatted.


Keynote of Tim Bray: some interesting comparison between PHP, Rails and Java

Tim Bray, who – among many other things – co-edited the XML 1.0 and XML namespace definitions, was invited to the International PHP Conference to give a keynote about „How to combine PHP technology with Java based on Enterprise Systems“. I had the pleasure to talk with him and I like his spirit. During his keynote, he presented some very interesting comparison between the popular development „frameworks“ PHP, Ruby on Rails (RoR, Rails) and Java:

Of course you need to decide yourself which of those intrinsics is most important:

You can find his slides here. Thanks Tim for being at the Conference.

Announcing Chorizo! Intranet Edition and Chorizo! Security Audits

Live from the International PHP Conference this year, we have some announcements to make: first of all, we’re now officially releasing the Chorizo! Intranet Edition. That’s basically the full Chorizo! software package for your internal corporate environment, installed on one of your servers. Furthermore, you can scan an unlimited number of your own websites (we won’t charge you for every server!) and create your own users inside the usermanagement. Besides that, of course Morcilla, the PHP security extension that detects deep security bugs directly on your server is included. The Intranet Edition is available for a license fee of EUR 5.800,– including VAT (16% currently) for one installation. Support and updates are available for 20% of the license fee per year. If you’re interested, just drop us an e-mail.

Second, we’re launching an array of Professional Services: Security Audits. You can get them in different flavours, like the Chorizo! PenTest, the Chorizo! Standard Audit and Chorizo! Extended Audit. Automatic security scanning is good, but to get hardened web applications, Security Audits are your friends. You can download the product paper or drop us an e-mail for an offer. Clients already include the financial and logistics industry.