May 4, 2008

Antonio Ognio
gnrfan
Gnrfan.org
» PHP Best Practices

Yesterday I attended the Ubuntu 8.04 Hardy Heron LTS Release Party event that the folks from Ubuntu Peru and Linurp organized here in Lima at Universidad Ricardo Palma. Nice talks on Ubuntu, KDE, GNOME, Drupal and PHP, among other stuff. I particularly liked the talk by the good old Jesus Castagnetto of PEAR and Professional PHP Programming fame. His slides (Spanish) are posted at his site. My summary, including bits I've been adding, follows:

  • PHP is an easy language to pick up and learn, but it's a bit tricky to master.
  • During the development phase of your project set the error_reporting value in php.ini to E_STRICT in order to get all sorts of errors.
  • Please set an error log and read it! You are going to need it to monitor your application once it's deployed to production. Don't forget to stop displaying errors to the end user on production sites. If you keep displaying them, chances are you're disclosing very useful information to an attacker trying to take control of your site or shut it down.
  • If you're using clean URLs (and you should!) and not using the .php extension for your pages, you don't need to disclose that your site is running PHP. Setting expose_php to Off (zero) in php.ini might be a good idea.
  • Please get rid of code (yours or written by someone else) that depends on register_globals = On. This configuration option won't even exist when PHP 6 is released. Having PHP or your own code create global variables automagically from data sent by the user is a major security threat, so please resist the temptation to use it.
  • Please stop using magic quotes. Today they're not a good idea. Actually they never were a good idea, and they will be deprecated in PHP 6. As the programmer you're responsible for adding quotes properly to any string that might need them.
  • Since version 5, PHP has had exception handling. Please don't abuse the exception mechanism by raising an exception for the slightest user-generated error. Raise an exception instead when a critical condition that your program needs in order to keep working properly is not met, especially when you expect some other part of your code to catch the exception and do something about it.
  • Exceptions can consume considerable memory if your stack trace gets big. They are useful but not cheap.
  • Don't debug your code using only echoes, prints and var_dumps. You should be using a proper debugger instead. A very good one is XDebug. You get the extra advantages of a full stack trace and profiling capabilities.
  • No matter if you're a solo coder or part of a team, you need to follow a coding standard in order to produce a consistent-looking codebase that can be easily read by anyone, including yourself. PEAR has a good coding standard that has been proven in many PEAR contributions over a good few years. The Zend Framework provides a newer coding standard (draft) that is also based on PEAR's.
  • Documenting might be a bit boring, but it's critical for the success of your project over its lifetime. If your code is non-trivial you're much better off embedding good documentation in it; it will help you in the first place to understand what those lines of code are doing when you come back to make changes. A quality tool for generating PHP documentation is phpDocumentor. It's fast and can generate not only API docs but also tutorials by parsing your code, if you learn to use it properly.
  • Please don't reinvent the wheel. PHP has lots of useful functions that are implemented in C and will definitely run faster than your code. If you catch yourself reimplementing native functionality it's your fault for not reading the manual and keeping up with the changes and additions to PHP and its core extensions. Know your tool. Investing a bit of time in reading the manual will definitely pay off.
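A php.ini fragment collecting the directives the list talks about (error reporting, error display and logging, expose_php, register_globals, magic quotes), added here as an illustration and not taken from the talk or the post. The log paths are assumptions, and the E_ALL | E_STRICT combination is a caveat on the E_STRICT advice: in PHP 5.x E_ALL does not include E_STRICT, so E_STRICT alone reports only strict-standards notices.

```ini
; Added illustration, not from the talk or the post.

; Development: surface everything. E_STRICT on its own would only report
; strict-standards notices, so combine it with E_ALL.
error_reporting = E_ALL | E_STRICT
display_errors = On
log_errors = On
error_log = /var/log/php/dev-errors.log      ; assumed path

; Production: keep logging, never show errors to the end user.
; (These values belong in the production server's php.ini; they are
; commented here only so both profiles can be read side by side.)
; error_reporting = E_ALL | E_STRICT
; display_errors = Off
; log_errors = On
; error_log = /var/log/php/errors.log         ; assumed path
; expose_php = Off            ; no "X-Powered-By: PHP/x.y.z" response header
; register_globals = Off      ; the default since PHP 4.2; do not turn it back on
; magic_quotes_gpc = Off      ; quote/escape strings yourself, at the point of use
```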

There are a few tips related to OOP with PHP, especially PHP 5:

  • Don't over-engineer your code. PHP is not Java, and in many circumstances you'll be fine using a simple array, which is a native data structure, instead of a user-defined class. Keep things simple.
  • Don't use is_a(); use the instanceof operator instead for checking whether an object is an instance of a class, since is_a() was deprecated as of PHP 5.

In order to improve the security of your code you can follow these guidelines:

  • You must ALWAYS initialize your variables, especially those involved in authentication, authorization and security checks.
  • Never ever trust your user to provide the right kind of input for your program to work properly. You must always validate that the user's input is good for you.
  • PHP has the filter and ctype extensions for validating user input. You can always use regular expressions for custom validations.
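The two security points above side by side, as an added example that is not code from the talk or the post: a security flag that the code never initializes and that user input can therefore set (the behaviour register_globals = On allowed, reproduced here with extract()), next to a version that initializes every decision variable and validates each field with the filter and ctype extensions. The request array is constructed for the illustration.

```php
<?php
// Added example, not from the talk or the post. The request below is
// constructed; it stands in for $_GET / $_POST data from an untrusted client.
$request = array(
    'username' => 'bob; DROP TABLE users',
    'email'    => 'not-an-email',
    'age'      => '17',
    'is_admin' => '1',        // the client has no business setting this
);

// WEAK: extract() turns every request key into a variable, which is exactly
// what register_globals = On did. $is_admin is never initialized by the code,
// so the value supplied in the request is the one that gets tested.
function is_admin_weak(array $request)
{
    extract($request);
    if (isset($username) && $username === 'root') {
        $is_admin = true;
    }
    return !empty($is_admin);      // decided by the request, not by the code
}

// HARDENED: every decision variable starts from a safe default, nothing from
// the request becomes a variable name, and each field is validated.
function validate_signup(array $request)
{
    $errors   = array();
    $cleaned  = array();
    $is_admin = false;             // explicit default, never derived from input

    // ctype_alnum() rejects the empty string and anything but [A-Za-z0-9].
    $username = isset($request['username']) ? $request['username'] : '';
    if (!ctype_alnum($username) || strlen($username) < 3 || strlen($username) > 20) {
        $errors['username'] = 'must be 3-20 letters or digits';
    } else {
        $cleaned['username'] = $username;
    }

    // filter_var() returns false when the value does not pass the filter.
    $email = filter_var(isset($request['email']) ? $request['email'] : '',
                        FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid address';
    } else {
        $cleaned['email'] = $email;
    }

    // Range options give the validated integer, or false for "17" here.
    $age = filter_var(isset($request['age']) ? $request['age'] : '', FILTER_VALIDATE_INT,
                      array('options' => array('min_range' => 18, 'max_range' => 120)));
    if ($age === false) {
        $errors['age'] = 'must be an integer between 18 and 120';
    } else {
        $cleaned['age'] = $age;
    }

    $cleaned['is_admin'] = $is_admin;
    return array('ok' => empty($errors), 'errors' => $errors, 'data' => $cleaned);
}

var_dump(is_admin_weak($request));   // the weak check grants admin to this request
$result = validate_signup($request); // the hardened one rejects all three fields
print_r($result['errors']);
```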

Finally, for performance improvements you have these recommendations available:

  • Don't use double quotes in strings if there's no variable interpolation or character escaping taking place. This saves a few milliseconds on each string, so if you have many strings in your code and many visits to your website this alone can be a huge CPU and time saver.
  • In many places you can speed things up a bit by avoiding string concatenation. Just use a comma in echo to get the same output effect.
  • Prefix increment is a bit faster than postfix increment, so if you're not using the value of the variable before incrementing it you can easily gain a few extra milliseconds and consume less server CPU with this simple change: use ++$i instead of $i++ whenever you have the chance.
  • By all means avoid recreating the same dynamic content over and over again if you can be sure it won't be changing. This is where content caching comes in handy. Something as simple as reading a generated HTML chunk from a file in the filesystem, instead of issuing the database queries again and/or performing the calculations needed to generate it, can be a big improvement. Generally cached content is no longer useful or trustworthy after some period of time has passed, so pay attention to regenerating the cached content when it's no longer valid.
  • Your own PHP code can benefit a lot from a caching mechanism so that PHP doesn't have to compile your code over and over again if it hasn't changed. Avoid wasting server CPU and response time. APC is a very good code caching solution for PHP and is maintained by Rasmus Lerdorf, the creator of PHP himself.
  • Don't guess which parts of your code are the bottlenecks. Use a profiling tool instead. Remember that XDebug includes a profiler.
  • Even if it's not something you do at the PHP level, you can always take advantage of a data compression mechanism like Apache's mod_gzip. Compressing content in both requests and replies is something that has been available in the HTTP specs for a while, and you can easily save up to 80% of the bandwidth and response time.
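The file-based content cache from the caching item above, written out as an added example (not code from the talk or the post): a generated HTML chunk is kept on disk and reused until it is older than a given number of seconds, after which the expensive generator runs again. The cache directory, the generator and its data are assumptions for the illustration.

```php
<?php
// Added example, not from the talk or the post.

// Return the cached HTML for $key if it is younger than $ttl seconds,
// otherwise call $generate (any PHP callable), store its output and return it.
function cached_fragment($key, $ttl, $generate, $cache_dir = '/tmp/fragment-cache')
{
    if (!is_dir($cache_dir)) {
        mkdir($cache_dir, 0700, true);
    }
    // Never build the path from the raw key: a key such as "../etc" must not
    // be able to escape the cache directory, so hash it first.
    $file = $cache_dir . '/' . md5($key) . '.html';

    // Fresh copy on disk: serve it without touching the database at all.
    clearstatcache();
    if (is_file($file) && (time() - filemtime($file)) < $ttl) {
        return file_get_contents($file);
    }

    // Stale or missing: regenerate. Write to a temporary file and rename it
    // into place so a concurrent reader never sees a half-written fragment.
    $html = call_user_func($generate);
    $tmp  = $file . '.' . getmypid() . '.tmp';
    if (file_put_contents($tmp, $html) !== false) {
        rename($tmp, $file);
    }
    return $html;
}

// Stand-in for the expensive part (the queries and calculations the list
// mentions). The titles are constructed data; there is no real database.
function build_sidebar()
{
    $titles = array('Ubuntu 8.04 released', 'PHP best practices', 'Django book');
    $out = "<ul>\n";
    foreach ($titles as $title) {
        // Escape on the way out so the cached chunk is safe to echo as-is.
        $out .= '  <li>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Cache the sidebar for five minutes; within that window the second call
// is served from the file instead of running build_sidebar() again.
echo cached_fragment('sidebar', 300, 'build_sidebar');
echo cached_fragment('sidebar', 300, 'build_sidebar');
```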

I really think it's a good idea to use lists like this as checklists and to apply the techniques in your projects.

December 29, 2007

Gustavo Picón
tabo
Hacking for fun and profit
» Django Book

We interrupt these wonderful 6 months without posting in this blog to share the joy, directly from Django's BDFLs, my Christmas present to myself:

Got my django book

The Django Book! I bought it on Amazon and it was only 3 days late to Peru, not bad for the Christmas season.

I can’t wait to read this book. I did read the chapter previews in the site and they were very good. I’ll write a review of the book as soon as I finish reading it.

(btw, I'm sick of WordPress, it's a buggy piece of ^*($#, is there a decent Django-powered blog with an import-from-WordPress feature?).

October 27, 2007

Cesar Villegas
slayer
Slayer_X homepage
» How to write a WordPress plugin

While I was having problems with my server, I started looking into all the plugins I use to see whether any of them was causing me trouble. That way I got to review a lot of code and felt like modifying a few plugins. That's how I ended up at DevLounge, where Ronald Huereca has written a magnificent guide on how to write a WordPress plugin, in a series of 12 articles covering everything from the basics of design and programming to adding frills like Ajax and promoting your plugin.

More than interesting reading :)
How to write a Wordpress plugin


April 26, 2007

Gustavo Picón
tabo
Hacking for fun and profit
» On Python vs Ruby

Taken from a Python up, Ruby down discussion on programming.reddit:

Ruby takes all the elegance and simplicity of Perl, and mixes it with the library support of Lisp

- foonly


March 8, 2007

Enrique Llanos
stereoskit
» My programmer personality type: DLSC

Following Planet Debian's current meme, the Programmer Personality Test (a test based on the Myers-Briggs Personality Test).

My results are:

You’re a Doer.
You are very quick at getting tasks done. You believe the outcome is the most important part of a task and the faster you can reach that outcome the better. After all, time is money.

You like coding at a Low level.
You’re from the old school of programming and believe that you should have an intimate relationship with the computer. You don’t mind juggling registers around and spending hours getting a 5% performance increase in an algorithm.

You work best in a Solo situation.
The best way to program is by yourself. There are no communication problems, and you know every part of the code, allowing you to write the best programs possible.

You are a Conservative programmer.
The less code you write, the less chance there is of it containing a bug. You write short and to the point code that gets the job done efficiently.

January 1, 2007

Diego Escalante
dieguito
hack my cow
» Understanding C pointers and memory leaks

Today I was at #gnome-hackers asking about pointers, memory leaks and other C things. As always an enormous amount of positive feedback was the result.
I said that I would publish the log to help any other unfortunate C novice, and then Alex Jones summarized the whole IRC conversation:


Alex Jones: hey
Diego: hey
Alex Jones: i dunno whether this has clicked with you
Alex Jones: but you understand how in many scoped languages if you do like
Alex Jones: { foo = "bar"; }
Alex Jones: then outside of the } the foo is deleted
Diego: aha
Alex Jones: well really, when you do something like
Alex Jones: { char *foo; foo = whatever(); }
Alex Jones: you have a variable called "foo", which is defined in memory to be POINTING to a piece of data that is a "char"
Alex Jones: so really all that "foo" actually is
Alex Jones: is a memory address
Diego: aha
Diego: and *foo is the value of that memory
Alex Jones: YES
Alex Jones: now also
Alex Jones: whatever() is a function that returns a char*
Alex Jones: i.e. a POINTER to char data
Alex Jones: so really all that function actually returns is a number (i.e. the memory address)
Alex Jones: and again, this goes into "foo", ok?
Alex Jones: (obviously, before the function returns, it puts its string data in the memory it returns a pointer for)
Diego: aha
Alex Jones: so what happens by the end of that function is that "foo" goes out of scope
Alex Jones: and the pointer gets deleted
Alex Jones: so the number is gone
Alex Jones: but the data still exists there
Diego: aha
Alex Jones: what i find confusing about the way the GNOME guys do C is that they do like "char *foo"
Alex Jones: which makes it look as if "*foo" is the variable
Alex Jones: when it’s not
Alex Jones: "foo" is the variable
Alex Jones: char* is its type
Alex Jones: if you look at it that way, this whole thing about scope etc. makes a lot more sense
foo is just another variable, it’s of type pointer-to-char :)
Alex Jones: i hope that helps you a bit


Hope it helps someone, if I can I’ll try to translate it to Spanish.

December 26, 2006

Diego Escalante
dieguito
hack my cow
» Anewt and PHP 5.2

I was trying out Anewt (Almost No Effort Web Toolkit), written by Wouter Bolsterlee, and ran into an innocent and funny error saying that the DateTime class was already defined.

It seemed strange to me, since the Anewt repository hadn't changed in a long time and it didn't make much sense for such an obvious and glaring error to be in the last commit of the repository (which dates from a few weeks ago). So I asked Rudy whether he knew how I could find out who called a function and where it was called from, but before I could get an idea of how to do it, it occurred to me that maybe DateTime was already defined somewhere else (perhaps some PEAR package I had downloaded, even though my system was freshly installed). So I said:

(01:07:33 AM) dieg0_rm: wait
(01:07:36 AM) dieg0_rm: I think I know what's going on
(01:07:47 AM) dieg0_rm: any idea whether DateTime is a reserved word in php5.2?
(01:07:53 AM) stone_head: it is
(01:07:59 AM) stone_head: it breaks it all

That means that if your application has a class with that name, it will inexorably break the moment you upgrade to 5.2 :) .
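A quick way to answer the question asked above ("who already defines this name?") before upgrading, added here as an example that is not from the post or from Anewt: for each class name the application intends to declare, it reports whether PHP itself (or a loaded extension such as date) already owns it, and where a user-land definition lives. The list of application class names is constructed for the illustration.

```php
<?php
// Added example, not from the post or from Anewt.

// Return null if $name is free, or a description of who already owns it.
function class_owner($name)
{
    // Second argument false: do not trigger autoloading; only classes that
    // are already declared in this process count as collisions.
    if (!class_exists($name, false)) {
        return null;
    }
    $rc = new ReflectionClass($name);
    if ($rc->isInternal()) {
        // Built into PHP or provided by an extension (DateTime comes from "date").
        $ext = $rc->getExtensionName();
        return 'internal (' . ($ext ? $ext : 'core') . ')';
    }
    // Declared by PHP code: point at the file and line that defines it.
    return 'user code at ' . $rc->getFileName() . ':' . $rc->getStartLine();
}

// Names the application wants to declare. Constructed list: DateTime and
// Exception are real built-ins, the other two are made-up application classes.
$app_classes = array('DateTime', 'AnewtForm', 'Exception', 'Page');

foreach ($app_classes as $name) {
    $owner = class_owner($name);
    if ($owner !== null) {
        printf("%-10s collides with %s\n", $name, $owner);
    } else {
        printf("%-10s free\n", $name);
    }
}
```

A conditional declaration (`if (!class_exists('DateTime', false)) { class DateTime { ... } }`) keeps such a toolkit loadable on 5.2, but renaming the class with an application prefix is the durable fix.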

So, here is what Rudy and I concluded:

(01:17:39 AM) dieg0_rm: ok, let's quickly blog about this
(01:17:51 AM) stone_head: sure
(01:17:56 AM) stone_head: collaborative blogging
(01:18:25 AM) dieg0_rm: sure
(01:18:28 AM) dieg0_rm: I'll put it up quickly
(01:18:54 AM) dieg0_rm: fucking php devs: why the hell do they implement a DateTime class in php core, screwing up thousands of applications like that, they could have done us the favour of giving us namespaces
(01:18:56 AM) dieg0_rm: end of rant
(01:19:02 AM) stone_head: <o/
(01:19:07 AM) dieg0_rm: signed: rudy and diego
(01:19:13 AM) stone_head: ello

BTW, Merry Christmas!

August 19, 2006

Gustavo Picón
tabo
Hacking for fun and profit
» Guido van Rossum and Django Redux

Some months ago I wrote about the BDFL considering the use of the Django web framework.

Chronologically it went like this:

Please Teach me Web Frameworks for Python! (2006-01-27)

Literally a cry for help. He didn’t quite like the magic in Django, considering he used a pre magic-removal version.

Web Framework Redux (2006-01-30)

Perhaps WSGI represents the “blank slate” approach; Rails/Django represent the wizard approach; I’m still looking for the ideal mix-and-match solution.

Django vs. Cheetah: 1-0 (2006-01-31)

Guido is beginning to like the Django templates.

Which Part of “No XML” Don’t You Understand?

This one is related to his previous post. Guido just thinks that the use of XML in a template engine is WRONG. I couldn't agree more.

Django Gaining Steam (2006-5-4)

Guido talks about Jacob’s Django talk in the Bay Area and Jeff Croft’s Django for non-programmers (a great article).

Months after that, Guido got interviewed in FLOSS weekly (2006-08-04) and he declared:

Leo La Porte (LL): Python doesn’t have a native GUI, there is TCL/tk… is that an issue?

Guido van Rossum (GvR): It seems to be coming less and less of an issue because more and more people are doing everything over the web

LL: The web is an interface, yeah

GvR: So of course that doesn't really solve the problem because then you have, as I say, more web frameworks than keywords in the language. My personal favorite, and I expect that it will remain my personal favorite for a long time, is something named Django.

LL: I was going to ask you about Django. There was just a … just somebody published some article, interesting I think it was in the Rails website testing Django, Rails and a Perl framework and Django was by far the fastest.

GvR: Interesting! I didn’t hear about that.

Chris di Bona (CdB): How do you measure something like a web framework?

LL: Well they set up a simple site and they used web testing applications to create lots of transactions and measure transactions, and Django was significantly faster. So tell us about Django.

GvR: I am a very satisfied user of a very small part of Django. Django is sort of, I would call it probably a second generation web framework in Python, where first generation would be things like Zope and Twisted. Django was originally started by, I think, two guys who work for, believe it or not, a newspaper in Kansas. Not a very glorious location.

CdB: Well, it’s funny because Zope and Plone came out of the (??) newspaper.

LL: Well you know why, they have to streamline production workflows, that’s a big deal for a newspaper

GvR: Maybe that's the case. This paper in Kansas decided that they wanted to set up a local website with information for people in their town that was very responsive to the audience. They wanted to publish things very quickly but also not just add new articles to the site, which everybody can do, but change the site completely, add new ideas, new features to the site, add new applications. They came up with an endless number of examples, for example publish the sports, like the local sports results of the little league, complete with hyperlinks to the teams and photos and all sorts of interesting stuff. And they wanted to be able to roll that out very quickly and so I think they did that for maybe two years, and the two guys who did it were working with a bunch of editors who were providing the content; as they were doing that they realized that they needed a framework and they sort of grew a framework out of their first application. As they (??) what kind of things their editors were constantly asking them to change on the site, they developed more flexibility in all those areas. And at some point they said let's open source it and they got support from the newspaper. And then a very interesting thing happened. I suppose the newspaper is still using Django in some form (they are, and in fact they are selling the CMS they built). I think both of the original developers are no longer working there and they started Django the Open Source Project, and what I found really great about that is I talked to those guys a couple of times and have seen them give presentations and I've seen how they work, and they really get open source. And they have a good license, but in my view even more important is the whole process, the way they work with the user community, the way they answer, they find a balance between chaos and democracy and anarchy and sort of between Cathedral and Bazaar.
They let lots of users add new features and provide ideas without losing the original thought and flexibility of the framework, and I think they are really doing a fantastic job at making Django a better product that goes way beyond what that original Kansas newspaper needed.

(now they talk about the Django vs Rails benchmark and how Django is an order of magnitude faster than Rails…)

LL: I will have to take a look at Django, because that’s pretty impressive.

GvR: Absolutely, I highly recommend it.

And yesterday (2006-08-17), at least two sources (Titus Brown and The Third Bit) are talking about what the BDFL said in SciPy 2006:

  • Django is the web framework.
  • It won’t be included in the standard library because of different development cycles, but will (should?) be as “standard” as PIL or NumPy
  • He hopes that Django and TurboGears will converge

There is a discussion about this on reddit.

What do you guys think?

July 28, 2006

Gustavo Picón
tabo
Hacking for fun and profit
» Google Code Hosting, Sourceforge killer?

Google Code

Greg Stein announced today a new Google service in his talk at OSCON: Google Code Project Hosting (they need a shorter name), a hosting service offering collaborative development environments featuring:

  • Project workspaces with simple membership controls
  • Version control via Subversion
  • Issue tracking
  • Mailing lists at groups.google.com

Obviously this is direct competition to Sourceforge.

Now, Sourceforge has been suffering from some problems for years:

  • Downtime
  • A very cluttered interface
  • A search feature that just doesn’t work

Google Code Project Hosting is based on Subversion on Bigtable (instead of filesystem or BerkeleyDB) and features a trac-like issue tracker (written in Python!).

The interface is google-like of course: very simple and without creeping featuritis. There aren’t many projects yet in the system to test the search feature, but since searching is Google’s main strength I bet it will be better than Sourceforge’s.

Google already provides a great mailing list service in Google Groups and Code Hosting can send issue-tracker and SVN commits to the list of your choice.

Is it a Sourceforge killer?

No. It aims, at least at the moment, at different audiences. Google doesn’t offer shell accounts, tarball hosting or compile farms like Sourceforge does. The thing is most projects don’t make use of these features, so I guess lots of small-to-medium sized projects will flock from SF to Google once the dust settles down. For the larger projects, Google’s solution just doesn’t fit (yet).