Jim Keller

compiling apache 2.2.14 on CentOS 5

2009-11-03T12:09:00.001-08:00

wrangled with this a bit today. One of our clients needed the upgrade for PCI compliance, and CentOS still has 2.2.8 as the latest version in YUM.

I couldn't find any decent RPMs, so I decided to compile from scratch by first downloading & extracting the source from apache.org.

The ./configure command for installing apache 2.2.14 on CentOS is below. The --disable lines you see are there because CentOS installs the default modules separately, which is probably a good thing. The rest of the options I found by reverse engineering the directory structure of the existing apache install.

To compile from source, you may need to first run: yum groupinstall 'Development Tools'



./configure \
        --prefix=/etc/httpd \
        --exec-prefix=/usr \
        --bindir=/usr/bin \
        --sbindir=/usr/sbin \
        --mandir=/usr/share/man \
        --libdir=/usr/lib64 \
        --sysconfdir=/etc/httpd/conf \
        --includedir=/usr/local/include/httpd \
        --libexecdir=/etc/httpd/modules \
        --datadir=/var/www \
        --with-mpm=prefork \
        --with-devrandom \
        --disable-auth \
        --disable-cgi \
        --disable-cgid \
        --disable-mime \
        --disable-env \
        --disable-setenvif \
        --disable-negotiation \
        --disable-alias \
        --disable-actions \
        --disable-autoindex \
        --disable-include \
        --disable-dir \
        --disable-userdir \
        --disable-status \
        --disable-authn-file \
        --disable-authn-default \
        --disable-authz-default \
        --disable-authz-user \
        --disable-authz-host \
        --disable-authz-groupfile \
        --disable-auth-basic \
        --disable-asis \
        --disable-log-config

Note that I also had to then comment out the following lines, possibly because I didn't --enable-ldap during the compile. I don't need LDAP though, so I just commented out:


#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

installing ruby, rails, and redmine on Apache & FreeBSD 6

2009-04-21T21:24:00.001-07:00

I will elaborate on this if anyone needs it, but for now I just wanted to post my notes from this evening when I got ruby, rails, and redmine running on FreeBSD 6 with Apache 2.2:

1. install ruby

#cd /usr/ports/lang/ruby18/
#make && make install

2. install rails 2.2.2
#cd /usr/ports/www/rubygem-rails
#make && make install

3. install ruby-iconv (rake script for redmine won't run without this)
cd /usr/ports/converters/ruby-iconv/
#make && make install

4. install mysql gem
#/usr/local/bin/gem install mysql

5. install passenger
#cd /usr/ports/www/rubygem-passenger
#make && make install

6. add these lines to your httpd.conf:

LoadModule passenger_module /usr/local/lib/ruby/gems/1.8/gems/passenger-2.1.3/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.8/gems/passenger-2.1.3
PassengerRuby /usr/local/bin/ruby18

7. install SVN (we'll need it to export the redmine trunk)
#cd /usr/ports/devel/subversion
#make && make install
#rehash

8. export redmine trunk (note: since we have ruby 2.2.2, we'll need the trunk, not the stable version of redmine.) ** see note below

svn export http://redmine.rubyforge.org/svn/trunk/ redmine

9. follow instructions at: http://www.redmine.org/wiki/redmine/RedmineInstall
10. copy redmine/public/dispatch.fcgi.example to redmine/public/dispatch.fcgi
11. -set up redmine vhost:

#------------------------------------
# redmine.example.com
#----------------------------------
<VirtualHost 192.168.1.100:80>
ServerName redmine.example.com
DocumentRoot /home/www/redmine/public

</VirtualHost>

Now you should be good to go at redmine.example.com!

NOTE:
The version of trunk I exported seemed to have some bugs, so I ended up installing rails 2.1.2 and going with the stable version of redmine by doing:

#gem install rails --version='=2.1.2'
#svn export http://redmine.rubyforge.org/svn/branches/0.8-stable redmine

Thanks to Mat Schaffer for the help on that one

sIFR flash is in front of dropdown menus

2009-01-06T18:08:00.000-08:00

While using sIFR to get nice, clean, scalable fonts on the web, I noticed that because sIFR uses flash replacement, the replaced text was appearing on top of (e.g. z-index) the dropdown navigation menus the site had, which was not the desired behavior. The simple fix was adding: sWmode: "opaque" as one of the options to the sIFR.replaceElement method.

Stop undeliverable spoofed spam using maildrop and PHP

2008-10-24T15:45:00.000-07:00

A common problem among email providers is the growing practice of spammers using legitimate email addresses in the From: header of their messages, which means that unsuspecting users get flooded with potentially thousands of undeliverable messages due to the fact that many of the To: addresses on the spammers' lists are no longer valid.
A few of our customers had this issue, so I devised a quick way to filter out the undeliverable messages via Maildrop and php.

1. Set Postfix to pass mail through Maildrop

After installing maildrop (it should be readily available in your *nix distro's packaging system) Make sure Postfix is set up to pass mail to Maildrop by putting the following line in your master.cf file:


maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} ${recipient}

(Note: adjust maildrop according to your environment - see http://www.postfix.org/MAILDROP_README.html)

2. Place the following code in /usr/local/etc/mail/maildrop_filters.php



ini_set('display_errors', 'off');
error_reporting(0);

//---------------------------------------

$recipients = array(
                'recipient1@domain1.com',
                'recipient2@domain2.com'
);


$bad_subjects = array(
        'Undelivered Mail',
        'Delivery Status Notification',
        'Undeliverable mail',
        'Returned Mail',
        'Delayed Mail',
        'Delivery Failure',
        'Warning: could not send message',
        'Warning: message'
);

//---------------------------------------
// Don't edit below here
//---------------------------------------
$sender_address = $argv[1];
$recipient_address = $argv[2];

$stdin = fopen('php://stdin', 'r');
$msg = '';
$header = '';

while ( $buf = fread($stdin, 500) ) {
        $msg .= $buf;
}

$msg_lines = explode("\n", $msg);

if ( is_array($msg_lines) ) {
        foreach( $msg_lines as $cur_line ) {

                $cur_line = trim($cur_line);

                if ( $cur_line == '' ) {
                        break;
                }

                $header .= $cur_line . "\n";

        }
}

foreach( $recipients as $recipient ) {

        if ( preg_match('/^To\:\s*\

                foreach( $bad_subjects as $subj ) {

                        if ( preg_match("/^Subject:\s*" . preg_quote($subj) . "/im", $header) ) {
                                exit(1);
                        }
                }
        }
}

echo $msg;
exit(0);

?>

3. Add the following to your maildroprc file, which will probably be in /etc, /etc/mail, or /usr/local/etc/:


    RECIPIENT_ADDRESS="$1"
 
    exception {
        xfilter "/usr/local/bin/php /usr/local/etc/mail/maildrop_filters.php \"${SENDER}\" \"${RECIPIENT_ADDRESS}\""
    }

    if ( $RETURNCODE == 1 )
    {
        log "${OUTER_INDENT} Message for ${RECIPIENT_ADDRESS} discarded. Returncode was ${RETURNCODE}"
        EXITCODE=0
        exit
    }

4. Edit the $recipients array

Go back into /usr/local/etc/mail/maildrop_filters.php and edit the $recipients array as necessary - this is where you put the addresses that are being bombarded with the undeliverable mail messages:


$recipients = array(
                'recipient1@domain1.com',
                'recipient2@domain2.com',
                'recipient3@domain3.com',
);

Additionally, you can add or remove subjects from the $bad_subjects array as required. Note that the filter matches subjects that *start* with the items listed in $bad_subjects, so "Undeliverable:" will match "Undeliverable: Mailbox not found" and "Undeliverable: Mailbox is full", and so on.

SwiftFile - Send files securely on the web

2008-10-22T09:31:00.000-07:00

As the latest in a series of webtools that Context is launching, we've decided to offer an extremely easy, free, secure solution for uploading and sending files. SwiftFile.net offers a simple interface to upload and password protect files, making them unreadable even to the site administrator. Our goal was not to compete with filesharing giants like sendspace, mediafire, or rapidshare, but rather to offer a way to send sensitive documents very quickly and very securely. You can read the SwiftFile FAQ for information about how the data is stored and encrypted. Give it a try - it's fast, easy, and free. Additionally, thanks to the Fuse PHP framework, the site was put together from start to finish in 2 modest work days. We're hoping that a side effect of these tools will be to showcase the versatility and ease of use of the framework, which is now gaining ground in the PHP MVC community.

suphp directory not owned by user

2008-10-19T15:51:00.000-07:00

Installing suPHP on Apache 2 tonight, I was surprised that it was complaining about the parent directory for my document root not being owned by the specific user who owned the scripts. I had it owned by the apache user, www, and it turns out it (the parent directory which, for me, was /home/www) has to be owned by root in order for suPHP to traverse it.

Why you should do your PHP development in FUSE

2008-09-04T21:47:00.000-07:00

Let's face it - there are a lot of development frameworks out there, especially for PHP. CodeIgnitor and CakePHP come to mind immediately as leading PHP frameworks, but in this article I'm going to give some compelling reasons as to why you should be doing your PHP development with the Fuse Framework.

Fuse is a Model/View/Controller framework for PHP. If you're not familiar with MVC architecture, you may want to start with my other post, MVC and you: Partners in Freedom

1. FUSE is easy to get running

The installation scripts included with Fuse guarantee that you'll have a working install a few minutes after downloading. To get an idea of just how easy it is to get started with a Fuse project, have a look at the video I've posted here .
Fuse was built so that PHP developers don't have to feel like they were learning an entirely different language in order to make use of the framework. The syntax and structure follow normal PHP conventions, and everything from the method names to parameter order was designed to be as intuitive as possible.
Let's face it - everyone wants to use the newest, best, and most appropriate tool for the job. However, developers will often shy away from doing things differently because of the learning curve. They fear that introducing new technologies or methodologies will increase their project timeframe and decrease productivity. Fuse was built with a deadline-oriented mentality in mind: you can get started quickly, and you don't have to know every in and out of the framework to start building your project.

2. Data access has never been easier

Fuse's data modeling makes accessing your data easier than you ever thought possible. The management scripts will give you create, read, update, and delete access right off the bat, and customizing your queries is as simple as can be. Let's say you want to list your products, but also include their category_name, which lives in the product_categories table. In Fuse, all you have to do is open your ProductController and add this line:


public $list_options = array( 'include' => 'product_categories' );

That's it. Now when you iterate through your products, you can use the variable <{category_name}> in your template to display the category name for your product. Let's say we only want to display 20 categories? Try this:


public $list_options = array( 'include' => 'product_categories', 'limit' => 20 );

Fuse offers a whole slew of data methods just like these, and your queries can be as simple or as complicated as you need them to be. You will rarely have to write a query, but if you want to, Fuse even offers an object to take the headache out of writing queries . And, as always, if you just want to hand code a query the old fashioned way, Fuse will never stop you. A core principal of Fuse is that it's designed to aid the programmer, not force him or her into the methodologies that we've deemed best.

3. A simple but extremely powerful templating engine

Fuse contains its own robust, intuitive templating engine that allows you to truly separate your code from your presentation. As with everything else, the templating system was designed to be intuitive, and "designer friendly". Want to loop through the products we fetched above? Try this:

<{ITERATOR products}>
name: <{name}><br />
category: <{category_name}><br />
<br />
<{/ITERATOR}>

Want to apply a function to one of your fields? How about we only display the first 200 characters of our description:

<{ITERATOR products}>
name: <{name}><br />
category: <{category_name}><br />
description: <{ print(substr(description, 0, 200)) }>
<br />
<{/ITERATOR}>

Maybe our products can be in more than one category, and we want to fetch them?

After adding a one line method to our Product model that looks like this:


public function get_categories() {
return $this->product_categories->fetch_all();
}

We can do:


<{ITERATOR products}>
Name: <{name}>
Categories:
<{ITERATOR get_categories()}>
   <{name}>
<{/ITERATOR}>
<{/ITERATOR}>

Yes, <{name}> will know that when you're in the products loop, you want the product name and when you're in the product categories loop, you want the category name.

4. Searching your data has definitely never been easier.

Your client tells you that they want to be able to search records with any combination of title, date, description, id, and author. You know this is going to be an annoying task of using if/then statements to build a search query. Unless you're using Fuse, where you can do it all with a few lines of code.

The FuseDataController object, which handles all of the wheeling and dealing your app does with the database, has builtin search capabilities that will automatically sanitize data, generate the search query, and maintain the search session across pages. All you have to do is tell it which fields a user can search on, and it's ready to go. You can search fields values directly, with wildcards on either side, between two date intervals, or even have Fuse automatically parse strings like "restaurant AND (mexican OR Thai)" simply by setting your 'filter_type' to 'parsed_boolean'. The search capabilities are discussed here

5. Builtin management of photos for albums, user profiles, etc.

Let's say you're building a site that allows users to create a profile, add photo albums, then add photos to those albums. You're going to want several different sizes - a full sized image, a thumbnail for browsing, and a tiny thumbnail for a contact sheet type of display. You also want to watermark each image with your site's logo. This can be a pretty tedious task if you're not using the FusePhotoController, which should have you up and running in about a half hour if you're slow.

6. Simple but fully featured, scalable user management and ACL

A lot of sites need user authentication. I've seen a lot of custom implementation in my time, and because of the complexity of doing it right, mostly they rely on a very basic user scheme that allows little or no granularity or scalability when it comes to setting permissions. Fuse has a simple to implement, but fully granular and scalable user authentication and permissions scheme built right in. Need to associate users with groups that all have different permissions? No problem. Have a user who's in the "editors" group, but shouldn't have access to delete an article? Just add a restriction for that user. Need to set it up so that when a user tries to access a restricted page, they are asked to login, then redirected back to the original page on success? It's already done. Password encryption? SHA-1, MD5, and crypt() are all supported. I could go on. You can read about it on your own here

7. Integration with existing non-Fused projects

I mentioned above that Fuse endeavors to never prevent the developer from doing what he or she needs to do. If you have a project that's already done in standard, inline PHP, Fuse can go right alongside your existing code without upsetting any of the existing functionality. In fact, if you include the Fuse bootstrap in one of your existing php scripts, you can add Fuse functionality to that script without having to edit any of the existing code.

I have several projects right now that were handed to me as inline PHP, and I put Fuse right on top of it without having to re-code a single line of the existing project. However, I can now use Fuse moving forward for new features and updated functionality.

Conclusion

There you have it. Just a selected list of reasons you should switch to Fuse. Today. For the project you're working on. Right now. Make things easier on yourself. I've introduced a lot of people to MVC development and Fuse and, without fail, every single one has said, after just one project, that they could never possibly go back to their old methodologies of inline scripting and manually writing every query.

Comments welcome.

exchange defragment stuck or frozen

2008-08-28T20:54:00.000-07:00

I needed to defragment an Exchange 2000 mailbox store tonight because it had reached the 16GB limit. I started the process, let it run to about 5%, then walked away for about an hour. I came back, and it hadn't moved. I thought, "how long does it take to defragment the mailbox store??". I checked the temp files that the defragmenter was generating and noticed they hadn't been modified in an hour. Long story short: for some reason, clicking the mouse in the command window where the defragmenter is running will cause it to pause, and you can restart it by hitting F5.

Thanks to the following link for the F5 info: http://www.eggheadcafe.com/software/aspnet/31768198/how-do-i-know-how-long-th.aspx

CS-Cart images not displayed after server move / mysqldump

2008-08-07T20:14:00.000-07:00

if you are using CS-Cart and you've copied the database using a mysqldump ,the binary data for the images may not have been migrated properly. You need to make sure to use the --hex-blob switch when dumping the database. More information on the --hex-blob switch can be found here

ExpressionEngine flv upload file type not allowed

2008-08-06T21:50:00.001-07:00

To allow FLV files to be uploaded in ExpressionEngine without getting the file type not allowed message, add the following to /system/lib/mimes.php in the $mimes array:


'flv' => 'video/x-flv'

So, the end of your $mimes array will end up looking like:


 'aif' => 'audio/x-aiff',
 'aac' => 'audio/aac',
 'flv' => 'video/x-flv'
);

PHP class for Payflow Pro transactions

2008-07-26T12:52:00.000-07:00

The Payflow Pro PHP sample code was a bit messy, so I decided to wrap it in a nice object to make the entire transaction process very easy. This class will be included as part of the FUSE PHP framework, but I also created a standalone version below:

PayFlowTransaction.class.php:


class PayFlowTransaction {

 const HTTP_RESPONSE_OK = 200;
 const KEY_MAP_ARRAY = 'map';
 
 public $data;
 public $headers = array();
 public $gateway_retries = 3;
 public $gateway_retry_wait = 5; //seconds
 public $environment = 'test';
 
 public $vps_timeout = 45;
 public $curl_timeout = 90;
 
 public $gateway_url_live = 'https://payflowpro.paypal.com';
 public $gateway_url_devel = 'https://pilot-payflowpro.paypal.com';
 

 public $avs_addr_required = 0;
 public $avs_zip_required = 0;
 public $cvv2_required = 0;
 public $fraud_protection = false;
 
 public $raw_response;
 //public $response;
 public $response_arr = array();
 
 public $txn_successful = null;
 public $raw_result;
 
 public $debug = false;
 
 public function __construct() {
  
  $this->load_config();
  
  
 }
 
 public function load_config() {
  
  if ( defined('PAYFLOWPRO_USER') ) {
   $this->data['USER'] = constant('PAYFLOWPRO_USER');
  }
  
  if ( defined('PAYFLOWPRO_PWD') ) {
   $this->data['PWD'] = constant('PAYFLOWPRO_PWD');
  }

  if ( defined('PAYFLOWPRO_PARTNER') ) {
   $this->data['PARTNER'] = constant('PAYFLOWPRO_PARTNER');
  }
  
  if ( defined('PAYFLOWPRO_VENDOR') ) { 
   $this->data['VENDOR'] = constant('PAYFLOWPRO_VENDOR');
  }
  else {
   if ( isset($this->data['USER']) ) {
    $this->data['VENDOR'] = $this->data['USER'];
   }
   else {
    $this->data['VENDOR'] = null;
   }
  }
  
 }
 
 public function __set( $key, $val ) {
  
  $this->data[$key] = $val;
  
 }
 
 public function __get( $key ) {
  
  if ( isset($this->data[$key]) ) {
   return $this->data[$key];
  }
  
  return null;
 }
 
 public function get_gateway_url() {
  
  if ( strtolower($this->environment) == 'live' ) {
   return $this->gateway_url_live;
  }
  else {
   return $this->gateway_url_devel;
  }
  
 }
 
 public function get_data_string() {
  
  $query = array();

  if ( !isset($this->data['VENDOR']) || !$this->data['VENDOR'] ) {
 $this->data['VENDOR'] = $this->data['USER'];
  }

  
  foreach ( $this->data as $key => $value) {
   
   if ( $this->debug ) {
    echo "{$key} = {$value}
";
   }
   
   $query[] = strtoupper($key) . '[' .strlen($value).']='.$value;
  }
  
  return implode('&', $query);
  
 }

 public function before_send_transaction() {
  
  $this->txn_successful = false;
  $this->raw_response = null; //reset raw result
  $this->response_arr = array();
 } 
 
 public function reset() {
  
  $this->txn_successful = null;
  $this->raw_response = null; //reset raw result
  $this->response_arr = array();
  $this->data = array();
  $this->load_config();
 } 
 
 
 public function send_transaction() {
  
  try { 
   
   $this->before_send_transaction();
    
   $data_string = $this->get_data_string();
   
      $headers[] = "Content-Type: text/namevalue"; //or text/xml if using XMLPay.
      $headers[] = "Content-Length: " . strlen ($data_string);  // Length of data to be passed 
      $headers[] = "X-VPS-Timeout: {$this->vps_timeout}";
      $headers[] = "X-VPS-Request-ID:" . uniqid(rand(), true);
   $headers[] = "X-VPS-VIT-Client-Type: PHP/cURL";          // What you are using
   
   $headers = array_merge( $headers, $this->headers );
 
   if ( $this->debug ) {
    echo  __METHOD__ . ' Sending: ' . $data_string . '
';
   }
 
      $ch = curl_init();
      curl_setopt($ch, CURLOPT_URL, $this->get_gateway_url() );
      curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
      curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
      curl_setopt($ch, CURLOPT_HEADER, 1);                // tells curl to include headers in response
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);        // return into a variable
      curl_setopt($ch, CURLOPT_TIMEOUT, 90);              // times out after 90 secs
      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);        // this line makes it work under https
      curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);        //adding POST data
      curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,  2);       //verifies ssl certificate
      curl_setopt($ch, CURLOPT_FORBID_REUSE, TRUE);       //forces closure of connection when done
      curl_setopt($ch, CURLOPT_POST, 1);          //data sent as POST
 
   $i = 0;
 
      while ($i++ <= $this->gateway_retries) {
          
          $result = curl_exec($ch);
          $headers = curl_getinfo($ch);
 
          if (array_key_exists('http_code', $headers) && $headers['http_code'] != self::HTTP_RESPONSE_OK) {
              sleep($this->gateway_retry_wait);  // Let's wait to see if its a temporary network issue.
          }
          else  {
              // we got a good response, drop out of loop.
              break;
          }
      }  

      if ( !array_key_exists('http_code', $headers) || $headers['http_code'] != self::HTTP_RESPONSE_OK ) {
    throw new InvalidResponseCodeException;
      }

   $this->raw_response = $result;
   
   $result = strstr($result, "RESULT");
   $ret = array();

      while( strlen($result) > 0 ){

          $keypos = strpos($result,'=');
          $keyval = substr($result,0,$keypos);
 
          // value
          $valuepos = strpos($result,'&') ? strpos($result,'&'): strlen($result);
          $valval = substr($result,$keypos+1,$valuepos-$keypos-1);

          // decoding the respose
          $ret[$keyval] = $valval;
        
          $result = substr($result, $valuepos+1, strlen($result) );
      }
      
   return $ret;
  }
  catch( Exception $e ) {
   @curl_close($ch);
   throw $e;
  }
 }
 
 public function response_handler( $response_arr ) {
 
  try { 
      $result_code = $response_arr['RESULT']; // get the result code to validate.
  
   if ( $this->debug ) {
    echo __METHOD__ . ' response=' . print_r( $response_arr, true) . '
';
    echo __METHOD__ . ' RESULT=' . $result_code . '
';
   }
   
   if ( $result_code == 0 ) {

    //
    // Even on zero, still check AVS
    //
          
          if ( $this->avs_addr_required ) {
     $err_msg = "Your billing (street) information does not match.";
           
           if ( isset($response_arr['AVSADDR'])) {
                if ($response_arr['AVSADDR'] != "Y") {
              throw new AVSException( $err_msg  );
                }
              }
              else {
               if ( $this->avs_addr_required == 2 ) {
              throw new AVSException( $err_msg );
               }
              }
          }
  
    if ( $this->avs_zip_required ) {
  
              $err_msg = "Your billing (zip) information does not match. Please re-enter.";
  
           if (isset($nvpArray['AVSZIP'])) {
               if ($nvpArray['AVSZIP'] != "Y") {
       throw new AVSException( $err_msg );
               }
              }
              else {
               if ( $this->avs_zip_required == 2 ) {
              throw new AVSException( $err_msg );
               }
               
              }
          }
          
          if ( $this->require_cvv2_match ) {
  
     $err_msg = "Your card code is invalid. Please re-enter.";
           
           if ( array_key_exists('CVV2MATCH', $response_arr) ) {
               if ($response_arr['CVV2MATCH'] != "Y") {
                   throw new CVV2Exception( $err_msg );
               }
              }
              else {
               if ( $this->require_cvv2_match == 2 ) {
              throw new CVV2Exception( $err_msg );
               }
              }
          }
  
    //
    // Return code was 0 and no AVS exceptions raised
    //
    $this->txn_successful = true;
    
    parse_str($this->raw_response, $this->response_arr);
    return $this->response_arr;
      }
      else if ($result_code == 1 || $result_code == 26) {
    throw new InvalidCredentialsException( "Invalid API Credentials" );
      }
      else if ($result_code == 12) {
          // Hard decline from bank.
          throw new TransactionDataException( "Your transaction was declined." );
      }
      else if ($result_code == 13) {
          // Voice authorization required.
          throw new TransactionDataException ("Your Transaction is pending. Contact Customer Service to complete your order.");
      }
      else if ($result_code == 23 || $result_code == 24) {
          // Issue with credit card number or expiration date.
         $msg = 'Invalid credit card information: ' . $response_arr['RESPMSG'];
         throw new TransactionDataException ($msg);
      }
  
      // Using the Fraud Protection Service.
      // This portion of code would be is you are using the Fraud Protection Service, this is for US merchants only.
      if ( $this->fraud_protection ) {
  
          if ($result_code == 125) {
              // 125 = Fraud Filters set to Decline.
              throw new FraudProtectionException ( "Your Transaction has been declined. Contact Customer Service to place your order." );
          }
          else if ($result_code == 126) {
              throw new FraudProtectionException ( "Your Transaction is Under Review. We will notify you via e-mail if accepted." );
          }
          else if ($result_code == 127) {
     throw new FraudProtectionException ( "Your Transaction is Under Review. We will notify you via e-mail if accepted." );
          }
      }
      
      //
      // Throw generic response
      //
      throw new FuseException( $response_arr['RESPMSG'] );
      
      
  }
  catch( Exception $e ) {
   throw $e;
  }
   
 } 

 public function process() {
 
  try { 
   return $this->response_handler($this->send_transaction());
  }
  catch( Exception $e ) {
   throw $e;
  }
 
 }

 public function apply_associative_array( $arr, $options = array() ) {
  
  try { 
   
   $map_array = array();
     
   if ( isset($options[self::KEY_MAP_ARRAY]) ) {
    $map_array = $options[self::KEY_MAP_ARRAY];
   }
  
   foreach( $arr as $cur_key => $val ) {

    if( isset($map_array[$cur_key]) ) {
     $cur_key = $map_array[$cur_key];
    }
    else {
     if ( isset($options['require_map']) && $options['require_map'] ) {
      continue;
     }
    }
    
    $this->data[strtoupper($cur_key)] = $val;
   
   }
  }
  catch( Exception $e ) {
   throw $e;
  }
  
 }
 
 
}


class InvalidCredentialsException extends Exception {
 
}

class GatewayException extends Exception {
 
}

class InvalidResponseCodeException extends GatewayException {
 
}


class TransactionDataException extends Exception {
 
} 

class AVSException extends TransactionDataException {
 
}

class CVV2Exception extends TransactionDataException {
 
}

class FraudProtectionException extends Exception {

}

Usage:


  
  try { 
   
   require_once('PayFlowTransaction.class.php');//assumes it's in the current dir

   $txn = new PayflowTransaction();
  
   //
   //these are provided by your payflow reseller
   //
   $txn->PARTNER = 'yourpartnername';
   $txn->USER = 'yourusername';
   $txn->PWD= 'yourpassword';
   $txn->VENDOR = $txn->USER; //or your vendor name
 
    //
   // transaction information
   //

   $txn->TENDER = 'C'; //sets to a cc transaction
   $txn->ACCT = '4111111111111111'; //cc number
   $txn->TRXTYPE = 'S'; //txn type: sale
   $txn->AMT = 1.00; //amount: 1 dollar
   $txn->EXPDATE='0210'; //4 digit expiration date
  
 
   $txn->FIRSTNAME = 'Joe';
   $txn->LASTNAME = 'Junior Shabadu';
   $txn->STREET = '123 mystreet';
   $txn->CITY = 'Philadelphia';
   $txn->STATE = 'PA';
   $txn->ZIP = '19115';
   $txn->COUNTRY = 'US';
  
   //$txn->debug = true; //uncomment to see debugging information
   //$txn->avs_addr_required = 1; //set to 1 to enable AVS address checking, 2 to force "Y" response
   //$txn->avs_zip_required = 1; //set to 1 to enable AVS zip code checking, 2 to force "Y" response
   //$txn->cvv2_required = 1; //set to 1 to enable cvv2 checking, 2 to force "Y" response
   //$txn->fraud_protection = true; //uncomment to enable fraud protection

   $txn->process();
   
   echo "success: " . $txn->txn_successful;
   echo "response was: " . print_r( $txn->response_arr, true );   

  }
  catch( TransactionDataException $tde ) {
   echo 'bad transaction data ' . $tde->getMessage();
        }
        catch( InvalidCredentialsException $e ) {
   echo 'Invalid credentials';
  }
  catch( InvalidResponseCodeException $irc ) {
   echo 'bad response code: ' . $irc->getMessage();
  }
  catch( AVSException $avse ) {
   echo 'AVS error: ' . $avse->getMessage();
  }
  catch( CVV2Exception $cvve ) {
   echo 'CVV2 error: ' . $cvve->getMessage();
  }
  catch( FraudProtectionException $fpe ) {
   echo 'Fraud Protection error: ' . $fpe->getMessage();
  }
        catch( Exception $e ) {
   echo $e->getMessage();
  }

You will probably want to implement better error checking than what I did in the example. However, you'll still want to display TransactionDataException messages back to the user, because they're usually invalid expiration dates or something similar.

jQuery isChildOf - is element a child of / ancestor of element - plugin

2008-07-15T17:49:00.000-07:00

If anyone knows of an existing jQuery method of determining whether an element is a child of another element, please feel free to post. I couldn't find one, so I developed the plugin below:


(function($) {
    $.fn.extend({
        isChildOf: function( filter_string ) {
          
          var parents = $(this).parents().get();
         
          for ( j = 0; j < parents.length; j++ ) {
           if ( $(parents[j]).is(filter_string) ) {
      return true;
           }
          }
          
          return false;
        }
    });
})(jQuery);

The usage is:

$(element).isChildOf(filter_string)

where filter_string is any of the expr values that can be passed to JQuery's is() function. You can get more information here

example:


<div id="parent2">
  <div id="parent1">
    <div id="child">
    </div>
  </div>
</div>

Alerts "true":


alert( $('#child').isChildOf('#parent1') );

Alerts "true":


alert( $('#child').isChildOf('#parent2') );

Alerts "false"


alert( $('#child').isChildOf('#notaparent') );

File Uploads with FUSE PHP MVC Framework

2008-06-18T10:25:00.000-07:00

I had a project today that required that PDF files be attached to job orders, and FUSE made the PDF upload a simple task. All I had to do was add an after_add() method in my controller to handle the upload, as shown below. The filename is the id of the job that was just added to the database, with a PDF extension:


function after_add() {
 
     if ( $this->is_postback() ) { 
        FUSE::Require_class('File/FileUpload');
 
       $upload = new FileUpload();
       $upload->file_input_name = 'waiver_file';
       $upload->destination_dir_create = true;
       $upload->allow_file_extension( 'pdf' );
   
       $upload->destination_path = APP_BASE_PATH  . DIRECTORY_SEPARATOR . 'files' 
                                  . DIRECTORY_SEPARATOR . $this->job->id . ".pdf";   

       $upload->process();
   
       parent::after_add();
    }
}

Note that I call parent::after_add() once I'm finished so that the regular FuseApplicationController after_add() method can take over and display a "changes saved" message to the user.

postfix smtpd connection hangs with no banner

2008-05-21T21:43:00.001-07:00

I ran into an issue the other day where my Postfix mail server would accept an SMTP connection, but then would just hang without ever sending the initial ESMTP welcome banner. I discovered that because of high mail traffic, I had reached the maximum number of smtpd connections, so the new connection was stuck waiting. Since the server load was fairly low, I just raised the smtpd incoming connection limit. You can do this one of two ways

First way: change the process limit just for smtpd in master.cf.
Note the 200 in the "maxproc" field (the default is 100)

smtp      inet  n       -       n       -       200       smtpd

Second way: change default_process_limit in your main.cf file (the default is 100).
This will affect all postfix processes, so be careful about taxing your server.

default_process_limit=200

CakePHP vs FUSE MVC framework - PHP

2008-05-13T21:49:00.000-07:00

Admittedly, I'm a bit biased on the topic since FUSE has been one of my development projects for quite a while, but recently I've been working with CakePHP quite a bit. I enjoy working with Cake, but can't help but think of certain things that FUSE does (in my opinion) a bit better. I've compiled a list of a few items where I think the FUSE MVC Framework has a bit of an advantage on CakePHP.

To be fair, I've also included a few things where FUSE falls short for the moment. Before I begin, I'd also like to add that I think Cake is a great framework, and I've certainly taken cues from my work with Cake to integrate new features into FUSE.

Where FUSE Wins

1. The Query Builder object

Fetching the last 10 active employees in CAKE:

// Controller
$where_conditions[] = 'Employee.active=1';

$this->data['Employees'] = $this->Employee->findAll(
              $where_conditions,
              null,
              null,
              null,
              10 );

// View
<?php foreach( $this->data['Employees'] as $employee ) {?>
<div>
<?php e($employee['Employees']['first_name'] . ' ' . $employee['Employees']['last_name'] );?>
</div>
<?php } ?>

The same thing in FUSE:

//Controller
$options['limit'] = 10;
$options['where'] = 'employees.active=1';

$this->active_employees = $this->employee->fetch_all( $options );

//View

<{ITERATOR active_employees}>
<div><{first_name}> <{last_name}></div>
<{/ITERATOR}>

The query builder is simply an object that, believe it or not, allows you to build queries. Nearly every method in FUSE that fetches data from the database (including aggregate methods like count_all()) can take a query builder object as one of its $options parameters, and it will apply the customization in that object to the query being executed.
Above is an example of the shorthand syntax for customizing queries. For more complex customization, you can use the SQLQuery object directly, as discussed in the FUSE Wiki

2. FUSE has a real templating system

Iterating through employees in CakePHP

<table>
<?php
foreach( $this->data['Results'] as $result ) {
?>
<tr><td><?php e($result['Employees']['name']);?></td></tr>
<?php
}
?>
</table>

The same thing in FUSE:

<table>
<{ITERATOR employees}>
<tr><td><{name}></td></tr>
<{/ITERATOR}>
</table>

Cake's templating system is too reminiscent of inline PHP, and is sure to send your graphics guy running in the other direction. The FUSE templating system was designed to be extremely simple but incredibly robust, not to mention made to integrate as seamlessly into HTML as possible.

3. Helper methods are easier in FUSE

To generate a dropdown box of all users by first name in Cake:

//Controller
$this->set('users', $this->User->generateList(null, null, null,'{n}.User.id', '{n}.User.first_name'));

// View:
<?php echo $form->input('SomeModel.user_id', array('class'=>'txt', 'type' => 'select')); ?>

The same thing in FUSE:

<{HTML/FormHelper::Select_all( 'User', 'id', 'first_name' )}>

Other compelling reasons to use FUSE over Cake include:

FUSE's User authentication and management system is much more intuitive than Cake's ACL implementation.

FUSE is also capable of doing nested included tables when fetching data. For example, using the 'include' option to any fetch method, one can account for the scenario where model A is linked to model B, and model B is linked to model C, but you want to select data from A, B, and C. Currently, in CakePHP, you would have to write the query manually. FUSE allows you to do:
```
$options['include'] = array( 'modelA', 'modelB', 'modelB.modelC' );
$iterator = $this->fetch_all( $options );
```

Where CakePHP Wins

1. CakePHP has a larger user base

Although FUSE has been in development for several years, it was only released to the general public in January of 2008. As a result, its user base is still growing, and CakePHP is a more established framework with more documentation, forums, and third party code dedicated to it. The features of each framework are generally comparable, but the size of the CakePHP community is a huge advantage over FUSE.

2. CakePHP supports database other than mySQL

FUSE 1.1 only has a database object for mySQL, but MSSQL, PostgreSQL and SQLite classes are in the works. Additionally, FUSE will not support using data from multiple databases in one project until 1.1.1.

3. CakePHP has more direct AJAX integration

FUSE supports a variety of AJAX options and makes it very easy to use JQuery, but as of version 1.1, it is not as well integrated as some of Cake's AJAX functionality.

4. Your comment here

I know I'm going to get flamed for leaving the "Where Cake wins" section so short, so I figured I'd offer the opportunity for readers to add their own favorite things about CakePHP by commenting on this entry

VB.net - reading extended ascii text file - StreamReader changes extended ascii to question marks

2008-03-27T21:25:00.001-07:00

Ran into an issue today reading a text file in Visual Basic .net. The file had extended ascii characters (special "curly quotes" to be exact) that were being read in as question marks because they were outside of the normal ascii character set. The solution was to set the text encoding to "default" in the StreamReader constructor, which is apparently the setting used for "Windows ANSI" text encoding:

Dim fileReader As System.IO.StreamReader
Dim filePath as String

filePath = "C:\path\to\file.txt"
fileReader = New System.IO.StreamReader(filePath, System.Text.Encoding.Default)

While fileReader.Peek <> -1

curLine = fileReader.ReadLine
' do something with curLine
End While

fileReader.close()

A simple Javascript slideshow

2008-03-19T22:23:00.000-07:00

I built this tool for a site I was working on, then realized it might be helpful to other people, so I thought I'd share it. The code below allows for a simple fading javascript slideshow that can be easily made by dynamic by your PHP or ASP (etc...) scripts. Included in the zip file is a working example slideshow along with the .js files you'll need to use it on your own site.

You can view the slideshow in action at this link:

http://www.phpfuse.net/JS_Slideshow/example/example.html

You can download the code and example at the link below. Enjoy!

http://www.phpfuse.net/JS_Slideshow/Simple_Javascript_Slideshow.zip

MVC and you: Partners in Freedom! (Why developers should be using Model View Controller architecture)

2008-02-18T00:02:00.000-08:00

“Model/View/Controller”. To some people, it seems to be nothing but a buzzword – an ambiguous term tossed around development forums and blogs; an idea that’s vague and confusing to anyone who hasn’t actually delved into MVC development. To others, MVC is an obvious way of organizing application structure, and there’s nothing new or exciting about it. And finally there are those of us who stumbled into MVC enlightenment almost by accident and realized, wide-eyed and drop-jawed, that it’s just the “right” way to build applications.

Consider me part of the third group. It wasn’t all that long ago that a Ruby on Rails-enthusiast friend of mine insisted that I start moving toward MVC development for the multitude of PHP projects I’m involved in. He knew I was working on a new PHP framework, and, thankfully, he was persistent in his endeavor to get me to delve into MVC sooner rather than later. My framework had the DB abstraction layer. It had the template system and the form validator and the photo handler and the AJAX module. But what was really missing was a way to tie it all together, and once I got about 20 minutes into MVC, I felt disappointed in myself for not having seen the light earlier. It just makes sense to develop within the MVC structure, and in this article I’m going to first give an introduction to what that structure is, then touch on a few reasons you should be using it, and finally describe a few hurdles you can expect to have to overcome while getting accustomed to it.

What is Model / View / Controller architecture ?

Model/View/Controller, or MVC, is essentially just a way of structuring application code. The idea is not new (it’s been around since 1979 according to Wikipedia), but it’s only happened fairly recently that MVC started to gain widespread acceptance as a viable way to develop web-based applications. A lot of the charge toward MVC-based web development was led by Rails, the Ruby framework that has gained significant momentum in the past few years.

MVC-based web development is based primarily on the “M”, the “V”, and the “C” themselves – the data Models, the presentation (or View), and the interface between them – the real workhorse - the Controller. Each component has a specific role, which I’ve outlined below:

1. The data Model is used to store and retrieve information from the database. In most MVC frameworks, a data model class will exist for each of your database tables. Because the model extends a parent class that has very robust, often clever functionality, you can often gain application-level access to your data (e.g. $employee->first_name) with only a few lines of code. Data models can also be related to one another just as their underlying tables are related, which provides even greater functionality when accessing data across tables (e.g. $company->employees->fetch_all()). This extensible, customizable method for mapping tables to objects allows you to access your database without necessarily having to write SQL. Basic read and write operations are performed through simple class members and methods, and even more complicated queries can be done without having to manually write SQL, though that option is always available.

2. The “View” in Mode/View/Controller is the presentation layer that contains the content the end user will see. In web applications, the view will contain your actual HTML tags. Using the features of the templating system included within the application framework, you can add dynamic functionality to the HTML output while still keeping the application code and the presentation separate. Such a separation allows for cleaner code in both the scripting language and the HTML, and it allows designers and programmers to have more independent control over their respective parts of the application development.

3. The Controller is, as mentioned above, the workhorse of the application. The code in the controller is what’s actually run when a page is loaded, and it handles the “pull and push” – taking data from the database via the data models, passing that data to the view, then rendering the output. In most web-based MVC frameworks, specific URLs are attached to specific controller and methods through a routing file, so, for instance, “/Blog/View/123” might call the view() method of a BlogController object and pass it the id of 123.

Sounds pretty complicated. Why switch from my tried and true methods of inline scripting?

One of the greatest pitfalls a developer can succumb to is using only the language, tools, or methods he or she already knows in order to accomplish a task, rather than seeking out and utilizing the best tools for a particular project. A little bit of time spent overcoming the learning curve can often introduce efficiencies, expand your skillset, and actually save a significant amount of time in the long run.

Many web developers have fallen into the trap of writing what can really be described as a collection of scripts, rather than developing a cohesive application, because the former is the way most of us were introduced to web development. The most common architecture used in, for instance, PHP development, doesn’t really qualify as an architecture at all. Most commonly, PHP-driven sites are comprised of a handful of individual script files that each handle incoming data from web forms or display data pulled from a database, but together lack any kind of standard structure. While this method is quick and dirty and works well for smaller applications, it simply does not lend itself to creating scalable, modular solutions that can be easily maintained and updated even as the size of the application grows.

MVC provides a very structured but very versatile approach to web development, lending itself to being immediately scalable while providing simple interfaces to common functionality. Consider how often your application needs to perform the same types of operations on different data – often this is referred to as CRUD: Create, Read, Update, Delete. Entire websites and web-based applications can often be accurately described as offering only these four features, operating on different data. Without a framework to provide CRUD functionality, the developer has to hand write his INSERT, SELECT, UPDATE, and DELETE queries manually, not to mention coding tedious input validation methods to ensure security and data integrity. However, any MVC framework worth its salt will provide all of that functionality in just a few lines of code. Interested yet?

Ok, you’ve convinced me, but what kind of learning curve can I expect?

The first thing you should know about MVC development is that everything is done through objects, so a solid understanding of object orientation will be extremely helpful in moving forward with any MVC framework. Additionally, HTML output is handled via templates (views) – you will almost never see HTML and PHP in the same file when doing MVC development. Instead, data is passed to the template (sometimes automagically, sometimes manually) and is accessed through special syntax (e.g. <{myvar}>) in the template itself. The separation of application code and presentation sometimes throws people off initially, but the benefits of this method become apparent very quickly. Finally, with MVC, you will not see your .php files in the URI the way you’re used to seeing them. Instead, you define a route that points a URI to a specific method in a specific controller. For instance, mysite.com/BlogEntries/List might call the show_list() method of your BlogEntryController. Not only does this kind of URI routing offer almost limitless customization as to what your URI will look like, it can also be used as an SEO (Search Engine Optimization) tool.

Which framework do you recommend?

Personally, I use FUSE (http://www.phpfuse.net). However, that’s a bit of a shameless plug, since FUSE is my own framework. (See the video below for how you can build a database-driven web app in about 5 minutes :-) Having worked with other frameworks, I honestly believe that FUSE is the easiest MVC framework for PHP, especially as far as initial entry is concerned. There are a slew of other great frameworks available, however, including Cake and Symfony for PHP, Rails for Ruby, Grails for Java, and many, many more.

subversion "working copy is corrupt" when trying to commit

2008-02-01T15:41:00.001-08:00

I was having an issue today with a new SVN repository when trying to commit a bunch of files and folders I had copied in to the now-versioned project directory. Most of the files would commit, but a few would fail with "working copy is corrupt". I discovered while browsing the project directory (outside of my IDE, which hides .svn folders) that a few leftover ".svn" folders existed because some of the folders I copied in had come from another versioned project directory. I deleted the .svn folders, re-committed, and everything was ok!

Five Things Web Developers Should Stop Doing

2008-01-25T17:12:00.001-08:00

This may not come as a surprise, but I spend a lot of time on the Internet. Whether it’s browsing around for my own enjoyment or diligently working on a web-based application, I end up seeing both the end result and the inner workings of a lot of other peoples’ development work. And while a large majority of design elements are ultimately a matter of preference, there are certain web development techniques and implementation choices that I find myself shaking my head at, and I’d like to address a few of them here. The following is a list of five things that, in my opinion, web developers should simply stop doing.

1 – Including application code and HTML in the same file

Although many web scripting languages are tailored for alternating between application code and HTML by use of special tags, the failings of this architecture become apparent fairly quickly when developing robust web applications. Not only does this inline scripting method create messy, oftentimes confusing code, but it can discourage effective use of functions and introduce difficulty when delegating the roles of designer and programmer to different people who may not share one another’s skill sets. The answer here is to use a templating system to separate the application code from the HTML presentation. Templating functionality is widely available for any web development language, and is an integral part of pretty much any development framework (e.g. Ruby on Rails, CakePHP, FUSE).

2 – Embedding video with a technology other than Flash Full Motion Video

Until Flash FMV became widely available, a common method for video playback on websites involved encoding multiple versions of the same video, then asking the user which player he or she preferred to use (e.g. RealPlayer, Windows Media, or Quicktime). This was always a necessary evil, as developers needed to ensure that the site content was available to all visitors. However, presenting potentially confusing video preference questions to the user can often lead to abandonment, not to mention that encoding, uploading, and linking multiple versions of the same video can be a time consuming process.

Thanks to the introduction of full motion video capabilities in Adobe Flash, which has shipped alongside the most popular browsers for several years, developers now have some level of certainty that at least one video player will be available to the majority of users. Additionally, Flash FMV prevents the need to spawn an external application for playback, which is another scenario that can lead to abandonment if the site visitor is unsure of how to answer their browser’s security questions.

Although sites such as YouTube have unfortunately given many people the impression that Flash FMV is only capable of low quality videos with poorly synced audio, this is simply not the case. Adobe has even launched a “Flash HD gallery” (available at http://www.adobe.com/products/hdvideo/hdgallery/ ) that showcases Flash’s HD playback abilities. However, most embedded videos (news clips, etc) are short, small clips that download quickly, so even a medium or low quality encode will suffice. If your specific needs dictate that you must leverage the more advanced features of players like Quicktime or Windows Media, then you will have to use what best suits your end goal, but otherwise, stick with Flash.

3 – Implementing Flash pieces that introduce custom UI elements

Flash is a phenomenal addition to any developer’s toolkit, and well designed Flash pieces can significantly enhance both the aesthetics and functionality of a website or web-based application. However, one thing that many Flash developers fail to steer clear of is overusing Flash where it’s not necessary, to the point of introducing custom user interface elements that can end up hampering usability. As an example, consider something that’s unfortunately fairly common – a Flash-based block of text with a scrollbar that is also implemented within the Flash piece itself. Not only is this an unnecessary use of Flash, since the same effect can be accomplished with fairly simple CSS, but you may be alienating visitors who simply aren’t tech savvy enough to adjust their understanding of the browser’s UI elements on the fly. It may not be apparent to some users that they’re even looking at a scrollbar, especially if the bar is stylized or implemented in such a way that it doesn’t behave like the standard scrollbar. Your visitor is used to the way their browser functions and how they use its features to browse the web, so your best bet is not to alter basic UI elements.

4 – Using long query strings where they’re not necessary

Most web applications rely on the URI’s query string to bring in relevant data that is acted upon by the application code, but poor design choices often cause the query string to grow to unreasonable, unnecessary lengths. Long query strings can severely hamper the ease with which users can link to particular pages on your site, so you could very well be losing visitors because they didn’t quite get the full query string when a friend copy & pasted it over to them.

The first thing to do to clean up your query strings is simply to use small identifiers for both variables and values. Try to use numeric IDs instead of long text strings to identify a specific resource, and keep your variable names short. You should also avoid passing data that could easily be extracted from data you already have. For instance, don’t pass both an item name and item id through the query string – you can just pass the item id and pull the name from the database.

If you want to go a bit further in cleaning up or even eliminating query strings, look into URI rewriting. URI rewriting is a fairly simple process by which the friendly URI the user sees (e.g. /Blog/2008/01) is transparently translated into something more useful on the server side (e.g. blog_list.php?year=2008&month=01). Nearly all Model-View-Controller frameworks (Ruby on Rails, FUSE, CakePHP, etc.) have advanced techniques for rewriting the URI on the fly.

5 – Sizing images by means of the width and height attributes of the img tag

This one should be a no-brainer, but I still see it fairly regularly. While it’s quick and easy to force an image down to certain size by using the tag, you’re doing yourself a disservice in at least two ways by utilizing this technique. The first problem with this method of image sizing is that web browsers aren’t particularly good at shrinking or enlarging images. The browser doesn’t do any kind of resampling, so you often get a pixelated version of your original image, even when shrinking it. The second issue with sizing images by way of the browser is that you may be wasting a lot of bandwidth. An image that’s 1000 pixels by 800 pixels has a much larger filesize than one that’s 200 by 160 pixels, so if you’re forcing it to appear at the smaller size anyway, you’d be transferring a lot of extra data for no reason by resizing it on the client side. To resize images to the size you need, use any of the widely available free tools or websites that allow you to do so.

So there you have it – just a few things I’ve seen during the course of my Web travels that I personally think should be done away with. Especially as development trends continue to shift toward more user-friendly, AJAX-enabled “Web 2.0” applications, it’s important to remember to leave behind techniques that, although familiar, have either been deprecated or were never great ideas in the first place.

PHP Security in a shared hosting environment

2008-01-25T16:57:00.000-08:00

Since its inception in 1994 as a set of basic development components, PHP has grown into one of the web’s most powerful development engines, having since been installed on literally millions of servers worldwide. And although PHP offers both the versatility and the built-in functionality to run in a reasonably secure fashion, most of those servers are configured in such a way that PHP scripts are at high risk for compromise.

Most PHP-enabled webservers are configured in such a way that the mod_php Apache module is loaded along with Apache itself, thereby allowing HTTP requests to be passed through the PHP engine, which preprocesses the data before it is sent to the client. While this configuration provides a simple, efficient way to get PHP up and running, it raises security issues when working in the most common webserver environment: shared virtual hosting.

Generally, it is unnecessary and wasteful to dedicate an entire server to hosting just one website. Since most sites demand only a small fraction of a server’s available resources, it is more common to have one server be home to a large number of virtual hosts. A virtual host is simply a configuration entry that points requests for a specific URL (for instance, www.google.com) to a particular directory (for instance, /home/www/mydomain.com).

The shared hosting model, though economical, immediately presents a security concern, since the HTTP server (for instance, Apache or Microsoft IIS) needs to have a considerable amount of control over the files and directories that are to be served to the client. If your application offers the ability to upload files posted through web forms, the problem is further compounded since the HTTP server now needs write permission on the destination directory. In the common virtual hosting configuration discussed above, if the HTTP server has write permission to that directory, then any user running a PHP script on that same server can also write to the directory. Obviously, this presents a major security concern. However, there are steps that can be implemented, as a server administrator or as a user, that will eliminate or mitigate the security issues, or at least isolate individual users so that a script exploit on one host cannot easily affect other hosts on the same server. In this article, I will discuss a few methods for more securely configuring PHP, and will offer some security-conscious techniques to use when writing applications. For the sake of convenience, I have grouped the article into three categories: Configuration directives and environment settings that can only be changed by a server administrator, a basic overview of PHP wrapping for the application developer, and general practices for securing PHP code. Even if you are not administrating your own server, I recommend reading through the first section in order to gain an understanding of the problem so that you can know what to expect from your web host. This article makes the assumption that your environment has PHP running on a Linux/Unix variant, with Apache acting as the HTTP server.

From the administrator’s perspective: Configuring your shared PHP environment

As the administrator of a virtual hosting server, you have full control over the HTTP server and the PHP engine, which is the ideal condition for tuning and securing your environment. First, let’s talk about separating the PHP interpreter from the Apache server, so that we negate the file permissions problem discussed above.

The PHP interpreter can be invoked in three different ways: as an Apache module (discussed above), as a CGI binary, and as a CLI. Since the CLI (Command Line Interface) isn’t relevant for serving web pages, I won’t be addressing it in this article. As mentioned above, the most common (and often default) method for invoking PHP is as an Apache module. However, let’s look at an alternative way of invoking PHP – namely, as a CGI binary.

When invoked as a CGI binary, Apache loads the PHP interpreter only when needed, passing necessary input (environment variables, POST data, etc) to the PHP executable, then collecting the output and sending it to the client. In this scenario, the PHP process is separated from the Apache thread, which makes it possible to run the processes as different users, thereby eliminating the permissions problem discussed above. However, by default, PHP is run as the Apache user, so we haven’t yet solved the problem simply by running PHP as a CGI binary. Our next step is to “wrap” PHP so that it is invoked as a user that we specify, not as the Apache user.

Note: Installing PHP as a CGI Binary can introduce other security concerns that are worth being aware of. While PHP is generally secure out of the box, It is advisable to take a look at http://us.php.net/manual/en/security.cgi-bin.php.

While Apache does have its own mechanism, suEXEC, for wrapping CGI programs, I will not be discussing it in this article. Instead, we’re going to look at another open source package: suPHP. Written by Sebastian Marsching, suPHP is a fairly simple Apache module that nicely wraps the PHP binary “in order to change the UID of the process executing the PHP interpreter” (suphp.org).

In my experience, installing suPHP has always been a fairly pleasant (as far as these things go) endeavor. You will need to refer to the suPHP instructions at http://www.suphp.org for installation information for your particular UNIX distribution, but as a lightweight application that makes use of Apache’s dynamic module API, installation of suPHP should be trivial.

There are many articles on using PHP’s ini directives to help lockdown your

server, and although that is not the focus of this article, I would now like to briefly touch on a few directives you should be aware of.

First, be sure to enable PHP’s safe_mode. Although some older applications have trouble running with safe_mode enabled, most have been updated to account for this directive, and its benefits are simply too numerous to ignore, especially if you are not able to use a PHP wrapper such as suPHP. Safe mode will be removed in PHP 6 in favor of alternative methods of implementing file and directory security, but for now, you should leave it enabled.

Next, if you cannot implement suPHP or another PHP wrapper, it’s a good idea to set open_basedir in all of your virtual hosts. Set “php_admin_value open_basedir /path/to/vhost/root” as a directive in your virtual host configuration to ensure that PHP is restricted from reading any files outside of the virtual host’s document root.

Finally, have a look at the disable_functions directive. While you do want to

make sure that your security procedures don’t prevent your users’ applications from running as they should, it’s often the case that few, if any, users will need any of the more potentially hazardous functions such as passthru(), exec(), and shell_exec(). If it is the case that none of your users need these functions, it’s a good idea to disable them.

(Note: In the event that only one user or application needs these functions, suPHP allows you to specify individual php.ini files for specific virtual hosts, which offers a middle ground between allowing these functions globally and restricting applications that need to use them for legitimate purposes.)

From the developer’s perspective: Why do I want a PHP wrapper?

Why do you want suPHP, or a PHP wrapper at all? Let’s look at a very common example – uploading images.

It’s a common condition that an application needs to accept image uploads via the web, and many developers operating in a shared hosting environment have run into the problem where, on the first try, PHP displays a “permission denied” error when trying to move the uploaded file into its destination directory. Our User vs. HTTP server permission problem is back again, where the HTTP server - user “www” or “apache” -does not have the proper permissions to write to a directory owned by the developer’s account. The common solution to this problem is to set the permissions on the destination directory to 777, giving all users system-wide read, write, and execute access. While this does work and your uploads can now flow freely, you’ve just ensured that any other user on the system – there are probably hundreds – could very easily issue an “rm –rf /path/to/your/uploads”, which would quickly and effectively delete everything in the directory. While I personally like to think that there exists camaraderie between users on the same server, this probably isn’t true, and you also have to consider that someone else’s account may have been compromised (probably by a lack of input checking on an upload form – more on that below).

With suPHP (or another PHP wrapper) enabled, you are free to leave your upload destination directories with the same permission as your other web-accessible files – namely that only your user account has write access, and the Apache user can read files and traverse directories. In fact, if your user account is in the same group as the Apache user, you can set these directories to have permission of 750, which is much more restrictive than a wide-open 777.

The primary downside to using a PHP wrapper is that there is in fact a performance hit, since the PHP interpreter has to be invoked for every request, rather than being started as part of the Apache server. However, in my experience, the performance decrease is generally unnoticeable. If your application is extremely performance-critical, you will want to run benchmarks before deciding to use a wrapped PHP environment, or consider graduating to your own dedicated server where you can ensure that only you and your developers have any kind of access to your application files. In the dedicated server scenario, the security concerns of using PHP as an Apache module are largely mitigated. ( Note, however, that if one site on your dedicated server is exploited in a mod_php setup, other sites or files will most likely be vulnerable as well, whereas a server running suPHP with PHP’s safe_mode enabled and open_basedir directive configured will generally be able to jail the attack to one virtual host’s document root)

General practices for PHP application security

At this point, I’d like to briefly go over just a few coding techniques you can use to increase the security of your application. Please understand that this is by no means a comprehensive list, and simply adhering to the suggestions below does not ensure that your application is secure. However, you should make it a point to be security conscious when writing code, rather than trusting your environment to eliminate or mitigate any potential attacks on your application.

1. Sanity-check your data

- This is probably the simplest and most effective way of preventing exploits in your application. Sanity checking just means that if you’re expecting the user to enter a number, make sure you actually received a number. If you’re expecting a string with alphanumeric characters only, verify that that’s what you got. Also, never trust this kind of validation to javascript only, as javascript can easily be disabled on the client side. Finally, never pass user data directly to an SQL query without validating it first. While PHP’s magic_quotes mechanism is great for helping to prevent SQL injection attacks (an attack where a user can enter data in such a way as to run their own arbitrary queries), again you should not rely exclusively on the environment for your application security.

2. Check the type and extension of uploaded files.

- Allowing file uploads is inherently risky, but very often it’s a necessary part of an application. PHP allows you to gain a lot of information about uploaded files before they’re ever written to their final destination, so make use of the information contained in the $_FILES array to ensure that you’re getting the type of file you’re expecting. A basic way of validating the file type is simply to ensure that the extension of the file indicates that it is (or is purported to be) the type of file you’re expecting. A common exploit for upload scripts is for an attacker to upload a malicious PHP script to your site, then browse to the uploaded script to gain control of your files. Even a basic check to make sure that, for instance, only files with a .jpg extension are allowed to be uploaded would prevent this type of exploit. However, I also recommend verifying the MIME type of the file, which is contained in the $_FILES array under the key ‘type’, and will look like: “image/jpeg” or “application/pdf”. Be as restrictive as possible – rather than validating against a list of extensions that are NOT allowed (php, exe, etc), check to make sure that the extension and/or MIME type matches a small group of file types that ARE allowed.

3. Use a .php extension for ALL files with PHP code contained in them.

Often I come across files in PHP projects that have a .inc extension, because they are meant to be included, not browsed to directly from the web. This is a common condition, but there’s a potential security issue here if those files contain any sensitive data (e.g. database passwords). Because .inc files are not parsed by the PHP interpreter, they can be passed directly to the client side if they’re available via a web request, which would allow anyone to read the php code directly. Hopefully the directory these files reside in is denied read access by webserver rules (see below), but even so, there’s no sense in risking an accident where the user ends up being able to browse directly to the file. Use .inc.php.

4. Make use of your webserver’s access control rules (e.g. .htaccess)

- Even if all the php files in your application have a .php extension as discussed in #3, you should still make use of your HTTP server’s access control to prohibit any files in sensitive directories from being served via the web. For instance, if you keep your database passwords in “include/db.inc.php”, this file, and all files in the include/ directory should be prevented from being served via the web. Even though the .php extension will ensure that client-side users can’t read the code if the PHP interpreter is functioning, there is the potential condition that the HTTP server has loaded without the PHP interpreter. Botched upgrades or configuration errors can sometimes cause this condition, and in the event that someone browses to a PHP file without the PHP interpreter ever having been loaded, they will again see the code just as you do when editing the files. In Apache, disabling directory access is usually as simple as creating a file called .htaccess (note the leading period) in the directory, then adding the line: “Deny from All” (no quotes) to that file and saving it.

My favorite web tools of 2007

2007-12-28T13:40:00.000-08:00

As the year comes to a close, I thought it would be fitting to reflect on what development tools helped make 2007 easier for me. These tools weren't necessarily created in 2007, but as someone who has a tendency to want to re-invent the wheel, I previously found myself overlooking great third-party products and ideas, so consider this a thank you to those people who contribute great, free code to the community.

1. Scriptaculous (http://script.aculo.us)
Provides: Easy drag and drop, animation, and AJAX functionality

Building on the Prototype Javascript framework, Thomas Fuchs, with the help of a community of open source contributors, has given us an easy-to-use but extremely powerful toolkit for some of the more tedious Javascript tasks we face - namely UI features (e.g. drag and drop) and AJAX functionality. Those of us who have been around long enough to have had to work with positioning and controlling user interface elements know the headaches involved in getting your event handlers to fire as you expect them or tracking the x and y coordinates of the mouse. In fact, I suspect the #1 most common reason for keyboard smashing and monitor punching among developers goes something like "graphic element expanded beyond its container instead of properly wrapping to the next line".
With Scriptaculous, implementing drag and drop, including sortable lists, is about as easy as it can feasibly be, and the AJAX-related classes are a godsend. Even someone with only moderate experience in javascript should be able to implement advanced UI features and AJAX functionality without much trouble. Scriptaculous is well integrated with Ruby on Rails, and I expect that it will soon be driving a lot of the AJAX functionality in my own PHP MVC framework, FUSE

2. The Free Rich Text Editor (http://www.freerichtexteditor.com/)
Provides: a full WYSIWYG editor, a la blogger's "compose" feature

Definitely file this under "things I would NOT like to have to write from scratch"! Released under the Creative Commons License (thankfully), this rich text editor control allows you to easily implement full WYSIWYG functionality into your web application. With a wide range of editing functions, from bulleted lists and visual color selection to drag and drop image placement, it just doesn't get any better than this. A simple .js configuration file provides you with customization options, and once you add in a few tags, you're all set. Custom WYSIWYG in under ten minutes. This one has been integrated into FUSE since the day I found it!

3. Model / View / Controller architecture
Provides: Sanity

Ok, this isn't exactly a "tool", and the idea has certainly been around for a long time (since 1979 according to Wikipedia) , but MVC has finally started to gain real acceptance in the web development community to the point where it's becoming the standard for large scale, web-based applications. Due in some part to the popularization of Ruby on Rails, along with other MVC frameworks like Cake, Symfony(, or FUSE), web developers have finally started realizing that procedural scripting, especially the sort that mixes application code and presentation (e.g. PHP and HTML in the same file), isn't the best method for creating scalable, manageable applications. At this point, most MVC developers will look at you with a true sense of confusion and disappointment if you suggest ANY other way of developing a web app, but it seems that the majority of web programmers are still stuck in the "Chapter 1 of 'Building your first PHP applicatoin'" mentality, mixing procedural code in with HTML and packaging it all up in ugly URLs with long query strings. Get with the program, guys!

So there you have it - some things that helped me keep what's left of my sanity for the past year. I may add to the list if I think of something that really needs to be mentioned, but the three items listed were part of my daily development life in '07, and I suspect that all of them will keep me company for '08 as well.

Managing include files in Javascript

2007-02-01T01:47:00.000-08:00

As I continue to write Javascript libraries for use on various projects, I decided it was time to write a simple include() function so that I don't have to manually add superfluous <script></script> tags that I may or may not need on any given page.

Using the XMLHttpRequestObject, I was able to create an asynchronous request to fetch the source of my .js file. Then I create a new script object and set the .text or .innerHTML attribute of that object (depending on browser - IE requires .text) to the fetched source. So far I've tested it in IE 6 and FF 1.5.

Usage for including "/script/myscript.js":
Note: in reality, the include() call would be done from inside another .js file.


<head>
<script language="Javascript" src="ScriptManager.js" type="text/javascript"></script>
<script language="Javascript" type="text/javascript">
ScriptManager.script_base_link = '/script'; //set up our base link
//ScriptManager.script_file_extension = '.js'; //defaults to .js
ScriptManager.ErrorHandler.silent = false; //set to true or remove in production

try { 
 ScriptManager.include( 'myscript' );
}
catch (e) {
 ScriptManager.ErrorHandler.handle_error( e );
}

</head>

And that's all.
The code for ScriptManager.js is below.
Copy & paste this into ScriptManager.js:


function ErrorHandler() {


}

ErrorHandler.handle_error = function ( e ) {

 try {
  ErrorHandler.show_error( e.message );
 }
 catch(e) {
 }

}

ErrorHandler.show_error = function( message ) {

 try {
  if ( !ErrorHandler.silent ) {
   alert( message );
  }
 }
 catch(e) {
 }

}

function HTTPRequest() {

 //
 // Properties
 //
 this.request_object = null;
 this.async = true;
 this.onreadystatechange = null;

 //
 // Methods
 //
 this.get_request_object = get_request_object;
 this.send = send;
 this.is_busy = is_busy; 
 this.abort = abort;
 this.get_readyState   = get_readyState;
 this.get_status       = get_status;
 this.get_responseText = get_responseText;

 function get_request_object() {

  try {

   if ( !this.request_object ) {  
 
    var http_request;

    if ( typeof(XMLHttpRequest) != 'undefined' ) {
     http_request = new XMLHttpRequest();
    }
    else {
 
     try {
      http_request = new ActiveXObject('Msxml2.XMLHTTP');
     }
     catch(inner_e) {

      try {
       http_request = new ActiveXObject('Microsoft.XMLHTTP');
      }
      catch(inner_e2) {
      }
     } 
    }

    this.request_object = http_request;
   }

   return this.request_object;
  }
  catch(e) {
   throw e;
  }
 }

 function get_readyState() {

  try {
   if ( request_obj = this.get_request_object() ) {
    return request_obj.readyState;
   }

   return null;
  }
  catch( e ) {
   throw e;
  }   

 }

 function get_status() {

  try {
   if ( request_obj = this.get_request_object() ) {
    return request_obj.status;
   }

   return null;
  }
  catch( e ) {
   throw e;
  }   

 }

 function get_responseText() {

  try {
   if ( request_obj = this.get_request_object() ) {
    return request_obj.responseText;
   }

   return null;
  }
  catch( e ) {
   throw e;
  }   

 }

 function send( which_url ) {

  try {
   var http_request_obj;

   if ( !(http_request_obj = this.get_request_object()) ) {
    throw 'Your web browser does not support this function.';
   }

   if ( this.is_busy() ) {
    this.abort();
   }

   if ( this.onreadystatechange ) {
    http_request_obj.onreadystatechange = this.onreadystatechange;
   }
   http_request_obj.open("GET", which_url, this.async);
     http_request_obj.send(null);

  }
  catch(e) {
   throw e;
  }
  

 }
 
 function is_busy() {

  try {
   if ( request_obj = this.get_request_object() ) {

    switch ( request_obj.readyState ) {
     case 1,2,3:
      return true;
      break;
     default:
      return 0;
      break;
    }
   }

   return 0;
  }
  catch(e) {
   throw e;
  }


 }

 function abort() {

  try {
   if ( this.request_object ) {
    this.request_object.onreadystatechange = null;
    this.request_object.abort();
   }
  }
  catch(e) {
   throw e;
  }
 }

}

HTTPRequest.READYSTATE_COMPLETED = 4;
HTTPRequest.STATUS_OK = 200;

////
//// ScriptManager
////
function ScriptManager() {

}

ScriptManager.include = function( file_name ) {

 try {
  var file_path;
  var head;
  var body;
  var request = new HTTPRequest();
  var script_obj;

  script_obj = document.createElement('script');
  script_obj.setAttribute('type', 'text/javascript');

  if ( !ScriptManager.has_script_file_extension(file_name) ) {
   file_name = file_name + ScriptManager.script_file_extension;
  }

   file_path = ScriptManager.script_base_link + '/' + file_name;

  request.async = false;
  request.send( file_path );

  if ( typeof(script_obj.text) != 'undefined' ) {
   script_obj.text = request.get_responseText();
  }
  else if ( typeof(script_obj.innerHTML) != 'undefined' ) {
   script_obj.innerHTML = request.get_responseText();
  }

  if ( head = document.getElementsByTagName('head')[0] ) {
   head.appendChild(script_obj);
  }
  else if ( body = document.getElementsByTagName('body')[0] ) {
   body.appendChild(script_obj);
  }
  else {
   throw 'ScriptManager::include requires a  or  tag';
  }

 }
 catch ( e ) {
  ScriptManager.ErrorHandler.handle_error(e);
 }
}

ScriptManager.has_script_file_extension = function( file_name ) {

 try {
  var ext = ScriptManager.script_file_extension;

  if ( ext ) {
                   if ( file_name.substring(file_name.length - ext.length, file_name.length) == ext ) {
                           return true;
                   }
  }
 
  return 0;
 }
 catch ( e ) {
  throw e;
 }

}

ScriptManager.script_base_link = '';
ScriptManager.script_file_extension = '.js';

ScriptManager.ErrorHandler = ErrorHandler;
ScriptManager.ErrorHandler.silent = true;

Getting Java JVM and midp SSH to run on a Motorola Q

2006-11-22T02:05:00.000-08:00

I bought a Motorola Q a few days ago with the full intention of using it for emergency SSH access when I'm not in front of a computer. I was a little disappointed to find that getting a terminal app with SSH wasn't as easy as I had expected, but I got it working nonetheless.

If you want something quick for SSH or Telnet, try zaTelnet at the link below. It installed fine on my Q (make sure you download the version for SmartPhone running Windows Mobile 5), though it does seem a bit slow while working. It's freeware, but it's not open source, which makes me a bit wary. However, it does seem to work fairly well:

http://www.codebrowser.org/

If you're looking to get a Java VM installed so you can run MidpSSH, it's more involved, but not too bad, and then you have a Java VM for other Midlets.

First, you need the JVM for the SmartPhone, which is still in the "evaluation" stage from IBM Websphere, but it seems pretty stable. You have to sign up for an IBM account (free, just annoying) to get to the download, but this is the link:

http://www14.software.ibm.com/webapp/download/preconfig.jsp?id=2006-04-06+13%3A40%3A41.975747R&S_TACT=104CBW71&S_CMP=

after you signup (and wait a few minutes for your account to become active, apparently), follow the steps below:

1. download the executable file listed under "CLDC 1.1/MIDP 2.0 for Windows Mobile 5.0 Smartphone Edition/ARM". The filename will begin with ibm-weme-wm50-sp-arm-midp20. Also download install.pdf under the same heading.

2. run the file and complete the install wizard.

3. Once installed, browse to C:\Program Files\IBM\WEME\runtimes\61\wm50-arm-sp-midp20

4. in there you will find a zip file called weme-wm50-sp-arm-midp20_6.1.0.20060727-102926.zip
(Note: the filename might have a slightly different version number after midp20_, but it's the only zip file in the directory)

5. Extract the zip, then follow the instructions in the install.pdf file and you should be good to go.
(Note: The bin/, lib/, and examples/ directories referred to in the install file are the ones from the extracted .zip file, *not* from the _jvm directory.)

The install.pdf file details how to install their example app, but you can follow the same steps to install midPSSH.

"mySQL server has gone away" in PHP when using mySQL stored procedures

2006-11-09T23:18:00.000-08:00

There seems to be a lot of conflicting information floating around about stored procedures in PHP, and I spent a bit of time myself grappling with a "mysql server has gone away" error when using the CALL statement to run a stored procedure. I think I've managed to get things squared away, both in the code and in my head, as to the caveats of mySQL 5 stored procedures in PHP. Here's the lowdown:

Per mySQL's own documentation for the C API of mysql_next_result:
"each CALL returns a result to indicate the call status, in addition to any results sets that might be returned by statements executed within the procedure."

This means that you should use mysqli_multi_query() when calling your stored procedure.

Additionally, this means that you cannot simply call mysqli_store_result() to store your buffered result in a variable then move on to your next query, which is perfectly reasonable for normal queries. Even for procedures that return a single resultset, you need to make sure you iterate through the "call status" result even though you won't be using it for anything. In fact, this status result seems to be kind of nebulous in that you can't use_result() or store_result() on it (as far as I can tell), but you need to iterate through it (via next_result()) before executing another query.

My problem with the way this all works is that since all of my procedures only returned a single result set, I wanted to be able to access them exactly as I would any other query (including storing the result so I could use it later), without having to manually iterate through this extra status result each time I called a procedure. Below is what I came up with.

Note: I'm using the procedural functions for the mysqli interface because people who are just getting acquainted with mysqli will recognize the syntax more easily, but you should definitely look into the object oriented approach for using mysqli functions.


function &procedure_get_result( $procedure_call ) {

 //
 //note: error handling has been removed from this function
 //for the sake of the example, but you'll want to check the
 //return values of functions like mysqli_connect(), etc...
 //

 $result_count = 0;
 $result_loop_silence = 0;
 $false_ret = false;

 $dbh = mysqli_connect("localhost", "my_user", "my_password", "my_dbname");

 //
 // if the word CALL was included in the parameter, just strip it out.
 // We'll add it later.
 //
 if ( substr(strtoupper($procedure_call), 0, 4) == 'CALL' ) {
   $procedure_call = substr( $procedure_call, 4 );
 }

 $procedure_call = trim($procedure_call);

 $query = "CALL {$procedure_call}";

 if ( mysqli_multi_query($dbh, $query)  ) {

   $result = mysqli_store_result($dbh); //this is the result we want!

   while ( mysqli_more_results($dbh) ) {

     //
     // iterate through the call status result set
     //
     if ( $result_count > 0 ) {
       //
       // this function only supports a 0th and a 1st result set
       // so show a warning if we have more
       //
       if ( !$result_loop_silence ) {
         trigger_error( 'Too many results returned for ' . __METHOD__ . '. Use multi query.', E_USER_WARNING );
         $result_loop_silence = 1;
       }
     }

     mysqli_next_result($dbh);

     if ( $status_result = mysqli_use_result($dbh) ) {

       //
       // this never seems to get executed with
       // CALL that only return one result set plus the
       // status resultset, but we'll leave it in
       //
     
       $status_result->close();
       mysqli_free_result($status_result);
                             
     }

     $result_count++;
 }

 return $result;

 }

  return null;
}

mySQL natural number ordering

2006-10-12T20:58:00.000-07:00

Had a situation today where I needed to order a list that looked like "DISTRICT 1, DISTRICT 2...DISTRICT 10, DISTRICT 11". Ordering this field with a simple ORDER BY groupField ASC puts "DISTRICT 10" and "DISTRICT 11" before "DISTRICT 2", which is not what I wanted. Also, the field wasn't always going to be setup as single string, a space, and a number, so I couldn't just SUBSTRING out the trailing number. Found the solution in the mySQL forums:

ORDER BY LENGTH(groupField) ASC, groupField ASC

now the ordering is as you'd expect from a user standpoint.

IE doesn't show option text when dynamically creating an optgroup

2006-09-14T23:51:00.001-07:00

I dealt with a bit of a headache tonight trying to figure out why Internet Explorer 6 wouldn't display any option text if I created an option within an optgroup dynamically (using Javascript). It turns out that you have to set the innerText property of the option before appending it to the optgroup. Just setting the label or text properties of the option is not enough, you need to set innerText, like so:

select_obj = document.getElementById('my_select_box_id');
optgroup_obj = document.createElement('optgroup');
option_obj = document.createElement('option');

option_obj.label = 'option label';
option_obj.value = 'option value';

if ( typeof(option_obj.innerText) != 'undefined' ) {
option_obj.innerText = 'option label';
}
else {
option_obj.text = 'option label';
}

optgroup_obj.appendChild(option_obj);
select_obj.appendChild( optgroup_obj );

IMP Error connecting to IMAP server. 22 : Invalid argument.

2006-07-16T17:13:00.000-07:00

IMP was giving me this error today when trying to login. Turns out that since I had the IMAP server set to use SSL (the default), PHP needs openSSL *compiled statically*, not just the openSSL extension. To fix this in FreeBSD using ports, I just did:

cd /usr/ports/lang/php4
make config
-> check the "Build OpenSSL statically" option
make clean
make
make deinstall
make reinstall

horde sidebar menu hangs on login after turba configuration

2006-07-16T15:01:00.000-07:00

I was installing horde today on a new server, and noticed that after doing all of my configs, the sidebar would hang pretty much indefinitely when trying to login. I poked around for a bit and eventually found that turba was the issue. A little googling and a mailing list post led me to the information that the problem is the LDAP source in the turba/config/sources.php file. I don't use LDAP, so I commented out the LDAP source by changing:

if ( Util::extensionExists('ldap')) {

to

if ( false && Util::extensionExists('ldap')) {

in config/turba/sources.php and it now works perfectly.

InnoDB table creation fails after an improperly dropped table

2006-04-07T01:50:00.000-07:00

I was playing around with InnoDB on my development server, somehow screwed things up pretty bad, and had to delete some .frm files from the db directory manually. However, I found that even though some of my tables didn't exist in show tables, I couldn't recreate them. the mySQL client was spitting out fairly ambiguous InnoDB errors (can't rename table, etc), and it was confusing me quite a bit. I even found that I could create the tables as myISAM, but once I tried to change engine to InnoDB, it wouldn't let me. I even tried dropping the entire database and recreating it, but the InnoDB data dictionary still had information about those tables in that database! I found some more insight by using the mySQL command "show engine innoDB status;", which told me the last foreign key errors. Turns out the foreign key constraints were still applied to my table even though the table didn't actually exist. I tried dropping the keys by name, but that didn't work. It didn't issue any errors, but it also didn't do anything. Ultimately I had to recreate all the keys as they had originally appeared (matching the name and type exactly), then drop the table properly.

Windows Explorer freezes when video files are in the folder you're viewing

2006-03-24T21:11:00.000-08:00

I recently started having a problem where any time there was an avi file in the folder I was viewing, explorer would freeze up and have to be shutdown from task manager. Over at annoyances.org, I found a handy fix that took care of the problem right away. Here it is:

NOTE: before doing this, you should make a backup of your registry by going to start->run, typing regedt32 , then going to File > Export and saving the registry file somewhere safe.

1. Click Start
2. Click Run
3. Type: regedt32
4. Browse to the registry key (the things that look like folders on the left side of the screen) HKEY_CLASSES_ROOT\SystemFileAssociations\.avi\shellex\PropertyHandler.
5. Delete the Key on the right hand side called "default" by right-clicking and hitting "Delete".

That should be it. If that doesn't work, the following command might help, but it will disable all AVI thumbnail preview capability:

go to Start > Run, type: REGSVR32 /U SHMEDIA.DLL and press OK. To undo this change, simply go to Start > Run, type: REGSVR32 SHMEDIA.DLL and press OK.

ACT 2005 Install fails on SQLHotfix818.exe on Small Business Server 2003

2005-12-06T10:15:00.000-08:00

This problem showed up while I was migrating a client onto a new SBS 2003 server. The ACT install would just about complete, then complain about an invalid exception in SQLHotfix818.exe at the very end. Subsequently trying to start ACT would cause an "Object reference not set to instance of object" error. I tried a lot of things, but here's what ended up working:

1. Go to Add/Remove Programs and remove any references to MS SQL Desktop Engine (including SharePoint and SBSMonitoring, you can reinstall these if you need them. If you actively use either, make sure you have a backup!).

2. Rename C:\Program Files\Microsoft SQL Server to something else, so the ACT install can't find it.

3. Make sure the SYSTEM user has full access to the C:\ drive (per ACT KB article #16478)

4. Make sure all services that start with MSSQL$ are stopped (Start -> Administrative Tools -> Services)

5. If ACT is installed, uninstall it.

6. Now install ACT, and you should be good to go.

Horde/IMP won't create sent mail folder. This is what the server said: Invalid mailbox name

2005-12-05T18:44:00.000-08:00

I was setting up the new version of IMP today, and found that I couldn't create folders from webmail. I knew it wasn't an IMAP permissions issue, because I could create & subscribe to folders with no problems from my IMAP client. It turns out that with Courier-IMAP, the IMAP server I prefer, you need to set the following options in your server confing (probably /usr/local/www/horde/imp/config/servers.php):

under $servers['imap'] (or whatever server you're using - 'imap' is the default - change the namespace and folder lines to read:

'folders' => 'INBOX.',
'namespace' => '',

Note the trailing dot after INBOX. Then you have to LOG OUT AND LOG BACK IN before the changes will take effect. The docs suggest that these options should be the other way around for Courier-IMAP, but it doesn't seem to work that way.

Changing file associations in windows as a non administrator user

2005-09-22T15:15:00.000-07:00

It seems that non-admin users on Windows 2000 and Windows XP can't edit their own file associations. This becomes a problem when you have a nonstandard association that needs to be in place for everyone in the office/organization. I grappled with this problem a bit, but eventually found that I could write a simple VBscript to edit the current user's registry settings to add in my own file assocations for a given extension. The code is below, simply save this script with a vbs extension (example: fileAssn.vbs) and add it as a login script for any users who need the association:

Option Explicit

Dim objShell
set objShell = WScript.CreateObject ("WScript.Shell")

'----------------------------------------------------------------
' Don't edit above here
'
' Below is an example of associating PDF files with AcroRd32.exe
' You can change this to whatever you need, and just
' copy and paste the line over again to add more associations.
'-----------------------------------------------------------------

addFileAssociation ".pdf", "AcroRd32.exe"

'-------------------------
' Don't edit below here
'-------------------------
Sub addFileAssociation( fileExt, whichApp )

If ( Left(fileExt, 1) <> "." ) Then
fileExt = "." & fileExt
End If

objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\" & fileExt & "\Application", whichApp

End Sub

passing username to spamc through maildrop with postfix

2005-09-17T22:47:00.000-07:00

I'm setting up a purely virtual postfix/mysql mail server, and I wanted to implement spamassassin to filter spam. Initially I had intended to use procmail, but postfix doesn't currently support procmail for virtual users, so I had to go with maildrop. All I wanted was to enable the line:

xfilter "/usr/local/bin/spamc -u USERNAME"

and have the username changed to the recipient for the mail being processed. After stumbling through some changes in master.cf and trying different maildrop variables, I found that the easiest way to get the username to the script was simply to pass ${recipient} as a parameter to maildrop in master.cf, like this:

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} ${recipient}

(yes, ${recipient} should be there twice.) This way, I can always pull the recipient email address directly into the maildroprc file by referencing $1. So my xfilter line became:

xfilter "/usr/local/bin/spamc -u $1"

then I just fleshed out my maildroprc script (i'd post it here but it's pretty specific to my setup, and other howtos on maildrop/postfix are available) to handle what happens if a mail is tagged as spam.

Windows XP automatically tries to search when you click a folder

2005-07-26T11:50:00.000-07:00

A friend of mine came to me with this issue, and after a bit of searching, I came across http://windowsxp.mvps.org/searchwindow.htm . Running "regsvr32 /i shell32.dll", as suggested by that site, fixed his problem, so I figured I'd repost it here, since it took me a while to find:

The following is from http://windowsxp.mvps.org/searchwindow.htm:

If you double-click a drive or folder, Search Companion may start and the drive or folder may not open. 'Search' will be the top most in the right-click context menu for a folder or drive. This usually happens if you've edited the File Folder or Drive via the Folder Options File Types dialog, in order to add a context-menu item such as "Command Prompt here", "Print Directory" feature for folders or drives.

References:
http://support.microsoft.com/?kbid=321379
http://support.microsoft.com/?kbid=321186

Quick fix

Click Start, Run and type this command:

regsvr32 /i shell32.dll
(Tip from David Candy)

To fix the problem manually, open Registry Editor and navigate to:

HKEY_CLASSES_ROOT\Directory\shell

-and-

HKEY_CLASSES_ROOT\Drive\shell

In the right-pane, locate and click the (Default) value under the keys mentioned above
Click Modify on the Edit menu.
Type the word none in the Value data box, and then click OK.
Exit Registry Editor.

Windows (WSH) Shell Login scripts won't run after allowing specified programs

2005-07-26T11:26:00.000-07:00

In an attempt to lock down some workstations that were having spyware trouble, I made use of the Windows 2000 "Run only allowed windows applications" option in the Group Policy Object. [Note: this feature is expanded in Windows Server 2003 as "Software Restrictions Policies" in the GPO editor, but the idea is the same]. Since the network users only use a handful of applications ( MS Word, Internet Explorer, etc ), I was able to specify these as allowed programs, disallowing everything else. However, even if I specified my login scripts in the "allowed programs" list as my_script.vbs, they still weren't running. On a hunch, I added wscript.exe, the interpreter for VBS scripts, to the allowed program list, and everything ran fine after that. I also allowed sndvol32.exe (which will allow users to access the sound mixer to change their volume), calc.exe, notepad.exe, mspaint.exe, and a few other various windows "accessories" that everyone should have access to.

Bottom line:
Can't get VBS scripts to run due to having specified an allowed list of windows applications? Try adding wscript.exe to the list.

Users restricted from changing their volume settings for the same reason? Try adding sndvol32.exe.

Proftpd can't find libmysqlclient.so.14 inside chroot jail

2005-06-02T15:54:00.000-07:00

I was trying to make the switch to purely virtual ftp users in Proftpd, but noticed that the jailed Proftpd binary (created with my Proftpd Chroot script) was having trouble finding the mySQL libraries. No problem, I thought, it tells me what file it can't find, so I'll just copy them into their respective homes underneath the chroot jail. The first two went fine, libm.so and libz.so, but even after copying libmysqlclient.so.14 from /usr/local/lib/mysql/ to /usr/chroot/proftpd/usr/local/lib/mysql, which is underneath my chroot jail, Proftpd still couldn't find it on startup. After tinkering with the file location and doing some google searching, I found a thread related to shared objects that suggested using strace on a binary file to determine where exactly it's looking for a particular shared object. Aha! Proftpd running under the jail, for reasons I haven't yet figured out, wants libmysqlclient.so.14 to be in /usr/lib. No mySQL sub directory or anything, just in the standard /usr/lib directory. After moving the file there, proftpd started up like a charm.

mysqldump out of memory error 5

2005-03-01T01:20:00.000-08:00

Tonight I was trying to mysqldump some large tables, but kept getting "mysqldump out of memory error 5". I knew I had dumped tables larger than the ones I was dumping, so I wasn't sure what was going on. After poking around with mySQL settings in my.cnf to no avail, I decided to try optimize table. That seemed to fix the problem. The reason it came to mind is because I had purged about 100,000 rows of the problematic table earlier in the day and thought maybe it needed cleanup

bottom line:
mysqldump giving "out of memory" error, try:
optimze table myTable

Windows MSI installer won't install

2005-02-28T22:29:00.000-08:00

I was trying to install Veritas Backupexec 9.1 tonight, and it kept failing with "backupexec failed to install msde". The Veritas site said to try to install manually, and I found that I couldn't execute the MSI file at all. It simply did nothing when I clicked the file, but that was a problem I had seen before. Security settings on MSI files have to be very leniant for some reason, so I simply granted "everyone" full access to the install files. I'm not sure which user actually needs access in order for the install to run properly (maybe SYSTEM?), but since security isn't going to be important on files I'm deleting, I just granted EVERYONE full access to the entire folder. You should not, however, make a habit of doing this on files you don't want your entire organization to have access to.

Bottom Line:
clicking an MSI file seems to do absolutely nothing? Try granting full access permissions to the windows group "EVERYONE" and see if things change. If security is important on the MSI file, take away the full access as soon as you are finished installing.

PHP Sessions stop working after mod_php4 upgrade to php 4.3.10

2005-02-02T13:58:00.000-08:00

Last night I upgraded PHP to php 4.3.10 from 4.3.9. Everything seemed to have gone well, but today people complained about some scripts not working. I did some digging and found that session_start() would stop the script cold with no error messages. I was rather confused for a while, then decided to just recompile the session extension ( /usr/ports/www/php4-session/make && make install ) and things seemed to work after that. Now I'm going to recompile all extensions in case something else was broken in the process. Hopefully I won't be breaking anything myself.

Found Windows 2000 Sound Drivers for E-Machine Etower 533id2

2004-12-13T08:42:00.000-08:00

Came across these drivers after some searching, thought someone else might find the link useful. This machine (Etower 533id2) uses the Crystal CS4281 Chipset.

http://www.opendrivers.com/freedownload/217909/Crystal-CS4281-Sound-Driver-Windows.html

Selecting an age from a birthday date field in mySQL

2004-12-08T23:43:00.000-08:00

I added this to the mySQL manual a while back, but it seems to have been filtered out in more recent versions of the docs. Although I prefer to do my arithmetic in PHP, this query will determine an age from a date field birthDate in mySQL.

SELECT YEAR(NOW()) - YEAR(birthDate) - IF ( MONTH(NOW()) < MONTH(birthDate), 1, 0 ) - IF ( MONTH(NOW()) = MONTH(birthDate) AND DAYOFMONTH(NOW()) < DAYOFMONTH(birthDate), 1, 0) AS age

FreeBSD thinks vpopmail isn't installed even when it is

2004-12-01T13:02:00.000-08:00

I grappled with this problem a little bit today, where FreeBSD kept insisting on installing vpopmail from other ports even though it was already installed. The port install would fail, however, because FreeBSD won't install over another package without making "reinstall". I couldn't figure out why it thought vpopmail was not installed until I froze the screen when it was checking, and I noticed that it looks for /usr/local/vpopmail/lib/libvpopmail.a. Since I install vpopmail to /home/vpopmail, that file was in /home/vpopmail/lib/ !
I just did:

mkdir -p /usr/local/vpopmail/lib
ln -s /home/vpopmail/lib/libvpopmail.a /usr/local/vpopmail/lib/libvpopmail.a

and the problem went away.

Installing vpopmail to a directory other than the default

2004-11-29T14:29:00.000-08:00

I was setting up a FreeBSD machine with Matt's Mail Toaster today, and I couldn't seem to get vpopmail to install anywhere except for /usr/local/vpopmail, even though I specified in toaster-watcher.conf that the vpopmail directory should be /home/vpopmail. After some digging, I found that the vpopmail install checks the home directory of the vpopmail user in order to find out where it should install to. So, I did

chsh vpopmail

and changed the home directory to /home/vpopmail. To get it to work seamlessly, though, I also had to set PREFIX=/home before doing the vpopmail install, so the line was:

env PREFIX=/home toaster_setup.pl -s vpopmail

or, if you're using the ports on your own:
env PREFIX=/home make install

Capitalizing the first word of every sentence in PHP

2004-11-24T22:03:00.000-08:00

Someone asked me tonight for a function that capitalized the first word of every sentence in PHP. I thought I could do it with a one line preg_replace, but it didn't want to let me call strtoupper or ucfirst on backreferenced variables for some reason. I didn't really look into it, but I wrote this function instead. It's not necessarily as efficient as I'd like it to be, but it works, and I thought someone might be able to use it.

$text = 'Here is a sentence. here is one not capitalized. and another';
$fixed_text = uc_sentence_start( $text );
echo $fixed_text;

function uc_sentence_start( $value ) {

preg_match_all( '/(\.\s*)([a-z])/m', $value, $matches, PREG_OFFSET_CAPTURE );

for ($i=0; $i< count($matches[0]); $i++) {

$match_pos = $matches[0][$i][1];
$dot_space = $matches[1][$i][0];
$char = $matches[2][$i][0];

$replacement = $dot_space . strtoupper( $char );

$value = substr_replace( $value, $replacement, $match_pos, strlen($replacement) );
}

return $value;
}

Mappoint North America can't run

2004-11-22T14:28:00.000-08:00

Just something I've picked up along the way. If you're seeing the following message when trying to use the MapPoint VB control (MappointControl.ocx):

"MapPoint North America can't run because it is not registered on your system, or it can't be found. Install MapPoint North America and try again."

Try going to start -> run and typing (including quotes):

"C:\Program Files\Microsoft MapPoint\Mappoint.exe" /regserver

If you have Mappoint installed to a different location than the default, replace the location above with the correct path. However, make sure that while the path stays in quotes, the /regserver is outside the quotes and separated from the path with a space, as above.

Apache make_sock errors

2004-11-22T09:23:00.000-08:00

While trying to resolve a latency issue today, I restarted apache and kept seeing these errors:

[Mon Nov 22 12:12:57 2004] [info] (2)No such file or directory: make_sock: for port 443, setsockopt: (SO_ACCEPTFILTER)
[Mon Nov 22 12:12:57 2004] [info] (2)No such file or directory: make_sock: for port 80, setsockopt: (SO_ACCEPTFILTER)

The port seemed to be bound but wouldn't accept any connections. After running "sockstat" a lot and scratching my head, something occurred to me. I normally have an ipfw throttle pipe running just to prevent an attack or sudden popularity increase in a website or image from sucking up thousands of dollars of bandwidth. I *thought* I had disabled it with "ipfw pipe flush" to troubleshoot the latency problem, but then I remembered that you need to issue two commands to fully clear the ipfw throttling rules:

ipfw pipe flush
ipfw flush

That solved the problem with Apache not accepting socket connections.

(As of this writing, the latency is still there, but I'm growing more and more certain that it's a problem somwhere upstream.)

Proftpd mySQL Authentication & Quotas on FreeBSD

2004-11-20T22:40:00.000-08:00

Tonight I tried setting up Proftpd with mySQL authentication on a development box running FreeBSD 4.10. I got it to work using the steps below, but some security concerns arise from using mySQL user accounts without a system account behind them. Since this setup uses one FTP account to create user home directories and upload files, a compromise to this FTP user would cause the attacker to gain access to all FTP user home directories. I guess it just depends on how much you trust the DefaultRoot directive in Proftpd. I run Proftpd in its own chroot environment ( http://jim.centerfuse.net/projects/proftpd_chroot/ ) in addition to using DefaultRoot, so I'm used to feeling pretty safe with my Proftpd install. Anyway, here's how I did the install/configuration

1. install proftpd-mysql from the ports with WITH_QUOTA set:
cd /usr/ports/ftp/proftpd-mysql/
env WITH_QUOTA=yes make
env WITH_QUOTA=yes make install

2. Add the global proftpd user & Proftpd group to your system.
I used uid & gid 5500 simply because that's what was used at one of the sites I was referencing (listed below).

pw groupadd -n Proftpd -g 5500
pw useradd proftpd -u 5500 -g Proftpd -s /sbin/nologin -d /dev/null -c "Proftpd User"

3. Create the mySQL database

create database proftpd;
grant all on proftpd.* to 'proftpd'@'localhost' identified by 'password'

( change 'password' to something secret! )

4. Create the mySQL tables for the users & quota

create table proftpdUsers (

sqlUID int unsigned auto_increment not null,
userName varchar(30) not null unique,
passwd varchar(80) not null,
uid int unsigned not null unique,
gid int unsigned not null,
homedir tinytext,
shell tinytext,
primary key(sqlUID)

) ;

create table proftpdGroups (

sqlGID int unsigned auto_increment not null,
groupName varchar(30) not null unique,
gid int unsigned not null unique,
members tinytext,
primary key(sqlGID)
);

CREATE TABLE proftpdQuotaLimits (
name VARCHAR(30),
quota_type ENUM("user", "group", "class", "all") NOT NULL,
per_session ENUM("false", "true") NOT NULL,
limit_type ENUM("soft", "hard") NOT NULL,
bytes_in_avail FLOAT NOT NULL,
bytes_out_avail FLOAT NOT NULL,
bytes_xfer_avail FLOAT NOT NULL,
files_in_avail INT UNSIGNED NOT NULL,
files_out_avail INT UNSIGNED NOT NULL,
files_xfer_avail INT UNSIGNED NOT NULL
);

CREATE TABLE proftpdQuotaTallies (
name VARCHAR(30) NOT NULL,
quota_type ENUM("user", "group", "class", "all") NOT NULL,
bytes_in_used FLOAT NOT NULL,
bytes_out_used FLOAT NOT NULL,
bytes_xfer_used FLOAT NOT NULL,
files_in_used INT UNSIGNED NOT NULL,
files_out_used INT UNSIGNED NOT NULL,
files_xfer_used INT UNSIGNED NOT NULL
);

5. Add a test user to the proftpd database

(assumes /home/ftp is where you keep your ftp users. Otherwise, change the homedir location). This is certainly not a necessary step, but you should probably check to see if your configuration is working. You can delete this user later.

insert into proftpdUsers values ( 0, 'test', 'test', 5500, 5500, '/home/ftp/test', '/sbin/nologin' );

6. Set your proftpd configuration to use the mySQL authentication and quotas:
(NOTE: this is not a complete configuration file, it's basically just the default config file with mySQL auth & quotas added, but note that the User and Group directives are the user & group we added in step 2. )

MaxInstances 30

# Set the user and group under which the server will run.
User proftpd
Group Proftpd

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

DenyAll

# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users* groups*

# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo proftpd@localhost proftpd yourdatabasepassword

# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo proftpdUsers userName passwd uid gid homedir shell

# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo proftpdGroups groupName gid members

# set min UID and GID - otherwise these are 999 each
SQLMinID 5000

#============
# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on

# create a user's home directory on demand if it doesn't exist
SQLHomedirOnDemand on

SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM proftpdQuotaLimits WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM proftpdQuotaTallies WHERE name = '%{0}' AND quota_type = '%{1}'"

SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" proftpdQuotaTallies

SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" proftpdQuotaTallies

QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

Thanks to the following sites for being great references, and providing most of the information in this post:
http://www.khoosys.net/single.htm?ipg=848
http://www.castaglia.org/proftpd/modules/mod_quotatab_sql.html