From eric at eric.nu Tue Sep 2 14:19:14 2008
From: eric at eric.nu (Eric Junker)
Date: Tue Sep 2 14:19:42 2008
Subject: [ciapug] phar
Message-ID: <48BD91B2.8020403@eric.nu>

Has anyone had a chance to play around with phar?

http://us.php.net/phar

It looks like a good way to package third party libraries and other things that you rarely modify. In one example I saw they packaged phpMyAdmin into a single phar archive.

Eric


From eric at eric.nu Tue Sep 2 14:27:04 2008
From: eric at eric.nu (Eric Junker)
Date: Tue Sep 2 14:27:29 2008
Subject: [ciapug] HttpOnly cookies to prevent XSS
Message-ID: <48BD9388.8010709@eric.nu>

I came across this information and thought some of you might be interested.

If you use cookies for authentication you should be aware of the HttpOnly flag for cookies. When this flag is set on cookies it makes the cookie 'invisible' to JavaScript, which means XSS attacks cannot steal your cookies. Not all browsers support HttpOnly, but IE7 and FF3 support it.

If you are using PHP 5.2 or later, setcookie() has support for HttpOnly; otherwise you can set the flag manually by using header().

http://www.codinghorror.com/blog/archives/001167.html
http://blog.mattmecham.com/2006/09/12/http-only-cookies-without-php-52/

Eric


From cmlburnett at gmail.com Tue Sep 2 19:10:13 2008
From: cmlburnett at gmail.com (Colin Burnett)
Date: Tue Sep 2 19:10:42 2008
Subject: [ciapug] phar
In-Reply-To: <48BD91B2.8020403@eric.nu>
References: <48BD91B2.8020403@eric.nu>
Message-ID: 

On Tue, Sep 2, 2008 at 2:19 PM, Eric Junker wrote:
> Has anyone had a chance to play around with phar?
> http://us.php.net/phar

I have to admit that my first response was: oh my god..... *gasp*.

Reading some of the details it seems basically like a rip-off of Java's JAR. Files plus manifest with optional signature. Except JAR's signature cryptographically ensures the integrity, whereas phar's signature is basically just a checksum (which I see no reason why it couldn't be maliciously changed). I don't know Java nor JARs, so that's from my understanding of Wikipedia.

I look forward to the Wikipedia article on "phar hell" to match JAR hell and DLL hell. Especially since there's nothing in the phar to indicate the version of the contents. It would appear the PHP team learned nothing of DLL hell (I hope they've heard of it, otherwise history *will* repeat itself again) and why .NET has assemblies and a GAC.

When you reinvent the wheel...don't forget the axle!

Colin


From tony at tonybibbs.com Tue Sep 2 20:12:00 2008
From: tony at tonybibbs.com (Tony Bibbs)
Date: Tue Sep 2 20:12:24 2008
Subject: [ciapug] phar
Message-ID: <601749.12825.qm@web704.biz.mail.mud.yahoo.com>

Keep in mind the new version of PEAR will use Phars, and PEAR packages already know plenty about their version (and other package metadata). That said, I don't see how this is as big of a problem until you deal with non-PEAR packages like the ones in the Zend Framework (don't get me started).

One thing worth noting: Phars are opcode cache friendly.

--Tony

----- Original Message ----
From: Colin Burnett
To: Central Iowa PHP Users Group
Sent: Tuesday, September 2, 2008 7:10:13 PM
Subject: Re: [ciapug] phar

On Tue, Sep 2, 2008 at 2:19 PM, Eric Junker wrote:
> Has anyone had a chance to play around with phar?
> http://us.php.net/phar

I have to admit that my first response was: oh my god..... *gasp*.

Reading some of the details it seems basically like a rip-off of Java's JAR. Files plus manifest with optional signature. Except JAR's signature cryptographically ensures the integrity, whereas phar's signature is basically just a checksum (which I see no reason why it couldn't be maliciously changed). I don't know Java nor JARs, so that's from my understanding of Wikipedia.

I look forward to the Wikipedia article on "phar hell" to match JAR hell and DLL hell. Especially since there's nothing in the phar to indicate the version of the contents. It would appear the PHP team learned nothing of DLL hell (I hope they've heard of it, otherwise history *will* repeat itself again) and why .NET has assemblies and a GAC.

When you reinvent the wheel...don't forget the axle!

Colin
_______________________________________________
ciapug mailing list
ciapug@cialug.org
http://cialug.org/mailman/listinfo/ciapug


From tommyo at gmail.com Wed Sep 24 00:11:24 2008
From: tommyo at gmail.com (Thomas O'Neill)
Date: Wed Sep 24 00:11:48 2008
Subject: [ciapug] Hiring Developers - $50 bucks for code samples!! MN Anyone??
Message-ID: 

Hey Chicago PHP Friends.

I work for a kick ass company that is hiring full-time onsite employees in our Twin Cities office. Anyone interested in moving to Minnesota to work with a bunch of really smart web developers? We put together a little website to tell more about working at Sierra Bravo. Please check it out!

http://www.nerdery.com

Also, please digg it!

http://digg.com/programming/50_for_doing_a_code_sample_applying_for_a_Programming_job

-- 
Tom O'Neill
tommyo@gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cialug.org/pipermail/ciapug/attachments/20080924/d69d4600/attachment.html
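Eric's HttpOnly message earlier in this archive describes two ways to set the flag: the setcookie() argument in PHP 5.2 and later, and a hand-built Set-Cookie header for older releases. The script below is an added example written for this archive, not code from any list member; the cookie name "auth" and its token value are constructed placeholders, and the version switch is an assumption about how one might support both code paths in one file.

```php
<?php
// Added example: send an authentication cookie with the HttpOnly flag.
// Cookie name and value are constructed placeholders, not real credentials.
$cookieName  = 'auth';
$cookieValue = 'constructed-opaque-token';
$expires     = time() + 3600;   // one hour from now

if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
    // PHP 5.2+: the seventh argument to setcookie() is $httponly.
    // Arguments: name, value, expire, path, domain, secure, httponly.
    setcookie($cookieName, $cookieValue, $expires, '/', '', false, true);
} else {
    // Older PHP: build the Set-Cookie header by hand and append "; HttpOnly".
    // Browsers that do not understand the attribute simply ignore it.
    // The second argument (false) appends the header instead of replacing
    // any Set-Cookie header already queued for this response.
    header(
        'Set-Cookie: ' . rawurlencode($cookieName) . '=' . rawurlencode($cookieValue)
        . '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT'
        . '; path=/; HttpOnly',
        false
    );
}

// PHP's own session cookie has a matching ini switch (PHP 5.2+), which must be
// set before session_start() so the first Set-Cookie already carries the flag.
ini_set('session.cookie_httponly', 1);
session_start();
```

With the flag present, a script injected through an XSS hole reads document.cookie and gets nothing for the "auth" entry, which is the whole point of the message; the flag does not stop the injected script from making requests that carry the cookie automatically, so it narrows the damage rather than removing the need to fix the XSS itself.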