Friday, March 30, 2007

PHP: Calling Parent Class Constructors

For the past few weeks I have been working with PHP for a web application. PHP has tons of annoyances that can throw off someone who is familiar with other languages.

One issue I came across, with tons of erroneous information regarding a solution, was the very simple matter of calling a parent class's constructor. For the below, I was using PHP 5.1.2, since I have been developing with PHPEclipse.

In this example, I have a base class, similar to this:

// Stand-in so the example runs; the post does not define SomeClass.
class SomeClass
{
}

class BaseClass
{
    private $_myValue;

    function __construct()
    {
        $this->_myValue = new SomeClass();
    }
}

Very simple, so I need this constructor called from my extended class in order to initialize that _myValue member.

Now I saw some annoying solutions, which did not work, such as the below:

class DerivedClass extends BaseClass
{
    private $_someOtherValuesNotInBase;

    function __construct($initializing)
    {
        // The call to the base constructor attempted here is not preserved in the post;
        // PHP reported that it could not find a method named BaseClass().
        $this->_someOtherValuesNotInBase = $initializing;
    }
}

This didn’t work. PHP cried about not being able to find the method BaseClass(). Then I came across this little gem, which also did not work.

class DerivedClass extends BaseClass
{
    private $_someOtherValuesNotInBase;

    function __construct($initializing)
    {
        // The call to the base constructor attempted here is not preserved in the post.
        $this->_someOtherValuesNotInBase = $initializing;
    }
}

So, with all these erroneous solutions, what is the correct answer? The following worked for me after some trial and error:

class DerivedClass extends BaseClass
{
    private $_someOtherValuesNotInBase;

    function __construct($initializing)
    {
        // PHP 5 form of the parent constructor call (the call itself is not preserved in the post);
        // without it, BaseClass::__construct() never runs and $_myValue stays uninitialized.
        parent::__construct();
        $this->_someOtherValuesNotInBase = $initializing;
    }
}

Wednesday, March 28, 2007

Eclipse: Using GEF

I was reading this article on OSNews about "Creating Eclipse-Based Applications Using GEF" this morning. Interesting read if you're into Eclipse-based development.

Tuesday, March 20, 2007

Security: Programming and Digital Security

Richard Bejtlich responded to a question regarding whether it is necessary to know programming as a prerequisite for security work. Rich gave the perspective of a security researcher who doesn't program. With his credentials, he is proof enough that you don't.

However, I can offer a slightly different perspective, from a programmer's point of view. When I worked for Rich several years ago, that was my first introduction to the realm of security from the other side of the fence. As a programmer, I had no real problem following along with his tutorials and assigned book reading about TCP/IP packets (yes, Rich actually assigned book work for our job; I think I was the only one who actually read any of it) since I had programmed socket-based programs before. In reading about buffer overflows, I didn't have any problem since I was already very familiar with the problems that are common with memory management in C and C++. Understanding other bugs like off-by-one, out-of-bounds, integer overflows, null pointers, and other programming headaches that can cause security issues helped in understanding exploits, how they are executed, and how they are written. Being able to read source code helped me understand what code was doing, since most security code out there is very poorly commented. In understanding sockets and memory management, I was easily able to understand remote exploits. When I read the infamous Phrack "Smashing the Stack...", my background in ASM helped me understand how this worked and why.

My point of view on this question is that it is not necessary to have a programming background in order to be an effective security professional. A strong understanding of networking and networking technology, yes. An inquisitive mind and an investigative instinct, yes, at least in the NSM model. But it doesn't hurt to at least understand some fundamental programming concepts. Some basic scripting, whether it is BASH, Perl, or whatever, is definitely a plus. So from my personal experience, I can say it's good to have, but not necessary.

Thursday, March 15, 2007

BIRT: Hide Report Table When No Data is Returned

Recently, a question came up on the BIRT newsgroup about hiding a table in a BIRT report when no data is returned. This is actually a very simple task to accomplish using the Hide Element expression in the property editor for BIRT.

In the following demonstration, I will use a scripted data source that will return data only if the user has a report parameter set to true. When no data is returned from the dataset, the Hide expression in the table will hide the table, and in a Label element, it will tell the user that no data was returned from the data set.

So I create a BIRT report called hideTable.rptdesign. In this report, the first thing I do is create a report parameter called rprmHideTable. I like to prefix my report parameters with rprm, which stands for Report Parameter, which differentiates report parameters from data set parameters. I set the data type to Boolean, the display type to Check Box, and set the default value to true.

Figure 1. Report Parameter rprmHideTable

Next, I create a new data source. I select scripted data source as my type, and name it dsrcScripted. Then I create a new data set called dsetScripted that is based off of dsrcScripted. It will have 1 column, which I will label as A, with a type of any. Now I need to put in my generic script to handle the generation of data. I open up the script tab in the report designer, select dsetScripted, and choose the Open event. I use the following code in the Open event to initialize my generic counter.

x = 0;

Now I go into the Fetch event. This is where I am going to generate my data returned from the data set. I use the following code to generate my data, which will be controlled by my report parameter.

if (params["rprmHideTable"] == true)
{
    if (x < 4)
    {
        row["A"] = x;
        x++;           // advance the counter; without this Fetch would return true forever
        return true;
    }
}
return false;

Now, I can drag over my new data set into my report designer and do a test run to see the issue that was brought up. Sure enough, when I run the report with my parameter set to false, the header row of the table is still shown, even though no data is there. That’s obviously not what we want. Well, fixing this is easy enough.

Figure 2. The report with parameter set to true

Figure 3. The report with parameter set to false. Oh no, that’s not what we want

To fix this, all we need to do is select the Table using either the report designer pane or using the outline, and under the Property Editor, under the Properties tab, choose visibility. Then we will check the Hide Element checkbox, and in the expression editor, use the following expression.

(Total.count() < 1)

What this will do is set the hide element value expression to true when the total number of detail rows in the table is less than 1, basically 0. And that’s all there is to hiding the table when no data is returned.

Figure 4. Hide the table expression

So then, how do we go about displaying a label letting the user know that no data was returned? This too is an easy enough task to accomplish, and works in a similar manner to hiding the table, but in reverse.

I am actually going to use a bit of scripting to do this, but there are a number of different ways this same task can be accomplished. First, I will switch over to the script editor, and in the outline I am going to choose the root report. In the Initialize event, I will use the following code to initialize a global variable called rowsReturned.

rowsReturned = 0;

Then I will go back into the Visibility expression for my table, and change the Expression to the following:

rowsReturned = Total.count();
(Total.count() < 1)

Now, I will drag over a label just below my table in the report designer. I will type in the message “No data was returned”. Then, in the Property Editor, I will select the Visibility property for this item. I will set the Hide checkbox to true, and I will use the following expression:

(rowsReturned > 0)

Now, when I preview the report, I see the table with data when data is returned, and the message “No data returned” when the data set returns nothing.

Figure 5. No Data Returned

This same principle can be applied to a number of different visual elements in BIRT. For example, let's say you wanted to hide a column based on some report parameter or environment variable; you can. You can create a report parameter asking the user if they want to display the footer row in a table to avoid having to see aggregate numbers, and all sorts of different options to show or hide different aspects of a report. This allows a more savvy developer to think about things like row-level and element security. So imagine being able to write one large report and then, based on some value retrieved from an application's HTTPSession object such as user credentials, showing and hiding various elements of the report. This allows you to create one large report and filter out elements based on security settings. It really allows you to get flexible with the possibilities of BIRT in an application.
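To make the Open/Fetch and Hide Element logic above checkable outside the report designer, here is an added JavaScript example (not code from the original post or from the BIRT project). It emulates the parts of the BIRT runtime the post relies on: `params`, `row`, `Total.count()`, the report-level `rowsReturned` variable, and the fact that the table's visibility expression is evaluated before the label's. The harness functions `runScriptedDataSet`, `evaluateVisibility` and `renderReport` are assumptions of this example, not BIRT APIs.

```javascript
// Added example: a stand-in for the BIRT scripted data set lifecycle and the
// two Hide Element expressions from the post. `params`, `row` and
// `Total.count()` are emulated so the logic can be run outside BIRT.

// Emulates the dsetScripted Open/Fetch events. BIRT calls open() once, then
// fetch() repeatedly until it returns false; each true return yields one row.
function runScriptedDataSet(params) {
  const rows = [];
  let x; // the generic counter initialised in the Open event

  function open() {
    x = 0;
  }

  function fetch(row) {
    if (params["rprmHideTable"] === true) {
      if (x < 4) {
        row["A"] = x;
        x++; // without this the data set would never terminate
        return true;
      }
    }
    return false;
  }

  open();
  for (;;) {
    const row = {};
    if (!fetch(row)) break;
    rows.push(row);
  }
  return rows;
}

// Emulates the report Initialize event plus the two visibility expressions.
// BIRT evaluates the table's expression before the label's (the label sits
// below the table), which is what lets the side effect on rowsReturned in the
// table expression drive the label.
function evaluateVisibility(rows) {
  const Total = { count: () => rows.length }; // stand-in for BIRT's Total.count()
  let rowsReturned = 0;                       // report Initialize event

  // Table -> Visibility -> Hide Element expression
  rowsReturned = Total.count();
  const tableHidden = Total.count() < 1;

  // Label "No data was returned" -> Hide Element expression
  const labelHidden = rowsReturned > 0;

  return { tableHidden, labelHidden };
}

// Runs the data set and then the visibility rules for one set of parameters.
function renderReport(params) {
  const rows = runScriptedDataSet(params);
  return { rows, ...evaluateVisibility(rows) };
}

// Usage: the two cases from the post (parameter true / false).
const withData = renderReport({ rprmHideTable: true });
const noData = renderReport({ rprmHideTable: false });
console.log(withData.rows.length, withData.tableHidden, withData.labelHidden); // 4 false true
console.log(noData.rows.length, noData.tableHidden, noData.labelHidden);       // 0 true false
```

One thing the emulation makes visible: the rows are fetched regardless of what the visibility expressions decide, since `Total.count()` is computed from them. A Hide Element expression only controls rendering, so when it is driven by a credential from the HTTPSession, as the post suggests, the underlying data set has still executed and its rows still exist in the report's data; genuine row-level restrictions belong in the data set or query, with visibility used only for presentation.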

BIRT: Integration with Spring

Jose Noheda wrote up an article on integrating BIRT with Spring over at his blog. This is a good demonstration on how the BIRT technology can be integrated with custom web applications, which is one of the main purposes of the BIRT project.

Sunday, March 11, 2007

Firefox: 20 Extensions for Firefox

I came across this article from a Slashdot link that contains "20 Must Have Firefox Extensions". Most of these seem a little silly, but I was glad to see FireFTP make the list. I was disappointed that some really needed ones, like User Agent Switcher didn't make the list.

Saturday, March 10, 2007

Windows: Notepad Can Break

In a keynote speech at EclipseCon, Dr Herbert Thompson pointed out this funny little bug with Windows Notepad.

-Open up notepad.exe
-type "this app can break" without the quotes
-Hit file/save, type in a filename.

The text will be garbled, or in Simplified Chinese. Apparently there is a bug with the text encoding detection. I did a search, and found some funny alternatives.

-"Bush hid the facts"
-"1111 111 111 11111"

PHP: Using phpEclipse

The universe works in very strange ways. It’s almost as if some benevolent force guides things, and in the grand scheme of things, fate and events work together like cogs in a large machine. Seemingly unrelated events come together to affect the going ons of unconnected scenarios. Call it divine intervention, call it fate, call it whatever, but events do have significance, even if their apparent worth is not visible on the surface.

For example, I have been working on a PHP based project for the past few weeks. One of the main hang-ups I have had is with finding a decent development environment. I typically base my judgment on IDE’s by a benchmark standard of what did the ‘ole Borland Turbo IDE’s offer back in the late 80’s and early 90’s. So things like debugging with the ability to step through line by line, while seeing the change in variables, color highlighting, and with scope awareness become very important. Since my migration to Eclipse in the recent months, I’ve now gotten to a point where other features have become necessary as well, such as Unit Testing capabilities right at the tip of my finger. My current issue was that while there are tons of IDE’s for PHP out in the wild, none of them offered the features that I need to be productive as a developer. Or at least, they don’t offer them in a way that I find useful. That or they charge, and since I’m a lone developer, I have absolutely no intention of purchasing software, especially when it’s for a free environment.

So, after weeks of searching, I settled on the Eclipse PHP Development Tools project (PDT). I need to emphasize the word settle, because it didn’t do the things I need. Its scope awareness was incredibly limited, and as a result its code completion capabilities were equally limited, had no unit test capabilities, and the debugger failed to work after several different configuration changes.

So, it is ironic that my answer came during EclipseCon 2007. I gave two presentations on BIRT this year, which seemed to go over pretty well. I had intended to go see the presentations about PDT to see if maybe there were some configurations or extensions to make it a little more useful, and to see what the roadmap was going to be. However, fate intervened. Attending my day-long BIRT tutorial was one of the developers of the phpEclipse project. It turns out his attendance was mutually beneficial: he got to learn the basics of BIRT, and after the class he offered to talk to me about phpEclipse.

The install packages recommended to me are as follows:

-EasyEclipse 1.2.11 (phpEclipse does not support Eclipse 3.2 just yet)

-XAMPPLite 1.5.2 (The debugger doesn’t support newer versions just yet)

I would also recommend going with SimpleTest for PHP unit testing. I tried to get phpUnit2 to work, however the older version of PHP that is installed with XAMPPLite does not support it.

Installation is fairly straightforward. Install EasyEclipse per its instructions. Install XAMPPLite per its instructions. Then, follow the steps here to get the debugger to work. Then, follow the instructions for installing SimpleTest and you are good to go.

There are a few limitations to this installation. First, it doesn’t seem to support debugging from within Eclipse. You have to run the application from a web browser with the module you are debugging started. This is kind of annoying, but still a step up from the broken debugger in PDT. Other than that, I can’t complain.


Figure 1. Code Completion

Figure 2. Unit Testing

Figure 3. Debugging, with variables, for online PHP applications

Friday, March 02, 2007

XBox: The Video Marketplace

Having an opportunity to watch an HD movie has been something I have been playing with in the back of my mind. On one hand, I really want to go with an HD platform, and having decided that Sony can suck my big toe due to their arrogant attitude towards consumers and their incredibly ridiculous pricing scheme, and the fact that I am already an XBox 360 owner, I have been leaning more towards HD-DVD. Surprisingly, the thought never occurred to me that I can already watch HD content on my 360 without the extra 200 dollar add-on, right through the Video Marketplace.

So last night I decided to make tonight a night at home with the Mrs. We decided to grab the HD version of "Lady in the Water" that my fiancee has been bugging me to see. So, here's the rundown of my thoughts on this service.

-Quality of the video was excellent
-The price was right, cheaper than a movie at the theater, plus I get to drink beer
-Better than having to wait in line with smelly people at the video store or waiting in a mailing queue for availability (although, I don't think our movie purchase would have had that problem)

-Download time of movie was too long, should allow a decent amount of buffering to start playing
-Movie selection is very small. We only found maybe 2 other movies really worth watching, 1 of which I can pick up at the 5 dollar bin at Walmart, if I hadn't boycotted them altogether.
-Not enough HD content
-The 24 hour viewing window after hitting play is lame. What if I just want to check the quality, but don't actually plan on watching until the weekend? Seeing as how the d/l time is so long, I think this is a viable scenario, obviously overlooked by Microsoft.

Overall thoughts:
I think Microsoft is sitting on a potential cash cow here. While my local cable provider offers HD content for rent, it's not as high of quality (apparently Time Warner is under the impression that 480p and 720i constitute High Def, and they don't need to offer anything better. Of course, average consumers just won't get it), their choices are even smaller, if not more up to date, than the Video Marketplace, and they don't offer television shows; you'd have to pay even more money than the already increased cable fees, and rented content is only good for 1 day. The only real bonus is that with a PVR, I can at least record and watch later, and the time from pushing the buy button to the watch button is a hell of a lot shorter than on the XBox.

Microsoft's plan should be clear to even the most untrained circus monkey (middle management). Get more networks on board with the TV service to get more shows such as the whole first season of Supernatural (one of the most underrated shows on TV), Lost (although I already watched the entire run up to date thanks to iTunes, but I might be willing to watch it again in HD) and 24. Get more movie studios on board. Hey, they are common-ground kind of guys. Movie studios have unrealistic expectations of DRM; Microsoft has unrealistic expectations of DRM. Both strong-arm unsuspecting individuals unable to defend themselves. If these guys got on the ball, I might gripe less about their tactics if I could actually watch first-run movies in the comfort of my own home. This whole experience has only reaffirmed my original belief that the modern movie theater is a dead relic, and should go the way of the dodo.