• xom.nu (static HTML)
• The Cafes (WordPress)
• www.elharo.com (static+WordPress+custom PHP)

These sites are not mission critical, but I would like them to stay up. Reliable backups that I can download periodically are a must. I would like them to respond much faster than they do currently. (Xom.nu is pretty fast, but the two blogs can be dog slow at times.)

Traffic is not too heavy, though I don’t track hard numbers. I would like to be able to quickly ramp up to withstand a Digg effect if necessary.

These sites can all live on the same IP address. (They do now.)

I’d like the flexibility to install my own Apache modules and custom PHP extensions and modify the various config files such as httpd.conf and php.ini. Ideally I’d like to be install other frameworks such as Ruby on Rails or eXist if I feel like playing with them. That is, root access to the box would be very helpful, even if it’s virtualized. However I can probably live without that if it raises the price too high. Alternately, I could perhaps live with 24/7 phone support from a reliable sys admin who can make changes like that for me. However the ability to install and manage my own WordPress extensions and modified code is a must.

Any suggestions? So far here’s who I’ve looked at:

• Pair: $17.95 a month
• Dreamhost: $10.95 a month
• Speakeasy: $24.95 a month

Dreamhost is the cheapest, but may also be the least reliable. Anyone else I should consider?

The install was shockingly easy for a Unix server program: took me about ten minutes total including time to write this entry. That’s less time than it took me to install PHP in the first place.

Things do seem to be faster, though I’m still seeing occasional timeouts requesting pages. I really wish there were some decent profiling and logging tools that could tell me exactly where the system is bottlenecking.

[05-May-2007 06:11:56] PHP Notice: Undefined variable: livePreviewDivAdded in /var/www/thecafes/wp-content/plugins/live-comment-preview.php on line 24

so I decided to see if I could fix it. I think the problem is this line:

$livePreviewDivAdded == false;

I’m using this post to test that.

The code involves some really awful hacks and is a confusing mix of CSS, JavaScript, and PHP. I use CSS to hide the buttons I don’t like, and JavaScript to change the names of existing buttons and add new ones. PHP integrates this whole mess into WordPress. WordPress wasn’t really designed to support this level of customization. That’s why I have to use JavaScript to change the buttons after the page is loaded.

There are several features yet to be added:

• Abbr and acronym need pop-ups requesting the title, like the link button has for href.
• The span button needs a pop-up requesting the class.
• I need to reorder the buttons. In particualr I want the more button at the end.
• It needs a user-accessible, non-code-level API for adjusting behavior.
• I need to figure out how not to load these scripts on pages that do not have the edit box? Currently these generate JavaScript errors.

It may well only work in FireFox. I haven’t tested it in Internet Explorer or Opera, and it uses heavy CSS and DOM so there are likely cross-browser issues. In Safari, I can change the button names and add new buttons. However you can’t use CSS to style the buttons I’m removing. (Update: that was due to a bug in the CSS. It’s fixed now and this works in Safari too.) ) I may have to change that to use JavaScript too.

And I need to put this all in source code control, and use a decent IDE. Does Eclipse have a PHP plugin? Looks like there are several. Which one should I use?

Anyway here’s iteration 0.1 of the plug-in:

<?php

/*
Plugin Name: SemButtons
Version: 0.1
Plugin URI: http://www.elharo.com/SemButtons.html
Description: This plugin makes the WordPress editor button bar more semantic.
Author: Elliotte Rusty Harold
Author URI: http://www.elharo.com/
Update:
*/

// SCRIPT INFO ///////////////////////////////////////////////////////////////////////////

/*
    SemButtons for WordPress
    © 2007 Elliotte Rusty Harold - GNU General Public License

    This has only been tested with Firefox. The JavaScript may not work on other browsers. 

    This WordPress plugin is released under the GNU General Public License.

    This WordPress plugin is released "as is". Without any warranty.

    ToDo list:

    Abbr and acronym need pop-ups requesting the title.
    span needs a popup requesting the class.
    Make buttons reorderable.
    Provide a user-accessible, non-code-level API for adjusting behavior.
    Add a Tidy button to make posts well-formed.
    Can we avoid hooking in on pages that do not have the edit box?
    Put this all in source code control, and use a decent IDE. 

*/

add_action('admin_head', 'remove_buttons');
add_action('admin_footer', 'change_names');
add_action('admin_footer', 'add_buttons');

function remove_buttons(){
    ?>
      <style type="text/css">
         #ed_lookup, #ed_spell, #ed_del, #ed_ins, #ed_close { display:none;
      </style>
    <?php
}

function change_names() {
  ?>
    <script type='text/javascript'>
        // Probably should separate ID and name into two separate arguments
        change_button('ed_em', 'em');
        change_button('ed_strong', 'strong');
        function change_button(id, name) {
            var button = document.getElementById(id)
            button.setAttribute('value', name)
        }
    </script>
  <?php
}

function add_buttons(){
  ?>
   <script type="text/javascript">
    make_button('span', 3);
    make_button('cite', 2);
    make_button('abbr', 1);
    make_button('acronym', 0);

    // The i variable is an unbelievably ugly hack, perhaps
    // worthy of a daily WTF. The problem is one must pass
    // the distance from the end of the array because JavaScript
    // can't figure that out. PHP can't get the value from JavaScript.
    // There must be a better way to do this. Possibly it will
    // all fall out in the wash when I allow the position of individual
    // buttons to be specified.
    function make_button(name, i) {

        var toolbar = document.getElementById('ed_toolbar');

        edButtons[edButtons.length] =
        new edButton('ed_' + name,
          name,
          '<' + name + '>',
          '</' + name + '>',
          's'
        );

        var button = document.createElement("input");
        button.setAttribute("value", name);
        button.setAttribute("id", "ed_" + name);
        button.setAttribute("class", "ed_button");
        button.setAttribute("type", "button");
        button.setAttribute("onClick", "edInsertTag(edCanvas, edButtons.length-1-" + i + ");");
        button.setAttribute("accesskey", name);
        toolbar.appendChild(button);
    }
  </script>
 <?php
}
 ?>

Copy and paste this or download it.

Doubtless there are ways to improve this. Neither JavaScript nor PHP is my first language. Please comment if you see a simpler way to do anything.

Thanks to everyone on wp-hackers who helped out by answering questions and catching my mistakes.

The curly quote may be an accidental fix. I’m not sure what would happen if I figured out how to publish a real straight double quote in a title. I wonder if there’s a preference for that somewhere?

It’s not a big problem for this site, because I’m both the sole author and administrator, but it could be a problem on a site where author and administrator privileges are separated.

Yep, it’s a bug all right, at least in this version of WordPress. I haven’t tested it in the latest and greatest yet. (Update: several other people have now tested and verified the presence of the bug in the latest versions.) Links in titles can break the Posts box of the WordPress admin panel so it points to something other than the site it’s supposed to. I suspect this is a security hole too, though doubtless the WordPress folks will deny this. (They’re in denial about a lot of architectural flaws.) Still, I should be able to get them to fix this on non-security grounds so that doesn’t matter a great deal here.

However, now I start wondering if I can use this to inject JavaScript into the admin page? Hmm…

However I’m not sure how my hack will react when posts contain markup in titles and summaries so I’m playing with that now. Hence this post. I may delete it once I’m convinced I’ve covered the various special cases well enough.

Things may look a little funny in the feed until I’m done since I’ll be deliberately breaking things to see how WordPress behaves.

So far it seems like WordPress’s titles are guaranteed to be plain text except for numeric character references. i.e. it strips tags. That’s good since it will make it easier to use real XHTML in the Atom titles. I need to check if the the_title_rss() function really promises that it will never include any tags in the string it returns.

Also it seems I’ve uncovered a bug in WordPress itself outside the feeds, as this title shows:

A <strong style="color: green">Strong</strong> Test for Markup In Titles & Summaries

The bug is in the default theme. I’m fixing it here and I’ve reported it to the WordPress folks. To reproduce it yourself, create a post with this string as the title:

A Strong Test for Markup In Titles & Summaries

Publish it and look at what WordPress puts out into the h1 header:

<h1 class="single"><a href="http://www.elharo.com/blog/software-development/web-development/2007/03/17/a-strong-test-for-markup-in-titles-summaries/" rel="bookmark" title="Permanent Link: A <strong style="color: green">Strong</strong> Test for Markup In Titles &amp; Summaries">A <strong style="color: green">Strong</strong> Test for Markup In Titles &amp; Summaries</a></h1>

the_title_rss() function behaves appropriately. The bad text is probably coming from the_title and single_post_title though I haven’t verified that yet.

WordPress is stuffing the title text (including markup with < and > and “) into a title attribute without sanitizing it first. I suspect I could reproduce this just by using the ” and > characters in a title without explicitly putting tags into my title.

Arguably this is a theme bug, but it is present in the WordPress default theme. Here’s the relevant code from the theme:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title(); ?>"><?php the_title(); ?></a></h2>

I’ve updated my theme code so it no longer shares this bug. To do this, just change Permanent Link to <?php the_title(); ?> to Permanent Link to <?php the_title()_rss; ?>. You need to do this in three files, archive.php, single.php and index.php.

I’d hoped to do some live reporting about this, but the wireless here at the Hoel New Yorker is quite flaky. It keeps coming in and out. This is often a problem at some of these old New York hotels that are full of iron in the walls.

First Session: Getting Rich with PHP

Really the second session of the day, but I didn’t get here in time for the first.

Yahoo’s Rasmus Lerdorf is talking about pretty much whatever he thinks is cool.

SimpleXML looks cool, though there are some obvious questions I have. The examples don’t consider the case where a book has no title or two titles when they write something like book->title to select the child title element of a book element. Hopefully this is addressed in non-toy examples.

APC cache looks worth looking into. I could use this to do a better job with the Amazon links.

Yahoo’s JavaScript libraries look worth looking into. They’re BSD licensed.

There are major security holes in PHP when used with IE. UTF-7 decoding is a problem. Remember to always send a charset header by configuring php.ini appropriately.

Lerdorf won’t shop at small web stores any more because they’re too vulnerable to hackers. He’s found lots of PHP security flaws in these sites.

He suggests that a number of mistakes were made in the design of browsers, PHP, and the Web early on. I tend to agree. The problem is people keep hacking on top of and extending JavaScript, cookies, frames, and other misconceived kludges instead of working on improving support for things that were actually designed properly from the start like XForms and HTTP authentication.

Quercus

Caucho’s Quercus is cloning PHP 5/6 in Java. Interesting. Quercus can also call Java objects.

It enables distributed sessions which is completely the wrong answer and not very scalable. Quercus goes to great effort to work against HTTP and instead of doing much less work to work with it.

XDebug

The lack of a decent debugger has always been one of my problems with PHP, so I’m looking forward to Derek Rethans’s session on Xdebug. Another plus: the wireless network in this room seems to be more stable.

Xdebug is open source. Version 2 is almost ready.

So far it doesn’t seem so much a traditional stepping debugger as a way of generating more information in the error message when a problem such as a file not found occurs. It also helps with echo printing.

pear install xdebug-beta

DBGp is a common debugging protocol for interactive debugging. There are other debuggers that support this, including ActiveState’s Komodo and a PHP plugin for Eclipse.

Scalability

Zend’s Gregory Stoltz

Scalability goes down as well as up! It’s fractal and self-similar. It needs to work for one guy in a garage as much as for a million customer bank. Very true. Too often I find products that are incomprehensible because they’re only designed for the Fortune 500 and big IT depts.

1. Distributed file systems (one giant NFS) are bad.

Rsync is your friend. (Learning rsync has been on my TODO list for a year now.)

2. Blocking I/O is a problem.

3. Poor database design is a killer. e.g. MyISAM tables in MySQL

4. Failing to understand the web server and how PHP interacts with the web server.

5. Hanging up Apache. Big files should be sent by something else like tHttpd or Zend Download server.

6. Designing without scalability in mind.

7. Improperly dealing with database connections.

8. No development infrastructure. No process for going from staging to QA to production.

9. Failing to cache. (APC again).

10. Not knowing where to optimize. Know your requests per second number. Use a profiler.

Random Notes

I’m shocked to discover that PHP still doesn’t support Unicode. What is this, 1992?

I need to learn about PEAR.