Notes from NY PHP Con

Today I’m at the New York PHP Conference. It’s interesting. I wish I had a little more time to spend here this week, but I have to get ready for next week’s ABA conference in Bangor.

I’d hoped to do some live reporting about this, but the wireless here at the Hoel New Yorker is quite flaky. It keeps coming in and out. This is often a problem at some of these old New York hotels that are full of iron in the walls.

First Session: Getting Rich with PHP

Really the second session of the day, but I didn’t get here in time for the first.

Yahoo’s Rasmus Lerdorf is talking about pretty much whatever he thinks is cool.

SimpleXML looks cool, though there are some obvious questions I have. The examples don’t consider the case where a book has no title or two titles when they write something like book->title to select the child title element of a book element. Hopefully this is addressed in non-toy examples.

APC cache looks worth looking into. I could use this to do a better job with the Amazon links.

Yahoo’s JavaScript libraries look worth looking into. They’re BSD licensed.

There are major security holes in PHP when used with IE. UTF-7 decoding is a problem. Remember to always send a charset header by configuring php.ini appropriately.

Lerdorf won’t shop at small web stores any more because they’re too vulnerable to hackers. He’s found lots of PHP security flaws in these sites.

He suggests that a number of mistakes were made in the design of browsers, PHP, and the Web early on. I tend to agree. The problem is people keep hacking on top of and extending JavaScript, cookies, frames, and other misconceived kludges instead of working on improving support for things that were actually designed properly from the start like XForms and HTTP authentication.


Caucho’s Quercus is cloning PHP 5/6 in Java. Interesting. Quercus can also call Java objects.

It enables distributed sessions which is completely the wrong answer and not very scalable. Quercus goes to great effort to work against HTTP and instead of doing much less work to work with it.


The lack of a decent debugger has always been one of my problems with PHP, so I’m looking forward to Derek Rethans’s session on Xdebug. Another plus: the wireless network in this room seems to be more stable.

Xdebug is open source. Version 2 is almost ready.

So far it doesn’t seem so much a traditional stepping debugger as a way of generating more information in the error message when a problem such as a file not found occurs. It also helps with echo printing.

pear install xdebug-beta

DBGp is a common debugging protocol for interactive debugging. There are other debuggers that support this, including ActiveState’s Komodo and a PHP plugin for Eclipse.


Zend’s Gregory Stoltz

Scalability goes down as well as up! It’s fractal and self-similar. It needs to work for one guy in a garage as much as for a million customer bank. Very true. Too often I find products that are incomprehensible because they’re only designed for the Fortune 500 and big IT depts.

1. Distributed file systems (one giant NFS) are bad.

Rsync is your friend. (Learning rsync has been on my TODO list for a year now.)

2. Blocking I/O is a problem.

3. Poor database design is a killer. e.g. MyISAM tables in MySQL

4. Failing to understand the web server and how PHP interacts with the web server.

5. Hanging up Apache. Big files should be sent by something else like tHttpd or Zend Download server.

6. Designing without scalability in mind.

7. Improperly dealing with database connections.

8. No development infrastructure. No process for going from staging to QA to production.

9. Failing to cache. (APC again).

10. Not knowing where to optimize. Know your requests per second number. Use a profiler.

Random Notes

I’m shocked to discover that PHP still doesn’t support Unicode. What is this, 1992?

I need to learn about PEAR.

2 Responses to “Notes from NY PHP Con”

  1. Colin Says:

    > There are major security holes in PHP when used with
    > IE. UTF-7 decoding is a problem. Remember to always
    > send a charset header by configuring php.ini
    > appropriately.

    I’m having trouble understanding the problem here.

    Could you give an example?


  2. Elliotte Rusty Harold Says:

    Sadly, no. I was just taking quick notes during the keynote on a subject I’m not intimately familiar with. Lerdorf gave one detailed example, the workaround for which I mentioned here (always send a charset header using the appropriate directive in a .htaccess file) and he implied there were many more things to worry about. However for more details you’d have to ask him.

Leave a Reply