Archive for the ‘PHP’ Category

Lessons from the Facebook Leak

Tuesday, August 14th, 2007


If you haven’t heard already, a few pages of PHP source code for Facebook were leaked online. The site wasn’t hacked so much as a back door was left open.

Here’s what Facebook had to say:

“A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.”

Some geeks were elated, some horrified, and some just shrugged. I fall into the third category.

It did offer a glimpse behind the wall of one of the most hyped companies of the moment and it’s always interesting to see how the industry leaders are doing things. While the code could provide details that might compromise the security of their other servers and pages, I’m guessing they are already re-engineering their setup to make any clues useless.

But this leak doesn’t mean that PHP is flawed. It doesn’t mean that any server hardware/software choice was to blame. It was misconfigured. It was human error. (“This sort of thing has cropped up before and it has always been due to human error.”)

Instead it is a cautionary tale about being thorough and vigilant. It should remind web developers and users not to assume sites are secure just because the code is good or the company is reputable. A website is only as secure as its weakest link, and you can only take a limited amount of security for granted.

If you want to try to improve some of those weak links on your site… Nik Cubrilovic offers four tips to help prevent your server from doing the same thing. (Though a lot of people have blasted his assertion that PHP is known to sometimes return source code…) Vidyut Luther lists three more tips that can help.
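As an added check to go with those tips (this is example code written for this page, not from the original post or from either of the authors linked above; the host names and paths in it are placeholders), here is a Ruby script that asks the question the leak raised: does your server hand back a PHP file as source text instead of executing it? It also tries the backup and include-file variants that are commonly served as text even when .php itself is handled properly.

```ruby
require 'net/http'
require 'uri'

# Added example, not from the original post: a check for the failure mode behind
# the leak, a web server that returns PHP files as plain text instead of
# executing them. Host names and paths here are placeholders.

# True when a response body looks like unexecuted PHP source. A rendered page
# never contains an opening PHP tag; raw source (or a backup copy of it) does.
def php_source_leak?(body)
  !!(body =~ /<\?php\b|<\?=/)
end

# Besides the .php file itself, try the variants that are commonly left behind
# and served as text even when .php is handled correctly: editor backups,
# .inc include files and .phps "source view" copies.
def leak_candidates(path)
  [path, "#{path}~", "#{path}.bak", "#{path}.orig",
   path.sub(/\.php\z/, '.inc'), path.sub(/\.php\z/, '.phps')].uniq
end

# Fetch every candidate under base_url and return the URLs that came back as
# source. Only 200 responses count; a 404 for index.php~ is the result you want.
def scan_for_source_leaks(base_url, paths)
  paths.flat_map { |p| leak_candidates(p) }.each_with_object([]) do |p, leaks|
    uri = URI.join(base_url, p)
    res = Net::HTTP.get_response(uri)
    leaks << uri.to_s if res.code == '200' && php_source_leak?(res.body)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Offline demonstration on constructed bodies
  rendered = "<html><body><h1>Hello</h1></body></html>"          # what a visitor should see
  raw      = "<?php\nrequire 'config.php';\n$db = connect();\n"  # what leaked
  puts php_source_leak?(rendered)   # false
  puts php_source_leak?(raw)        # true
  # Against a host you own (placeholder URL):
  # p scan_for_source_leaks('https://www.example.com/', ['index.php', 'admin/login.php'])
end
```

Run the scan only against hosts you own. A page that deliberately displays PHP code (a tutorial, a paste site) will trip the regex, so read the hits rather than trusting the count. The fix for a real hit is on the server side: make sure the PHP handler covers every extension that holds code, keep included files outside the web root, and do not leave editor backups in it.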

PHP and mysqlnd

Monday, July 30th, 2007

Ulf Wendel at Internet Super Hero has explained what the mysqlnd driver for PHP is and why you might (or might not) need it. He also provides a nice history of the drivers and APIs that PHP uses to connect to MySQL.

In short, mysqlnd is a MySQL native driver written specifically for PHP that fills the same role as the libmysql client library. It is a drop-in replacement for libmysql, but the two can co-exist so that existing applications don’t break. Primarily, mysqlnd offers improved speed, persistent connections, mysqli_fetch_all() and performance statistics calls.

In my opinion, if you are using ext/mysqli then you’ll want to check it out and see if the feature/performance trade-offs make sense for you. It’s primarily designed for advanced users who need to get every drop of performance out of PHP that they can. If you are using PDO/MySQL then you’ll want to avoid it because PDO isn’t supported yet. If you are using ext/mysql for general use (or don’t know what “ext/mysql”, “ext/mysqli” and “PDO/MySQL” are) then stick with what you’ve got—you’ll never notice the difference.

Getting in Gear with Google Gears, Part 2

Wednesday, July 25th, 2007

O’Reilly’s OnLamp has posted the second installment of their how-to guide on using Google Gears. (I wrote about Part I previously.)

In the second article, Jack Herrington walks us through how to use Google Gears’ SQLite database for offline data entry and how to sync the offline data with a PHP web application when connectivity becomes available again.

R.I.P. PHP 4

Friday, July 13th, 2007


Previously I wrote about the Go PHP 5 campaign and their attempt to get developers and hosts to publicly declare their intent to abandon PHP 4 on February 5, 2008.

Their campaign just got a big boost. It’s official—PHP 4 dies at the end of 2007. (This is where you should insert the nostalgic music and a montage of all those moments with PHP 4 we remember fondly.)

From PHP.net:

Today it is exactly three years ago since PHP 5 has been released. In those three years it has seen many improvements over PHP 4. PHP 5 is fast, stable & production-ready and as PHP 6 is on the way, PHP 4 will be discontinued.

The PHP development team hereby announces that support for PHP 4 will continue until the end of this year only. After 2007-12-31 there will be no more releases of PHP 4.4. We will continue to make critical security fixes available on a case-by-case basis until 2008-08-08. Please use the rest of this year to make your application suitable to run on PHP 5.

For documentation on migration for PHP 4 to PHP 5, we would like to point you to our migration guide. There is additional information available in the PHP 5.0 to PHP 5.1 and PHP 5.1 to PHP 5.2 migration guides as well.

I think this is the right move and that it should be enough time for everyone to adjust. I’ll be watching the transition with interest. It’s an interesting case study in how to migrate a massive installed base away from an entrenched version. But after three years of having PHP 5 available, I think we all agree someone’s got to cut the cord.

PHP 6 Namespaces

Friday, July 6th, 2007

Speaking of the future of PHP, the PHP internals team has been talking about implementing namespaces in PHP 6. The problem they want to solve is this: how do you keep two class names (such as “Connection”) from interfering with each other? On a small web site, it’s easy, but once a site becomes complex or you start adding in third-party plug-ins and re-using old code, it gets much harder. Currently developers are using very long class names to help ensure their uniqueness, and no one likes that solution much.

The leading proposal at the moment was put forward by Dmitry Stogov on the PHP-Dev list. His idea is to declare the namespace at the beginning of the file and then all function names would be prefixed with the namespace name.

I like the idea, I like the “::” separators, but I don’t like being restricted to declaring it at the top of the file. Why not just enclose the namespace in a curly-brace block anywhere? Then you don’t have to be at the top of the file and you can put more than one namespace in a file. It seems much more flexible than a single declaration in a required position.

namespace Zend::DB {
  class Connection {...}
  function connect() {...}
}
namespace AltZend::DB {
  class Connection {...}
}

You could even go further and allow namespaces to be nested inside other namespaces.

namespace PP {
  namespace DB {
    class Connection {...}
    function connect() {...}
  }
  class Foo {...}
  function bar() {...}
}
$x = new PP::DB::Connection;
PP::DB::connect();
$y = new PP::Foo;
PP::bar();

Ruby gives this namespace behavior using Modules.
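Here is that behaviour spelled out in Ruby, as an added example that is not part of the original post: the same class name living in two namespaces, namespace blocks that can sit anywhere in a file and be reopened, nesting, and “::” for qualified access. The module and class names follow the sketch above; the method bodies are stand-ins.

```ruby
# Added example, not from the original post: the namespace behaviour sketched
# above as Ruby's modules provide it. Names follow the post's sketch; the
# method bodies are stand-ins.

module Zend
  module DB
    class Connection
      def driver; 'mysql'; end
    end

    # Unqualified names resolve against the enclosing modules first, so this
    # returns Zend::DB::Connection even though AltZend defines one too.
    def self.connect
      Connection.new
    end
  end

  class Foo; end

  def self.bar
    :zend_bar
  end
end

# The same class name in a second namespace: no clash, no long prefixed name.
module AltZend
  module DB
    class Connection
      def driver; 'sqlite'; end
    end

    def self.connect
      Connection.new
    end
  end
end

# A namespace block can be reopened later, here or in another file, to add to it.
module Zend
  module DB
    class Pool
      attr_reader :size
      def initialize(size); @size = size; end
    end
  end
end

# Qualified access from outside uses ::, exactly as in the post's sketch.
x = Zend::DB.connect
y = AltZend::DB.connect
x.class                      # => Zend::DB::Connection
y.class                      # => AltZend::DB::Connection
x.driver                     # => "mysql"
y.driver                     # => "sqlite"
Zend::DB::Pool.new(5).size   # => 5
Zend.bar                     # => :zend_bar
```

The two Connection classes never collide because each is looked up relative to the module it was defined in, which is the property the proposal is after. For the record, the namespaces that eventually shipped in PHP 5.3 use a backslash rather than “::” as the separator and do allow the braced form with several namespaces per file, but not nested namespace blocks.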

What do you think? They are looking for feedback and ideas.

PHP 4 Deathwatch: February 5, 2008

Friday, July 6th, 2007


Back in May, I posted about the PHP developer community’s desire to kill off PHP 4 and why that’s not so simple. (“How to Kill PHP 4?”) PHP 5 has been out for years and PHP 6 is on its way. My view back then was that the best approach was just to set an end of life date and plan for it.

A lot of people agree with me. Go PHP 5 has set February 5, 2008 as the execution date. There’s even a countdown clock! Right now there are 213 days left before a long list of software projects (including Drupal, phpMyAdmin, Typo3 and Symfony) and a number of web hosts make PHP 5.2.0 their minimum requirement. News of the switch is spreading and generating buzz. The Go PHP 5 announcement has over 800 diggs.

Your project can make the switch too and be part of their growing list. Or if you don’t have a big name project, you can encourage your web host to commit to the date, or pick a new web host who will. It’s simple: vote with your feet. Web hosts will go where their customers go.

You hear that PHP 4?… That is the sound of inevitability… It is the sound of your death…

PHP with MySQL Essential Training

Tuesday, July 3rd, 2007


I’m happy to announce PHP with MySQL Essential Training has been released on the lynda.com Online Training Library. It’s almost 11 hours of video training on PHP. I start with the basics of the PHP language and work up to dynamic web pages with a MySQL backend by demonstrating how to build a content management system.

Some of the topics it covers include: installation, PHP language fundamentals (variables, arrays, loops, functions, etc.), blueprinting an application, building dynamic pages, structuring and interacting with databases, how to build, validate and process forms, and regulating user access with passwords. I also provide practical advice, give best practices examples, and demonstrate refactoring techniques to improve existing code.

PHP with MySQL Essential Training is available online as streaming video to subscribers of the lynda.com Online Training Library ($25/month, $250/year, $375/year with exercise files included). It will also be available on CD-ROM soon, both through Lynda.com and Amazon.com.

I also recorded Ruby on Rails Essential Training for the lynda.com Online Training Library which is available online to lynda.com OTL subscribers and on CD-ROM, both through lynda.com and Amazon.com, for $99.95.

If you try any of them and find that they are helpful, be sure to let me know!

Monday Link Dump

Monday, July 2nd, 2007

Apparently the blogosphere was holding its breath for the iPhone. Today, suddenly, there are dozens more posts than usual. Plus, I was on the road last week, so there’s a lot to catch up on. Here are some highlights.

PHP news

  • Zend Framework 1.0 has been released. Zend Founder and PHP godfather Andi Gutmans has the announcement. It will be very interesting to observe how it fares against the extremely popular Ruby on Rails framework. Leap ahead? Too little, too late? My personal hope is that both will compete to make each other stronger.
  • PHPUnit 3.1.0 has been released.
  • PHPDeveloper posted a primer to using AIR (Adobe Integrated Runtime) with PHP.
  • Manning released the eBook of PHP in Action by Dagfinn Reiersøl with Marcus Baker and Chris Shiflett. The print version should hit bookshelves any day now.

Ruby on Rails news

  • Award on Rails: a million yen for the best Rails application developed between June 10 and September 25, 2007. Judged by Matz himself. (¥1,000,000 ≈ US $8,300)
  • Ryan Bates at Railscasts is holding a contest too: submit a documentation patch to Rails and on July 27 he’ll pick eight random winners for prizes including a Nintendo DS Lite, iPod Shuffle, Peepcode subscriptions and Pragmatic Programmer books. Railscast #50 will show you how to submit a doc patch. (I recently reported on the Rails community’s push for better documentation.)
  • Remember when I talked about pagination and how it’s moving to a plug-in? Railscast #51 shows you how to get started with the plug-in will_paginate as an alternative to classic pagination.
  • Chris Wanstrath announced Sake (pronounced like the drink) which allows Rake tasks (pronounced like the garden tool) to be called system-wide.
  • Jamis Buck announced the release of Net::SSH 1.1.2, an update to the pure-Ruby implementation of the SSH2 client protocol.

Other news

Getting in Gear with Google Gears

Friday, June 29th, 2007


There’s been a lot of buzz about Google Gears. Google Gears is an open source browser extension that enables web applications to provide offline functionality using Ajax and SQLite. Basically, it allows applications to download data while they have a connection to a remote server, store the data locally in a database, and then retrieve and use the data even when the web application is offline. Imagine searching Google Maps while in your car or reading RSS feeds on a plane. Even better, imagine submitting data to a web application that gets uploaded once you have a connection again—a lot like having emails waiting in your outbox.

Rather than just write “Hey, Google Gears was announced!” like everyone else, I decided to hold off until someone wrote something more in depth. Well, now O’Reilly’s OnLamp has. Jack Herrington has written an article titled The Power of Google Gears (Part 1). It’s not just about Gears, he actually walks you through a sample implementation step-by-step. He uses PHP, PEAR, and Prototype, but he explains it well enough that it should be easy to do in any language or framework.

But, at least for now, you’ll need an internet connection to read the article.

Acceptance Testing of Web Applications with PHP

Thursday, June 28th, 2007

Padraic has written a long how-to article for the Zend Developer Zone about Acceptance Testing (aka Functional Testing). He starts out by explaining what Acceptance Testing is and why it’s useful. After you are convinced, he goes on to explain how to set up and use PHPUnit and Selenium to start testing your PHP applications. If you’ve been putting off learning how to implement testing in PHP, this article should be a great way to get started.