We’ll do a quick walk-through to get started with error logging.

Prepare php.ini

There are a few options that need to be set in php.ini to make proper logging possible. If you don’t have access to php.ini you can attempt to set the options at runtime (your mileage may vary.) An alternative to using php.ini is setting directives in an .htaccess file, but I won’t be discussing it in this post.

error_reporting  =  E_ALL
display_errors = Off
log_errors = On
error_log = /file/writeable/by/web/server/

Let’s look at this options a bit closer to understand what they do. error_reporting can take a number or different settings that grant an entire discussion all their own. I like using E_ALL which can be a little chatty at times, but can help to write better code. With PHP 5 E_STRICT has also been included, and has to be declared explicitly (not included in E_ALL.) This setting doesn’t provide additional logging, but gives recommendations to write even cleaner code.

display_errors is usually turned on during development, and turned off when going into production. If you are using logging, you’ll soon realize that it’s not necessary to turn this on at all.

log_errors is almost self explanatory, but could cause a newcomer to wonder why log files aren’t being written. This is the first place you should look if you aren’t getting logging information.

error_log has to be set to the path of a file writable by the web server; this is the second place you should look if your logs aren’t working. File ownership and permissions aren’t as daunting as they seem and you’ll be doing yourself a huge favor by learning how to apply them properly. If log_errors isn’t turned on, then this setting will have no effect whatsoever.

Set Up Your Box

This is where the rubber meets the road. Once you have all your settings in place and you’ve verified that errors are written to the log, it’s time to start using it. Open a terminal (command line as some folks call it) and give it the following command:

tail -f /log/file

The tail command retrieves the last 10 lines of a given file, the -f switch tells it to do it in real time. That is to say, that the display will be updated each time there’s a new entry in the log as opposed to having to run the command each time you want to see what’s going on. Leave this terminal running at all times and make it the first thing you glance at when something isn’t working right.

Talk To The Log, It Listens

So far you are able to view errors generated by PHP which is incedibly useful, but how about sending your own messages to the log? Enter error_log. This function allows you (in its simplest form) to send a custom message to the log. Let’s see an example, enter the following bit of code in a file and access it with your browser.

<?php
if ( 1 > 0 )
{
    error_log('it would be weird to NOT get this message');
}
?>

Now the log in the terminal (that’s ALWAYS open) will display something like

[22-Mar-2010 06:54:05] it would be weird to NOT get this message

This function also provides several other options such as being able to send the message via e-mail, or to a TCP port. So you can imagine the possibilities for customizing responses to different situations are endless. Here’s a list of useful resources that will help you in your logging quests.

• error_log – Manual
• Errors and Logging Configuration Options – Manual
• php.ini Guide: Error Handling and Logging – Added Bytes
• tail () – Unix man pages (if you have *nix system available just type ‘man tail’ )

This post only covers the very basics of logging PHP, but it’s intended as a starting point. I’m very interested in learning how you use logging or what debugging techniques you’ve developed. Don’t be shy and leave a comment.

Bookmark It

Hide Sites

So what’s the solution? We will use a ‘hash’ to store password validation. Without getting scientific a hash is the result of a transformation applied to the password string. This transformation is very likely one of the better known cryptographic methods such as MD5 or SHA1.

Let’s see it in practical terms. The user provides a password of  ”abc123″ , once hashed with SHA1 it looks like 6367c48dd193d56ea7b0baad25b19455e529f5ee. A hexadecimal number 40 characters in length. The process of hashing is one way only, so it’s not possible (for regular folks) to guess the password by looking at the hash. Next time the user logs in, the system will hash the password entered and compare it to the stored hash to validate the credentials.

So far so good, except that “abc123″ is a fairly easily guessable password, and it would probably be included in a dictionary based attack using rainbow tables. A rainbow table is a lookup table containing hashes based on a dictionary of possible passwords; “password”, “Password”, “root”, etc. would be the kind of passwords that you might find in said tables, and of course “abc123″ would make the list as well. So, in this case even though it’s harder to do, it’s still possible to reveal the actual password from the hash. As usual, using had-to-guess passwords mitigates this risk.

The solution to this issue is to use a ‘salt’ which is a random value attached to the password. By appending the salt, the rainbow table becomes useless, as the number of possible combinations makes it nearly impossible to guess using this method.

Photo by PhyrePh0X

Let’s tie all the pieces. The user signs up and picks a password, we take the password salt it with a random value, hash it, then store the hash and the salt. In PHP it might look somewhat like this:

$password = 'password';

$salt = sha1(rand()); //According to PHP.net some systems such as Windows will use a max number of 32768 unless explicitly specified

$hash = sha1($salt.$password); //Hash the concatenated string of the password and the hashed random salt

//Store values

See the output of this example

Going back to the original example, you wouldn’t be a able to e-mail the exact password back to the forgetful user at this point, instead, send him a link to a password reset page where they can enter a new one, and you can store it in the form of a new hash.

As usual this is only a little something to get you started and not an in-depth production ready sample. Use common sense when dealing with security and user experience issues. It’s possible that you work in an industry that has certain requirements regarding storing passwords and such, make sure you always check what’s appropriate for the particular project you are working on.

Do you use any of these methods in your projects? What else do you do to ensure security and a good user experience?

Bookmark It

Hide Sites

Work

Fortunately I’ve been extremely busy with three projects I’m working in parallel. The first one is a new site for a well known real estate agent in the Atlanta market. The site has a custom-made admin interface to allow her and her team to edit their own content and some other details, without drowning them in unnecessary features. We should be going live in early February so we are in the final stages which can be extremely hectic. We already have some very cool features (hint) to follow the launch which I’ll probably write about later.

The second project is a web application that makes use of the Amazon Mechanical Turk API which took me a bit of time to learn. Unlike some of the APIs I’ve written about, this one is more complex. I’m planning on extending this project into a full PHP library for the Mechanical Turk API once it’s finished. I will very likely release it as an open source project from the beginning.

The third project is longer term and it’s based on a WorpPress MU, although with the upcoming merge it’ll just be WordPress. It has to do with a national religious-based organization and will probably spawn many blog posts along the way as well. I’m really excited about this project as it’ll allow me to dig very deep into WordPress.

Projects

As any developer, designer or webbie out there I have a list of personal projects I’d like to tackle at one point.

Blog re-design: I don’t consider my blog to be ugly, but it certainly isn’t beautiful either (and it has some details that need fixing badly), and the best word to describe it is probably “simple”. I’ve been working on some ideas here and there and hopefully will get to release a new theme soon. Here’s a preview of the latest iteration (please give me your $0.02).

Collaborate with WordPress: During Wordcamp Atlanta many of the speakers tried to motivate the audience to help WordPress grow. What a good job they did! I came out of the event energized to start lending a hand. So expect me to start picking up some tickets, writing plugins, etc. very soon.

Start an open source project: I’ve been wanting to start one for a very long time, and I think it will be a small PHP library for Amazon’s Mechanical Turk API.

Learn Objective-C: I’ve been meaning to learn a new language for a long time. Writing iPhone and/or Mac applications sounds very appealing and that’s the direction I want to take. Of course, this will take a big commitment on my part so I’ll have to wait until I have a bit more time to tackle this one.

Tools

When I say tools I don’t just mean my editor and ssh client -although these are fundamental- but actually all the things that help me as a web developer. Here’s a list that might have some tidbits you can use as well.

Software tools: I write in Coda, keep track of my code in GitHub, use a Linux VPS to host my projects (and this blog), use FileZilla to transfer files, and FireBug and FirePHP to debug.

Stay-on-top tools: It’s hard to stay on top of everything in the web development world, but there are some key blogs and podcasts that help reduce the noise to signal ratio. My favorite podcast is BoagWorld which is also a very neat blog. Here’s my entire podcast playlist if you want to look for yourself. I usually listen to them in the car which would otherwise default to NPR, talk radio or some lame FM station.

If you can spare a couple of hours every week, do yourself a favor and sign on to DCTH (Design Community Twitter Hours). You will learn, network, have fun and spend time in great company with awesome webbies from all over.

Not all my activities take place in front of a computer.  I’ve joined several groups of interest through Meetup.com which have helped me learn, make friends and even find new clients. Also, working from home was taking a toll in my social interaction level, so I joined Ignition Alley, a great co-working space in midtown Atlanta.

So as you can see I have more than a plate-full going forward. What do you have going on? Please share your own experiences, tips, projects and whatnot.

Bookmark It

Hide Sites