Please turn display errors OFF

April 18th, 2008

Production websites should not have big ugly PHP errors. If you leave display_errors on, you are asking for trouble. Even worse is when this mistake is made on a site frequented by geeks of all flavors. PHP already has a “bad rap” for security (deserved or not).

The latest site to be a perpetrator of this problem? http://www.dilbert.com/, home of the great comic (thanks to Pierre for pointing it out). But please, turn display_errors off and log them!

Here’s a pretty look at the site, recorded for posterity by webthumb.

I like to set up “environments” in my applications that deal with things like display_errors and other ini settings that can be altered at runtime that I want changed depending on if I’m debugging, testing, or deploying the application.

What’s your favorite PHP website error story?

Edit: I’ve found a couple of linkbacks saying things like “oh you shouldn’t turn errors off you should fix them” - I think you missed the point. I’m not advocating turning ERRORS off, I’m saying on a production site don’t be stupid and show them to the user - hence display_errors should be off (see, display_errors not error_reporting…errr duh). Log your errors, people!
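
The per-environment setup described above, as an added example (not the author's own code): the environment names, the APP_ENV variable and the log file path are assumptions. Errors are reported and logged in every environment; only whether they are shown to the visitor changes.

```php
<?php
// Added example. Environment names, APP_ENV and the log path are assumptions.

/** Runtime ini settings for a named environment. */
function error_settings(string $env): array
{
    $profiles = [
        // Debugging and testing: show errors on screen and log them too.
        'development' => ['display_errors' => '1', 'log_errors' => '1'],
        'testing'     => ['display_errors' => '1', 'log_errors' => '1'],
        // Deployed: never echo errors to the visitor, always log them.
        'production'  => ['display_errors' => '0', 'log_errors' => '1'],
    ];
    // An unknown or missing name falls back to the production profile.
    return $profiles[$env] ?? $profiles['production'];
}

/** Apply the profile and return the settings that could NOT be changed. */
function apply_error_settings(string $env, string $logFile): array
{
    // error_reporting stays at E_ALL everywhere: nothing is silenced,
    // only the destination of the message changes.
    error_reporting(E_ALL);

    $settings = error_settings($env) + ['error_log' => $logFile];
    $failed = [];
    foreach ($settings as $key => $value) {
        // ini_set() returns false when the directive cannot be changed.
        if (ini_set($key, $value) === false) {
            $failed[] = $key;
        }
    }
    return $failed;
}

$env     = getenv('APP_ENV') ?: 'production';
$logFile = sys_get_temp_dir() . '/app-php-errors.log';
$failed  = apply_error_settings($env, $logFile);

// Constructed sample error: logged in every profile, echoed only outside production.
trigger_error('constructed sample warning', E_USER_WARNING);

printf(
    "env=%s display_errors=%s log=%s locked=%s\n",
    $env,
    ini_get('display_errors'),
    ini_get('error_log'),
    $failed ? implode(',', $failed) : 'none'
);
```

Because these calls run only once the script has started, a parse error in the entry file is handled under whatever php.ini says, so the production php.ini should also carry display_errors = Off.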


Hey look, I’m naked!

April 9th, 2008

Welcome to CSS Naked Day! Here’s a pic of the pretty site, courtesy of Webthumb, so you can view the naked version even AFTER the day is done.

So what is CSS Naked Day? I turn off the CSS for my site and you get to see my pretty semantic markup underneath the layers of images and pink butterflies. Enjoy!


Google Summer of Code - Open for Business

March 26th, 2008

You know a student who needs to make some cash this summer AND likes programming? The Google Summer of Code project is open for student applications, and PHP is one of the organizations in on the fun.

There’s a list of ideas on the PHP wiki - with a wide range of skill sets, from just knowing PHP to advanced C skills. Or a student can come up with their own fabulous idea.

PHP needs applications! So spread the word! Participation is open to any student, come and join the fun, and have a summer job where you get paid for doing what you like! Oh, and you help PHP in the process.


Why I’m ditching Gmail

March 16th, 2008

I use a lot of Google’s services - Gmail for a nice generic address, Analytics for my website, Google Bookmarks to keep my stuff organized. I hadn’t had any problems - until today.

About 5:45 Eastern time my email kicks up an error asking me to re-enter my password. Now I’ve had a little bit of flakiness before with this. Re-enter the password and away you go. Generally I figured it was because I run two computers - my Mac laptop and my Windows desktop, sometimes at the same time and they sometimes stomp on each other. At least that’s what I assumed was the issue. I didn’t think much of it - it worked. And there had been an increase in “bounce backs” to my Gmail account - but anyone with half a brain could look at the headers and see the mail just had my address in the “from” and didn’t come from Google in any way. And the Google spam filters seem to be getting worse…

So I try to log in a few times and I can’t get in. First rule of can’t log in (when you know the password is right) - you change your password. So I set that in motion, get a mail to my “main” mail account (on a server I control) to do the reset…and get a “your account is locked” message.

So I jump through a few more hoops and find a place to report a problem. And get a form letter back:

Hello,

Thank you for your report.

You’re receiving this auto-reply message because you indicated that your Gmail
account has been disabled.

Please note that when we detect unusual usage of your account, we may
temporarily disable access to the account as we investigate. Please wait 24
hours and re-try to login to your account.

If you’re using POP or IMAP to log into your Gmail account and receive a ‘Sorry,
your account has been disabled’ message, please try logging in through the web
interface at https://mail.google.com. When we detect unusual usage of your
account, Gmail sometimes requires users to respond to a ‘captcha
<https://www.google.com/accounts/DisplayUnlockCaptcha>,’ consisting of a set of
distorted letters, to log in to their account.

If you receive a ‘Sorry, your account has been disabled’ message when visiting
https://mail.google.com and believe that your account has been disabled in
error, please reply to this message so we can investigate your situation and
assist you in regaining access to your account if appropriate.

In most cases, Gmail accounts are disabled because of a perceived violation of
Gmail Terms of Use <http://mail.google.com/mail/help/terms_of_use.html>. Google
reserves the right to suspend a Gmail account or the entire Google Account if
Gmail Terms of Use are violated. If you know your account has violated our Terms
of Service agreement, do not reply to this message, as our team is unable to
assist further.

Additionally, if you already have an open correspondence with a Gmail support
agent, please reply to the last message, as that agent will be better able to
aid you.

For other issues not listed here, please visit the Gmail Help Center at
http://mail.google.com/support. Also, if this issue has since been resolved,
please discard this message.

Sincerely,

The Google Team

“It may be locked for up to 24 hours” - what? So if someone has hijacked my account I can’t change my password? I have to wait around for 24 hours guessing when things WILL be unlocked and HOPE I’m the first one in and that the secondary email address hasn’t changed? And here is the big failure with single sign-on. Not only can I not get to my Gmail, I can’t access my bookmarks or the analytics on my site.

I replied to the mail - an hour later still nothing.

So, forget this, I’m ditching Gmail. Even Hotmail never gave me this kind of trouble. - If you need to contact me, do not use auroraeosrose@gmail.com - if you had sent me something there and never get a reply, send it to my php.net email address and it’ll find me in the right place.

I guess maybe I’ll have to give Yahoo a try…


The Great Compile Project

March 7th, 2008

Yes, goofy name… the goal? All dependencies for PHP (and GTK so PHP-GTK runs smoothly) and PECL compiled on at least Visual Studio 2005 - in a completely transparent process where source changes and project files and built binaries are available to anyone.

So, I’ve been slowly working on getting Open Source libraries compiling in five versions of Microsoft Visual Studio. Why? Well, first of all, many open source projects don’t have good Windows support. Any building that is supported is through MinGW - which isn’t necessarily bad but the binaries are larger and not as optimized. After all, I would hope Microsoft could make a better compiler for their OS than something brought over from the *nix world. However, *nix devs feel comfortable in their old automake/gcc world. Things work the way they expect when building. And people don’t LIKE to build for Windows - so they don’t, so Windows users are stuck with very outdated (and I mean very) versions of libraries.

The problem is that Microsoft has moved off of the old MSVCRT runtime that MinGW links against and onto bigger, better (well actually smaller, faster, better) runtimes. In fact the MS documentation says

The msvcrt.dll is now a “known DLL,” meaning that it is a system component owned and built by Windows. It is intended for future use only by system-level components.

So your library or application shouldn’t be using it. Of course MS couldn’t make things easy: these new runtimes have to be distributed separately. And the licensing is dodgy; some claim linking against the DLLs violates open source licenses because then you have to distribute the new DLL (although MS has separate installers people can download).

And to really confuse you, each new compiler has its own version. There’s Visual Studio 2002 (.NET), which will link against msvcr70.dll. There’s Visual Studio 2003 (.NET), which will link against msvcr71.dll. There’s Visual Studio 2005 (the current “gold standard” of Windows devs), which links against msvcr80.dll. Finally there’s Visual Studio 2008, the new kid on the block, which links against msvcr90.dll. Oh, and don’t forget the outdated Visual Studio 6 that Microsoft doesn’t even distribute anymore, which still links against msvcrt.dll.

Have a headache yet?

Then let’s make things more confusing - let’s say you have an application with a bunch of dependencies - we’ll use PHP as a quick example. PHP on windows requires a branched bindlib static library, libiconv, and libxml2 to compile with the “standard” setup. That doesn’t take into account any additional libraries or PECL extensions. It uses some MS stuff as well, but those are Open Source items that it needs. If you take the “standard” versions of the libraries, the ones linked against msvcrt.dll, that are freely available but compile PHP with a newer compiler - let’s say 2005 - and link it against msvcr80.dll

Bad things can happen!

What kind of bad things? Crashes, memory corruption, all kinds of madness. So the correct way to allow PHP to change compilers is to also make all the dependencies change compilers as well. Can you say “yuck”.

To make things more fun, Visual Studio doesn’t support the autotools stuff at all. Even if you use MSYS (which MinGW provides) and hook it up to the Windows compiler and linker (which will generate header files at least), it doesn’t write usable makefiles, and often has other issues. Which is why PHP5 on Windows has an interesting build system written in JScript that mimics ./configure on *nix. And MSVC is generally a fairly strict compiler - warnings (and often errors) galore. So building Open Source on Windows usually requires hacking header files and fixing compile errors. Fun.

At the moment you can find binaries, source, and MSVC project files for the libraries I’ve been working on at Perisama if you want to play. There has been discussion of creating some build scripts based on the PHP windows build system, or using a cross-compiler system like cmake for all these libraries. But the bottom line is most of the libraries need hacking to work properly with MSVC, which means “human intervention” at some point in the process.

Anyway, anyone crazy enough to help out is more than welcome. I’m currently working on the GTK dependency stack, which will hit quite a few PHP dependencies and PECL extension dependencies in the process. And yes I’d love to submit my hacks/fixes upstream, if someone could find me some information (where do you send libiconv patches?) Oh, and could you manage to convince people that it’s actually important to fix things for Windows, because half of OSS doesn’t give a rip… Well this is degenerating into a rant so - enjoy!

