Archive for the 'PHP' Category

by mkeefe on Jul 3rd, 2008

When semi-random bugs attack

I have been working on a large Flex project for a while now which has been a ton of fun. The core of the application is built in Flex with a class to manage remote calling to PHP files. This is basically how the data comes and goes through the application.

While testing and developing it locally I continuously ran small tests to ensure all the data was working properly, and everything was. I decided to upload a build to my online environment for the client to check out, and all of a sudden the Remoting classes were returning the same error:

Client.Error.DeliveryInDoubt
Message: Channel disconnected
Detail: Channel disconnected before an acknowledgement was received

This is usually caused by a syntax error in the PHP, but it worked locally.

Charles to the rescue (again)
I opened up Charles and started looking at the response from PHP, where I found the following:

Fatal error: Uncaught exception 'VerboseException' with message 'file_exists(): open_basedir restriction in effect. File(/models/Debug.php) is not within the allowed path(s): (/tmp)' in /PATH_REMOVED/amfphp/core/amf/io/AMFBaseDeserializer.php:380

That is saying the file can’t be loaded from the root of the server... well, obviously, but the question is, why is AMFPHP looking for it there at all?

After talking to some friends and looking around the AMFPHP files I came across a function within the “globals.php” file.

setClassMappingsPath();

This allows you to set the path, which I did, but for some reason it was still failing. After some more time spent troubleshooting I found the function definition which can be found in “amfphp/core/amf/app/Gateway.php”.

function setClassMappingsPath($value) {
    $path = realpath($value . '/') . '/';
    $GLOBALS['amfphp']['customMappingsPath'] = $path;
};

The realpath() function seems to be the culprit. I am not saying this is an AMFPHP error, it could be a configuration error on this web server, which I will investigate further once the project is complete.

All I did to fix the error was comment out the realpath() check and set $path = $value. That stopped the incorrect loading of the class files and “magically” my Flex application started working properly once again.
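
An added illustration, not AMFPHP's code and not from the original post: realpath() returns false when it cannot resolve a path, and in PHP false . '/' evaluates to '/', which would send the class lookup to the filesystem root as in the error above. The guarded variant below fails loudly instead of falling back to the root; the function names resolveClassMappingsPath and setClassMappingsPathChecked are hypothetical.

```php
<?php
// Added example: a guarded variant of setClassMappingsPath(). Not AMFPHP code.

/**
 * Resolve a class-mappings directory, refusing to fall back to "/".
 * realpath() returns false on failure, and false . '/' silently becomes "/".
 */
function resolveClassMappingsPath(string $value): string
{
    $resolved = realpath($value);

    if ($resolved === false) {
        // Fail loudly instead of pointing the loader at the filesystem root.
        throw new RuntimeException(
            "Class mappings path cannot be resolved: " . $value
        );
    }
    if (!is_dir($resolved)) {
        throw new RuntimeException("Not a directory: " . $resolved);
    }
    return rtrim($resolved, '/') . '/';
}

// Hypothetical replacement for the setter quoted above.
function setClassMappingsPathChecked(string $value): void
{
    $GLOBALS['amfphp']['customMappingsPath'] = resolveClassMappingsPath($value);
}

// Constructed demonstration: one directory that exists, one that does not.
$good = sys_get_temp_dir();
$bad  = $good . '/no-such-dir-' . uniqid();

setClassMappingsPathChecked($good);
echo "mapped to: ", $GLOBALS['amfphp']['customMappingsPath'], PHP_EOL;

// What the unguarded expression produces for the unresolvable path.
echo "unguarded: ", var_export(@realpath($bad . '/') . '/', true), PHP_EOL;

try {
    setClassMappingsPathChecked($bad);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```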

When Errors are Good
The errors in this case were not all that helpful at first, but after looking into the code they really did paint a picture. The “Delivery in doubt” error that Flex throws will prove to be your best friend if you wind up with syntax or file errors within PHP.

by mkeefe on May 2nd, 2008

SWFBlog in an alpha state

Earlier last night I developed (in about 2 hours) the prototype of a Flash-based Wordpress theme. The concept is not entirely original, but I still was intrigued to create my own. I have a lot of distance to go and am not sure when exactly I will be working on it, but for now here is the start.

I have a couple of tricks up my sleeve which I will talk about at a later release, but let's just say I am thinking in a “modular” way. ;)

Here is the application:
http://scriptplayground.com/swfblog/

by mkeefe on Mar 20th, 2008

Flash and PHP Bible - Cover

I was just sent a link from Wiley to the web site for my upcoming book. You can pre-order the book as well as find out more information about it. Also, for the first time, here is the cover. It is interesting to see your name on a picture of the cover of the book; I can only imagine what it feels like to see it in person.

Once the book is released (in May) I will post a more in-depth overview, as well as take the time to thank the group of people that made this all possible.

Also, before I forget about it, PhotoshopWorld is fast approaching but there is still time to register. I do not gain any advantage from letting you know about the show; I just know first-hand it is a great event with many awesome people.

by mkeefe on Jan 15th, 2008

PHP - Securing data from Flash

The topic of security in PHP is a long-standing one in the developer community. Oftentimes you will find security is simply overlooked. The most recent example (that I found) is the interactive puzzle game on the Untraceable movie web site. Once you complete the game, your time and name are entered into the database to be displayed on the high score screen.

Here is an example of that easy-to-modify URL (full path removed):

http://…/score.php?score=02%3A41&name=JAMES%20B%2E

As you can see, the time and username are clearly visible in the URL; in this example the time is 2 minutes & 41 seconds.

Now that you can see the issue, let's look at how to stop this basic modification ability. This example will use ActionScript 3 and the MD5 library provided by Adobe’s AS3CoreLib.

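import com.adobe.crypto.MD5;
import flash.events.Event;
import flash.net.URLLoader;
import flash.net.URLRequest;

// Shared salt; must match the value used in score.php
var salt:String = "439df098";

function sendScore(name:String, score:String):void
{
  // Hash the salt and score so the server can detect an edited score
  var scoreHash:String = MD5.hash(salt + score);

  // URL-encode the values and separate every parameter with "&"
  var query:String = "?n=" + encodeURIComponent(name) +
    "&s=" + encodeURIComponent(score) +
    "&hash=" + scoreHash;

  var req:URLRequest = new URLRequest("score.php" + query);
  var urlLoader:URLLoader = new URLLoader();
  urlLoader.addEventListener(Event.COMPLETE, scoreSent);
  urlLoader.load(req);
}

// Called once the server has responded
function scoreSent(e:Event):void
{
  trace("Score sent");
}

sendScore("James", "2:41");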

Once the ActionScript is developed, the next step is to work out the PHP.

The PHP will take the same salt (which would be private) and test the hash to determine if the entry is valid.

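<?php

// connection to database goes here

// Shared salt; must match the value used in the ActionScript
$salt = "439df098";

// Read the submitted values, falling back to empty strings when absent
$name = isset($_GET['n']) && is_string($_GET['n']) ? $_GET['n'] : '';
$score = isset($_GET['s']) && is_string($_GET['s']) ? $_GET['s'] : '';
$hash = isset($_GET['hash']) && is_string($_GET['hash']) ? $_GET['hash'] : '';

// "." concatenates in PHP ("+" is arithmetic); hash_equals() compares in constant time
if(hash_equals(md5($salt . $score), $hash))
{
  // Valid score submission.
  // enter score in database at this point.
}
else
{
  // error, log IP address for security purposes
}

?>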

As you can see, this code is not very advanced, but it easily protects your score submission, or any other type of form submission, from fraudulent entries.
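
The following is an added example, not code from the original post, and it goes beyond the scheme above: the tag is an HMAC-SHA256 over the name as well as the score, the score format is validated, and a nonce rejects replays of a previously accepted request. The secret value, the nonce parameter and the function names scoreTag and verifyScore are assumptions; the in-memory nonce list stands in for a database table.

```php
<?php
// Added example, not the post's code. Secret, nonce and field names are assumptions.
const SCORE_SECRET = 'constructed-demo-secret'; // placeholder; load from server config

// Tag the client must send: HMAC-SHA256 over every submitted field.
function scoreTag(string $name, string $score, string $nonce): string
{
    $msg = '';
    foreach ([$name, $score, $nonce] as $field) {
        // Length-prefix each field so ("ab","c") and ("a","bc") differ.
        $msg .= strlen($field) . ':' . $field;
    }
    return hash_hmac('sha256', $msg, SCORE_SECRET);
}

// True only for a well-formed, untampered, not-yet-seen submission.
function verifyScore(array $q, array &$seenNonces): bool
{
    foreach (['n', 's', 'nonce', 'hash'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return false; // missing or array-valued parameter
        }
    }
    if (!preg_match('/^\d{1,2}:[0-5]\d$/', $q['s'])) {
        return false; // score must look like m:ss
    }
    if (!hash_equals(scoreTag($q['n'], $q['s'], $q['nonce']), $q['hash'])) {
        return false; // constant-time comparison instead of ==
    }
    if (isset($seenNonces[$q['nonce']])) {
        return false; // replay of an earlier valid request
    }
    $seenNonces[$q['nonce']] = true;
    return true;
}

// Constructed requests standing in for $_GET.
$seen = [];
$valid = ['n' => 'James', 's' => '2:41', 'nonce' => 'a1b2c3'];
$valid['hash'] = scoreTag($valid['n'], $valid['s'], $valid['nonce']);
$cases = [
    'valid'        => $valid,
    'edited score' => ['s' => '0:05'] + $valid,    // old tag kept
    'edited name'  => ['n' => 'Mallory'] + $valid, // old tag kept
    'replay'       => $valid,
];
foreach ($cases as $label => $request) {
    echo $label, ': ', var_export(verifyScore($request, $seen), true), PHP_EOL;
}
```

Because the same secret has to be compiled into the Flash movie, a check of this kind stops edits to the URL but cannot authenticate a client that has obtained the secret from the file; score plausibility still has to be judged on the server.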

by mkeefe on May 8th, 2007

Diving into the Zend Framework

After a long day of compiling PHP, Apache, Imap, Mailman… and the list goes on, I have the Zend Framework all set up. I haven’t run any stress tests or long-term analysis on the framework, but so far I am happy.

One super simple example is this Flickr Compositor, which takes your search and creates a pretty neat composite image. There are also a bunch of other demos, so in a matter of minutes you can really get an idea of how powerful the Zend Framework is.

At the moment I have this system pretty feature packed, with apps such as:

When I get some more time I am going to be adding the Zend Framework to my development toolkit. I also plan to test out CakePHP and come up with a “best of” kit. The question is what do you prefer to use in your development?
