This is coverage of Day 2 of the 2007 DCPHP Conference. Day 1 coverage is already online.
The Opening Keynote of the day was from Mike Potter of Adobe on "Designing PHP-based RIAs for Richer Internet Experiences". The focus was on Flex 2 and what Adobe has done with it in the space and how PHP developers are starting to use it. He showed off numerous toys and tricks that PHP developers are using and gave everyone a free copy of O'Reilly's "Programming Flex 2".
As an aside, it's interesting seeing Adobe's push in this space. At ZendCon last year, I caught an early demo of something (pre-Flex?) showing off what they could do and in the past year it's really blossomed and they've put a lot of effort and dollars behind it. It's fascinating watching large companies engage and interact with the Open Source community in positive ways. There's no reason we have to be at war… our goals are the same:
Provide useful and (usually) innovative solutions to our customers/employers on time and on budget.
</soapbox>
The first regular session of the day was on MySQL Security from Damien Seguy. He started off by showing how insecure a default MySQL installation can be. Some of the fixes were subtle and unexpected, but some of them were pretty basic like adding a root password. Then he dove into a few other ways to compromise or load down the database and/or escalate permissions by different users coordinating their actions, or even some creative sql insertion using regex and comments. Some of it was very deep MySQL black magic that involves configuration-level tweaks and parameters… which just aren't available in shared hosting environment. Luckily, he also laid out a series of steps and improvements that can be done at a code/query execution level without having to tweak the server.
The next session I attended was Laura Thompson's Write Beautiful Code (slides here). It was interesting to see that there are still a number of people who don't see any value to using version control… or having a "dev" environment which is not production. In addition, she hit a few topics such as simplicity, security, and generally getting stuff done. Laura has this skill of putting together these seemingly simple topics and pointing out where you are screwing up royally. And I mean that in the nicest way possible. 😉
The next session of the day was from Eli White on "Help, My Website has been Hacked! Now what?" or the working title "Oh noes! I can hakkerz! Halp!". No, not kidding, look at page 2 of the slides. In this one, he stepped through the process of detecting, fixing, and generally recovering from an attack. The most interesting thing is his response to whether or not to take down the site. He noted that in many cases, it's often better to leave the hole in place since you can easily test it. Of course, if it's gotten wide publication or hits something particularly sensitive, maybe not the best thing… but definitely an interesting perspective.
The next session of the day was mine. I spoke on RESTful Web Services (slides here) to a very full room. This year I took a less code-focused approach and instead looked at and discussed best practices. I think I'm going to tweak the presentation to include a handful of more tangible/specific examples – preferably live as I did last year – and see how that goes over.
The final session of the conference was from Mike Ho on "Beyond SQL and ORM: Object-Oriented Querying". Once again he showed off the beauty and impressiveness that is QCodo…. it's just amazing. He had a set of 18-20 different coding snippets and progressively built more and more advanced and impressive solutions as he went along.
And Mike made a pretty impressive claim along the lines of "If you properly use one of the frameworks to do your querying, SQL Injection attacks are impossible" (paraphrased). Pretty gutsy claim, but the more I think about it, the more I think he's right… but the key is "properly". An incompetent person can still break out of the framework and end up break things and opening holes…