PHP, Suhosin and POST data

January 9th, 2012 1 comment

Last week one of my clients reported an issue showing some notices spilled by the application on their development and QA servers. After some regular debugging, we noticed that the application was not receiving the complete POST data.

The solution seemed simple: open php.ini, check and increase the value of post_max_size. BANG!!! No change (of course Apache was restarted after the change in the ini). Some more time was spent debugging various things. Even the stupidest thing, whether the browser was sending the full data to the server, was also checked. But nothing helped. We again started scanning phpinfo for some help when suddenly we noticed that the servers had the Suhosin patch installed and active (suhosin.ini was a part of the additional .ini files).

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.


We started scanning phpinfo for Suhosin-specific settings … EUREKA … we found the following –

suhosin.request.max_vars = 200
suhosin.post.max_vars = 200


Suhosin limits the number of variables that can be passed to a PHP script, no matter what you set for post_max_size in php.ini. The default value of this setting is 200, which means your PHP script will only see the first 200 entries in the $_POST array. All other data is silently dropped, with no warning or error. We got this value increased to the one we needed for our script and everything was back to normal.

I spent quite a long time finding and solving this issue and thus decided to quickly blog about it. Hope this tip will help someone save their quality time.

P.S.: Suhosin has a lot of other settings that may affect your scripts in some way. So, if you get into a situation where everything looks normal in php.ini, look for Suhosin and its settings. You may find the solution to your problem just like I did.
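Because the truncation is silent, the fastest way to catch it next time is to make the script itself compare what the client sent with the server's limit. The following is an added example written for this post, not code from the original, and not part of Suhosin. The directive names are real (suhosin.post.max_vars and suhosin.request.max_vars from Suhosin; max_input_vars, which PHP 5.3.9 added to the core with the same effect), everything else is an assumption, and the check only works for application/x-www-form-urlencoded bodies because php://input is empty for multipart/form-data.

```php
<?php
// Added example (not from the original post): log when a POST request carries
// more fields than the server-side variable limit, so the silent truncation
// described above shows up in the error log. Directive names are real; the
// function names and the usage at the bottom are this example's own.

// Returns directive => limit for every variable-count limit present on this
// server. ini_get() returns false for a directive whose extension is not
// loaded, so a server without Suhosin simply yields no Suhosin entries.
function post_var_limits()
{
    $limits = array();
    foreach (array('suhosin.post.max_vars', 'suhosin.request.max_vars', 'max_input_vars') as $directive) {
        $value = ini_get($directive);
        if ($value !== false && $value !== '') {
            $limits[$directive] = (int) $value;
        }
    }
    return $limits;
}

// Number of name=value pairs in a raw application/x-www-form-urlencoded body.
// Counted on the raw body on purpose: $_POST has already been truncated.
function count_urlencoded_fields($raw)
{
    $raw = trim($raw);
    return $raw === '' ? 0 : count(explode('&', $raw));
}

// Compares the field count the client sent with each configured limit.
// Returns a report array, or null when the request is not a urlencoded POST
// (php://input is empty for multipart/form-data, so those cannot be counted).
function check_post_truncation()
{
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    $ctype  = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
    if ($method !== 'POST' || stripos($ctype, 'application/x-www-form-urlencoded') !== 0) {
        return null;
    }

    $sent   = count_urlencoded_fields(file_get_contents('php://input'));
    $limits = post_var_limits();
    $report = array(
        'sent'      => $sent,          // pairs in the raw body
        'received'  => count($_POST),  // top-level keys PHP actually exposed
        'limits'    => $limits,
        'truncated' => false,
    );
    foreach ($limits as $directive => $limit) {
        if ($sent > $limit) {
            $report['truncated'] = true;
            error_log(sprintf('POST truncated: client sent %d fields but %s = %d',
                              $sent, $directive, $limit));
        }
    }
    return $report;
}

// Usage: include this at the top of the script that loses data, reproduce the
// problem, and watch the web server's error log. Nothing is changed for
// requests that fit within the limits.
check_post_truncation();
```

The report compares the raw count against every limit rather than against count($_POST), because repeated names (a=1&a=2) and array syntax (a[]=1) make the number of $_POST keys differ from the number of fields sent even when nothing was dropped.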


Multipart posting with Apache Benchmark

March 21st, 2011 5 comments

Last week I wanted to load test an upload functionality created for one of the projects. The testing team was busy with other stuff so I decided to do it on my own. Being a hardcore programmer and someone who has never used any of the regular testing tools (read M$ Window$ based tools), I had the only option of using Apache Benchmark on my Ubuntu 10.10.

Since I had already used ab (the Apache Benchmark command name), I was pretty confident that within a few minutes I would be done. But multipart form posting wasn’t as straightforward as I had thought. My initial assumption was to provide a file path to the -p option of ab and it would handle the stuff required for multipart posting. Unfortunately that wasn’t the case. I realized that I had to provide a file name, but the file should contain the complete information about the data to be posted. In other words, I had to manage the boundary required for multipart posting myself.

After some research and this small but important tip, I managed to prepare the POST data in the required format along with the correct Content-Type required by Apache Benchmark. The final command looked like

ab -n 10 -c 2 -C PHPSESSID=rk53j7gsrmaiuc3gvo86ipltr1 -p /var/www/post_data.txt -T "multipart/form-data; boundary=1234567890" http://my-domain.com/upload.php

Following is the breakdown of options provided to the command –

I provided the cookie information (option -C) along with the command since my upload script checks for authentication.
-p allows me to provide a file name which contains the complete information about the data to be POSTed along with the multipart boundaries.
-T is for the Content-Type header. This is where I also tell ab about the boundary in my POST data along with the standard multipart/form-data content type.
And then finally the URL where all the data has to be posted.

The contents of the post_data.txt file are

--1234567890
Content-Disposition: form-data; name="ID"

3
--1234567890
Content-Disposition: form-data; name="videofile"; filename="ab1_pod.avi"
Content-Type: video/x-msvideo

[base64 encoded file content here]
--1234567890--

Remember that the format of the file should be exactly the same (your boundary label can be different from mine, though). If you miss a single new line or add an extra new line somewhere, then you won’t get the expected results.

Finally, to base64 encode the file to be posted, you can simply use PHP code as follows and paste the output in the placeholder above.

echo base64_encode(file_get_contents('/home/aditya/Videos/my_video.avi'));
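Hand-editing the boundary lines is where the "missing newline" mistakes come from, so it is easier to let a script generate post_data.txt. The following is an added example written for this post, not code from the original; it reuses the paths, field names and URL from the post and assumes a PHP CLI on the load-testing machine. It writes the file bytes raw instead of base64, because that is what a browser puts in a multipart/form-data part, and it uses CRLF line endings as the multipart format specifies.

```php
<?php
// Added example (not from the original post): generate the multipart body file
// that `ab -p` sends, so the boundary lines, blank lines and Content-Type are
// always consistent. Paths, field names and the URL are the post's placeholders.

// Builds a multipart/form-data body. $fields: name => value. $files: name =>
// array('path' => ..., 'type' => ...). Returns the body as a byte string.
function build_multipart_body(array $fields, array $files, $boundary)
{
    $crlf = "\r\n";   // multipart line terminator is CRLF, not a bare LF
    $body = '';

    foreach ($fields as $name => $value) {
        $body .= '--' . $boundary . $crlf
               . 'Content-Disposition: form-data; name="' . $name . '"' . $crlf
               . $crlf                       // blank line separates part headers from data
               . $value . $crlf;
    }

    foreach ($files as $name => $file) {
        $data = file_get_contents($file['path']);
        if ($data === false) {
            throw new RuntimeException('Cannot read ' . $file['path']);
        }
        // A delimiter occurring inside a part would end that part early and
        // corrupt everything after it, so refuse rather than silently mis-post.
        if (strpos($data, '--' . $boundary) !== false) {
            throw new RuntimeException('Boundary occurs inside file content; choose another boundary');
        }
        $body .= '--' . $boundary . $crlf
               . 'Content-Disposition: form-data; name="' . $name . '"; filename="'
               . basename($file['path']) . '"' . $crlf
               . 'Content-Type: ' . $file['type'] . $crlf
               . $crlf
               . $data . $crlf;              // raw bytes, exactly as a browser sends them
    }

    // Closing delimiter: boundary with two trailing dashes.
    return $body . '--' . $boundary . '--' . $crlf;
}

// The value for ab's -T option, so the header and the body always agree.
function multipart_content_type($boundary)
{
    return 'multipart/form-data; boundary=' . $boundary;
}

// Usage: a random boundary avoids clashing with file content, and hex digits
// need no quoting in the shell command printed at the end.
$boundary = 'ab' . md5(uniqid('', true));

$body = build_multipart_body(
    array('ID' => 3),
    array('videofile' => array('path' => '/home/aditya/Videos/my_video.avi',
                               'type' => 'video/x-msvideo')),
    $boundary
);
file_put_contents('/var/www/post_data.txt', $body);

// Print the matching ab command; replace the session id placeholder with a real one.
echo 'ab -n 10 -c 2 -C PHPSESSID=<your-session-id> -p /var/www/post_data.txt -T "'
   . multipart_content_type($boundary) . '" http://my-domain.com/upload.php', "\n";
```

Run it once before each load test: the boundary in the file and in the -T header are produced from the same variable, so the two cannot drift apart, and the content check refuses to write a body that would be mis-parsed by the upload script.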

That’s it. Happy testing.
As always, comments and suggestions are most welcome.

gnuNify 2010 – My Experience

March 17th, 2010 9 comments

Well, a lot of my speaker friends have written about their experience at the just-concluded gnuNify 2010. You can read about them here, here, here and here as well. More or less I also share the same views. So I will follow the DRY principle in this case.

I am writing this post just for the records that I attended gnuNify 2010 as a speaker and delivered sessions on two very important topics in web development.

Abbas and I took some photos of the event in our free time. I have uploaded them on Flickr. Do check them. And feel free to tag yourself if you find your pretty face 😉 somewhere in any of the photos.

Finally, a big thanks to Mr. Harshad Gune and his whole team at SICSR for organizing such a nice event. It was great to be there with you all. See you all at gnuNify 2011 🙂

Speaking at gnuNify 2010

February 14th, 2010 2 comments
gnuNify

19 & 20 Feb, 2010

I will be speaking at gnuNify 2010, which is an annual gathering of techies in Pune. This will be my second conference in as many months in Pune. The first one was PHPCamp.

I had submitted two CFPs this time and both of them got selected. Both the topics are related to my core field of work, PHP. Following is the brief description of what I will be speaking on –

Writing Secure applications in PHP

This is an effort to make PHP developers aware of some common security issues in web applications and ways to avoid those issues by writing secure code.

Scheduled on: 20 Feb. 2010, 10 am – 11 am, Room: 707

Profiling PHP apps with XHProf

Here I will be talking about a profiling tool for PHP applications, XHProf. It will cover installation, usage, viewing and understanding reports, etc.

Scheduled on: 20 Feb. 2010, 3 pm – 4 pm, Room 406

There will be a lot of other interesting talks/workshops. Here is the complete list of sessions you can expect at gnuNify 2010. Visit their site to register yourself as a delegate to attend these sessions.

In case if you have not heard of gnuNify before, gnuNify is –

organized by the students of the SICSR in association with the Pune GNU/Linux Users Group (PLUG) to provide a platform for exchange of ideas and knowledge among the industry professionals, students and academia.

CakePHP workshop at Nagpur PHP Meetup

December 16th, 2009 6 comments

The 6th Nagpur PHP Meetup concluded on December 5, 2009. This time it was more practically oriented and thus the format was changed to a workshop rather than just casual discussions or presentations.

Most of the companies working on PHP in Nagpur are still sticking to old-fashioned PHP programming where PHP and HTML are mixed together, or are at most using a templating system like Smarty to separate their view logic.


Abbas Ali from SANIsoft Technologies, through his workshop titled “Starting with CakePHP Framework”, introduced CakePHP, the most popular PHP framework, to the developers in Nagpur. He started with an interactive session on the need of MVC in programming, separation of business logic and view logic, etc. and then moved on to explain the same in relation to CakePHP.

The actual demonstration then began by showing how to download the framework from the CakePHP website and set it up in the webroot. Since the workshop was about getting started with CakePHP, Abbas chose the ‘Hello World’ of frameworks, The Blog Tutorial. The tutorial started with the creation of the database and tables needed for it. Here, Cake’s Convention over Configuration was discussed in detail. Abbas explained how the naming of database tables and columns can work wonders for your application and then proved it by showing a real working example.

The workshop then progressed with the creation of models, controllers and views to add/edit/index the blog posts. Abbas, along with Amit Badkas, gave their valuable inputs wherever needed while coding the above functionality. The basic CRUD functionality was completed in nearly one and a half hours and with just under 30 lines of code in the controller. Everyone present at the workshop was impressed with the time required and the small amount of code that has to be written to make the whole functionality work.

After the workshop was over, as expected, there were lots of questions regarding components, helpers and various other things which generally everyone writes on their own. The magic of CakePHP had worked and everyone was thinking about most of the things getting done automagically for them. Thankfully, Cake had answers for every question that was thrown at us and we were able to satisfy everyone.

Finally, there were some concerns raised about the security and speed of the CakePHP framework, but then it is up to the developer to use the framework wisely, keep profiling the code, and use caching wherever possible. Using all these things together can ensure the best end result which will make everyone happy.

As always, we discussed the next meetup, which will be on Saturday, January 9, 2010. It was decided that all the future presentations should be more technical, where someone won’t just talk about something but also show how to make use of it by writing actual code. And we are now waiting for Nagpurians to come forward and show their programming skills to everyone.

If you are interested in attending the meetup, drop me a mail with your contact details at aditya @ this domain. And don’t forget to follow me on Twitter for updates on the meetup.