Web App Development - Systems Architecture - API Building - Security Audits

Archive for the ‘security’ Category

HipHop for PHP, Facebook unveils its magic

Tuesday, February 2nd, 2010

After many days of speculation all around the web about Facebook’s rewrite of PHP, today Haiping Zhao from the Facebook team announced “HipHop for PHP”. The basic idea of HipHop for PHP is that it turns the code you write in PHP into C++, which can then be compiled into machine code.

Even though other projects have tried to accomplish the same goal as HipHop for PHP, I believe it is quite safe to assume that Facebook has a large enough user base to produce code that is solid and runs well.

The announcement has been made on the Facebook blog earlier today, and tonight there is going to be the video tech talk that everybody can watch:

This evening we’re hosting a small group of developers to dive deeper into HipHop for PHP and will be streaming this tech talk live. Check back here around 7:30pm Pacific time if you’d like to watch.

A few questions come to mind even though we haven’t seen the code just yet. My main concern, though, is buffer overflows and the security implications of turning PHP code into C++. As they say on the blog, it took 3 developers nearly 18 months to reach a relatively stable version. This is a very short span of time in which to develop a solution used by so many.

Another interest of mine related to this release is how it competes with the likes of phc or Roadsend PHP, if it does at all.

However, I have noticed on their blog that Facebook has also developed HPHPi, which seems to let you use HipHop without having to compile your code before running it (from the few lines of description, the concept seems a bit like APC’s stat on/off switch). That seems like quite an interesting idea for the development stages.

Practical JSON Format Standard

Friday, April 3rd, 2009

Watch out! The semantic web is on the way, a thought that many (and not just the marketeers) may find daunting. Why? Because system and web app developers who want to take advantage of the semantic web will need to learn a lot of new standards and change the way they work.

I have been studying and working with web standards (XHTML, RDF, ATOM, RSS) for well over 4 years now, something I am glad of, because recently something struck me. Conventions are arising, for example DOAP, SKOS and others, that are built on top of the Resource Description Framework, otherwise known as RDF; where they aren’t, they are usually built on something very similar or related.

IIA Web Development Working Group

Monday, January 26th, 2009

Today the Irish Internet Association announced the setting up of a new working group for web development. The main aim of the group is to educate decision makers on the web development process. This will cover areas such as server-side technologies, front-end technologies, development processes, best practices and standards in web, security and data protection.

Anyone who has ever worked with a client to build a web site or web application will know that there are areas where the client could benefit from a better understanding of what is involved in the development process. Ultimately, when a client is better advised in these areas, they can make more informed decisions. This can also be beneficial to the development company or freelancer, as it ensures better communication from the beginning of a project.

Twitter, user privacy, its implications

Wednesday, January 7th, 2009

Over the past number of days a few issues have arisen around Twitter’s security. Most of the security “problems” discovered were either minor or required a high level of social engineering. One thing that has been realised, and that is becoming common knowledge, is that once you are logged in to Twitter, as soon as you visit another web site, that other site can make an Ajax request and retrieve your user profile.

Personally, I believe that this will be one of the features of web3.0*: the ability to have a single login, never having to log in anywhere else, and having your profile recognised (OAuth, OpenID, etc.). We could almost call it browser-identifiable security, where one browser window (with as many tabs as you want) is associated with a single account and all websites you visit know about you and your information. The idea itself is very neat, but it brings with it issues around user privacy.


Skitch.com, security alert? Alert the team

Tuesday, December 9th, 2008

About two weeks ago I was uploading something to skitch.com and saw an inline button. So, being a security person myself, I decided to try some XSS on their fields. After 1, 2, 3, 4 tries, I was able to load some of my JavaScript from a remote host, and the nice thing was that this was a public URL. So for fun I sent the URL to a few friends. What that script was really doing was taking their cookies, writing them to a file on my server and sending them back to the main page of Skitch. So basically what people told me was that the link didn’t work and they were sent to the main page. In the meantime I was finishing my PoC by editing my cookie with their cookies. After about 10 minutes I had changed their first name and last name.

About this blog

We like to blog about things we're passionate about. We love PHP, MySQL, CouchDB, Linux, Apache - web development standards. We also like writing about building web apps and working with web technology.
You can email us on freedom@echolibre.com

Follow us on Twitter

Eamon Leonard - @EamonLeonard
David Coallier - @DavidCoallier
Helgi Þormar Þorbjörnsson - @h
J.D Fitz.Gerald - @jdfitzgerald
Noah Slater - @nslater
Court Ewing - @courtewing


echolibre limited is registered in Ireland, company number 451576. Directors: Eamon Leonard, J.D Fitz.Gerald. Registered Office: 64 Dame Street, Dublin 2, Ireland.