When I say “you need to learn JavaScript,” I don’t mean “learn how to copy and paste an example,” or “learn how to generate JavaScript with PHP.” I mean learn it as well as you already know PHP — or better.

Why? Because JavaScript drives rich clients, and all indications are that clients will be getting richer. You won’t be able to get away with just adding small snippets of JS to add tooltips and simple animations. Complex processing and UI management will require real knowledge of how to write JS, and how in [sic] interacts with the client’s APIs — the DOM, local storage, networking, OS features, and more.

And I will add: not jQuery, not MooTools, not Dojo, but real, actual, JavaScript (and DOMScripting). Finkler tells you why and points you to some resources for learning more.

PC: Developing Web applications in Arabic requires special care. What are the most important concerns and what components do you provide to address those concerns?

KA: Besides the search issue presented above, some of Arab countries use Hijri calendar instead of Gregorian calendar. So I developed classes to convert dates between those two calendars, as well as an Arabic version from date and strtotime PHP functions. … Another issue that is handled in this project is related to rendering Arabic text correctly in some libraries like GD, PDF, SWF and even VRML.

This interested me simply because it raises awarness of cultural, linguistic, and character set challenges that monolingual developers, or Western character set developers don’t often think about. [Via PHP Developer]

Uses PHP’s native str_word_count() function.

function select_number_of_words($input,$number_of_words){
	$output = '';
	$input = strip_tags($input);
	$input = str_word_count($input,1);  // second parameter returns the string as an array.
	for($i=0; $i< $number_of_words; $i++){
		$output .=$input[$i].' ';
	}
	return trim($output); // cut off the last space.
}

For this tutorial, you will need:

• A Zen Cart-based shopping cart
• A Google Analytics account and the tracking code for both conversions and page views.
• Experience with PHP and MySQL programming

Also check out Google’s support article How do I track e-commerce transactions? and become BFFs with the Zen Cart wiki.

Creating a custom functions file

Create a file to house your custom functions. Name it whatever you’d like (with a PHP extension, of course). Put it in your includes/functions/extra_functions/ directory.

A word of caution: I created these functions with my own SQL, outside of the Zen Cart framework. There may be a better way to do it.

In the file you created above, add the following code:

# get the product ID out of session key
function custom_get_prodId($productkey){
	$pid = explode(':',$productkey);
	return $pid[0];
}

#get the product data
function custom_get_product($prodID,$return='all'){
	global $db;
	reset($data);
	$q = sprintf("SELECT
			pd.products_name,
			pd.products_description,
			cd.categories_name, p.products_price
			FROM categories_description AS cd, products AS p, products_description AS pd
	 		WHERE  p.products_id = 183
   				AND p.master_categories_id = cd.categories_id
   				AND p.products_id = pd.products_id",$prodID);
	$res = $db->Execute($q);
	return $res->fields;
}
# get the current user's data
function custom_get_userinfo($custID){
	global $db;
	reset($data);
	$q = sprintf("SELECT
			ab.entry_street_address,
			ab.entry_postcode,
			ab.entry_city,
			ab.entry_state,
			c.countries_name,
			c.countries_iso_code_2
			FROM address_book AS ab, countries AS c
			WHERE customers_id=%d
			   AND ab.entry_country_id = c.countries_id
				  ",(int)$custID);
	$res = $db->Execute($q);
	return $res->fields;
}

Adjust the names of the tables if you have added a custom table prefix during your Zen Cart configuration. We’ll use these functions to get us the user data and product data we need.

Edit the checkout success and global footer files

Add the conversion tracking code — provided by Google Analytics — to the checkout success page template. It’s located in your templates directory, includes/templates/YOUR_TEMPLATE_DIR/templates/tpl_checkout_success_default.php.

Also add the regular Google Analytics tracking code to your footer file (found in includes/templates/YOUR_TEMPLATE_DIR/common/tpl_footer.php).

Below your Google Analytics code, but also in your footer file, add the code below.

<?php
# do this on the checkout success page only.
if($_GET['main_page'] == 'checkout_success'): 

$userdata = $_SESSION['cart'];
$moreud = custom_get_userinfo($_SESSION['customer_id']);
?>
<script type="text/javascript">
pageTracker._addTrans(
    "<?=$userdata->cartID; ?>",
    "www.YOURDOMAINNAME.com",
    "<?=$userdata->total; ?>",
    "",
    "<?=$_SESSION['shipping']['cost']; ?>",
    "<?=$moreud['entry_city'];?>",
    "<?=$moreud['entry_state'];?>",
    "<?=$moreud['countries_name'];?>"
  );
<?
# for each product ID key in the userdata session
foreach($userdata->contents as $k=>$v):
	/*
	the product id gets stored as an array key as xxx:funkymd5key
	ex: 183:fw920e8ktw327uio67xew9mn. custom_get_prodId extracts
	the product id part of that key.
	*/
	$pid = custom_get_prodId($k);
	$data = custom_get_product($pid,'all');
?>

 pageTracker._addItem(
    "<?=$userdata->cartID; ?>",
    "<?=getProdId($k); ?>",
    "<?=strip_tags($data['products_name']);?>",
    "<?=$data['categories_name'];?>",
    "<?=number_format($data['products_price'],2);?>",
    "<?=$v['qty']; ?>"
  );
<? endforeach; ?>
pageTracker._trackTrans();
</script>

<?php endif;
} // flag_disable_footer
?>

News of a vulnerability in the Snoopy open source PHP library has surfaced. WordPress uses the Snoopy library to power feeds in administration section’s Dashboard.

A fix — WordPress 2.6.3 — was released today. You can download the entire package, or just download the two affected files and upload them to your server.

Jay Pipes of MySQL AB and co-author of Pro MySQL, comes to Atlanta this month to present “Join-Fu: The Art of SQL.”

I’ve seen Pipes speak before, and his presentation was incredibly informative. If you do a lot of development with MySQL, you should definitely attend.

Related:

• Jay Pipes’s Slides for Join-Fu: The Art of SQL (I and II) (I do not know whether this will be the same talk as the one Pipes will give next month.)
• RSS for Tech Events

This year, though, the conference has an added bonus: PyWorks, a conference devoted to Python. Registering for one conference allows you to attend both.

Both conferences have an open call for papers, which ends July 25, 2008. Registration costs $599 (discounts are available).

RSS: Tech Events

The line feed (LF) and carriage return (CR) characters (and their hex code equivalents (%0D and %0A) are forbidden in CodeIgniter’s framework. The hard part is tracking down exactly where that extra line break character lives.

In my case, there was an extra line of blank, barren, not-all-that-obvious white space at the very, very end of one of my controller files, just after the closing ?>.

Related:

• PHP header error messages
• Four common P H P errors and what they mean

I developed this PHP function for a project I’m working on. I’m posting it here in case I need it again, or in case you find it handy.

#Input text files must contain one item per line
function print_menu($txtfile_or_files){
	$args = func_get_args();
	$num_args = func_num_args();
	$input = array();

	for($i = 0; $i < $num_args; $i++){
		// get contents of each text file specified
		$lines = file($args[$i]); 

		// get each line from each file an add to array
		for($j = 0; $j < count($lines); $j++){
			array_push($input,$lines[$j]);
		}
	}
	// sort alphabetically
	sort($input,SORT_STRING);		

	for($i = 0; $i < count($input); $i++){
		$value = str_replace(' ','_',strtolower(trim($input[$i])));
		echo '<option value="'.$value.'">'.trim($input[$i])."</option>\n";
	}
}

Configuration and use

The variable $txtfile_or_files should be a comma-separated list of paths to plain text files. This function accepts multiple arguments, in case you want to string multiple files into one menu.

Each text file should contain one item per line. For example:

Red
Blue
Orange
Green

Add another line or two of code if you need to indicate whether the form field value has already been selected.

Yeah, as I type this, I’m getting hit with an attack. I’m not precisely sure of the motive. I just know that there are two directories on my server that should not be there and the attack appears to be coming through a specific URL. It’s been happening for several days nowIt just started today, according to my server logs, and the attacker is using / attempting to use PHP functions that interact with the shell.

He was also able to grab a whole bunch of data about my server as you can see from the above-linked code. I have my suspicions about how it is getting through, but nothing I can prove just yet. I’m going to look into it and see what I can come up with.

In the meantime, I’m just going to ask nicely that he (assuming this is a guy) please, please stop, and don’t mess up any of my stuff while visiting.

And please take steps to disable certain system-affecting functions in your php.ini file (if you have access).

UPDATE: This crack appears to involve a ShellBOT as well.

UPDATE 2: ShellBOTs are bad. Apparently they open a connection to an IRC server allowing all kinds of nasty things to happen. So hoping nothing serious was compromised.

UPDATE 3: Interesting to know: when working in the shell, your file name does not need to have the ‘proper‘ extension that it would on a web server in order to be executed.

Let’s say you have a plain text file named ‘hello.txt.’ It contains one line: <?php echo 'hello world';?>. In order for this file to run as a web page, it would need to have a .php (or whatever is designated in your server configuration file). But as a shell script, it could have just about any name and still be executed by typing ‘php hello.txt’ at the command line.

In this case, the attacker grabbed (or attempted to grab) a ShellBOT written in Perl from another server (file name b.txt) and execute it by sending the ‘perl b.txt’ after the wget command.

UPDATE 4: I’m pretty sure my suspicions have been confirmed. It seems that at least one other person has had an issue with WP Super Cache opening their server to attack. I suspected this early on, and deleted the plugin and its associated files. As an added measure, I disabled those functions that can execute system commands. So far, so good. I can’t say my server is now secure, but I’m hoping that hole has been filled.

PHP supports more than a dozen database setups, including the SQLite library bundled with PHP 5. That’s a lot of databases, and each one has its own connection syntax and server-specific functions.

So what happens when you want to be able to swap one database for another? You turn to an abstraction library, such as PDO.

In Learning PHP Data Objects, Dennis Popel takes you through the process of building an application using PDO with MySQL and SQLite.

Aimed squarely at PHP developers who are new to PDO, Popel covers how to make connections, handle errors, and use prepared statements with PDO. He also discusses transactions, MVC development, and the appropriateness of using PDO versus other abstraction libraries.

Where Learning PHP Data Objects shines, however is in its code examples. They are easy to follow, and Popel smartly alerts readers to potential gotchas in developing the sample application.

The book assumes an understanding of OOPHP — necessary because PDO is entirely object-oriented. To get the most out of it, you should be familiar with object-oriented principles and syntax. While Appendix A does give readers a quick overview of OOPHP, for a more thorough treatment, you’ll need to look elsewhere.

It’s a solid, though not quite perfect book. For example, Popel only sort-of mentions a potentially huge gotcha: when you may need to specify a unix_socket parameter in the connection string. It’s a problem I think would be common enough and confusing enough to discuss and demonstrate. I also think Popel could have been a bit clearer about when and why to use PDOStatement->closeCursor().

Those are minor quibbles however, easily solved by consulting the documentation or doing a Google search. Overall, this book is nice introduction to the whys and hows of using PDO to develop database driven applications.

It’s counterintuitive to a degree, but it’s actually expected behavior. The good news is that the fix is easy. Simply include the unix socket path in your connection string.

$connection = new PDO("mysql:host=localhost;dbname=test;unix_socket=/path/to/socket/found_in_php.ini_or_my.cnf",'username','password');

Related: Notes from “Introduction to PDO,” a talk by Ilia Alshanetsky at NYPHPCon 2006.