There are quite a lot of posts on how to do this, but my differs a tiny little bit, so I’m saving it for my own future reference, and also for the benefits of the wider audience.

I am updating a multisite Drupal 6 installation. To the best of my knowledge, the only difference for Drupal 7 is that instead of the site_offline D6 variable the maintenance_mode variable is used in D7.

On Debian stable and later, you can sudo aptitude install drush and then just use it immediately after that.

Note: I recommend su webuser (or sudo -s followed by sudo -s -u webuser) before you run any non-testing drush commands, where webuser is the user which owns your web-exposed files (e.g. Debian’s default is, I think, www-data). I’ve seen a lot of recommendations to run drush as a super-user, but that does not make sense, and may actually cause problems with file ownership.

One last thing before we start: if your drush seems to work fine but hangs when untarring modules – check this solution.

Read the rest of this entry »

Production: see http://www.howtoforge.com/how-to-set-up-apache2-with-mod_fcgid-and-php5-on-debian-etch – it is for Debian Etch (which is old-stable), but many of the steps apply equally well to Debian Lenny (current-stable). Also, this is a very basic guide, as if you are going to host multiple sites from multiple clients, you most definitely will need some hosting control panel.

Development: see http://www.ruzee.com/blog/2009/01/apache-virtual-hosts-a-clean-setup-for-php-developers. This setup works very well, unless you need to create several virtual hosts every day – in which case necessary actions could be partially scripted.

Stimulated by a bug in a complex and unfamiliar web PHP application with heaps of custom tweaks by other programmers, I decided to try a more professional approach to PHP programming and debugging than the standard var_dump() and family.

As a result, I’m now using Eclipse PDT with Xdebug and Xdebug Helper (Firefox extension). Now I don’t understand how I used to debug my PHP programs before!

After proper configuration (I’m using local Apache, but it is also possible to debug remotely), my work flow is rather simple:

• use my web-app as usual, e.g. tweaking and testing here and there
• if something server-side goes wrong: click the XDebug helper icon in Firefox, and perform some server-request action (e.g. load a page)
• debugging is started in Eclipse PDT, where I can step through the code, set breakpoints, and examine all variables
• as soon as the problem is fixed – click the XDebug helper icon again to continue using the site normally (w/o invoking the debugger)

It takes some time to get used to, but then it’s a breeze.

Some advice:

• don’t use apt-get/aptitude to install Eclipse; it will be much easier both in the short and long run to use some all-in-one package from the Eclipse PDT site; all you need to do – download, extract, run!
• before actually starting to do anything, tweak the eclipse.ini file by increasing heap size from 40 MiB (default) to some larger value (I used 128MiB). If you don’t do this, then at some point your debugging will become painfully sloooow, and then you’ll start getting tons of “out of heap memory” errors, each one suggesting that you quit Eclipse immediately
• install XDebug with apt-get/aptitude – worked perfectly, and there’s /etc/php5/conf.d/xdebug.ini not to mess with php.ini
• do read XDebug guide for PDT 2.x (I’m assuming you got the 2.x version); it should be the only document you will really need to configure everything

I only wish Eclipse was faster – that is, written not in Java but e.g. C or C++.

Since some WP release, the comment author’s link in comments is broken – it has ‘ external nofollow’ attached straight to the href attribute (which breaks the link).

I assume that the problem is caused by Google Analytics, namely the “track outgoing clicks” feature (as recalled, might be inaccurate feature name). “Track outgoing links” adds some JavaScript code to all outgoing links, and that script has tick characters like this one ‘ which, incidentally, are also used for delimiting the values of comment anchor tags.

To fix:
Read the rest of this entry »

Yesterday I had a look at mod.email.php – the Email module of ExpressionEngine CMS.

It appears that it is very easy to use ExpressionEngine’s contact form (which uses Email module) to send emails to arbitrary addresses – simply put, send spam using someone’s EE.

And here’s why:

• recipients hidden field is passed to the client; it is encrypted, but with access to the mod.email.php code, it is a matter of several minutes to write your own email-encoding function which will produce a completely valid recipients field
• there’s also XID field, which seems to be unique for each page load

Spamming algorithm is clear, so I won’t elaborate. (I could have missed some session variables, though – didn’t check them.)

This information is valid as of ExpressionEngine 1.6.6, but nothing in the change-logs indicates that this mechanism was modified in the newer versions of EE.

Update: I’ve tested, and this vulnerability does exist. The simplest prevention measure is to enable Captcha for Contact Form.

I’ve notified the developers.

Note: this post is based on the comment by Simon, who generously shared his experience.

Step-by-step:

• Download the compiled ffmpeg with libmp3lame support (direct download links: older version ffmpeg.with.lame and newer version ffmpeg.2007-10-28.with-libmp3lame-support).
• Rename the downloaded executable file to “ffmpeg” (no extension), upload it to the directory on your server (in this example /home/myusername/).
• Download libmp3lame.so.0.
• Upload libmp3lame.so.0 to the same directory where you placed ffmpeg in.
• Create a php file with the following code (remember to change the paths to your own, where you actually uploaded binaries in previous steps):
  1. <?php
  2. exec("export LD_LIBRARY_PATH=/home/myusername/");
  3. echo passthru("/home/myusername/ffmpeg -formats");
  4. ?>
• If you access that PHP file with your browser, you should be able to see a list of formats which are supported by ffmpeg, and if you find “EA libmp3lame” somewhere in the output, then it means you now can Encode Audio in libmp3lame!
• If that doesn’t work for you: LD_LIBRARY_PATH can be a protected variable in PHP (you can check for this by searching for the “safe_mode_protected_env_vars” value in phpinfo() output). The workaround here can be to write your commands to a file from php, then chmod that file with 0755 permissions (rwx-rx-rx), and run the file through exec(). In this way, PHP is not changing the LD_LIBRARY_PATH, but telling the server to run a file, which tells the server to change it. This method worked for the original author of these instructions.

For passing arguments to the PHP wrapper script – check out PHP’s $argv variable (more on this here). If you decided to use shell-script as a wrapper for “export LD_LIBRARY_PATH”, then using $1, $2 etc will allow you to pass parameters to the shell script, e.g. in the example below

you could pass “input file” as first argument, “parameters” as second and “output file” as third to make such a wrapper script work.

Most frequent use: convert database from latin1_swedish to utf8_general_ci.
Original script found at: MySQL and UTF-8.

Update: the original script had an error, it would generate queries likes this one (note the bold part):

ALTER TABLE `links` CHANGE `link_rel` `link_rel` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT NULL;

This is clearly wrong syntax (and logic). I fixed this by making comparison to NULL strict (with three equal signs instead of two):

// Does the field default to null, a string, or nothing?
if ($row['Default'] === NULL)

Update 2: based on comment by banesto, I modified the script; now it does not require specifying the from_collation, it’s sufficient to specify to_collation (which will be used for all the fields and tables). The modified code is:

if ($row['Collation'] == ” || $row['Collation'] == $convert_to)
continue;

Update 3: the long-lasting, re-appearing NOT NULL DEFAULT NULL problem is finally fixed.

Update 4: incorporated Russ’s fix to skip numeric fields (in order to leave autoincrement values intact).

Here’s the script itself: (to copy-paste: first click the “Plain text” header)
Read the rest of this entry »