...composed of an indefinite, perhaps infinite number of hexagonal galleries...

© 1994-2017. David Sklar. All rights reserved.

PHP 5 Bootcamp at Big Nerd Ranch

I’m going to be teaching a PHP 5 Bootcamp at Big Nerd Ranch in October. I think the Big Nerd Ranch approach of technical immersion in luxury surroundings will be a lot of fun!

OSCON Slides

The slides from my OSCON talks are available. The HTML_QuickForm material is at

and the SOAP material is at

PHP Certification

Zend recently announced its Zend PHP Certification program. (I helped out on the advisory board to come up with the certification test.)

This is an encouraging step for the mainstream and commonplace use of PHP. Certifications certainly aren’t an iron-clad guarantee that someone is a superstar programmer, but they can be helpful in the resume-weeding, interviewing, and hiring process.

If you’re going to be at OSCON next week, you can take the certification exam at a discount. Sign up at”, choose test center “Oregon: Zend Technologies - Mobile1”, and use discount code OSCON2004.

PHP 5, Xdebug 2, and KCachegrind on Windows

I think Xdebug is swell. It provides much helpful insight on what’s happening inside your PHP programs and makes me a speedier bug-finder and bug-fixer.

One of the big changes between Xdebug 1 and Xdebug 2 is in profiling output. In Xdebug 1, profiling output is displayed when you call the xdebug_dump_function_profile() function. You can put it at the bottom of the page you’re profiling, or stick it in a popup window with some fancy JavaScript and output buffering footwork. You can also have the debugging output written to a text file.

Xdebug 2 goes a different route. Instead of generating plain text or HTML profiling reports, it produces a profiling data file in Calltree Profile Format. This is meant to be read by a program like KCacheGrind.

While this makes the profiling data a little less immediate, because you have to fire up a separate application to view it, it also makes the data much more useful. KCacheGrind displays graphical call trees, provides for sorting the profiling data in various ways, and is in general a very flexible and powerful app for this kind of data analysis.

For a while, though, I was out of luck, since KCacheGrind requires KDE, which I assumed only runs on Linux. However, once I found the KDE on Cygwin project, getting KCacheGrind up and running on Windows was a snap.

I just followed the instructions and everything installed in a few minutes (I already had Cygwin installed). KCacheGrind is in the kdesdk package. One thing to watch out for: The KDE/Cygwin installation instructions tell you to run “rebaseall” after installing. This shell script uses Cygwin’s rebase.exe program. Visual Studio .NET also ships with a rebase.exe executable with different command line syntax, so make sure your path is set up (or edit /usr/bin/rebaseall) so that the Cygwin version is called, not the MS version.
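One way to check which rebase.exe the shell will actually pick up before running rebaseall, as an added example that is not part of the original post. The function names find_in_path and check_first are made up for this sketch; /usr/bin is the Cygwin location named above.

```shell
# Added example: show every copy of a program on a PATH-style string, in
# search order. The first hit is the one the shell runs; later hits are
# shadowed by it.

# find_in_path NAME [PATHSTRING]  -> prints one full path per line
find_in_path() (
    # Body runs in a subshell so the IFS and globbing changes do not leak.
    name=$1
    search=${2:-$PATH}
    set -f          # do not glob-expand directory names while splitting
    IFS=:
    for dir in $search; do
        # An empty PATH entry means the current directory.
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# check_first NAME EXPECTED_DIR [PATHSTRING]
# Returns 0 if the first match lives in EXPECTED_DIR,
#         1 if a copy in another directory shadows it,
#         2 if NAME is not on the path at all.
check_first() {
    first=$(find_in_path "$1" "${3:-$PATH}" | head -n 1)
    [ -n "$first" ] || return 2
    [ "$first" = "$2/$1" ] || return 1
    return 0
}

# List every rebase.exe on the current PATH, first match first.
find_in_path rebase.exe
```

From a Cygwin shell, `check_first rebase.exe /usr/bin` returning 1 means another rebase.exe sits earlier on the path than Cygwin's copy.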

Learning PHP 5

My third book, Learning PHP 5, is just about done. It’s a straightforward introduction to building dynamic web sites with PHP for folks who have no PHP experience and little or no programming experience.

It starts with the basics of how PHP talks to your web server and web browser and works up to form handling, database access, sessions, XML, and more.

You can pre-order it or read more about it. It should be in stores in July.

HTML_QuickForm talk at NYPHP

At this month’s NYPHP meeting on May 25, I’m giving a talk on HTML_QuickForm. The meeting is at 6:30 pm at Digital Pulp, Inc. (220 East 23rd Street, Suite 900).

My talk covers:

- Working with different element types

- Validating input with built-in and custom rules

- Processing submitted form data, including file uploads

- Customizing form display with the default renderer

With HTML_QuickForm, a form is a logical collection of typed form elements instead of an undifferentiated blob of HTML. This makes it simple to decide dynamically what elements go in a particular form, to assign appropriate error messages and validation rules to individual elements, and to control the form layout in a systematic way across an entire site.

Instead of relying on ad-hoc functions and methods for tasks like checking whether required form fields are filled in, preserving a default value in a dropdown menu, or adjusting the style attributes of form elements, use HTML_QuickForm for a simple, structured approach to form management.

Pollute the Pirated Software Pool, Part II

About eight months ago, I wrote a blog entry about the possibility of malware posing as pirated mainstream software. A recent MacWorld article describes it actually happening. A file available via Limewire pretends to be a demo of Word 2004 for the Mac. When you download it and run it, it wipes your files.

How many people out there who would never click on an attachment in a strange e-mail run programs that they find on P2P networks? It’s all untrusted data and it’s just going to get worse.

Hamlet, a temporary variable from Denmark

The Shakespeare Programming Language is both funny and an excellent example of the arbitrarily expressive power of source code.

DRM and the False Privacy of Email

Much of the Gmail-inspired outrage has focused on what happens to email messages sent by non-Gmail subscribers to Gmail subscribers. “If you want to sign up to have Google’s version of SkyNet scan your messages for ads,” some objectors say, “that’s fine, but don’t involuntarily subject me to that scanning just because I send you a message.”

That is, Gmail subscribers themselves may willingly opt-in to whatever onerous TOS Gmail provides, but third party correspondents are afforded no such opportunity, nor should they have to.

This faulty objection springs from the seductively misleading “privacy” of email.

When I send you an email message, that message is out of my control the instant I send it. This is a lesson that has been learned by countless Internet users who accidentally include someone they’re mocking on a CC: list, mistakenly send personal correspondence to a mailing list, or send something so outrageous that their friends can’t keep it to themselves and it ends up in the New York Times.

It is this last circumstance that is most relevant to the Gmail debate. The custodianship of email messages you send lies with the recipient. Shared values of (on- and off-line) etiquette, friendship, and sociability usually govern that custodianship acceptably. When I share sensitive personal thoughts with friends, whether via e-mail, phone, or good old face to face conversation, they don’t rebroadcast those thoughts to others. Not because of a legal requirement or a Terms of Service agreement, but because of our friendship. Even handwritten letters (with ink and paper, remember those) are subject to unauthorized distribution. In a professional context, I choose to whom and how I disclose confidential or sensitive information based on my judgement about the trustworthiness and motivations of the recipient of the information. A non-disclosure or other legal agreement helps, but doesn’t prevent disclosure. It just makes punishing the disclosure easier.

The technology that underlies e-mail doesn’t remove the need for the same kind of social guidelines for how it is used. If I find the computerized scanning of e-mail text to generate context sensitive ads repellent (which I don’t), then I must balance my repulsion with my desire to communicate with It is certainly impractical for me to familiarize myself with the practices of all handlers of all destinations of all email messages I send, but that is not a new problem.

When you send someone an e-mail message, what do you know about the server that it eventually ends up on? Do you trust the administrators of that server? Where do that server’s backups live? Who is the night manager at that off-site storage facility? All of these unknowns certainly affect your privacy as an e-mail author. These mysterious individuals and locations guard your prose. Any one of them could give or sell it to the world.

Encrypting your correspondence doesn’t really buy you much more bulletproof protection. Yes, a PGP encrypted e-mail message gives you some protection against snoopers while the message is in transit and probably guarantees that the first person to read the decrypted message is your chosen recipient. But what happens then? Does the recipient save a plain text copy of the message to his computer? Forward on the decrypted contents to others? The same social necessities and system administration unknowns apply.

So, how to prevent nefarious, rude, encryption-inexperienced, or just plain disagreeable correspondents from making (dare I say it) fair use of your email messages that you don’t like? One way is to cuddle up to the DRM boogeyman. If the Internet has made everyone a publisher, no personal printing press turns out more content than the email client. Individual publishers of email now have something very much in common with the media behemoths that want to squash song sharing. The same technology that is derided for putting restrictive encumbrances on legally acquired PDFs, DVDs, and MP3s could also prevent perceived villains like the Gmail ad-bot from operating on your lovingly crafted email content.

Such a restrictive solution is as bad a policy for email as it is for most other digital content. Email authors must realize that they give up control when they send an email. This has always been true, but perhaps the Gmail fuss makes it clearer.

Over and over again, I read and hear that the communication implications of the Internet mean distributed publishing power, grassroots efforts, infinite channels, reduction in centralized control, insert starry-eyed phrase of choice. If true, this applies to everyone, not just large corporations. If we are publishers, we all must give up some control of our creations.

Efficiency is not one-dimensional, part MMDXXI

In a discussion of the varying levels of efficiency in different web server configurations, Adam Trachtenberg writes, in part:

We've long since passed the inflection point where hardware resources
are more expensive than business objectives and developer costs, yet
we still persist in undervaluing those two assets. Just because
hardware has a tangible price doesn't mean that it's the only part of
the process with a cost.

Well put. Read Adam’s entire message.