Author: David Goodwin

This will end my fit of blogging diarrhea. Honest.

On Saturday, I ran to Kidderminster (21 miles in total). It went quite well, although my left thigh ached a little and I got a sore groin. Afterwards I also noticed my feet were aching on the outside of my sole (they don’t normally)….

Yesterday morning I went running again, only for 30ish minutes and found my thigh seemed worse and my right knee was unhappy too. And my lower back aches a little.

I’m wondering if my new running shoes are responsible – or if it’s just because I somehow pushed myself too far on Saturday (considering my running routine has been a mess for the last month with me rarely managing to run more than twice a week (i.e ~8-10 miles if optimistic)). I was going to write “I read somewhere” but I ended up looking for the site instead. This article I read at https://www.anipots.com talked about using Organic CBD Nugs for certain pains that occur in runners. I’m not sure I want to take something for it just yet, there’s still a possibility I pushed myself to hard, as I mentioned. I hope it goes away on its own and I can find a good balance of time, distance, and rhythm to my runs. What would make me most unhappy is to find I have done some permanent damage to my back, my knees or my ankles by wanting to go out there and being healthy. I… well, you’d read a very angry blog post about it, that’s for sure.

Stay tuned. Or not. Today and tomorrow will be run-free days in the hope something will repair itself.

Why do some programmers not ensure data is escaped for the right output ‘layer’… today I came across some legacy code which appends strings together to create a CSV file – it went along the lines of  :

$line .= $foo . ‘”,”‘ . $bar . ‘”,”‘ . $etc…. . “\n”;

There was no attempt at escaping the data being embedded, so if it contained a ” (which I know some records do) it will/would fail (yes, one premises has “…” in it’s name, and it’s caused us problems already with similar code).

The easy answer in this instance is to use PHP’s fputcsv() function (which has been around since 5.1).

What other demons are lurking there waiting to cause trouble I wonder?

(See also my random tweet linked to this)

If you want to allow WordPress to pass it’s HTTP requests through Squid (for security or whatever), edit wp-includes/class-snoopy.php and set the necessary details.

Shame WordPress doesn’t just have a configuration option or something for it. (

While updating some security training materials, I thought I’d include some more information on OpenId – with the hope of demonstrating how the typical username/password mess which web applications create can be countered (for example see here )

So, being a PHP type, and having seen that the Zend Framework supports OpenId, I thought I’d create a simple demo. The documentation looked good, and I quickly got a test script online (see below). So – to test it, I thought I’d try using Google as my OpenID provider (afterall StackOverflow does) and I obviously have a Google account.

So, the Zend Framework gives the following test code :

<?php
require_once(dirname(__FILE__) . '/Zend/OpenId/Consumer.php');
require_once(dirname(__FILE__) . '/Zend/OpenId/Extension/Sreg.php');
$sreg = new Zend_OpenId_Extension_Sreg(array(
 'nickname'=>false,
 'email'=>false,
 'fullname'=>false), null, 1.1);
//echo file_get_contents('https://www.google.com/accounts/o8/id');
$status = "";
$consumer = new Zend_OpenId_Consumer();
if (isset($_POST['openid_action']) && $_POST['openid_action'] == "login" && !empty($_POST['openid_identifier'])) {
 if (!$consumer->login($_POST['openid_identifier'], null, 'http://*.palepurple.co.uk', $sreg)) {
   //echo $consumer->getError();
   $status = "OpenID login failed.";
 }
} else if (isset($_GET['openid_mode'])) {
 if ($_GET['openid_mode'] == "id_res") {
   if ($consumer->verify($_GET, $id, $sreg)) {
     $status = "VALID " . htmlspecialchars($id);
     var_dump($sreg->getProperties());
   } else {
     $status = "INVALID " . htmlspecialchars($id);
   }
 } else if ($_GET['openid_mode'] == "cancel") {
   $status = "CANCELLED";
 }
}
?>

<html><body>
<?php echo "$status<br>" ?>
<form method="post">
<fieldset>
<legend>OpenID Login</legend>
<input type="text" name="openid_identifier" value=""/>
<input type="submit" name="openid_action" value="login"/>
</fieldset>
</form>
</body></html>

Which doesn’t work if you try to use https://www.google.com/accounts/o8/id [Google’s OpenID provider URL]. It just fails with a hopeless “Discovery Failed” error message. I spent an hour or two poking it, and making fruitless Google searches (or so it seemed). Then I gave up and tried using a different provider – success.. it all works.

Various postings imply there is/was a problem with the Zend Framework’s OpenId consumer – although to start with I thought it might have been due to my local PHP configuration (E.g. lacking support for openssl/mhash or something else, but this wasn’t the case). See also this and this

Thankfully the code does work when using other providers – e.g. MyOpenId. One nice feature of OpenId, which I wasn’t aware of, is that you (the web client application) can also request e.g. nickname, name, date of birth and country of residence from the OpenID provider (which is what the Zend_OpenId_Extension_Sreg stuff is all about – I’ve made the request parameters all optional, otherwise you get an auth failure when the provider doesn’t return the data you require).

Anyway, it’s really, really, easy to do. Shame about the poor support for Google though.