Since I wanted to test this new API and didn’t knew how to test it, I decided to do something silly. I wandered how it would be like to have someone read me in realtime all the tweets about a given keyword. This is the part where the Mac OS X built-in text-to-speech comes in.

The result was a PHP script that called the OS X "say" command to read the realtime Twitter stream.

The code is very simple:

<?php
$username = 'TWITTER_USER';
$password = 'TWITTER_PASSWORD';
$keyword = 'twitter';

$fp = fopen("http://$username:$password@stream.twitter.com/1/statuses/filter.json?track=$keyword", 'r');

while($data = fgets($fp))
{
	$res = json_decode($data, true);

	$user = $res['user']['screen_name'];
	$tweet = $res['text'];

	echo ("$user says: $tweet");
	exec (escapeshellcmd("say $user says: $tweet"));
}

fclose($fp);
?>

Note the escapeshellcmd function that saves you from being owned in case someone “accidently” tweets something like ";rm -rf ~/".

You can just run this script in terminal, but first change the username and password to match your twitter account, and keyword to something you want to search.

Now you can annoy everyone at your workplace, with a voice reading out loud all your (not so) interesting tweets.

PHP Warning:  Directive 'register_long_arrays' is deprecated in PHP 5.3 and greater in Unknown on line 0
PHP Warning:  Directive 'magic_quotes_gpc' is deprecated in PHP 5.3 and greater in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './gd.so' - dlopen(./gd.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mbstring.so' - dlopen(./mbstring.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mcrypt.so' - dlopen(./mcrypt.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mysql.so' - dlopen(./mysql.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './mysqli.so' - dlopen(./mysqli.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './pdo_mysql.so' - dlopen(./pdo_mysql.so, 9): image not found in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library './zip.so' - dlopen(./zip.so, 9): image not found in Unknown on line 0

This seems to be a very common problem after the update. It occurs because most of the configurations in /opt/local/etc/php.ini are now obsolete with PHP 5.3.

So if your update went well, you should have two samples of php.ini in the mentioned folder. One for production and the other for development. To fix this problem just rename you current php.ini file to something else, and then rename one of the samples to php.ini. Restart apache and voilá. PHP cli is back with no warnings and all the installed libraries available.

I’m currently updating the add-on to 3.5, improving the user interface and maybe add some new feature. But for now if you wish to use the extension with Firefox 3.5 you can use a little hack that works with no problems.

Just locate your Firefox profile folder, and then open the extensions folder inside it. There will be one folder with the word “hashr” in the name. Open it an edit the file install.rdf.

Inside the file locate the following lines:

<em:minVersion>1.5</em:minVersion>
<em:maxVersion>3.0.*</em:maxVersion>

And change it to:

<em:minVersion>1.5</em:minVersion>
<em:maxVersion>3.5.*</em:maxVersion>

Save the file and restart Firefox. It should now be working perfectly. If not, check the add-ons manager to see if it’s disabled.

Edit: Mozilla has finally approved the new version of hashr, so this hack is no longer needed. You can find the addon here: https://addons.mozilla.org/en-US/firefox/addon/8539.

alias ls='ls -G'

Or you can even choose a better way. Adding the following to your ~/.profile:

export CLICOLOR=1

Now you just need to restart your terminal, and you have a all nice and shiny ls output.

The problem is… if you use a dark background, like any other sane person. The dark blue coloring the directories names is simply impossible to read.

To change that color you just need to add another line in your ~/.profile file:

export LSCOLORS=gxfxcxdxbxegedabagacad

What’s with the DNA chain? Well, it’s just some crazy way to configure the ls output color. You can find the corresponding color to every character on the ls man pages. Just to keep it simple, that combo turns the directory names to cyan, so that they become readable on top of dark backgrounds.

After of some weeks flirting with the Apple keyboard, today I finally bought it. I’m writing this post with it. And I can only say that this is the best keyboard one can have. It’s very slim and the typing is smooth, actually is pretty much the same as the new macbook keyboard.

I bought it to use at work, mainly because working endless hours in a laptop can injure your back and an external keyboard allows me to vary my posture when sitting in front of the macbook. Another reason, is that in summer time, having my hands resting in a macbook pro, turns out to be a hot and sweaty experience.

I opted for the USB version because I don’t really like batteries at all, and I wouldn’t be very tolerant with random bluetooth disconnects. Although the keyboard USB cable is short, Apple was king enough to include an extension for those who need a longer cable.

Here’s the Apple keyboard side by side with my old Revoltec Lightboard, so you can get an ideia about the size of this thing:

Just to end this post, as you can see on the first picture, I bought this keyboard at TB Store in Colombo. I definitely recommend this store to buy Apple stuff. Great customer service, nice and unusual bags for the shopped products and bonus key chain lanyards.

If you “worship” your google account, and the idea of losing it sounds catastrophic to you, because all your life is in it. You might just keep on reading this post.

What’s the problem?

The web is mostly an unsafe place, and having your google account logged while browsing “random” web sites, might be a russian roulette experience. Because with some recent techniques like clickjacking, an attacker might set up a web page with malicious code that uses your logged in google account session to perform actions on your behalf. And if you don’t believe this, you can try for your self in the following example.

You can try this using a dummy Gmail account if you feel insecure about it.

Log in to your dummy Gmail account, open a new tab and go to this website. Now click the “send” button on the page, and go check your dummy Gmail sent messages folder. You will see that you have just sent an email, without even noticing (well you did notice actually if you checked the status bar, but it was too late anyway).

The way to achieve a hack like this is not very complex. Quoting the author:

You get a copy of the generated HTML code of the target webpage, then you simply hide everything, except for the button you want to overlay.. you could draw other things using absolute positioning, but this is enough for most scenarios.

You can checkout the “ghost page” here: http://www.sirdarckcat.net/dad.html

This attack has it’s pros and it’s cons.. the most important pro is that it’s the best way of doing cross-browser exploits.. since you don’t depend on the sizes, margins, overflow rules etc.. that different browsers use.

Possible solutions?

The best way to prevent against these attacks, while it may not be the ideal solution, is by simply reducing the time you spend logged in on the browser. Actually, you can even use these services with no logged session on the browser.

The answer is simple: don’t use these services web interface on your personal computer. For Gmail, use a POP or IMAP client of your choice, for every other, use Prism. Prism lets you run web applications in a desktop/standalone mode. This way you have all your sessions encapsulated, in a kind of sandbox way. Leaving you free to use the browser in a more relaxed manner.

Why do I say “on personal computer” ? Because it’s in your daily use machine that you are more tempted to save login forms and such, leaving you vulnerable to the type of attacks I described. On other machines you are less tempted to do that, because it’s not your machine, or it’s a public computer, and you spend much less time on it.

While I’ve been talking about Google accounts and Gmail along this post, actually, every other service may be vulnerable to this type of attack, but generally Google services are usually more secured than the rest.

What can web developers do?

Not much really. For web developers, the way to prevent that your site gets opened in a iframe is the piece of code known as “the Framekiller“. This is a javascript code snippet to include in your HTML pages:

<script type="text/javascript">
if (top !== self) top.location.replace(self.location.href);
</script>

This works with the obvious javascript/client side limitations, so it shouldn’t be regarded as a reliable approach, but it definitely helps.

More on the subject

If you wish to know more about other similar techniques, you can check these links below:

CSS Attacks

Clickjacking

First, all methods were returning a SimpleXML object, which is a mistake in terms of flexibility. I’ve changed them all to just return a XML string. Now its up to the user (programmer) to choose the way to access/parse the XML.

Second, TwitterPHP is a class, you can instantiate it several times, for let’s say, accessing multiple accounts. At least you should be able to do that, but since I was reading the Twitter username and password from a configuration file (naive, I know), multiple instances could only use the same account. Now the problem is solved by simply adding the username and password as arguments of the constructor method and removing the configuration file.

Third and last, I switched from PHPDocumentor to Doxygen. This was mainly because I found out that Doxygen is much more flexible, I can use it with any other project with any other language. And the resulting documentation is more fast and clean than PHPDocumentor.

So you can take a look at the new version of TwitterPHP here and the documentation generated by Doxygen here.

In future releases I’m planning to add OAuth support and implement more Twitter API actions.

One of the most interesting things about Javascript OO is the way to define a Class. Actually there is no keyword “class” at all. So here’s an example on how to create a class Book in Javascript:

/**this will be the constructor method,
that automatically creates the class**/

function Book (isbn, title, author) {
    this.isbn = isbn;
    this.title = title;
    this.author = author;
}

/** And now the getters **/

Book.prototype.getISBN = function () {
    return this.isbn;
}

Book.prototype.getTitle = function () {
    return this.title;
}

Book.prototype.getAuthor = function () {
    return this.author;
}

If your class has attributes that are not passed as constructor arguments, you can declare the attribute just like we did for the methods:

Book.prototype.numTimesRead = 5;

//a setter
Book.prototype.setNumTimeRead = function (n) {
    this.numTimesRead = n;
}

Now if we wish to instantiate our class, it’s identical to most OO languages:

var mybook = new Book("123", "Dive into Python", "Mark Pilgrim");

//I tried to output this the ugliest way possible :P
document.getElementsByTagName("body").innerHTML = "Title: "+mybook.getTitle();

This will (pwn your body element) print the Book title, you can add any other info as you wish.

You may find more on object oriented programming with Javascript at the Mozilla’s Developer site.

I was thinking about writing a post on Extreme Programming, but I’ve just found a very good video of a lecture on the subject by Richard Buckland, that explains it the best way possible and with some humor. So here’s the video:

This is a highly recommended video for those that want to learn about Extreme Programming and Unit Tests.

Video Link: http://youtube.com/watch?v=XP4o0ArkP4s

This is definitely a tool of great convenience, but like almost everything in life, has a drawback. Actually, two drawbacks. First, spammers, phishers and alike are using this service to mask the URL of their malicious website so that when someone sees the link, feels comfortable about clicking it, and unaware of what’s coming. And second, it’s slowly building a “broken” web, because if this kind of services disappear, a good portion of links on the web won’t work anymore. And this can’t be good.

Against the first drawback, TinyURL has a feature that allows you to send a preview link instead of an instant redirection one, but it’s hardly used by anyone.

Some time ago, I developed a small online tool that unveils every tinyurl that is sent to it. But its usefulness is almost none, since no one will bother to visit another website just to unveil the tinyurl’s target. So, to simplify that process, I’m developing a Firefox Extension that integrates with the tool, so that when you visit a tinyurl, before that url is loaded, is passed trough the reverser and the target is shown on a confirmation popup or just a tooltip.

While the extension is not ready, I leave you here a small example of how to reverse a tinyurl in PHP. It’s very simple, and straightforward:

function reverse_tinyurl($url){
	$url = explode('.com/', $url);
	$url = 'http://preview.tinyurl.com/'.$url[1];
	$prev = file_get_contents($url);
	preg_match('/redirecturl" href="(.*)">/', $prev, $res);
	return $res[1];
}

Well, or maybe if you prefer Ruby:

require 'rubygems'
require 'net/http'

def reverse_tinyurl(url)
    url_parts = url.split('.com/')
    preview_url = "http://preview.tinyurl.com/#{url_parts[1]}"
    response = Net::HTTP.get_response(URI.parse(preview_url))
    original_url = response.body.scan(/redirecturl" href="(.*)">/)[0][0]
end

Or if you are more of a Python guy/girl:

from lxml import etree

def reverse_tinyurl(url):
    hash = url[url.find(".com/")+5:]
    preview_url = "http://preview.tinyurl.com/"+hash
    parser = etree.HTMLParser()
    tree = etree.parse(preview_url, parser)
    elem = tree.findall('.//a[@id="redirecturl"]')
    if len(elem) == 1:
        return elem[0].get("href")
    return None

This examples should get you started on developing something around this.