Caleb Gilbert's blog

A Side Project: Part 1, Getting Started

"A Side Project" is a series of articles about an online web application I am working on. In Part 1 I share some of the thoughts and motivations which brought me to starting this project in the first place.

The seed for what is new, has some old roots
In 2005 I became involved with Drupal after discovering it in the course of working on an ambitious side project of mine. It was a discovery that would change my life, professionally and otherwise, much for the better. Ironically, the very thing, which got me into Drupal in the first place (e.g., online side projects) had became one of the unfortunate casualties in more recent years as my professional Drupal activities increased. Sure, I had little projects - went to meetups, cons, made some patches here, contributed this there - but building my own online site/service from the ground up with the intention/hope of achieving something big, that went by the wayside.

19 March, 2013

Example Varnish VCL for a Drupal / Pressflow site

A few months ago I set up Varnish on my Macbook Pro and have deployed it for a production site which serves anonymous and (a lot of) authenticated users. Initially, I spent a couple months just running it in my local environment, including backporting the Varnish.module to Drupal 5. In retrospect, I'm glad that I spent the time to learn how Varnish and it's configuration file works before deploying it, as it's paid off in a big way as our production site now has something which is equivalent to:

  • in-memory static file server for all users (e.g., the equivalent of hooking up something like nginx or lighttpd as a front end to Apache (or whatever you're using).
  • in-memory boost.module in terms of database-relief for anonymous users.

Contrary to popular belief the two items above are in no way an automatic benefit of simply installing Varnish. If the configuration file, and Drupal installation, is not massaged with care one definitely won't get the database relief from anonymous page caching, and the benefits from Varnish-as-a-static-file server will not nearly be optimized. Bottom line Varnish can be a temperamental piece of software. It only gives back what you put into it.

To this end, the settings in the Varnish VCL file can make or break whether you get a substantial benefit from it. Below is an example VCL file, which was formed from a good amount of research and a lot of trial and error:

18 May, 2010

Some highlights from Drupalcon San Francisco

Published in: 

Drupalcon San Francisco was great. Here is some of what stood out to me, in no particular order:

  • Tim O'Reilly's keynote was great (see link for it in comments). It put perspective on where Drupal fits into the larger world and reminded me that I actually came to Drupal for a reason, not just for technology or Drupal itself. While listening to the keynote, I couldn't help but think that Dries' personal push for RDF in core (which I've seen some head-scratching about from some) might owe part of its genesis to his own talks with O'Reilly.
  • The presentation YOU SHALL NOT PASS: Managing Expectations and Boundaries of Clients is one of the hidden gems of Drupalcon. If you're not project managing your clients/work the way they describe, you're doing it wrong (or at least for less money, more aggravation, and less satisfaction!).
  • Larry Garfield's session Objectifying PHP was a wonderful session for anyone who is ready to move to the next level with object oriented methods (pun intended) and practices.
  • The money, as well as the number of people, and type of people involved with Drupal these days has definitely changed the feel of the conference as compared to earlier ones I've attended. This is true even comparing it to DC which was only last year, let alone the first one I went to 4 years ago (OSCMS). There is no good or bad implied here, just worth noting since it has implications (and things will likely continue in this direction for a while).
  • For the past year or so it's been cliche to say, 'No one person one can know everything about Drupal anymore'. For me the new saying is, 'No one person would even *want* to know everything about Drupal anymore'. There are vast, vast knowledge areas within Drupal that have their own following, experts, and activity levels. Don't get me wrong, it's *all* extremely interesting, but gazooks...
  • For now videos/screencasts for presentations (they don't all seem to have them) can be found by going to this page and clicking through to the individual presentation page you're interested in. UPDATE: Videos posted here too.
  • Hottest Drupal-related career: Project/QA manager. The need for developers and themers, is plenty hot of course, but I'd be willing to bet that at least some of the larger Drupal-based companies/shops would choose a competent project/QA manager over a competent developer if forced to choose only one.
  • The way Drupal 7's $page array, hook_page_alter, and drupal_render works, simultaneously makes me want to use Drupal 7 RIGHT DARN NOW, as well as makes me wonder just how horrifically these features will be abused. (who needs a custom theme anymore - Garland with a bunch of hook_page_alters should work just fine, right) ;)
  • If you want the sneak peak for the next North American Drupalcon, look no further.

If you have a highlight you'd like to share please leave a comment.

22 April, 2010

Install intl PHP extension for MAMP / Symfony2

Published in: 

Many Bothans died to bring us this information (or at least my patience died a small death). Stashing this here for next time and/or to help someone else hopefully.

First do:

export PATH=/Applications/MAMP/bin/php/php5.3.14/bin/:$PATH
brew update
brew install icu4c

Next download PHP source that matches your MAMP version.


cd /Applications/MAMP/bin/php/php5.3.14
mkdir include
mv ~/Downloads/php-5.3.14 include/php
cd include/php
sudo ./configure
pecl install intl

Finally, add "" to your php.ini and restart Apache

20 March, 2010

Drupal security: video example of user account hijacking with XSS

In this short screencast a variety of security holes are shown, as well as some malicious things which are made possible due to these lapses. We'll take a walk-through of two security issues showcased in the vulnerable.module, as well as two other exploits which I put together:
  • User account hijacking via cookie/session XSS thievery
  • User account hijacking via password-changing-inline-XSS

It's worth noting that in the screencast we demonstrate security exploits in the context of a Drupal installation which uses custom code (e.g., the examples in the video do not represent actual vulnerabilities in Drupal core). Likewise, these exploits and security holes potentially apply to any web site, Drupal or not, which accepts user input.

Cracking Drupal (also, my review) Writing secure code
2 March, 2010

Simple cross-browser Xdebug helper. Session starter and stopper, no add-ons needed.

During a recent browser upgrade I found myself stuck in a bit of a corner. The Firefox add-on I had been using, Xdebug Helper, was discontinued, and the supposed replacement add-on for it didn't work correctly.

Since the functionality of this now-defunct add-on made my life a lot easier (e.g., don't have to manually append/strip '?XDEBUG_SESSION_START=default' in my browser all day long to start/stop debugging sessions) I took it upon myself to keep this functionality and perhaps get rid of yet-one-more-add-on (which pays off when upgrade time comes).

In all their simplicity, here are two bookmarklets you can use to start and stop a Xdebug session in your browser of choice. Note that if you are using a custom proxy key value then you'll need to change the '=default' part in the bookmarklet to '=YourProxyKey'.

The 'start session' bookmark
Save this bookmark and then all you need to do to start a debugging session (assuming that you have Xdebug setup correctly and a breakpoint set in your code, of course) is to select the bookmark. I chose to put my bookmarks in the Toolbar at the top of window to make it even easier to get to. Also, just for the sake of posterity here is the code for the bookmark.

The 'stop session' bookmark
Save this bookmark and put it next to your 'start session' bookmark. When you're done with your session, simply click this bookmark and viola. Again, here is the code:
javascript:(function(){var currentUrl=location.href;var gotoUrl=currentUrl.replace("?XDEBUG_SESSION_START=default","");document.cookie='XDEBUG_SESSION=default;expires=Fri, 3 Aug 2001 20:47:11 UTC;host=none;path=/';location.href=gotoUrl;})();

1 February, 2010


Subscribe to RSS - Caleb Gilbert's blog