May 31, 2007

All Input Data Is Evil—So Make Sure You Handle It Correctly and with Due Care

Neglecting to check all application input to ensure it contains only valid content is simply asking for trouble.


PHP 5.2.3 Released

The PHP development team would like to announce the immediate availability of PHP 5.2.3. This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release. Further details about the PHP 5.2.3 release can be found in the release announcement for 5.2.3; the full list of changes is available in the ChangeLog for PHP 5.

Security Enhancements and Fixes in PHP 5.2.3:

- Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
- Fixed possible infinite loop in imagecreatefrompng() (by Xavier Roche, CVE-2007-2756)
- Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
- Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
- Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib
- Added mysql_set_charset() to allow runtime altering of connection encoding

For users upgrading to PHP 5.2 from PHP 5.0 and PHP 5.1, an upgrade guide is available here, detailing the changes between those releases and PHP 5.2.3.


VB Runtime agility, Orcas and new platforms

One of the problems that we’ve run into when trying to get new platforms such as the Compact Frameworks or Silverlight to support Visual Basic is getting the VB runtime supported on the new platform. The VB runtime, besides having a bunch of user functions such as Left and MsgBox and such, contains a number of language helper functions that are required for the correct functioning of the language. For example, when you convert an Integer value into a String value, we emit a call to a helper that does the conversion for you, since there is no native IL instruction for this. The number of situations where we emit helper calls isn’t huge, but there are some core features of the language that just won’t work without them. This is why there’s been no officially supported way to remove the reference to Microsoft.VisualBasic.DLL.

More than the language, though, the problem is that the compiler won’t work without the helpers, either. Basically, the VB compiler will just crash when it fails to find a VB runtime helper. Even if you’re careful to avoid features that use helpers, it still doesn’t mean you can just run without a reference to Microsoft.VisualBasic.DLL; there are still many cases where we sanity check for helpers even if we aren’t going to use them. Which means that even if you managed to figure out how to get the compiler to not reference Microsoft.VisualBasic.DLL, it was likely that lots of things weren’t going to work.

As we faced the prospect of more and more platforms starting to support .NET, we realized that we needed to do something about this situation in Orcas. So we did a feature we’ve been calling “runtime agility.” The runtime agility work basically enables new platform developers to compile without a standard reference to Microsoft.VisualBasic.DLL and we’ll only barf on missing runtime helpers if you try to use a feature that requires them. And when we do barf, we give you a nice error message telling you what helper was missing instead of just crashing. You can also redirect the VB runtime reference to another DLL if you’re building a new one for your platform. For platform developers, this means that they can more easily develop a VB runtime DLL for their platform without having to stub in a bunch of helpers that they don’t support. And, yes, if you really want to run without a VB runtime, you can now do that.

This switch is only supported on the command line for Orcas; there’ll be no UI expression of it. The switch is “/vbruntime” and should show up, I believe, in Beta2.


MySQL Slow query log in the table

As of MySQL 5.1 you can have the slow query log written to the mysql.slow_log table instead of a file, as in previous versions.
We would rarely use this feature, as it is incompatible with our slow query analysis patch and tools.
Fixing this while staying 100% compatible with the standard format is not trivial, because the TIME type, which is used to store query execution time and lock time, does not store fractions of a second.

Today I had some time to play with the table-based slow query log in production while tuning one of the systems. It is quite nice to be able to work with the data in SQL: it is easy to filter all queries which happened within a certain time interval (i.e. after I’ve made some changes), or to filter out queries you have already looked at using a LIKE clause.

As the default table format for slow_log is CSV with no indexes, typical operations like finding how many queries have accumulated in the log or finding the 10 most recent queries are not fast. The good thing, however, is that you are allowed to change the table to another storage engine and add the extra indexes you require. Doing so may affect your performance (updating a table with a lot of indexes may be significant overhead), so instead you can create an analyze_slow_log table of similar structure with the needed indexes and populate it with an INSERT … SELECT statement as you need it.

One little gotcha which confused me at first is the order in which queries come out of the log. If you are used to doing tail -100 log-slow.log and now change it to SELECT * FROM slow_log ORDER BY start_time DESC LIMIT 100, you will find new queries at the top of the list rather than at the end. If you want the newest queries at the end you can do
SELECT * FROM (SELECT * FROM slow_log ORDER BY start_time DESC LIMIT 100) l ORDER BY start_time, which shows the last queries at the end, similar to the tail command.

If you’re tired of typing it over and over again you can create a stored procedure, something like LAST_SLOW_QUERIES, and use it instead; just remember that unless you add extra indexes to this table, this can be rather time and resource consuming.
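As an added example (not code from the original post), the indexed analysis table and the LAST_SLOW_QUERIES procedure described above, assuming the MySQL 5.1 slow_log column layout; the orders table name and the timestamps in the interval query are constructed sample values.

```sql
-- Added example, not from the original post: a copy of mysql.slow_log with the
-- indexes the CSV log table cannot carry, plus the LAST_SLOW_QUERIES routine.
-- Assumes the MySQL 5.1 slow_log column layout (start_time, query_time,
-- lock_time, rows_sent, rows_examined, db, sql_text, ...).
USE mysql;

-- Same structure as slow_log; CREATE TABLE ... LIKE also copies the CSV engine,
-- so the engine is switched and the indexes added on the copy, never on the
-- live log table (which cannot be altered while logging to it is enabled).
CREATE TABLE analyze_slow_log LIKE slow_log;
ALTER TABLE analyze_slow_log
    ENGINE = MyISAM,
    ADD INDEX idx_start_time (start_time),
    ADD INDEX idx_query_time (query_time);

-- Copy only entries newer than the last one already copied, so the statement
-- can be re-run after each round of tuning without duplicating rows.
SELECT @last_copied := IFNULL(MAX(start_time), '1970-01-01 00:00:01')
  FROM analyze_slow_log;
INSERT INTO analyze_slow_log
SELECT * FROM slow_log WHERE start_time > @last_copied;

-- Queries logged in a given interval (e.g. after a configuration change),
-- skipping ones already reviewed; constructed sample values, and the index on
-- start_time makes the range scan cheap.
SELECT start_time, query_time, rows_examined, sql_text
  FROM analyze_slow_log
 WHERE start_time BETWEEN '2007-05-31 10:00:00' AND '2007-05-31 11:00:00'
   AND sql_text NOT LIKE 'SELECT COUNT(*) FROM orders%'
 ORDER BY query_time DESC;

-- tail -n equivalent: the newest n entries, oldest first. LIMIT cannot take a
-- routine parameter in MySQL 5.1, so the statement is built dynamically and
-- run as a prepared statement inside the procedure.
DELIMITER //
CREATE PROCEDURE LAST_SLOW_QUERIES(IN n INT)
BEGIN
    SET @stmt_text = CONCAT(
        'SELECT start_time, query_time, lock_time, rows_sent, rows_examined, db, sql_text',
        ' FROM (SELECT * FROM mysql.analyze_slow_log ORDER BY start_time DESC LIMIT ', n, ') l',
        ' ORDER BY l.start_time');
    PREPARE stmt FROM @stmt_text;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
END //
DELIMITER ;

CALL LAST_SLOW_QUERIES(100);
```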

This is actually where being able to sort records by physical position quickly, without needing indexes, would be quite handy.

I should also say the log table implementation in MySQL is well thought out with regard to avoiding trouble. For example, you can’t ALTER a log table while the query log is running, nor can you delete rows from it (or run any write queries); only read access is possible, with the exception of TRUNCATE, which just recreates the table and should therefore be fast. Interestingly enough, though, what would happen if one used a storage engine for the log table which does not optimize TRUNCATE? I guess it should be blocked, as normal DELETE statements are blocked.

More than that: I found that even if I convert the table to MyISAM, disable concurrent inserts, and run a long reporting query on the log table, query execution still proceeds. I have not checked whether concurrent insert is always forced for a log table if it is allowed, or whether there is a buffer of slow log entries which is used while the log table is locked.

One thing which would be rather handy is a UDF or stored procedure to “normalize” a query by removing comments and replacing constants with placeholders, as this would allow aggregating the log entirely in SQL, finding the most frequent slow query types or the queries which load the server the most.

The other handy feature would be a function which returns, as a SET, the list of tables a query is using. This would allow, for example, finding all queries touching a given table quickly, which is now hard to do reliably.

I guess over time we will have more tools providing these and similar features, if not from MySQL then from the community.


May 29, 2007

What does the PDC cancellation mean for VBx?

As many people know by now, Microsoft has decided to reschedule the PDC that was planned for later this year. This was very disappointing for me personally, since I was looking forward to seeing a bunch of the people that I usually see there, and it was one of the consolations I had for myself for not being able to go to MIX. It also means that our plan to talk more about VBx at the PDC is going to have to be shifted around. It’s not clear where/when our focus is going to move to, but stay tuned, we should have more information shortly…


Do no-follow links count for search engine rankings?

Actually, the rel=nofollow attribute should prevent search engines from following such links. Some webmasters might have found out that nofollow links will help your search engine rankings, though.


May 28, 2007

MySQL - to use or not to use

I read this Slashdot article today and two CIO magazine articles linked from it.

Such discussions, started at the right place at the right time, always attract a lot of flamers and can be fun to read.

What struck me this time is the quality of the articles in CIO magazine. If this is what managers are supposed to use to make their “informed” decisions about products, it is not a big surprise that a huge portion of IT budgets is wasted. It looks like someone who has not got a clue is writing for someone who does not even pretend. I see zero “meat”, mostly reuse of marketing materials. This applies both to the pro-MySQL and the anti-MySQL articles.

The funniest argument for me was the age of the product. Where does this “older is better” come from? Oh yes, I know: it comes from the point of view of market old-timers trying to show the value of their technology to their customers and shareholders.

In reality, however, most 30-year-old code would either have to be scrapped and rewritten, or it would become passive, hard to maintain and extend. Over time systems tend to accumulate entropy; it is as true as people aging as they get older. You can postpone things with healthy coding techniques, as you can with healthy living, but you can’t stop the process completely.

Take a look at MaxDB, for example, which has an extremely old code base (with a lot written in Pascal).

Indeed, you can apply the age argument to code which is a few months or a couple of years old; this may not be battle tested enough, or just too dynamic in development (though nothing stops you from starting to actively break old code). Indeed, there are some problems which may happen only once or twice a year in production, but 10 years is enough by far.

As an old-time MySQL user I should say MySQL stability has not improved much (really going up and down) since MySQL 4.0. This even applies to InnoDB tables, which were already on par with the general MySQL level of stability in MySQL 4.0.

But now let’s get back to the question of using MySQL.

I’m obviously biased and focused more on Web applications than Enterprise applications (though these are merging a lot these days). From my standpoint the question is when or how to use MySQL, not just whether it should be used or not.

There are many applications where MySQL works great, there are some applications where MySQL can be made to work, and there are finally cases where MySQL limitations are not worth the trouble: they would require too complex application changes or some other ugly workarounds.

In very many cases the problem with MySQL use is not a problem of the product but a problem of state of mind: you develop applications for Oracle and MySQL differently, and if you try to apply the same patterns to MySQL as you used for Oracle, or move existing applications without changes, you may well run into trouble. PostgreSQL is probably closer to Oracle in this state-of-mind respect.

It is interesting that one of the mentioned reasons to use MySQL was MySQL’s simplicity, and I’m afraid this is what is gradually leaving us.
MySQL 4.0 was indeed simple: you could not do anything complicated with it, and you could get to know pretty much all features within a rather short time. MySQL 5.0, with its spice of enterprise features, is far from simple, and MySQL 5.1+, with a wide choice of storage engines, is getting even more complicated.

It is true that so far it is a different degree of complexity than many other DBMSs, but it is increasing.

On the other hand, many successful MySQL users use few new technologies besides the stock MySQL 4.0 toolset. For example, Google still has a lot of stuff on MySQL 4.0; looking at the patches they designed themselves, such as semi-synchronous replication, advanced monitoring and scaling features, some users need features other than those MySQL is adding in newer releases.

In other cases I can see people using, for example, subqueries, partitions and the information schema for ease of management, but rarely would I see a large number of big post-MySQL 4 features used at the same time.

This is of course only the technical side. There are obviously a lot of other factors, but they are more obvious.

For Web shops and for most enterprises you can use MySQL for free, the same as Linux. You do not have to pay for licenses at all
unless you want some extra services. You can use the Community version and solve things yourself or use third-party support, which indeed works, as MySQL is open source and nothing stops you from fixing bugs yourself or adding your own features. Again, it is very similar to Linux: if you do not want to pay for RHEL you can use CentOS, Fedora, Debian or Ubuntu.

Most articles speaking about MySQL for enterprises speak about MySQL with the full pack of services from MySQL AB. Obviously this is how MySQL AB wants its product to be seen, so that whoever uses MySQL buys services, but it is important to understand this is not really required. Of course many enterprises may need that because of their internal policies and state of mind, but these may not yet have adapted to the open source software world, at least when it comes to classic enterprises.

Having said that, I’m not advocating against buying services from MySQL. They indeed may be more efficient for you than having your own tool set and DBAs who can resolve all MySQL issues with the help of Google rather than the MySQL Support Team. You also may want to buy some services from MySQL simply so that MySQL development continues. My point is simply that you do not have to if you do not have money for it or if you do not need them.

So these are fun articles and discussion to read, and they bring up many thoughts, but I’d better stop right here and go back to real work :)


May 25, 2007

Partial Methods in VB

As is always the case in a major release, there are a number of smaller features that don’t get very publicized because they’re not as big or sexy as the major features. One that someone asked me about privately in email was partial methods. VB will support them in pretty much the same way that C# does. In fact, rather than writing a big, long entry about it, you could just check out Wes Dyer’s excellent entry on them for C#. Pretty much everything that he says about them applies to VB, including the syntax (i.e. the use of the Partial modifier).

How’s that for lazy?


Cobranding Copilot

New feature: subscribers to Fog Creek Copilot can now cobrand Copilot with their own logo to provide seamless tech support to their clients.

