PHP Parse Error on new PHP 5.3.2

As we were notified on our forums, the updated PHP 5.3.2 version seems to have changed a behaviour of quoting array variables within strings, which produces a PHP parse error on a serendipity file include/functions_entries.inc.php at line 1433 (in Serendipity 1.5.3).

The fix is actually quite easy, if you replace the code found at line 1433 from this:

serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix"]}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity["dbPrefix2]}comments WHERE entry_id=$id");

to this:

serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entries WHERE id=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entrycat WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}entryproperties WHERE entryid=$id");
serendipity_db_query("DELETE FROM {$serendipity['dbPrefix']}comments WHERE entry_id=$id");

If you can't easily spot the difference: It's changing ["dbprefix"] with double quotes to ['dbprefix'] with single quotes. We're sorry for this inconvenience, which is already fixed in our SVN branches and will be part of the next release.

Thanks a lot to fyremoon from the forums, this thread.

Server Maintenance

The s9y.org server currently is experiencing some issues. Jannis, our master-bithorder is investigating the issue and we hope it will be resolved shortly. The s9y.org server powers the main wiki as well as the forums; this blog here is hosted on a different machine.

Meanwhile: Summer.

Update 2010-07-05: The server was up and running during parts of the weekend, but it seems the situation was not resolved completely. The server is now once again up and running, but the bootup-process seems to be blocking due to some MySQL issue. The hardware does not report any specific failure, so we're a bit clueless as to what is happening, but we currently do not have the time to completely setup a new server. We'll further investigate the issue, and hope that this outage won't repeat itself too soon.

If something fails, the SourceForge.net support options on SourceForge.net/Projecs/php-blog will be there. We'll also try to work out a possibility for a secondary forum installation that people have offered, and see if we can setup a dump of s9y.org on a static install.

Update 2010-07-06: And the server went down again. We cannot seem to find the reason why it hangs. We might need to completely reinstall the machine. We try to make it happen as soon as possible and post updates here.

Update 2010-07-06, #2: Until being able to reinstall the machine, we try to fix the situation by manually booting the machine's services - currently it seems as if the machine "lives" for about 24-30 hours after each reboot.

Update 2010-07-06, #3: I created a temporary support forum on SourceForge: SourceForge Forum for Serendipity.

Flattr Plugin

Flattr is a new service that is up and coming the last days in the blogosphere. Their service offers a social micropayment platform that lets you show love for the things you like..

The service allows normal people (consumers) to create an account, where they can deposit a certain amount of money. Whenever they appreciate a blog entry, an image, a video or any other content they see on a flattr-enabled website, they can easily click a link to add support to this website. At the end of a certain period, the deposited money is distributed among all the authors of things, that the consumers liked.

In first regard, this is not really a service to get paid from, but rather a service to spend money on. The modern web has become more and more of a place where people expect free high-quality content. Now it's time to remember, that quality content is not something that has been free for all people all of the time. This is a new phenomenon of the internet, and people work hard on offering this content, just on their own and to contribute to mankind. With flattr, you can show appreciation for those great deeds, by giving something back to things that wouldn't otherwise be there.

This is a bit in the spirit of the early Paypal-donation days, but with a twist: The distribution of a specific deposit and the easy way to "bookmark" interesting things to rembemer them once a fresh billing cycle arrives. It's a bold move in the opposite direction that Facebook just recently went with their global "I like" method. Flattr not only gathers the information, but enables the originating authors to notice that other people appreciated their work.

Much ado about something, a plugin to this Interface from within Serendipity is mandatory. Even though the API of Flattr is terribly easy to implement with a small javascriptlet, the Serendipity Plugin does have its unique usage scenarios:

  • You can decide on a per-entry basis if you want to announce a blog entry for flattr.com appreciations.
  • You can enter the metadata (language, category, description) seperately for each blog entry (inside the usual blog entry administration).
  • If you don't provide specific information, the globally entered fallback will take effect and is used for flattr-submission. Like if you did not specificy a custom category for a blog title, the global category will be used.
  • The flattr-Badges are integrated within the RSS-Feed (for javascript-enabled RSS readers)
  • When using the Freetag-Plugin, its tags can be automatically used as flattr-tags - or you can override them with custom tags.
  • The plugin allows you to place the badge either inside the entry footer, the entry body or even place it in a custom Smarty template variable so that you can place it anywhere.

The plugin is available now on Spartacus, or for direct download. Just unzip to your plugin directory, and enable the event plugin inside the Serendipity plugin management interface.

Feedback on how to improve the plugin is welcome, preferrable on the Serendipity Forums.

Serendipity 1.5.3 released, Security Issue with Xinha

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG-Library Xinha (that Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows to upload file with arbitrary PHP-Code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don't want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Thanks to Stefan Esser for reporting this issue to us, and making a quick bugfix possible.

Serendipity 1.5.2 released

Serendipity 1.5.2 has been released to address the outstanding issue of SQLite installations with Serendipity. Upgrading an earlier version of Serendipity prior to 1.5.1 to this version should work without any problems, fixing the database upgrades that were faulty in Serendipity 1.5.1. This is the same patch that has been advertised in the old blog posting.

Users who had upgraded to Serendipity 1.5 already can fix problems by checking the database table 'serendipity' and make sure to insert a md5 hashed password, with hashtype=0.

SQLite users should backup their database file (a random file name ending in .db) before updating. For users of other database systems, the Serendipity 1.5.2 update does not contain any changes and can be left out.

Serendipity 1.5.1 with SQLite

UPDATE: Serendipity 1.5.2 release

Some SQLite upgrades from Serendipity prior to 1.5 to the current version might create a problem, that the database update cannot properly update the serendipity_authors database table structure to insert the new "hashtype" (int) column. Due to that column missing, this can lead to the inability to log in.

Sadly SQLite does not easily allow to ALTER a table structure, so unless you have a SQLite admin tool to manually that column, and until the Serendipity Team can provide a proper fix, you should not yet update. Due to Christmas 2009.1 getting released soon, this might takes us a few more extra days.

If you have NOT yet uploaded the new serendipity release and executed the update, you can simply copy the file sql/db_update_1.5-alpha1_1.5-alpha2_sqlite.sql onto your installation, which fixes the upgrade procedure.

Side information: Hashtype defines whether md5 (value '0') or salted sha1 (value '1') is used for the stored encrypted password of the serendipity_authors table. Once you login with a hashtype=0, serendipity will automatically convert your password to sha1, and adjust the hashtype column. This is why once we fix this issue in 1.5.2, we must make sure that no manuall updates you might have used are overwritten, that could lead to Serendipity no longer knowing which hashtype was used for your column. That requires some thoughtful thinking, and a bit more time instead of a hotfix that might make the situation worse.

Note that this ONLY applies to users UPGRADING and using SQLite. A fresh installation as well as using other Database types is not affected.