I finally found this post which presented a solution:

“Turn off MultiViews. It seems when MultiViews is enabled there is confusion between MultiViews and the RewriteRules. So if you go to /user there will be no problem, MultiViews will translate it to /user.php. However when you go to /user/blah/login/blah or one of the other more complex clean URLs it gets confused.”

Adding “Options -Multiviews” to my .htaccess file fixed the problem. Not sure why this only happens on my GoDaddy account and not locally or at our other hosting accounts. Is this the one and only error that results from Multiviews and ModRewrite colliding, or are there others? If so, maybe I’ll shut off Multiviews on all my web sites until I need to add multiple language support.

So even though PHP claims to offer associative and indexed arrays, the implicit casting will be busily converting associative keys to index keys behind the curtain. Things get particularly ugly with integers g.t. 2^32 (above bug report plus Bug 34419). And notice the snippy resolution comment: “This hasn’t changed, will not change, and is not a bug.” So large integers that start off as strings are cast to integers, but being too large, are then converted to floats. That’s intuitive.

I was storing objects in an associative array, using the objects’ id as the keys and I was generating the ids with uniqid(). Uniqid generates 13 character strings that appear to be hexadecimal values cast to a string. Most of these values will have an [a-f] character, but occasionally they contain only digits. In this unfortunate case, these are cast to long integers then cast again to a float. Except that I serialized one such array and saw a negative integer listed as the array key! Whatever the exact mechanism, after unserialization I was unable to retrieve one object from an array, even using array_keys().

This is a PHP language design flaw, in my opinion. The default unique-id generator generates values that randomly map into two disjoint sets of array keys: associative string keys or numeric index keys. Given the schizophrenic array index casts, one would certainly expect uniqid() to uniformly generate strings or integers. So at a cost of about 12 hours, I now know to use the optional prefix argument all the time.

Such problems are avoided in Perl because arrays are declared to be associative or numeric, so keys aren’t being cast behind one’s back. PHP is younger than Perl, which I judge to be largely free from these types of asymmetries. And I didn’t look through all of the remaining PHP bug reports after finding the info I needed: since two years have elapsed, maybe PHP has improved this by now.

openSUSE 10.2

• Apache2, PHP 5.2, mod_php, mod_rewrite.
• PHP magic_quotes_gpc is set to off in openSUSE (the proper choice, but not the PHP default as I painfully learned when installing at the ISPs).
• PEAR supported in the Apache PHP include path.
• Subdirectories written into by the application (e.g. Smarty template compilation area) need world-write privilege.

GoDaddy Hosting

• Apache1.3, PHP4 (5.1.4 optional), CGI/fastCGI, mod_rewrite.
• Cannot use php_flag because using CGI, must use php5.ini instead.
• Switch from PHP 4 to 5 in .htaccess:
  AddHandler x-httpd-php5 .php
  AddHandler x-httpd-php .php4
• PHP magic_quotes_gpc on by default, turn off with local php5.ini file.
• AllowOverride Options disabled, can’t use in .htaccess.
• Files created by web site users (i.e. by the httpd user) have the same uid/gid as my ftp login user. An excellent configuration approach, as I don’t need to give world write privileges to local data subdirectories.
• ini_set(’session.cache_limiter’, ‘private’) causes server 500 error.

A2 Hosting

• Apache 1.x (server_signature empty), PHP 5.2, mod_php, mod_rewrite.
• PHP magic_quotes_gpc is on by default, turn off using php_flag (here is the Running PHP as an Apache Module PHP man page describing how to use php.ini directives within .htaccess).
• Subdirectories written to by the application need world-write privilege. My ftp area is a public_html directory, so A2 uses mod_userdir. The home directory looks similar to my local workstation.
• ini_set(’session.cache_limiter’, ‘private’) works fine. Moved this parameter to a php_flag directive.
• A2 mentions PEAR support on their web page, but they don’t add the directory to the PHP include path and only offer a handful of modules. Will add modules per customer request, but what will happen if they move my account to a different server?

Web Hosting Requirements

• PHP Extensions: CURL, XMLWriter.
• Apache Modules: rewrite.

I want to host a PHP application on a shared, remote server where I have only ftp access. I have to assume such a server is not secure, since any sysadmin at the hosting service can browse at will. I’m surely not the first person to host an S3 application on a remote server, yet there are only unanswered threads in the AWS forums regarding best security practices. So I’m guessing that some users are uploading the AWS secret keys and hoping for the best.

Here are the ways I’ve considered for using S3 from a Shared, Remote Web server:

1. Upload Secret Key – either in plain text or nominally concealed by an XOR hash or hex encoding. It would be concealment only, not encryption, since PHP is not compiled.
2. Encrypt and Upload – use another language (Java) or extension (Zend engine) that provides some security. AWS has some sample Java code that does this.
3. Use Public Buckets – from a secure machine, create a public_read_write bucket on S3. The PHP application on the shared server can then use anonymous access to read and write objects without requiring the secret key.
4. User Grantee – the AWS documentation states that access can be granted to anyone who has an account on amazon.com, even those without an AWS account. Obviously, such a person would not have a secret key. So the shared server application could use an amazon account to access a bucket with such a grant. However, the documentation does not explain how to sign a request with a canonical account name without a secret key.

I rejected options 2 & 4 as having too many unknowns at this stage of development. Adding a new language just to encrypt a key is a big hit in complexity. Similarly, with no cookbook example and the rather hastily assembled user documentation, I expect lots of trial and error for option 4. But once documented, option 4 would be my clear first choice.

Options 1 & 3 shift risk between a particular bucket and one’s secret key. With option 3, anyone who discovers the publicly read/writable bucket can use it immediately without even needing to find my PHP source code. But since they don’t have my secret key, I still have control over the bucket and can turn it off (delete it or make it private).

Option 1 exposes no public buckets on the web. But the worst case (someone gaining access to the remote server and stealing the secret key) has a big exposure. Only Amazon customer service can turn off a secret key, and they’re available only by email and only during business hours. If they take a week to shut off the key, I’d be liable for all of the charges.

My choice is option 3. I’m more comfortable with the risk profile being concentrated onto one bucket. Also, option 4 is a straighforward upgrade once more documentation becomes available. One unknown: is there any easy way for hackers to scan AWS S3 searching for public buckets? Let’s hope not.

• Test Utility for Amazon S3 in PHP – from the AWS Developer Connection, it provides s3-test-utility-php.zip which contains: s3.php, index.php, and readme.html. Using the browser GUI provided by index.php to control s3.php, I was able to create a bucket and upload an object. Code is documented and lists the derivation history of the code (see Storage3 and Mission Data Blog below).
• Amazon S3 Sample in PHP – an alternative s3.php that has some common heritage with the Test Utility s3.php.
• Storage3 Project – the predecessor of the AWS Test Utility package, provides file Storage3.php plus the required PEAR modules (making it easy to install on a remote server where PEAR can’t be invoked).
• Mission Data Blog – presents the original putObjectStream() method that has now been modified to use a file in the AWS Test Utility.

I want to stream data directly to S3 (without first saving to a file) thus the current form of the AWS Test Utility package won’t work directly. I can either use the Storage3 project or substitute the Mission Data putObjectStream() method back into the AWS Test Utility s3 class.

• All commands run as root.
• pear remote-list
  WARNING: channel “pear.php.net” has updated its protocols, use “channel-update pear.php.net” to update.
• pear update-channels – successful.
• pear info <pkg> – always responded “No information found for ‘pkg’. I tried both installed packages and the packages I wanted to install.
• pear remote-list – listed available packages and Net_Socket was not listed, even though I could see it on the PEAR web site.
• pear install HTTP_Request -
  install ok: channel://pear.php.net/Net_Socket-1.0.6
  install ok: channel://pear.php.net/Net_URL-1.0.14
  install ok: channel://pear.php.net/HTTP_Request-1.4.0
• pear info HTTP_Request – now it lists information about this package. Something isn’t working; I certainly should be able to get info about a package before installing.
• pear list -
  Installed packages, channel pear.php.net:
Package Version State
Archive_Tar 1.3.1 stable
Console_Getopt 1.2 stable
Crypt_HMAC 1.0.1 stable
HTTP_Request 1.4.0 stable
Net_Socket 1.0.6 stable
Net_URL 1.0.14 stable
PEAR 1.4.11 stable
• This shows another problem. YaST offered a few PEAR packages at install time and I selected a few including PEAR::DB. The DB package appears in /usr/share/php5/PEAR along with Archive Tar and Console Getopt, yet is not listed above. Why not?
• pear run-tests -pr Crypt_HMAC – “running 0 tests”, even though HMAC has a test.php file under the test subdirectory. So I don’t understand this command either.