Stop child-processes from keeping lock (LockHandler)


This kept me busy for a while. I have a queueing system that run constantly on our servers – built in PHP because, why now :)

Basically I have the controller, run as: php app/console aqueue:controller --bootstrap  – this merely starts, and one by one run the child-processes and disowns them, like so:

However, the problem is – in order to make sure somebody doesn’t run the bootstrap script more than one at the same time, I get a lock at the top of the console command before continuing – and if I can’t get the lock, it exits immediately. It’s a safety measure.

I get the lock like this:

The problem is, once you start the child-process – each of them ALSO holds the lock that the aqueue:controller created above. Thus, when the bootstrapping controller is done, but the child processes are still running (as they should be) – it can’t start the bootstrapper again because the lockfile is held by other processes.

To fix this: Simple, release the lock.

So to do this easily and elegantly, you merely create a destructor that releases the lock in the bootstrapping command, like so:

Once this is done, the lockfile inheritance problem goes away :)


Exiting script mid-way – gracefully (with a die-file)


Why I never thought of this before, I don’t know. But this is saving my bacon right now:

The scene:

I have a script that does 10 000 things on each loop on my DB. Unfortunately, because of the architecture that I’m interacting with, I can’t wrap the entire thing in a transaction. If I could, then killing the script mid-way will have no negative effect on the db, because it’ll just roll back the whole thing.

However, killing the script in the middle having it non-transactionalised, introduces a whole range of negative side-effects – life for instance inflating the summary data I’m building.

Anyways, forget the above, it doesn’t matter.

All I want to do is to “tell my script” that I’d like it to quit after the current iteration of the loop.

My solution: Give it a “die file”.

Say for instance my script’s name is “maintenance20150216.php”

I put the following code inside it:

Cool thing about this? All I got to do while the script is running:

This in turn creates the “die file”, which tells the script to quit after the next iteration of the loop.

This way I don’t have to kill or ctrl-c the script and risk it quitting at the wrong place inside the loop. My script can run for it’s calculated days of processing, and if I need to make a change – or at the very least have it back off for a bit to give the DB a breather, I can do so easily and safely now.

Culling your module/actions (Symfony1)


This post is centered around Symfony1 – but it translates to other frameworks quite easily if you have filter chains. The reason we needed to do this, was to figure out which of our old legacy symfony1 module/actions are still in use, how heavy the usage is on each, and which ones are not being used anymore – so we can delete them, yay fun :)

Just some background: We’ve run Symfony 1.4 for a long time, and most of our legacy systems were written in that. Then when Symfony2 was launched, we started to write new code in there, and slowly started to move things from the old legacy system into the new system – especially things we wanted to make changes to. We’re a point now, that we would like to get rid of all the front-end module/actions in our old system.

Here’s the approach that seems to be working rather well…

Figuring out what module/actions are still in use:

A filter does the job nicely. We wrote a small filter that which merely logs to a file the time and what module/action was called. (lib/myDeprecationFilter.class.php)

(Please ensure that you install Monolog using composer – but you really can log it any other way you want as long as your parser then knows how to read that)

You then have to put this in your filter.yml in your app folder (somewhere similar to apps/yourAppName/config/filters.yml)

(the order in which you put this really doesn’t matter)

The log file:

When you make this live (remember to clear cache), you’ll notice that the log file is created and starts to get entries written to it, here’s an extract of how it looks like:

Monolog adds a nice bunch of information bits to the logfile, which we use for other things – but the two that you’re concerned about is the action and the module that’s being logged, called “ctxt_action” and “ctxt_module” respectively.

It may be prudent to logrotate this file, as it will grow fast (very fast for our site) and we don’t want it to be the cause for a filled up disk error ;). Merely add something like this in your logrotate.d:

(note the rotate 30 – we thus only keep 30 days worth of logs)

Reading / Parsing the log

This is not nearly as elegant as it can be, but who cares – it’s only for us internally.

As you can see above (please excuse the hardcoding – no need to put the CLI handler in here), we then run through all the files (including the compressed .gz ones that logrotate create) and reads every single line (nice and inefficient, right? 😉 ). We then do counts into an array (using @, lol… I mentioned this is an internal tool right?), and then output the contents of the array.

It looks something similar to the below extract:

From the above, you can see that we have a multi-dimensional-array that has the module name and then the actions inside it which was called.

The above then shows you which modules (for a start) have been called in the last 30 days (remember our logrotate?)

For our systems, it’s safe to assume that if somebody have not looked at a module/action in 30 days we have created and linked the new one in our new Symfony2 install and that clients/customers cannot get to the old one anymore (except off course if they have it bookmarked)

From here it’s easy to extract the module names only (with a simple regex) and put that into a file.

Then you list the modules in your apps/appName/modules folder, and put that in another file.

And then simply run a diff between the two files.

The ones that’s in the directory listing but not in the called list – those are the ones you want to delete / cull off your server and get rid of in your code :)

Luckily for us we don’t really dig into the actions as we rewrite the entire module into the new code and only then do we remove it from the old code, so we don’t have to overcomplicate it.

Have fun and let me know if you have something to add to this :)


Know your IDE (Data Sources in PhpStorm 7+)


Sometimes it’s the small things that makes a huge difference to your day. It’s those tiny things that makes a developer grin – smile even! :)

Like, for instance, setting up your Data Source so that SQL statements not only look cool, but actually give you some added productivity.

Having a look at PhpStorm when putting a simple SQL statement in, it’s got a rather ugly colour depicting that you don’t have a data-source set up. On top of that, it actually displays a little light bulb when clicking on it indicating that something is wrong, but the IDE knows how to fix it if you just gave it a little bit of into.

Screenshot 2014-09-05 23.19.17







If you look at the screen grab above, you’ll note the colour of the string containing the SQL, as well as the light bulb, which I clicked on.

Clicking on the “Configure Data Source” gives us the ability to set up the data source, and for good measure which database to connect to as a default:

PS: You may need to have PhpStorm install the JDBC first, check at the bottom of the pop-up window for details on that.

Screenshot 2014-09-05 23.24.20












It’s always a good idea to test the connection first, but if all goes well and you save and apply… your SQL statement inside your file suddenly changes colour and you have some extra functionality there:

Screenshot 2014-09-05 23.27.50




Note that it highlights the column name in a bold and slightly different colour. This indicates that the column actually exists.

Also, when working with complex databases, it’s not always possible (or even necessary) for developers to memorize all the fields – and their spelling – by heart. Now, because you set up your data-source, you get code-assist!!! Awesome, right!

Screenshot 2014-09-05 23.31.13








As you can see, not only do you get code-assist on the column names – but it also tells you which is the primary key with the little key-icon, it tells you what the data type is of the column, and it indicates that the column is referenced to another table (in the case of the project_id field with the little highlighted part of the icon).

Pretty awesome, hey!

So go ahead, learn your IDE and set this kind of thing up.

You won’t be disappointed!




alter table … change column… NOT NULL DEFAULT 2 — weird behaviour


>> EDIT:

So, thanks to @morgo and @cmptrwizard I now know what was going on :)

Turns out, old decisions do sometimes come back and bite later on hehe… who knew self-deprecating-sarcasm.

We turned STRICT_TRANS_TABLES off way back when we upgraded to MySQL 5.6 – meaning that the error MySQL was supposed to through due to the alter not going to do what I was hoping (my mistake), was not thrown. This resulted it the failure being silent – which is what bugged me for days :)

Thanks guys for the assiste.


Original post follows…

This is just weird, and it’s bugging me. It appears when MySQL does the alter table operation on a previously nullable column it does run through it changing the current null values to the new default – but instead of using the default specified it uses the base default value of the core.

Have a look at this to reproduce it:

Ok, let’s add some rows, so we have a nice view of things:

Looking at the data, we find it looks like this:

Ok so far so good. Now, let’s alter the table’s “some_value” column to be a default of “2”.

Now, when doing this on a large table it’s pretty clear that MySQL actually runs through the table entries and changes their values (as it takes minutes to run on a big enough table). So we know it’s not just changing the metadata of the table.

Right, let’s look at the data again:

Do you see what I see? The “some_value” of row with id 101 was changed to “0” – zero. But the alter table statement said the default should be “2” – two.

Ok, did I break the table? Let’s test inserting a row without the “some_value” filled in – which in the past would’ve made it null… but now that I altered the definition it should make it “2”.

Ok cool, so let’s retrieve the data again:

Anybody know why the heck this is?


Analytics – Not just for Corporates


We sometimes forget that analytics isn’t only for use in corporates / company websites, but also for personal use!

In our office, we were talking about Google Analytics ( and tracking of sites. I thought it’s worth mentioning that a lot of people have side-line or personal projects to make some extra cash lately. What we (and even us Software Engineers) don’t always realise, is that we can do a LOT more with our site if we run some analytics on it.

Google Analytics is a great tool. Best of all, it’s free!

My colleague showed me how he tracks his wife’s site with Google Analytics. I was amazed to find out that with the Adwords special how quick the traffic picked up! Within days he had loads more people browsing the site!

We started to talk about Google’s Webmaster Tools, which – as one of the guys put it – makes sure you didn’t do something stupid (

Another great way to drive the rating of the site up, is by having other sites link to it. In the interest of that, I’ve linked to it below :) Hey, don’t judge, I’m helping out! :)

The product his wife is selling, is a pillow for pregnant ladies, and a lot of the guys in the office got their ladies the product already, and they’re raving about it! Seriously, awesome product!! Go check it out here. (

I think the following quote from the site sums up why it’s the best thing since sliced bread: “Cushi has be design to ensure a good night’s rest and support for your baby bump, hip and back during pregnancy.”

Linda Atletiek


So proud of my little girl! She had her first athletics this past Saturday… and she was awesome! :)

(She’s the one on the 4th used lane from their left coming 2nd at the end of the race)

That’s my girl!!!!


Binary Matrix Security

Warn about Security Holes, but don’t be an asshole

The view of the world from the perspective of the Developer having the Security Problem:

We’ve all read about security, password encryption vs password hashing, why encryption is better than clear text, why hashing is better than encryption, why bcrypt is better than say sha1, and so on. But the fact of the matter is, is that most projects on the outset de-prioritises these security concerns for other, “more important” things at the time, like for instance getting the job done and launching the project.

“Sure, we’ll look at security after launch” is most commonly used among developers, and yes even though this is the wrong thing to do and we all agree that it’s the wrong thing do to, a lot of us if not most does exactly this.

The problem with this is, however, that we never “get around to it” when it comes to fixing these things. The reasons for it is three-fold. Either we’re lazy. Let’s not do that when it comes to security. The other two reasons are more understandable though. We’re perhaps just too darn busy. For the business factor we have to actively as professionals in the industry make an effort to “make the time” for these important “behind the scenes” work – especially when it comes to security, but this is a whole different discussion.

The other more common reason is “because it’s really difficult and we’ll likely have to change our client base’s behaviour”. This is tricky, because a lot of times either the company you work for has a management team that’s really great at marketing and business, but don’t really care that much about security (or perhaps know that much about it). One can convince them to take the plunge by pointing out the marketing or PR nightmares if we get hacked, but it’s still difficult. Also, most of our client-base are really not phased about security, in fact they don’t even know what it is until one of two things happen: 1) you change something and they notice or 2) you get hacked and they notice because it’s in the local newspaper (or news site). Both, unfortunately, bad, because both create phone-calls and support tickets, generally which you have enough of and would like to not create more admin by changing something.

Anyways, so let’s all agree that it’s the right thing to do to make the security change required and change the behaviour of the clients. The sooner the better, but now that you’re 6 years into a project it’s going to take some time. It’s not only going to take time, it’s going to be difficult to juggle security and ease-of-use to make sure that the clients don’t complain too much. My advice: Plan! Plan how you’re going to attack the problem, make sure you talk to your internal security specialists (or external consultants (or both)) to make sure you’re doing the right thing. Then lay out your time-line and try to stick to it as close as possible.

All said and done, as Developer ultimately it’s your responsibility to protect your client’s data, including and very importantly, their passwords.

The view of the world from the perspective of the “Guy who notices the security hole”:

Now, to get to what the subject of the post is about. Let’s switch our role from being the developer who’s charged with fixing the security problem, to some random client (or prospective client) who’s using the system/site/service or about to sign up for it.

From time to time we as internet users come across security holes in systems. The world is full of security problems as discussed above. But for all the security problems that we notice there’s almost always somebody behind that who really care about fixing that problem, but whom are faced by the difficult task of doing so (accompanied by all the human and technical problems surrounding it). And furthermore, in this group there’s a sub-group of developers who are in the planning phase or the active development phase of fixing the problem. This is where my story resides.

With the modern web of social media everywhere, we tend to talk a lot… a LOT… online. We generally tend to talk more about the things that we’re passionate about and especially that we know more than others about (well, we hope so anyways). Some of us are developers and some of us are even security specialists, even working for a security consultancy firms. Thus we’ll tend to talk about security problems. However, we need to be careful about when we talk about it, how we approach the discussion, and how public the discussion is.

Let me use an example of what happened a while ago:

Our team was faced with a security problem (not quite as big as the one described above, but still complex and tough to fix) for quite some time. We’ve spend a great deal of time and effort planning how we’ll be fixing the problem. Development on fixing the problem was about to start, in fact the morning of the below described incident, we had a water-cooler-chat where it was agreed that development on the problem is starting and we’ll finish the initial phase of it in about 2 weeks (hey, a nice agile scrum sprint!)

Then the “unthinkable” (read “annoying thing”) happened:

Now, we’ve had security concerns raised by clients and prospective clients numerous times. Most companies in the IT industry do. Every few weeks we get the odd ticket where a client is concerned about a security problem on our system. Usually it’s a small security hole that we plug and make sure it exists nowhere else on our system. But every few months we get the more serious concern, to which we thank the client and assure them that we’re looking into it (which we do/did). This time, though, the concern broke on a very public way – on Twitter. Yes, you can just imagine the storm this kicked up! Think about it… on twitter, for everybody to see, a concern was raised about the security of our system.

Now, this is not the first time it happens in this fashion, but what’s annoying is that the individual who tweeted it should’ve known better – he/she is a “professional security consultant”.

The wrong assumptions of it was made on twitter which made the problem look even worse to the public and untrained eye (no we didn’t store passwords in clear text, but this was said on the internet, which naturally makes it true *sarcasm*). Now, as everybody knows, the people running social media on an organisation is extremely good at what they do; that said, they’re not security specialists. Thus, starting a discussion/fight on Twitter (on twitter!!) with a company about security means you’re fighting/discussing a matter with somebody who is ill-equipped at answering your questions properly. The team running the social PR did exactly what they were supposed to do, they tried to mitigate the public problem by ensuring the tweeter that we’re serious about security, and that they will take it up with the relevant department. Still the tweeter attacked the problem (publicly). The tweeter proceeded to paste a link to an article about it. Again the social team assured him that it’s being looked at. Yet, the tweeter again explained that we’re being stupid (yes, I agree we were stupid) and that this is “security 101” (ok) – still, publicly… on twitter… with a company of thousands of followers. Then the social team took a different approach, to which the tweeter baited them by asking something along the lines of “So, I can assume that you’ll sort the problem out?”.

Let me categorically state: We were in the wrong here. When it comes to the question around security, we did the wrong thing. But that’s not what the issue is that I have here.

What scares me, is that we have a so called professional, a person who knows what the effects of talking publicly about security, whom broadcasts the fact that this security hazard exists (and even makes it seem to be a bigger hole than it actually is). Let me put it another way: This person basically SMS’d (Texted) tens of thousands of people about the security vulnerability. Think I’m being too harsh? Read the definition of twitter: “Twitter is an online social networking and microblogging service that enables users to send and read “tweets”, which are text messages limited to 140 characters. Registered users can read and post tweets but unregistered users can only read them. Users access Twitter through the website interface, SMS, or mobile device app.[read more here]

Luckily, nothing bad happened, however the carefully planned timeline and actions that we were going to take over a 2 week period went out the door. Thousands of rand in money of the time and resources spent planning, and the first part of the development was flushed down the drain. All because there was a public announcement of the security hole.

Upon inspecting the user, I noticed that she/he did not contact us about this in a private manner whatsoever. There was never a phone-call from the user. There was never a support ticket created about the problem. Nothing at all. The first time this user interacted with us was when the tweet was made.

This, sir/madam, is called being an asshole.


So, the moral of the story, to all my colleagues and friends and readers of this blog, if you spot a security vulnerability… by all means, notify and warn the company about the problem. Because face it, we’re all in this together, and we’d like our industry to get better at what we do, and we’d like to see security holes to go away. Heck, even make a fuss about it and cause some hairs to raise with throwing a few choice-words around over the phone until you speak to somebody who gives a damn about security. But for the love of world peace… don’t… be… an arse and post it on twitter/facebook/google+/linkedin/whatever social media you procrastinate on.

If you’re so concerned about the company’s security and they don’t do anything about it, then take your business elsewhere if they don’t listen. But really, think before you post, don’t just have verbal (or keyboard) diarrhoea.

Side-note: The security problem was “plugged” with a bad hack, and then fixed properly afterward – but only a fraction of the ease-of-use features that we were planning to build in to it was implemented thus hurting innocent clients, because… well… once again, our window has closed – and now that the security hole was plugged, we no longer had a burning need to work on the cosmetics of this project, there’s other more important things to work on.

So, the tweeter in question wanting to help the industry (well I hope so) by publicly posting a security vulnerability to get the company’s attention, but actually ended up just hurting the industry.


… happy surfing and posting… and remember…

… don’t be an asshole :)


Visualising the Evolution of our Source Code


We have well over 100k lines of code in the core system right now, that’s not even counting all the supporting templates, images etc that is all over the place.

We run a hybrid system between Symfony 1.3 and Symfony 2.1, parts of our system is in the old Symfony and parts in the new Symfony2.

People always likes cool pictures (especially the kind that move), so I set off on a path to take our SVN repository of everything and visualise it.

Luckily for me, there’s already a tool to do this, called Gource. I have Gource 0.38 but it’s already at version 0.40 already with some nifty extra features.

Here’s the youtube video of the code as it progressed from 2007 up to August 2013. Can’t believe it’s been 6 years worth of development! (Best viewed at HD-720p)

In order to do this, you go into your base-SVN folder and do the following commands:

As you can see, it’s rather straight forward.

  1. Firstly you get the SVN log – this takes a while especially on a large project like this.
  2. Secondly you run the log (in XML format) through gource to create the video – you pipe the video to ffmpeg to make the mp4
  3. Lastly if you’d like, open it in iMovie and add sound to it, like I did.

Important to notice that you shouldn’t fiddle with the video while gource is running, because everything you do to the app while it runs is saved to the mp4. Just… be patient :)

You can find gource here:

I just installed it with brew (in OSX), instructions can be found here:

Well, it was fun :) And it looks pretty, so I guess it was worth the hour it took me :)

Hoe om jou katjie ‘n pilletjie te gee


1. Plaas jou katjie in die buig van jou arm asof jy ‘n klein baba vashou. Sit jou regter wysvinger en duim aan beide kant van sy snoetjie en oefen versigtig druk uit, terwyl jy die pil in die ander hand gereed hou. Sodra jou katjie sy bekkie oop maak, gooi die pil in en gee die katjie die geleentheid om dit af te sluk.

2. Soek die pil op die vloer en gaan haal die katjie agter die bank uit. Plaas die katjie weer in die ronding van jou arm en herhaal die proses.

3. Gaan haal die dêm kat uit die slaapkamer en gooi die nat pil in die drom.

4. Neem ‘n nuwe pil uit die dosie, plaas weer die kat in jou arm, terwyl jy beide voorpote stewig vashou. Forseer sy kake oop en druk die pil binne in sy mond met jou regter wysvinger. Hou die kat se bek vir ten minste 10 tellings toe.

5. Haal die pil uit die visdam met die klein netjie en gaan haal die mal kat bo van die kas af. Roep nou jou maat uit die tuin uit om jou te kom help.

6. Kniel op die vloer en dwing die kat tussen jou knieë vas, neem sy pootjies in ‘n baie stewige greep, ignoreer die harde gegrom. Laat jou maat die kat se kop ferm vashou en dwing sy bek oop met ‘n hout liniaal. Gooi die pil via die liniaal in sy bek in en vryf jou kat se keel om sy slukproses aan te moedig.

7. Haal die besimpelde kat van die gordynreëling af en neem nog ‘n pil uit die dosie uit. Maak ‘n aantekening om ‘n nuwe liniaal te koop en ook om die gordyne te laat regmaak. Vee die stukke glas en keramiek van die beeldjies en potte op sodat jy dit later kan weg gooi.

8. Draai die blasende kat in ‘n groot handoek toe en laat jou maat bo-op die kat lê of sit, sodat net die kat se kop uitsteek onder jou armholte. Suig die pil met ‘n strooitjie op en forseer die blêrrie kat se bek oop. Blaas die pil, deur die strooitjie, in die kat se keel af.

9. Lees die pamflet deur, om te sien of die pille skadeloos vir mense is en drink ‘n koue bier om die smaak uit jou mond uit te kry. Ontsmet jou maat se arm, sit salf op die wond en draai ‘n verband om. Verwyder die bloedvlekke van die vloer.

10. Gaan haal die fokken kat uit die buurman se garage, neem nog ‘n pilletjie uit die boks en drink nog ‘n bier. Sit jou kat in die klerekas sodat net sy kop uitsteek. Forseer sy bek oop en skiet die pil met ‘n kettie in sy keel af.

11. Gaan haal die skroewedraaier uit die garage en hang die kasdeur terug op sy skaniere. Soek die whisky bottel, neem ‘n groot sluk en ontsmet die krapmerke op jou wange. Maak seker of jou tetanus-inspuiting nog geldig is. Gooi jou stukkende trui in die drom en gaan trek ‘n ou overall aan.

12. Bel die brandweer om die satan-helskat uit die boom uit te kom haal. Vra jou buurman om verskoning vir die taalgebruik en neem die laaste pil uit die dosie.

13. Tape beide voorvoete van die bliksemse kat aan mekaar vas met duct tape. Bind hom stewig aan die poot van die eetkamer-tafel vas met ‘n stuk ankertou. Trek jou welding-gloves aan, druk die pil in ‘n stukkie vleis en gooi ‘n groot glas vol water. Hou die klein bliksem se kop agteroor, gooi die vleis in, gevolg deur die hele glas water, hou sy fokken bek toe vir 5 minute.

14. Neem die bottel whisky en drink hom leeg. Vra jou maat om jou, so gou moontlik, by Ongevalle te kry, want jy word al lighoofdig van die bloedverlies. Laat hulle jou vingers en voor-arm vas werk en die laaste pil uit jou oog uit verwyder. Bel onderweg vir Hyperama om ‘n nuwe eetkamer-tafel te bestel.

15. Bel ook die SPCA om te reël dat hulle die gemuteerde satanskind van ‘n helkat kom haal en stop by die Petshop om te vra of hulle nie dalk klein hamsters het nie.

Hier gekry:

Go to Top