Entries Tagged as 'News & Gossip'

What OS are web developers using?


The open source PHP dynamic language is one of the most widely deployed languages on Web servers today. But what operating systems are PHP developers using to develop and deploy their applications? It's a question that has been asked before and now it's being answered with a new study from Zend, one of the lead commercial backers behind PHP.

The study surveyed 2,000 PHP developers in December and found that 85 percent reported that Linux was their primary operating system as a production environment for PHP.

Windows came in at a distant second at 11 percent while Mac OS X came in third at just 2 percent. However, when Zend drilled down into which platforms respondents prefer for their development, the rankings change dramatically.

According to the study, 42 percent of respondents reported that Windows was their primary operating system for development. Linux came in as No. 2 at 38.5 percent while Mac OS X remained in third place at 19.1 percent.

The findings indicate that while Microsoft Windows remains the top platform for developing in PHP, its lead may be narrowing. Back in 2006, a Microsoft executive reported that 85 percent of PHP developers were developing on Windows, but only 20 percent deployed on a Windows machine. The change comes despite joint work by Zend and Microsoft to improve the capabilities of PHP on Windows servers.

that the new study was based on over 2,000 completed surveys conducted in December 2009, some of which came from Zend customers. The survey was made public through the Zend Framework website, the Zend monthly newsletter, Twitter and DevZone.

I have also noticed recently from reading blogs and lists that the majority of CFML open source developers seem to deploy Railo or Open BlueDragon on Linux, which is a major paradigm shift from ColdFusion developers who primarily use Windows.

I don't think this is a matter of preference but rather one of necessity, as pretty much all the PHP documentation is for Linux, and most PHP apps are written for Linux/Apache and are not supported on Windows even if you can get them working.

If you have tried to install Railo then you will have discovered this can also be quite a task and a challenge to get working, especially on Windows/IIS7, and there are far more blog posts and docs explaining how to get it running on Linux, as well as ready-made virtual disk images, which I suspect encourages people to take the path of least resistance and install Linux.

In the case of CFML this does however tend to be done using virtualisation software such as VirtualBox or VMware to run a Linux development server on Windows, so CFML developers do still seem to be using Windows as their primary desktop OS. I do wonder if Zend took this into consideration with their study and if many of those who listed Linux as their primary development OS may in fact be running it as a virtual machine on Windows. This feeling is further extrapolated by the fact that developers are mainly using server distros like CentOS.

You also need to consider all the obvious facts as well: while Linux has a lot going for it and plenty of software, most of the best/popular software, especially web dev/design products like Dreamweaver and the rest of the Adobe line, is not available on Linux. Sure there are alternatives, but they are certainly not in the same league and you can't walk into PC World and buy any of it. For those who have always been running a Linux desktop this will of course not matter at all, but for the rest this will be a big issue, especially if it is software you have spent a lot of money on, so running a virtual machine makes sense.

Of course it could be the other way round entirely and developers are running a Windows VM on Linux, but this would seem an odd way of doing it if their primary tools are on Windows.

Before the Linux fanboys start ranting, let me make it 100% clear that this is not a Linux vs Windows slanging match and I will delete all churlish comments attempting to turn it into one. If you comment, keep it on-topic and professional.

FREE Railo hosting is now available at CFMLDeveloper.com


As of today, Railo 3.1 is now available at CFMLdeveloper.com.

If you already have an account then simply log in to HELM and go to Packages -> add new and choose one of the new Railo Plans. Please note that the SETUP fee still applies for all new packages, but is still a one-time fee for fraud validation purposes and your hosting is then FREE forever. For more info please refer to the HELP pages.

If you do not yet have an account then simply SIGNUP from the hosting page.

Please don't forget to check the Hosting support pages if you get stuck; most common questions can be found there.

Photoshop CS5 demonstrates its stunning new party piece


I just had to share this as it is totally awesome. So many times I could have used this.

The now-familiar release cycle of Adobe's Creative Suite is signalled by two things: the hype and expectation of those who rely on Adobe's applications and prices that, especially for UK users, seem to soar further into the stratosphere with every new version.

A single new feature, though, has awed the PC Pro office and suddenly made CS5 seem like fantastic value for money. It's been dubbed the Content-Aware Fill, and has been shown off in a YouTube video narrated by Bryan O'Neil-Hughes, a product manager on the Photoshop team.

The dull, businesslike name hides a potentially revolutionary feature: if you're not happy with an item in your picture, select it, delete it, and Photoshop will analyse the surrounding area and plug the gap as if it never existed.

It seems easy to use and incredibly proficient: O'Neil-Hughes used it to remove lens flare and turn patchy and litter-strewn grass into a perfectly manicured lawn. He quickly removed entire trees and let Photoshop stitch together the grass and sky that would take their place. It's a testament to the new tool's proficiency that we couldn't tell that the image had been modified.

He didn't stop there: a simple click removed a dusty track and replaced it with desert, and a panoramic image's clumsy borders were filled out within seconds. Best of all, Photoshop handled these modifications without fuss and quickly delivered picture-perfect results.

Without this feature, making these edits could take hours or, in more complicated cases, even days. The Content-Aware Fill, though, took just seconds and has got us even more excited about the impending release of CS5. We'll have a full review available when the software is released but, for now, this demo should be more than enough to whet your appetite.

Firefox & Adobe rated as the buggiest software


Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.

A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application white listing technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honourable mention" because of a zero-day vulnerability related to ActiveX that went un-patched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

For those looking for a secure alternative to Adobe PDF reader, try Foxit Reader.

http://www.foxitsoftware.com/pdf/reader/

Security Alert! Sites hacked via upload scripts


SECURITY ALERT!

There has been an increase in the past few days in sites being hacked via file upload scripts, particularly a number of high-profile ColdFusion-based sites.

The hacker gets in by uploading a CFM, ASP, PHP or other supported file type to the server and executing the file, thus escalating his access.

If you have any publicly accessible areas of your site where files can be uploaded then you should make sure you are not vulnerable: validate the allowed upload file types and do not allow executable files to be uploaded.

In particular you should pay attention to things like image uploads on forums or other applications, which people seem to think are safe because they only allow images to be uploaded. Many scripts will actually write the uploaded file to the final destination folder before validating it, and then delete it if it is not valid, thus giving a window of opportunity for the file to be executed.

What happens is that the hacker uses a load testing tool that constantly requests the URL on your site where he knows his file will be uploaded (e.g. mysite.com/files/xyz.cfm). This is done many times a second, so when he then uploads the file it will get executed in those few milliseconds before it is deleted.

To avoid this scenario you should perform checks prior to accepting the upload, or upload the file to a temp location first that the hacker cannot access and then move it to the destination folder once it has been verified.
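One way to implement the stage-then-move approach described above, as an added example in Python (not code from the original post or from any CFML product). The function name `accept_upload`, the two directories and the image allowlist are assumptions; the staging directory is assumed to sit outside the web root, on the same filesystem as the destination folder.

```python
import os
import secrets
import tempfile

# Added illustration: all names here are hypothetical.
# Allowlist: extension -> leading bytes a real file of that type must have.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(Exception):
    """Raised when an upload fails validation."""


def accept_upload(client_name, data, staging_dir, public_dir):
    """Validate an upload in a private staging dir, then publish it.

    Returns the server-chosen file name placed in public_dir.
    """
    # Only the extension is taken from the client-supplied name.
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")

    # Stage outside the web root: nothing written here is reachable by URL,
    # so there is no window in which an unvalidated file can be requested.
    fd, staged = tempfile.mkstemp(dir=staging_dir, suffix=".upload")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        with open(staged, "rb") as fh:
            head = fh.read(16)
        if not head.startswith(ALLOWED[ext]):
            raise UploadRejected("content does not match the claimed type")
        # Server-generated name: the client never controls the final path.
        final_name = secrets.token_hex(16) + ext
        # Atomic rename (same filesystem assumed) after validation passed.
        os.replace(staged, os.path.join(public_dir, final_name))
        return final_name
    finally:
        # Rejected files are deleted from staging, never from the web root.
        if os.path.exists(staged):
            os.remove(staged)
```

The destination folder should also be configured so the application server does not execute scripts from it; the leading-bytes check only confirms the file starts like an image.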
