The battle over Flash and its role (or lack thereof) on the iPhone came to a head today when Apple CEO Steve Jobs published an open letter explaining why his company won’t support Flash on the iPhone, iPod touch and iPad.
Adobe CEO Shantanu Narayen spoke with The Wall Street Journal to deliver his response. Unsurprisingly, the arguments from both parties are self-serving in parts and gloss over some realities.
It’s time to cut through the BS and, in turn, determine what the Apple-Adobe feud means for consumers and developers.
H.264 Rules Web Video, Not Flash
For most end-users, the debate over Flash is largely a debate about web video. Yes, Flash is used in other ways — for web-based games and ever-decreasingly in website design — but thanks in large part to YouTube, Flash is most commonly associated with web video.
In his letter, Steve Jobs highlights a point that I have made myself on many occasions: Web video is overwhelmingly encoded in H.264. Not only is the H.264 codec the default encoding setting for practically every video service online, it is also by and large the default codec for raw video from digital video cameras. That means that if you upload video from your Flip camera directly to YouTube, it doesn’t have to convert that video into a new format, which requires more time and resources.
Adobe started to support H.264 back in 2007, essentially buying Flash time as a video container without forcing video services like YouTube to transcode the native H.264 video into something else that Flash could use.
HTML5 Is the Best Way to Deliver Video on Mobile
The problem for Flash isn’t that it can’t adapt to contain other types of video; it is that software and hardware, particularly on the mobile side, have moved in a direction that natively supports the playback of H.264 content. Why bother using a container if you can play the file natively and get the memory advantages of not having a container plus hardware optimization?
Even on devices that support Flash Lite, the video experience is almost always optimized for H.264. HTML5 just makes the process easier to integrate across multiple platforms. While the proprietary and licensed nature of H.264 has turned some browser makers away from supporting H.264 in the HTML5 video standard (Mozilla and Opera are the most vocal opponents), mobile devices that already have it licensed by hardware vendors are going to use the technology. The quality, player experience and even live stream and ad insertion abilities of HTML5 are expanding all the time as well.
Look at the Sublime Player demo from Jilion for a great example of what can be done with HTML5 and web video. SublimeVideo is working on a solution that will serve HTML5 video by default in mobile browsers, Safari, Google Chrome and Internet Explorer 9, and serve Flash video by default in browsers such as Firefox and Opera.
The fact that so many web video providers are working to embrace HTML5 isn’t because Apple doesn’t support Flash, but because it is the best way to deliver video to all smartphone users. With or without Apple, the shift to native playback is where web video is headed.
Flash Hasn’t Proven Itself on Mobile
Even if you completely disagree with Apple’s position on Flash, the reality is this: Flash has not proven itself on mobile platforms. Specialized systems like Popbox, the new TiVo Premiere and some other embedded iTV systems aside, as a technology Flash has existed almost solely in the desktop browser.
Flash 10.1 is supposed to be the first version of Flash that will actually ship on a number of mobile phones in a way that is more than just Flash Lite. Flash Lite, which is the current implementation that some Windows Mobile and Android phones support, is not a great experience. It doesn’t have hardware acceleration and is limited in terms of what types of content it can support.
Adobe claims that Flash will be shipping on supported devices later this summer, but at this point, I’ll believe it when I see it. It also looks like the minimum requirements are going to be the equivalent of what the Nexus One offers, meaning it will only be available on the high end of the smartphone market, not the mid or low-end. The promise of Flash on mobile devices has been long in the making, but aside from demonstrations, it hasn’t happened.
Flash on Mobile Has Issues
Even on hardware that is supposed to support Flash, Flash is often not included. For instance, when Firefox Mobile was released for the Nokia N900, Flash support was removed at the last minute. Why? Because it wasn’t a good experience.
Even on Intel’s Atom platform, Flash has issues. This is why playing back fullscreen Hulu or HD YouTube clips is often painful on a netbook (even an ION or Tegra netbook). Again, Flash 10.1 is supposed to bring hardware acceleration that will make those types of processors handle video in more robust ways, but frankly, when there are still longstanding issues with Flash on x86 computers, how can we expect the transition to mobile to be problem free?
This isn’t to say Flash couldn’t become a killer, hardware optimized superb mobile platform — but at this stage, everything that Flash is so good at doing on the desktop isn’t happening with Flash on mobile devices. Rather than defend Flash’s performance on mobile devices with words, I’d much rather have Adobe actually release working products that show off why the technology can work well across platforms, including mobile.
One Size Never Fits All
It’s nice to get caught up in the fantasy of building an application that can be deployed on any type of device and work the same way across the board. Sun Microsystems called this “write once, run anywhere,” and it was the de facto slogan for Java. However, as anyone who has ever actually written for Java knows, the differences in Java virtual machines (JVMs) mean that in practice, it can often take more time to try to debug a solution and get it working on another platform than it would to just write it natively for that platform.
Web applications are actually the closest example of “write once, run anywhere” actually working. Even then, browsers still need to be optimized for specific platforms in order to run applications built using web languages. This is one reason why native application building for smartphones has become so popular: native applications usually offer a better experience than simply using the web.
It’s fine to aspire for solutions that will work well across a variety of platforms, but users need to continue to be aware of the technological realities that prevent that from happening. If nothing else, the Apple-Adobe debate highlights that computer software — web based or otherwise — is not one size fits all.
Did we mention that 2010 would be a big year for HTML5? Apple and Google are pushing it big time, and now so is Microsoft. When Internet Explorer 9 comes out, it will support HTML5 and help make it more common across the Web.
“The future of the web is HTML5,” writes Dean Hachamovitch, the general manager for IE at Microsoft, in a blog post talking about Web video. Microsoft still supports Flash as well, but HTML5 and Flash are at loggerheads. By throwing its weight behind HTML5, Microsoft is giving Website designers one more reason to abandon Flash.
The post specifically talks about Microsoft’s plans to support only the H.264 codec for HTML5 video. Again, Flash players now support H.264 also. But the more H.264 video is out there, the less need there will be for Flash players because those videos can play directly in an HTML5 browser, such as IE9, Safari, or Chrome.
And, as Apple CEO Steve Jobs discussed in his we-don’t-need-no-stinkin’-Flash rant yesterday, H.264 is much more mobile-friendly:
To achieve long battery life when playing video, mobile devices must decode the video in hardware; decoding it in software uses too much power. Many of the chips used in modern mobile devices contain a decoder called H.264 – an industry standard that is used in every Blu-ray DVD player and has been adopted by Apple, Google (YouTube), Vimeo, Netflix and many other companies.
Although Flash has recently added support for H.264, the video on almost all Flash websites currently requires an older generation decoder that is not implemented in mobile chips and must be run in software. The difference is striking: on an iPhone, for example, H.264 videos play for up to 10 hours, while videos decoded in software play for less than 5 hours before the battery is fully drained.
Hachamovitch is more diplomatic. He also notes that “Flash does have some issues, particularly around reliability, security, and performance.” Nevertheless, he adds that too many consumers rely on Flash, so Microsoft will continue to work with Adobe to make it better.
And if it doesn’t get better, . . . well, by that time HTML5 will be more widely distributed on sites across the Web. Microsoft and Apple and Google will make sure of that.
I do too! Are you ready for HTML5??
The mediafront platform is an open source (GPLv3) front end media solution for the web. Through its integration with popular content management systems, it employs an innovative and intuitive interface that allows any website administrator to completely customize the front end media experience for their users without writing any code.
In addition to this amazing module, the OSM (Open Standard Media Player) Player is included. It is an open source (GPL) media player that is built to dynamically deliver any type of web media, including HTML5, YouTube, Vimeo, and Flash.
Requirements: jQuery Framework
Demo: http://www.mediafront.org/project/osmplayer
License: MIT License
The PHP language includes lots of helpful functions for easily filtering, cleaning and manipulating content, all of which are excellent tools in the hands of a skilled developer. A solid knowledge of these filtering tools will help you achieve enhanced security and functionality in your projects.
Today, I’m going to give you a crash course on PHP’s basic filtering functions so that by the end of the tutorial you’ll be able to easily escape data, strip tags, remove words and more.
Escaping Strings
First up is string escaping, implemented with what is probably the most basic of PHP’s filtering functions – addslashes(). This function escapes single quotes, double quotes and backslashes for you, allowing you to (more) safely accept form data, etc. Say for example you have an input field (named ‘title’) and someone types "Suzie's Blog". Those double and single quotes can cause some problems, but not for long:

    $title = addslashes($_POST['title']);
    //$title is now safe to use!

    echo $title;
    //outputs \"Suzie\'s Blog\"

As you might guess, addslashes() has an inverse function: stripslashes(). On a side note, in case you ever find yourself developing a custom WordPress plugin, stripslashes() is incredibly useful for removing the slashes that WordPress adds to saved options values.
So all this is pretty handy, but for MySQL queries it’s smart to use something a bit more powerful. Up next-
Escaping MySQL Queries
MySQL injection attacks are a very real concern, making data sanitation a must for any web developer. Thankfully, mysql_real_escape_string() provides a way to easily and safely escape dangerous characters from a MySQL query before executing it. This is perhaps the most often used PHP sanitation function. Here’s an example:

    $title = $_POST['title'];
    //$title could be anything, including an injection

    $title = mysql_real_escape_string($title);
    //It's now safe:
    //the escaped value must sit inside quotes in the SQL text
    mysql_query("INSERT INTO blogs(title) VALUES('$title')");

This function is one that anyone working with PHP and MySQL will use quite often – it’s elegant and potent (it even works on binary data).
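The same insert with a bound parameter instead of string escaping, as an added example that is not part of the original tutorial. The mysql_* functions were removed in PHP 7.0, so this uses PDO; the in-memory SQLite database (chosen so it runs offline), the table layout and the helper names open_db(), save_title() and load_title() are assumptions.

```php
<?php
// Added example: bound parameters keep user input out of the SQL text entirely.
// Assumptions: PDO with the SQLite driver; table and function names are hypothetical.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blogs (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $db;
}

function save_title(PDO $db, string $title): int
{
    // The statement is parsed with a placeholder; the value travels separately,
    // so quotes in $title can never terminate the string literal.
    $stmt = $db->prepare('INSERT INTO blogs (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $db->lastInsertId();
}

function load_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM blogs WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

$db = open_db();

// Constructed sample inputs: an ordinary title and one shaped like an injection.
$samples = [
    '"Suzie\'s Blog"',
    "x'); DROP TABLE blogs; --",
];

foreach ($samples as $input) {
    $id = save_title($db, $input);
    // True when the stored value is exactly what was submitted.
    var_dump(load_title($db, $id) === $input);
}

// The table still exists and holds one row per sample.
echo $db->query('SELECT COUNT(*) FROM blogs')->fetchColumn(), " rows\n";
```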
Encoding HTML Entities
htmlentities() is another fun and useful function. It will automatically encode special characters such as <, & and " as HTML entities (&lt;, &amp; and &quot;). It's most useful for taking non-malicious user input that simply has special characters in it and formatting them for display. Here’s how you might use it, supposing someone submitted a title called Me & My Dog, "Buddy" > An Essay:

    $title = $_POST['title'];

    $title = htmlentities($title);
    //encode the string

    echo $title;
    //outputs a correctly encoded title

This function isn’t designed to be a security filter (for filtering malicious data); it’s simply a convenient way to make sure user data is encoded correctly. It also has an inverse function, html_entity_decode().
Stripping Tags
Sometimes you don’t want to just encode html tags, you want to strip them out completely. PHP’s strip_tags() is the perfect solution, doing just what the function name implies. Say someone sends in malicious data:

    $title = $_POST['title'];
    //$title's value = "Happy <script src="http://evilsite.com/hack.js" ></script> Birthday!"

    $title = strip_tags($title);
    //remove dangerous tags

    echo $title;
    //outputs "Happy  Birthday!"

That’s it – all tags are removed just like that. A useful function indeed. But what if you want to strip some tags (like script, img) but leave some (strong, a, p)? Read on!
Advanced Data Filtering
These functions that we’ve just been through will work the majority of the time, but there will be situations where they aren’t quite versatile or powerful enough. Thankfully, we have regular expressions. Using some regexp patterns and the powerful PHP function preg_replace(), we can filter, strip, replace, or remove pretty much anything we want without much trouble at all. Believe me, this thing is powerful.
You can check out more about preg_replace() here, but the basic idea is that it accepts two arguments – what to look for (called a needle) and what to look in (called a haystack). The needle and haystack can be strings or arrays (if you have multiple phrases/words/patterns to search for).
Here’s an example of how you’d set up preg_replace to strip all script tags and leave other tags:

    $dangerous_content = "Hello, <script type='text/javascript'>alert('hacked!')</script> how are you?";
    //this is the malicious content we need to sanitize

    $script_tags = '/<script\b[^>]*>.*?<\/script>/is';
    //match anything between opening and closing script tags

    $fixed_content = preg_replace($script_tags, '', $dangerous_content);
    //malicious scripts have now been removed!

You could also set it up to strip out a series of forbidden words (profanity, spam words, etc.) like this:

    $forbidden = array('/forbidden1/i', '/forbidden2/i', '/forbiddenN/i');
    //these words are the ones that will be stripped out (each one is a pattern with delimiters)

    $fixed_content = preg_replace($forbidden, '', $_POST['comment_text']);
    //goodbye, forbidden words

As you can see, it’s actually surprisingly easy to manipulate data with PHP and prepare it for use. Nothing stands in your way!
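The "strip some tags but leave strong, a, p" case raised earlier, as an added example that is not part of the original tutorial. Instead of matching tags with a regular expression, it parses the markup with DOMDocument and keeps only an allowlist, which also covers attributes such as onclick that a tag-only filter leaves in place. The function name sanitize_html(), the tag lists and the http/https rule for href are assumptions.

```php
<?php
// Added example: allowlist HTML filter built on DOMDocument (ext-dom).
// Assumptions: function name, tag lists and the href rule are hypothetical.

function sanitize_html(string $html, array $allowed = ['strong', 'a', 'p']): string
{
    $drop = ['script', 'style', 'iframe', 'object', 'embed']; // removed with contents
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user markup is often malformed
    // The wrapper div gives a known root; the XML prolog marks the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    // Snapshot first: the node list is live and the loop edits the tree.
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        if (in_array($el->nodeName, $drop, true)) {
            $el->parentNode->removeChild($el);
        } elseif (!in_array($el->nodeName, $allowed, true)) {
            while ($el->firstChild) {           // unwrap: keep text and children
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
        } else {
            foreach (iterator_to_array($el->attributes) as $attr) {
                // Only href on <a> survives, and only with an http(s) URL.
                $keep = $el->nodeName === 'a' && $attr->nodeName === 'href'
                    && preg_match('#^https?://#i', $attr->nodeValue);
                if (!$keep) {
                    $el->removeAttributeNode($attr);
                }
            }
        }
    }

    $out = '';
    foreach ($root->childNodes as $child) {     // serialize without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input mixing allowed tags, disallowed tags and attributes.
$dirty = 'Hello, <script>alert(1)</script><p onclick="x()">how <b>are</b> '
       . '<a href="javascript:x()" title="t">you</a>?</p><img src=x onerror=y>';
echo sanitize_html($dirty), "\n";
```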
Find Out More
Before you go, here are some more great tutorials on PHP filtering, validation and sanitation: