YOURLS 1.7 and social bookmarklets

Last post in our series “What’s cool with YOURLS 1.7” — be sure to check previous posts dealing with SQL injections, security matters, HTTP improvements and other important subjects.

Today we’ll discuss about being social.

Social Bookmarklets

Bookmarklets have been polished and you have now 3 more to use. Head to the Tools page of your YOURLS install and you will discover these new buttons:


These bookmarklets will allow you to shorten a URL and share that short URL to Twitter, Facebook or Tumblr, all in one click. For extra goodness, you can also select text on the page you’re shortening before clicking the bookmarklet, and if the social site allows it, that text will serve as a highlight for your shared bit. Try it!

Oh, and of course, if you share links on social networks this way, be sure to tell your friends about YOURLS! :)

Happy shortening !

This ends the tour of new features in YOURLS 1.7. Have fun using it, shorten URLs like it’s your birthday, star the project on Github, follow @yourls for general YOURLS news and tell your friends about it.

Depending on feedback we may release a 1.7.1 if and when we feel it’s necessary. The next batch of features that will make it into 1.8 and 2.0 are currently being under development and, as usual, there is *no ETA* :)


Short URL to this post:

YOURLS 1.7 and automatically encrypted passwords

Another day, another highlight of a new feature in YOURLS 1.7. In case you weren’t there when the party started, we already covered defense against SQL injections, HTTP requests robustness, funky UTF8 charsets support, proxy support, automatic checking for a new version and a few other neat stuff.

Today will be about increased security of your credentials with automatic password encryption.

Password encryption ?

When you set up YOURLS for the first time, or when you add a new user, you edit your config.php and add a user and a password. Something like:

$yourls_user_passwords = array(
	'joe' => 'MyPassword',

Simple and easy. Now, the thing is: if someone sees that file for whatever reason, they know your YOURLS password (which is the same for most of your other stuff online, admit it).

Previously in YOURLS you could manually hack the config file to encrypt yourself passwords, using a salt and a MD5 hash. Near perfect and practically undecryptable, except that whenever something has to be done manually, well, it has to be done. And you don’t do it.

We’ve improved things in YOURLS 1.7 : encryption is now automatic.

Automatic password encryption !

After you’ve edited your config file, simply use YOURLS. Next time you’ll check your config.php, instead of a clear text password, you’ll see something like this:

$yourls_user_passwords = array(
    'joe' => 'phpass:!2a!08!gRCCvpvK22BgiNzN9q9fXOnjCXqjk88aQoZP/P0wydAj7bB2',

What happened? Using a military grade encryption library, YOURLS has silently encrypted your password to something completely and absolutely unbreakable.

Your password remains unchanged when you want to use it, so your YOURLS install is still as private as your password is secure, but that password does not exist any longer in clear text.

If you need to change your password, simply edit your config file again with a new password, and next time YOURLS will run, it will simply encrypt it again. Don’t want that to happen, for some and probably bad reason? No problem, just add define( 'YOURLS_NO_HASH_PASSWORD', true ); to your config file and you’re done.

If you have any question or problem with that feature, be sure to first check the wiki about YOURLS Usernames & Passwords.

Next time: social bookmarklets and other miscellaneous goodness.

Short URL to this post:

On YOURLS 1.7 and

In case you missed it earlier: YOURLS 1.7 is out, and I’ve started a series of posts explaining why it’s twice greater than the Great Wall of China.

Previous posts explained how protecting against SQL injections is cool, and how better HTTP requests are neat. Today, let’s discuss how awesome it is to chit chat with

“Update, dude”

One image is better than 1000 words, they say, so here’s one image:

Update, dude!

This is what you’ll see now when there’s a new version of YOURLS and you’re missing the party. That, my dear estimated YOURLS user and fan, is awesome. Since we’re now sure you won’t be missing the next update, we’ll be much less reluctant to push a X.Y.1 release when we’ve fixed a tiny annoying bug.

Your own YOURLS setup will be now chatting with the mothership (aka when it gets bored, and telling you about a new version as soon as it is available is only the visible part of the feature.

YOURLS phone home

Just like E.T., YOURLS will now phone home. What does that mean exactly?

It means that your YOURLS setup will, along with checking once in a while if there’s a new version, send a few stats to the mothership to help us understand how you have installed YOURLS and how we can improve things in the future. These stats will provide us tremendously useful insights and facts, and I’m not overstating this.

At the moment, several stats are collected, and this number will most likely decrease with every new version. Only a few hundred installs have checked in, and things will widely change as many more install YOURLS, but here are the current trends:

  • Less than 9% of you are running PHP 5.2. This is very good news, because we want to drop PHP 5.2 support as soon as possible, and a huge surprise when compared to the whole internet or to what WordPress users are running (I’m expecting this share to go way up as more update their install, though)
  • 96% have MySQLi installed, 95% have PDO. I’m very surprised and I’m not sure what to think, since I was expecting no less than 100% here.
  • Two thirds of you don’t use any plugin. It might be an indication that YOURLS could be streamlined and go on a quick diet to move a few core features into YOURLS plugins. Or maybe it just means that 66% of you just find it perfect as it is.
  • 90% use the default English locale. I think this shows we’re not promoting enough the existence of translations for YOURLS, in your language. Si. Da. Oui.
  • The average domain length running YOURLS is 11.8 characters, shortest being 5 (xx dot xx), longest being 55 and a proof that some of you are running YOURLS with completely unexpected use case (I mean, I would have imagined the whole point of running a URL shortener would be to run it off something already short, right?)
  • 51% of you have more than 1 user defined, so they’re obviously a need for user management, and this will help us eventually prioritize that feature

Future stuff from the mothership

At the moment, checking for a new version is the main job of the API server. There are a few other API available, and the list will grow with more services, the obvious one being to check for plugin updates.

Feel free to use these API in your scripts and apps, and if you have any question about usage or any issue with using it, open an issue here.

Thank you for your cooperation !

From now on, an easy way to contribute to YOURLS is to simply run YOURLS, since, doing so, you’re sending these stats that will help us make good design decisions in the future.

I can’t express it enough: this will be tremendously useful for us.

Nothing sensitive is sent (no login, no password, no cookie key) and, of course, everything collected shall be made public, for everyone’s benefit. Once we have enough stats to make numbers a bit more reliable (a couple thousands I’d say), we’ll figure a way to share them, probably on

But, you know, privacy!?

No sweat, we got you covered.

We know some of you just don’t like to report anything about their install, because they’re working on a super top secret project, or because they’re high profile military spies, or because they’re just folks with no other valid reason that they want to do it.

If you want your YOURLS install to skip phoning home, just add the following line at the end of your config.php:

define( 'YOURLS_NO_VERSION_CHECK', true );

No more checking for new version, no more sending super secret stats. Please do this only if you believe you have a reason to do this, as we’d rather have your stats in: the more we get, the more we can make out of it.

That’s it for today’s highlight! Feel free to ask here in the comments any question on this particular topic. Next time, next cool feature: username encryption!

Short URL to this post:

What’s new in YOURLS 1.7 : better HTTP requests handling

As you may know, YOURLS 1.7 was released a couple days ago (announcement). I promised a few blog posts highlighting the goodness and new features this version brings, so let’s get started.

Besides better protection against potential SQL injection attacks and overall security measures, what’s new in YOURLS 1.7?

Better HTTP requests handling

Instead of a half-baked home-grown set of functions to perform HTTP requests, YOURLS is now using the awesome PHP library Requests.

“Yeah, err, probably cool”, you’re thinking, “but how exactly is that useful for me?” I hear you, let me elaborate.

Proxy support

The first direct benefit for you, kind user, is that YOURLS is now proxy-compatible, and you can install it behind a proxy or firewall. The will primarily interest corporate users or anyone setting up a YOURLS shortener in a corporate environment. If you’re into this, be sure to check the documentation: YOURLS proxy support.

By the way, this is an excellent example of how open source projects can cross-pollinate each others. Requests is an excellent library I wanted to use, I contributed to it to add proxy support, and now it powers the inners of YOURLS.

Better support for UTF8 titles

There’s a more direct benefit for the masses of that HTTP request handling improvement. Now, YOURLS should more reliably fetch titles from pages you’re shortening, no matter how ẘεḯґ∂ and ḟüᾔḱƴ character set they’re using.

You mean people write like this? OMG.

This should work better than ever, with most combination of charsets, as declared by HTML pages or by server header.

Interactions with

And that is the one feature I’m particularly in love with. It’s so neat, it deserves its own blog post. Next time!

Short URL to this post:

YOURLS 1.7 “Tom Araya” released

I’m pleased to announce the release of YOURLS 1.7 “Tom Araya”

\m/ Tom Araya \m/

In our now centennial tradition of naming YOURLS releases after a metal vocalist, I’m dedicating this release to Tom Araya, from the most excellent badass old-school thrash band we all love, Slayer. Well, vocalist, or maybe screamist, you be the judges :) Before you continue reading, feel free to crank up some good ol’ relaxing tune.

Update now. Seriously, now\’;UPDATE `your_table` WITH `crap`

YOURLS 1.7 brings several exciting new features, and I will cover major ones in an upcoming series of short blog posts. If you’re of the TL;DR type, check the changelog.

The first feature I want to highlight is not even a feature, it’s a bugfix: in YOURLS 1.7 we have scrutinized several aspects regarding security and we have fixed a potential SQL injection vulnerability.

If you run YOURLS for your own and only use, update ASAP, but if you run a public URL shortener, update riiiiiiiiiiight nooooooooooooow (read that in Tom Araya’s voice to get the feeling)

This update is a simple drop-in replacement: download the latest archive, unzip and upload to your server, overwriting existing files. No update procedure, no DB upgrade.

Update as soon as you can, and do your friends a favor: tell them a new version of YOURLS is out and they should update, tweet and retweet the good word.

Speaking of tweets

A quick note regarding tweets: @yourls used to broadcast boring nerd stuff, aka commit messages. No more boring stuff, it’ll be limited to YOURLS news of general interest. The hardcore nerd herd can follow @yourls_dev instead, where you’ll get an idea of the coding activity and pace.

Executive summary

Update now. Blog posts about awesome features in the next days.

Short URL to this post: