Developers need to know a lot in order to build secure applications. Some of this is good software engineering and defensive design and programming - using (safe) APIs properly, carefully checking for errors and exceptions, adding diagnostics and logging, and never trusting anything from outside of your code (including data and other people's code). But there are also lots of technical details about security weaknesses and vulnerabilities in different architectures and platforms and technology-specific risks that you have to understand and that you have to make sure that you deal with properly. Even appsec specialists have trouble keeping up with all of it.

He links to several of the OWASP cheat sheets for things like:

• authentication best practices
• using HTML5
• preventing SQL injection
• input validation

Unfortunately, cross-site scripting attacks occurs mostly, because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to prevent them in your code.

Included in the tutorial is an example with a simple form and definitions of different types of XSS attacks - reflected XSS, persistent XSS and three ways to prevent them: data filtering, output filtering and data validation. He also links to a few "cheatsheets" to help even more (including this guide and a Zend Framework set of XSS test data.

All this is long gone in the past since the introduction of Zend_Application and the bootstrapping resource adapters. Zend introduced a standard bootstrapping mechanism into their framework. Many of the options from different framework components can now be configured in the applications configuration file application.ini. One problem persists although: the documentation. All the parameters for components like View, Session, Database etc. are documented either with the bootstrap resource, the component itself or both.

They've posted it to github complete with sections detailing:

• CacheManager
• Db
• FrontController
• Layout
• Navigation
• Router
• Translate

...and quite a few more. This is a great reference for anyone using the Zend Framework, no matter your experience level.

Date and time handling in general is a problem in programming. For PHP programmers, there's a good library out there that performs all the difficult tasks and provides convenient APIs. Zend_Date has several constants defined. It is good to know what each one of them represents.

You can either come back to this post if you need a reference or you can download the PDF and have it right at your fingertips.

In this post we release a yet another freebie: a Drupal Cheat Sheet Desktop Wallpaper, a desktop wallpaper that features most popular variables of the open source content management system Drupal. The wallpaper was created by Giovanni Scala for Smashing Magazine and its readers.

There's multiple sizes you can download for several of the popular resolutions like 1024x768, 1440x900 and 1920x1200. The cheatsheet describes the Page.tpl.php, Node.tpl.php, Comment.tpl.php, Nlock.tpl.php and Box.tpl.php interfaces.

You might think that I would know the driver API by heart at this point, but alas, my many trips back to the documentation are proof that my brain is like a fixed length queue - if something new goes in, something else must go out. So, I've created a cheat sheet that saves me some of those trips to the documentation. I'm hoping that others might find it helpful too

He mentions a few things that make the sheet particularly useful - signatures for the functions are included but not the type info for the parameters, a list of PHPTYPE constants, FETCH constants (for the return type) and CURSOR constants (for defining cursor return type). You can see a preview of it here (as a PNG) and grab the actual sheet here as a PDF.

When it comes to quickly dealing with large blocks of data, batch processing operations or screen scraping, regular expressions are often the most effective solution. There's just one problem, though - learning them can be as hard as learning a new language altogether. Here's how to get off to a flying start.

He points you first in the direction of the preg_* functions then towards a few examples (like with mod_rewrite) and tools to help you understand how things match, like the regex tested extension for firefox and the regular expression cheat sheet on AddedBytes.com.

Included in the list are several PHP-related ones, including:

• the Ilovejackdaniels.com PHP cheat sheet
• the PCRE cheat sheet for PHP from phpguru.org
• PHP Template Designers
• the symfony project's guide to the framework admin generator

There's tons more where that came from including lots of other web-related ones for CSS, HTML, Javascript and the like. Check out this page on techtarget.com for the full listing.

I think one of the most frustrating things about web development is designing applications for multiple platforms. Whether my frustrations lie with developing applications for multiple PHP versions with multiple cache systems or designing CSS for multiple browsers, nothing is more frustrating than having applications work on multiple server software. That is why I absolutely love every cheat sheet that I can run across for these situations.

This cheatsheet lists just about every $_SERVER value I can think of and where its supported (between Apache, Apache SSL, IIS, and IIS SSL). They've also marked the ones in bold that are availible consistently across all of the setups...]]> Wed, 09 Nov 2005 06:22:51 -0600