Summarising knowledge has as much value as writing a 200 page treatise on a topic, so here is a list of 20 brief points you should bear in mind when battling Cross-Site Scripting (XSS) in PHP. Minus my usual book length brain fart . Chances are good that ignoring or acting contrary to any one of these will lead to a potential XSS vulnerability. It's not necessarily a complete list - if you think something needs to be added, let everyone know in the comments.

His tips include things like:

• Never pass data from untrusted origins into output without either escaping or sanitising it.
• Remember that anything not explicitly defined in source code has an untrusted origin.
• Always include ENT_QUOTES, ENT_SUBSTITUTE and a valid character encoding when calling htmlspecialchars().
• Use rawurlencode() to escape strings being inserted into URLs and then HTML escape the entire URL.
• Validate all complete URLs if constructed from untrusted data.
• Remember that HTMLPurifier is the only HTML sanitiser worth using.
• Ensure that cookies which must only be transmitted over HTTPS are marked Secure.

He points out that XSS is still one of the most "popular" (and easy to exploit) attack methods out there, so keep these tips in mind when writing up your code.

• ALWAYS do the simplest thing that will work
• NEVER trust anything that comes from the user
• NEVER use include for controlling logic
• NEVER create a file of useful functions, even if it's called helpers.php

There's also been some discussion about this list over on Reddit - you can comment on it over there if you agree/disagree with some of his points.

Laravel is a PHP framework which uses the MVC pattern. Of course, there are many such projects and I'm not going to compare Laravel with other frameworks in this article. Instead, I'm going to share with you what's new in the newest version of Laravel - Laravel 4.

There's a list of things that have changed (each with a summary of what they are):

• Decoupled Components
• Creating a "Normal" Project
• Routes
• Better Code through Testing
• The Container and Its Bindings
• Improved CLI
• New Database Features
• Using Stand-Alone Components

Good tools are invaluable in figuring out where problems lie, and can also help to prevent problems from occurring in the first place, or just help you to be more efficient in general. Command line tools are particularly useful because they lend themselves well to automation and scripting, where they can be combined and reused in all sorts of different ways. Here we cover six particularly powerful and versatile tools which can help make your life a little bit easier.

The tools they mention are all things you'd install on a unix-based system:

• Curl
• Ngrep (network packet searching)
• Netcat (to work with network connections)
• Sshuttle (SSH tunneling)
• Siege (HTTP benchmarking)
• Mitmproxy (capturing proxy, both HTTP and HTTPS)

In this article I'll talk about a common task you might have experienced while developing a PHP application: listing files and directories. I'll discuss several basic and advanced solutions, each having its pros and cons. First I'll present three approaches that use some very basic PHP functions and then progress to more robust ones which make use of SPL Iterators.

The solutions they look at are the built-in functions like glob and readdir/opendir as well as SPL iterators up for the task - FilesystemIterator, RecursiveDirectoryIterator and GlobIterator. Code samples are included in the post, showing how to use each method to get and list the files. A few helpful hints are also included to finish off the tutorial (mostly about "tricks" to using the functions effectively).

Developers need to know a lot in order to build secure applications. Some of this is good software engineering and defensive design and programming - using (safe) APIs properly, carefully checking for errors and exceptions, adding diagnostics and logging, and never trusting anything from outside of your code (including data and other people's code). But there are also lots of technical details about security weaknesses and vulnerabilities in different architectures and platforms and technology-specific risks that you have to understand and that you have to make sure that you deal with properly. Even appsec specialists have trouble keeping up with all of it.

He links to several of the OWASP cheat sheets for things like:

• authentication best practices
• using HTML5
• preventing SQL injection
• input validation

One of the very first ideas we had for this blog was to convert some of the wonderful gems of the early era of our site, the undisciplined period, to blog posts. Questions that were once enthusiastically received by the community, but no longer fit Programmer's scope.

The post has the top twenty answers to the "What's your most controversial programming opinion?" question as proposed on StackOverflow and includes things like:

• Programmers who don't code in their spare time for fun will never become as good as those that do.
• The only "best practice" you should be using all the time is "Use Your Brain".
• Not all programmers are created equal.
• If you only know one language, no matter how well you know it, you're not a great programmer.
• Your job is to put yourself out of work.
• Readability is the most important aspect of your code.

Check out the full post for the complete list...and for the 100+ comments that have been added to it by programmers with both agreeable and disagreeable opinions.]]> Tue, 04 Sep 2012 10:14:44 -0500 http://www.phpdeveloper.org/news/18240 http://www.phpdeveloper.org/news/18240 Security has become more of a hot topic in the PHP community recently and PHPMaster.com has pulled together a list of resources you can read up on to get some great ideas for securing your application.

The unfortunate truth of the matter is there's no excuse for [the LinkedIn, Yahoo!, eHarmony and Last.fm] leaks; they would not have been possible if simple, well-known security precautions were taken. Are you protecting yourself and your applications by guarding against SQL-injection attacks? Are you filtering and validating user input? Are you properly hashing user passwords? I hope so! If not, read some of the security-focused articles PHPMaster has published throughout the past year and apply these best practices to your code today!

Articles in their list include:

• Why You Should Use Bcrypt to Hash Stored Passwords
• Input Validation Using Filter Functions
• Multi-Factor Authentication with PHP and Twilio
• Monitoring File Integrity

Check out the rest of the post for links to other great articles.

This is a list of over 50+ Documentation Manuals and Guides for Programmers, Web Developers, and Web Designers. I will actively update this list with more Manuals as I come across them. If you would like something added, please leave it in the comments section below. Over time it will become more refined and better organized and in return, more useful so please bookmark and share with your friends.

Linked resources include:

• the PHP manual
• the HTML5 reference
• Zend Framework docs
• Redis docs
• Dochub.io (online code searching)

Sometimes you may want the users on your site to upload the zip file and then check what are the contents of that zip file. In this article I will tell you how to extract the contents of the zip file. I temporarily extract the zip files to a directory and then delete it afterwards. You can chose to keep the extracted content if you want.

The tutorial walks you through the code, showing you how to use their "ZipArchive" class to grab the file, extract the contents and display a list of the "child files" inside it. You can see a live demo of it in action or just download the source and dive right in.