PHPDeveloper.org

Evan Sims' Blog: TwitterBash launches

Fri, 20 Jun 2008 11:25:24 -0500

Evan Sims has posted about the launch of a CodeIgniter-driven application that brings the bash.org quoting abilities to the world of Twitter.

Today marks the launch of TwitterBash, a concept conceived and design by my good friend Judson Collier. [...] TwitterBash takes the concept of the long Internet-famous bash.org, which allows folks to post snippets and quote conversations from IRC, and applies it to Twitter. Just sign up for an account, then head to the submit page. Pop in the permalink for a tweet you want to quote and you're done.

The site runs on the PHP5 CodeIgniter framework allowing for fast and easy development. There's already a pretty good amount of content, so go over and check it out (and submit some of your own).

Christopher Jones' Blog: PHP 5.3 "NOWDOCS" make SQL escaping easier

Thu, 14 Feb 2008 11:18:00 -0600

Christopher Jones has posted about an update to the development for PHP 5.3 that makes escaping SQL even easier in scripts - NOWDOCS.

Escaping quotes or other meta characters in SQL can be painful unless you get lucky with your quoting style. [...] Even with PHP's "Heredoc" syntax something will need escaping, but with PHP 5.3's new "Nowdoc" syntax no escaping is needed.

The only difference between HEREDOC and NOWDOC is that the initial keyword (like the first END in this statement: <<<'END' text here END;) that can make worrying about complex quoting rules a thing of the past.

Gareth Heyes' Blog: htmlentities is badly designed

Mon, 26 Nov 2007 10:23:00 -0600

Gareth Heyes has a quick new post to his blog today about the use of htmlentities and the false assumptions some developers have about it:

When someone uses htmlentities I've seen it time and time again that they expect that it filters variables from all XSS. This is wrong of course because the function requires a second parameter ENT_QUOTES which correctly replaces quote characters. Some developers aren't even aware that quotes can lead to XSS injection.

He reminds developers of the second parameter - the ENT_QUOTES parameter that correctly replaces quotes. Other people have mentions things in the comments as well like another optional parameter to force an encoding type and opinions about the function's use.

Terry Chay's Blog: Ed Finkler agrees with me

Tue, 01 May 2007 12:38:00 -0500

Terry Chay has some of his own comments surrounding the latest episode of the Pro::PHP Podcast, an interview with Ed Finkler about the state of PHP security.

Ed Finkler agrees with me. Thanks Ed. :-) Listen to the podcast. It's a realistic assessment of the state of security in PHP.

He also includes a favorite quote from the podcast (as said by Ed):

If web developer doesn't understand common security issues they shouldn't be considered developers...[Web applications] essentially are dealing with data that someone is inputting there. As a developer of web applications, you are essentially stewards of that data.