Summarising knowledge has as much value as writing a 200 page treatise on a topic, so here is a list of 20 brief points you should bear in mind when battling Cross-Site Scripting (XSS) in PHP. Minus my usual book length brain fart . Chances are good that ignoring or acting contrary to any one of these will lead to a potential XSS vulnerability. It's not necessarily a complete list - if you think something needs to be added, let everyone know in the comments.

His tips include things like:

• Never pass data from untrusted origins into output without either escaping or sanitising it.
• Remember that anything not explicitly defined in source code has an untrusted origin.
• Always include ENT_QUOTES, ENT_SUBSTITUTE and a valid character encoding when calling htmlspecialchars().
• Use rawurlencode() to escape strings being inserted into URLs and then HTML escape the entire URL.
• Validate all complete URLs if constructed from untrusted data.
• Remember that HTMLPurifier is the only HTML sanitiser worth using.
• Ensure that cookies which must only be transmitted over HTTPS are marked Secure.

He points out that XSS is still one of the most "popular" (and easy to exploit) attack methods out there, so keep these tips in mind when writing up your code.

Oracle OpenWorld and JavaOne conferences are happening in San Francisco next week. It will be a busy and exciting time.

The PHP-related sessions are at OpenWorld this year including:

• High-Performance Web Applications with C/C++/PHP/Python
• Develop and Deploy High-Performance Web 2.0 PHP, Ruby, or Python Applications
• PHP, Ruby, Python, and Perl: Develop and Deploy Mission-Critical Apps with Oracle Database 11g
• Extending Oracle E-Business Suite with Ruby on Rails

For more information on the OpenWorld conference (happening October 2nd through 6th in Moscone Center in San Francisco, CA) take a look at the main event site.

August is one of the months that I devote to job trends. Last week I focused on the Python, PHP, JavaScript, Flex and Groovy.

According to the results on Indeed Javascript is in huge demand right now, completely overshadowing the others on the list. PHP came in second here. The results from SimplyHired show a similar story, but the gap between Javascript and second place - Flex - is a bit smaller. PHP came in third here.

Sections of the reference sheet include

• arithmetic and logic
• arrays
• execution control
• libraries and modules
• objects
• reflection

It's interesting to see how the various languages compare, where some have shortcuts for things and others fail at the same (or make it much more difficult). Descriptions for the different row types are also included.

Yesterday I came across a question: Do Web-Scripting Languages Really Need OOP? Here's my answer: only if you want to do more than an Hello World script (which is paradoxically how old school programmers measure the utility of a language.) I'll express some of my thoughts without compromises, which will be up to you.

He opposes the claims of the other post, noting that there's a reason most PHP frameworks are object-oriented and his concern with some of the comments on the post. He also responds to two of the comments on the post - one about the private scope and the other about namespaces.

The object-oriented revolution has not been without controversy. [...] Still, there's no doubt that the revolution has largely succeeded. Most of the popular programming languages in use today are either fully object-oriented or have object-oriented extensions. [...] We feel that the benefits of OOP for 'major' (that is, compiled) programming languages like Java and C++ are clear. On the other hand, we feel that the benefits of OOP for scripting languages (like Perl and PHP) are less obvious and are most debatable in the case of Web-scripting (PHP).

They go one to explain some of their reasoning including the differences between scripting languages and others and how OOP has been implemented on the scripting side. They point out some good things about OOP in PHP but still think it's "tradeoffy" for some of the problems with it.

For a very long time I have wondered if there were any real benefits between Perl, PHP or Python from a performance standpoint [...] So after much wondering I have decided to answer the question for myself once and for all. I am going to perform three tests that I think typify the use cases for all three languages, I am also going to code the same tests in C and in static HTML.

This first post shoes the results from the most basic of tests - a "hello world" that's echoed out to the page. He ran the tests with Apache's ab tool for 10,000 times and recorded the request per second, average request time and the overhead as compared to plain HTML. It's interesting to see the jump from the HTML baselines when the languages start getting involved with the stock PHP install coming in as the slowest of the group.

CSRF, or Cross-Site Request Forgery, is a vulnerability very common in websites. [...] This can be dangerous, especially if your admin interface is compromised: There may be a button on the other site which goes to your admin interface and deletes the latest blogpost for example - and you wouldn't want that!

His method is a three-step process for protection - use POST, protect against cross-site scripting and use a CSRF key in the form to help prevent abuse. A simple script is included to show it working and is adapted to work in a controller plugin for the Zend Framework.

Three years ago, Lynn Greiner interviewed the big cheeses responsible for the popular scripting languages PHP, Perl, Tcl, Python, Ruby and JavaScript to find out where the languages were headed. In this follow-up discussion, she asks the dynamic language luminaries what has changed since then.

Representatives from (previously) Netscape, the Perl Foundation, the Python Software Foundation and the IronRuby team were all included. Topics asked about include the differing needs for different languages, trends on adoption and why some of these shifts are happening.

The article, "You Used PHP to Write WHAT?!", covers the basics of the language - its status in the web programming world, the functionality it offers and the database interfaces it includes. They also include a hit list of reasons PHP is popular and why it's a good choice for your project.

Then things get a little strange - they move from their PHP praise to three things that have more to do with unresearched "facts" than the reality of the language:

• Security and PHP
• Working with PHP and the shell
• Scaling and PHP (in enterprise environments)

These incorrect assumptions have lead to many comments both from the PHP community and from users of other languages (like Java and ColdFusion) sharing thoughts on the contents of the article and the language in general. Check out the article's comments to see for yourself.

Community Comments:

• Cal Evans
• Luke Welling
• Harun Yayli