Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Community News:
Laravel 5 Now Includes Authorization
Sep 01, 2015 @ 15:50:41

In the latest release of the Laravel framework (v5.1.1) they've introduced authorization handling to the native framework. This allows you to integrate permissions checks and perform policy validation both on the backend and in the templates.

In addition to providing authentication services out of the box, Laravel also provides a simple way to organize authorization logic and control access to resources. There are a variety of methods and helpers to assist you in organizing your authorization logic.

The functionality includes the concepts of "abilities" (permissions, essentially) and validate the allow/deny status based on object properties, such as Users. The documentation shows how to perform the evaluations in the controllers, user model, form requests and even in the Blade templates. There's also a section on creating policies for more complex evaluations than just one-off permission checks.

To get a feel for what the community things of this new functionality, be sure to check out this Reddit thread with feedback, both positive and negative, on how it was implemented.

tagged: laravel framework authorization functionality permission policy allow deny

Link: http://laravel.com/docs/5.1/authorization

Johannes Schmitt's Blog:
A New Killer Feature for Symfony2 Security
Oct 31, 2011 @ 19:26:08

Johannes Schmitt has a new post about his "killer feature" he's added to the security for Symfony2 framework (as a bundle) - a new customized expression-based query language that's compiled down to native PHP to make permissions checking simpler and faster.

If you have used the Symfony2 Security Component to any modest degree, you will know that we have a quite heavy voting system which uses attributes like "IS_AUTHENTICATED_FULLY" to make authorization decisions. [...] If you are concerned about performance, then you should not be all too generous with the isGranted() calls. The second option would work as well, but writing a new voter each time you need to make a new check does not really seem ideal either. Fortunately, we can do better.

He includes an example of this expression language in a direct isGranted() call, a string that checks to see if a user has three different roles, and a snippet showing the same thing in the docblock comment of a controller method. The second is a bit more complex, checking for an admin role or if the user is the one that should be deleted. You can find more doucmentation here.

tagged: symfony2 framework security bundle expression language allow deny

Link:

PHPBuilder.com:
File uploads made easy
Sep 03, 2007 @ 16:28:00

PHPBuilder.com has a new tutorial posted to help you create a more complete file upload solution for your web application.

Every time I've written some code to upload a file, either to send it off as an email attachment or as an image for some dynamic content piece, I've always meant to write a few functions so I don't have to write the code again. [...] So I *finally* sat down and wrote this script.

They go through the settings first including the path to put the files in, types that are known and the ones that are allowed. Then its on to the code that creates the form field and handles the upload and validates it. You can download the code for the tutorial here.

tagged: file upload tutorial validation type allow file upload tutorial validation type allow

Link:

PHPBuilder.com:
File uploads made easy
Sep 03, 2007 @ 16:28:00

PHPBuilder.com has a new tutorial posted to help you create a more complete file upload solution for your web application.

Every time I've written some code to upload a file, either to send it off as an email attachment or as an image for some dynamic content piece, I've always meant to write a few functions so I don't have to write the code again. [...] So I *finally* sat down and wrote this script.

They go through the settings first including the path to put the files in, types that are known and the ones that are allowed. Then its on to the code that creates the form field and handles the upload and validates it. You can download the code for the tutorial here.

tagged: file upload tutorial validation type allow file upload tutorial validation type allow

Link:

Chris Shiflett's Blog:
Allowing HTML and Preventing XSS
Mar 16, 2007 @ 14:23:00

In this new post to his blog, Chris Shiflett helps to solve one of the problems that several web designers face when allowing user input but wanting to protect themselves as well - allowing HTML while preventing a user from including a cross-site scripting issue.

This problem comes up more and more often due to the rise of social networking and other Web 2.0 properties that embolden users. [...] Of course, BBCode inevitably comes up during these types of discussions, but I really hate the idea of using yet another markup language just because I'm too lazy to deal with HTML, especially if the markup language doesn't even try to be user-friendly.

He looks for a good solution, one that doesn't require learning a new markup or becoming overly complex (while avoiding strip_tags). He provides several chunks of code for different aspects of the method - first make the content safe, then move backwards in the translation for the items you want to allow.

tagged: allow html prevent crosssitescript secure user content input allow html prevent crosssitescript secure user content input

Link:

Chris Shiflett's Blog:
Allowing HTML and Preventing XSS
Mar 16, 2007 @ 14:23:00

In this new post to his blog, Chris Shiflett helps to solve one of the problems that several web designers face when allowing user input but wanting to protect themselves as well - allowing HTML while preventing a user from including a cross-site scripting issue.

This problem comes up more and more often due to the rise of social networking and other Web 2.0 properties that embolden users. [...] Of course, BBCode inevitably comes up during these types of discussions, but I really hate the idea of using yet another markup language just because I'm too lazy to deal with HTML, especially if the markup language doesn't even try to be user-friendly.

He looks for a good solution, one that doesn't require learning a new markup or becoming overly complex (while avoiding strip_tags). He provides several chunks of code for different aspects of the method - first make the content safe, then move backwards in the translation for the items you want to allow.

tagged: allow html prevent crosssitescript secure user content input allow html prevent crosssitescript secure user content input

Link:


Trending Topics: