Brian Swan's Blog: What's the Right Way to Prevent SQL Injection in PHP Scripts?
by Chris Cornutt March 05, 2010 @ 13:47:43
Brian Swan has a new post today looking at one way you can protect your web application from potential attack - preventing SQL injection by filtering input.
How to prevent SQL injection in PHP scripts is probably a topic that doesn't need anything more written about it. [...] However, it is important to have fresh information for new Web developers and I don't necessarily agree with some of the most common suggestions for preventing SQL injection. [...] So, this will be yet another post about preventing SQL injection, but I will offer my 2 cents about what I think is the right way to prevent it.
He explains SQL injection for those who are unsure of the concept with a basic form example, and then what he thinks is a better way to prevent it than just trying to escape the SQL: bound parameters. These allow you to both filter and protect your application from any would-be attacks that might come your way. He is, of course, using SQL Server, so the parameter binding is included in the database driver's functionality. Other databases might have to use something like PDO to accomplish the same kind of thing.
sqlinjection security sqlserver bind parameter
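To make the bound-parameter point concrete, here is an added example (not code from Brian Swan's post) that runs the same lookup both ways against an in-memory SQLite database via PDO. The table, its rows and the test input are all constructed for the demonstration; on SQL Server the equivalent is passing the values array to `sqlsrv_query()` instead of building the statement text yourself.

```php
<?php
// Added example, not from the post: one query written unsafely and safely.
// SQLite in memory keeps it self-contained; the schema and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: the user-supplied value is spliced into the statement text, so it can
// change the meaning of the WHERE clause.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is prepared first; the value is bound afterwards and is only
// ever treated as data, never as SQL.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input of the textbook kind the post explains.
$input = "x' OR '1'='1";

echo count(findUserUnsafe($db, $input)), " rows from the unsafe query\n"; // 2: the condition was rewritten
echo count(findUserSafe($db, $input)), " rows from the prepared query\n"; // 0: it looked for that literal string
```

Note that the prepared version needs no escaping of its own: the driver keeps the query and the data apart, which is exactly the property manual escaping tries, and sometimes fails, to emulate.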
Lorna Mitchell's Blog: Stopping CodeIgniter from Escaping SQL
by Chris Cornutt January 28, 2010 @ 13:39:45
In a project she's been working on, Lorna Mitchell was frustrated with something the CodeIgniter framework does natively: escaping SQL statements passed through the database layer's "select()" method. Thankfully, there was a simple fix to turn this behavior off.
I've been getting increasingly impatient with its tendency to try to escape my SQL code for me - this is a really useful default feature, but it seems to assume I don't know what I'm doing and so it puts backticks all over perfectly acceptable SQL code, very annoying!
Thanks to a reply on Twitter from damiangostomski to her frustrations, she found the optional second parameter you can give the "select()" method: a boolean that tells it whether or not to escape the query (it's mentioned here), for those who were wondering.
codeigniter escape sql optional parameter
ProDevTips.com: This is what's wrong with PHP
by Chris Cornutt October 01, 2009 @ 08:10:43
On the ProDevTips blog today, Henrik describes a situation where he "tried to be clever" with the array_map and array_filter functions and some of the confusion in their usage.
I knew array_filter existed and what it was all about since before; however, I started working with something requiring array_map first, all well and OK, array_map looks like this: array_map('callback', Array). So then I assumed I could use array_filter in the same fashion, big mistake.
He was caught by the parameter order difference between the two (array_map takes the callback first, array_filter takes the array first) and by problems with how the callbacks worked. In the end, he spent an hour creating a function to search an array for a partial match and didn't even end up using the array functions (opting for calls to stripos instead).
wrong parameter order callback
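As an added illustration (not Henrik's code), the two signatures side by side, with the partial-match search his post describes written on top of array_filter. The sample array is constructed.

```php
<?php
// Added example, not from the post: array_map and array_filter take their
// arguments in opposite order, and array_filter keeps the original keys.
$names = ['apple', 'banana', 'pineapple', 'cherry']; // constructed sample data

// array_map(callable, array): callback FIRST, array second; returns the transformed values.
$upper = array_map('strtoupper', $names);

// array_filter(array, callable): array FIRST, callback second; keeps elements for which
// the callback returns true. Keys survive, so reindex with array_values for a clean list.
function partialMatch(array $haystack, string $needle): array
{
    return array_values(array_filter($haystack, function (string $item) use ($needle): bool {
        return stripos($item, $needle) !== false; // case-insensitive substring test
    }));
}

print_r($upper);                        // APPLE, BANANA, PINEAPPLE, CHERRY
print_r(partialMatch($names, 'apple')); // apple, pineapple
print_r(partialMatch($names, 'Z'));     // empty array: no element contains "z"
```

Getting the order wrong in array_filter does not fail loudly: passing the callback name as the first argument simply hands a string where an array is expected, which is why the mistake cost an hour rather than a quick error message.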
Lorna Mitchell's Blog: Version Parameters for Web Services
by Chris Cornutt June 30, 2009 @ 16:46:32
Continuing with her series of tips for those building web services, Lorna Mitchell has posted this new item to her blog looking at the importance of a version parameter in each call.
When designing a service API, there are lots of things you can do right, and plenty of pitfalls. Most of both of these are completely specific to the situation you are designing for, but I have one tip that has helped me out in a number of scenarios: Include a version parameter with every method call.
She recommends this parameter for a single reason: you can modify the API, even existing functionality, and, based on that value, know which version of the action the user is asking for. This enables you to make improvements and updates to the service without requiring all of your users to recode everything; they have the choice to update or not.
webservice parameter version
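An added example (not Lorna Mitchell's code) of what "branching on the version parameter" looks like inside one service method. The method name, the response shapes and the sample record are assumptions; the point is that callers who never send a version keep the original contract, while an unknown version is rejected instead of silently mapped to something.

```php
<?php
// Added example, not from the post: a service method that dispatches on the
// caller-supplied version parameter. Record and field names are constructed.
function getUser(array $params): array
{
    // Clients written before versioning existed send no version: treat them as v1
    // so their behaviour does not change underneath them.
    $version = isset($params['version']) ? (int) $params['version'] : 1;

    $user = ['id' => 7, 'name' => 'Alice Example', 'email' => 'alice@example.com']; // constructed

    switch ($version) {
        case 1:
            // The original contract: only the name was ever returned.
            return ['name' => $user['name']];
        case 2:
            // The improved contract, opted into by sending version=2.
            return ['id' => $user['id'], 'name' => $user['name'], 'email' => $user['email']];
        default:
            // Refuse rather than guess: a typo in the version should not pick a random behaviour.
            throw new InvalidArgumentException("unsupported API version: $version");
    }
}

print_r(getUser([]));               // name only: legacy caller, unchanged
print_r(getUser(['version' => 2])); // id, name, email
```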
Echolibre Blog: Customising Zend Framework Routing
by Chris Cornutt March 13, 2009 @ 10:23:04
On the echolibre blog, J.D. has made a new post looking at Zend Framework routing and how you can customize it to get the user where they need to go.
I wanted to write a post that shows a few different ways to customise Zend Framework's routing when you're using their MVC implementation. Most of this is covered in the documentation, but it can be a little difficult to dig out.
He starts with the normal routing setup (the standard /module/controller/action and /controller/action layouts) and moves on to the "magic": a way to have a standard "framework URL" without having to include an action. He sets up a route with a wildcard to catch anything for that controller and passes it off to a custom router that walks the request values and returns them as though they had been formatted normally in the URL.
zendframework routing custom wildcard match parameter url
Ian Selby's Blog: Aptana PHP 1.0 Released - Free PHP IDE
by Chris Cornutt December 15, 2008 @ 11:14:18
Ian Selby has posted a look at the newly released PHP support by the Aptana software:
Aptana (yes, this is a shameless plug) released version 1.0 of its PHP support yesterday, and it is something that you should definitely check out. Prior to working at Aptana, I was an avid user of Zend Studio, and Coda, simply because those were the best PHP IDEs as far as I was concerned. Over the past few months, however, we've been hard at work on the PHP support for Aptana Studio, and I can say with much confidence that it is in every way as good as every other PHP IDE out there, and better than some in other respects.
He talks about new features like content assist (adding userland code to the automatic completion), completion of functions with their parameters already filled in, and a PHP preview server and debugger built right in. You can get more information on the Aptana website.
free ide aptana support release content assist parameter preview debugger
Developer Tutorials Blog: Running background processes in PHP
by Chris Cornutt July 18, 2008 @ 11:18:21
New on the Developer Tutorials blog today is this look at handling background processes from your PHP script:
You've checked and double checked the integrity of user input, and you're doing some serious processing. There's only one problem: it's too slow. There's a simple solution: forking your processing script, and running the code as a background process asynchronously. It can email your user when it's done: they'll wait. In this tutorial, I'll show you how to get started with background processes in PHP.
Akash gives examples of the three keys to background processes: starting the script via exec, talking to the process by passing additional parameters, and including code to monitor the state of the background process via something like a MySQL "sessions" table that the script writes to.
process background exec parameter mysql session track
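The first two of those three keys, starting the worker and handing it parameters, have a security edge worth showing: anything that reaches exec() from user input must be quoted as an argument, never interpolated raw. The following is an added example (not the tutorial's code); the worker path, log path and job values are constructed, and the PID check assumes Linux.

```php
<?php
// Added example, not from the tutorial: launch a worker in the background and
// hand it parameters safely. Paths and job values below are constructed.

// Start $script as a detached PHP process with $args as its argv and return its PID.
function startBackgroundJob(string $script, array $args): int
{
    $cmd = 'php ' . escapeshellarg($script);
    foreach ($args as $arg) {
        // Every parameter is shell-quoted, so user-controlled values (an e-mail address,
        // a job id) cannot add commands or redirections of their own.
        $cmd .= ' ' . escapeshellarg((string) $arg);
    }
    // nohup keeps the worker alive after the web request finishes; its output goes to a
    // log file; "& echo $!" backgrounds it and prints the child PID for the caller to record
    // (in the tutorial's case, in a MySQL "sessions" table).
    $pid = (int) shell_exec('nohup ' . $cmd . ' > /tmp/worker.log 2>&1 & echo $!');
    return $pid;
}

// Monitoring side: is the recorded PID still alive? (Linux /proc; posix_kill($pid, 0) elsewhere.)
function jobIsRunning(int $pid): bool
{
    return $pid > 0 && file_exists("/proc/$pid");
}

$pid = startBackgroundJob('/var/www/jobs/worker.php', ['job-42', 'user@example.com']); // constructed
echo "started worker with pid $pid\n";
echo jobIsRunning($pid) ? "still running\n" : "finished\n";
```

Recording the PID only tells you whether the process exists; the tutorial's "sessions" table is still the right place for the worker to report progress and completion, since a PID can be reused once the process exits.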