
Pádraic Brady:
20 Point List For Preventing Cross-Site Scripting In PHP
Apr 23, 2013 @ 14:27:02

Pádraic Brady has posted a 20 point list that wants to help you prevent cross-site scripting (XSS) issues in your applications.

Summarising knowledge has as much value as writing a 200-page treatise on a topic, so here is a list of 20 brief points you should bear in mind when battling Cross-Site Scripting (XSS) in PHP. Minus my usual book-length brain fart. Chances are good that ignoring or acting contrary to any one of these will lead to a potential XSS vulnerability. It’s not necessarily a complete list – if you think something needs to be added, let everyone know in the comments.

His tips include things like:

  • Never pass data from untrusted origins into output without either escaping or sanitising it.
  • Remember that anything not explicitly defined in source code has an untrusted origin.
  • Always include ENT_QUOTES, ENT_SUBSTITUTE and a valid character encoding when calling htmlspecialchars().
  • Use rawurlencode() to escape strings being inserted into URLs and then HTML escape the entire URL.
  • Validate all complete URLs if constructed from untrusted data.
  • Remember that HTMLPurifier is the only HTML sanitiser worth using.
  • Ensure that cookies which must only be transmitted over HTTPS are marked Secure.

He points out that XSS is still one of the most "popular" (and easy to exploit) attack methods out there, so keep these tips in mind when writing up your code.
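The escaping, URL and cookie points above, applied in one place. This is an added example, not code from Brady's post; it assumes PHP 7.3+ (for the array form of session_set_cookie_params()) and UTF-8 output.

```php
<?php
// Added example (not from Brady's post): applies several of the listed points.
// Assumes PHP 7.3+, UTF-8 output and a PHP session for the cookie settings.

// Point 3: always pass ENT_QUOTES | ENT_SUBSTITUTE and an explicit encoding.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Points 4 and 5: rawurlencode() each untrusted query parameter, validate the
// assembled URL, then HTML-escape the whole thing before it lands in an attribute.
function buildSafeLink(string $base, array $params, string $label): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
    }
    $url = $base . ($pairs ? '?' . implode('&', $pairs) : '');

    // Reject anything that is not an absolute http(s) URL; a javascript: or
    // data: scheme would otherwise survive HTML escaping untouched.
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        $url = '#';
    }
    return '<a href="' . escapeHtml($url) . '">' . escapeHtml($label) . '</a>';
}

// Point 7 (cookies): mark the session cookie Secure and HttpOnly before starting it.
function startSecureSession(): void
{
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed untrusted input, the kind a query string or form field delivers.
$name = '<script>alert(1)</script>';
$q    = 'a&b=c "quoted"';
echo '<p>Hello, ' . escapeHtml($name) . '</p>', PHP_EOL;
echo buildSafeLink('https://example.com/search', ['q' => $q], 'Search for ' . $q), PHP_EOL;
```

The second echo produces an href of `https://example.com/search?q=a%26b%3Dc%20%22quoted%22`, so the ampersand and quotes in the value can neither add a second parameter nor break out of the attribute.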

tagged: list tips preventing xss crosssite scripting

Link: http://blog.astrumfutura.com/2013/04/20-point-list-for-preventing-cross-site-scripting-in-php

Chris Jones' Blog:
Scripting Language Related Sessions at Oracle OpenWorld and JavaOne, October 2011
Sep 27, 2011 @ 17:05:43

Chris Jones has a new post today sharing a schedule of a few scripting-related sessions coming up at Oracle's OpenWorld and JavaOne conferences.

Oracle OpenWorld and JavaOne conferences are happening in San Francisco next week. It will be a busy and exciting time.

The PHP-related sessions at OpenWorld this year include:

For more information on the OpenWorld conference (happening October 2nd through 6th in Moscone Center in San Francisco, CA) take a look at the main event site.

tagged: oracle scripting session openworld javaone conference

Link:

Rob Diana's Blog:
Web And Scripting Programming Language Job Trends - August 2011
Aug 15, 2011 @ 17:09:40

In a recent post to his blog, Rob Diana has posted a summary he's created of job trends from Indeed.com and SimplyHired.

August is one of the months that I devote to job trends. Last week I focused on Python, PHP, JavaScript, Flex and Groovy.

According to the results on Indeed, JavaScript is in huge demand right now, completely overshadowing the others on the list. PHP came in second here. The results from SimplyHired show a similar story, but the gap between JavaScript and second place - Flex - is a bit smaller. PHP came in third here.

tagged: web scripting language job trend indeed simplyhired

Link:

Hyperpolyglot.org:
Syntax for Common Tasks - Side-by-side (Ruby, Perl, Python & PHP)
Aug 15, 2011 @ 15:12:50

On Hyperpolyglot.org there's an interesting listing of scripting language syntax - PHP, Python, Ruby and Perl - showing some of their common syntax and data structures side by side.

Sections of the reference sheet include

  • arithmetic and logic
  • arrays
  • execution control
  • libraries and modules
  • objects
  • reflection

It's interesting to see how the various languages compare, where some have shortcuts for things that others lack (or make much more difficult). Descriptions for the different row types are also included.

tagged: scripting language compare syntax table

Link:

Giorgio Sironi's Blog:
Missing the point (OOP in scripting languages)
Jul 29, 2010 @ 13:49:59

On his blog today Giorgio Sironi has a response to this post from the I Am Learning PHP blog asking if web scripting languages really need OOP functionality.

Yesterday I came across a question: Do Web-Scripting Languages Really Need OOP? Here's my answer: only if you want to do more than a Hello World script (which is paradoxically how old school programmers measure the utility of a language.) I'll express some of my thoughts without compromises, which will be up to you.

He opposes the claims of the other post, noting that there's a reason most PHP frameworks are object-oriented, and voices his concern with some of the comments on the post. He also responds to two of those comments - one about the private scope and the other about namespaces.

tagged: opinion oop objectoriented scripting

Link:

I Am Learning PHP Blog:
Do Web-Scripting Languages Really Need OOP?
Jul 26, 2010 @ 18:51:33

On the I Am Learning PHP blog today there's a new post asking if web scripting languages really need object-oriented functionality or not:

The object-oriented revolution has not been without controversy. [...] Still, there's no doubt that the revolution has largely succeeded. Most of the popular programming languages in use today are either fully object-oriented or have object-oriented extensions. [...] We feel that the benefits of OOP for 'major' (that is, compiled) programming languages like Java and C++ are clear. On the other hand, we feel that the benefits of OOP for scripting languages (like Perl and PHP) are less obvious and are most debatable in the case of Web-scripting (PHP).

They go on to explain some of their reasoning, including the differences between scripting languages and others and how OOP has been implemented on the scripting side. They point out some good things about OOP in PHP but still think it's "tradeoffy" because of some of the problems with it.

tagged: opinion scripting language oop compare

Link:

L2Admin.com:
Battle of the server side scripting languages - Perl, Python & PHP
Jul 21, 2010 @ 13:34:20

New on the L2Admin.com site today is the first part of a series they're doing comparing three of the popular server-side scripting languages for web development - PHP, Perl and Python - and what benefits each can give.

For a very long time I have wondered if there were any real benefits between Perl, PHP or Python from a performance standpoint [...] So after much wondering I have decided to answer the question for myself once and for all. I am going to perform three tests that I think typify the use cases for all three languages; I am also going to code the same tests in C and in static HTML.

This first post shows the results from the most basic of tests - a "hello world" that's echoed out to the page. He ran the tests 10,000 times with Apache's ab tool and recorded the requests per second, the average request time and the overhead as compared to plain HTML. It's interesting to see the jump from the HTML baseline once the languages get involved, with the stock PHP install coming in as the slowest of the group.

tagged: serverside scripting language compare benchmark

Link:

Jani Hartikainen's Blog:
How to CSRF protect all your forms
Oct 16, 2008 @ 17:07:26

Jani Hartikainen has posted a few ideas on cross site request forgeries in a new blog entry, including some methods to help prevent it in your application.

CSRF, or Cross-Site Request Forgery, is a vulnerability very common in websites. [...] This can be dangerous, especially if your admin interface is compromised: There may be a button on the other site which goes to your admin interface and deletes the latest blog post for example - and you wouldn't want that!

His method is a three-step process for protection - use POST, protect against cross-site scripting and use a CSRF key in the form to help prevent abuse. A simple script is included to show it working and is adapted to work in a controller plugin for the Zend Framework.
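The three steps (POST only, output escaping, a per-session CSRF key checked on submit) in a single plain-PHP form handler. This is an added example, not Hartikainen's script or his Zend Framework plugin; it assumes PHP 7+ and that a session is available.

```php
<?php
// Added example (not Hartikainen's code): the three steps from the post applied
// to one form handler. Assumes PHP 7+ and that session_start() can be called here.

session_start();

// Step 3: issue a per-session CSRF key, generated from a CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Step 2: escape everything that goes into the HTML, including the token itself.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Steps 1 and 3 together: only a POST carrying this session's key is accepted.
function isValidRequest(string $method, array $post, ?string $sessionToken): bool
{
    if ($method !== 'POST' || $sessionToken === null) {
        return false;
    }
    $submitted = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the check leaks no timing info.
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

if (isValidRequest($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION['csrf_token'] ?? null)) {
    echo '<p>Latest post deleted.</p>';   // the state-changing action belongs here
} else {
    // Any GET, and any POST lacking the key (such as one submitted from a form on
    // another site), falls through to rendering the form instead of acting on it.
    $token = csrfToken();
    echo '<form method="post" action="">' .
         '<input type="hidden" name="csrf_token" value="' . h($token) . '">' .
         '<button type="submit">Delete latest post</button>' .
         '</form>';
}
```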

tagged: csrf crosssite request forgery xss scripting form protect

Link:

CIO Magazine:
PHP, JavaScript, Ruby, Perl, Python & Tcl Today: The State of the Scripting Universe
Sep 08, 2008 @ 16:17:47

Recently CIO Magazine had a roundtable interview with representatives from each of the major language players on the web today - JavaScript, Ruby, Perl, Python, Tcl and, of course, PHP.

Three years ago, Lynn Greiner interviewed the big cheeses responsible for the popular scripting languages PHP, Perl, Tcl, Python, Ruby and JavaScript to find out where the languages were headed. In this follow-up discussion, she asks the dynamic language luminaries what has changed since then.

Representatives from (previously) Netscape, the Perl Foundation, the Python Software Foundation and the IronRuby team were all included. Topics asked about include the differing needs for different languages, trends on adoption and why some of these shifts are happening.

tagged: javascript ruby perl python tcl scripting interview roundtable

Link:

CIO.com:
You Used PHP to Write WHAT?!
Jan 30, 2008 @ 19:47:00

Stefan Koopmanschap has pointed out an interesting article over on the CIO magazine website that has some in the PHP community a bit up in arms about comments it makes towards the language.

The article, "You Used PHP to Write WHAT?!", covers the basics of the language - its status in the web programming world, the functionality it offers and the database interfaces it includes. They also include a hit list of reasons PHP is popular and why it's a good choice for your project.

Then things get a little strange - they move from their PHP praise to three things that have more to do with unresearched "facts" than the reality of the language:

  • Security and PHP
  • Working with PHP and the shell
  • Scaling and PHP (in enterprise environments)

These incorrect assumptions have led to many comments both from the PHP community and from users of other languages (like Java and ColdFusion) sharing thoughts on the contents of the article and the language in general. Check out the article's comments to see for yourself.

tagged: scripting language popularity shell scalable enterprise security

Link:
