Stuart Herbert has two new posts to his blog showing how to use the ContractLib tool he's created to define programming "contracts". In the first he shows some sample usage of the tool and in the second he compares the functionality of ContractLib's features and PHP's own "assert" method.

ContractLib is a simple-to-use PHP component for easily enforcing programming contracts throughout your PHP components. These programming contracts can go a long way to helping you, and the users of your components, develop more robust code.

In his example tests he shows how to set a pre-condition on a method's input ensuring that it will always be the correct datatype (array). In his comparison with PHP's "assert", he lists out some of the features that either one has and notes that ContractLib allows you to be much more flexible with your checking than just simple statements.

On the DeveloperDrive.com site there's a recent post anyone wondering about cross-site scripting should give a read. They introduce you to the basic concept and two things you can do to help prevent them.

This little fable describes the most common vulnerability found in web sites, the Cross Site Scripting (XSS) attack. According to a report from WhiteHat Security 83 percent of websites they tested have had at least one serious vulnerability and 66 percent of all websites with vulnerabilities are susceptible to XSS attacks making it the most common vulnerability web developers face. To fix this, it takes 67 days on average. Tools like WebScarab and Paros Proxy can be used to scan sites for possible vulnerabilities.

They offer two simple pieces of advice that it's all too easy to forget when developing applications - validate all user input to ensure it's what it should be and escape any untrusted output (even sometimes your own!) before pushing it out to the page.

Sometimes a little (external) testing of your website is in order and Gagan Chhatwal has posted his list of ten tools you can use to check everything from how much load the site can take to what can be done to optimize the load time.

When maintaining or running a website , Webmasters need to keep in mind that one of the pertinent issues they will need to focus on is :Website Testing, which is not only vital for the website itself but for the user as well and one should not overlook its importance. [We have] collected some vital and free website testing tools which will help Webmasters in testing their sites thus saving users to conduct time consuming needless searches in finding the best resources pertaining to Web related tools and info.

Among the tools on the list are services like:

• Load Impact
• Browser Mob
• Host Tracker
• Built With
• CSE HTML validator

Most of these resources are free services, if not then they have a trial where you can see if it's a good fit.

Court Ewing has written up a new post to his blog about creating a "choice" list (a select list as defined by Symfony 2) with dynamic options and validating the resulting submission. His example uses Doctrine 2 entities to work with most of the data handling.

A standard select list can be created using Symfony's choice field type; it is pretty clear how to create a new choice field with simple, non-dynamic options (e.g. gender), but it gets a little more complicated when you want to create and validate a dynamically generated choice list.

He includes the code for a simple entity, a Post model to fetch the category information and the set up of the form element - a select list of post types/categories. He also includes a bonus section showing how you can achieve the same thing without a model to bind to. The code's a little bit more complex than the previous example, but it's basically just reproducing some of the validation and fetching logic manually.

On the Zoomzum blog there's a new post with ten regular expressions PHP developers can use to accomplish some common tasks (like email validation and date formatting checks).

Regular expression for the PHP developers, on of the most popular tool for validating data is the regular expression. In this list we provides some validation - string match, password match validation, email address validation, date format and many more which helps developer to make their application more fast and easy to execute. [...] Have you note that, regular expressions are more slower than the basic string function, its takes a short time to execute than any others.

Included in their list are things like:

• Password Match Validation
• Validate URL
• Validate URL using Preg_match
• UK Postcode Validation
• SSN,ISBN and Zipcode Validation

A few of these could be done with either one or two string calls or some of the filtering functions that are included in PHP.

In a new Zend Framework related post to his blog today Rob Allen takes a look at a different operating mode he found with Zend_Date changing how it handles format specifiers.

I discovered recently that Zend Framework 1's Zend_Date has two operating modes when it comes to format specifiers: iso and php, where iso is the default. When using Zend_Validate_Date in forms, I like to use the php format specifiers as they are what I'm used to and so can easily know what they mean when reviewing code that I wrote months ago.

His example code shows how you can use the standard date formatting strings in a Zend_Form validator (the "php" format) and an example using the Zend_Date::MONTH or Zend_Date::YEAR identifiers (the "iso" format). He also shows how he met two other requirements - validation for empty and a consistent format on the date validation ("Y-m-d").

Jani Hartikainen has posted a reminder for all developers to filter their incoming data. He points out a specific issue with arrays.

You've written a PHP based web app, and you've made sure it doesn't cause errors if the user submits unexpected values via any URLs or forms. But there's something you quite likely forgot to test: What if the data that's expected to be a singular value happens to be an array? If you assumed a GET or POST parameter will never be an array, your site probably joined the ranks of several high-profile sites that go into funny-mode when given unexpected arrays...

He gives an example exploit of how PHP handles arrays, both in normal PHP and in the Zend Framework, and how those could be interpreted and data could be injected into your script.

DevShed finishes off their series on data validation with this eighth part - a look at using static methods to create a simple validation helper class (a rework of earlier code).

The methods of the [previously created] helper were always called in the object scope, implying that there was a previous instantiation of the class. In this particular case, this process is completely unnecessary, aside from encouraging a bad programming habit. Therefore, in this last tutorial of the series I'm going to improve the source code of this validation helper class by declaring all of its implemented methods static.

In the code they redefine their methods (like validate_int and validate_alpha) to be static and directly callable without having to make an instance/object of the class.

DevShed has posted the seventh part of their "validator" series today. This time they look at validating IP addresses with the filter_var function.

You can surely appreciate this functionality when developing modules, classes, plug-ins, etc. that must perform some kind of strong validation on incoming data. The filter extension comes armed with another handy filter, though, that permits you to check some common things, such as the IP addresses of client machines.

The give an example of using the FILTER_VALIDATE_IP constant to check the IP address format and include the optional FILTER_FLAG_IPV4 check for the IPv4 format.

DevShed continues their validation series today with this new tutorial, a look at validating URLs, host and paths with the filter extension bundled with PHP.

Validation process performed on URLs [in the previous part of the series] was pretty simplistic. Thus, in this sixth episode of the series I'm going to dig deeper into the usage of the FILTER_VALIDATE_URL filter to show you how to validate different portions of a URL, including its protocol, host and eventual paths.

They enforce the filtering by adding in the FILTER_FLAG_SCHEME_REQUIRED or FILTER_FLAG_HOST_REQUIRED flags to the filters to ensure the information is valid too (not just in the right format).