About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.

All posts for 2005

Happy Holidays

Essential PHP Security: Forms and URLs

The sample chapter of Essential PHP Security for MySQL's Developer Zone is now available: Chapter 2, Forms and URLs This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with d…

Google XSS Example

Related: Google's XSS Vulnerability In the comments to my previous blog post, Ivo Jansch asks: To be able to comprehend how this may affect my website, could you explain how this could be exploited, even though you cannot demonstrate it? Rather than o…

Google's XSS Vulnerability

Related: Google XSS Example The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() function with the optional third argumen…

Power PHP Testing

The tutorial that Geoff Young and I gave at ApacheCon has sparked some discussion (mostly via email) that I think will lead to better testing tools for PHP developers. A PDF of our slides is now available: Power PHP Testing (PDF) Geoff also has…

JApacheCon Wrapup

Despite the heavy emphasis on Java at this year's ApacheCon, I still enjoyed the conference and learned a lot. Michael Radwin was giving a talk that looked very interesting, but my travel plans prevented me from being able to attend. Although it's not …

CodeSnipers.com Interview

CodeSnipers.com recently interviewed me, and that interview is now available on their web site. Topics range from my book to my involvement in the PHP community. I've been interviewed before, but never about myself, so this was a new experience for me. …

JApacheCon

I'm at JApacheCon (ApacheCon that has been infested with Java) this week in sunny San Diego. On Sunday, Geoff Young and I gave our tutorial, Power PHP Testing, which went really well. Most of the attendees had PHP experience and no testing experience, …

PHPSecurity.org Launches

PHPSecurity.org, the companion web site for my new book, Essential PHP Security, is now online. Many thanks to Amy Hoy for the excellent design! I've included the table of contents, the (unfortunate) errata, some reviews, and the code repository. S…

Zend Framework Webcast

I just finished listening to the Zend Framework Webcast, hosted by php|architect. The recording will be available soon, and I'll update this post to provide a link as soon as it is. The core focus of the framework is Extreme Simplicity. In order to achi…

PHP Magazine December Issue

PHP Magazine just published their December issue. The cover article is an introduction to design patterns by Robert Peake. My column, Guru Speak, discusses the interesting things you can do with output buffering. My favorite output buffering trick isn't…

PHP Testing Tutorial at ApacheCon

With any luck, Geoff and I will be giving a PHP testing tutorial at this year's ApacheCon. Here's a snippet of the abstract: Admit it - deep down inside, you know you should be testing your PHP applications. With all of the different PHP test environmen…

Zend Framework Update

A few weeks ago, I posted my Zend Framework Wishlist. Most of the things I mentioned were off the top of my head, but I think it got people (including me) thinking about how we can make some security problems easier to solve. It also attracted the attent…

Computer Associates Steps Up

There has been much discussion recently about Sony's rootkit that is bundled with some corrupted CDs. The EFF lists some of the corrupted CDs, and David Sklar suggests building a corrupt CD tracker (using Ning). There is already at least one exploit that…

Richard Davey Has a Blog

I just noticed that another prominent member of the PHP community has started a blog. Richard Davey has been answering questions on various PHP mailing lists and forums for years, and now he has his own blog. Are you subscribed? Note: The list of blogs …

Convert Smart Quotes with PHP

A question that seems to come up pretty frequently on various PHP mailing lists is how to convert "smart quotes" to real quotes. Dan Convissor provided a simple example that performs such a conversion a year or two ago on the NYPHP mailing list. I've mod…

Zend Framework Wishlist

As has been widely discussed, Zend announced its PHP Framework this week. I wasn't invited to participate, so I think I can offer an unbiased opinion. The primary misconception seems to be that there is no code, and this isn't true. Although Zend thinks …

ZendCon Day Four

The first annual ZendCon has now come and gone. Prior to the conference, I had my doubts about an open source conference with a big business twist, but Zend and KB Conferences pulled it off. For the first time, the average conference attendee could s…

ZendCon Day Three

As expected, I wasn't able to keep up with blogging during the conference very well. I do want to mention Michael Radwin's talk, PHP at Yahoo. It was a nice mixture of business and technical content, and there were some key points that I wanted to note…

ZendCon Day Two

I missed Andi and Zeev's keynote this morning but got to see Rod Smith from IBM speaking about Web 2.0. Well, that was the title of his talk, but I'm not sure what was Web 2.0 about it. What I found interesting about Rod's talk was that he made the ent…

ZendCon Day One

I'm attending the Zend PHP Conference and Expo (which I've decided to call ZendCon for convenience) this week. The conference is taking place at the Hyatt Regency in San Francisco (Burlingame if you're picky). The venue is very nice, and the business…

Essential PHP Security Lives!

I just received my copy of Essential PHP Security, which means it should be on shelves within a few days. I'm very happy with it, especially the size. Apple's iPod nano isn't the only thing that's impossibly small. :-) A sample chapter will be availab…

Myspace CSRF and XSS Worm (Samy)

In the comments to my article on CSRF, someone questioned whether CSRF is really anything worth worrying about. Rather than give a hypothetical example, I can point to a real one that is getting some attention today: Myspace Hack Overview Mys…

PHP Quebec Call for Speakers

PHP Quebec's call for speakers is now open: PHP Quebec 2006 will take place in Montreal, Quebec, Canada, at the Plaza Montreal Hotel. The conference will take place between March 29th and 31st 2006. If you attended this conference last year, you know h…

Linux IM Clients

Slashdot is running a story about Linux IM clients. The article to which the story refers claims that the lack of a good IM client is hurting Linux as much as anything else. I find this surprising, since Gaim seems better than any IM client I've used (I'…

Pro-PHP on iTunes Top 100

Congratulations are due to Marcus Whitney and Chris Cornutt of the Pro-PHP Podcast for making the iTunes Top 100 Podcasts: Pro-PHP is also currently listed on the front page of Podcasts in the iTunes Music Store: Marcus and I are scheduled to recor…

Teach a Man to Fish

A recent comment by Jeremy Chin (replying to my article The Truth about Sessions) likens my writing to teaching a man to fish: Give a man a fish and he'll eat for a day. Teach a man how to fish and he'll eat for a lifetime. I definitely think your artic…

More Free Articles

I'm still trying to catch up on posting articles to my web site - there are now four more available for free: Security Corner: File Uploads (18 Oct 2004) Guru Speak: How to Avoid "Page Has Expired" Warnings (21 Oct 2004) Security Corner:…

Ning Launches

Earlier this year, I received an email from Marc Andreessen inquiring about some PHP security consulting. Being well aware of Marc's role in Internet history, I was curious to learn about his new project and eager to help out. Others were also curious, …

PHP Stripping Newlines

If you're picky about the format of your HTML like me, you've most likely noticed that PHP strips newlines that exist immediately after a closing PHP tag. Try the following code: <table>     <tr>     &…

PHP 5's Adoption

There seems to be a growing amount of interest within the PHP community about the slow rate of PHP 5's adoption. Call me crazy, but I tend to think of this as a testament of PHP's success, because it might mean: PHP 4 suits many people's needs, so…

eDonkey's Retirement

My former employer, MetaMachine, is retiring from the P2P industry. I think Sam makes some very good points in his testimony to the Senate Judiciary committee: First: Because the Grokster standard requires divining a company's "intent," the decision was…

Terry Chay on Remote Scripting (Ajax)

If you missed Terry Chay's OSCON talk this year, you're in luck - he has made the talk temporarily available from his web site. Because Brain Bulb has plenty of bandwidth and disk space, I offered to host the video there, so that it has a permanent home:…

User Group Tour

I'll be speaking at NYPHP tomorrow night (Tue, 27 Sep 2005). Directions and other details are available on the web site. If you're in (or near) New York, I hope you'll join us. I'm also going to be speaking at BostonPHP next week (Thu, 06 Oct 2005). I'v…

My Google?

Google is now redirecting users to My Google (or "Personal Home" or whatever they call it) if you happen to be logged in. I'm not a big fan of this behavior, but there's a link at the top to return to Classic Home, and this preference is persistent. It's…

Chris Cornutt Has a Blog

Chris Cornutt (enygma), of PHPDeveloper.org fame, finally has his own blog. In his words: I figure that being able to express things here (without having to worry too much that people won't think it's news) will be a nice change. There's been a lot goin…

New Design

For those of you who visit my personal web site, you'll notice that things look a bit better. Thanks to the design talent of Amy Hoy, both shiflett.org and brainbulb.com have had a bit of a makeover. This has actually been finished for a while, but I've…

PHP Security by Example

I gave three talks at this year's phpworks conference. The most popular was PHP Security by Example, a talk that consists entirely of exercises. This approach is unique in the sense that the focus is on first exploiting vulnerable code and then fixing it…

Essential PHP Security Is Finished!

A little over a month ago, I finally finished writing Essential PHP Security, a guide to secure PHP programming that I've been working on in my spare time for quite a while. I'm really happy with the results. The people at O'Reilly have been great to …

Zend PHP Conference and Expo

Zend has just released the full schedule for their PHP Conference and Expo taking place this October. It's going to be quite a bit different than the typical PHP conference, because it appears to cater to big businesses (and PHP developers employed by b…

Quoting PHP Strings

PHP developers generally understand the difference between using single quotes versus double quotes to enclose a string. If you need stuff to be interpreted, you use double quotes. If you need to indicate a literal string, you use single quotes: <?ph…

Google Talk

This is probably going to get more attention than it deserves, but apparently Google is announcing their own IM service tomorrow, and it uses the Jabber protocol. Here's hoping this eliminates the reliability problems I've had with Jabber. From my exper…

PHP Job Market Webcast

A webcast called The PHP Job Market is being offered this Wednesday by Zend. It focuses on the Zend Certification (it's one of the "ZCE Month" promotions), and it features guests that provide a few different perspectives. I'll be there to speak about my …

smugMaps

At OSCON, Don showed me a demonstration of smugMaps, a new service that he has created to "combine the power of Google Maps with over 32,000,000 smugmug photos." What makes Don's implementation really work is that he has made it easy for those of us with…

Ammar Ibrahim in Linux Journal

I just read an interesting article in Linux Journal about Ammar Ibrahim. It's nice to see the personal side of someone from the PHP community. (I think this approach is what is making the Pro PHP Podcast so popular.) I've known Ammar for several months …

PHP 6.0 Excitement

Now that Derick has renamed HEAD to 6.0, it's time to look ahead at all the great things that are (or might be) in PHP's future. Of course, a major driving factor in PHP's evolution is the Unicode support that Andrei is now merging in. This alone is enou…

Terry Chay on PHP Security

Terry Chay has a new post discussing PHP Security, the oxymoron. He eloquently deconstructs the arguments given in this thread on Slashdot. It's informative, funny, and well worth your time.…

Episode One

No, I'm not talking about Star Wars. The first episode of Ask Chris is now online. In this episode, I am asked about a comment I made during my talk at PHP West. During the talk, someone asked when stripslashes() should be used, and I said it should neve…

OSCON 2005 Recap

I had a blast at OSCON this past week. It tends to be my favorite conference each year for a number of reasons - the presence of so many smart, friendly people from the various open source disciplines being one. I gave a tutorial on PHP security. You …

Ask Chris

I just finished recording the first episode of Ask Chris, a new joint effort between the Pro PHP Podcast and Brain Bulb. I'd like to take a minute to explain how this show came to exist. I receive quite a bit of email from people asking technical questi…

ApacheCon EU 2005

ApacheCon EU was a nice conference - I gave talks on PHP security and testing PHP with Apache-Test. The testing talk went well, but having Geoff there would have made it much better. I modified the talk heavily in order to make it more pragmatic - I focu…

php|works Schedule Posted

php|architect has posted their schedule for php|works, which takes place this September in Toronto. Among the talks are three different PHP security talks by three different speakers, including a keynote by Rasmus on cross-site scripting (Ilia and I are …

Stefan Esser Discusses Security Guide

This is an interesting (and unexpected) continuation of the ethics and security discussion. Ben just pointed me to an interesting article by Stefan Esser, who claims to have found two errors in the PHP Security Guide. In the article, Stefan states: Be…

Ethics and Security

Paul Jones has published an entry on his blog discussing ethics and security. Although I don't have the time to properly respond, I do want to make a few points. There is a tendency to view security research (in any form) as malicious. This seems to be …

PHP Security Forum

If you're interested in PHP security, you might be interested in the PHP Security Forum being hosted by the PHP Developer's Network. I've already spotted a few topics that look interesting to me: Best Practices for "Remember Me"? Question ab…

PHP Security Makes OSCON Top Ten

I am surprised and delighted to discover that PHP Security is one of the Top Ten OSCON Tutorials. I am a bit disappointed to see that it is the only PHP tutorial to make the list. Perl and Ruby have two each. If you haven't registered yet, be sure to si…

Laura Thomson Has a Blog

Laura Thomson, who PHP folks might know as the coauthor (with husband Luke) of PHP and MySQL Web Development, finally has a blog (and a feed). Laura will be at the O'Reilly Open Source Convention giving a tutorial about PHP and MySQL Best Practices. If …

PHP Security Audit HOWTO

I had a nice time in Vancouver, although my visit was very short. This conference only had one track, and this approach has some advantages. For example, the speakers are able to reference material from earlier talks and be reasonably assured that most p…

PHP Security in Vancouver

I'm off to Vancouver to speak at PHP West. This entire conference is about PHP security, which is both surprising and encouraging. Security seems to be getting more and more attention within the PHP community, and even if I have very little to do with th…

Happy Birthday, PHP!

Ten years ago today, Rasmus announced Personal Home Page Tools (PHP Tools) version 1.0. Today, numerous people contribute to PHP and to the nurturing of its community, but the project has never lost sight of Rasmus's original goal of solving the web pro…

PHP Podcast: Hot or Not?

The PHP community now has its own PHP Podcast. You can already listen to the first show - Marcus explains his ideas for the Podcast and mentions some people from the PHP community that he would like to interview (although he prefers to describe such int…

Google Web Accelerator and PHP

You've probably heard about the new Google Web Accelerator, but if you're like me, you haven't bothered to try it out or give it much thought. After all, it can't possibly be worth running Windows. If you develop PHP applications, however, you might want…

PHP at OSCON 2005

The selections have been made for the O'Reilly Open Source Convention 2005 (US), and there are many great PHP talks to choose from. This was only my second year on the selection committee, but I think this had to be one of the toughest years. There were …

PHP in Cancun

I've been in Cancun since Wednesday for php|tropics. The resort is very nice. In fact, while Wez and I were standing at the counter to check in, I remarked that this place seems too nice for a PHP conference. As soon as those words left my mouth, a well-…

PHP Security Briefing at NOAA

I spent the past couple of days in Washington, D.C., to give a talk at NOAA's IT Security Conference. (NOAA is the National Oceanic and Atmospheric Administration.) The talk went very well, and I was glad to find such an eager audience. I also got to mee…

Zend Certification Self Test

In Preparing for the Zend Certification, I provided the answers (with explanations) to the Zend PHP Certification Self Test. Zend has since updated the self test, so I'm again providing the answers to it. Of course, I recommend that you take it before yo…

PHP Quebec Recap

As usual, I failed to really keep up with blogging while at my last conference. After returning, I realized that it would be very difficult to adequately describe the experience in words. PHP Quebec turned out to be one of the best conferences I've atten…

PHP Quebec

I'm in Montreal this week for PHP Quebec. My first talk, PHP Security Workshop, went really well. I learned from some of the other attendees that I rasmussed the other talks being given at the same time. It's nice to see security getting more and more at…

ApacheCon Europe, Here I Come

Like Christian, I got an email this morning about ApacheCon: The following sessions have been selected and scheduled: (1179) 'Testing PHP with Perl' (1180) 'PHP Security' (1181) 'PHP Security Briefing' PHP Security is a 180 minute tutorial that I'l…

Mastering PHP Security Reloaded

The talk I gave as part of php|symphony was a big hit. I got more positive feedback from that talk than any of the talks I've given in the past. I think it's due to a combination of the refinements I've made in the way I present this topic (PHP securit…

Where Are Your PHP Includes?

Do not store your PHP includes in document root. This is a terrible practice. Here is just one reason why: http://www.google.com/search?q=inurl%3Adb.inc Don't recommend naming PHP includes with a .php extension. Don't recommend including code in PHP in…

The [phpsec-news] Mailing List Launches

For those who don't visit the phpsec.org site frequently enough to notice, there is now a [phpsec-news] mailing list. The announcement explains its purpose: On 01 Apr 2005, the PHP Security Consortium will begin to offer a monthly newsletter. All PHP …

Magic Quotes are Worthless

The new issue of php|architect just came out, and this month's Security Corner topic is magic quotes. In this article, I explain why the magic quotes directive should always be disabled. Because I often see people cite security as a reason to enable magi…

Community Support for Brain Bulb

Thanks very much for all of the support I have received from the PHP community. It looks like Brain Bulb is off to a good start. I'd like to particularly thank those who helped publicize the announcement: Brain Bulb, The PHP Consultancy, Launche…

Apache-Test and SimpleTest

I've been answering questions lately on the SitePoint forums - PHP, Advanced PHP Programming, and Web Security. One topic really caught my attention - How many actually use unit testing?. No, it wasn't the grammatical error that caught my eye but rather…

Brain Bulb, The PHP Consultancy

I am very happy to announce the launch of Brain Bulb, a company that I've been planning for over a year. It's purely a PHP consultancy, and this is a reflection of my faith in PHP's promise. While it offers a few services already available elsewhere (d…

Writing a Technical Specification

My visit with MusiChristian.com went well. I spent three days learning more about their business and their existing technical infrastructure, and I was able to offer some general recommendations concerning their future. I am now writing a technical spec…

Zend PHP Conference and Expo

Zend just announced their PHP Conference and Expo. Unfortunately, they have chosen the same week in which OSCON Europe is already scheduled. OSCON is always my favorite conference each year, and I've been looking forward to OSCON Europe since I first hea…

The Birth of a PHP Consultancy

I'm flying to Tennessee this Wednesday to spend a few days meeting with MusiChristian.com and Patrick Reilly. Although I have yet to announce my new PHP consultancy (more on that later), this engagement marks the start of business. The purpose of the tr…

Sign Up for Mastering PHP Security

Today is the last day to sign up for Mastering PHP Security, a live 90 minute talk I'm giving tomorrow as part of the php|symphony series by php|architect. I'm still tweaking my slides (this is all new material), but here is the basic outline of the t…

Phishing

Phishing seems to be getting more and more popular. This can only mean one thing - it's successful. The usual scenario goes like this. You receive an email that makes it sound like you need to visit a web site in order to address some security concern w…

SHA-1 Broken

I just read on Bruce Schneier's blog that SHA-1 has been broken. Bruce states: SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. He continues: This attack builds on previous attacks on SHA-0 and SHA-1, and i…

More on Filtering Input and Escaping Output

In my previous blog entry, I summarized the two most important steps (in my opinion) that all PHP developers should take to help secure their applications: Filter input Escape output These are essentially "the least you can do" in terms of…

My Top Two PHP Security Practices

Security is not a simple topic, but I think there is a great deal of value to be had in simplistic summaries of secure programming practices. Like an organization's mission statement, they provide a broad perspective that helps to keep you on track while…

Referer Buys You Nothing

I am very surprised at how often I see Referer checking being mentioned as a safeguard against form spoofing. I can't properly express how completely useless this is. I've even had people try to argue with me, convinced that this is a sound technique. C…

PHP Security Consortium Redux

The launch of the PHP Security Consortium was a big success. It required more work than I expected to get things going, but I think we're now set to make some very positive contributions to the community. In addition to being mentioned on PHP.net, Zend.…

PHP Security Consortium Official Launch

The PHP Security Consortium has officially launched. The following is the press release: Leading PHP Experts Join Forces to Establish the PHP Security Consortium NEW YORK, NY - January 31, 2005 - An internationa…

Zend's Marketing Controversy

I originally posted this as a comment on John's blog: I must have missed the backlash this time, but I understand the scorn over Zend's marketing statements. In my opinion, the concern has more to do with the lack of credit given to Rasmus than anythi…

Apache-Test for the PHP CLI

Now there's even more reason to be using Apache-Test to test PHP applications: Apache-Test for the php CLI From Geoff's blog: today I added the ability to run client-side PHP scripts to Apache-Test. so, now you can have t/foo.t t/bar.php …

XSS Cheatsheet

I stumbled upon an interesting resource today - the XSS Cheatsheet. This is a really wonderful collection of XSS (cross-site scripting) test cases. If you don't know what XSS is, you might find the following resources helpful: Foiling Cross-Site A…

Session Riding

I recently discovered a PDF that describes something called Session Riding. Having no idea what session riding is, I decided to read it. From the introduction: In this paper we describe an issue that was raised in 2001 under the name of Cross-Site Requ…

OSCON Call for Proposals

Want to go to the O'Reilly Open Source Convention 2005 for free? Go submit a proposal to give a talk. The conference runs from 01 Aug 2005 to 05 Aug 2005. Here is part of the CFP announcement: Complete details are available on the OSCON web site, but we…

2004 Highlights

Following in the tradition of my 2003 Highlights, I'm recording my personal highlights of this past year. This is mostly for my own curiosity. My second book, the Zend PHP Certification Study Guide, was published Began writing Security Corner…