About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


All posts for 2006

JavaScript Login Check

Jeremiah discovered a creative technique for testing to see whether someone is logged in on a particular site. The approach is pretty simple - when you browse a web site, each page is often different depending upon whether you're currently logged in. Thi…

YouTube Fixes Security Vulnerability

Until recently, YouTube was vulnerable to cross-domain Ajax attacks due to their open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the probl…

Google Web Accelerator Debate

I was browsing Ajaxian and stumbled upon a rant from late last year about Google Web Accelerator (GWA): Google has reintroduced their Google Web Accelerator with a vengeance. It was evil enough the first time around, but this time it's downright scary. …

Ajax Security

Recently, Jeremiah posted an article about Ajax security. He's a good writer and manages to clarify some misconceptions, but I disagree with one of his points about XSS. (I'll get to that in a minute.) His discussion on XSS begins with a question and (sa…

Web Builder 2.0 Recap

Web Builder 2.0 turned out to be a good conference. I must admit to being a bit tepid about this particular conference, because the "2.0" in the name made me think of vacuous marketing talks, but the webmaster track had some solid technical content, incl…

Security 2.0 at Web Builder 2.0

I'll be giving a talk about Security 2.0 on Tuesday at Web Builder 2.0 in Las Vegas: Web 2.0 has been described as many things. It's the Web as a platform, a network of networks, the architecture of participation. However you choose to define it, the wa…

Stealing Saved Passwords

One of the greatest things about web application security is that once you understand the technologies involved, all you need is a bit of creativity to come up with your own exploits. The unfortunate thing about this is that multiple people independently…

ZendCon Wrapup

It has been more than two weeks since ZendCon, yet I can't seem to manage to find the time to recap the event. (Work has been keeping me busy.) This will be brief. Note: My photos from the conference are available on SmugMug with a few select ones on Fl…

Mashery API Management Service

A big congrats to Clay, Paul, and the other folks at Mashery on their successful launch. It sounds like they offer everything you need to support a public API. (Since I don't have a public API, I haven't tried it.) The key features listed on their web si…

Installing LWP on a Mac

Just in case anyone else runs into this problem, installing LWP on a Mac apparently overwrites /usr/bin/head due to the case insensitivity of HFS+. This is used by Apache during the build process, so it can go unnoticed until the next time you're buildin…

Damien Seguy Catalogues phpinfo() Statistics

As I mentioned earlier, Damien Seguy has been compiling phpinfo() statistics. He just sent me an email with an update on his progress: I just published the first part of a series of articles about PHP directives configurations. By gathering 11,000 phpin…

Formatting and Highlighting PHP Code Listings

For the impatient, here's a direct link to the example that highlights itself: http://shiflett.org/code/highlight.php As I mentioned in the previous post, shiflett.org is being redesigned and redeveloped from the ground up. (Nope, it's not finished yet…

PHP Tidbits

I'm developing a new web site for shiflett.org from the ground up, focusing on a clean, accessible design. As a result, I've been noticing all of the things I dislike about blogs, mine included. Navigation, commenting, and community are some aspects that…

Firefox 2.0 First Impressions

I've been using Firefox 2.0 for most of the day, and so far, I like it. The biggest disappointment is that it doesn't support HttpOnly cookies. Also, a few of my favorite extensions (del.icio.us, Foxylicious, and LiveHTTPHeaders) aren't compatible, but t…

DC PHP Conference Recap

This past Thursday, I attended the DC PHP Conference. Since I was only there for a day, I'm sure I missed a lot, but I did manage to do some of the things on my list. I attended more talks than usual, including: Getting Started with Zend Framewor…

Using CSRF for Browser Hijacking

Something the Myspace worm taught us is that traditional safeguards against CSRF (cross-site request forgeries) are rendered ineffective when XSS (cross-site scripting) vulnerabilities exist in a web application. This is because malicious content injecte…

DC PHP Conference Is Next Week

I keep forgetting to mention this, but I'll be speaking at the DC PHP Conference next week about PHP Security Testing and The Truth about XSS. For some reason, they haven't posted the schedule yet, but both of my talks are supposed to be on Thursday (19 …

Google Code Search for Security Vulnerabilities

Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search: Google's code search provides an easy way to find obvious software flaws in open source and example applicati…

The Best City in America for PHP Developers

The Zend Developer Zone recently analyzed the best places to live in America and how the salaries compare for PHP developers. If you were to use this analysis as a metric to decide where to work, apparently you should choose Columbia, MD. Although I don'…

The crossdomain.xml Witch Hunt

After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit: using cross-domain Ajax requests for CSRF. Among these new dis…

CakePHP Visits New York

Last night at the monthly NYPHP meeting, Nate Abele presented an introduction to CakePHP, a web application framework. The New York subway wasn't cooperating with my schedule, and due to a problem affecting all uptown 4/5 trains, I was 30 minutes late t…

Breach Security Acquires Thinking Stone

From Ivan's blog: It gives me great pleasure to announce that Thinking Stone and ModSecurity have been acquired! We will be joining forces with Breach Security, a company also focused on the web application firewall market. For anyone unfamiliar with I…

Cal Evans Interviews Theo Schlossnagle

The latest interview on the Zend Developer Zone is with Theo Schlossnagle. Theo is probably best known among the PHP community as the founder of OmniTI (where I work), a company that Cal describes as "one of the premier PHP consulting companies in the wo…

The Dangers of Cross-Domain Ajax with Flash

In a previous blog post, I discussed the insecurity of cross-domain Ajax. In the comments, I referenced a cross-domain Ajax with Flash demonstration created by Julien Couvreur: My initial observation leads me to believe that the target site has to all…

EuroOSCON Recap

Almost immediately after returning from my trip to Toronto, I headed to Brussels for EuroOSCON. I missed EuroOSCON last year, because ZendCon was scheduled at the same time. This year produced a similar collision - the Microsoft Web Dev Technology Summi…

Belated php|works Recap

I've been traveling non-stop since php|works, so I haven't had a chance to reflect on the conference, what I learned, who I met, and things like that. (Zak has been doing a good job of this lately, and I'd like to follow his lead.) I've probably forgotte…

A Day of Remembering

Living in New York, it's hard to let this day pass without acknowledging the events that took place five years ago, but no words I can write seem appropriate. I'd like to point you to an episode of the Daily Show that was broadcast a few days after the …

OWASP Autumn of Code

Clearly inspired by the Google Summer of Code, OWASP has launched the OWASP Autumn of Code: The Open Web Application Security Project (OWASP) is launching today a new project aimed at financially sponsoring contributions to OWASP Projects. The new …

Zend Gets Another $20 Million

According to this report, Zend has received "a $20 million boost through a fourth round of funding." According to Zend's own press release: The new funds will enable us to expand faster in emerging geographical markets, accelerate our product developmen…

Web APIs with PHP

Congrats to Paul Reinheimer whose book on Web APIs with PHP is now available. I haven't read it yet, but I know Paul has been working on it for well over a year, and it has already received a positive review from Nathan Smith: If you are looking for a g…

Social Design Patterns

Tim O'Reilly has an interesting post about dial tone. Yeah, I know, it doesn't sound that interesting, but it is one of those things like Web 2.0 and Ajax - a new word that describes an old idea: Dial tone is a fabulous metaphor for one of the key princ…

Interesting Security Blogs

I blog about a number of topics here at shiflett.org, and a favorite one is web application security. A reader recently asked for some other security blog recommendations, so I thought I'd mention a few of the ones I try to keep up with. Although not al…

Blood, Sweat, and Swear: Terry Chay on Pro-PHP Podcast

I just finished listening to Terry Chay on the Pro-PHP Podcast. Terry never hesitates to share his opinion, and it's always fun to listen to a smart guy who is passionate about what he does. You're also sure to walk away with several new quotes, such as …

PHP Gets HttpOnly Cookies

Via Ilia, Scott MacVicar has provided a patch that adds support for HttpOnly to setcookie() and setrawcookie(). This has been possible with header() all along, but this patch (applied by Ilia) makes things much easier. Andrew has more information about …
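As an added illustration of the two routes the post contrasts (this is not code from the original post or from the patch itself), here is the hand-written Set-Cookie header that always worked, next to the extra argument the patch gives setcookie(). The cookie name and value are constructed; the argument order assumed for setcookie() and session_set_cookie_params() is the one PHP 5.2 shipped with (name, value, expire, path, domain, secure, httponly).

```php
<?php
// Added example: emitting an HttpOnly cookie before and after the patch.
// Names and values below are constructed for illustration.

// Before the patch: PHP never parses the attribute list of a Set-Cookie
// header, so the flag could always be appended by hand.
function set_httponly_cookie_raw($name, $value, $path = '/')
{
    $header = sprintf('Set-Cookie: %s=%s; path=%s; secure; HttpOnly',
        rawurlencode($name), rawurlencode($value), $path);
    header($header, false);   // false: keep any other Set-Cookie headers
    return $header;
}

// After the patch (PHP 5.2+): the seventh argument of setcookie().
// Argument order: name, value, expire, path, domain, secure, httponly.
// 'secure' is set too, so the cookie never travels over plain HTTP.
function set_httponly_cookie($name, $value, $path = '/')
{
    return setcookie($name, $value, 0, $path, '', true, true);
}

// The same flag for the session cookie, which is the one that matters most
// for XSS-driven session theft. session_set_cookie_params() gained its
// httponly argument in the same release.
function configure_session_cookie()
{
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}
```

Two caveats a practitioner would want: the flag only does anything in browsers that honour it (see the Firefox 2.0 note on this page), and it only hides the cookie from script. An XSS payload can still drive authenticated requests from inside the victim's browser, so HttpOnly narrows the damage of an XSS bug rather than fixing it.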

Cal Evans Interviews George Schlossnagle

Cal Evans has posted another interview, this time with George Schlossnagle. They discuss George's background, a little bit of OmniTI history, and some of George's opinions about PHP and scalability. When asked which technology has him most excited, Geor…

Rails Security and Nondisclosure

Since the announcement of a "serious security concern" in Rails yesterday, many people have taken the opportunity to criticize the Rails project as being too immature for "enterprise" use. I think that's overly harsh, but there are some very valid conce…

Cross-Domain Ajax Insecurity

I might turn this into a more coherent article. For now, this ad hoc explanation will have to suffice. Since the birth of Ajax (the name, not the technology), there has been an increased interest in various client-side technologies, especially JavaScr…

Kevin Yank Discusses CSRF

Kevin Yank has written a pretty good description of CSRF (cross-site request forgeries) in a SitePoint Newsletter from a couple of weeks ago. If you've read my CSRF article and don't quite get it, check out Kevin's description. I think he explains it ve…

Six Reasons PHP Sucks

Theo has posted the slides of his PHP lightning talk in PDF format. The topic? Why PHP sucks. I've never disputed the fact that PHP has problems, but for some reason, everyone who tries to explain why PHP sucks misses most of the actual reasons it does.…

OSCON People and Random Tidbits

One of the great things about OSCON is how it brings people together, and this year's conference was no different. I had the privilege of meeting a number of people for the first time: Andrew van der Stock, a well-known web application security ex…

Cal Evans Interviews Laura Thomson

Cal Evans has posted his interview with Laura Thomson: While at OSCON, I had the privilege of talking with Laura Thomson. Laura is the Director of Web Development at OmniTI. It's an interesting read and presumably the first of many, as Cal was busy int…

OSCON 2006 Redux

Several of my colleagues at OmniTI and I just returned from our trip to Portland for this year's OSCON. It's difficult to summarize such a conference in a single blog post, so I'll probably be blogging quite a bit over the next couple of weeks in an atte…

OmniTI Seeks Junior Security Analyst

Are you a good PHP developer searching for a cool place to work? OmniTI (where I work) employs several industry leaders, including Theo Schlossnagle, George Schlossnagle, Laura Thomson, and Wez Furlong. We do lots of interesting, challenging work for so…

PHP Security Hoedown at OSCON

For those of you attending OSCON in a couple of weeks, you might be interested in the PHP Security Hoedown BOF being hosted Wednesday night by Ed Finkler of CERIAS: An open discussion about the current state of PHP security. Are we making progress? What…

The OWASP PHP Top 5

OWASP, the Open Web Application Security Project, is famous for its Top Ten list of security vulnerabilities. David ported the list to PHP (PHP and the OWASP Top Ten), and now OWASP has released its own PHP-specific list, the PHP Top 5: The PHP Top 5 is…

PHP Security by Example

Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two. About a week ago, the Flash version of PHP Security by Example was Dugg. I'm always disappointed to see trolls (Digg see…

Are Happy People Smarter?

I doubt many of my readers follow Robert Scoble (a Microsoft blogger), but in April, he announced a change in policy regarding the comments on his blog - he's moderating them: Yes, I am now approving every comment here. And I will delete any that don't …

PHP 5 Statistics

Damien Seguy wrote to let us know that Nexen.net has published their PHP statistics for May 2006 and PHP stats evolution for May 2006. He also provides a brief overview: PHP 4.4.2 will become the dominant version during June 2006. PHP 5.1.2 i…

Mob Mentality and Web 2.0

Disclaimer: I'm an O'Reilly author. I've been to Foo Camp. I've spoken at OSCON. This is an opinion piece. I'll provide plenty of quotes and links, so you should have no trouble digging into the issue and coming to your own conclusions. These are mine. …

ApacheCon Early Bird Ends Soon

Don't forget to register for ApacheCon Europe before June 6 to receive the early bird discount. This is also when the conference organizers decide which tutorials to keep, so don't wait until the last minute to sign up for your favorites, else you might …

Reporting Vulnerabilities

Ed Finkler (of CERIAS) just pointed me to a blog post made by one of his colleagues about reporting vulnerabilities. The post discusses the risks associated with reporting vulnerabilities, and the conclusions drawn are disappointing but understandable. …

OmniTI Acquires Brain Bulb

I'm very excited to announce that OmniTI has acquired Brain Bulb, which basically means that I'm now a principal of OmniTI and get to work with some of the smartest and friendliest people around, such as George, Theo, Wez, Laura, and Amy. While travelin…

PHP Lightning Talks

If you're attending OSCON this year, be sure to check out the PHP Lightning Talks being hosted by George and Laura: Lightning talks are a collection of 5-minute talks given by you, members of the PHP community. A mainstay of the Perl side of the convent…

PHP 5.1.4 Fixes Critical Bug

I haven't seen an official announcement, and it's not mentioned on the downloads page yet, but you can grab PHP 5.1.4 from your favorite mirror. Presumably, this release comes so soon after 5.1.3 due to the critical bug mentioned on PHPDeveloper.org. I …

Renkoo Launches Beeta

Congrats to Adam, Joyce, and the rest of the Renkoo team on the launch of their beta (beeta). I think George gives a decent one-line description of the service: Renkoo is essentially Evite on crack; an efficient, featureful, real-time way to coordinat…

php|tek Recap

I've been extremely busy since returning, but I do want to mention that Marco and the gang (Sean, Arbi, etc.) pulled off another great PHP conference with php|tek. This year, php|architect has provided a page listing all of the slides, and Trevor Lowing…

Boston PHP and the Zend Framework

I'm visiting Boston PHP this Thursday to speak about the Zend Framework. I'll most likely focus on the topics presented in the Zend Framework Tutorial. The meeting begins at 6:30 PM at Optaros. There's a map if you need help finding it. I hope to see yo…

LinuxWorld Recap

LinuxWorld was an interesting conference, but the corporate atmosphere was rather alienating. There were only two PHP talks (both given by me), and I wasn't at the conference long enough to meet many other people, because I had a flight to Orlando (for p…

Storing Sessions in a Database

I've added another free article to my growing collection: Guru Speak: Storing Sessions in a Database This article creates the necessary functions in steps, so that you hopefully better understand the final product and can make your own modifica…

Zend Framework License

Good news - the Zend Framework License is now compatible with the GPL. This means you can use the ZF for your own GPL-licensed PHP project. From Andi's email: We have decided to change the license of the Zend Framework from a PHP-like license, to the s…

PHP News Catchup

Because I've been busy with work and travel in the last few weeks, there's a lot I haven't had the time to blog about. So, I decided to try to summarize the important stuff I've missed in one rushed, disorganized post. (Maybe you missed some stuff, too.)…

PHP Blogs Not on Planet PHP

I've been keeping up with Planet PHP for a while now. I like the Planet style of feed aggregation, and I think Christian and Toby have done a good job with it. Unfortunately, the blogs I read and the blogs Planet PHP aggregates no longer match very well…

PHP and Scalability (Again)

There's an interesting blog entry on O'Reilly's web site discussing Digg's PHP Scalability and Performance. As part of his research, the author (Brian Fioca, a Java developer) interviewed Owen Byrne, cofounder and Senior Software Engineer at Digg, and bu…

Looking for a Job?

From Laura Thomson's blog, OmniTI is looking to fill a Junior Web Developer position. If you like web development technologies (mod_perl, PHP, etc.) and working with some of the best in the industry (Laura, Wez, George, Theo, Amy, etc.), this might be an…

PHP Quebec Recap

PHP Quebec was an educational and entertaining conference as expected. The PHP Quebec User Group does a great job organizing the conference each year. My talk, Agile PHP Testing, was very well received. I think KISS might be the missing ingredient tha…

Windows on Mac

I've been too busy to blog this past week, but Apple's Boot Camp seems particularly noteworthy. If you have an Intel-based Mac, you can run Windows XP without having to do anything complicated. From Apple's announcement: More and more people are buying …

Zend_Filter Reviewed on SitePoint

Maarten Manders graciously took the time to review the Zend_Filter component of the Zend Framework. I think criticism and public discussion are healthy. Unfortunately, I don't have time to offer a very detailed response, but I'll try to remedy that with …

OSCON 2006

The talks for OSCON 2006 have been selected. For the first time in OSCON's history, there is going to be a PHP testing tutorial. :-) Geoff and I will give it, and it will cover Apache-Test (and test-more.php), Simple-Test, PHPUnit, and phpt. I'll also b…

Who Practices Test-Driven Development (TDD)?

Harry Fuecks maintains a good blog over at Sitepoint and recently wrote a piece on Evaluating PHP Applications. Noel Darlow, a regular contributor to the Sitepoint forums (and someone whose opinion I respect), comments: I think testing is a good indica…

Easy Cookie Hacking

When penetration testing a web app, it's hard to avoid a few manual tests. For example, you might try a simple cross-site scripting (XSS) exploit: <script>alert('XSS')</script> Or, perhaps its cousin: "><script>alert('XSS')</sc…

del.icio.us RSS Feeds

I've been using del.icio.us since 2004, and it has served me well. For those who still haven't tried it, it's basically a bookmark manager with a social twist. You can get a (nearly) real-time list of everyone's PHP bookmarks, everyone's MySQL bookmarks,…

Agile PHP Testing at PHP Quebec

Next week, I'll be speaking at PHP Quebec in Montreal about testing PHP applications. Agile PHP Testing is a new talk that focuses on really simple approaches to testing, and I hope to demonstrate how creating a test suite is close to what you're probabl…

php|architect: March 2006 Edition

Another edition of php|architect has been published. I was especially excited to read this one, because it's Ilia's first month writing Security Corner. It's nice to see a topic explained from a different point of view, and there is still too little inte…

Scalable Internet Architectures

From Mark Taber's Blog, I just found out that Theo Schlossnagle's book, Scalable Internet Architectures is scheduled for July. I've been anticipating this book for a few years. It's based on a very popular tutorial Theo has given at both ApacheCon and…

IBM's PHP Reading List

Daniel Krook and Carlos Hoyos of IBM have created a PHP reading list covering the following topics: Overview Getting Started Development Integration Extension Migration Security Community and News Other Reso…

SERVER_NAME Versus HTTP_HOST

A question was asked on the New York PHP mailing list concerning $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST']: Aren't these the same thing? There were several informative replies within the first few minutes, but there's more to this question than…

ZF Tutorial Update

I just updated my Zend Framework Tutorial. It now works with version 0.1.2 of the framework. I also fixed a few minor bugs and improved my explanation of several topics, particularly the front controller. This tutorial barely scratches the surface, so b…

Gosling Didn't Get the Memo

I just read a smart critique of James Gosling's recent interview. It's worth a read. For those who don't have the time or inclination to read the interview, it's basically the creator of Java trying to explain why PHP, Perl, Python, and Ruby do not pose…

Zend Framework Tutorial

I'm a little late announcing this, but I wrote a quick Zend Framework Tutorial for php|architect over the weekend. It was written in haste and likely contains some errors as a result, but I've arranged to have the tutorial updated frequently. Therefore, …

Zend Framework Preview

A preview of the Zend Framework is now available: framework.zend.com/download/tgz framework.zend.com/download/zip Please download it, read the manual, and give it a go. If you find any problems, please report them, so they can be fixed. C…

Another Google XSS Vulnerability

I don't want to provide any links or details before it is fixed, but Google has another cross-site scripting (XSS) vulnerability. It is more serious than the previous one, because: It works with any character encoding. (You can be a victim even if…

Brain Bulb Webcasts

I've been playing around with Snapz Pro lately. I originally intended to use it to help spice up some of my talks by offering prepared demos directly in Keynote, but I have also decided that it would be useful to offer various talks and demos to the PHP …

php|architect Magazine

I just got through reading the latest issue of php|architect - always a good read. Sean starts by announcing the departure of Marcus Baker as a columnist. I've always enjoyed Marcus's perspective on things, primarily because it's different. Luckily, S…

Ask Chris Is Back

It's been a few months since Episode One, but thanks to Marcus, Ask Chris is back on the air. The format is a bit different - instead of doing separate shows, we'll be doing a short segment at the end of each interview. This interview is with David Sk…

PHP News Roundup

I've been away for a week, and a lot has happened in the PHP world during that time. Tim Bray sparked a debate with his discussion On PHP. Greg and Marcus were quick to point out how silly it is to be comparing tools. It reminds me of soccer players who…

Mac OS X Annoyances and Resolutions

A few days ago, I posted my Top X List of Mac OS X Annoyances. As predicted, there were a few useless responses from the zealots who felt a need to defend the Mac, but there were also many useful comments - more on those in a minute. Some people seem to …

Spammer Wins Gold

Luke Welling has been doing a bit of research about his fellow countryman, Dale Begg-Smith, who won an Olympic gold medal last night in the freestyle skiing moguls. Described as an Internet entrepreneur, Begg-Smith is also known as "Spam Man" and owner …

Security: Digg Versus Furl

While adding links to my feed, I noticed similar security vulnerabilities in both Digg and Furl. (Josh Ribakoff of DevNetwork Forums played a part in discovering Furl's vulnerability.) Of course, I immediately notified each of them and offered a simple …

RSS Feed Enhancements

About a month ago, I added links to a few different services in my RSS feed. If I write something that people want to remember (or share), they can bookmark it (or promote it) with del.icio.us, Digg, or Furl. They can also see related posts with Technora…

Essential PHP Security Slashdotted

Thanks to everyone who wrote to let me know that Essential PHP Security was Slashdotted yesterday. Slashdot still amazes me. I think the book's Amazon.com Sales Rank is a testament to the power of Slashdot: Here's a closer view: The review is ver…

Top X List of Mac OS X Annoyances

As far as desktop operating systems go, they all suck, and Mac OS X sucks the least. Although I use Linux as my primary desktop OS, that's because it has been the best choice for me - a software developer (primarily interested in server-side technolo…

OSCON and NYPHPCon Call for Papers

The 8th annual O'Reilly Open Source Convention is returning to Portland this July (24 Jul - 26 Jul). It's easily my favorite conference, partly because of its diversity - the best of the best from all of the open source disciplines are there, and the c…

Luke Welling to Speak at Waterfall 2006

For those who missed the news, Luke Welling (of PHP's "Luke and Laura") has started blogging. It was via his blog that I learned of Waterfall 2006, sure to be one of the best conferences this year. Talks include gems such as: Pair Managing: Two Ma…

Tragedy Strikes One of PHP's Own

A little more than a week ago, I received an email from Robert Peake. According to the subject, it was a reply to an ongoing discussion we had been having. The contents of the email, however, were tragic. Robert and his wife had just lost their first-bor…

Test::Harness for PHP

In the tradition of test-more.php, Mike Lively adds to the growing list of reasons to be using TAP (Test Anything Protocol) by creating test-harness.php, a TAP-compliant PHP testing harness. This provides yet another testing option for PHP developers: …

PHP Easter Eggs

I can never remember the PHP Easter egg strings, so I'm putting them in my blog. This probably isn't news to anyone, but here they are for reference: PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 - PHP Credits PHPE9568F34-D428-11d2-A769-00AA001ACF4…

Ruby on Rails Fans

Update: Jeff Moore has written a compelling argument suggesting that Rails is for flexies. I'm glad to see all of the hype surrounding Ruby on Rails lately. I've always been an advocate of open source software, and Ruby (particularly Ruby on Rails) is y…

PHP Security and SABSA

Andrew van der Stock has started providing more details about a proposed security architecture for PHP, beginning with the SABSA (Sherwood Applied Business Security Architecture) approach. This approach is broken down into layers: Contextual …

PHP Security Architecture

Andrew van der Stock wrote to let me know that he has posted a contextual overview of a security architecture for PHP. I think he clarifies many of the things he mentioned in his previous post, and he makes a statement that has been a guiding principle f…

Test::Simple for PHP

Via PHPDeveloper.org, I just read a post on PhpGirl that discusses a familiar topic, testing: I'll write a Test::Simple for PHP. Yes, I know there exists one already that uses the power of Perl to test PHP files, but I didn't have time to figure out how…

Secure Logins

I use Yahoo for a few of their services. As Aaron notes, Yahoo makes you log in excessively. This is a bit annoying, especially since each login usually requires multiple clicks for me - I always choose the secure option, because it submits the form over…

PHP Insecurity

Andrew van der Stock has written a strong criticism of PHP's insecurity. Andrew is a seasoned security expert and a major contributor to OWASP, and he states: After writing PHP forum software for three years now, I've come to the conclusion that it is b…

addslashes() Versus mysql_real_escape_string()

Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes() versus mysql_real_escape_string() debate continues…
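The encoding-consistency point is easiest to see in bytes. The following is an added example, not code from the original post: it shows why addslashes() fails under a multibyte connection charset such as GBK, and the two ways to close the hole. The input bytes are constructed; the character count needs ext/mbstring; the hardened functions assume a live mysqli connection and a hypothetical users table, neither of which this page provides.

```php
<?php
// Added example (not from the original post): the multibyte case that
// separates addslashes() from a charset-aware escaper.

// Under GBK, a lead byte 0x81-0xfe must be followed by a trail byte
// 0x40-0xfe. 0xbf 0x27 is therefore NOT a character: 0x27 is a bare ASCII
// quote with an orphan lead byte in front of it. addslashes() only knows
// about single bytes, sees the quote, and puts 0x5c in front of it.
function addslashes_under_gbk($input)
{
    $escaped = addslashes($input);
    return array(
        'bytes' => bin2hex($escaped),
        // How a GBK parser (MySQL's, when the connection charset is GBK)
        // reads the result: 0xbf 0x5c is a valid two-byte character, so
        // the backslash is swallowed and 0x27 is a quote again.
        'chars'     => mb_strlen($escaped, 'GBK'),
        'last_char' => mb_substr($escaped, -1, 1, 'GBK'),
    );
}

$r = addslashes_under_gbk("\xbf\x27");
// $r is array('bytes' => 'bf5c27', 'chars' => 2, 'last_char' => "'"):
// "WHERE name = '" . addslashes($input) . "'" closes its literal early, and a
// constructed payload such as "\xbf\x27 OR 1=1 -- " runs as SQL.

// Hardened form 1: the escaper has to know the connection charset. That is
// what mysqli::set_charset() (mysql_set_charset() for the old extension)
// does. A 'SET NAMES gbk' query tells the server but not the client library,
// so real_escape_string() would still run in single-byte mode after it.
function escape_for_mysql(mysqli $db, $input)
{
    $db->set_charset('gbk');
    // With the charset known, the orphan lead byte 0xbf is escaped as well,
    // so no valid character can be formed around the backslash.
    return $db->real_escape_string($input);
}

// Hardened form 2: avoid escaping entirely. The value never becomes part
// of the SQL text, so its encoding cannot change how the text is parsed.
function find_user(mysqli $db, $name)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    return $stmt->fetch() ? $id : null;
}
```

The check worth running on an existing code base is not "addslashes or mysql_real_escape_string" but "does the escaping function know the same charset the server will parse with": any path that sets the charset with a raw SET NAMES query, or that escapes before switching charsets, reintroduces exactly this byte sequence.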

Technical Vocabulary and Grammar

I sometimes wonder why people feel so compelled to use technical terms when talking about computers, even when they don't know what the terms mean. In my experience, those who know the least about a particular topic use the most complicated vocabulary wh…

Pro PHP Podcast

You've probably heard the good news about the Pro PHP Podcast. The guys behind the show (Marcus Whitney and Chris Cornutt) are joining forces with php|architect in what should be a good thing for all of us. A few months ago, Marcus and I tried to re…

2005 Highlights

In the tradition of my 2003 and 2004 highlights, I'm posting my personal highlights of 2005. As in years past, this is mainly for my own benefit. I hope everyone has a wonderful 2006. :-) Launched the PHP Security Consortium (31 Jan) Intervie…