Thanks very much to everyone who participated in this year's PHP Advent Calendar. The entire calendar is available at the following URL:
http://shiflett.org/blog/2007/dec
For reference, the complete list of entries is below. (See also Chris Cornutt's...
Today's entry is provided by Nate Abele.
Name: Nate Abele
Blog: cake.insertdesignhere.com
Biography: Nate Abele of OmniTI has been a core developer of the CakePHP web framework for over two years. He is known ...
Today's entry is provided by Jay Pipes.
Name: Jay Pipes
Blog: jpipes.com
Biography: Jay Pipes is the North American Community Relations Manager at MySQL. Coauthor of Pro MySQL (Apress, 2005), Jay regularly ass...
Today's entry is provided by Derick Rethans. Today also happens to be Derick's birthday, so I hope you'll join me in wishing him a very happy birthday. (Because I'm a little late posting this, and Derick lives in Norway, I'm afraid this is a belated bi...
Today's entry, provided by Luke Welling, is entitled Following the Big Dogs on Web Application Security.
Name: Luke Welling
Blog: lukewelling.com
Biography: Luke Welling is from Melbourne, Australia, but curre...
Today's entry, provided by Adam Trachtenberg, is entitled User-Defined Functions in SQLite.
Name: Adam Trachtenberg
Blog: trachtenberg.com
Biography: Adam Trachtenberg is the Senior Manager of Platform Evangel...
Today's entry is provided by Marcus Börger.
Name: Marcus Börger
Blog: marcus-boerger.de
Biography: Marcus Börger is a specialist in C, C++, databases, UML, XML, and of course PHP. To the PHP community, he i...
Today's entry, provided by Christian Wenz, is entitled WSDL Despite PHP 5.
Name: Christian Wenz
Blog: hauser-wenz.de/blog/
Biography: Christian Wenz got hooked on PHP when he introduced it to one of the largest web sites back i...
Today's entry is provided by Ilia Alshanetsky.
Name: Ilia Alshanetsky
Blog: ilia.ws
Biography: Ilia Alshanetsky is an active member of the PHP development team and is the current release manager for PHP 5.2. Ilia is also the pr...
Today's entry, provided by Jeff Moore, is entitled What We Can Learn about Software Development from a Failing Restaurant.
Name: Jeff Moore
Blog: procata.com/blog/
Biography: Jeff Moore is a columnist for php|architect who has ...
Today's entry, provided by Paul Reinheimer, is entitled Channels and Output.
Name: Paul Reinheimer
Blog: blog.preinheimer.com
Biography: Born in Vancouver, raised in Ontario, educated in Windsor, currently roa...
Today's entry, provided by David Sklar, is entitled Timing and Profiling.
Name: David Sklar
Blog: sklar.com/blog/
Biography: David Sklar is a Software Architect at Ning, author of Learning PHP 5 (O'Reilly), PH...
Today's entry, provided by Terry Chay, is entitled Filter Input; Escape Output: Security Principles and Practice.
Name: Terry Chay
Blog: terrychay.com/blog/
Biography: When Zend puts your face on a trading car...
Today's entry is provided by Ed Finkler.
Name: Ed Finkler
Blog: funkatron.com
Biography: Ed Finkler is the Web and Security Archive Administrator for CERIAS at Purdue University. As a member of the PHP Securit...
Today's entry is provided by Ben Ramsey.
Name: Ben Ramsey
Blog: benramsey.com
Biography: Ben Ramsey is a software architect at Schematic and the founder of the Atlanta PHP user group. He is the co-author of ph...
Today's entry is provided by Chris Cornutt.
Name: Chris Cornutt
Blog: blog.phpdeveloper.org
Biography: Chris Cornutt is the senior editor of PHPDeveloper.org, a popular PHP news site, as well as a lead PHP dev...
Today's entry, provided by Ivo Jansch, is entitled Design Patterns.
Name: Ivo Jansch
Blog: jansch.nl
Biography: Ivo Jansch is CTO of Ibuildings, a UK and Netherlands based PHP service company. Ivo is an active...
Today's entry, provided by Matthew Weier O'Phinney, is entitled Don't Reinvent the Wheel.
Name: Matthew Weier O'Phinney
Blog: weierophinney.net/matthew/
Biography: Matthew Weier O'Phinney is currently a PHP de...
Today's entry, provided by Elizabeth Smith, is entitled SPL to the Rescue.
Name: Elizabeth Smith
Blog: elizabethmariesmith.com
Biography: Elizabeth Smith is a PHP Windows geek, lover of all things PECL, PHPWo...
Today's entry, provided by Davey Shafik, is entitled APIs, UIs, and Other Underused Acronyms.
Name: Davey Shafik
Blog: pixelated-dreams.com
Biography: Davey Shafik is an author, speaker, and developer with 10 ...
Today's entry, provided by Cal Evans, is entitled Five Resources Every PHP Developer Should Know About.
Name: Cal Evans
Blog: blog.calevans.com
Biography: Cal Evans is currently the Editor-in-Chief of the Zend...
Today's entry is provided by James McGlinn.
Name: James McGlinn
Blog: blog.phpdeveloper.co.nz
Biography: James McGlinn is the CTO of Eventfinder (a major New Zealand entertainment site) and founder of the NZ P...
Today's entry is provided by Sebastian Bergmann.
Name: Sebastian Bergmann
Blog: sebastian-bergmann.de
Biography: Sebastian Bergmann is a long-time contributor to various PHP projects, including PHP itself. He ...
Today's entry, provided by Elizabeth Naramore, is entitled Writing Code is Like Doing the Dishes (5 Reasons Why Documenting Your Code Makes You a Better Coder).
Name: Elizabeth Naramore
Blog: naramore.net/blog/
Biogra...
Welcome to the PHP Advent Calendar. If you are unfamiliar with the format of an Advent calendar, Wikipedia has a pretty good description. The PHP Advent Calendar is similar in spirit to the Perl Advent Calendar, a tradition the Perl community has susta...
Via Jeremiah, I see that PayPal's new vulnerability disclosure policy includes an amnesty clause for well-intentioned security researchers:
To encourage responsible disclosure, we commit that - if we conclude that a disclosure respects and meets all t...
The 5th of November. Just kidding. No, remember tonight's PHP Meetup, starring Andrew van der Stock of OWASP:
Andrew van der Stock, Executive Director of OWASP (Open Web Application Security Project) will be speaking about upgrading the security of ol...
The DC PHP Conference is right around the corner, and it looks like it's going to be great. (It's not too late to register.) Not only is this conference inexpensive ($450 for both days, $250 for one, and $150 for students), it boasts an impressive line...
Tim O'Reilly has described the Internet as the new OS. Recent observations lead me to believe it's the new Unix. Consider the following philosophy:
Write programs that do one thing and do it well.
Write programs to work together.
Write programs ...
Much ado was made of Derek Sivers's choice to migrate CDBaby from Ruby to PHP. Although I think CDBaby itself is noteworthy, this particular decision isn't. A similar decision was made when Friendster migrated from Java to PHP. Derek's motivation seems...
For the past few weeks, I've been trying Twitter. (If you use Twitter yourself, you can follow me.) I'm only following a few people at the moment, because I'm primarily using the mobile interface (particularly nice on the iPhone), and I don't want to g...
Alexander Andonov (Mordred) has written an article called The Unexpected SQL Injection for the Web Application Security Consortium:
We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been...
As you may have heard, Paul Jones is joining us at OmniTI. We're very excited to have him, and you can meet him in person by attending the Columbia PHP Meetup Monday night (please RSVP), where he'll be speaking about framework and application benchmark...
Earlier this month (on the 4th, to be exact), OmniTI celebrated its 10th birthday. From humble beginnings in Theo's basement to a company of almost 50 employees, things have certainly changed. We now have an entire division devoted to email (Message Sy...
I often get distracted when following discussions online due to the abundance of flawed logic. It's distracting enough that I sometimes find myself tending to disagree with someone whose argument is illogical, even if I agree with the conclusion. (I ca...
Another conference has come and gone. As always, the folks at php|architect hosted a good conference, and it was nice to meet some new people and see old friends. There weren't even any hotel snafus this time. :-)
I really enjoyed my keynote. Not on...
I've been very busy since OSCON, so my blog pipeline is full. Hopefully I can properly catch up on some topics I've been meaning to discuss in the next few weeks. If you've been busy like me, you might be wondering how to catch up and keep up with the ...
Earlier today, my editor and friend Tatiana Apandi launched Women in Technology, a series on the O'Reilly Network that she describes as follows:
This series is comprised of articles written by women on the topic of "Women in Technology," which will ru...
My schedule for the remainder of 2007 is mostly solidified, and I wanted to take a moment to mention the conferences I'll be attending. (I have been cutting back on conferences this year, but there are always a few that I don't want to miss.)
php|work...
Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a P...
Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:
The AT&T/Cingular voicemail system is configured by default not to ask for a pa...
If you want to keep up with the latest in web application security, you might want to add Planet Web Security to your reading list. In his announcement, Christian Matthies offers this brief description:
I am pleased to announce the launch of Planet We...
I've been focusing on work and neglecting my blog lately, but I want to take a moment to highlight HTML Purifier, a tool developed by Edward Yang. Edward contacted me a few days ago to let me know that he has just released version 2.0, and because this...
While lamenting Ronaldinho's red card and writing an overdue column for php|architect this weekend, I took a break to read Kevin Yank's latest post, Good and Bad PHP Code.
In the post, he provides a few useful PHP interview questions, including some q...
Terry Chay's latest post is a work of art. This is why I read his blog. (If you're easily offended, you shouldn't.) He gives a quick slap in the face to those with more ego than intelligence (an issue highlighted by Jeremy Privett), then launches into ...
php|tek was another well-organized event from the folks at php|architect. Just like my previous experience traveling to a conference, I arrived at JFK to discover that my flight had been cancelled. (This is becoming an unwelcome tradition.) A few more ...
After a very long and eventful day filled with multiple cancellations, delays, and overbooked hotels, I'm finally in Chicago (well, Schaumburg) and ready for php|tek. I'm fighting a cold (and currently losing; the travel problems haven't helped), so I ...
As I write this, Digg is offline after being overrun with stories about the HD DVD key that was recently leaked.
Why are such stories so popular? Primarily because the original story about the leak was removed, which itself was a reaction to recent th...
And it never was.
In the original article about Ajax, the author states:
The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what's possible on the Web.
Although he never calls it an acronym and never us...
I'm proud to welcome Luke Welling to OmniTI. Luke is a prominent member of the open source community, probably best known as the co-author (along with Laura) of one of the best selling open source books of all time, PHP and MySQL Web Development. Those...
Anurag Agarwal (whose blog is part of my planet) has been interviewing members of the web application security community for the past few weeks. As part of each interview, he has been providing a pretty thorough list of each person's contributions. The...
There are a number of quality PHP and open source conferences each year. Here are a few that are taking place in the next month or two:
php|tek
16 - 18 May
Chicago, Illinois
eLiberatica
18 - 19 May
Braşov, ...
A few readers have asked for my opinion regarding the recent fuss over a "new kind of web-based attack" that's being called JavaScript hijacking:
Security researchers have found what they say is an entirely new kind of web-based attack, and it only ta...
I'm a bit late for CSS Naked Day, but since I finally have a blog that respects web standards, strives for accessibility, and produces logically-ordered markup, I decided to give it a go.
What is CSS Naked Day?
The idea behind this event is to promot...
The April meeting of the Columbia PHP Meetup will feature Eli White, Digg's PHP guru:
For our April PHP meetup, Eli White of Digg will be giving an insider's tour of Digg, including what they're up to and how they're using PHP. We've got a great meeti...
Today I am revealing an exploitable security vulnerability in Amazon. Before I do, I want to provide some history and context.
On this day last year, I informed Amazon about a pretty serious vulnerability and demonstrated it with a few examples and a ...
One of the most common problems faced by web developers is allowing some HTML without creating XSS vulnerabilities in the process. This problem comes up more and more often due to the rise of social networking and other Web 2.0 properties that embolden...
I began my blog with a post entitled A New Beginning. For the first time since that post, the title seems appropriate again.
A few months ago, I decided to put more effort into my blog, starting (but not ending) with a new design. I'm very picky about...
I've been subscribed to the general PHP mailing list for many years. I used to be very active, answering hundreds of questions a month, but lately my participation has dropped. While scanning through my backlog of email earlier, one subject caught my e...
During the lightning talks at tonight's PHP Meetup, Andrew van der Stock (executive director of OWASP) announced the Spring of Code 2007, an effort that will distribute $100,000 to worthy projects, divided approximately as follows:
$20,000 for o...
I just created the Columbia PHP Meetup Group, something we have been wanting to do for a while. The inaugural meeting is going to be held at our headquarters on Mon, 05 Mar 2007:
For our first PHP meetup in Columbia, we're going to be hosting lightnin...
I've recently returned from a trip to Australia and New Zealand, during which I participated in Kiwi Foo Camp. Over the next few days, I plan to blog about some of the interesting discussions in an attempt to bring them to a larger audience.
One of my...
I'm subscribed to a lot of mailing lists - PHP, mod_perl, MySQL, web application security, etc. This week, there was an interesting conversation on the NYPHP mailing list - consulting rates.
It all started with an email from Edward Potter. He had prev...
I'm a perfectionist. As a web architect, I tend to obsess about URLs. I want them to be simple, user-friendly, and descriptive. I want them to be beautiful. I dislike underscores, file extensions, and superfluous characters. I hate the www subdomain, a...
I've been concentrating on work this past week, but I wanted to quickly mention the Adobe PDF XSS vulnerability discovered by Stefano Di Paola and Giorgio Fedon. This is being called UXSS (universal cross-site scripting) due to the fact that it can aff...
For the fourth consecutive year, I'm going to try to record my personal highlights from the previous year.
To get things started, here are a few memories from 2006 off the top of my head:
I had an amazing surprise 30th birthday party featuring ...