Community

The community grew out of a desire to give readers some extra features as a thank you for their contributions. Join us to syndicate your own blog on the front page, display your comment history and blog posts via your profile, and reserve your name.

Latest Comments

1. Ash Searle said:

It might be worth changing your example code from using htmlentities to htmlspecialchars.

Running text through htmlentities often leads to problems when content ends up in XML feeds where html-entities mean nothing.

I was going to mention some examples like eacute; etc. (i.e. accent characters in European languages); sadly, I can't figure out how to get an ampersand past your filter...

Posted In Allowing HTML and Preventing XSS.

Sat, 05 Jul 2008 at 13:53:51 GMT


2. Chris Shiflett said:

Hi Steve,

According to the NYT Manual of Style and Usage, it's push-up:

Most but not all compounds formed with push are one word: push button (n.), push-button (adj.), pushcart, pushover, pushpin, push-up (n.), push up (v.).

I have seen examples of all three in various places, but I decided to go with the NYT and use push-up. :-)

Posted In Miscellaneous.

Fri, 04 Jul 2008 at 16:52:01 GMT


3. steve said:

so, is it push up, pushup or push-up?

just curious...

--steve

--www.hundredpushups.com

Posted In Miscellaneous.

Fri, 04 Jul 2008 at 10:19:28 GMT


4. Walter Lawless said:

It's sad to think that even now, nearly 4 years after this was originally written, there are still thousands of developers who don't even consider these simple tools for security...

Posted In .

Thu, 03 Jul 2008 at 12:59:37 GMT


5. Asanka Dewage said:

I've been a Mac user for over a year now and I didn't know about the [say] command! What a nifty little thing..

You got to love PHP after that song :-)

Posted In Miscellaneous.

Wed, 02 Jul 2008 at 12:05:29 GMT


6. Marcin C said:

Hi Chris,

First of all, great article and discussion.

I'm a fresh graduate, so I have a somewhat different point of view regarding knowing the history behind coding skills.

I have a very pragmatic way of doing things, and for me this thing with history keeps repeating. Almost always, more or less in the middle of the process (learning a new coding language or other tech), I start asking myself these historical questions:

why this tech was created?

what was initially the problem?

who was the guy that solved it?

what was his background?

And I end up knowing pretty well the maturing process of this technology. Now, this gives a very nice perspective on the tech industry which you probably cannot achieve while only coding. Knowing tech history is also a key to innovation. If you look at the problems that technologies were solving in the past, you could probably construct a better solution these days. Many people simply don't care, because they lack this historical perspective and focus on 'earning money from coding efficiently'.

My personal opinion is that this knowledge is not necessary in the interview process, but it might be helpful for assessing one's larger, local perspective and hence the problems that this person may solve at work.

Saludos

Marcin

Posted In Who Created PHP?.

Wed, 02 Jul 2008 at 06:54:08 GMT


7. Daniel Cousineau said:

That was a fun time, wasn't it Andrew?

Posted In Miscellaneous.

Tue, 01 Jul 2008 at 18:34:22 GMT


8. Andrew Ellis said:

I remember my first experience with T_PAAMAYIM_NEKUDOTAYIM. Probably the best PHP error in existence.

Posted In Miscellaneous.

Tue, 01 Jul 2008 at 15:11:16 GMT


9. Joseph Crawford said:

Wow Chris that was too much.. I love the anthem haha.

Posted In Miscellaneous.

Tue, 01 Jul 2008 at 14:43:38 GMT


10. Sebastian Nielsen said:

I think it's a bad idea to re-require the password when the user is already authenticated.

A better method to prevent CSRF is to provide a token, both a hidden one and a visible one. The visible token could be a CAPTCHA image and the user has to CAPTCHA-authenticate. Since a JavaScript or a piece of software cannot solve a CAPTCHA, both XSS and CSRF are prevented.

And lock your tokens to IP number, and you have prevented most of the XSS attacks too.

Posted In Foiling Cross-Site Attacks.

Mon, 30 Jun 2008 at 17:31:31 GMT

