Ben Ramsey’s profile

I’m a web craftsman, author, and speaker. I enjoy APIs, open source software, organizing user groups, good beer, and spending time with my family.

Latest Comments


Is there a broken content negotiation example somewhere that everyone is using?

I've been playing around with the mimeparse library and converting it to use Composer, as well as conform to PSR standards. See: (shameless plug)

After re-reading your post, I decided to give this a try, using your second Accept line (with the quality parameter on application/json):

$accept = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8,application/json;q=0.0';
$quality = \Bitworking\Mimeparse::quality('application/json', $accept);

Oddly enough, $quality comes out as the value 1, rather than 0, as one would expect.


This library has been around for a while; has versions in Python, Ruby, Erlang, Java, JavaScript, and PHP; and I suspect it is either widely used or widely imitated. I went back to the HTTP spec to see if a value of 0 or 0.0 is considered invalid or undefined, and it's clearly not (from RFC 2616, section 3.9):

A weight is normalized to a real number in the range 0 through 1, where 0 is the minimum and 1 the maximum value. If a parameter has a quality value of 0, then content with this parameter is `not acceptable' for the client.

This is clearly a bug in the library, which is also in my version of the library right now, until I fix it (or get a pull request). :-)

Posted in The Accept Header.

Tue, 17 Jul 2012 at 01:21:36 GMT


I'm sincerely happy for you all, and I wish you the best! It makes me happy to see good friends doing good work, and I know the work you produce will be great. I know it may sound odd to say, but I'm proud to see you putting this into action and making it work. May 2010 be a prosperous year!

Posted in Hello, Analog.

Fri, 01 Jan 2010 at 01:51:21 GMT


Leslie, while I agree that there needs to be a hint in the mark-up because this will give user agents the ability to present the short URL in a special way to the user (if desired), most of the popular blogging software are written in either PHP, Python, or Ruby, and each of these languages has the ability to set HTTP headers at the language level, so your host most likely has support for setting custom headers.

Posted in A rev="canonical" HTTP Header.

Mon, 13 Apr 2009 at 16:21:20 GMT


I meant to include this in my previous comment, but following your example, you could also do something like the following:

Link: <>; rel="alternate shorter"; title="Short URL for Post"

While reading the RFC for Link, I found it interesting to note that it states:

Applications that don't merit a registered relation type may use an extension relation type. An extension relation type is a URI that, when dereferenced, SHOULD yield a document describing that relation type.

So, if using the Link header with either rel or rev, until either "canonical" or "shorter" are accepted as registered IANA relation types, then, according to spec, the Link header syntax should be something like the following:

Link: <>; rev=""

Posted in A rev="canonical" HTTP Header.

Sun, 12 Apr 2009 at 05:12:43 GMT


Yep. Looks like Link is still in the Internet-Draft stage, but it's current, which is a good thing.

My preference would to see Link used for this rather than introducing X-Rev-Canonical. The Link header is extensible, provides the full benefit of HTML link tags in an HTTP header, and is already well-defined.

Posted in A rev="canonical" HTTP Header.

Sun, 12 Apr 2009 at 04:57:10 GMT


I have a rebuttal on the usage of rev="canonical" that I've posted on my own blog here:

Posted in Save the Internet with rev="canonical".

Sat, 11 Apr 2009 at 04:27:30 GMT


[Cal Evans] has become the personification of Zend that the PHP community considers one of our own. [...] So, it occurred to me that not only would ZendCon not be the same without Cal, neither would Zend.

I couldn't have said it better. I've long been wanting to write a post about how much I appreciate Cal's involvement and dedication to the community. Cal makes the community feel like they are important to Zend. I think Cal was one of Zend's smartest hires.

Posted in ZendCon.

Mon, 22 Sep 2008 at 02:06:24 GMT


Very nice and much more full-featured that myopenid. I've made the switch. Thanks, Chris!

Posted in OpenID with myVidoop.

Tue, 06 May 2008 at 15:07:50 GMT


Tim, I did ponder it for a while, but I didn't have a specific resource to which I could point people. I could have pointed people to the website, but the project is currently a bit dormant (and I accept most of the fault for that) and doesn't yet provide a directory or map of user groups. While the one place that does provide a directory,, doesn't attempt to verify any of its listings or purge inactive or non-existent groups. Finally, the one place many people do use to find user groups is, but I've long had a beef with the Meetup model. In my opinion, it doesn't really suit a typical user group model. Plus, they changed their business model mid-swing, requiring all user groups to pay for the service.

So, the PHP user group bullet was to fall in the Connecting with the Community section, but, as far as finding a good, active, and valuable user group to participate in, I can't offer a great resource, but I can say this: if you find a PHP user group in your local area, give back to the community by getting involved and making it better!

Posted in PHP Advent Calendar Day 11.

Thu, 13 Dec 2007 at 02:30:56 GMT


To explicitly set the charset in your Content-Type header for all PHP pages, make sure the following is set in your php.ini file:

default_charset = "UTF-8"

... or whatever character set you wish to use. This will eliminate the need to set a header() from your application, and it will ensure that the Content-Type headers sent look something like this:

Content-Type: text/html; charset=UTF-8

Are there any implications in having the character encoding explicitly set to UTF-8? Also, if the question is elementary, can I cite being a webappsec-impaired designer in mitigation?

Not an elementary question. I think sometimes the use of UTF-8 confuses people into thinking it's being used as a security measure. The use of UTF-8 isn't for security purposes. You could just as well set your charset to ISO-8859-1. The point from a security standpoint is to escape your output in the same encoding in which your pages are being sent to the client. This means that you should explicitly set the charset in the Content-Type header and specify the same charset in htmlentities()/htmlspecialchars().

Using UTF-8 as your charset simply means you can support the display of multibyte characters in the content you send to the browser. If your charset is set to ISO-8859-1, for example, and you try to send a unicode character to the browser, it will render funny.

Posted in Character Encoding and XSS.

Wed, 13 Jun 2007 at 02:10:35 GMT


  • Twitter: @ramsey
  • Location: Nashville, TN
  • Joined: September 2004
  • Comments: 39