Wil Moore’s profile

Hi, I write software, love God and my family. Passion for sports, scalable architecture, testable code, relentless quality, and aesthetic design.

Latest Comments

1

I had been hearing for days that the Rails issue was similar to PHP register_globals; however, the two issues are fairly exclusive.

See the post by Vance as his example is spot on.

http://shiflett.org/blog/2012/mar/h...ithub#comment-8

Something like this:

$post->data($_POST['post']);
$success = $post->save();

Is indeed used in many PHP frameworks; however, I should add that the more respectable frameworks will also promote filtering (normalization) and validation of the data from the $_POST superglobal.

Once validated, the filtered hash of values would be passed to the model...never the raw values. This is essentially your whitelist. Any (full-stack) framework that doesn't promote that type of security out of the box is a framework you can easily dismiss.

If you are using a micro-framework that doesn't concern itself with any of this, that is fine, but just know what you are doing because you need to implement those security features yourself.

One liner to whitelist your parameters:

// $whitelist is an array of keys to accept
$params = array_intersect_key($_POST, array_flip($whitelist));

Keep in mind that the above code is just a whitelist. You still need to filter (normalize) and validate.

BTW, I love many of the concepts behind Rails, but this recent issue is yet another reminder of why I don't use it in production. Not trying to disrespect anyone that does (I've seen some pretty cool Rails deployments), but it just doesn't work for me.

If you want to get into Ruby and are looking for a sweet web combination, check out Sinatra (based on Rack) + Data Mapper (version 2.0 is in the works and is looking awesome).

Posted in Hacking Rails (and GitHub).

Thu, 22 Mar 2012 at 04:18:33 GMT
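As an added example (not part of Wil's comment), the whitelist, filter, validate sequence he describes, carried through in PHP; the $request payload, $whitelist and the normalizeFields/validateFields helpers are constructed for illustration and are not from any framework.

```php
<?php
// Added example (not from the original comment): whitelist, then
// filter (normalize), then validate, before any value reaches a model.
// $request, $whitelist, normalizeFields and validateFields are assumptions.

// Constructed payload standing in for $_POST['post']. The extra
// 'is_admin' key is the kind of field a form never legitimately sends.
$request = array(
    'title'    => '  Hello World  ',
    'body'     => "Some text\r\nmore text",
    'is_admin' => '1',
);

// Keys the form legitimately submits: this is the whitelist.
$whitelist = array('title', 'body');
// Step 1: whitelist. Every key not in $whitelist is dropped.
$params = array_intersect_key($request, array_flip($whitelist));

// Step 2: filter (normalize). Trim whitespace and unify line endings.
function normalizeFields(array $params)
{
    foreach ($params as $key => $value) {
        if (is_string($value)) {
            $params[$key] = str_replace(array("\r\n", "\r"), "\n", trim($value));
        }
    }
    return $params;
}

// Step 3: validate. Returns error messages; an empty array means valid.
function validateFields(array $params)
{
    $errors = array();
    if (!isset($params['title']) || $params['title'] === '' || strlen($params['title']) > 120) {
        $errors[] = 'title is required and must be at most 120 characters';
    }
    if (!isset($params['body']) || $params['body'] === '') {
        $errors[] = 'body is required';
    }
    return $errors;
}

$params = normalizeFields($params);
$errors = validateFields($params);

if ($errors) {
    var_dump($errors); // reject; never fall back to the raw superglobal
} else {
    var_dump($params); // only these values would be handed to $post->data()
}
```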


2

I personally prefer the following which is quite readable in my opinion and should scale well also:

<?php

$users[] = array('username' => 'shiflett',  'name' => 'Chris Shiflett');
$users[] = array('username' => 'dotjay',    'name' => 'Jon Gibbins');
$users[] = array('username' => 'a',         'name' => 'Andrei Zmievski');

array_multisort(array_map(function($user){
    return $user['username'];
}, $users), SORT_ASC, $users);

var_dump($users);

Also, this way, there is only one global variable floating around (vs. the foreach since PHP has no block scope).

Posted in Sorting Multi-Dimensional Arrays in PHP.

Sun, 03 Jul 2011 at 06:23:34 GMT


About

  • Twitter: @wilmoore
  • Location: Denver/Boulder
  • Joined: July 2011
  • Comments: 2