preinheimer's Profile

About Me:

Last 10 Comments

1

The strip_tags() function, when combined with allowed tags, doesn't do much for you in terms of security. You would be able to do something like <b onClick="evil-stuff-here"> in a bold tag if it's allowed. Tag allowances allow for attributes, many of which are evil :(

Posted in /blog/2007/mar/allowing-html-and-preventing-xss.

Thu, 15 Mar 2007 at 13:56:03
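The behaviour described in the comment, shown in an added PHP example (this is not code from the comment or from the blog). The first part runs strip_tags() with an allow-list over a constructed input and keeps the event-handler attribute; the second part is an illustrative allow-list sanitizer of my own, built on DOMDocument, that keeps only whitelisted tag names and drops every attribute from them. It is an illustration of the defender-side approach, not a complete sanitizer; a maintained library such as HTML Purifier is what one would normally use to accept HTML.

```php
<?php
// Added example, not code from the original comment or blog post.
declare(strict_types=1);

// Constructed sample input: an allowed tag carrying an event handler,
// plus a script element that strip_tags() will remove.
$input = '<b onclick="alert(1)">hello</b> <script>alert(2)</script> <i>there</i>';

// strip_tags() with an allow-list drops the <script> tags but leaves
// <b onclick="..."> untouched: allowing a tag allows all of its attributes.
$naive = strip_tags($input, '<b><i>');

// Walk a parsed tree: keep allowed elements (with all attributes removed),
// drop script/style entirely, unwrap anything else so only its text survives.
function clean_node(DOMNode $node, array $allowed): void
{
    $children = [];
    foreach ($node->childNodes as $child) {
        $children[] = $child;          // copy first; we mutate the list below
    }
    foreach ($children as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, $allowed, true)) {
                // Allowed element: strip every attribute (the gap strip_tags() leaves).
                $names = [];
                foreach ($child->attributes as $attr) {
                    $names[] = $attr->name;
                }
                foreach ($names as $name) {
                    $child->removeAttribute($name);
                }
                clean_node($child, $allowed);
            } elseif ($tag === 'script' || $tag === 'style') {
                // Executable/style content: remove element and its text.
                $node->removeChild($child);
            } else {
                // Not allowed: keep its (cleaned) children, drop the tag itself.
                clean_node($child, $allowed);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
        } elseif (!($child instanceof DOMText)) {
            // Comments, processing instructions and the like are dropped.
            $node->removeChild($child);
        }
    }
}

// Hypothetical helper name: parse a fragment, clean it, serialize it back.
function sanitize_allowlist(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    // The XML PI forces UTF-8; the wrapper div gives the fragment one root.
    $doc->loadHTML(
        '<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_use_internal_errors($prev);

    $root = $doc->documentElement;              // the wrapper <div>
    clean_node($root, array_map('strtolower', $allowed));

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);         // text nodes are re-escaped here
    }
    return $out;
}

$allowed = ['b', 'i', 'em', 'strong', 'p'];
echo "strip_tags: ", $naive, PHP_EOL;
echo "allow-list: ", sanitize_allowlist($input, $allowed), PHP_EOL;
```

Because the sanitizer removes all attributes, it never has to reason about which attributes or URL schemes are safe; if a tag like <a> with href were added to the allow-list, the cleaner would also need a scheme check on that attribute, which is exactly the kind of detail a maintained sanitizer library handles.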


2

I'd like to see that level of integration between my browser and sites I've chosen to "trust". Sure, it's nice to see a colour-coded address bar, but what does it really mean to me? Having ambient changes indicate that I really am at a site I trust would help a lot. Take it beyond the site, bring the browser into the equation; that way, even if the site isn't doing it, the browser can still help.

Posted in /blog/2007/feb/ambient-signifiers.

Thu, 22 Feb 2007 at 21:26:01


3

I'm presently re-configuring my entire blog, with the new system launching with my new (far overdue) layout and theme.

I'm planning on working with a combination of systems, something like yours of year/month/title, but also a short URL of simply domain.com/ID. People give each other URLs in two fundamentally different ways, electronically and verbally. I want to support both.

Pretty URLs like the ones you're suggesting work really well electronically, but I've always had a hard time reading such URLs to other people; dashes, underscores, tildes, etc. just seem to cause confusion for the non-technical.

There are two difficulties as I see it: first, search engines don't like duplicate content at multiple URLs; second, how to give that duplicity of information to people in a consistent manner. I'm still working on this.

Posted in /blog/2007/jan/url-vanity.

Sat, 13 Jan 2007 at 19:35:42


4

That's it, distance yourself from the project without even reading it :p

I think our original editor's departure only confused the recognition issue.

Posted in /blog/2006/aug/web-apis-with-php.

Mon, 28 Aug 2006 at 21:47:15


5

Did you move?

Posted in /blog/2006/jul/omniti-seeks-junior-security-analyst.

Wed, 26 Jul 2006 at 14:53:14


6

I'm happy with your choice to stick to validating, rather than moving into escaping as well.

At present, I feel the methods involved in escaping data are pretty well understood: *_escape_string(), *_real_escape_string(), htmlentities() and such. It's validating data that I need help with :).

The only advantage I can see to moving some level of escaping into the framework is in terms of keeping up with new threats as they are discovered, since, presumably, updating the Zend Framework will be easier than finding my own use of the appropriate escaping functions in all my code. I could, however, replicate that functionality myself by using a single library for all my projects.

Posted in /blog/2006/mar/zend-filter-reviewed-on-sitepoint.

Wed, 29 Mar 2006 at 12:26:32


8

While the token is an excellent method, it isn't foolproof. IIRC the MySpace worm first retrieved a page to locate and store the token, then sent it back with the data it was attempting to propagate.

Posted in /blog/2006/mar/php-architect-march-2006-edition.

Tue, 21 Mar 2006 at 11:28:00


9

This would be much easier if Opera & Firefox didn't block attempts to use XMLHttpRequest open like that:

Error: uncaught exception: Permission denied to call method XMLHttpRequest.open

Inline script thread

Error:

name: Error

message: Security violation

Posted in /blog/2006/mar/php-architect-march-2006-edition.

Mon, 20 Mar 2006 at 19:52:12


10

I'd love to come down for the New York PHP conference, but I've got a wedding in Spain to attend that week.

I've thought about submitting a proposal for OSCON, but even after the talks I've already given or will give before then, OSCON seems a little more intimidating than the places I've been.

Posted in /blog/2006/feb/oscon-and-nyphpcon-call-for-papers.

Sat, 11 Feb 2006 at 00:05:34


Stats

  • Member Since: 05 Oct 2004
  • Comments: 15

Web Site

preinheimer.com/open...yID.php

Blog Posts


Work and Books

  • Analog
  • Essential PHP Security
  • HTTP Developer's Handbook