It’s not easy to become a great PHP developer; that takes years of training and practice. But you should certainly do your best not to be a bad one who undermines every project he’s involved in. Based on my past project experience and some recent research into PHP security issues, I have come up with a list of things you should know and do in your PHP code to achieve this goal. A few of them may be subjective and opinionated, but most of them are security bottom lines that every self-described good PHP developer must adhere to.

Security may not make you, but it sure can break you. As modern web applications become ever more complex puzzles, filled with thousands of features catering to a spectrum of user preferences and tastes, developers are burdened with ever-growing responsibilities to keep them sound and safe. There are people (crackers) out there who are trying to make a name for themselves by breaking into your backyard, or otherwise messing around in any way possible to make your day interesting. Your application or website is potentially vulnerable simply by being online, and anyone, including innocent users, can mess things up if it is designed without security awareness. These web security books are hand-picked from Amazon and will give you a strong start on building secure websites and applications and avoiding being hacked. They are both new (published no more than 5 years ago) and well received (rated no less than 4/5 by readers).

Here’s a really interesting bit about how you can omit the protocol part of a web address in your web pages. The predominant belief is that an HTTP:// or an HTTPS:// has to be prefixed to a URL or it won’t work; the truth is, it will. Try the following link:

It’s not well known, but this feature was invented by Microsoft and has been implemented across all major modern browsers ever since IE 5.5. Adding a contenteditable attribute with a value of “true” to an element makes the content (inner text) of that element editable with a single click:

It may considerably reduce the possibility of XSS attacks, if not completely eradicate them. XSS, or Cross Site Scripting, is probably the most common security problem in web applications that take in heavy user input. If you’ve ever tried to build a web application where users can input data in many different places, chances are it has a security hole somewhere that allows XSS attacks. Don’t panic though. Even the most sophisticated web applications developed by the best programmers, such as vBulletin and WordPress, release patches from time to time to fix XSS holes.

It goes without saying that sensitive information such as passwords or pass phrases should never be stored in plain text in the database in the first place. The common practice is to hash the user’s password and store the resulting hash string. When the user tries to log in and supplies his password, it is used to generate a hash string that is compared to the one stored in the database. If they are identical, the password matches and the user is authenticated, because the chance of 2 distinct strings having the same hash string is so low that it’s deemed mathematically impossible.

To send parameters to a PHP script, you can either build a form and post a few variables by the POST method, or simply request a URL full of GET key-value pairs. Either way, on the server side the PHP script can retrieve the parameters sent by the client from $_POST or $_GET. The trick is that, besides receiving values from client requests, you can manually assign values to them in your code. For example:

To check if a URL or an email address is valid, the common solution is regular expressions. For instance, to validate an email address in PHP, I would use:

It may seem simple at first, since most of us rely solely on the server-side environment variable REMOTE_ADDR for client IP addresses:

The simplest way to define a CSS rule in jQuery might be:

With a Quantcast world traffic rank of less than 1000, Stack Overflow has become the most visited website for developers and software engineers. It doesn’t take a genius to figure out that the site is raking in tremendous advertising revenue, while the full potential of its monetizing capacity hasn’t been unleashed yet because the creators decided that user experience takes a much higher priority.

If, like me, you accidentally closed the browser window of your PayPal account AND immediately tried to reopen it by typing www.paypal.com into the browser address bar, chances are your PayPal account was instantly limited.

A quick post to share with my readers some interesting findings regarding email marketing. Outlined in the ninth bi-annual Email Marketing Metrics Report by MailerMailer, the data are based on 300,000 email messages dispatched over a period of 6 months that ended on December 31, 2008. Here are some key statistical findings from the report that can be used to optimize your email marketing campaigns and improve their results.

The maximum PHP file upload size is determined by 3 configuration values in php.ini, namely upload_max_filesize, post_max_size and memory_limit. You can get the maximum file size allowed for uploads with this snippet:

While you can always use .htaccess and the mod_rewrite module to map SEO-friendly URLs to the actual parameterized PHP URLs with question marks and ampersands, you can instead simply put these lines in .htaccess and then rely entirely on PHP to recognize and handle all incoming URL requests of any kind or form:
