March 2010

PHP Security Guide & Checklist for Websites and Web Applications – Bottom Line for Every Good PHP Developer

It’s not easy to become a great PHP developer which may very well take years of training and practice, but this doesn’t mean you shouldn’t do your best to not be a bad one that undermines every project he’s involved in. Based on the project experiences of my team and some recent researches done on …

PHP Security Guide & Checklist for Websites and Web Applications – Bottom Line for Every Good PHP Developer Read More »

Web Application Security Books (PHP, MySQL, Apache), the Best at Amazon

Security may not make you but it sure can break you. As modern web applications become more and more complexed puzzles and filled with thousands of features catering to a spectrum of user preferences and tastes, the developers are burdened with ever-going responsibilities to keep them sound and safe. There are people (crackers) out there …

Web Application Security Books (PHP, MySQL, Apache), the Best at Amazon Read More »

Use Relative Protocol URL Address to Automatically Determine Web Address Protocol (HTTP or HTTPS)

Here’s a really interesting bit about how you can omit the protocol part of a web address in your web pages. The predominant belief is that an HTTP:// or an HTTPS:// has got to be prefixed to a URL or it won’t work, truth is, it will. Try the following link: Click Me! View the …

Use Relative Protocol URL Address to Automatically Determine Web Address Protocol (HTTP or HTTPS) Read More »

HTML: Make Content Editable in Element / Tags without JavaScript

It’s not well known but this feature was invented by Microsoft and has been implemented across all major modern browsers ever since IE 5.5. Adding an attribute of contenteditable and assign a value of “true” to it makes the content value / inner text of that element editable by a single click: <blockquote contenteditable="true">Click to …

HTML: Make Content Editable in Element / Tags without JavaScript Read More »

PHP: setcookie() with HttpOnly Option to Reduce XSS (Cross Site Scripting) Attacks by Preventing JavaScript from Reading Cookies

It may considerably reduce XSS attack possibilities if not completely eradicate it. XSS, or Cross Site Scripting, is probably the most common security problems in web applications that engage in heavy user input. If you’ve ever tried to build a web application that users can input data in a lot of different venues, chances are …

PHP: setcookie() with HttpOnly Option to Reduce XSS (Cross Site Scripting) Attacks by Preventing JavaScript from Reading Cookies Read More »

Just Hashing is Far from Enough for Storing Passwords – How to Position against Dictionary and Rainbow Table Attacks

It goes without saying that sensitive information such as passwords or pass phrases should never be stored in plain text in the database in the first place. The common practice is to hash the user password and store the resulted hash string. When the user tries to log in and supplies his password, it is …

Just Hashing is Far from Enough for Storing Passwords – How to Position against Dictionary and Rainbow Table Attacks Read More »

PHP: How to distinguish values in $_POST or $_GET that are sent via HTTP requests and those that are set / assigned in the code

To send parameters to a PHP script, you can either fabricate a form and post a few variables by the POST method or simply send a request of a URL full of GET value pairs. This way, in the server side PHP script code, you can retrieve these parameters sent from the client in $_POST …

PHP: How to distinguish values in $_POST or $_GET that are sent via HTTP requests and those that are set / assigned in the code Read More »

PHP: Check or Validate URL and Email Addresses – an Easier Way than Regular Expressions, the filter_var() Function

To check if a URL or an email address is valid, the common solution is regular expressions. For instance, to validate an email address in PHP, I would use: if (preg_match(‘|^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$|i’, $email)) { // $email is valid } A simpler and more forgiving one would be: |^\S+@\S+\.\S+$| Which is usually quite enough for signup forms …

PHP: Check or Validate URL and Email Addresses – an Easier Way than Regular Expressions, the filter_var() Function Read More »

PHP: How to detect / get the real client IP address of website visitors?

It may seem simple at first because most of us should be relying on the server side environmental variable REMOTE_ADDR solely for client IP addresses: echo $_SERVER[‘REMOTE_ADDR’]; Yet it’s barely enough to get the real IP for a variety of circumstances such as when the user is visiting your website from a proxy server. To …

PHP: How to detect / get the real client IP address of website visitors? Read More »

How to define multiple CSS rules / properties in jQuery?

The simplest way to define a CSS rule in jQuery might be: $(".sth").css("color", "#f00"); To define more than one CSS rule in a single jQuery line: $(".sth").css("color", "#f00").css("font-style", "italic").css("text-decoration", "underline"); Which simply doesn’t look that good, especially if you intend to add more. A better way to specify multiple CSS rules or properties with jQuery …

How to define multiple CSS rules / properties in jQuery? Read More »

It’s not your business, it’s who you are

With a Quantcast world traffic rank of less than 1000, Stack Overflow has become the most visited website for developers and software engineers. It doesn’t require a genius to figure out that the site is raking in tremendous advertisement revenues while the full potential of its monetizing capacity hasn’t been unleashed yet because the creators …

It’s not your business, it’s who you are Read More »

PayPal Account Access Limitation after Closing Browser Window and Opening It Again

If you were like me who accidentally closed the browser window of his PayPal account AND immediately tried to reopen it by typing in www.paypal.com in the browser address bar, chances are your PayPal account is instantly limited. It was really weird at first but soon it makes sense. This is to prevent session hijacking …

PayPal Account Access Limitation after Closing Browser Window and Opening It Again Read More »

Scroll to Top