Escaping and sanitizing user input in PHP

Posted on July 23, 2010

I recently answered a question on Quora, a question-and-answer website that I frequent. The poster asked “what are best practices for escaping or sanitizing user input in PHP?” People seemed to appreciate the answer I wrote, so I’ll post it here and elaborate on it a bit more.

Why is it important to sanitize user input?

If you’re not careful with user input, your website might be open to code injection (SQL injection, cross-site scripting), directory traversal or similar attacks. Information supplied by users can never be assumed safe, and the safe way to handle it depends on where it ends up: a value that is harmless in an HTML page may still break an SQL query or a file path.

Examples of user input are submitted forms (e.g. comments), URL parameters (?q=example) and server-side scripts pulling in third-party data, such as an RSS feed importer.
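The following is an added example, not code from the original post: it handles the three kinds of input listed above (a form field, a URL parameter and a third-party XML feed) and shows that “sanitizing” means validating on the way in and escaping on the way out with the routine that matches the output context. The function names, the `comments` table and the upload directory are illustrative assumptions; the demo at the bottom uses an in-memory SQLite database (the `pdo_sqlite` extension) so it runs offline, but the same PDO calls work against MySQL.

```php
<?php
// Added example, not code from the original post: validate on the way in and
// escape on the way out with the routine that matches the output context.
// Function, table and directory names here are illustrative assumptions.
declare(strict_types=1);

// HTML context: neutralise <, >, &, " and ' so user text cannot break out of
// the markup (blocks cross-site scripting). Always name the charset.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: do not escape into the query string; bind the value so the
// database receives structure and data separately (blocks SQL injection).
function findComments(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Filesystem context: accept only a plain filename, then confirm the resolved
// path is still inside the intended directory (blocks directory traversal
// such as ?file=../../etc/passwd). Returns null when the request is refused.
function resolveUpload(string $baseDir, string $requested): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Numeric URL parameter: validate and convert rather than "clean" it.
function pageNumber(array $query): int
{
    $page = filter_var($query['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    return $page === false ? 1 : $page;
}

// Third-party data such as an RSS feed is user input too: parse it without
// network access and escape the strings like any other untrusted input.
function feedTitles(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET stops the parser fetching remote resources; external
    // entities are not expanded because LIBXML_NOENT is not passed.
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        return [];
    }
    $titles = [];
    foreach ($doc->getElementsByTagName('title') as $node) {
        $titles[] = escapeHtml($node->textContent);
    }
    return $titles;
}

// Constructed demo input (not real traffic).
echo escapeHtml('<script>alert(document.cookie)</script>'), PHP_EOL;
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;
var_dump(resolveUpload(__DIR__, '../../etc/passwd'));           // NULL
echo pageNumber(['page' => '3; DROP TABLE comments']), PHP_EOL;  // 1
// The feed's own entities decode to <b>bold</b>, which must be escaped again:
print_r(feedTitles('<rss><channel><item><title>&lt;b&gt;bold&lt;/b&gt;</title></item></channel></rss>'));

// Requires the pdo_sqlite extension; the same PDO calls work against MySQL.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
$db->exec("INSERT INTO comments (author, body) VALUES ('alice', 'hi')");
var_dump(findComments($db, "alice' OR '1'='1")); // array(0) {}: the quote is data, not SQL
```

Note that there is no single “sanitize” function in this code: the HTML escaper is useless against SQL injection, the prepared statement does nothing for a file path, and the feed titles have to be escaped even though they came from a server-side fetch rather than a browser.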

Read more…

Install Firefox 3.6 add-ons in Firefox 4 beta, disable compatibility check

Posted on June 30, 2010

Firefox 4 beta is available. I installed the 64-bit version on Linux today; it’s notably faster than previous versions and includes several other improvements, such as tabs on top. Now I don’t want to go back to 3.6.

As usual, the only thing holding me back from upgrading is add-on compatibility. Luckily it’s possible to disable the compatibility check so Firefox 4 will let you install add-ons built for older versions. I found that many add-ons work just fine in Firefox 4.

Disable compatibility check

If you’re willing to take your chances, navigate to about:config in your browser, promise not to break anything, right-click in the preference list and add a new boolean. In the preference name field, enter extensions.checkCompatibility.4.0b and set the value to false. Firefox will now let you install any add-on.

If anything breaks, try disabling add-ons or delete them completely. You can always go back to 3.6 if nothing works, and wait for a new stable release.

I’ve tested it with AdBlock Plus, Firebug, Flashblock and Wappalyzer.

Launching reversegif.com

Posted on June 06, 2010

Animated GIFs are better in reverse. For me this was reason enough to spend a weekend coding and avoid doing anything useful. I created a simple service where you can upload animated GIF images and it will reverse them. To my surprise the domain name reversegif.com was still available so I quickly grabbed it and today I put the website up.

A few examples:

Enjoy!

How to store passwords safely with PHP and MySQL

Posted on January 31, 2010

First, let me tell you how not to store passwords and why.

Do not store passwords as plain text

This should be obvious. If someone gains access to your database then all user accounts are compromised. And not only that, people tend to use the same password on different sites so those accounts will be compromised as well. Your site doesn’t even need to be hacked; a system administrator could easily browse your database.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea, but the process is reversible. Anyone with access to your code, and therefore to the key, would have no trouble transforming the passwords back to their originals. Security through obscurity is not sufficient!
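As an added example (not the original post’s code, and not a reproduction of its recommendation, which is behind the “Read more” link): the approach a practitioner would use today is a slow, salted, one-way hash via PHP’s `password_hash()` and `password_verify()`, which exist since PHP 5.5. The `users` table, column names and the demo credentials are assumptions; the demo runs against an in-memory SQLite database through PDO so it works offline, and the same calls work against MySQL.

```php
<?php
// Added example, not code from the original post: store a salted, slow,
// one-way hash of the password instead of the password or an encrypted copy.
// Requires PHP 5.5+ (password_hash); table and column names are assumptions.
declare(strict_types=1);

// Assumed MySQL schema:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       username VARCHAR(64) NOT NULL UNIQUE,
//                       password_hash VARCHAR(255) NOT NULL);
// VARCHAR(255) leaves room for the hash to grow when algorithm or cost change.

const PASSWORD_OPTIONS = ['cost' => 12]; // bcrypt work factor; raise it as hardware speeds up

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() draws a random salt and embeds algorithm, cost and salt
    // in the result ("$2y$12$..."), so nothing secret has to live in the code.
    $hash = password_hash($password, PASSWORD_BCRYPT, PASSWORD_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    // A hash to verify against when the user does not exist, so an unknown
    // username takes as long to reject as a wrong password (no user enumeration).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, PASSWORD_OPTIONS);
    }

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    // password_verify() reads salt and cost from the stored hash and compares
    // the result in constant time.
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost or algorithm; this is
    // the only moment the plaintext is available to rehash.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, PASSWORD_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_BCRYPT, PASSWORD_OPTIONS),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

// Constructed demo (needs the pdo_sqlite extension; MySQL works the same way).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, password_hash TEXT)');
registerUser($db, 'alice', 'correct horse battery staple');

var_dump(loginUser($db, 'alice', 'correct horse battery staple')); // bool(true)
var_dump(loginUser($db, 'alice', 'Correct horse battery staple')); // bool(false)
var_dump(loginUser($db, 'mallory', 'anything'));                  // bool(false)

// What the database actually holds: a different string on every registration,
// and useless to an attacker (or a curious administrator) without the password.
echo $db->query('SELECT password_hash FROM users')->fetchColumn(), PHP_EOL;
```

This addresses all three points above at once: the stored value is not the password, it is not reversible because there is no key, and nothing in it was invented here; bcrypt and its salting are handled by the PHP runtime.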

Read more…

Swiftlet 1.1 Stable

Posted on January 05, 2010

I released a new stable version of Swiftlet a few days ago together with a new web page at swiftlet.org. Swiftlet is a light-weight framework written in PHP aimed to make website development faster and easier.

Version 1.1 comes with a few new plugins that bring CMS-like features to Swiftlet. See the changelog for the full list of changes.

The documentation has also been updated and can now be found at swiftlet.org/docs. If you need support or have any requests, feel free to start a thread at swiftlet.org/community.

Safer web forms with security tokens

Posted on November 15, 2009

A common issue with many web applications is their vulnerability to Cross-Site Request Forgery, or XSRF. It allows an attacker to send a malicious request to a website with another user’s privileges. Here’s how it works:

  • A hacker creates a page with a form that submits data to example.com.
  • An administrator from example.com is tricked into visiting the page, and the form is submitted automatically using JavaScript.
  • The data is handled by example.com as if it came from the administrator (because it did).

This allows a hacker to perform administrative tasks on example.com like editing pages or deleting users.
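The defence the post’s title refers to is a security token the attacker’s page cannot know. The following is an added example (not the post’s own code) of one way to implement it in PHP: a random per-session token is embedded in every state-changing form and compared on submission. It assumes PHP 7.3+ (`random_bytes`, `hash_equals`, the array form of `session_set_cookie_params`); the form field name `csrf_token`, the `/admin/delete-user` action and user id 42 are illustrative.

```php
<?php
// Added example, not code from the original post: a per-session anti-CSRF
// token. Needs PHP 7.3+ (random_bytes, hash_equals, array-form
// session_set_cookie_params); form field and action names are assumptions.
declare(strict_types=1);

// Defence in depth: a SameSite cookie is not sent along with cross-site POSTs
// at all, so the attacker's form arrives without the administrator's session.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Return this session's token, creating it on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded so it is safe in an attribute.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside every form that changes state.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the submitted token matches the one in the session.
// hash_equals() compares in constant time, so the token cannot be recovered
// byte by byte from response timing, and it never type-juggles like ==.
function csrfTokenValid(array $post, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return is_string($expected) && is_string($given) && $expected !== ''
        && hash_equals($expected, $given);
}

// Only POST may change state: a GET triggered by an <img src> or a link on the
// attacker's page must never delete anything.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing security token.');
    }
    // ... perform the administrative action (e.g. delete user 42) here ...
    exit('Done.');
}

// Render the form. The attacker's page cannot read this response and copy the
// token out of it: the same-origin policy keeps example.com's pages away from
// scripts running on the attacker's domain, which is exactly what the token relies on.
echo '<form method="post" action="/admin/delete-user">', PHP_EOL,
     '  ', csrfField(), PHP_EOL,
     '  <input type="hidden" name="user_id" value="42">', PHP_EOL,
     '  <button type="submit">Delete user</button>', PHP_EOL,
     '</form>', PHP_EOL;
```

The check can be exercised without a browser: `csrfTokenValid(['csrf_token' => 'abc'], ['csrf_token' => 'abc'])` returns true, while a missing, empty or different field returns false. A token per session is the simplest variant; a token per form or per request is stricter but breaks the back button and multiple tabs, and the token must never travel in the URL, where it would leak through the Referer header.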

Read more…

Using Internet Explorer 8 for IE6 and IE7 testing

Posted on October 02, 2009

I personally don’t care what my websites look like in IE6 or 7 (or 8), but for those who do there is a neat little trick to test your site for these browsers.

The hard way

If you’re on Windows XP or older, you can use a standalone version of IE6. If you’re on Windows 7 (not the beta, though), you can use Microsoft’s free “IE Application Compatibility VPC Image” to run XP with IE6 or 7 in a virtual machine. If you’re on any other operating system (Windows Vista, Mac OS, Linux) and have a Windows XP license, you can run it in a VM such as VirtualBox.

The easy way

If you’re already running IE8 there is an easier way. Compatibility View will render pages as IE7 would, and a missing doctype will cause pages to be rendered in quirks mode, which approximates IE6. It is an approximation, not a substitute for a real IE6 install: the two engines do not share every rendering bug.

You can simply remove the doctype from your pages when you’re testing for IE6 or ― if you’re using PHP ― add a simple switch:

<?php if ( !isset($_GET['ie6']) ): ?>
<?php // Emit the doctype normally; leave it out when ?ie6 is in the URL so IE8 falls back to quirks mode ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<?php endif ?>

Now you can simply add “?ie6” to the URL in IE8 to see what your page looks like in IE6. You can even keep several tabs open to make sure it works with all versions.

Swiftlet documentation update

Posted on July 24, 2009

The documentation for Swiftlet 1.0, a light-weight PHP framework I’ve been working on, is now pretty much complete.

I’ve already begun working on Swiftlet 1.1 which is now in Alpha (unstable and not suited for live environments).

Automated direct messages on Twitter

Posted on July 06, 2009

I’m a bit over the amount of spam I receive through Twitter’s messaging system. I get a fair number of direct messages every day and most of them are automated. I do read them all in case someone sends me a genuine message.

It shouldn’t be too hard for Twitter to detect automated messages; they could give me an option to block messages that have been sent out more than ten times by a single user. (I could create an application to do this myself, but I simply don’t have the bandwidth to handle that many messages; it would need thousands of active users to be effective.)

Instead, I created a Twitter app to report users who send automated DMs. Just tweet “@stopautodm @username” and they will be placed on the Hall of Shame. Perhaps at some point I could add an option to automatically unfollow the most reported users.

Website: elbertf.com/stopautodm
Twitter: @stopautodm

IE6ify Bookmarklet

Posted on June 26, 2009

Today I created yet another utterly useless (but hopefully mildly entertaining) application: IE6ify.

It’s a bookmarklet that brings the joy of browsing the web with Microsoft Internet Explorer 6 to modern browsers. For almost a decade IE6 has managed to intrigue me by breaking standards-compliant websites in the most unpredictable ways. Whatever you did to fix a problem only made things worse, like an ugly dragon that grows two heads every time you cut one off.

Since it’s not possible to run IE6 natively on Windows Vista or 7, and running IE6 under Wine on Linux is a nightmare, I figured a lot of you would miss the old days. With IE6ify you can break any website in true IE6 fashion.

Website: elbertf.com/ie6ify.
