Swiftlet 3.0

Posted on January 26, 2012

Three years ago I released an early version of Swiftlet, a light-weight PHP framework built for speed and security. Over time, however, a lot of functionality was added and the project started to suffer from feature creep. My original intention of creating a maintainable framework that was easy to pick up got a bit lost.

Last Sunday I had a spur of inspiration and decided to start over. With a slightly different vision, a better understanding of MVC and experience gained with the project I managed to finish it the same day. The result is about 150kB of code including documentation.

If you’re unfamiliar with the model-view-controller approach to programming, Swiftlet might be a good starting point. The code is quite simple and hopefully the documentation makes the concept understandable.

Source code

Swiftlet on GitHub

Swiftlet is released under the GNU Public License.

Free transform plugin for Raphaël JS

Posted on December 04, 2011

After doing some research for work involving client-side image manipulation I decided to dive into Raphaël, a JavaScript library that simplifies working with vector graphics on the web.

One thing I struggled with was applying multiple transformations to an element. When rotating an object, the coordinate plane rotates with it, which means dragging no longer works as one might expect (e.g. right becomes up). Raphaël’s creator Dmitri Baranovskiy indicated this is the correct behavior.

I worked out a solution and released it as a plugin. It supports snap-to-grid dragging, scaling and rotating and handles sets. Like Raphaël itself, the plugin is licensed under the MIT license.

Source code

Raphaël.FreeTransform on GitHub

Demo

elbertf.com/raphael/free_transform/

See also…

These are a couple of other plugins I created recently.

Raphaël.JSON

Serialize Raphaël elements and back.

Raphaël.Export

Cross-browser solution to export Raphaël elements to SVG; works in Internet Explorer 6, 7 and 8. Can be used to convert Raphaël drawings to PNG or PDF server-side using ImageMagick or Batik.

Resolve scoping issues in jQuery with anonymous functions

Posted on May 21, 2011

I had a bit of a head-scratching moment recently when I was using jQuery to bind event handlers to elements in a loop. Usually I would just use jQuery’s .each() method but in this specific case that wasn’t an option. Consider the following (simplified) code:

<ul>
	<li id="item-1">Item 1</li>
	<li id="item-2">Item 2</li>
	<li id="item-3">Item 3</li>
</ul>
 
<script type="text/javascript">
	for ( var i = 1; i <= 3; i ++ ) {
		$('#item-' + i).click(function() {
			alert('You clicked item ' + i);
		});
	}
</script>

Against my intuition, clicking any of the three li elements would return “You clicked item 4”. I then realized that i was being read after the for-loop had finished, by which time it had been incremented to 4. To solve this, wrap the function in another anonymous function, passing i as an argument:

<ul>
	<li id="item-1">Item 1</li>
	<li id="item-2">Item 2</li>
	<li id="item-3">Item 3</li>
</ul>
 
<script type="text/javascript">
	for ( var i = 1; i <= 3; i ++ ) {
		(function(i) {
			$('#item-' + i).click(function() {
				alert('You clicked item ' + i);
			});
		}(i));
	}
</script>

This way the inner i is a parameter of the wrapping function, so each click handler gets its own copy of the value in the same scope as the alert() call and now reports the correct item.

Escaping and sanitizing user input in PHP

Posted on July 23, 2010

I recently answered a question on Quora, a question-and-answer website that I frequent. The poster asked “what are best practices for escaping or sanitizing user input in PHP?” People seemed to appreciate the answer I wrote, so I’ll post it here and elaborate on it a bit more.

Why is it important to sanitize user input?

If you’re not careful with user input your website might be open to code injection, directory traversal or similar attacks. Information supplied by users can never be assumed safe.

Examples of user input are submitted forms (e.g. comments), URL parameters (?q=example) and server-side scripts pulling in third-party data, such as an RSS feed importer.

Read more…

Install Firefox 3.6 add-ons in Firefox 4 beta, disable compatibility check

Posted on June 30, 2010

Update (March 22, 2011): this post also applies to Firefox 4 final. Just use extensions.checkCompatibility.4.0 instead of extensions.checkCompatibility.4.0b.

Firefox 4 beta is available. I installed the 64-bit version on Linux today; it’s notably faster than previous versions and includes several other improvements such as tabs on top. Now I don’t want to go back to 3.6.

As usual, the only thing holding me back from upgrading is add-on compatibility. Luckily it’s possible to disable the compatibility check so Firefox 4 will let you install add-ons built for older versions. I found that many add-ons work just fine in Firefox 4.

Disable compatibility check

If you’re willing to take your chances, navigate to about:config in your browser, promise not to break anything and right-click in the window to add a new boolean. In the preference name field, enter extensions.checkCompatibility.4.0b and set the value to false. Firefox will now let you install any add-on.

If anything breaks, try disabling add-ons or deleting them completely. You can always go back to 3.6 if nothing works and wait for a new stable release.

I’ve tested it with AdBlock Plus, Firebug, Flashblock and Wappalyzer.

Launching reversegif.com

Posted on June 06, 2010

Animated GIFs are better in reverse. For me this was reason enough to spend a weekend coding and avoid doing anything useful. I created a simple service where you can upload animated GIF images and it will reverse them. To my surprise the domain name reversegif.com was still available so I quickly grabbed it and today I put the website up.

A few examples:

Enjoy!

How to store passwords safely with PHP and MySQL

Posted on January 31, 2010

First, let me tell you how not to store passwords and why.

Do not store password as plain text

This should be obvious. If someone gains access to your database then all user accounts are compromised. And not only that, people tend to use the same password on different sites so those accounts will be compromised as well. Your site doesn’t even need to be hacked; a system administrator could easily browse your database.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea but the process is reversible. Anyone with access to your code would have no trouble transforming the passwords back to their originals. Security through obscurity is not sufficient!

Read more…

Swiftlet 1.1 Stable

Posted on January 05, 2010

I released a new stable version of Swiftlet a few days ago, together with a new web page at swiftlet.org. Swiftlet is a light-weight framework written in PHP, aimed at making website development faster and easier.

Version 1.1 comes with a few new plugins that bring CMS-like features to Swiftlet. See the changelog for the full list of changes.

The documentation has also been updated and can now be found at swiftlet.org/docs. If you need support or have any requests, feel free to start a thread at swiftlet.org/community.

Safer web forms with security tokens

Posted on November 15, 2009

A common issue with many web applications is their vulnerability to Cross-Site Request Forgery, or XSRF. It allows a hacker to send a malicious request to a website with another user’s privileges. Here’s how it works:

  • A hacker creates a page with a form that submits data to example.com.
  • An administrator from example.com is tricked into visiting the page, where the form is submitted automatically using JavaScript.
  • The data is handled by example.com as if it came from the administrator (because it did).

This allows a hacker to perform administrative tasks on example.com like editing pages or deleting users.
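As an added illustration of the countermeasure the post’s title refers to (this is my own example, not code from the post or from Swiftlet), here is a minimal synchronizer-token implementation for a PHP form handler. The function names, the csrf_token session and field names and the form action are assumptions.

```php
<?php
// Added example (not from the original post): synchronizer tokens for PHP forms.
// The forged request in the post succeeds because the browser attaches the
// administrator's cookies automatically. A secret token that the attacker's
// page cannot read (same-origin policy) breaks that: the forged form cannot
// include it, so the handler rejects the request.

session_start();

// Create (or reuse) a per-session token. random_bytes() is cryptographically
// secure; bin2hex() produces a form-safe representation.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every state-changing form (hypothetical name).
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token. hash_equals() compares in constant time so an
// attacker cannot learn the token byte by byte from response timing.
function csrf_verify(array $post): bool
{
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== ''
        && hash_equals($expected, $submitted);
}

// In the page that renders the form (action path is hypothetical):
//   echo '<form method="post" action="/admin/delete-user">' . csrf_field() . ...
//
// In the handler, before any administrative action such as deleting a user:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing security token.');
    }
    // ... safe to perform the requested action for this administrator ...
}
```

The token must be checked on every request that changes state (POST here), never on a GET that merely displays data; the check on its own does nothing if a page is still willing to act on an unverified request.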

Read more…

Using Internet Explorer 8 for IE6 and IE7 testing

Posted on October 02, 2009

I personally don’t care what my websites look like in IE6 or 7 (or 8), but for those who do there is a neat little trick to test your site for these browsers.

The hard way

If you’re on Windows XP or older you can use a standalone version of IE6. If you’re on Windows 7 (not the beta though), you can use Microsoft’s free “IE Application Compatibility VPC Image” to run XP with IE6 or 7 in a virtual machine. If you’re on any other operating system (Windows Vista, Mac OS, Linux) and have a Windows XP license you can run it using a VM like VirtualBox.

The easy way

If you’re already running IE8 there is an easier way. Compatibility View will render pages as IE7, and a missing doctype will cause pages to be rendered as IE6 in quirks mode.

You can simply remove the doctype from your pages when you’re testing for IE6 or ― if you’re using PHP ― add a simple switch:

<?php if ( !isset($_GET['ie6']) ): ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<?php endif ?>

Now you can simply add “?ie6” to the URL in IE8 to see what your page looks like in IE6. You can even keep several tabs open to make sure it works with all versions.
