Posts tagged: PHP

Form hijacking

Does your website contain mail forms that aren’t sanitizing input as aggressively as they should? There seems to have been a recent surge in automated (or semi-automated, it’s hard to tell) probes and exploits of form mail scripts, all revolving around injecting headers into sent mail.

Here’s how it works: Let’s say you have a form that allows the user to enter their email address. The black hat’s exploit script submits a value for that field that includes a newline, followed by whatever email headers they want to insert: Bcc, for example, or even full-blown MIME-encoded parts.
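One defence is to refuse any form value that contains the line breaks needed to start a new header before it ever reaches `mail()`. This is an added example, not code from the original post; the Reply-To field, the addresses and the sample inputs are constructed for illustration.

```php
<?php
// Added example: validate a form-supplied address before it goes into a header.
// mail() builds the header block from whatever string it is given, so a value
// carrying "\r\n" can turn one field into several headers (Bcc, MIME parts...).

// CR, LF and NUL are the characters that split or terminate header lines.
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns the cleaned address, or null when the input must be rejected.
// The explicit line-break check comes first so the reason for rejection is
// obvious in logs; FILTER_VALIDATE_EMAIL then enforces the address syntax.
function validateReplyTo(string $input): ?string
{
    $value = trim($input);
    if (!isSafeHeaderValue($value)) {
        return null;
    }
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Constructed sample inputs: one legitimate, one carrying an injected header.
$samples = [
    'alice@example.com',
    "alice@example.com\r\nBcc: third-party@example.net",
];

foreach ($samples as $raw) {
    $checked = validateReplyTo($raw);
    echo ($checked === null ? 'rejected' : 'accepted'), ': ', json_encode($raw), PHP_EOL;
}

// Only a value that passed validation belongs in the header string:
// $headers = "From: webmaster@example.com\r\nReply-To: {$checked}\r\n";
// mail('webmaster@example.com', 'Contact form', $body, $headers);
```

The same check applies to every field that ends up in a header (name, subject, address); the message body can tolerate newlines, headers cannot.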

PHP/HTML enhancements for TextMate

My first little bit of TextMate language grammar hacking: PHP.tmbundle 2.0.1, which has two small enhancements over the stock 2.0:

  • HTML code embedded inside `<<<HTML` … `HTML;` heredoc delimiters will be colorized as HTML
  • Code-folding is enabled for those blocks

Enjoy! Feedback is welcome. Thanks to TextMate author Allan Odgaard for helpful answers to my newbie questions on the TextMate mailing list.


ritesh commented on Thu Nov 10 13:03:27 2005:

this is good.

The Onion moves to Drupal

Humor services provider The Onion has moved the back-end of their extensive, and presumably extremely high-traffic, website to Drupal as of August 30th. It’s not clear what they were using before, but I believe it was homebuilt PHP stuff. I’ll miss playing with their old remotely exploitable headline-generating script, but this seems like a good move. One of the developers has posted an interesting overview of the redesign process.

It’s a nice feather in the cap of the Drupal community to have a prominent and busy site adopt their software. My only dig at them is that I figured it out because I saw “/node/” in the URLs!

Django, Rails, and PHP

Sam Newman has posted a useful high-level comparison of Django and Rails on his site. In it, I think he hits on one little-discussed reason why these two projects are grabbing so much mindshare right now:

[Rails and Django] … historically would have ended up being written in Perl or PHP - but ended up being written in Ruby and Python respectively.

When I heard DHH speak at OSCON, he mentioned switching to Ruby after giving up on trying to make PHP do the kind of stuff he wanted to do. Back in July I asked Simon Willison (of the Django team) about PHP; he said that both he and Adrian Holovaty had worked in PHP for years, but it was Python that “gave us the flexibility we needed to pull everything off.”

Rasmus on Ajax

Making the rounds today is a perceptive mailing list posting from Rasmus Lerdorf explaining how simple Ajax really can be. I particularly like this bit:

Before you blindly install large “AJAX” libraries, have a go at rolling your own functionality so you know exactly how it works and you only make it as complicated as you need.

Open Source Initiative at OSCON

According to their blog, the Open Source Initiative (OSI) is holding a public meeting at OSCON on Thursday July 3 at 7:30pm. I’ve been wondering what has transpired since they issued their statement on license proliferation back in April:

Interference between different open-source licenses is now perceived as a sufficiently serious problem that OSI has become a victim of its own earlier success… The day of the open-source license as tribal flag or corporate monument will have to come to a close.

Cake

I’ve been on Web Application Framework Safari for the past couple weeks. The new hotness is Ruby on Rails, which has inspired lots of imitators. Not necessarily a bad thing. Because I do so much PHP work I was curious what kind of work had been done to bring this style of development to PHP. I found CakePHP.

I’ll say this for them, they write good enough documentation that I actually had a working mini-site at the end of the first tutorial I tried. Pretty good compared to some of the projects I’ve seen with more high-minded architecture and no usable documentation at all.