Posts tagged: PHP

Soft launch

I quietly launched my first production Django site today, a replacement for a mess of legacy third-party PHP code. Unfortunately, it’s a members-only service related to my job and so I don’t have a public URL to share.

A couple of interesting points: the new site was developed alongside the still-live legacy PHP apps, using some of the same data – including a user table that’s used for authentication. django-admin.py inspectdb made model creation fairly easy. I also found Scott Hurring’s PHPSerialize module indispensable for working with the highly crufty legacy data.

Let's play a game: BASIC vs. Ruby vs. Python vs. PHP

In November I wrote about rediscovering BASIC Computer Games, a book I had when I was learning programming in the ’80s. Flipping through it recently I came across a simple game called “Reverse”:

The game of REVERSE requires you to arrange a list of numbers in numerical order from left to right. To move, you tell the computer how many numbers (counting from the left) to reverse. For example, if the current list is 2 3 4 5 1 6 7 8 9 and you reverse 4, the result will be 5 4 3 2 1 6 7 8 9. Now if you reverse 5, you win.

Python question: a better urlparse?

Is there a more sophisticated equivalent of urlparse.urlparse() somewhere that knows enough to break out username and password components? Ideally it would return a dict, with keys like ‘scheme’ and ‘host’ and ‘user’, instead of a tuple. Something like PHP’s parse_url().


Paul Jimenez commented on Mon Dec 12 13:09:22 2005:

I wrote http://mail.python.org/pipermail/python-dev/2005-November/058301.html about urlparse being broken not too long ago, though I have yet to present my replacement. What kind of API do you think a better urlparse() should have? Keep in mind a good solution should deal with not only http://user:password@host:port/path?query#fragment, but also tel:1-234-567-8910 and news:newsgroup and news:msgid@newsgroup. I suspect the problem with a dict instead of a tuple is standardization of keys. Or maybe that’s fine. I’d be interested in your opinion.

Quick, but not dirty, PHP

Though I’m doing more and more work in Python, I still write a lot of PHP code, especially for quick one-off web automation tasks.

There is plenty of activity on the other end of the scale in the PHP world now: frameworks like Cake, WASP, Solar, TaniPHP, the forthcoming Zend Framework. All this action is very cool, but doesn’t address the one-page script – and the one-page script is still worth doing right.

Many people come into PHP helter-skelter, not realizing that “Wow, it works!” is not the highest level of achievement possible. I don’t offer myself as a PHP guru, but below are some of the conventions (I dare not call them “patterns”) I use that I think are worth passing along.

Form hijacking

Does your website contain mail forms that aren’t sanitizing input as aggressively as they should? There seems to have been a recent surge in automated (or semi-automated, it’s hard to tell) probes and exploits of form mail scripts, all revolving around injecting headers into sent mail.

Here’s how it works: Let’s say you have a form that allows the user to enter their email address. The black hat’s exploit script submits a value for that field that includes a newline, followed by whatever email headers they want to insert: Bcc, for example, or even full-blown MIME-encoded parts.
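One way to stop the injected-newline trick before a submitted address reaches mail(), as an added example that is not code from the original post; the addresses, the field labels and the log message are constructed assumptions:

```php
<?php
// Added example (not from the original post): refuse a form-mail "email"
// field that could smuggle extra headers into the message.

// Returns the address if it is safe to place in a mail header, or null.
function safe_email_field(string $raw): ?string
{
    $value = trim($raw);
    // A bare CR, LF or NUL is the whole attack: it ends the current header
    // line and lets the submitter start a new one (Bcc:, Content-Type:, ...).
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    // Length bound plus a syntax check so only a single address survives.
    if (strlen($value) > 254 || filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $value;
}

// Constructed sample submissions: one legitimate, one carrying a Bcc header
// after an embedded CRLF, as described above.
$submissions = [
    'legit'  => 'alice@example.com',
    'attack' => "alice@example.com\r\nBcc: someone@example.net",
];

foreach ($submissions as $label => $field) {
    $email = safe_email_field($field);
    if ($email === null) {
        // Log and refuse; never build headers from the rejected value.
        error_log("form-mail: rejected reply address in submission '$label'");
        continue;
    }
    // Only the validated value is ever concatenated into the header block.
    $headers = "From: webform@example.com\r\nReply-To: $email\r\n";
    // mail('owner@example.com', 'Contact form', $body, $headers);
    echo "$label: would send with Reply-To: $email\n";
}
```

The same check belongs on every submitted value that ends up in a header (name, subject), not only the address field.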