Posts tagged: PHP

Form hijacking

Does your website contain mail forms that aren’t sanitizing input as aggressively as they should? There seems to have been a recent surge in automated (or semi-automated; it’s hard to tell) probes and exploits of form mail scripts, all revolving around injecting headers into the sent mail. Here’s how it works. Let’s say you have a form that allows the user to enter their email address, and the script copies that value into a mail header such as From: or Reply-To:. The black hat’s exploit script submits a value for that field that includes a newline, followed by whatever email headers they want to insert: Bcc, for example, so the message also goes to recipients of their choosing, or even full-blown MIME-encoded parts that replace the body entirely.
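The following is an added example, not code from the original post: a stripped-down PHP form-mail handler showing the vulnerable header construction beside a hardened one. The attacker payload is constructed here for illustration, nothing is actually sent (only the header block is built and inspected), and the function names are my own. It assumes PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example (not from the original post): email header injection in a
// form-mail script, and the input check that stops it.

// Constructed attacker input: a plausible address followed by CRLF and an
// extra header. Real probes also append MIME parts after a blank line.
$maliciousEmail = "victim@example.com\r\nBcc: spam1@example.net, spam2@example.net";
$benignEmail    = "alice@example.com";

// VULNERABLE: the submitted address is interpolated straight into the
// header block passed to mail(). Every CRLF in it starts a new header line,
// so the attacker controls Bcc, Content-Type, or anything else.
function buildHeadersUnsafe(string $fromEmail): string
{
    return "From: " . $fromEmail . "\r\n" .
           "Reply-To: " . $fromEmail . "\r\n";
}

// HARDENED: refuse any input containing CR, LF or NUL (the only way to
// start a new header line), then require one syntactically valid address.
// Returns null when the value must be rejected.
function sanitizeEmail(string $input): ?string
{
    if (preg_match('/[\r\n\0]/', $input)) {
        return null;                      // header injection attempt
    }
    $trimmed = trim($input);
    if (filter_var($trimmed, FILTER_VALIDATE_EMAIL) === false) {
        return null;                      // not a single valid address
    }
    return $trimmed;
}

function buildHeadersSafe(string $fromEmail): ?string
{
    $clean = sanitizeEmail($fromEmail);
    if ($clean === null) {
        return null;
    }
    return "From: " . $clean . "\r\n" .
           "Reply-To: " . $clean . "\r\n";
}

// Demonstration: compare what each version would hand to mail().
foreach ([$benignEmail, $maliciousEmail] as $submitted) {
    echo "Submitted: " . json_encode($submitted) . "\n";
    echo "  unsafe header block:\n" . preg_replace('/^/m', '    ', buildHeadersUnsafe($submitted));
    $safe = buildHeadersSafe($submitted);
    if ($safe === null) {
        echo "  safe version: REJECTED\n";
    } else {
        echo "  safe header block:\n" . preg_replace('/^/m', '    ', $safe);
    }
}
```

Run it with `php header-injection.php`: for the benign address both versions produce the same two headers; for the malicious one the unsafe version emits a third line beginning `Bcc:`, while the safe version rejects the input before any header is built. The important design point is that the check is a rejection, not a cleanup: stripping the newlines and sending anyway would still let an attacker probe which characters get through, whereas refusing the request gives them nothing.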

PHP/HTML enhancements for TextMate

My first little bit of TextMate language grammar hacking: PHP.tmbundle 2.0.1, which has two small enhancements over the stock 2.0: HTML code embedded inside <<<HTML … HTML; heredoc delimiters is colorized as HTML, and code folding is enabled for those blocks. Enjoy! Feedback is welcome. Thanks to TextMate author Allan Odgaard for helpful answers to my newbie questions on the TextMate mailing list.

The Onion moves to Drupal

Humor services provider The Onion has moved the back-end of their extensive, and presumably extremely high-traffic, website to Drupal as of August 30th. It’s not clear what they were using before, but I believe it was homebuilt PHP stuff. I’ll miss playing with their old remotely exploitable headline-generating script, but this seems like a good move. One of the developers has posted an interesting overview of the redesign process. It’s a nice feather in the cap of the Drupal community to have a prominent and busy site adopt their software.

Django, Rails, and PHP

Sam Newman has posted a useful high-level comparison of Django and Rails on his site. In it, I think he hits on one little-discussed reason why these two projects are grabbing so much mindshare right now: [Rails and Django] … historically would have ended up being written in Perl or PHP - but ended up being written in Ruby and Python respectively. When I heard DHH speak at OSCON, he mentioned switching to Ruby after giving up on trying to make PHP do the kind of stuff he wanted to do.

Rasmus on Ajax

Making the rounds today is a perceptive mailing list posting from Rasmus Lerdorf explaining how simple Ajax really can be. I particularly like this bit: Before you blindly install large “AJAX” libraries, have a go at rolling your own functionality so you know exactly how it works and you only make it as complicated as you need.

Open Source Initiative at OSCON

According to their blog, the Open Source Initiative (OSI) is holding a public meeting at OSCON on Thursday July 3 at 7:30pm. I’ve been wondering what has transpired since they issued their statement on license proliferation back in April: Interference between different open-source licenses is now perceived as a sufficiently serious problem that OSI has become a victim of its own earlier success… The day of the open-source license as tribal flag or corporate monument will have to come to a close.

Cake

I’ve been on Web Application Framework Safari for the past couple weeks. The new hotness is Ruby on Rails, which has inspired lots of imitators. Not necessarily a bad thing. Because I do so much PHP work I was curious what kind of work had been done to bring this style of development to PHP. I found CakePHP. I’ll say this for them, they write good enough documentation that I actually had a working mini-site at the end of the first tutorial I tried.