Techblog Index

Alternative syntax for PHP control structures

While it’s not a great secret, many people are still not aware of the alternative syntax for control structures in PHP.

The C-like syntax for control structures is very intuitive, but it can cause a lot of trouble when your code spans many pages and has lots of ifs, fors and whiles, and therefore lots of opening and closing braces.

NOTE: As jakyra pointed out on DZone, if you keep your code tidy you shouldn’t have functions that long and so shouldn’t run into this problem, but the alternative syntax still has good benefits.

The alternative syntax

The alternative syntax consists of replacing the opening brace ({) with a colon (:) and each closing brace with its respective closing keyword: endif;, endfor;, endforeach;, endwhile; and endswitch;.
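As an added example (not code from the original post), here is a small page fragment written with the alternative syntax, nesting foreach, if/elseif/else and switch. The `$users` array and the `e()` escaping helper are constructed for this example; output is escaped so that a user-supplied name cannot inject markup into the page.

```php
<?php
// Added example, not code from the original post: the same page fragment written
// with the alternative syntax. $users is constructed sample data.
$users = [
    ['name' => 'Alice',        'role' => 'admin',  'tags' => ['ops', 'sec']],
    ['name' => 'Bob <script>', 'role' => 'editor', 'tags' => ['docs']],
    ['name' => 'Carol',        'role' => 'guest',  'tags' => []],
];

// Every value is escaped on output so a user-supplied name cannot inject markup.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
?>
<ul>
<?php foreach ($users as $user): ?>
  <li>
    <?php if ($user['role'] === 'admin'): ?>
      <strong><?= e($user['name']) ?></strong> (admin)
    <?php elseif ($user['role'] === 'editor'): ?>
      <em><?= e($user['name']) ?></em> (editor)
    <?php else: ?>
      <?= e($user['name']) ?>
    <?php endif; ?>
    <?php if (count($user['tags']) > 0): ?>
      <ul>
        <?php foreach ($user['tags'] as $tag): ?>
          <li><?= e($tag) ?></li>
        <?php endforeach; ?>
      </ul>
    <?php endif; ?>
  </li>
<?php endforeach; ?>
</ul>
<?php
// while/endwhile and switch/endswitch follow the same pattern. With switch, no
// output (not even whitespace) may appear between "switch (...):" and the first
// "case", which is why both are kept inside one PHP block here.
$i = 0;
while ($i < count($users)):
    switch ($users[$i]['role']):
        case 'admin':
            echo e($users[$i]['name']), " may manage users\n";
            break;
        default:
            echo e($users[$i]['name']), " may not\n";
    endswitch;
    $i++;
endwhile;
```

Two things to watch: the alternative syntax only accepts `elseif` as one word (`else if` is a parse error in this form), and each `end*` keyword names the block it closes, which is what makes deeply nested templates readable again.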
Read the full article

Sustainability application under Software Development

We are constantly trying to improve the performance of our web applications to gain speed, lower the load on the clusters and thus be able to serve even more users, but have you ever thought about how these improvements can help against Global Warming?

For years, optimization techniques such as caching at many levels (disk/memory), compression, clustering and others were developed to achieve greater performance.

Global Warming has been around for years and is getting worse every year, but it seems that movements within IT have begun in order to create greener solutions. Many hosts such as Dreamhost (which we’re proud to have as our hosting company) have already started their effort to reduce or even neutralize their Carbon Footprint, and now developers can help on their side too.
Read the full article

Scytale, a greek cryptography system implemented in C++

During TISafe’s Security Officer training this month, while talking about cryptography, the Scytale technique came up.

This was one of the first cryptography methods with a historical record, used by the Greeks (Spartans, more specifically) to cipher messages during military campaigns, thus not letting the enemy know their moves even if the message carrier got caught, tortured or killed.
Read the full article

Advanced SQL Injection

Found this great video at LearnSecurityOnline.com of a presentation by one of its founders, Joseph McCray, at Saecur’s DojoSec (a monthly event hosted by Marcus Carey) earlier this year in February.

Joseph speaks in a very humorous way about “Advanced SQL Injection”, covering from Error-based SQL Injection to Blind SQL Injection, pretty nasty and nice! It gives another good overview of what we developers should look at when protecting our code.

Here is the video:

DojoSec Monthly Briefings – February 2009 – Joseph McCray from Marcus Carey on Vimeo.

Don’t forget to check out the other DojoSec videos at Marcus Carey’s Vimeo channel and LearnSecurityOnline.com for more great security-related material!

Ordering by fields that contains null values

By default, null values are put at the top of the query result set when a field is sorted in ascending order.

This becomes a problem in many scenarios, especially when we are ordering by a position field that can contain an integer value for its position in the dataset, or null if the position is not defined. Rows with an undefined position have lower weight than the specified ones and thus come first.

The following SQL query is from a very common scenario: a SELECT that fetches all city records in “importance” order (most common, not in fact important cities – don’t get mad if you live in an odd city).

SELECT
  id, city
FROM
  cities
ORDER BY
  position;

This brings us all null-valued position rows first, and the non-null positions in ascending order at the bottom.

This happens because our ordering pool will look like the following:
position (integer or null), city field value (string)

So null values are considered smaller than 1 (the lowest positive integer) and therefore come first in our result set.
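As an added example (not code from the original post), the following script reproduces the NULL-first ordering against an in-memory SQLite table, which applies the same rule as MySQL here, and then shows the usual workaround of sorting on `position IS NULL` first. The city rows are constructed sample data; the workaround is a general technique and is not stated in the excerpt above.

```php
<?php
// Added example, not code from the original post: reproduces the NULL-first
// ordering against an in-memory SQLite table (the same rule applies to MySQL)
// and shows the usual workaround. The city rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, city TEXT NOT NULL, position INTEGER)');

// Two cities have a defined position, two do not (NULL).
$insert = $pdo->prepare('INSERT INTO cities (city, position) VALUES (:city, :position)');
foreach ([['Springfield', 2], ['Shelbyville', null], ['Capital City', 1], ['Ogdenville', null]] as [$city, $position]) {
    $insert->bindValue(':city', $city, PDO::PARAM_STR);
    // Bind NULL explicitly so the driver stores SQL NULL rather than an empty string.
    $insert->bindValue(':position', $position, $position === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    $insert->execute();
}

// The query from the post: NULL sorts below every integer, so the rows with an
// undefined position come out first.
$naive = $pdo->query('SELECT city FROM cities ORDER BY position')
             ->fetchAll(PDO::FETCH_COLUMN);

// Workaround: "position IS NULL" evaluates to 0 for defined rows and 1 for NULL
// rows, so sorting on it first pushes the undefined ones to the bottom while the
// rest stay in ascending order. This works in MySQL and SQLite; PostgreSQL (and
// newer SQLite releases) also accept ORDER BY position NULLS LAST.
$fixed = $pdo->query('SELECT city FROM cities ORDER BY position IS NULL, position')
             ->fetchAll(PDO::FETCH_COLUMN);

print_r($naive);
print_r($fixed);
```

Running it prints the two cities without a position first in the naive list, and Capital City then Springfield followed by the two undefined cities in the fixed one. Note that the relative order of the NULL rows among themselves is not guaranteed by either query; add a second sort column such as `city` if a stable order matters.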
Read the full article

Writing less: Using scientific notation for very large or very small numbers

When dealing with very large or very small numbers we can opt to write them in scientific notation.

Scientific notation, also known as standard form or as exponential notation, is a way of writing numbers that accommodates values too large or small to be conveniently written in standard decimal notation. Scientific notation has a number of useful properties and is often favored by scientists, mathematicians and engineers, who work with such numbers.

Scientific Notation @ Wikipedia

Since we developers are part scientists, part mathematicians and part engineers, I guess this is perfect for us!

We have all seen it in high school and it seemed quite strange, but it is in fact quite simple:

The equation, in simplified language, is as follows:
Simplified number × 10^(number of decimal units)

The “Simplified number” is the number in a simplified manner.
Examples:

  • 1000000 = 1
  • 4230000 = 423

And then, on the other side, we just add the number of decimal units that were simplified out.

  • 1000000 becomes 1×10^6
  • 4230000 becomes 423×10^4

Read the full article

WP-Minify’s new version vanished WordPress’ HTTP requests issue

While working with WordPress we always get stuck with the HTTP requests issue caused by plugins that append external JavaScript or CSS files to our page body, thus causing more HTTP requests and degrading our performance benchmarks and company job standards.

Content minification is a well-known best practice for bandwidth reduction (saves the client’s money), thus giving better page load time (gives the client a good smile). Since it removes all unnecessary code (comments, extra spaces, tabs etc.) and joins files together, KBs are saved in both bandwidth and browser rendering.

Here we have always used the Minify PHP5 tool from Steve Clay and Ryan Grove, because it always worked like a charm and the results are quite amazing.

In WordPress we had problems implementing this because plugins added their own JS and CSS files at will. WP-Minify from Thaya Kareeson came to save our souls, but we had some misbehaving plugins that were still adding link and script tags by echoing them to the page.

Fortunately, this new version preprocesses the output, gathering any inline style/script reference and adding it to a temporary file that is included in the minification process.

I got tricked there because voting badges and other stuff use inline script tags to generate the badge. WP-Minify’s preprocessing freaked me out because this script tag depended on the the_permalink() function from WordPress, so the correct output was not generated in the temporary file. Before I started panicking I realized that the plugin’s configuration page has a script (and style) blacklist. I just added the src URL (without the query string) and everything worked like a charm!

Nice job Thaya!

Quick Tip: Forcing www. to avoid duplicate content

Google (and other search engines) treat subdomains as different websites, so if you are linked to or accessed both via http://www.yourdomain.com and http://yourdomain.com you may get your content classified as duplicate, since it will be the same on both.

To avoid this simply add a rule to a .htaccess file in your root directory:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
</IfModule>

NOTE: You need to have mod_rewrite enabled on your server in order to do this.

Quick-tip: PHP mail() header misuse “vulnerability”

When building contact forms in PHP, people usually create a simple form that submits its data to a simple script that calls PHP’s mail() function.

This function has the following parameters:

mail($recipient, $subject, $message, $headers);

Note the $headers part. Headers are meta information about the message that contain the sender, subject, date sent, CC, BCC, the recipient name and other stuff that mail daemons (and anti-spam software) add and use to track the email’s path from sender to recipient.

You may have noticed that I’ve put the word vulnerability in quotes. Yes, this is NOT a PHP function vulnerability, but it becomes one when misused.

The fact is that, as this function doesn’t have a $from parameter, people pass this information via the $headers parameter, as in the following example.

$headers = "From: {$_POST['name']} <{$_POST['email']}>"; // "From: SomeUser <jon@doe.com>"

This is our fail point: PHP Magic Quotes “protected” people from most XSS input attacks since it escapes quotes and such, but as headers are separated by newlines (\n), the header can be easily spoofed by inputting:

Note that I’ve added a BCC entry, and now the email is going to be sent to the email address specified in the $recipient parameter of the mail function AND to my BCC entries.

“Congratulations, your e-mail form (and server) is being used now to send my spam”
(Just a quote, Heavyworks’ ethics code would never let me SPAM!)

Solution
Do not forward inputs directly to the headers parameter, or use an email class like Codeworx’s PHPMailer.
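As an added example (not code from the original post), here is a hardened wrapper around mail() that follows the first part of the solution: every value that ends up in a header is rejected if it contains a line break, the address is validated, and the display name is quoted. The `singleLine()`, `fromHeader()` and `sendContactForm()` helpers and the sample form inputs are constructed for this example.

```php
<?php
// Added example, not code from the original post: a hardened wrapper around mail()
// that refuses header values containing line breaks, so a form field cannot
// smuggle extra header lines such as Bcc:. Helper names and inputs are constructed.

function singleLine(string $field, string $value): string
{
    // CR, LF and NUL are the characters that let an input start a new header line.
    if (preg_match('/[\r\n\x00]/', $value)) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return trim($value);
}

function fromHeader(string $name, string $email): string
{
    $name  = singleLine('name', $name);
    $email = singleLine('email', $email);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }
    // Quote the display name so characters such as "," or "<" cannot alter the address list.
    $name = '"' . addcslashes($name, '"\\') . '"';
    return "From: $name <$email>";
}

function sendContactForm(array $post, string $recipient): bool
{
    $headers = fromHeader($post['name'] ?? '', $post['email'] ?? '');
    // The subject is a header too, so it gets the same line-break check.
    $subject = singleLine('subject', $post['subject'] ?? '');
    // The body is separated from the headers by mail() itself; newlines there are harmless.
    $message = $post['message'] ?? '';
    return mail($recipient, $subject, $message, $headers);
}

// Constructed inputs: a legitimate submission and one carrying an injected Bcc line.
$good = ['name' => 'Jon Doe', 'email' => 'jon@example.com', 'subject' => 'Hi', 'message' => 'Hello'];
$bad  = $good;
$bad['email'] = "jon@example.com\r\nBcc: someone@example.invalid";

echo fromHeader($good['name'], $good['email']), PHP_EOL;
try {
    fromHeader($bad['name'], $bad['email']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The check is deliberately a rejection rather than a strip: silently removing the newline would still send mail on behalf of someone feeding the form malformed data, whereas failing loudly gives you a log line to alert on. The same line-break rule applies to any other header you build from user input (Reply-To, Subject), which is why `sendContactForm()` runs the subject through it as well.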

NOTE: Learn more about e-mail headers at Wikipedia

There is a Brazilian Portuguese version of this vulnerability at Bruno’s Blog.

Ubuntu is going Windows-way

Ubuntu is indeed responsible for the huge growth of Linux home users due to its simplicity of out-of-the-box use. As a brief retrospective, the emerging Linux distributions of the past were always known for the difficulty of setting up the proper drivers and essential software. If you were installing on a laptop, things turned into a nightmare. At that point, only IT people used Linux because home users were scared away (I think it coincided with the ugly GTK 1.x interfaces under Gnome).

Ubuntu emerged to aid home users and be more user-friendly, with a startup installation that would recognize and install all your drivers and give you a starting setup of the most commonly used tools like e-mail clients, IM clients, a web browser and an office suite.
Read the full article