Archives

Articles tagged ‘php’

Better error handling

Error handling and reporting was always something I knew I wasn't doing right. Led by PHP's on-the-fly type casting, I used to make functions just return false or null, but that was not right because I was hurting their return-type integrity.
Read the full article

Alternative syntax for PHP control structures

While it's not a great secret, many people are still not aware of the alternative syntax for control structures in PHP.

The C-like syntax for control structures is very intuitive, but it can cause a lot of trouble when your code has many pages with lots of ifs, fors and whiles, and therefore lots of opening and closing braces to keep track of.

NOTE: As jakyra pointed out on DZone, if you keep your code tidy you shouldn't have functions that long, and so shouldn't have this kind of problem, but the alternative syntax still has real benefits.

The alternative syntax

The alternative syntax consists of replacing the opening brace ({) with a colon (:) and each closing brace with the keyword that closes its structure: endif;, endfor;, endforeach;, endwhile; and endswitch;. The else and elseif branches take a colon as well (else: and elseif (...):).
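As an added example (not code from the original article), the same list rendered twice, once with braces and once with the alternative syntax, so the difference in readability is visible in a template. The $items array is constructed data, and output goes through htmlspecialchars() in both versions, since a template that is easier to read should not be one that is easier to inject into:

```php
<?php
// Added example (not from the original article). $items is constructed data;
// the same template is rendered twice, once with braces and once with the
// alternative syntax, and output is escaped with htmlspecialchars() in both.
$items = [
    ['name' => 'Apple',               'price' => 1.20, 'in_stock' => true],
    ['name' => 'Pear <b>special</b>', 'price' => 0.90, 'in_stock' => false],
    ['name' => 'Plum',                'price' => 0.00, 'in_stock' => false],
];
$esc = function (string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
};
?>
<!-- C-like syntax: the closing braces at the end say nothing about what they close -->
<ul>
<?php foreach ($items as $item) { ?>
    <?php if ($item['in_stock']) { ?>
        <li><?php echo $esc($item['name']); ?> (<?php echo number_format($item['price'], 2); ?>)</li>
    <?php } elseif ($item['price'] > 0) { ?>
        <li><?php echo $esc($item['name']); ?> (sold out)</li>
    <?php } else { ?>
        <li><?php echo $esc($item['name']); ?> (unavailable)</li>
    <?php } ?>
<?php } ?>
</ul>

<!-- Alternative syntax: each closing keyword names the structure it ends -->
<ul>
<?php foreach ($items as $item): ?>
    <?php if ($item['in_stock']): ?>
        <li><?php echo $esc($item['name']); ?> (<?php echo number_format($item['price'], 2); ?>)</li>
    <?php elseif ($item['price'] > 0): ?>
        <li><?php echo $esc($item['name']); ?> (sold out)</li>
    <?php else: ?>
        <li><?php echo $esc($item['name']); ?> (unavailable)</li>
    <?php endif; ?>
<?php endforeach; ?>
</ul>

<?php $i = 0; ?>
<?php while ($i < 2): ?>
    <p>row <?php echo $i; ?></p>
    <?php $i++; ?>
<?php endwhile; ?>
```

One caveat worth knowing before converting a switch: with the alternative syntax, no output at all, not even a newline, may appear between switch (...): and the first case, or PHP reports a syntax error.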
Read the full article

WP-Minify's new version makes the WordPress HTTP requests issue vanish

While working with WordPress we always get stuck with the HTTP requests issue caused by plugins that append external JavaScript or CSS files to our page body, causing more HTTP requests and hurting our performance benchmarks and the company's job standards.

Content minification is a well-known best practice for bandwidth reduction (saves the client's money) and thus gives better page load times (gives the client a smile). Since it removes all unnecessary bytes (comments, extra spaces, tabs, etc.) and joins files together, the KBs saved show up both in bandwidth and in browser rendering time.

Here we have always used the Minify PHP5 tool from Steve Clay and Ryan Grove because it always worked like a charm and the results are quite amazing.

In WordPress we had problems implementing this because plugins add their own JS and CSS files at will. WP-Minify from Thaya Kareeson came to save our souls, but we had some misbehaving plugins that still added link and script tags by echoing them straight into the page.

Fortunately, the new version preprocesses the output, gathering any inline style/script reference and adding it to a temporary file that is included in the minification process.

I got tricked there because voting badges and other things use inline script tags to generate the badge. WP-Minify's preprocessing freaked me out because this script tag depended on WordPress' the_permalink() function, so it did not generate the correct output in the temporary file. Before I started freaking out, I realized that the plugin's configuration page had a script (and style) blacklist. I just added the src URL (without the query string) and everything worked like a charm!

Nice job Thaya!

Quick-tip: PHP mail() header misuse “vulnerability”

When building contact forms in PHP, people usually create a simple form that submits its data to a simple script that calls PHP's mail() function.

This function has the following parameters:

mail($recipient, $subject, $message, $headers);

Note the $headers part. Headers are meta information about the message: the sender, subject, date sent, CC, BCC, recipient name and other fields that mail daemons (and anti-spam software) add and use to track the email's path from sender to recipient.

You may have noticed that I've put the word vulnerability in quotes. This is NOT a vulnerability in the PHP function itself, but it becomes one when the function is misused.

The fact is that since this function doesn't have a $from parameter, people pass this information via the $headers parameter, as in the following example.

$headers = "From: {$_POST['name']} <{$_POST['email']}>"; // "From: SomeUser <jon@doe.com>"

This is our fail point. PHP's Magic Quotes "protected" people from quote-based injection by escaping quotes and backslashes, but header fields are separated by newlines (\n), which Magic Quotes leave untouched, so the header can easily be spoofed by inputting:

Note that I've added a BCC entry, and now the email is sent to the address specified in the $recipient parameter of mail() AND to my BCC entries.

“Congratulations, your e-mail form (and server) is being used now to send my spam”
(Just a quote, Heavyworks’ ethics code would never let me SPAM!)

Solution
Never pass raw input into the $headers parameter: reject (or at least strip) carriage returns and newlines in anything that ends up there, validate the address, or use an email class like Codeworx's PHPMailer that builds the headers for you.
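As an added example (not code from the original article, and not the author's own injected input, which is not reproduced on this page), the pattern above is built two ways: the unsafe header builder from the post next to a hardened one, plus a small helper that counts how many recipients a mail daemon would see. No mail is sent; the functions return the header string so it can be inspected. The attacker input, the addresses and the character set allowed in the display name are this example's own choices.

```php
<?php
// Added example (not from the original article). Builds the $headers string
// the way the post describes, shows how a newline in user input smuggles in an
// extra Bcc: header, and a hardened builder that refuses such input.
// Nothing is sent: the functions return the header string for inspection.

declare(strict_types=1);

// Vulnerable: interpolates raw input, exactly the pattern from the post.
function build_headers_unsafe(string $name, string $email): string
{
    return "From: {$name} <{$email}>";
}

// Hardened: refuse CR/LF (the header separators), require a single valid
// address, and restrict the display name to a safe character set.
function build_headers_safe(string $name, string $email): string
{
    if (preg_match('/[\r\n]/', $name . $email)) {
        throw new InvalidArgumentException('header injection attempt: CR/LF in input');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    // Printable characters that cannot open a new header or an address bracket.
    // (The allowed set is this example's choice; widen it with care.)
    if (!preg_match('/^[A-Za-z0-9 .\'-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid display name');
    }
    return "From: {$name} <{$email}>";
}

// Count the recipients a mail daemon would see: every address in a To/Cc/Bcc
// header line plus the explicit $recipient passed to mail(). Demo helper only.
function count_recipients(string $recipient, string $headers): int
{
    $n = 1; // the $recipient argument itself
    foreach (preg_split('/\r\n|\r|\n/', $headers) as $line) {
        if (preg_match('/^(To|Cc|Bcc):\s*(.+)$/i', $line, $m)) {
            $n += count(array_filter(array_map('trim', explode(',', $m[2]))));
        }
    }
    return $n;
}

// Constructed attacker input: the "name" field carries a newline, a Bcc:
// header and a throwaway header that swallows the trailing "<email>".
$name  = "Jon Doe\nBcc: victim1@example.net, victim2@example.net\nX-Junk:";
$email = 'jon@example.com';

$headers = build_headers_unsafe($name, $email);
echo $headers, "\n";
echo 'recipients seen by the mail daemon: ', count_recipients('contact@example.com', $headers), "\n";

try {
    build_headers_safe($name, $email);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo build_headers_safe('Jon Doe', $email), "\n";
```

The unsafe builder turns the one-line From: header into three header lines, the middle one a Bcc: with two extra recipients; the safe builder throws on the very first check. The same CR/LF rule applies to the $subject argument and to any other header you assemble from form fields, not only From:.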

NOTE: Learn more about e-mail headers at Wikipedia

There is a Brazilian Portuguese write-up of this vulnerability at Bruno's Blog

So your PHP headers are already sent, but you sent nothing?

So you are coding, you transfer your files to your production server via SVN or FTP, and then you start getting "Warning: Cannot modify header information – headers already sent" errors. Well, this is not good indeed.

This error happens when you send a header command after something has already been written to the output buffer (and, generally, on to the browser). Then you grep your code for leftover debugging prints, echos, print_rs and var_dumps, but they are gone or commented out.

Oh yeah, somehow some data was added somewhere in your source files during the transfer. Great! Now some cool action!
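An added example (not code from the original article) of the check to run before grepping for echos again: a scanner for bytes that sit outside the PHP tags and therefore get sent as output before any header() call. It assumes the stray data is a UTF-8 byte-order mark, whitespace before the opening tag, or extra whitespace after the closing tag, which is what an editor or transfer typically adds; that assumption, the function names and the sample files are mine.

```php
<?php
// Added example (not from the original article): a scanner for the usual
// sources of accidental output in PHP source files. It assumes the stray
// bytes are a UTF-8 BOM or whitespace outside the <?php ... ?> tags; that
// assumption is the example author's, not the post's.

declare(strict_types=1);

function find_stray_output(string $source): array
{
    $problems = [];

    // A BOM is three bytes the client receives before anything else.
    if (strncmp($source, "\xEF\xBB\xBF", 3) === 0) {
        $problems[] = 'UTF-8 BOM before the opening tag (3 bytes of output)';
        $source = substr($source, 3);
    }

    // Whitespace before the first <?php tag is sent to the client as-is.
    if (preg_match('/^(\s+)<\?php/', $source, $m)) {
        $problems[] = sprintf('%d whitespace byte(s) before <?php', strlen($m[1]));
    }

    // PHP swallows exactly one newline after a closing tag; anything beyond
    // that is output. (Heuristic: a "?>" inside a string would fool this.)
    $pos = strrpos($source, '?>');
    if ($pos !== false) {
        $tail = preg_replace('/^(\r\n|\n)/', '', substr($source, $pos + 2), 1);
        if ($tail !== '') {
            $problems[] = sprintf('%d byte(s) after the closing ?> tag', strlen($tail));
        }
    }
    return $problems;
}

// Walk a directory tree and report every .php file with stray output.
function scan_tree(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $problems = find_stray_output((string) file_get_contents($file->getPathname()));
        if ($problems) {
            $report[$file->getPathname()] = $problems;
        }
    }
    return $report;
}

// Constructed samples standing in for transferred files.
$samples = [
    'clean.php'    => "<?php\nheader('Location: /');\n",
    'bom.php'      => "\xEF\xBB\xBF<?php\nheader('Location: /');\n",
    'trailing.php' => "<?php\nheader('Location: /');\n?>\n\n",
    'leading.php'  => "\n  <?php\nheader('Location: /');\n",
];
foreach ($samples as $name => $src) {
    $problems = find_stray_output($src);
    printf("%-13s %s\n", $name, $problems ? implode('; ', $problems) : 'ok');
}
// Against a real deployment: print_r(scan_tree('/path/to/site'));
```

Files that contain only PHP can simply omit the closing ?> tag, which removes the trailing-whitespace case entirely; the BOM case is usually an editor setting, and a binary-mode (not ASCII-mode) FTP transfer keeps line endings as you saved them.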
Read the full article

Tracking your mail views via Web Beacons

One of the most common problems of working with email communication between companies and their clients is that there isn't a way of proving that a user has received the email without making them click a link to the company site, which is what confirms the read.

As most webmail and mail applications can render HTML emails (and most companies send HTML emails anyway), we can take advantage of this to transparently track the view.
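An added example (not code from the original article) of the mechanism the excerpt describes: a per-message beacon token issued when the email is generated, an <img> tag that references it, and the endpoint that records the view and serves a 1x1 GIF. The token is random rather than the recipient address, so a view cannot be forged by guessing and the URL never exposes who the mail went to. The endpoint URL, function names and the in-memory store are this example's assumptions.

```php
<?php
// Added example (not from the original article): a minimal beacon endpoint.
// The email carries <img src="https://example.com/beacon.php?t=TOKEN">; the
// token is a per-message random value stored server-side. Names, the URL and
// the array-based store are this example's assumptions, not the post's.

declare(strict_types=1);

// Issue a token when the message is generated and remember which message it
// belongs to (a database in practice; an array here, constructed for the demo).
function issue_beacon_token(array &$store, string $message_id): string
{
    $token = bin2hex(random_bytes(16));
    $store[$token] = ['message_id' => $message_id, 'views' => []];
    return $token;
}

// The tag that goes into the HTML body.
function beacon_tag(string $base_url, string $token): string
{
    return '<img src="' . htmlspecialchars($base_url . '?t=' . $token, ENT_QUOTES, 'UTF-8')
        . '" width="1" height="1" alt="">';
}

// Record a view if the token is known. Unknown or malformed tokens are not
// logged but still get the pixel, so a prober learns nothing from the reply.
function record_view(array &$store, ?string $token, string $ua, int $now): bool
{
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token) || !isset($store[$token])) {
        return false;
    }
    $store[$token]['views'][] = ['at' => $now, 'ua' => substr($ua, 0, 200)];
    return true;
}

// 1x1 transparent GIF with caching disabled, so repeat opens reach the server.
function send_pixel(): void
{
    header('Content-Type: image/gif');
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
    echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
}

// Sending side (constructed):
$store = [];
$token = issue_beacon_token($store, 'newsletter-42/recipient-7');
$html  = '<p>Hello!</p>' . beacon_tag('https://example.com/beacon.php', $token);

// Receiving side, as beacon.php would run it on a real request:
//   record_view($store, $_GET['t'] ?? null, $_SERVER['HTTP_USER_AGENT'] ?? '', time());
//   send_pixel();
record_view($store, $token, 'Mozilla/5.0 (constructed)', 1234567890);
record_view($store, str_repeat('0', 32), 'probe', 1234567891); // unknown token: ignored
echo count($store[$token]['views']), " view(s) of ", $store[$token]['message_id'], "\n";
```

Read the result as a lower bound with noise in both directions: clients that block remote images never fire the beacon, and image-proxying webmail can fetch it without a human ever opening the message.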
Read the full article

Updates and birth of a new MVC Framework

Hello friends.

Sorry for the lack of posts these days. I've been working hard on finishing the WebTodo project (in Brazilian Portuguese).

This project was a kickstart for my own MVC framework. As mentioned in a previous article, I was not comfortable with the idea of using one of the existing MVC frameworks because I'm a little paranoid about not having exact (and full) control of my code. The only way to assure quality was to code every piece myself.
Read the full article

Truths and myths on the web development world

We've all seen the most diverse kinds of articles: "Best web development ________", "Applications to aid agile web development"... ah, that word "agile"...

The thing that worries me about all this buzz is that it's all partial. I'm not crucifying anyone, but it's what you'd expect: if the writer is a Windows user, the article will be about Windows software and practices. (You can keep reading, this is not a Windows vs. Linux post.)

Read the full article