PHP is a powerful and easy language to learn. As a developer, you must use that power in a safe and effective manner. While being easy to learn means that it is easy to pick up, it also means that you may not have any experience with writing secure code. Writing secure code is a must, however, if you do not want your server to be compromised, user data stolen, your site destroyed, or quite possibly worse. In this article, you will learn about writing more secure PHP code.
Stuff that is directly related to coding.
Web Forms 2.0
I’ve recently picked up the task of implementing part of the Web Forms 2.0 spec from the WHATWG. So far I’ve got some work done on the RepetitionEvent Model and the RepetitionElement interface.
Well, my initial plans were to use XBL to implement a large portion of the code as per conversations with my co-conspirator Alex. Well, bz brought up an intersting point – XBL isn’t applied to elements that have a CSS property of display:none. Well, seeing as how repetition templates are supposed to be hidden with that CSS property, I couldn’t use XBL.
As a result, I get to test my knowledge of C++. Yey! I’d like to state right now that my skills in C++ are not great. In fact, I have very little expereice with it. I mean, I only have had two classes in C++, and one was a very basic course. I feel it goes without saying that I really have my work cut out for myself.
All is not lost, however. There are some really useful tools that are making this so much easier. For example, lxr lets me easily look at existing code and see how things are done the “right” way. Then, there is always a ton of documentation available on Devmo, XUL Planet, and occasionally Google comes into play. Then of course I always have the wonderful folks on irc in #developers. Folks like biesi, bz, and timeless have helped me countless times, and I am really greatful.
This is going to be a long and and winding road, but it will be very beneficial for me. I’ve already learned a lot, and I’ve got a lot more to learn.
My First Bug
That’s right! My first bug reported for Firefox, bug 331807.
The bug has to deal with a security error that isn’t an error in the current version of Firefox, but is an error in Bon Echo, the alpha release of Firefox 2.0. It’s a good thing that I test these things, as that would have been a big monkey wrench once 2.0 came out. I’ve found a workaround for it, but I fear that the workaround leaves the same security hole open that was patched in Bon Echo.
Regrettably, it also happens to be bug that kills the main feature of my most popular extension, RTSE. It will also kill the main feature in an extension I’ve been planning to make. Can we say ‘Curses’ anyone? Of course, this won’t affect Firefox 1.5.0.*, so those of you who uses the stable builds of Firefox will have nothing to worry about for some time.
I’ll keep updating this in the comments for anyone that is interested.
The a ping Attribute
There has been a recent outcry from many users of Firefox when it was learned that developers implemented the
ping attribute for the
a element. Personally, I think people are overreacting, and I hope to present a list of reasons why this is a good thing as opposed to the ‘evil’ thing that many are portraying it as.
For background information, this attribute is spec’d out by WHATWG, who, as stated on their website, are “a loose unofficial collaboration of Web browser manufacturers and interested parties who wish to develop new technologies designed to allow authors to write and deploy Applications over the World Wide Web.”
ping attribute is supposed to allow tracking of what links a user clicks on. Now, many might say “Woah, I don’t want my clicking to be tracked!” However, I can assure you that many websites already do this. The catch is that they don’t exactly inform you that they are doing it. The idea of this spec is to make this easier for developers to do, but at the same to have User Agents (i.e. browsers) give the user options. The whole spec can be found here, but in summary, the benefits of this attribute to the user are numerous.
- It will allow the user to see the final target location plainly
- It will allow the browser to send the ping when the user isn’t actively loading a page so that the target page loads faster
Maybe it’s just me, but it seems to me that this is a good thing. By making things easier for developers, they’ll probably use it (especially once a few other browsers pick it up), and by doing so give the users more control over their privacy. It seems as though most people just pick out the fact that it is now easier for websites to track where you are going, and are completely overlooking the fact that it gives the user a lot more control. Even with this though, I think most people probably won’t care, but will get the added security of easily knowing when they are being tracked. For me, that is significantly better than the current situation on the web.
Syntax Bug, or Program Bug?
So, while coding today I came across a very strange bug in PHP. It seems as though subtracting two arrays will return null.
However, if I wrap that in the floor() function, it works as expected.
Go figure. Took me 30 minutes to find that annoying bug.