Tuesday, November 27, 2007

Whitelist vs Blacklist

When thinking about security, and about validating and filtering data, we have two options: decide what to allow, or decide what to prohibit.

On the one hand, you can use a filter against XSS attacks that is based on a regular expression searching for JavaScript code (either script tags or attributes such as onload, onclick, onmouseover...). This is a blacklist: we list the code that is not allowed.

On the other hand, you can allow only HTML tags such as b, i, u... and strip every other tag. That is a whitelist: we limit what the user is allowed to do.

What is preferable?

With a blacklist you have to think of every possible attack that could occur. This is a risk, since if an attacker thinks of a method we did not think of, we have a huge problem. If instead we use a whitelist, the user's input is accepted only if it meets the standard we permit, which should make it much less probable that an attack succeeds.

The disadvantage of a whitelist, on the other hand, is that we may filter out or reject some input that is actually valid.

So with a blacklist we are more likely to fall victim to attacks by malicious hackers, while with a whitelist we may leave users unable to submit perfectly correct entries.

Personally, I think the second option is the best, because its consequences are less severe.
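As an added example (not code from the original post), here are the two approaches side by side in PHP, run over a few constructed inputs. The allowed tags b, i, u are the ones the post names; the regular expressions in the blacklist are my own assumption of what such a filter would contain.

```php
<?php
// Added example, not part of the original post. Inputs below are constructed samples.

// Blacklist: remove the patterns we know about (script tags and on* handlers).
// Anything we did not anticipate passes through untouched.
function blacklist_filter(string $html): string
{
    $html = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
    $html = preg_replace('#\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    return $html;
}

// Whitelist: escape everything, then re-enable only the bare <b>, <i>, <u> tags.
// Any other tag, and any allowed tag carrying attributes, stays escaped as literal text.
function whitelist_filter(string $html): string
{
    $escaped = htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
    foreach (['b', 'i', 'u'] as $tag) {
        $escaped = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $escaped
        );
    }
    return $escaped;
}

$samples = [
    'Some <b>bold</b> and <i>italic</i> text',                 // valid formatting: both keep it
    'A <a href="http://example.com">link</a> the user wanted', // valid but unanticipated: blacklist keeps it, whitelist escapes it
    'Hello <script>doSomething()</script> world',              // the case the blacklist knows: both neutralise it
];

foreach ($samples as $input) {
    echo "input:     $input\n";
    echo "blacklist: " . blacklist_filter($input) . "\n";
    echo "whitelist: " . whitelist_filter($input) . "\n\n";
}
```

The second sample is the post's trade-off in one line: the blacklist lets the link through because nobody thought to forbid it, and the whitelist rejects it because nobody thought to allow it.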

Thursday, November 22, 2007

Mixing array with objects

The SPL extension lets us use objects as arrays. One way is to use the predefined class ArrayObject. Another is to implement the ArrayAccess interface so that our data can be accessed as if it were an array. An example of this:

<?php
class MyArray implements ArrayAccess
{
    private $data;

    public function __construct($array = array())
    {
        $this->data = $array;
    }

    // called for $obj[$key]
    public function offsetGet($key)
    {
        return $this->data[$key];
    }

    // called for $obj[$key] = $value
    public function offsetSet($key, $value)
    {
        $this->data[$key] = $value;
    }

    // called for isset($obj[$key])
    public function offsetExists($key)
    {
        return isset($this->data[$key]);
    }

    // called for unset($obj[$key])
    public function offsetUnset($key)
    {
        unset($this->data[$key]);
    }

    // a method of our own, available alongside the array-style access
    public function avg()
    {
        if (count($this->data) > 0) {
            return array_sum($this->data) / count($this->data);
        }
        return null;
    }
}

$array = new MyArray(array(1, 2, 3, 4));
echo (int)isset($array[0]); // 1
echo $array[0];             // 1

unset($array[1]);
echo (int)isset($array[1]); // 0
echo $array[1];             // throws an ugly notice: undefined offset 1

$array[1] = 4;
echo (int)isset($array[1]); // 1
echo $array[1];             // 4

echo $array->avg();         // (1 + 3 + 4 + 4) / 4 = 3

Tuesday, November 13, 2007

Find out if a function was called with a parameter default value

A function can have optional arguments. They are made optional by giving them a default value. For example

function test($key, $value = null)

But how can we tell whether this function was called with only one parameter, or with two where the second happens to equal the default?
The solution is not obvious, but it is not difficult either... We simply need to find out how many arguments were passed to the function when it was called:

<?php
function test($key, $value = null)
{
    // func_num_args() counts the arguments actually passed by the caller,
    // so a default value that was never passed is not counted
    if (func_num_args() > 1) {
        echo '$value is sent', "\n";
    }
}

test('1', null); // prints "$value is sent"
test('1');       // prints nothing

Thursday, November 8, 2007

Naming dates (not in English)

It is very common to run into the problem of wanting to write "November 8, 2007" in a language other than English... In general a switch is used to translate the name of the month, but there is a much simpler way. PHP lets us configure the locale, and the "regional" settings such as language, currency and number format then follow it.

To do so, we must first set the locale with setlocale, and then we can format the date with strftime.

Example

<?php
// Spanish locale: setlocale tries the candidates in order and returns false if none exists.
// LC_TIME only affects date formatting (LC_ALL would also switch the decimal separator).
setlocale(LC_TIME, 'es_ES.UTF-8', 'es_ES', 'es');
echo strftime('%d de %B de %Y'); // e.g. "08 de noviembre de 2007"
?>

Monday, November 5, 2007

States game

Game:

Take the names of two U.S. States, mix them all together, then rearrange the letters to form the names of two other U.S. States.

My solution

Any suggestion?