PHP Security, the oxymoron

Well now that some of you have met me from OSCON, you are probably thinking to yourself, “What’s the deal with your blog? There is no PHP in there, you poser.”

How true.

I better start writing some stuff, before they kick me out of the “all-star PHP line up”.¹

I think that when most people hear “PHP” and “security” used in the same sentence, it seems about as out-of-place as, say, putting “Rasmus” and “Terry” in the same sentence. Basically this thread summarizes how most people view PHP security.

I suppose the first thing I need to do in order to defend the honor of PHP is say that these losers have their own agenda: foisting Java or dotNet as “real” and “enterprise”², or perhaps they’re just sore because PHP book sales are going up at their expense.

Nothing works better than a good ad hominem, I always say.

Well I suppose for the three of you left unsatisfied with my deconstruction, I should go through the tedious task of addressing the actual complaint which boils down to:

“PHP has the worst security history of any language.”
“PHP shoves a mess of shit into the global namespace” (or other assorted digs on register globals).
“PHP doesn’t have the concept of a prepared statement.”
“PHP security cures (magic quotes, safe mode, stripslashes) are sometimes worse than the disease.”

Continue reading →

Posted on August 10, 2005 by tychay 37

Non-Intuit(ive) UI

Dear Intuit,

Wonder why so many mac users hate you? Here it is in a single screen shot:

Continue reading →

Posted on June 29, 2005 by tychay 4

HTML Overlays are bollix

Dru pointed out HTML Overlays which are the application of XUL Overlays (for Firefox and Thunderbird) to HTML.

Basically the idea is to break up a document into two groups:

The parts that change.
The parts that don’t (like the template).

The first group is actually delivered in the requested document. The second group is dynamically inserted by Javascript. The idea is that the script and the static parts will be cached on the browser, greatly reducing bandwidth and the load of the server.
Continue reading →

Posted on June 16, 2005 by tychay 1

Sparklines

Bill mentioned that Edward Tufte has posted a chapter from his new book, Information Design about how good information design can distill multiple parameters into immediately comprehensible and intuitive information (sounds like his other two books).

<blockquote

“Also check-out Page 6, where he displays the win/loss record for an entire season for the Baltimore Orioles (162 games) inline with the text. Also notice how he uses just one additional color (red) to highlight unique data. This is great stuff.”
—Bill Tani
Continue reading →

Posted on June 15, 2005 by tychay 0

“God’s Own” AppleScript?

About a year ago, when Tiger was in Public Beta, Thies told me to check out Automator. I didn’t get around to it because Thies is in the habit of saying things like, “Skype is God’s Own phone.” When everything is “God’s Own” X, then saying something like, “Automator is cool” isn’t going to get me jumping onto BitTorrent, especially since I never grokked AppleScript.

Earlier this year, I gave a talk in Vancouver. After Cal, the lead developer of Flickr, complimented me on it, I decided to see his talk. Okay, so his doesn’t have cool Keynote transitions like mine, but in terms of content, it totally rocks. What he and Ludicorp were able to do building Flickr is textbook case of why LAMP rules in the right hands. Go see his talk! I was impressed.

I registered for Flickr.

Continue reading →

Posted on June 15, 2005 by tychay 7

OSCON 2k5: PHP talks announced.

Chris Shiflett has a nice overview of the “talks that made the cut” for OSCON 2k5 (complete list) and I’m happy that I made the list (and thankfully they’ve only taken one of my talks).

Now if I follow my previous modus operandi, I can expect to finish the talk about 5 minutes before I have to give it.¹ But it’ll be good so you better come see it!
Continue reading →

Posted on May 23, 2005 by tychay 2

T-Mobile's web security

It made all the websites yesterday that Paris Hilton’s T-Mobile Sidekick got hacked leading to a public viewing of her cell phone pictures (some on the pornographic side) and hundreds of crank phone calls to famous people who had the misfortune of being in her address book.

I remember the first time this happened it led to an amusing sound bite:

“It became obvious to her what was going on. She was pretty upset about it. It’s one thing to have people looking at your sex tapes, but having people reading your personal e-mails¹ is a real invasion of privacy.”

But since I work for a company whose whole business is managing people’s customer data, I am more curious about the security hole that lead to the hack. Continue reading →

Posted on February 23, 2005 by tychay 1

Another (PHP) Framework

Last month I read Adam’s call OSCON papers. I mention this today because I have to submit something this weekend, but I remember reading something funny.

As usual, they’re desperate for PHP papers. In fact, the only thing they won’t take is a paper about your database abstraction layer or “Yet-Another-CMS“. I find this amusing and true. There are way too many PHP Frameworks out there. Sure PHP-Nuke/PostNuke/XOOPS are great for making a website if you don’t know PHP or have design sense, but knowing any PHP is worse than useless—the more PHP you know, the more offensive they become.

Continue reading →

Posted on February 12, 2005 by tychay 8

The Woodwork

You tell that other boy, not to touch the woodwork

The Woodwork

Category: web development

PHP Security, the oxymoron

Non-Intuit(ive) UI

HTML Overlays are bollix

Sparklines

“God’s Own” AppleScript?

OSCON 2k5: PHP talks announced.

T-Mobile's web security

Another (PHP) Framework