PHP Security, the oxymoron

Well, now that some of you have met me at OSCON, you are probably thinking to yourself, “What’s the deal with your blog? There is no PHP in there, you poser.”

How true.

I’d better start writing some stuff before they kick me out of the “all-star PHP line-up”.1

I think that when most people hear “PHP” and “security” used in the same sentence, it seems about as out-of-place as, say, putting “Rasmus” and “Terry” in the same sentence. Basically this thread summarizes how most people view PHP security.

I suppose the first thing I need to do in order to defend the honor of PHP is say that these losers have their own agenda: foisting Java or dotNet as “real” and “enterprise”2, or perhaps they’re just sore because PHP book sales are going up at their expense.

Nothing works better than a good ad hominem, I always say.

Well, I suppose for the three of you left unsatisfied with my deconstruction, I should go through the tedious task of addressing the actual complaints, which boil down to:

  1. “PHP has the worst security history of any language.”
  2. “PHP shoves a mess of shit into the global namespace” (or other assorted digs at register_globals).
  3. “PHP doesn’t have the concept of a prepared statement.”
  4. “PHP security cures (magic quotes, safe mode, stripslashes) are sometimes worse than the disease.”
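
The last three complaints are easiest to see in code. The following is an added example, not code from the original post: it imitates register_globals with extract() (the real setting can only be changed in php.ini, so it cannot be toggled in a script), contrasts addslashes(), which is what magic_quotes_gpc applied to every request value, with a PDO prepared statement, and uses an in-memory SQLite database so that it runs offline. The request parameters, table, rows and hostile input are all constructed for the illustration.

```php
<?php
// Added example (not from the original post): the register_globals hazard
// and prepared statements versus magic_quotes, runnable offline with
// PDO + SQLite. All inputs and data below are constructed.

// --- 1. register_globals: an uninitialized variable is attacker-controlled.
$_GET = ['user' => 'guest', 'authorized' => '1'];   // constructed: ?user=guest&authorized=1

function check_login_broken()
{
    // register_globals copied every request parameter into the global
    // scope; extract() is our stand-in for that behaviour.
    extract($_GET);
    if ($user === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);        // the client's "authorized=1" wins
}

function check_login_fixed()
{
    $authorized = false;               // always initialize before use
    $user = isset($_GET['user']) ? $_GET['user'] : '';   // read input explicitly
    if ($user === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

var_dump(check_login_broken());   // bool(true): "guest" is authorized
var_dump(check_login_fixed());    // bool(false)

// --- 2. magic_quotes (addslashes) versus a prepared statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

$input = "' OR '1'='1";   // constructed hostile input

// Raw interpolation: the WHERE clause becomes  name = '' OR '1'='1'
$rows = $db->query("SELECT name FROM users WHERE name = '$input'")
           ->fetchAll(PDO::FETCH_COLUMN);
echo count($rows), " rows via string interpolation\n";   // 2: whole table

// addslashes() is exactly what magic_quotes_gpc did to every GPC value.
// Backslash escaping is a MySQL convention: SQLite does not understand it,
// so this query errors out instead of matching. On MySQL it can also be
// bypassed with multibyte charsets and it double-escapes data that is
// escaped again, which is why the "cure" is often worse than the disease.
try {
    $db->query("SELECT name FROM users WHERE name = '" . addslashes($input) . "'");
    echo "magic-quoted query ran\n";
} catch (PDOException $e) {
    echo "magic-quoted query rejected by SQLite: backslash escaping is not a defense\n";
}

// Prepared statement: the value is bound as data and never parsed as SQL.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo count($rows), " rows via prepared statement\n";   // 0
```

The same bound-parameter API exists in mysqli (prepare/bind_param/execute), so the fix for the third and fourth complaints is the same: initialize every variable you read, take input from the superglobals explicitly, and let the database driver separate code from data instead of escaping strings yourself.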


HTML Overlays are bollix

Dru pointed out HTML Overlays, which apply the idea of XUL Overlays (from Firefox and Thunderbird) to HTML.

Basically the idea is to break up a document into two groups:

  1. The parts that change.
  2. The parts that don’t (like the template).

The first group is actually delivered in the requested document. The second group is dynamically inserted by JavaScript. The idea is that the script and the static parts will be cached by the browser, greatly reducing bandwidth and server load.

Sparklines

Bill mentioned that Edward Tufte has posted a chapter from his new book, Information Design, about how good information design can distill multiple parameters into immediately comprehensible and intuitive information (sounds like his other two books).

“Also check-out Page 6, where he displays the win/loss record for an entire season for the Baltimore Orioles (162 games) inline with the text. Also notice how he uses just one additional color (red) to highlight unique data. This is great stuff.”
—Bill Tani

“God’s Own” AppleScript?

About a year ago, when Tiger was in Public Beta, Thies told me to check out Automator. I didn’t get around to it because Thies is in the habit of saying things like, “Skype is God’s Own phone.” When everything is “God’s Own” X, then saying something like, “Automator is cool” isn’t going to get me jumping onto BitTorrent, especially since I never grokked AppleScript.

Earlier this year, I gave a talk in Vancouver. After Cal, the lead developer of Flickr, complimented me on it, I decided to see his talk. Okay, so his doesn’t have cool Keynote transitions like mine, but in terms of content, it totally rocks. What he and Ludicorp were able to do building Flickr is a textbook case of why LAMP rules in the right hands. Go see his talk! I was impressed.

I registered for Flickr.


T-Mobile's web security

It was all over the web yesterday that Paris Hilton’s T-Mobile Sidekick got hacked, leading to a public viewing of her cell phone pictures (some on the pornographic side) and hundreds of crank phone calls to famous people who had the misfortune of being in her address book.

I remember that the first time this happened, it led to an amusing sound bite:

“It became obvious to her what was going on. She was pretty upset about it. It’s one thing to have people looking at your sex tapes, but having people reading your personal e-mails1 is a real invasion of privacy.”

But since I work for a company whose whole business is managing people’s customer data, I am more curious about the security hole that led to the hack.

Another (PHP) Framework

Last month I read Adam’s call for OSCON papers. I mention this today because I have to submit something this weekend, but I remember reading something funny.

As usual, they’re desperate for PHP papers. In fact, the only thing they won’t take is a paper about your database abstraction layer or “Yet-Another-CMS”. I find this amusing and true. There are way too many PHP frameworks out there. Sure, PHP-Nuke/PostNuke/XOOPS are great for making a website if you know neither PHP nor design, but knowing any PHP is worse than useless—the more PHP you know, the more offensive they become.
