Web Development

Zend Framework 1.0.0 released

On Monday, the Zend Framework team announced the first production release of its open source, community-driven framework. I’ve watched this framework grow since version 0.2.0, and many, many things have changed. I have actually been using the framework in production since version 0.6.0. Well, I shouldn’t say I’ve been using the whole framework. There are pieces of it which have proven very useful since almost its conception. For instance, we’ve already relied heavily on its front controller, session handling, authentication, and several other components. So far, though, we’ve been hesitant to rely too much on the framework as a whole, because it has been something of a moving target. Now that the framework is officially released, the developers have an obligation to keep a stable API, so we’ll likely be integrating it into our projects quite a bit more. I imagine that for those same reasons, other companies will start using it as well. This means we’ll likely see more (or at least better) documentation, tutorials, and innovation surrounding this framework.

The thing I’ve always loved about this framework is that it doesn’t lock you into using more than you want to. For instance, I’ve never cared for the framework’s input validation components, but since the framework is so loosely coupled, it is trivial for me to use a home-baked solution. The same goes for its mail component. I have been a happy swiftmailer user for almost a year now, and I don’t plan on abandoning it simply because my framework has its own mail component. Luckily, this framework doesn’t make me!

Andi Gutmans (co-founder of Zend) has written a blog post regarding the release as well, and I imagine he has significantly more beneficial information, so be sure to check that out.

You can download the new release or even help with a future one at the framework’s homepage. Oh, and happy Zend Frameworking!

$_SERVER['PHP_SELF'] can not be trusted, but there are safe alternatives

I spend a good deal of time reading about PHP security over at the PHP Developer’s Network forums. Of the many discussions I have had over there, I recall one in particular that really opened my eyes to how easy it can be to overlook a very serious security issue. As you may know, there is a predefined array of server-related variables in PHP, aptly named $_SERVER. For years I used a certain element, “PHP_SELF”, within this array in instances where I needed to output what page I was currently working within. One of the most common of such instances is when you need to tell a form to post back to itself (a very common practice in PHP).
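As an added illustration (not code from the original post), the following PHP shows why the raw value of $_SERVER['PHP_SELF'] should not be echoed into markup, and two safer ways to build a self-posting form action. The function names (safe_self, script_self) and the sample path are my own constructions.

```php
<?php
// Added example, not from the original post.
// PHP_SELF reflects the request path, including any extra path info a
// client appends after the script name, so echoing it unescaped into an
// attribute lets request data break out of that attribute.

// Safe option 1: escape PHP_SELF for an HTML attribute context.
// ENT_QUOTES covers both single and double quotes.
function safe_self(string $self): string
{
    return htmlspecialchars($self, ENT_QUOTES, 'UTF-8');
}

// Safe option 2: avoid request-derived path data altogether.
// SCRIPT_NAME is the server's path to the executing script and never
// carries the client's PATH_INFO; escaping it is still good hygiene.
function script_self(): string
{
    return htmlspecialchars($_SERVER['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Constructed sample: what PHP_SELF would hold if /form.php were requested
// with extra path info after the script name.
$constructed_self = '/form.php/"><i>injected</i>';

// Unsafe: the quote in the sample closes the attribute early.
echo 'Unsafe: <form action="' . $constructed_self . "\">\n";

// Safe: quotes and angle brackets are rendered as entities.
echo 'Safe:   <form action="' . safe_self($constructed_self) . "\">\n";

// Simplest of all: an empty action posts back to the current URL.
echo "Safest: <form action=\"\">\n";
```

Of the three, the empty action is the least error-prone because it prints no request-derived data at all; when you do need the path (for example, to build an absolute link), prefer SCRIPT_NAME over PHP_SELF and escape it anyway.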

HTML Purifier v2.0.0 released

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.

HTML Purifier allows developers to accept HTML and output it on their web sites without the worry of cross-site scripting attacks. Not only that, but it also outputs standards-compliant XHTML. This is a major innovation, considering it will allow developers to create WYSIWYG editors for their clients and still have websites that validate.

More to come on this soon, but for now, check out the HTML Purifier website and the demo page. Also, if you like this library and would like to help promote it, you can vote for it at DZone, Reddit, Digg and/or del.icio.us. You may also sport this sexy HTML Purifier icon on your website!

Powered by HTML Purifier

<a href="http://htmlpurifier.org/"><img
src="http://htmlpurifier.org/live/art/powered.png"
alt="Powered by HTML Purifier" border="0" /></a>
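As an added example of the whitelist approach described above (not from the original post or the HTML Purifier project), here is a thin wrapper around the library's purify() call. It assumes the library is installed and that HTMLPurifier.auto.php is on the include path; that include file and the names of the constructed sample inputs are assumptions, while HTMLPurifier, HTMLPurifier_Config::createDefault() and purify() are the library's real API.

```php
<?php
// Added example, not from the original post.
// Assumption: HTMLPurifier.auto.php (shipped with the library) is on the
// include path. Adjust the path to wherever the library is installed.
require_once 'HTMLPurifier.auto.php';

// Build one purifier and reuse it; construction is the expensive part.
function make_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    return new HTMLPurifier($config);
}

// Returns markup that passes the library's whitelist: unknown or
// dangerous elements and attributes are dropped, the rest is well-formed.
function clean_user_html(HTMLPurifier $purifier, string $dirty): string
{
    return $purifier->purify($dirty);
}

$purifier = make_purifier();

// Constructed sample inputs: benign formatting and an unclosed tag.
$samples = [
    '<p>Hello <b>world</b>',
    '<p>Link: <a href="http://example.com/">example</a></p>',
];

foreach ($samples as $dirty) {
    echo clean_user_html($purifier, $dirty), "\n";
}
```

Note that the default configuration is permissive in the sense that it keeps ordinary formatting and links; tightening it further (for example, restricting the allowed elements) is done through the HTMLPurifier_Config object before the purifier is constructed, and the exact directive names depend on the library version, so consult the release's own documentation.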

Cross-site scripting precautions within Miva SMT templates

As I’ve grown familiar with Miva Merchant, I’ve become very wary of Miva SMT entities. SMT entities are basically to Miva Merchant what variables are to any other language. If you have developed anything in PHP, you are likely aware of the security implications of having register_globals turned on. In Miva Merchant, the same sort of implications exist because Miva Merchant converts all CGI environment variables into SMT entities (variables) upon startup.

Zend’s DevZone announces new podcast for PHP developers

Zend, the company behind the insanely popular PHP scripting language, has announced a new podcast specifically for PHP developers. It’s called “PHP Abstract” and so far, it’s provided some pretty useful tips. The episodes I’ve heard so far definitely seem to be geared towards security and good practices for PHP newcomers or those who are not particularly up to speed on PHP security issues. To quote Cal Evans at devzone.zend.com,

We will be covering a broad range of topics. From security to project planning and hiring good developers and much more.


Protecting your users from themselves

I think we all know that security on the internet, as well as anywhere else, is a big deal. As a web developer, it is your job to protect your users’ data from identity thieves and ill-intentioned e-villains. One thing you’d be wise to remember though, is that generally a user’s biggest enemy is himself. It is all too easy to forget that not everybody takes security as seriously as you do. Most people won’t even consider security until it bites them in the arse, and when it does, guess who they’re going to blame.


Why you should or should not use clean URLs

While perusing various web forums, I see the subject of clean URLs come up quite often, and it seems there is quite a bit of hype and misunderstanding surrounding this topic. In this article, I’d like to nail down precisely what clean URLs are and why you should or should not use them for your particular situation.


Using jQuery with other JavaScript libraries

I recently discovered an amazing JavaScript library called jQuery by John Resig. It is so well written that it makes even those who hate JavaScript (like myself) enjoy writing it. Its philosophy is “Find things, do stuff”, and it couldn’t possibly be more true to that statement. What I love so much about it is that it can do in five lines what would have normally taken twenty.

jQuery uses the dollar sign as a function name, followed by a “query” used to “find things” to “do stuff” to. The problem with this is that other widely used JavaScript libraries use the dollar sign for their function names as well. One such library is Prototype. Prototype uses the dollar sign as a shortcut to document.getElementById. So, when I need to use both jQuery and Prototype, what do I do? Well, jQuery has provided a handy little method called noConflict() to deal with just such an issue. To remedy an issue where the dollar sign function names conflict, you simply assign jQuery.noConflict() to something such as $j and then use that instead of the dollar sign.