PHP, Zend Framework and Other Crazy Stuff
Archive for September, 2012
Zend Framework ElePHPants Available to Pre-Order - They’re Green!
Sep 25th
Blue PHP ElePHPant plush toys are so yesterday. Ben Scholzen (you might know him as DASPRiD on IRC/Twitter) is now taking pre-orders for green Zend Framework ElePHPants. Yes, they are green. Yes, they have “ZF” printed on them. No, they are not a repository of Zend Framework knowledge. We tried really hard, but Intel insists that magical toys from the future are not real. Thank you for getting my hopes up, Mimzi. Stupid rabbit.
Ben needs to reach a minimum production order of 1000 small ZF ElePHPants and is currently hovering at around 200 after the weekend. If you, your user group, or your pet poodle want one of these, visit Ben’s pre-order page for more information.
The ZF ElePHPant is great for numerous reasons. Once you’ve finished admiring it, you can place it anywhere on your desk. It can sit on your monitor, on a stack of programming books, or dangle from some string to distract the cat which tramples all over your keyboard sending embarrassing emails in search of ear scratching. Cats are easy.
Due to production issues, Gamma Ray exposure will also result in a surplus of large green ZF ElePHPants for those with gigantic desks or pet tigers. We are not responsible for anything that occurs if you anger the ElePHPant.
http://elephpants.dasprids.de/
PHP Escaper RFC: Consistent Escaping Functionality For Killing XSS
Sep 18th
A short time ago today, I submitted a PHP RFC for discussion which proposes adding to PHP an SPL Escaper class and, quite possibly, a related set of functions dedicated to escaping data for output to HTML/XML.
https://wiki.php.net/rfc/escaper
The RFC itself should be a good read if you want to understand why I’m proposing this, but the basics are quite simple. Cross-Site Scripting (XSS) is one of the two most common security vulnerabilities in web applications, the other being SQL Injection. Despite this, PHP’s offering of escaping functions is extremely limited. We can escape HTML body output with htmlspecialchars(), but this still requires a wrapper function to make it safe, which most programmers don’t bother using. JavaScript and CSS escaping is not implemented anywhere in PHP. In fact, there are many ways of escaping JavaScript in userland code; I know of at least a dozen variations by now, all of them wrong.
The RFC resolves all of this by proposing the implementation of these escaping strategies in PHP’s core, where they can be implemented just once for absolutely everybody in a consistently named fashion. No more userland functions of varying quality and efficacy. No more confusion over how to escape JavaScript correctly. No more juggling iconv and mbstring to ensure escaping supports multiple character encodings. No more forgetting to set htmlspecialchars()’s third parameter because you bought into the Great Ascii Delusion!
Programmers would have one perfect option that clears up the confusion, ignorance and poor practices that are evident throughout PHP’s community.
You’d just have to remember to use it.
Zend Framework 2.0 and Symfony 2’s Twig are already using the userland version of this RFC written in PHP. That’s great if you use those frameworks. Everyone else, including those with far less awareness of good security practices, is better off with a faster core PHP implementation which can be used by every framework, library and application with minimum effort. Let’s make escaping the right way easy.
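To make the two complaints above concrete, here is a small userland escaper added for this post (it is not code from the RFC, Zend Framework 2 or Twig): it shows what the htmlspecialchars() wrapper has to get right, and what a context-specific JavaScript escaper looks like. The class name, the sample inputs and the allowed-character set are my own choices.

```php
<?php
// Added example; not the RFC's code nor the Zend Framework 2 / Twig implementation.

final class MiniEscaper
{
    private $encoding;

    public function __construct($encoding = 'UTF-8')
    {
        $this->encoding = $encoding;
    }

    // HTML body/attribute context. Without ENT_QUOTES the single quote is
    // left alone (on PHP before 8.1), and without the charset argument the
    // function may mishandle multibyte input: the "Great Ascii Delusion".
    public function escapeHtml($s)
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, $this->encoding);
    }

    // JavaScript string-literal context. Every character that is not
    // alphanumeric (or one of , . _) is emitted as \xHH or \uHHHH, so no
    // quote, angle bracket or line terminator can break out of the literal.
    public function escapeJs($s)
    {
        $utf8 = mb_convert_encoding($s, 'UTF-8', $this->encoding);
        return preg_replace_callback(
            '/[^a-zA-Z0-9,._]/u',
            function (array $m) {
                // UTF-16BE yields surrogate pairs for code points above 0xFFFF,
                // which is exactly what JavaScript's \u escapes expect.
                $hex = strtoupper(bin2hex(mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8')));
                if (strlen($hex) === 4 && hexdec($hex) < 0x100) {
                    return '\\x' . substr($hex, 2);
                }
                return '\\u' . implode('\\u', str_split($hex, 4));
            },
            $utf8
        );
    }
}

$e       = new MiniEscaper();
$attr    = "' onmouseover='x";        // constructed sample: attribute break-out attempt
$literal = '"><b>é</b> </script>';    // constructed sample: JS string break-out attempt

echo htmlspecialchars($attr), PHP_EOL;   // the bare call most code uses
echo $e->escapeHtml($attr), PHP_EOL;     // with ENT_QUOTES and an explicit charset
echo $e->escapeJs($literal), PHP_EOL;    // safe inside a JS string literal
```

Run it on both a PHP 8.1+ and an older interpreter to see the first line differ while the wrapper's output stays the same.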