Safely Letting Specific HTML Tags Through Sanitization in PHP

How To | April 20th, 2010

Sometimes you want to let your users express themselves and style their input—whether it be comments, stories, or whatever else—with a few HTML tags. The trick is doing this without letting through all sorts of bad mojo. There are many ways to do this, some more complicated than others. I’ve devised a fool-proof way to accomplish it. While this can work with any tag (i.e. turning [b] into <b>), in this example I’ll be selectively letting through actual HTML tags rather than aliases. I like to think that by letting users use real HTML tags I might one day help a computer semi-literate learn the fundamentals of HTML. Who knows?
(more…)
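As an added example (not the post’s own code), here is one way to let a fixed set of tags through: escape the whole input first, then restore only whitelisted, attribute-free tags. The function name, the default whitelist and the sample strings are my own choices; tags carrying attributes (event handlers, styles) never match the restore pattern, so they stay escaped.

```php
<?php
// Added example, not the original post's code: escape everything, then
// re-enable only an explicit whitelist of tag names with no attributes.

function allow_tags(string $input, array $allowed = ['b', 'i', 'em', 'strong', 'p']): string
{
    // Step 1: neutralise every tag and entity so nothing the user typed is live HTML.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: turn back only "<name>" and "</name>" for whitelisted names.
    // Because the pattern ends right after the name, an escaped
    // "&lt;b onmouseover=...&gt;" does not match and remains inert text.
    $names   = implode('|', array_map('preg_quote', $allowed));
    $pattern = '#&lt;(/?)(' . $names . ')&gt;#i';

    return preg_replace($pattern, '<$1$2>', $escaped);
}

// Constructed sample inputs (not from the post).
$samples = [
    'I <b>really</b> like this & that',
    '<script>alert("x")</script> and <b>bold</b>',
    '<b onmouseover="x()">hover</b> but <em>this</em> is fine',
];

foreach ($samples as $s) {
    echo allow_tags($s), "\n";
}
```

Running it shows the ampersand and the script tag coming out as entities, the plain <b> and <em> restored, and the <b> with an attribute left escaped (its bare </b> is restored on its own, so the whitelist does not balance tags; that is a rendering nuisance, not a security problem, because nothing but bare whitelisted names is ever unescaped).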

Universal Before and After Input Sanitization in PHP with mysql_real_escape_string and stripslashes

How To | April 18th, 2010

Input sanitization can be a tricky thing. None (or too little) and you can find yourself a victim of the notorious SQL injection attack. Databases wiped out, system penetrated… that is not the place you want to see yourself, as your data is highly valuable and any leak can represent a major catastrophe–and possibly even lead to you losing your precious job. Too much and you’ll be faced with over-slashing, where escaped characters get escaped a second time, along with the escaping slash itself. It looks messy and poorly coded.

that's cool – Original input
that\'s cool – First sanitization (single apostrophe escaped)
that\\\'s cool – Second sanitization (single apostrophe and backslash both escaped)

It only gets worse from here.

Doing input sanitization on a per-line basis is sloppy and inefficient. It is asking for you to slip up and forget to sanitize. After all, you are only human. So why not save yourself the trouble and do a universal sanitization of all user input at the beginning of your script? Use the following PHP code at the very beginning of your script to save yourself a lot of trouble.
(more…)
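The over-slashing above, reproduced in an added example that is not the post’s code. It shows the stacking effect with addslashes, a strip-then-escape helper that stays idempotent (my own function name, with its caveat noted in the comments), and, as the alternative a practitioner would reach for today, binding the raw value as a query parameter so escaping happens once at the database boundary. The PDO part assumes the pdo_sqlite extension is available; mysql_real_escape_string itself was removed in PHP 7, which is another reason to prefer bound parameters.

```php
<?php
// Added example, not the post's code: over-slashing, an idempotent escape
// helper, and parameter binding as the boundary-time alternative.

function escape_once(string $value): string
{
    // Strip any escaping already applied (e.g. a legacy magic-quotes layer)
    // before escaping, so repeated calls cannot stack slashes.
    // Caveat: a legitimate backslash in the raw input is lost too, which is
    // one reason escaping at input time is fragile.
    return addslashes(stripslashes($value));
}

$original = "that's cool";
$once  = addslashes($original);   // one layer of escaping
$twice = addslashes($once);       // the over-slashing the post describes
$same  = escape_once($once);      // equals $once, however many times it runs

printf("original: %s\nonce: %s\ntwice: %s\nidempotent: %s\n",
    $original, $once, $twice, $same);

// Boundary-time approach: store the raw value and let the driver quote it.
// Assumes pdo_sqlite; an in-memory database keeps the example self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (body TEXT)');

$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $original]);   // no addslashes, no escape call

$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
printf("stored == original: %s\n", $stored === $original ? 'yes' : 'no');
```

The printed values walk through the post’s three stages; the round trip through the prepared statement returns exactly what the user typed, with the apostrophe intact and no slash ever added or removed.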

Hide PHP extension in URL using .htaccess

Server Administration | February 7th, 2010

What?

Hide the .php extension of your PHP files in the URL of your site address.

Instead of:
http://www.example.com/page.php
Visitors to your site will see:
http://www.example.com/page/

Why?

There are actually quite a few reasons to do this.

  • Make your URLs cleaner and easier to remember for visitors
  • Make dynamic pages appear static for SEO
  • Security by obscurity (albeit very weakly so)—visitors cannot tell as easily that you are using PHP
  • For fun (yay!)

(more…)
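For the rewrite itself, an added .htaccess fragment (not the post’s own rules). It assumes mod_rewrite is loaded, that AllowOverride permits FileInfo in this directory, and that the file sits at the document root; the allowed-character class in the pattern is deliberately narrow so a request cannot reach outside the directory or name anything but a plain page.

```apache
# Added example, not the post's rules. Assumes mod_rewrite is enabled,
# AllowOverride FileInfo applies here, and this file lives at the document root.
RewriteEngine On

# Send visitors who still use /page.php to /page/ so only the clean form is public.
# %{THE_REQUEST} holds the original request line, so the internal rewrite
# below never re-triggers this redirect.
RewriteCond %{THE_REQUEST} \s/([A-Za-z0-9_-]+)\.php[\s?]
RewriteRule ^ /%1/ [R=301,L]

# Serve /page/ (or /page) from page.php when that file exists.
# Only letters, digits, underscore and hyphen are accepted, so no dots,
# slashes or ".." segments can be smuggled into the file name.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}/$1.php -f
RewriteRule ^([A-Za-z0-9_-]+)/?$ $1.php [L]
```

Requests for real files and directories pass through untouched, and a clean URL whose page.php does not exist falls through to the normal 404 rather than being rewritten blindly.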