A Web Developer's Diary

Pro-tip: when to avoid addslashes() in PHP

6/29/2012

2 Comments

 
When peer reviewing PHP code, I often find dangerous uses of addslashes(). It is often believed this is a safe way of escaping user input before passing it to e.g. a SQL query, but in fact it's unsafe. If you find yourself using addslashes(), think twice if you are using it safely:
  • In a MySQL context, use mysql_real_escape_string() instead.
  • MySQLi has an identical mysqli_real_escape_string().
  • PDO provides it's own escape method PDO::quote().
  • PostgreSQL has a wide variety of escape functions: pg_escape_literal() for values, pg_escape_bytea() for columns of type bytea, pg_escape_identifier() is used for escaping identifiers (e.g. table, field names).
  • When trying to pass user input to the command line, use escapeshellarg() and escapeshellcmd() to escape the input.
  • When displaying non-HTML user input anywhere on a webpage, always use htmlentities() or htmlspecialchars().
  • This one is a little awkward, but I've seen it before so I thought it's worth mentioning: when including user input in URLs, use urlencode() instead of addslashes()!

If you have more suggestions for safe escaping, please leave them in the comments below. Happy safe coding!
2 Comments

Add an SPF DNS record to your Google Apps domain

6/29/2012

0 Comments

 
Adding an SPF TXT-record to your domain's DNS settings helps fighting spam. However, often there is a webserver that also wants to send mail using your domain as sender. Google's suggested SPF setting is not sufficient for this. Add (or replace if it already exists) this DNS TXT-record to your domain's DNS:
v=spf1 a include:_spf.google.com ~all
The only difference with the default value suggested by Google is the extra "a" after "v=spf1". Read Google's original instructions here. This extra "a" means that all IPs in the A-records of the domain are allowed to send mail. That should include your web server because your web server its IP is set in an A-record.
0 Comments

Minifying, Combining and Caching CSS and JS with Code Ingiter

6/29/2012

0 Comments

 
So you realised all these HTTP requests are taking up a lot of page load time? No worries! You'll be up to speed in no-time.

First download the improved version of the CI plugin Carabiner from github (or download zip), originally written by Tony Dewan and now maintained by Mike Funk. Copy the config and libraries folder into your CI installation by putting them in: application/third_party/carabiner/ and add the package to application/config/autoload.php by adjusting the auto loaded packages:
 $autoload['packages'] = array(APPPATH.'third_party/carabiner'); 
Make sure the application/third_party/carabiner/config/carabiner.php configuration file is set properly (e.g. make sure the cache path exists and is writeable) and you can test your first Minify/Combine/Cache experience using this example controller:
  
class TestCarabiner extends CI_Controller {
public function index() {
$this->load->library('carabiner');
$this->carabiner->css('file1.css');
$this->carabiner->css('file2.css');
$this->carabiner->js('file1.js');
$this->carabiner->js('file2.js');
$this->carabiner->display(); // output html which loads cached files
}
}
Besides using $this->carabiner->display() you can also use $this->carabiner->display_string() to get the HTML as a string instead of outputting it directly to the browser (e.g. so you can use it in a template). You can also call carabiner directly from a Code Igniter view using $this->carabiner->display(). Another useful function call is $this->carabiner->empty_cache('both', 'yesterday') which cleans up old cache files. Full documentation is available at this page.
0 Comments

Loading webfonts of Amazon CloudFront the right way

6/29/2012

21 Comments

 
When loading webfonts of Amazon's CDN Cloudfront, a problem arises in FF and IE9. The fonts are not rendered! This is because a header is missing and these browsers refuse to render them due to security reasons. The fix is really easy, add these lines to your .htaccess file:
 <FilesMatch "\.(ttf|otf|eot|woff|svg)$">
  <IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
  </IfModule>
</FilesMatch>
Then the next step is to invalidate the font files that are cached on the CDN (you can do this through the AWS control panel). Wait until CloudFront refreshes the files and voila, it will serve the webfonts with the Access-Control-Allow-Origin header set and FF and IE9 will render them normally!
21 Comments
Forward>>

    Author

    Blog about random challenges of a web developer.

    Archives

    April 2015
    May 2013
    January 2013
    July 2012
    June 2012

    Categories

    All
    Aws
    Cdn
    Code Igniter
    Css
    H2database
    Jamp
    Java
    Javascript
    Magento
    Maven
    Mysql
    Opencl
    Php
    Play-framework
    Quercus
    Scala
    Ubuntu

    RSS Feed

Powered by Create your own unique website with customizable templates.