Secure PHP

So, I took time out from decorating to trawl the Internet, as is my wont. I came across a nice site with Apache mod_rewrite cheat sheets, which is nerdy but useful. The same site also has a nice article about Writing Secure PHP, which is pretty good, although I have some comments…

Eval is Evil

Just read an article on Sitepoint about PHP’s Eval function, and basically, how it is evil.

Eval lets you ‘run’ a string as if it were code. Sounds useful, but I can’t say that I’ve ever found a situation where it is a good idea. Quite apart from the security risk highlighted – which is really more a question of user input validation – it seems to me that if you’re writing a programme, you should know what it is supposed to do up front.

If you already know what it is supposed to do, why would you need an eval function at all? Why not just programme it that way? Sure, I can see how eval might be a useful ‘shortcut’, but it just isn’t elegant.
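As an added illustration of the point above (this is example code, not from the post or the Sitepoint article), here is the kind of small calculator that tempts people into eval(), next to a version that spells out up front what the program is allowed to do. The operation names, the request array and the numeric check are all constructed for this example.

```php
<?php
// Added example, not from the original post. Shows why a program that
// already knows its own operations does not need eval() at all.

// The pattern to avoid: the caller's text becomes code. Whatever arrives in
// $expr runs with the full privileges of the PHP process, so correctness now
// depends entirely on validating that string, which is exactly the user input
// problem the post mentions.
function calculate_with_eval(string $expr)
{
    return eval('return ' . $expr . ';');
}

// The operations the program supports, written as ordinary code. User input
// only ever selects an entry from this table and supplies numbers; it is
// never interpreted as PHP.
function supported_operations(): array
{
    return [
        'add' => fn(float $a, float $b): float => $a + $b,
        'sub' => fn(float $a, float $b): float => $a - $b,
        'mul' => fn(float $a, float $b): float => $a * $b,
        'div' => fn(float $a, float $b): float => $b == 0.0 ? NAN : $a / $b,
    ];
}

function calculate_without_eval(string $op, string $a, string $b): float
{
    $ops = supported_operations();
    if (!array_key_exists($op, $ops)) {
        throw new InvalidArgumentException("Unsupported operation: $op");
    }
    // is_numeric() accepts plain numbers only; anything else is refused
    // before it reaches any logic, and it is never executed in any case.
    if (!is_numeric($a) || !is_numeric($b)) {
        throw new InvalidArgumentException('Operands must be numeric');
    }
    return $ops[$op]((float) $a, (float) $b);
}

// Constructed request data standing in for $_GET.
$request = ['op' => 'mul', 'a' => '6', 'b' => '7'];
echo calculate_without_eval($request['op'], $request['a'], $request['b']), "\n";
```

The second version is longer than the one-liner, but every behaviour it can have is visible in the source, which is the "know what it is supposed to do up front" argument in code form: there is nothing left for an input string to change except which branch runs and with which numbers.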

Capturing Comments in HTML

A friend I work with was asking me today how to match HTML comments using regular expressions. It was an interesting example of some of the pitfalls and design that needs to go into regular expression code.

HTML comments are marked out by <!-- and -->, for those who don’t know. For our examples we’ll use the code below, and change the patterns and subjects defined by $pattern and $subject respectively. This is written in PHP, but the same patterns hold for any Perl-compatible regular expression engine.
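As an added example (not the post's own code, which is not reproduced here), the following PHP script runs three candidate patterns over a constructed HTML fragment and shows the two pitfalls that usually bite first: a greedy `.*` that swallows everything between the first `<!--` and the last `-->`, and a dot that will not cross a newline unless the `s` modifier is set. The helper name `find_comments` and the sample markup are assumptions of this example.

```php
<?php
// Added example, not from the original post: matching HTML comments with
// PCRE in PHP. The $subject below is constructed for the demonstration; it
// has two comments on one line and a third that spans two lines.
$subject = <<<'HTML'
<p>one</p><!-- first --><p>two</p><!-- second --><p>three</p>
<!-- spans
two lines --><p>four</p>
HTML;

// Runs preg_match_all and returns just the full-match strings.
function find_comments(string $pattern, string $html): array
{
    preg_match_all($pattern, $html, $matches);
    return $matches[0];
}

// Pitfall 1: ".*" is greedy. On the first line it runs from the first "<!--"
// to the LAST "-->", so "<p>two</p>" is captured as part of a "comment".
// Without the "s" modifier "." also refuses to cross the newline inside the
// third comment, so that one is missed entirely. Result: one wrong match.
$greedy = '/<!--.*-->/';

// Better: ".*?" is lazy, so each match stops at the first "-->" it meets.
// That is the right boundary, because an HTML comment cannot contain "-->".
// Still no "s" modifier, so the two-line comment is still missed. Two matches.
$lazy = '/<!--.*?-->/';

// Correct for this input: lazy quantifier plus "s" (dot matches newline).
// Three matches, each one exactly one comment.
$lazy_multiline = '/<!--.*?-->/s';

foreach (['greedy' => $greedy, 'lazy' => $lazy, 'lazy+s' => $lazy_multiline] as $label => $pattern) {
    echo "== $label ($pattern) ==\n";
    foreach (find_comments($pattern, $subject) as $comment) {
        echo str_replace("\n", '\n', $comment), "\n";
    }
}
```

Two design notes a practitioner would add: the lazy pattern stops at the first `-->` because the HTML specification forbids that sequence inside a comment, so there is no need for the more elaborate tempered-dot form `<!--(?:(?!-->).)*-->`; and a pattern like this is for finding comments in markup you trust, not for sanitising untrusted HTML, where comment-looking text can appear inside script blocks and attribute values that a regex does not understand.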