Archive for the ‘Nerd Matrix’ Category

August 5th, 2009

A List For Web Developers

Do you know what is all the rage for bloggers? Top ten lists. Surfers love to read them and bloggers love to give surfers what they desire. Based on this assumption I set out to make a list of my own. Being a professional web developer working for a classy outfit like lifeBLUE Media, it’s logical that my list should be technical in nature. A list of my top ten oatmeal toppings might be fascinating and all - but is kind of irrelevant. Maybe next time around I’ll explore my breakfast habits in detail but for my first top ten list ever, let me introduce you to some products that every developer should know about.

Nick’s top ten web developer products:

10. Smarty
The world’s leading caching and templating engine. I have seen Smarty deployed on projects ranging from a few hundred dollar hobby sites to multi-million dollar enterprise applications. Implementation of this project provides unlimited scalability and enforces clear separation between application layers. Smarty is extremely well documented and feature rich. Adding plugins is a snap, plus it comes standard with a range of powerful plugins and modifiers. Providing even more power is the fact that any standard PHP function can be tacked right on to your template variables. Read more about this world class open source PHP template engine in Smarty’s Crash Course.

9. Wimpy
I love multimedia. Without streaming audio and video, the Internet would be about as popular as your neighborhood branch library. Over the years I have tried numerous media players and the undeniable best quality for the price is this awesome little flash player known as Wimpy. I would be hard pressed to find a product in existence with more skins available or a more convenient way to make your own. With great documentation, it’s a simple product that is easy to scale and deploy. It’s something of a treat every time I get to recommend this feisty little media player. Have a peek at some great examples.

8. XSPF Player
When thirty dollars is too serious an investment, or for developers who are all about the open source, the XSPF player is an open source, super lightweight Flash player built on the leading XML playlist format for audio. It is a standard that developers should at least be aware of. What RSS is to news, XSPF is to playlists. Like most standards that rise to the top of the open sourced fray - this one is rock solid in its simplicity.

7. jQuery
In the web development world JavaScript is something of a prodigal son. It’s practically impossible to develop a rich user experience without it (unless using Flash), but there is a learning curve. Over the last five years some incredible JavaScript frameworks have been taking the Internet by storm. As the availability of products such as YUI and Prototype increases, the end-user distrust of JavaScript has been decreasing. Out of these numerous JavaScript frameworks emerging, my product of choice is this CSS-selector-styled library known as jQuery. The initial attraction is its file size. Once minified and gzipped the core library is a very lightweight 18kb. At that size, why not include it every time? Also, its syntax and chaining abilities just make sense. Experienced developers clearly remember the gyrations and acrobatics required when armed with only getElementById(); jQuery takes the guesswork out. Page effects that would have required many a sleepless night filled with frustration are being accomplished in five seconds when taking advantage of the many user-created jQuery plugins available online. If you are a developer, odds are you are already using this. And know how much it rocks.

6. class.upload.php
I wanted to have at least one PHP class in this list. And the first one that comes to mind is this feature rich image manipulation script. The convenience and power of this script makes it a pleasure to work with. Simply instantiate it with the file pointer and it’s ready to go. Besides the basic ability to move files, this free class allows you to apply filters, borders, text, watermarks, etc., and convert, resize or crop your images. The only server side requirement is GD2, which is standard on any new PHP deployment. Writing those functions on your own is not super complex, but why bother when this script exists? Obviously using class.upload.php would be overkill for simply uploading files - but next time your project calls for batch processing of images, keep this jewel in mind. Read more about it here.

5. WAMP / XAMPP
What can I say, my job would be much more difficult without WAMP. Yes, I am a Windows user. At some point aren’t we all? But I am also a developer who wants a LAMP stack running locally, and deploying Linux can be a major pain in the gnads. That’s where WAMP steps in. It takes about five minutes to install and set up - and just like that you are literally running a virtual server inside Windows. Your localhost is Apache, MySQL is running and is accessible through the included phpMyAdmin. I at least get a warm fuzzy feeling of security and freedom being able to build and test at home. Granted, if you are a developer and reading this, odds are you’re totally familiar with this product already. But on the off chance you came this far without using it, be joyful ’cause this free application rocks the Kasbah.

4. Ultraedit
What kind of developer tools list would be complete without mentioning my favorite code editor? I have tried most of the popular editors out there and keep coming back to good old UE. It has all the regular goodies you might expect such as code folding, macros, smart color coding, and built-in FTP. Plus, it also has some really slick regex search functionality and, though a minor thing, the ability to switch tabs with your search box open makes me happy. If I had to choose one editor to work with between Zend IDE ($300.00 for a one year license), Dreamweaver ($400.00) and Ultraedit ($39.99), I would choose the most lightweight of those three, Ultraedit.

3. AgentRansack
I think we can all agree that the Windows Search isn’t that great. Simply searching for files by name can bog down or even lock up your system and it’s not even worth trying to search inside the actual files for text. And then I discovered the beauty of Agent Ransack. It can parse every file type known to man, including graphics, and does so with blazing speed and low overhead. This free application has helped me solve many a programming mystery as I trace variables or functions back to their source. The only thing that could make this app better is if it also had search and replace functionality. But for what it does, it’s the best one on the block.

2. CSDiff
Another free tool great for uncovering developer mysteries, CSDiff simply compares files or directories and walks you through variances in a convenient and simple manner. Like all good programs, it has a very small footprint and works like a champ. It’s surprising how often this tool comes in handy during debugging or troubleshooting. When knowing the difference between two scripts, documents or directories is required this app is the de facto standard.

1. Subversion
Subversion is a next generation version control software. I never really used CVS, which was the standard, therefore it’s impossible for me to really compare the two. I do however know Subversion, and will gladly call it perfect in its simplicity and crazy useful. It has the obvious benefits of enabling collaboration and protecting developers from stepping on each other’s toes, as well as the security of being able to revert changes regardless of how much time has passed or how many changes are made. But the convenience of keeping your code centralized too is a real pleasure. With a publicly accessible Subversion server I can work on the same project from four different computers without the need for a zip drive or trying to merge changes on my own.
Deploying the server can be a pain in the neck - but hey, that’s what your server admin gets paid to do right?
A word of advice: commit often and commit early.

I hope you have found this list helpful. There are many tools and products out there and just as many opinions about each. What are your “must have” tools?

August 5th, 2009 in Nerd Matrix, Web Development | Comments (0)
July 20th, 2009

Microsoft - revered or reviled?

In circles outside of Redmond, Washington a person can go a while without hearing positive comments about the planet’s leading operating system manufacturer, Microsoft. This company famous for having the world’s richest man as their founder has released so much software and technology that it’s inevitable the occasional problem will arise with a product. It’s these bumps that users and techies alike typically spend most time focused on. Then there’s the debate between open source vs. closed design or Technology for the sake of knowledge vs. technology as a vehicle to profits.

Meanwhile Macintosh (another corporate juggernaut) has spent millions of marketing dollars to characterize the PC, embodied through Microsoft, as being both uncool and ultimately unreliable. In the web development world both developers and designers alike often rebuke this company for consistently releasing a browser that doesn’t adhere to W3C standards or CSS specifications and has a clearly inferior JavaScript engine to its open sourced (browser) counterpart known as Firefox.

Whether it’s system lockups, blue screens of death, term papers lost or simple confusion regarding how to operate a product, most computer users have some reluctance about loving Microsoft. I have heard this company described as an evil empire, a claim not helped by the numerous international anti-trust lawsuits or even more numerous lawsuits over patent rights that the apparently top notch Microsoft legal team has dealt with over the last two decades.

Really what’s not to love?

The other side of this coin is that Microsoft has brought us so many incredible things that perhaps we are failing to see those trees through the forest. Browsing the Microsoft Developer Network, I discovered approximately 235 software products in existence under this company’s brand. The most popular Microsoft products are Windows Vista, Outlook or Visual Studio. There are many lesser known, yet still huge products such as Sharepoint, MS Project or Visio. There are more obscure products, such as Groove 2007, ProClarity, Point of Sale, Robotics Studio, or Small Business Server. While Google Earth is currently more popular, Microsoft blazed the way for satellite imaging years before with Virtual Earth in conjunction with their then exciting-at-the-time Terraserver.

Regardless of the multitude of markets Microsoft manages to dominate, the Windows operating system is where it all begins and ends. Here are some of the high points in that journey.

Windows 95
This piece of software is arguably the most prolific application ever released. Computers were in use for nearly 40 years prior to the arrival of that flag logo flying across a background of cloud covered blue skies. Without Windows 95 it’s entirely possible the technology revolution would have never occurred. The Internet might have never caught on and PCs in the home could still be the stuff of science fiction. Possibly someone else could have played that role. But would the outcome have been the same?

Windows 98, Windows NT
It’s fair to mention Windows 98 because it was a substantial upgrade to its predecessor.
The stability and improved performance really did make it a treat to install 98 back in the day.
During this time, Unix users were fond of comparing their favorite operating system’s reliability to that of the world’s most popular, and even the most die-hard ‘nix users, though grudgingly, will typically admit Windows NT was a rock solid operating system which was tough to crash.

Windows XP
In my opinion the greatest operating system to date released by Microsoft. They took the successful elements of Windows NT and applied a slick veneer to it. Best of all, they finally delivered on their long time promise of true plug and play, which is a prolific accomplishment in the technology universe.

This feature is something younger computer users will completely take for granted, but it wasn’t so long ago that setting up a new computer meant undergoing an arduous process of installing drivers, dealing with resource conflicts, discovering poorly documented incompatibilities, and compounding frustration.

Soak up that sweet goodness which is plug and play and next time you are having a beer pour a little on the curb for those fellows at Microsoft who made such a thing reality.

(You may notice I did not mention Windows Vista. Personally I am not sold on its advantages over XP.)

In conclusion, for all its warts Microsoft is an extremely integral part of this industry that I love and have dedicated most of my adult life to. Regardless of their motivations, people such as Bill Gates and Steve Ballmer have fought their way onto that corporate Mount Olympus and thereby advanced global technology in the process. Though I may not be a fan of Internet Explorer - I do still respect, admire and appreciate the company that created it. What are your thoughts on Microsoft? Revered or Reviled?

July 20th, 2009 in Nerd Matrix | Comments (0)
June 3rd, 2009

Firefox: not just another web browser…

It’s true, there’s so much more…

For most, Firefox is just another web browser. As long as it allows you to surf the web, play online games, search for a local salon and check your email, who cares what it’s called. It’s yet another browser to add to the list of browser icons already on our desktop. And what’s the difference in the blue “e” with a Saturn-like ring around it, the compass thing, and the earthly fox anyway? Who knows and who cares, right?

Well, for a web developer, these browsers are much more of a big deal to us than to our parents or neighbors. Not only does the abundance of browsers provide chaos in our everyday lives when it comes to getting our sites to look great in all of them equally, but there are also some other features that differentiate them as well. And as a web developer, I can speak for all of us when saying that we all “choose sides” and tend to favor one over the others. I personally think that Firefox should take over the world and leave all the others to be forgotten. But I don’t own the internets, therefore I won’t be implementing this any time soon.

Among all other elements that are important when designing and developing websites, such as, making sure it looks right, all the code is doing what it’s supposed to, and images are showing properly, Firefox also opens up many doors for web developers in our constant struggle of having some assistance every once in a while. In addition to being the greatest and most compatible, user-friendly browser out there, Firefox also offers several “add-ons” to help us along the way. They are free, easy to download and use, and right at your finger-tips, if you just only knew they existed.

Here are my fave-5 personal recommendations to use as a good starting point in your addiction to Firefox add-ons:

Web Developer Tools – A must have for web developers, this adds a toolbar to your browser that gives you such options as editing CSS, testing forms, resizing your window to different resolutions, and a slew of others. You will become reliant on the tools this add-on has to offer.
MeasureIt – A nifty ruler to get pixel width and height of elements on a webpage. See a blank area on the page that needs an image? Use this handy tool to see how much real estate you have to work with to crop your image just the right size to fit. This tool can also be used to see how much space you have when working with columned layouts.
Safari View & IE View – I’m grouping this as one because they serve the same purpose. Although we, as developers, would love to just have to test in one browser, we can’t forget about the others. With these tools, all you have to do is right click the webpage you are currently on and it will open the same page in another browser. Simple as that!
ColorZilla – Wondering what color that site is using, or needing to match up colors with a design? Use this color picker to roll over a website’s colors and get the RGB and hexadecimal values. No more print screening and taking it into Photoshop; you can get what you need directly from your browser.
CSS Validator – Can’t quite pinpoint a problem? This add-on will validate any page you’re on using the W3C CSS Validator. Stop spending hours trying to figure out what’s wrong with your code, when in less than 5 seconds you can receive a list of fixes to be made. Now that’s convenient!

This is only a select few of my everyday-use add-ons, out of the bazillions that Firefox actually has to offer. Whether you’re a web developer or not, the endless amounts of Firefox add-ons will have something for everyone.

June 3rd, 2009 in Nerd Matrix, Web Development | Comments (1)
April 20th, 2009

Open Source Is (Not Just) For Nerds

Anyone who has spent more than two minutes looking into creating a web presence has at least heard about Open Source Software, or OSS.  Technologies like PHP, MySQL, and others have pushed this once obscure and often nerdy software model out of obscurity.  Many of the greatest web innovations have been fueled by this movement.

What is Open Source Software?  In short it’s software that is developed, published, and maintained for the benefit of the general public.  In its most common form, it is free to use, share with others, and change as you see fit.  The most unique characteristic, and the one that gives OSS its title, is that anyone who wants to can look “under the hood” at the source code.  Most commercially available software does not allow the general public to do that.  If you want all the nerdy details, see this Wikipedia article.

So does open source have anything non-nerdy to offer?  Sure!  For starters there is Firefox, the second most popular browser out there, GIMP, a free alternative to Photoshop, and many more.  Even big boy Microsoft has introduced an “open” product: a new Office file format, called Open XML.  While open source isn’t yet as sexy as a Carlie Beck photo, it has gained some press over the last few years.

For non-nerds here is what Open Source Software can do for you.

  1. OSS can cost less.  While you still have to pay for development and deployment, you can save some green by using OSS because you don’t have to pay any software licensing fees.
  2. OSS is frequently on the cutting edge.  In web circles, OSS is often either ahead of the curve or setting the standard.  Just look at projects like jQuery, Drupal, and Google Chrome (yep, this new browser is an OSS project run by Google).
  3. OSS can be completely customized for your use.  As long as you have the know how or the resources to hire someone who does, you can customize OSS to fit your specific needs.
  4. You don’t need to re-invent the wheel.  If there is an OSS solution that does what you want, why take the time to create another one?  You can simply customize an OSS solution for your needs and cut back on development costs.

Interestingly enough, OSS and proprietary software can often work together nicely (such as the content manager Umbraco, which uses Microsoft’s proprietary .NET framework).  Because of this, you can often cherry pick solutions in such a way as to provide the most impact for the least pain.

Here at lifeBLUE Media we use the power of OSS alongside other solutions to augment and enhance our development efforts.  This creates a better product for our customers and reduces development time for us.  It’s win-win.

lifeBLUE does not exclusively use OSS.  We have some very talented .NET developers and we are not opposed to purchasing a proprietary solution if it is the best option.  We use all the tools available to us to create customized solutions for our customers.  As with everything, we choose OSS or other options in order to provide our customers with the best possible product.

April 20th, 2009 in Nerd Matrix, Web Development | Comments (0)
March 2nd, 2009

If Politicians Were Programming Languages

This is one of the most exciting political periods in our time. Many Americans have found within themselves a renewed interest in politics, and it’s got me thinking about the recent candidates in terms of programming languages. So, in no particular order…

Hillary Clinton is Javascript.

Before I offend anyone that thinks I’m relegating her to a small and insignificant language, think about Javascript. It’s loosely based off of a programming monster, Java (aka Bill Clinton). It’s the heart and soul of a lot of stuff you see on the web today, like AJAX or JQuery. A lot of those fancy things you love about sites like Flickr or Facebook are filled with Javascript. And, just like Javascript, she’s got the backing of a lot of big players and the pedigree of a respected and well-tested precursor.

Mitt Romney is .NET

Romney is one of the more well-funded candidates on the campaign trail. Like Romney, deep-pocketed Microsoft’s .NET languages have features that are admired by many, but its colleagues seem to be growing tired of its rhetoric, and often team up against it much like the candidates at the New Hampshire debates teamed up against Romney. It’s losing ground to open-source, grass roots languages like PHP and Ruby on Rails, but .NET still holds significance to many people.

Mike Huckabee is PHP.

If only for the reason that Huckabee has Chuck Norris as his biggest “Hollywood” supporter, Huckabee is the tough and no-nonsense PHP. Like its conservative counterpart, PHP is known for providing a solid set of tools and having a vocal group of ardent supporters. It’s relatively extendable, easy to like, and performs well in public–just look at Facebook for PHP in action.

Fred Thompson is Flash.

If Flash had a counterpart in the political realm, it would be one-time senator and part-time actor, Fred Thompson. Granted, Mr. Thompson himself isn’t all that flashy, but Hollywood is. And you can compare Flash’s ActionScript with Thompson’s turn in “action thrillers” like Die Hard 2 and The Hunt for Red October. Like Flash, Thompson has his niche, and even though he didn’t win the race, he is still useful and interesting nonetheless.

John McCain is Perl.

Perl is your dad’s pocket knife that’s been handed down for a few generations. It’s seen a lot, been in a few scrapes, and is always better for the wear. Perl as McCain is old and slowly losing its effectiveness, but provides those who know how to use it a vast amount of influence and power. Aging well, it shows that no matter who or what steps forward as a new leader, Perl will always be around as a stalwart alternative.

Barack Obama is Ruby on Rails.

If you’ve been programming for any time at all, you’ve heard about the Rails framework. And whether you wanted to or not, you’ve noticed Barack Obama as well. Obama’s splash came at the 2004 Democratic National Convention, when the relative newcomer burst onto the scene as the keynote speaker, enamoring a section of voters that had become tired of the typical political monotony. Rails, too, was announced in 2004, and has quickly emerged as a leading contender because of its ease of use, youthful loyal following, and ability to combine old programming styles with newer streamlined methods. Who doesn’t like the apps from 37signals, which are done with RoR?

Rudy Giuliani is Visual Basic.

What is Giuliani–a conservative Democrat or liberal Republican? What is Visual Basic? A Windows-based application language or an internet VBScript language? I’ve always had a fondness for Basic, since it was my first programming language, and Visual Basic was always intriguing to me because I could easily build usable Windows apps. In a similar way, most of the nation developed a fondness for Giuliani during the immediate aftermath of 9/11, and he’s hoping they still love him when he decides to run for an office again.

Dennis Kucinich is Smalltalk.

Look, I don’t know anything about Smalltalk, but this joke just writes itself.

March 2nd, 2009 in Fun, Nerd Matrix, Web Development | Comments (0)
October 2nd, 2007

What is XSS? XSRF? S.S. ESSESSES?

A somewhat obscure hack has emerged recently that is an offshoot of the now-infamous XSS. It is known as Cross-Site Request Forgery, or XSRF for short. XSRF is a form of temporary identity theft that can cause your computer to initiate banking transactions, send emails or text messages, or even change account info on your favorite site… without your ever realizing it!

THE GOOD NEWS

Before we get started on the doom and gloom, you should know that XSRF, while potentially very devastating, is actually very easy to defend against. Also, many modern sites employ anti-XSS and anti-XSRF techniques (such as the ones listed at the bottom of this article) so that even if somebody tried to pull an XSRF attack on your account, it would not work.

THE SETUP

As an example of XSRF in action, suppose your favorite bank has a website that uses $_GET to pass account transaction data. So if you wanted to transfer $100 from account 1002 to account 1004, you’d go to:

    http://myawesomebank.com/transfer.php?from=1002&to=1004&amt=100

At this point, you are probably thinking, “there’s something REALLY wrong with that!” And you’re right. But no problem… even if somebody tried to go to this URL to make a quick $100, he’d still have to be logged in to do it, right? Wrong. So our intrepid hacker goes to your favorite forum site, and creates a post with an image tag in it. But instead of a valid image file, he gives it a nasty URI:

    <img src="http://myawesomebank.com/transfer.php?from=1002&to=1004&amt=100" />

THE HAPLESS VICTIM

Now for the fun part. Let’s say you were recently visiting myawesomebank.com to check your account balance. Let’s also say that, like most normal people, you didn’t log out of your account before closing the browser window. Tsk Tsk. You notice that there’s a new post on your favorite forum site, so you go look at it. Oddly, there’s an image on there, but it won’t show up. You refresh the page 4 or 5 times, but you can’t see the picture. You give up and go to bed. The next day, when you go to check your account balance, you’re short $500!

WHAT HAPPENED?

When you opened the page that contained the XSRF code, your browser saw an IMG tag and sent a request for the src of that image as part of loading the page. Never mind that the src didn’t end with a valid image extension; that’s actually fairly common, as many sites will use a PHP (or other server-side) script to fetch images from a database or outside the server’s document root. So your browser sent the request, and it got a response, namely myawesomebank.com’s “transaction complete” page. Of course, this wasn’t valid image data, so your browser didn’t show you anything. “But,” you might insist, “I wasn’t on my bank’s website when I loaded the XSRF code!” Maybe you THOUGHT you weren’t, but according to your bank, since your session cookie was linked to an unexpired session, you actually were STILL LOGGED IN! Which means that any requests that got sent to your bank’s server were processed, even though you didn’t type the location into your address bar!

HOW TO PROTECT YOURSELF

  • ALWAYS log out of any site that you log into before closing your browser window or going to a different site.
  • If an image isn’t loading (ESPECIALLY on a ‘public-writable’ site such as a forum or mailing list), DON’T REFRESH THE PAGE! Right-click on the image and select ‘Properties’ (on IE or Firefox), or ‘Copy Image Address’ (on Safari) and VERIFY THAT THE FILE IS AN IMAGE.
  • If you think you are a victim of XSRF, TAKE ACTION IMMEDIATELY! Contact the administrator of the site that was targeted and get the damage undone!
  • If you think someone has posted XSRF code on a forum or other site, inform the site administrator IMMEDIATELY so that he can remove the code and ban the offender!

HOW TO SECURE YOUR SITE AGAINST XSRF

  • NEVER pass sensitive data via URL variables. Use POST as much as you can.
  • Check the referring page (via $_SERVER['HTTP_REFERER']) before executing any backend code! If the domain doesn’t match yours, DON’T PROCESS THE REQUEST!
  • Enforce session timeout. When the User hasn’t submitted any requests for a period of time, his session should automatically expire.

APPENDIX A: ENFORCING SESSION TIMEOUT

You ever notice how on some sites, if you leave the computer for a while and then come back, when you click on a link, the site will ask you to log in again because “your session timed out due to inactivity”? How do they do that? Well, you can’t really use a ‘timer’ because the web doesn’t work that way. You don’t know when the User will click on a link… or even if he’s still on your site! Instead, you have to do sort of a ‘reverse timer’. Instead of counting down from a static ‘amount of time until expiration’, you compare the timeout variable to the current time and then store the new timeout value. Expressed in code:

When the User logs in, set his initial timeout value. Traditionally, the User gets 15 minutes of inactivity before his session becomes invalid. Of course, depending on the nature of your site, you may choose to use a different value.

    // When you log the User in, set his timeout:
    define('SESSION_TIMEOUT', 15);
    $_SESSION['timeout'] = (time() + (SESSION_TIMEOUT * 60));

Then put this code at the top of every page that requires the User to be logged in:

    session_start();

    // Check to make sure the User is logged in.
    if (! checkToSeeIfUserIsLoggedIn(yourCodeGoesHere)) {
        . . .
    }

    // Check to see if the current time is AFTER the session is marked for timeout.
    if (time() > $_SESSION['timeout']) {
        // User's session has expired. Go back to the login screen.
        header('Location: login.php?message=timeout');
        exit;
    }

    // Still valid: push the timeout forward so the reverse timer keeps running.
    $_SESSION['timeout'] = (time() + (SESSION_TIMEOUT * 60));

You may also want to extend the User’s timeout even when he is using the non-secured pages on your site:

    if (isset($_SESSION['timeout'])) $_SESSION['timeout'] = (time() + (SESSION_TIMEOUT * 60));
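The following is an added example, not code from the original post, that pulls the three rules from “HOW TO SECURE YOUR SITE AGAINST XSRF” and the reverse timer from Appendix A into one request guard, and goes one step beyond the post by adding a per-session anti-XSRF token (the standard defence: a forum <img> tag can never carry a secret that only your own forms know). The function names, the constant names and the sample requests are assumptions made for this example; in a real page `$session`, `$method`, `$referer` and `$post` would be `$_SESSION`, `$_SERVER['REQUEST_METHOD']`, `$_SERVER['HTTP_REFERER']` and `$_POST`.

```php
<?php
// Added example (not the post's code): a request guard for a state-changing
// page such as transfer.php. Names below are assumptions for this example.
declare(strict_types=1);

const SESSION_TIMEOUT_MINUTES = 15;        // same value the post uses
const SITE_HOST = 'myawesomebank.com';     // the post's fictitious bank

// Appendix A's reverse timer: the session holds an absolute expiry time that
// is refreshed on every request instead of counting down.
function session_timed_out(array &$session, int $now): bool
{
    if (isset($session['timeout']) && $now > $session['timeout']) {
        return true;
    }
    $session['timeout'] = $now + SESSION_TIMEOUT_MINUTES * 60;
    return false;
}

// Referer rule from the post. A missing Referer counts as a mismatch: some
// browsers and proxies strip it, and a forged request would not carry ours.
function referer_matches(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strtolower($host) === SITE_HOST;
}

// Per-session token: generated once, emitted as a hidden field in every form
// that changes state, compared in constant time on submission.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_token_valid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'])
        && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

// Returns null when the request may proceed, otherwise the reason it was
// refused. The timeout is checked (and refreshed) first, as the post advises
// for every page, then the three XSRF rules in order.
function guard_transfer(array &$session, string $method, ?string $referer, array $post, int $now): ?string
{
    if (session_timed_out($session, $now)) {
        return 'timeout';
    }
    if ($method !== 'POST') {
        return 'method';   // the post's GET-driven transfer.php is exactly this bug
    }
    if (!referer_matches($referer)) {
        return 'referer';
    }
    if (!csrf_token_valid($session, $post['csrf'] ?? null)) {
        return 'token';
    }
    return null;
}

// Constructed sample session and requests (not real traffic).
$session = [];
$now = 1700000000;
$token = csrf_token($session);
session_timed_out($session, $now);   // login: sets the first expiry

foreach ([
    // 1. the post's forged <img> request: GET, referer is the forum, no token
    ['GET',  'http://forum.example/thread/1',      [],                 $now + 60],
    // 2. a legitimate form submission from our own site within the window
    ['POST', 'https://myawesomebank.com/transfer', ['csrf' => $token], $now + 120],
    // 3. the same form after 16 minutes of inactivity
    ['POST', 'https://myawesomebank.com/transfer', ['csrf' => $token], $now + 120 + 16 * 60],
] as [$method, $referer, $post, $at]) {
    $verdict = guard_transfer($session, $method, $referer, $post, $at);
    printf("%-4s at +%4ds -> %s\n", $method, $at - $now, $verdict ?? 'allowed');
}
```

The first request is refused on the method alone, the second passes every check, and the third is refused by the reverse timer even though its token and referer are fine. Note that the referer check is a secondary defence (the header is optional and easily absent), which is why the token check sits behind it rather than replacing it.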

And finally.  What is S.S. ESSESSES?  It is the name of the ship in “Hot Shots”  the movie, although I cannot remember whether it is the first or second one…silly me.

October 2nd, 2007 in Nerd Matrix | Comments (0)
September 27th, 2007

How register_globals Helps You Write Insecure Code

As an application development specialist for lifeBLUE Media, I see a lot of different coding styles. Some are organized and very readable; others look like raw fettuccine with extra alfredo sauce. But one habit that I’ve seen numerous times, often among relatively inexperienced programmers, is the dependence on PHP’s register_globals directive.

register_globals was introduced as a way of making it more convenient to access User input. For example, instead of having to type:

    echo 'Hello, ', $_GET['username'], '!';

With register_globals turned on, $username would automatically be assigned the value of $_GET['username'], so all you would have to do is:

    echo 'Hello, ', $username, '!';

Wow, what a timesaver!

So why are they getting rid of register_globals in PHP 6 if it’s so helpful? I believe not even Sherlock Holmes could figure this one out. The problem, interestingly, is not that register_globals is bad; rather, the problem is that register_globals encourages very bad security habits. Let’s break out the magnifying glass and our trusty pipe to take a look at a fictitious banking site. One of the pages on this site, transfer.php, provides an interface for the User to transfer funds between two accounts. Without register_globals, the code might look something like this:

    $_sql = "UPDATE `accounts` SET `balance` = `balance` - {$_POST['amount']} WHERE `accountid` = {$_POST['transFrom']} LIMIT 1";
    $db->execute($_sql);
    $_sql = "UPDATE `accounts` SET `balance` = `balance` + {$_POST['amount']} WHERE `accountid` = {$_POST['transTo']} LIMIT 1";
    $db->execute($_sql);

Simple enough. Now here’s what it would look like using register_globals:

    $_sql = "UPDATE `accounts` SET `balance` = `balance` - {$amount} WHERE `accountid` = {$transFrom} LIMIT 1";
    $db->execute($_sql);
    $_sql = "UPDATE `accounts` SET `balance` = `balance` + {$amount} WHERE `accountid` = {$transTo} LIMIT 1";
    $db->execute($_sql);

This begs the question, “How does PHP know where these variables are coming from?” The answer is: It doesn’t. register_globals looks in $_GET, $_POST, $_COOKIE and $_SESSION, so if there’s a matching index in *any* of these superglobals, your code would have no way of knowing which value is the ‘correct’ one. For example, suppose you created a cookie whose name is ‘amount’. An incorrectly-configured php.ini might cause the cookie to overrule the amount that the User specified in the form! And by (inadvertently) allowing the User to specify these variables in the URL, you open your site up to XSS attacks.

It was for this reason that the default value for register_globals went from ON to OFF in PHP 4.2.0. But many programmers merely shrugged their shoulders and went on with their normal lives:

    $amount = $_POST['amount'];
    $transFrom = $_POST['transFrom'];
    $transTo = $_POST['transTo'];
    $_sql = "UPDATE `accounts` SET `balance` = `balance` - {$amount} WHERE `accountid` = {$transFrom} LIMIT 1";
    $db->execute($_sql);
    $_sql = "UPDATE `accounts` SET `balance` = `balance` + {$amount} WHERE `accountid` = {$transTo} LIMIT 1";
    $db->execute($_sql);

But this is really not much of an improvement. True, the code does now examine where the variables are coming from, but it’s not validating the values. To use a rather dramatic example, suppose a (somewhat less-than-reputable) request comes in, and the value of $_POST['transFrom'] is “0 OR TRUE”. Now the first SQL query looks like this:

    $_sql = "UPDATE `accounts` SET `balance` = `balance` - 500000 WHERE `accountid` = 0 OR TRUE LIMIT 1";
    $db->execute($_sql);

Here’s a hint: you’ll be getting a LOT of angry phone calls VERY soon! How would you protect yourself from such an irresponsible act (also known as an SQL Injection Attack)? Rather easily, as it turns out:

    $amount = (float) $_POST['amount'];
    $transFrom = (int) $_POST['transFrom'];
    $transTo = (int) $_POST['transTo'];

Not even 20 characters later, your code is completely SQL-Injection-proof!
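As an added example (not the post’s own code), here is the same transfer.php written the way a reviewer would ask for it today. It keeps the post’s field names, table and columns, but goes beyond the casting fix in two ways: the values are validated (a positive account id, a positive amount, two different accounts) instead of silently coerced, and the two UPDATEs run as one transaction with bound parameters so the SQL text never contains user input at all. validate_transfer(), do_transfer() and the PDO connection `$pdo` are assumptions for this example; the sample inputs are constructed, including the post’s “0 OR TRUE” request.

```php
<?php
// Added example (not the post's code). validate_transfer() and do_transfer()
// are names chosen for this example; $pdo is assumed to be a PDO connection
// configured with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.
declare(strict_types=1);

// Returns ['amount' => float, 'from' => int, 'to' => int] or throws.
// FILTER_VALIDATE_INT rejects "0 OR TRUE" and "12abc" outright, where the
// post's (int) cast would quietly turn them into 0 and 12.
function validate_transfer(array $input): array
{
    $positive = ['options' => ['min_range' => 1]];
    $from = filter_var($input['transFrom'] ?? null, FILTER_VALIDATE_INT, $positive);
    $to   = filter_var($input['transTo']   ?? null, FILTER_VALIDATE_INT, $positive);
    $amt  = filter_var($input['amount']    ?? null, FILTER_VALIDATE_FLOAT);

    if ($from === false || $to === false) {
        throw new InvalidArgumentException('account id must be a positive integer');
    }
    if ($amt === false || $amt <= 0) {
        throw new InvalidArgumentException('amount must be a positive number');
    }
    if ($from === $to) {
        throw new InvalidArgumentException('source and destination must differ');
    }
    return ['amount' => $amt, 'from' => $from, 'to' => $to];
}

// Moves the money inside one transaction: either both rows change or neither.
// Bound parameters mean the account id is sent as data, never spliced into SQL.
// (LIMIT on UPDATE is MySQL syntax, as in the post.)
function do_transfer(PDO $pdo, array $t): void
{
    $pdo->beginTransaction();
    try {
        // The balance check in the WHERE clause refuses overdrafts atomically.
        $debit = $pdo->prepare(
            'UPDATE `accounts` SET `balance` = `balance` - :amt '
            . 'WHERE `accountid` = :id AND `balance` >= :min LIMIT 1'
        );
        $debit->execute([':amt' => $t['amount'], ':min' => $t['amount'], ':id' => $t['from']]);
        if ($debit->rowCount() !== 1) {
            throw new RuntimeException('insufficient funds or unknown source account');
        }

        $credit = $pdo->prepare(
            'UPDATE `accounts` SET `balance` = `balance` + :amt WHERE `accountid` = :id LIMIT 1'
        );
        $credit->execute([':amt' => $t['amount'], ':id' => $t['to']]);
        if ($credit->rowCount() !== 1) {
            throw new RuntimeException('unknown destination account');
        }

        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Constructed inputs: the post's injection attempt, then a well-formed request.
foreach ([
    ['amount' => '500000', 'transFrom' => '0 OR TRUE', 'transTo' => '1004'],
    ['amount' => '100',    'transFrom' => '1002',      'transTo' => '1004'],
] as $input) {
    try {
        $t = validate_transfer($input);
        echo 'accepted: ', json_encode($t), "\n";
        // do_transfer($pdo, $t);   // uncomment with a real $pdo connection
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first input never reaches the database because validation throws on the account id; the second is accepted and, with a live connection, would be applied as a single atomic transfer. Validation and parameter binding are separate layers on purpose: binding stops the injection, validation stops the nonsense that is still valid SQL (negative amounts, transfers to yourself).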

There are many, many opinions out there on the best way to validate User input. Certainly *some* kind of validation that makes sense is always better than none, and that is the purpose of this article…or is it?

September 27th, 2007 in Nerd Matrix | Comments (0)
September 27th, 2007

Welcome to the Nerd Matrix

In the Nerd Matrix, you will find numerous posts regarding coding, programs and application development, and other insightful information for all of us nerds out there. Read topics about common programming errors, new standards of coding, or just good, clean technical information that you or someone else you know could benefit from. Please contribute by posting quality and clean comments, or just give a shout out comment to the rest of us fellers in the nerd community.

As nerds we should be proud that we can boldly go where the average person cannot. And those are the easy ones, lets not blow any brain cells with our in-depth knowledge of .NET frameworks, hypertext markup language, or the latest w3c output. Just like Budweiser’s Real Men (and women) of Genius, we salute you Mr. Programmer Rocket Scientist Nerd Guy. This blog is for you!

September 27th, 2007 in Nerd Matrix | Comments (0)