Using the Twitter API with Zend Part 1: Setting up your environment
September 10th, 2009
Twitter API with Zend Part 1. Post Moved to ReinforceMedia.com
This is not form validation — and how to fix it
August 31st, 2009
I was working on a site and noticed something that concerned me. This is fodder for TheDailyWTF and makes me worry for the fate of any person who receives the results of forms with [non-]“validation” like this.
The form element:
<select name="favorite-color">
    <option>Favorite Color – Choose One</option>
    <option value="blue">Blue</option>
    <option value="red">Red</option>
    <option value="orange">Orange</option>
    <option value="green">Green</option>
    <option value="black">Black</option>
</select>
Here is what was in the processing script:
switch ($_POST["favorite-color"])
{
    case "blue":
    case "red":
    case "orange":
    case "green":
    case "black":
        $data["favorite-color"] = $_POST["favorite-color"];
        break;
}

…

//data is appended to a string – matt's comment not a "real" comment in the script
$string .= $data['favorite-color'];
So… What is wrong with this? OMG what isn’t wrong with it?
- The select element has an “option” with no value attribute, so choosing the placeholder submits its label text (“Favorite Color – Choose One”) as the field’s value.
- The $data array is never initialized (I didn’t show this, but are you surprised?)
- The no-value option is not accounted for in the processing: if the placeholder is submitted, none of the cases match and $data['favorite-color'] is never set. That variable is then used in a string anyway, and PHP emits an “Undefined index” notice (a warning since PHP 8) for reading an array index that does not exist. If the field is missing from the request altogether, the switch itself triggers the same notice when it reads $_POST["favorite-color"].
- It is assumed that ONLY the values in the select will ever be passed to the processing, and the null value is completely ignored.
- Why in the hell would you want to type every single possible option that could be passed in the processing script? Especially when you are just going to append it to a string!! (To be fair, matching only the known values is an allowlist, and that instinct is the right one; the defect is that nothing at all happens when the value doesn’t match.)
- The string concatenation assumes that the variable being concatenated is already set.
So, how do we fix this?
Actually, it is not all that hard.
First, you have a choice. You can choose to add a value to the first option element, or you can handle the fact that it has no value in the processing, or you can do both (I suggest this one).
<!-- You can output processing errors here -->
<select name="favorite-color">
    <option value="0">Favorite Color – Choose One</option>
    <option value="blue">Blue</option>
    <option value="red">Red</option>
    <option value="orange">Orange</option>
    <option value="green">Green</option>
    <option value="black">Black</option>
</select>
Now handle the processing:
//initialize the $data array
$data = array();

//initialize the $string variable
$string = '';

…

/**
 * This code will handle the processing of the field
 * It looks to see if the value is set, and not empty. It will use the non-empty value or it
 * will set an empty string
 * (empty() already returns true for an unset index, so the isset() is belt-and-braces;
 * note that empty("0") is also true, which is what catches the placeholder option.)
 */
if (isset($_POST['favorite-color']) && !empty($_POST['favorite-color'])) {
    $data['favorite-color'] = $_POST['favorite-color'];
    /**
     * if you were going to do a mysql db insert instead of string concatenation you
     * would do something like:
     * $data['favorite-color'] = mysql_real_escape_string($_POST['favorite-color']);
     * (mysql_real_escape_string() was removed in PHP 7; use a PDO or mysqli prepared
     * statement with bound parameters instead.)
     */
} else {
    //This is what was forgotten before
    $data['favorite-color'] = ''; // or $data['favorite-color'] = null;
    /**
     * you could also set an error variable, which could be passed back to the form output
     * to show the user what they missed or did wrong.
     */
}
Now you have set up your “validation” – which is really just a way to initialize, in the $data array, the variable you will be writing to the string.
So, all that is left is to concatenate the value to the string. You can do one of two things. The first is to just concatenate the string, since you know it has already been initialized properly:
// you could add checks right here to see if there are errors and redirect back to the form before creating the string

…

//concatenate the value to the string
$string .= $data['favorite-color'];
The second way is to use a ternary operator (READ: inline if statement) to append the string:
// you could add checks right here to see if there are errors and redirect back to the form before creating the string

…

//append the string if it has a length greater than zero, otherwise append empty string
$string .= (strlen($data['favorite-color']) > 0 ? $data['favorite-color'] : '');
This method of handling form elements takes a little more time and a little more effort up front, but it will save you WAY more trouble later on. You will not see the PHP notices you saw before, and if you are inserting the data into a DB, escaping the value (or, better, binding it with a prepared statement) keeps your users from running SQL injection attacks on you. One caveat: the isset/empty check above accepts any non-empty string, so it stops the notices but is not validation on its own. If the value is going anywhere other than a plain string, check it against the list of known options first.
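As an added example (this is not code from the original post), here is the same handler with a real allowlist, the error path the post suggests passing back to the form, and a PDO prepared statement in place of mysql_real_escape_string(). It assumes the fixed form above (placeholder value "0"); the table and column names in saveFavoriteColor() are made up for the example, and the sample submissions at the bottom are constructed, not real requests. It goes a little beyond the post by also rejecting a favorite-color[]=… submission, which arrives as an array rather than a string.

```php
<?php
// Added example, not the original post's code.

const FAVORITE_COLORS = ['blue', 'red', 'orange', 'green', 'black'];

/**
 * Validate one select field against its allowlist.
 *
 * Returns [value, error]: value is the accepted option (or null),
 * error is a message for the form (or null when the value is fine).
 */
function validateChoice(array $input, string $field, array $allowed): array
{
    // Missing field, or the "0" placeholder option: nothing was chosen.
    // empty("0") is true in PHP, so the placeholder is caught here too.
    if (!isset($input[$field]) || empty($input[$field])) {
        return [null, "Please choose a $field."];
    }

    $value = $input[$field];

    // favorite-color[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($value)) {
        return [null, "Invalid $field."];
    }

    // Strict in_array: exact string match only, no type juggling.
    if (!in_array($value, $allowed, true)) {
        return [null, "Unknown $field."];
    }

    return [$value, null];
}

/** Process the whole POST; returns [data, errors] for the caller to act on. */
function processForm(array $post): array
{
    $data = [];
    $errors = [];

    [$color, $err] = validateChoice($post, 'favorite-color', FAVORITE_COLORS);
    if ($err !== null) {
        $errors['favorite-color'] = $err;   // pass back to the form output
    } else {
        $data['favorite-color'] = $color;
    }

    return [$data, $errors];
}

/** The DB insert the post mentions, with a bound parameter instead of escaping. */
function saveFavoriteColor(PDO $pdo, int $userId, string $color): void
{
    // Assumed schema for the example: preferences(user_id, favorite_color).
    $stmt = $pdo->prepare(
        'INSERT INTO preferences (user_id, favorite_color) VALUES (:uid, :color)'
    );
    $stmt->execute([':uid' => $userId, ':color' => $color]);
}

// Constructed sample submissions (not real requests).
$samples = [
    'valid'       => ['favorite-color' => 'blue'],
    'placeholder' => ['favorite-color' => '0'],
    'missing'     => [],
    'tampered'    => ['favorite-color' => "' OR 1=1 --"],
    'array'       => ['favorite-color' => ['blue']],
];

foreach ($samples as $label => $post) {
    [$data, $errors] = processForm($post);
    printf("%-12s data=%s errors=%s\n", $label,
        json_encode($data), json_encode($errors));
}
```

Only the 'valid' submission ends up in $data; the other four produce an error message and nothing is written, which is the behaviour the original switch statement was missing.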
Username URLs just like Twitter
August 14th, 2009
In your .htaccess just do this:
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([A-Za-z0-9]+)/?$ user.php?name=$1 [L]
Because the pattern allows only letters and digits (the character class has to be A-Za-z, not A-za-z, which would also let [ \ ] ^ _ ` through), a request for a PHP file or for anything deeper in the site, such as JS or CSS, does not match and is served as usual. The two RewriteCond lines keep existing files and directories out of the rewrite as well; without them a top-level directory such as /images would be rewritten to user.php?name=images. user.php still has to check the name parameter itself, since user.php?name=... can be requested directly without ever passing through the rule.
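Here is an added example of the user.php side (not code from the original post): it re-validates the name with the same character class the rewrite rule uses, because the script can be called directly with any name parameter. The length cap and the list of reserved names are assumptions for the example, and the requests at the bottom are constructed.

```php
<?php
// Added example, not the original post's code: user.php for the rewrite rule.
// The rule limits the name to letters and digits, but user.php?name=...
// can be requested directly, so the script checks the parameter itself.

// Same character class as the rewrite rule, plus an assumed length cap.
const USERNAME_PATTERN = '/^[A-Za-z0-9]{1,30}$/';

// Top-level paths that should never resolve to a profile (assumed for the site).
const RESERVED_NAMES = ['user', 'login', 'logout', 'admin'];

/** Return the validated username, or null if the request should 404. */
function usernameFromRequest(array $get): ?string
{
    $name = $get['name'] ?? null;
    // name[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($name) || !preg_match(USERNAME_PATTERN, $name)) {
        return null;
    }
    if (in_array(strtolower($name), RESERVED_NAMES, true)) {
        return null;
    }
    return $name;
}

/** Profile page body; the name is output-encoded even though it is alphanumeric. */
function profileHtml(string $name): string
{
    return '<h1>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Constructed requests, as user.php sees them after the rewrite or when called directly.
$requests = [
    ['name' => 'mattbernier'],        // /mattbernier via the rewrite
    ['name' => '../etc/passwd'],      // direct call, bypasses the rule entirely
    ['name' => 'user.php'],           // would not match the rule; rejected here too
    ['name' => 'Admin'],              // reserved, case-insensitive
    ['name' => ['x']],                // ?name[]=x
    [],                               // no parameter at all
];

foreach ($requests as $get) {
    $name = usernameFromRequest($get);
    echo json_encode($get), ' => ', $name === null ? '404' : profileHtml($name), "\n";
}
```

Only the first request produces a profile page; the rest get a 404, which is what you want from a script that is reachable without the .htaccess rule in front of it.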
The AOL logo and the Genius form error are a little confusing
February 7th, 2009
I was setting up Genius in iTunes tonight and got to the form below, and didn't fill out the second input because it looked like they wanted AOL credentials. Then, when the error came up, the red arrow and the blue triangle pointed to the same place, which was kind of confusing.
Now, I know that if I would have just paid more attention, I would have gotten this from the start. Even so, I sometimes stop paying attention and hope that the interface will be intuitive enough that I can just use it without thinking. I know, lame right? Not necessarily, I have found that this is a good way to test out user functionality.
If you have to stop and think about how to make the interface work, then there is something wrong. The idea is that you want the users who pay full attention to find things that are especially for them, and you want the other users to be able to skate by.
Trim, I love your service, but please sanitize your inputs!!
February 5th, 2009
I was replying to a friend on Twitter using tr.im, and I had a <script> tag in the post. I realized when I submitted that the tag made everything after it in my tweet disappear. If you want to see the actual tweets, you can find them in my twitter feed here: Matt Bernier’s Twitter Feed
First thought was, “No Way!”. Second thought was, “What Else Can I do?”.
So, I tried basic HTML with this tweet:
<h2>Testing whether HTML breaks tr.im</h2> B/c my
<script> tag did earlier</script>
<span style="color:blue;"> ScreenShot coming</script>
This got me this result:
Then I tried an alert:
<script type="text/javascript">
alert('does this work?');
</script>
That got me this result:
Then lastly, I tried a little more JS, pay attention though. To make it fit, I used a tr.im URL!!
<script type="text/javascript">
document.body.select('img').each(function(e){e.src="http://tr.im/evmz"});
alert('check the images')
</script>
Which got me this result:
I have submitted this information to tr.im. I did very mundane, topical things to the page I was looking at, and did not even attempt anything more dangerous. My hope is that you will see the humor in this, urge tr.im to fix this issue and to continue the amazing job that they do.
UPDATE: The Tr.im developers are quick to read their emails, respond, and fix issues. It took all of twenty minutes from when I sent the email to them, for a response saying that this issue was fixed.
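What tr.im was missing is output encoding at render time rather than input “sanitizing”: store the tweet exactly as typed, and escape it for the HTML context it is written into. The following is an added example of that step, not tr.im’s code and not from the original post; the inputs are the three tweets quoted above, and the link-building regex and rel="nofollow" are choices made for the example.

```php
<?php
// Added example; not tr.im's code and not from the original post.

/** Escape a string for an HTML element body or a double-quoted attribute. */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a tweet as an HTML fragment. Plain text is escaped; http(s) URLs
 * become links. Only http(s) schemes match, so a javascript: URI never
 * reaches an href, and the URL is escaped before it goes into the attribute.
 */
function renderTweet(string $text): string
{
    $parts = preg_split(
        '#(https?://[^\s<>"\']+)#',
        $text,
        -1,
        PREG_SPLIT_DELIM_CAPTURE
    );
    $html = '';
    foreach ($parts as $i => $part) {
        $safe = escapeHtml($part);
        if ($i % 2 === 1) {
            // Captured URL: encoded for the attribute, and again as the link text.
            $html .= '<a href="' . $safe . '" rel="nofollow">' . $safe . '</a>';
        } else {
            $html .= $safe;
        }
    }
    return $html;
}

// Constructed inputs: the three tweets quoted in the post.
$tweets = [
    '<h2>Testing whether HTML breaks tr.im</h2> B/c my <script> tag did earlier</script> '
        . '<span style="color:blue;"> ScreenShot coming</script>',
    '<script type="text/javascript">alert(\'does this work?\');</script>',
    '<script type="text/javascript">'
        . 'document.body.select(\'img\').each(function(e){e.src="http://tr.im/evmz"});'
        . 'alert(\'check the images\')</script>',
];

foreach ($tweets as $tweet) {
    echo renderTweet($tweet), "\n\n";
}
```

Every < and > comes out as &lt; and &gt;, so the browser shows the script tags as text instead of running them, and the tr.im URL in the third tweet still becomes a clickable link because it is linked after escaping, not before.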
Services
January 18th, 2009
I currently provide a range of services in the area of web development and business consulting. If you are interested in these services, please visit my “Services” page.
My current services include:
- Web Development
- Proposal Consulting
- Website Consulting
- SEO Consulting
Contact me if you would like to talk to me about the services I can provide your company.