The “security guys” have been talking about the problems with FireFox’s password manager and I got curious. It turns out that javascript can access saved passwords in your password manager simply by creating a login form and capturing the input field’s contents. While this isn’t necessarily a vulnerability in FireFox, it does suck! The biggest attack vector is websites that allow user submitted content that have script injection holes. Basically, if a third party can... (more…)

A lot of weird things have been happening ever since we introduced a new error handler at (“the triangle”). First of all, it took down our whole site for a good portion of time (oops!), then it created a large project for us to review our code. Turns out a lot of the errors were just weird little things that we ignored. However, there were a few times where the @ operator php.net/language.operators.errorcontrol.php was a... (more…)

After listening to a javascript internals optimization talk, I wanted to see how these concepts could relate to PHP. The biggest thing that stuck out to me was the order of the for loops in javascript. According to the talk, loops written backwards (or using the deincrement operator instead of the increment one…) was a lot faster. They said comparing a value to zero was faster than comparing a value to another value. With the... (more…)

Everyone knows that standard SVN has its list of 6 or 8 standard hooks - but what if you’re 1) lazy, 2) busy, 3) don’t have access to the SVN server? Using one of the popular win32 shell integrated svn clients, TortoiseSVN, we can still force commit log messages easily: (more…)

Be careful! Those of you who are trying to emulate a symbolic link in windows have probably come across the Windows Resource Kit tool linkd.exe. This creates junction points on the file system. However, before you have to find out the hard way, here’s my reminder… junction points are more akin to hardlinks than symbolic links: if you delete a junction point, it deletes the target as well! (more…)

I was looking at some code I had written about 3 years ago - how sad! I was creating a PDF of my resume using PHP to grab my qualifications out of a database. Unfortunately, I never researched into the header php command, so I made my job harder. Instead of writing it with a php file, I made a php file, and renamed it as a .pdf file. I modified my .htaccess file to... (more…)

Arrays, return variables, expressions, OH MY! I recently learned a lesson about array functions in PHP not returning what I thought they would. I had a function that returned the value of array_shift()… and then used it in another function. Unfortunately, this generated a strict error and was causing some issues… As usual, I put together a proof of concept. Lets check out the code example, the error, and then why: (more…)

PHP developers, raise your hand if you run an explain on each MySQL statement you write and use in your apps! Anyone? Ok… 1… 2… that’s it? Yah, I tend to forget that too, but luckily PHP allows us to cheat. Thanks PHP! (more…)

Most of my development in Eclipse PDT with the results tested outside of it - using firefox. PDT has a few options in the Run… menu: (more…)

When researching for my live error reporting posting, I tried running some exec and passthru command tests by starting up calc.exe. While they executed the command correctly, I got some weird results in my script … which I suppose now make sense. Lets see how we can start programs in Windows, and not run into the same issues that I did. (more…)