-
Unread tabs Firefox extension (otherwise known as the simplest extension ever). Works. Via Paul
-
Inversions, by Scott Kim. Very cool. Via John Maeda
-
Rossi will contest the election in WA (via PoliPundit). Excellent. I'm glad he's not taking this lying down.
Tags: [Opinions/Politics]
-
VDH's Private Papers::The Disenchanted American (to finish reading), via LGF. "Imagine a world in which there was no United States during the last 15 years." Scary.
Tags: [Opinions/Politics]
-
Hillary Clinton's Former Campaign Finance Director Indicted. Was this the same guy who recorded donations from a terrorist sympathizer as coming from the "American Museum Council", camouflaging the donations from the "American Muslim Council"?
Tags: [Opinions/Politics]
-
The Mystery of Britney's Breasts. Boobs ordinarily confuse the minds of men, but Britney's boobs are just plain confusing.
-
I found out my chosen shortcut for redo is actually in use elsewhere. I discovered purely by accident, out of habit from using it in jEdit, that the shortcut works in Firefox. KWord and other apps do the same thing. Good deal.
Tags: [Programming]
-
Quitting the Paint Factory, "On the virtues of idleness", by Mark Slouka, via Paul. Entertainingly written. This seems like it'll be a fun thing to read when I have nothing else to do, and am sitting warm, in my rocking chair, in my pajamas, drinking alcohol, next to my fire.
It seems like one of those well-written, extremely earnest essays you read in English 101 and have to respond to that take what might be an interesting position, but one which really doesn't correspond too closely to reality, or give you a useful way to look at the world.
Tags: [Personal]
SQL Injection Attacks by Example, via Joseph[1].
Look. It's really easy:
Escape everything that comes in. Escape everything that goes out.
If you're sticking something into an SQL string and not escaping it, then that's bad -- unless of course you've already confirmed that it's (for instance) numeric, or you're being a fancy pants and using prepared statements.
If you're outputting something (into an HTML stream) and not escaping it, then that's bad. I see so many people using tags in Smarty and outputting variables like {$var}. AFAIK, Smarty doesn't do any automatic escaping, so you're really opening yourself up to XSS attacks, or at least allowing your HTML to be broken. I do almost all my (HTML) output in PHP with the following function:
<?php
// ENT_QUOTES escapes single quotes as well as double quotes, so the value is
// also safe inside single-quoted attributes; the charset is stated explicitly.
function e($str){ echo htmlspecialchars($str, ENT_QUOTES, 'UTF-8'); }
?>
It's even easier than typing echo, except I need parens.
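The two rules above, worked through in PHP as an added example (this is not the post's own code): a prepared statement on the way in, a numeric check for the "already confirmed it's numeric" case, and htmlspecialchars on the way out. It assumes PHP 7.4 or later with the pdo_sqlite extension; the users table and its rows are constructed here for the demonstration.

```php
<?php
// Added example, not the post's own code. Assumes PHP 7.4+ with pdo_sqlite.
// The users table and sample rows below are constructed for the demo.

// --- Output side -----------------------------------------------------------

// Same idea as the post's e(), but returning the string so it can be used in
// expressions. ENT_QUOTES also covers single-quoted attribute values.
function esc(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// --- Input side ------------------------------------------------------------

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (["O'Brien", 'Smith'] as $name) {   // constructed sample rows
        $ins->execute([':name' => $name]);
    }
    return $db;
}

// "Bad" in the post's terms: the value is pasted into the SQL text as-is.
function findByNameUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels as a parameter, never as SQL text,
// so quotes inside it cannot change the structure of the query.
function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The post's other exception: a value already confirmed numeric. Check it
// explicitly rather than relying on a cast, so "12abc" is refused instead of
// being silently truncated to 12.
function findById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;               // not a non-negative integer: refuse it
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demonstration ---------------------------------------------------------

$db = openDb();
$name = "O'Brien";                 // perfectly legitimate input

try {
    findByNameUnsafe($db, $name);
} catch (PDOException $e) {
    // The apostrophe closed the string literal early: ordinary data breaks
    // the query, and anything following the quote would be read as SQL.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

$rows = findByName($db, $name);    // one row, name "O'Brien"
var_dump(findById($db, '2'));      // the "Smith" row
var_dump(findById($db, '2 OR 1')); // NULL: fails the numeric check

// Output side: render the result into HTML only through esc().
$comment = '<script>alert(1)</script> & "quoted" \'single\'';
echo '<p>' . esc($rows[0]['name']) . ' wrote: ' . esc($comment) . "</p>\n";
// <p>O&#039;Brien wrote: &lt;script&gt;alert(1)&lt;/script&gt; &amp; &quot;quoted&quot; &#039;single&#039;</p>
```

The point of the O'Brien row is that the unsafe query fails on honest data before any attacker shows up, which is usually how this bug is first noticed; the prepared statement returns the row. For Smarty templates the output-side step is the escape modifier, `{$var|escape}`, rather than a bare `{$var}`.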
Footnotes:
[1]: I've seen references to the article floating around the web elsewhere, but I don't remember where. Ah, here's one, but I don't remember the other.
You may have gotten the sense that I highly value concise code, what with me making a big deal about wasting a line for a curly brace and quoting my favorite Dijkstra quote all the time.
Just now I took Natalie's time_since() code, which I've been using for a long while to print the English dates on my blogroll (thanks again Nat!), and shortened it a bit. I find it amusing how different it got:
<?php
function time_diff($now, $then){
    // Both arguments are Unix timestamps; under a minute apart there is nothing to count.
    if(($since = abs($now - $then)) < 60) return '< 1 minute';
    $names = array('year','month','week','day','hour','minute');
    $intervals = array(      // length of each unit in seconds, largest first
        60 * 60 * 24 * 365,
        60 * 60 * 24 * 30,
        60 * 60 * 24 * 7,
        60 * 60 * 24,
        60 * 60,
        60,
    );
    // Find the largest unit that fits at least once; $r is how many times it fits.
    $n=0; $c=count($names);
    while($n<$c and ($r=floor($since/$intervals[$n])) == 0) $n++;
    $print = "$r {$names[$n]}"; if($r > 1) $print .= 's';
    // Then the next smaller unit, if there is one and the remainder fills it at least once.
    if(++$n<$c and $r=(floor(($since - $r*$intervals[$n-1]) / $intervals[$n]))){
        $print .= ", $r {$names[$n]}"; if($r > 1) $print .= 's';
    }
    return $print;
}
?>
Update: I changed $count to $r (for "remainder") so it would fit without wrapping.
Update: Added a line to er, modified (the first line of) the code, see comments for details.
:)...
Keith: Jul 4, 11:32am