Planet eZ publish




derick rethans

› Xdebug 2.3: Moar var_dump()


This is the first article in a series about the new features in Xdebug 2.3, which was first released on February 22nd.

One of the new features relates to one of the first things that I added in the original Xdebug: making the var_dump() output "pretty". Xdebug replaces PHP's standard var_dump() function with its own version, as long as the xdebug.overload_var_dump setting is not set to 0.

Which means that instead of:

array(4) { [0]=> int(42) [1]=> string(6) "string" [2]=> bool(true) [3]=> float(3.1415926535898) }

You get:

Nothing new so far.

Xdebug 2.3 enhances the overloading of var_dump() by including the file name and line number of the place where var_dump() is called. This has been a long-standing feature request.

You can include this information by setting xdebug.overload_var_dump to 2. With xdebug.overload_var_dump set to 2, the overloaded var_dump() output now looks like:

As you can see, the file name and line number of where var_dump() was called are prepended to the output.

An already existing setting, xdebug.file_link_format, allows you to format file name and line number information so that Xdebug generates a link. This same setting is also respected by the inclusion of the file name and line number in the enhanced var_dump() output. Setting xdebug.file_link_format to xdebug://%f:%l will then link the file name to xdebug:///home/httpd/html/test/xdebug/overload-var-dump.php:4. If we look at this as an image, we will see:

In a future version of Xdebug, it is likely that I will either wrap the file name/line number information in the overloaded var_dump() output, or change the default value of the setting to 2.

27/02/2015 9:57 am (UTC)   Derick Rethans

ez publish community gateway

› Digital marketing tips for business owners

An article about marketing news.

26/02/2015 12:29 pm (UTC)   http://share.ez.no

ez publish community gateway

› Announcing The eZ Publish Show iTunes Podcast

The eZ Publish Show is a live hangout covering all topics concerning eZ Publish since 2012. So far 23 episodes have been aired, featuring many known eZ experts and a few special guests. Geoff Bentley was the original host, and I took over starting with episode 12.

13/02/2015 4:21 pm (UTC)   http://share.ez.no

netgen

› Announcing The eZ Publish Show iTunes Podcast

The eZ Publish Show is a live hangout covering all topics concerning eZ Publish since 2012. So far 23 episodes have been aired, featuring many known eZ experts and a few special guests. Geoff Bentley was the original host, and our colleague Ivo took over starting with episode 12.

13/02/2015 3:27 pm (UTC)   http://www.netgenlabs.com/Blog

netgen

› January @ Netgen

After giving 2014 a proper send-off, we started 2015 in a good rhythm. So, what did we do this January?

05/02/2015 3:37 pm (UTC)   http://www.netgenlabs.com/Blog

netgen

› The eZ Publish Show #23: Chunky Content

I had a very special guest in this week's episode of The eZ Publish Show. Karen McGrane, one of the thought leaders in the content strategy domain, joined the hangout. She regularly holds lectures at conferences and her latest book is “Content strategy for mobile”; she is really a star in the content field :). It was also great to have my colleague Igor Vrdoljak on the hangout, as he is very passionate about all things related to content. Read on.

30/01/2015 5:53 pm (UTC)   http://www.netgenlabs.com/Blog

mugo web

› Tracking individual users in Google Analytics

Google Analytics is the most popular tool for understanding how people are finding and using your site. In addition to its standard reports, you can use its User ID feature to get more fine-grained reporting about registered users. This enables you to better measure, anticipate, and meet or exceed your users' needs.

27/01/2015 10:17 pm (UTC)   Mugo Web

ez publish community gateway

› Tracking individual users in Google Analytics

Google Analytics is the most popular tool for understanding how people are finding and using your site. In addition to its standard reports, you can use its User ID feature to get more fine-grained reporting about registered users. This enables you to better measure, anticipate, and meet or exceed your users' needs.

27/01/2015 5:05 pm (UTC)   http://share.ez.no

derick rethans

› Questions from the Field: Should I Escape My Input, And If So, How?


At last weekend's PHP Benelux I gave a tutorial titled "From SQL to NoSQL". Large parts of the tutorial covered using MongoDB—how to use it from PHP, schema design, etc. I ran a little short of time, and since then I've been getting some questions. One of them being: "Should I escape my input, and if so, how?". Instead of trying to cram my answer in 140 characters on Twitter, I thought it'd be wise to reply with this blog post.

The short answer is: yes, you do need to escape.

The longer answer is a bit more complicated.

Unlike with SQL, inserting, updating and deleting data in MongoDB, as well as querying it, does not require building query strings. All data is always passed as a variable or a constant. Take for example:

<?php
// The opening lines were lost to extraction; reconstructed here assuming the legacy MongoClient driver.
$m = new MongoClient;
$c = $m->demo->col;
$c->insert( [ 'name' => $_GET['name'] ] );
?>

Because we don't need to create a string containing the full insert statement, there is no need to escape with ' to prevent issues like SQL injection. The context in which variables are used is immediately clear.

But be aware that PHP's request parameters (GET, POST, COOKIE, and others) allow you to send not only scalar values, but also arrays. If we take the example code from above in mind, and request the URL http://localhost/script.php?name[first]=Derick&name[last]=Rethans, we end up inserting the following document into the collection:

[ 'name' => [
        'first' => 'Derick',
        'last' => 'Rethans'
] ]

And this is probably not what you had in mind.

The same trick is possible when doing queries. Look at this code:

<?php
// The opening lines were lost to extraction; reconstructed here assuming the legacy MongoClient driver.
$m = new MongoClient;
$c = $m->demo->col;

// Both values come straight from the request, unchecked.
$r = $c->findOne( [
        'user_id' => $_GET['uid'],
        'password' => $_GET['password']
] );
?>

If we now request the URL http://localhost/script.php?uid=3&password[$neq]=foo, we end up doing the following query:

<?php
// The opening lines were lost to extraction; reconstructed here assuming the legacy MongoClient driver.
$m = new MongoClient;
$c = $m->demo->col;

// What the request above effectively turns the filter into.
$r = $c->findOne( [
        'user_id' => '3',
        'password' => [ '$neq' => 'foo' ]
] );
?>

The password clause in that query will likely always match. Of course, if you are not storing passwords as a hash, you have other problems too! This is just a simple example to illustrate the problem.

This same example highlights the second issue: all request parameters are always represented as strings in PHP. Hence my use of '3' instead of 3 in the above example. MongoDB treats '3' and 3 differently while matching, and searching for 'user_id' => '3' will not find documents where 3 is stored as a number. I wrote more extensively about that before.

So although MongoDB's query language does not require you to build strings, and hence to "escape" input, you do need to make sure that the data is of the correct data type. For example you can do:

<?php
// The opening lines were lost to extraction; reconstructed here assuming the legacy MongoClient driver.
$m = new MongoClient;
$c = $m->demo->col;

// Casting forces each value to a scalar of the expected type.
$r = $c->findOne( [
        'user_id' => (int) $_GET['uid'],
        'password' => (string) $_GET['password']
] );
?>

For scalar values, a cast like the one I've used above is often the easiest, but you might end up converting an array to the string 'Array' or the number 1.

In most cases, it means that if you want to do things right, you will need to check the data types of GET/POST/COOKIE parameters, and cast, convert, or bail out as appropriate.
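The "check, cast, or bail out" approach from the last paragraph, carried through as an added example (not code from the original post): request parameters are validated as scalars of the expected type before they reach the findOne() filter, and an array value such as the password[$neq]=foo case above causes the request to be refused instead of being cast to 'Array'. It assumes PHP 7.1+ for the nullable return types; the parameter names uid and password are taken from the post.

```php
<?php
// Added example: validate GET/POST/COOKIE parameters before building
// a MongoDB filter. Constructed inputs stand in for $_GET below.

/**
 * Return $params[$key] as an int, or null if it is missing, not a
 * scalar (e.g. an array from ?uid[]=3), or not an integer string.
 */
function requestInt(array $params, string $key): ?int
{
    if (!isset($params[$key]) || !is_scalar($params[$key])) {
        return null;
    }
    // filter_var() requires a scalar by default and returns false
    // for anything that is not a valid integer, such as "3abc".
    $value = filter_var($params[$key], FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

/** Return $params[$key] as a string, or null if missing or not a scalar. */
function requestString(array $params, string $key): ?string
{
    if (!isset($params[$key]) || !is_scalar($params[$key])) {
        return null;
    }
    return (string) $params[$key];
}

/**
 * Build the findOne() filter from validated input. Returns null when
 * any parameter fails validation, so the caller bails out instead of
 * querying with an operator object like [ '$neq' => 'foo' ].
 */
function buildLoginFilter(array $params): ?array
{
    $uid = requestInt($params, 'uid');
    $password = requestString($params, 'password');
    if ($uid === null || $password === null) {
        return null;
    }
    // Both values are plain scalars of the type stored in the collection.
    return [ 'user_id' => $uid, 'password' => $password ];
}

// Constructed request parameters: one well-formed, one carrying an array.
$requests = [
    'scalar input' => [ 'uid' => '3', 'password' => 'secret' ],
    'array input'  => [ 'uid' => '3', 'password' => [ '$neq' => 'foo' ] ],
];
foreach ($requests as $label => $params) {
    $filter = buildLoginFilter($params);
    echo $label, ': ', $filter === null ? 'refused' : json_encode($filter), "\n";
}
```

The filter is only ever handed to findOne() when it is non-null; with hashed passwords the comparison would be done against the stored hash rather than in the query, as the post notes.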

27/01/2015 10:03 am (UTC)   Derick Rethans

ez publish community gateway

› How to detect element’s CSS transition end time with JavaScript?

In this blog post I’m going to share with you some knowledge on how to detect when the CSS animation/transition/transformation completes using capabilities of JavaScript.

26/01/2015 3:22 pm (UTC)   http://share.ez.no