
Planet eZ publish




mugo web

› Tracking individual users in Google Analytics

Google Analytics is the most popular tool for understanding how people are finding and using your site. In addition to its standard reports, you can use its User ID feature to get more fine-grained reporting about registered users. This enables you to better measure, anticipate, and meet or exceed your users' needs.

27/01/2015 10:17 pm (UTC)   Mugo Web   View entry

ez publish community gateway

› Tracking individual users in Google Analytics

Google Analytics is the most popular tool for understanding how people are finding and using your site. In addition to its standard reports, you can use its User ID feature to get more fine-grained reporting about registered users. This enables you to better measure, anticipate, and meet or exceed your users' needs.

27/01/2015 5:05 pm (UTC)   http://share.ez.no   View entry

derick rethans

› Questions from the Field: Should I Escape My Input, And If So, How?


At last weekend's PHP Benelux I gave a tutorial titled "From SQL to NoSQL". Large parts of the tutorial covered using MongoDB—how to use it from PHP, schema design, etc. I ran a little short of time, and since then I've been getting some questions. One of them being: "Should I escape my input, and if so, how?". Instead of trying to cram my answer in 140 characters on Twitter, I thought it'd be wise to reply with this blog post.

The short answer is: yes, you do need to escape.

The longer answer is a bit more complicated.

Unlike with SQL, inserting, updating and deleting data, as well as querying data, does not require building strings in MongoDB. All data is always passed as a variable or a constant. Take for example:

<?php
// The opening lines were lost in extraction; the client setup below is reconstructed
// (legacy "mongo" extension, as used at the time of the post).
$m = new MongoClient();
$c = $m->demo->col;
// Insert whatever arrived in the "name" request parameter, unchecked.
$c->insert( [ 'name' => $_GET['name'] ] );
?>

Because we don't need to build a string containing the full insert statement, there is no need to escape with ' to prevent issues like SQL injection: the context in which each variable is used is immediately clear.

But be aware that PHP's request parameters (GET, POST, COOKIE, and others) allow you to send not only scalar values, but also arrays. With the example code above in mind, if we request the URL http://localhost/script.php?name[first]=Derick&name[last]=Rethans, we end up inserting the following document into the collection:

[ 'name' => [
        'first' => 'Derick',
        'last' => 'Rethans'
] ]

And this is probably not what you had in mind.

The same trick is possible when doing queries. Look at this code:

<?php
// Client setup reconstructed (lost in extraction), as in the first example.
$m = new MongoClient();
$c = $m->demo->col;

// Both values come straight from the query string, so either may be an array.
$r = $c->findOne( [
        'user_id' => $_GET['uid'],
        'password' => $_GET['password']
] );
?>

If we now request the URL http://localhost/script.php?uid=3&password[$ne]=foo, we end up running the following query:

<?php
// Client setup reconstructed (lost in extraction), as in the first example.
$m = new MongoClient();
$c = $m->demo->col;

// What the previous script effectively executes for that URL:
// the password clause has become a "$ne" operator document.
$r = $c->findOne( [
        'user_id' => '3',
        'password' => [ '$ne' => 'foo' ]
] );
?>

The password clause in that query will likely always match. Of course, if you are not storing passwords as a hash, you have other problems too! This is just a simple example to illustrate the problem.

This same example highlights a second issue: all request parameters are always represented as strings in PHP, hence my use of '3' instead of 3 in the example above. MongoDB treats '3' and 3 differently when matching, so searching for 'user_id' => '3' will not find documents where 3 is stored as a number. I wrote more extensively about that before.

So although MongoDB's query language does not require you to build strings, and hence does not require you to "escape" input, you do still need to make sure that the data is of the correct data type. For example you can do:

<?php
// Client setup reconstructed (lost in extraction), as in the first example.
$m = new MongoClient();
$c = $m->demo->col;

// Casting forces scalar types: an array can no longer become an operator document.
$r = $c->findOne( [
        'user_id' => (int) $_GET['uid'],
        'password' => (string) $_GET['password']
] );
?>

For scalar values, a cast like the one above is often the easiest, but if the parameter is actually an array you will end up converting it to the string 'Array' or the number 1.

In most cases, it means that if you want to do things right, you will need to check the data types of GET/POST/COOKIE parameters, and cast, convert, or bail out as appropriate.
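The following is an added example, not code from the original post, showing the "check, cast, convert, or bail out" step in practice. It uses parse_str() to reproduce the bracket-to-array conversion PHP applies to request parameters, then validates each parameter before it is placed in the findOne() filter. The helper names (requireInt, requireString, buildLoginFilter) and the query strings are constructed for this example; no database connection is made, the filter array is simply returned.

```php
<?php
// Added example, not from the original post. It shows how PHP turns
// bracketed query-string keys into arrays, and one way to validate
// request parameters before they are placed into a MongoDB filter.
// No database connection is needed; the filter array is just returned.

declare(strict_types=1);

/**
 * Return $params[$key] as an int, or throw if it is missing, an array,
 * or not an integer string. FILTER_VALIDATE_INT rejects "3abc", "" and
 * arrays, unlike a bare (int) cast, which silently yields 3, 0 and 1.
 */
function requireInt(array $params, string $key): int
{
    if (!array_key_exists($key, $params) || is_array($params[$key])) {
        throw new InvalidArgumentException("$key must be a scalar");
    }
    $value = filter_var($params[$key], FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $value;
}

/**
 * Return $params[$key] as a string, or throw if it is missing or an array.
 * An array here is exactly the password[$ne]=foo case from the post: it
 * would otherwise become an operator document inside the query.
 */
function requireString(array $params, string $key): string
{
    if (!array_key_exists($key, $params) || !is_string($params[$key])) {
        throw new InvalidArgumentException("$key must be a string");
    }
    return $params[$key];
}

/**
 * Build the findOne() filter from the post with both values type-checked.
 * Returns the filter array instead of running it, so this runs offline.
 */
function buildLoginFilter(array $params): array
{
    return [
        'user_id'  => requireInt($params, 'uid'),
        'password' => requireString($params, 'password'),
    ];
}

// Constructed query strings standing in for $_GET; parse_str() performs the
// same bracket-to-array conversion PHP applies to real request parameters.
$cases = [
    'uid=3&password=secret',                  // well-formed request
    'uid=3&password[$ne]=foo',                // operator smuggled in via an array
    'uid=3abc&password=secret',               // uid is not an integer
    'name[first]=Derick&name[last]=Rethans',  // nested array, uid missing
];

foreach ($cases as $queryString) {
    parse_str($queryString, $params);
    echo "Parsed:   ", var_export($params, true), "\n";
    try {
        $filter = buildLoginFilter($params);
        echo "Filter:   ", json_encode($filter), "\n\n";
    } catch (InvalidArgumentException $e) {
        echo "Rejected: ", $e->getMessage(), "\n\n";
    }
}
```

Only the first case produces a filter ({"user_id":3,"password":"secret"}); the other three are rejected before any query is built. Bailing out with an exception rather than casting is the design choice here: a cast would turn the `$ne` array into the string 'Array' and quietly run a query that can never match, which hides the malformed request instead of surfacing it in the application's error log.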

27/01/2015 10:03 am (UTC)   Derick Rethans   View entry

ez publish community gateway

› How to detect element’s CSS transition end time with JavaScript?

In this blog post I’m going to share with you some knowledge on how to detect when the CSS animation/transition/transformation completes using capabilities of JavaScript.

26/01/2015 3:22 pm (UTC)   http://share.ez.no   View entry

ez publish community gateway

› Next episode of The eZ Publish Show: Chunky Content

Dear eZ Community,

The next episode of The eZ Publish Show will be aired on Tuesday, January 27th at 16:30 CET (10:30 ET). Our topic will be a non-technical one, more in the domain of content strategy, but still very relevant to eZ Publish CMS.

21/01/2015 5:46 pm (UTC)   http://share.ez.no   View entry

ez publish community gateway

› On automation and contribution

Last Thursday I had the opportunity to speak at the eZ Meetup in Lyon, where I showcased the tools and techniques we use at Heliopsis to speed up eZ Publish 5 site development.

21/01/2015 12:44 pm (UTC)   http://share.ez.no   View entry

netgen

› 2014! The baseline for a great future

So another year has passed. It has passed so quickly probably because we have been so busy. Each year the Netgen team surprises me with all the things achieved and this year was the best so far. New year has started so it’s time for a short recap, just like for the last 3 years: 2011, 2012, 2013.

12/01/2015 6:20 pm (UTC)   http://www.netgenlabs.com/Blog   View entry

damien pobel

› Status report and meetups around eZ Publish PlatformUI

Status report on PlatformUI for eZ Publish Platform

Last week I published PlatformUI December 2014 status on the eZ Systems engineering team blog. As its title indicates, that post details the current state of the PlatformUIBundle as well as the more or less short-term plans for the development of this bundle which, as a reminder, will provide the editorial and administration interface of the upcoming versions of eZ Publish Platform. On that occasion, I recorded a screencast of what is currently possible:

Meetups around eZ Publish PlatformUI

eZ Publish PlatformUI will be the main topic of the next two eZ meetups, organised in Lyon and Paris. I will therefore be in Lyon on 15 January and also in Paris on 20 January to present this project and answer all your questions. As for the previous meetup, don't hesitate to register; we will of course be delighted to discuss our product over a drink and answer all your questions.

12/01/2015 8:07 am (UTC)   Damien Pobel   View entry

ez publish community gateway

› JavaScript and CSS in eZ Publish 5

A key component of a content management system or web application is the handling of JavaScript and CSS files, specifically around loading, combining, and minifying them. Loading fewer files and a smaller amount of data in each file leads to both server-side and client-side performance improvements. In eZ Publish 4 / legacy, this was handled nicely with an extension called ezjscore. Now in the eZ Publish 5 new stack, we have a Symfony tool called Assetic. In this post we'll introduce how Assetic works in eZ Publish 5.0 through 5.4.

07/01/2015 8:26 pm (UTC)   http://share.ez.no   View entry

ez publish community gateway

› PBEBaseBundle got released

I finally released PBEBaseBundle, a webpage helper bundle for the eZ Publish 5 Platform.

07/01/2015 6:35 pm (UTC)   http://share.ez.no   View entry