Snippets

Yet another programmer blogging about code

Posts tagged “php”

Stop turning off CURLOPT_SSL_VERIFYPEER and fix your PHP config

As Pádraic Brady points out in a recent article about PHP security, there’s a whole lot of misinformation about how to deal with the error “SSL certificate problem, verify that the CA cert is OK” from curl. Nearly everyone advises that you turn CURLOPT_SSL_VERIFYPEER off (in fact, countless comments on the PHP manual page for curl_setopt tell you this). This is bad, because it allows your nice, encrypted stream of confidential data to be silently hijacked by a bad guy. Don’t do that! Instead, just fix your PHP installation so that it doesn’t get that error.

PHP Security: Default Vulnerabilities, Security Omissions and Framing Programmers?

Pádraic Brady has written a must-read article on some of the silly defaults in PHP that put the lie to the old adage, “what you don’t know won’t hurt you”. Clearly, some of this stuff could hurt you/your clients very easily. And I have to put my hand up to failing on the SSL/TLS and XML injection attack vulnerabilities…

How to hack a WordPress plugin that doesn’t have the filters you want

The best thing about WordPress, besides the fact that nearly anyone can edit a website built with it, is hooks. Filter and action hooks allow developers like me to customise a WordPress website in myriad ways. Many good plugins provide hooks too. But inevitably, you’ll run up against a problem where you’d like a plugin to have a hook that it just doesn’t have. You can ask the plugin author nicely to add that hook, and maybe they’ll add it sometime soon, maybe even on time for your deadline. But what if your deadline comes before they add it?

Filter invalid characters from XMLReader input files

I just ran into a problem reading XML data exported from a Microsoft Access database. For whatever reason, Access has written VT (vertical tab) characters in the XML, which PHP’s XMLReader baulks at. To be able to handle that on each data load without requiring the user to edit their XML, I wrote a simple PHP stream filter that replaces each VT character with a LF (line feed).

Cleaning up WordPress plugin script and stylesheet loads over SSL

It’s quite common to use WordPress as the host for an online shop, and that often means having an order page that needs to be encrypted via SSL. You don’t want your customers providing credit card details or other sensitive information over an unencrypted connection! But many WordPress plugins don’t take SSL into account, and merrily load scripts and stylesheets without encryption. Here’s a couple of ways to fix this problem.

Events Manager conditional placeholders for custom attributes

The Events Manager plugin for WordPress is pretty flexible, allowing you to easily add custom attributes to your event posts. It also has conditional placeholders that allow you to display or hide information conditionally. There is a nice tutorial on the plugin website showing you how to add your own conditional placeholders. Let’s bring this all together with a conditional placeholder for a custom attribute.