PHPNews

stop writing your own strip tags

@devnuhl sent this one to us via a Gist earlier today. Some background he gave us: Honestly just stumbled onto this while updating the codebase. Oddly enough, it seems like the only usage of this function is in another function in the same file, which is being added to the gist now. Having gotten rid of some …

Written by CSI: PHP - - Aggregated on Monday May 2, 2016


Everyone ALWAYS has JavaScript enabled right?

A JavaScript redirect is a fairly simple technique to easily redirect your users to a new location. Within the confines of a PHP application if you need the parent window’s URL, JavaScript is the easiest way to grab that info. We have a PHP application that has a checkIfUserIsLoggedIn function and an $user_logged_i…

Written by CSI: PHP - - Aggregated on Friday April 8, 2016


Shortcuts Are Bad

Friend of mine asked me to take a look at his PHP script. The original scope was to call this script via ajax, posting an email address to get saved to a database. Here is the original code …

Written by CSI: PHP - - Aggregated on Friday April 8, 2016


No Way That's Real

I thought that Graham was the most devious PHP code troll I’d ever met. Turns out I was wrong. Dead wrong. This tweet led me to this post: “Creating a user from the web problem”, which includes this code: shell_exec("sudo useradd -p $encpass -g groupname -s …

Written by CSI: PHP - - Aggregated on Tuesday August 27, 2013


Artisan Level Code Trolling

WARNING: The code you’re about to view is intended for mature audiences and may not be suitable for all readers. I saw this horrifying code snippet in my Twitter feed this afternoon. To make this abomination easier to read, I’ve copied and formatted it here. …

Written by CSI: PHP - - Aggregated on Monday August 19, 2013


I Am Repeating Myself

Today’s entry is a guest post from the world-renowned Michelangelo van Dam, PHP master, community hero, consultant, and all around nice guy. Thanks for the post, Mike! Yes, I’m repeating myself and apparently I need to. A quick search on GitHub today revealed that 86,000+ people still use $_GET in their mysql …

Written by CSI: PHP - - Aggregated on Monday August 5, 2013


DateTime What?

I’ve seen a lot of crazy, tortured interactions between PHP and databases in my career, but this particular solution to the problem of displaying future dates is one of the most tortured I’ve ever seen. The short story is that the developer in question must have known SQL much better than any scripting …

Written by CSI: PHP - - Aggregated on Wednesday July 17, 2013


Senior dev invites application destruction

I’m not sure what else you’d call this besides an open invitation to face roll your database. How many times have we discussed SQL injection here at CSI: PHP? I guess we’ll have to discuss it a lot more. I’ll let contributor @dilbert for life explain it in his own words: “Read this today on a developer …

Written by CSI: PHP - - Aggregated on Monday May 27, 2013


date.timezone WTF?

CSI: PHP Investigator @jsundquist recently forwarded the below incident report: Yesterday a user posted in the php general mailing list asking why he needed to set a default timezone now for php 5.3. It was explained to him why and how. After doing some of his own research he decided to go the route of: …

Written by CSI: PHP - - Aggregated on Monday May 20, 2013


Words escape me

Look, I know this is going to be tough to read, and I usually try to post short, snappy code snippets, but this is just too good. Or sad. Whatever. Words truly escape me. Take it away anonymous submitter: “Look at all these standalone ternaries for validating form input. What a mess! They’re embedded in what …

Written by CSI: PHP - - Aggregated on Friday October 12, 2012


Too few DEFINEs for my taste

The Crime: It takes a big man to admit when he’s wrong, and @dilbert4life is one of those men. Here’s a snippet of horror that he wrote around a year-and-a-half ago. Too many defines? Nay! I say let the site grow and see just how many we can stuff in there. …

Written by CSI: PHP - - Aggregated on Friday September 28, 2012


What idiot wrote this? Oh, wait, it was me.

Starting with this post, we have a new category here at CSI: PHP. It’s called ‘mea culpa’, and it’s criminal code written by yours truly. Behold the awesome that is error(), an unholy concoction of PHP, JavaScript, and HTML. It’s the only function in a file called common.php, which makes perfect sense because …

Written by CSI: PHP - - Aggregated on Friday September 21, 2012


Stop rolling your own

Seriously. Stop it. Or you’ll end up with garbage like this, in which a developer writes two separate functions for converting JSON to an array, only one of which is compatible with json_decode. Yes, both are in production. …

Written by CSI: PHP - - Aggregated on Friday September 14, 2012


We don't need no stinkin' POST variables

CSI: PHP investigator Duane Gran sent in this horrifying snippet. He explains: I wondered why dumping the $_POST variables before this section didn’t help in debugging. This occurs in a second step of a 3-step form on a GET request. It applies a set of session fields to the $_POST variable for later use. …

Written by CSI: PHP - - Aggregated on Friday September 7, 2012


I do not think DRY means what you think it means

Perhaps this developer decided it would be better to create convenience methods than to litter their codebase with date format strings. Nothing wrong with trying to DRY up your code, but creating 13 inscrutably named date formatting functions ain’t the way to do it. …

Written by CSI: PHP - - Aggregated on Friday August 31, 2012


Concatenation is not a parser error

CSI: PHP isn’t big on the perp walk, but if your crime is (1) public and (2) licensed with an Attribution-NonCommercial-ShareAlike Creative Commons license, then you kinda perp walked yourself. <?php // What will this print out in php5? $earth = 'World'; $string1 = "Hello " …

Written by CSI: PHP - - Aggregated on Thursday February 23, 2012


The Interview

Yes, this really happened. Q: How long have you been working with PHP? A: About 8 years. Q: On a scale of 1 – 10, how would you rate your proficiency with PHP? A: I’d say I’m an expert. Q: Can you tell me the difference between an abstract class and an interface, and when you might use either? …

Written by CSI: PHP - - Aggregated on Thursday February 9, 2012


For your consideration

This was sent along anonymously, along with the question: “Does this count as horror code or pure evil genius code?” What say you, dear reader? I cut and paste, you decide. <?php function cli_parsestr($string, $config, $mainconf, …

Written by CSI: PHP - - Aggregated on Friday February 3, 2012