Archive: PHP
May 1, 2008
Server-side Google Analytics
Peter van der Graaf did a little analysis of the URLs that are generated by the Google Analytics Javascript API and put together a very useful tutorial for building Analytics-enabled applications without the use of Javascript.
When you look at the analytics javascript code you see that it combines several sets of data into an image request. This image request sends the right data to Google (not the javascript). When you know what URL you should use for the image, you can call the image directly and send the same data. Of course you need to be able to request the image URL and that isn't easy from another image, RSS feed or PDF. This is why we request it "server side".
You can add the code to the PHP that drives a blog site, for instance, and generate page views when your RSS feed is hit. You can even write a very simple script to proxy images and downloads, which will let you track hit data for all files on your site, not just the html pages viewed by a javascript enabled browser.
Taken a step further, you could even use this on the client side, triggering analytics views from standalone Flash apps or even desktop applications.
The one thing you need to keep in mind is that server-side analytics requests will appear to come from your server, not the client's machine. So while you can track page views and download events this way, you'll lose a lot of the information about your user base (browser, location, and so on). Because of this, it would probably make sense to use a separate tracking ID for the server-side events.
Google Analytics Without Javascript
Posted by Jason Striegel | May 1, 2008 08:27 PM | Google, PHP, Statistics, Web, Web Site Measurement
April 29, 2008
Stop XSS attacks with SafeHTML
If you allow user-contributed content on your site, you run into the problem of handling user-supplied HTML safely. The most secure approach, of course, is to strip or escape all HTML from user input fields. Unfortunately, there are many situations where it would be nice to allow a large subset of HTML input while blocking anything potentially dangerous.
SafeHTML is a lightweight PHP user input sanitizer that does just that. Just run any input field through the SafeHTML filter and any javascript, object tags, or layout breaking tags will be stripped from the supplied text. It also does a reasonable job of correcting any gnarly, malformed code, which is also a common problem with user-contributed data.
Using it is easy. Just instantiate the SafeHTML object and call its parse method:
```php
<?php
require_once('classes/safehtml.php');

// The original PHP 4 idiom was `$safehtml =& new SafeHTML();`; assigning the
// object directly is the correct form on PHP 5 and later.
$safehtml = new SafeHTML();

if (isset($_POST["inputfield"])) {
    $inputfield = $_POST["inputfield"];
    // Strip dangerous tags and tidy up whatever markup remains.
    $cleaninput = $safehtml->parse($inputfield);
}
```
This will take the posted "inputfield" parameter, strip any baddies, XHTMLify what's left, and the result will be stored in the $cleaninput variable. It's a simple addition to your code, and a lot more straightforward than trying to roll your own.
My only beef with the package is that it's written with a default allow policy, stripping out tags that are in its deleteTags array, but essentially allowing anything else through. If you'd rather only let through tags that you specifically want to allow, I'd recommend adding an allowTags array and adjusting the _openHandler method, adding the following after the deleteTags check:
```php
// Default deny: after the deleteTags check in _openHandler, reject any tag
// that is not explicitly listed in the allowTags array.
if (!in_array($name, $this->allowTags)) {
    return true;
}
```
You'll need to fill allowTags with everything you know to be safe and welcome, and you may miss a few that people will end up wanting to legitimately use, but this is easily corrected and the default deny policy is much safer in the long run.
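To make the default-allow versus default-deny difference concrete, here is an added example (mine, not SafeHTML's code) that runs one DOMDocument-based walk over the same fragment, first driven by a deny list and then by an allow list. The tag and attribute lists and the input are constructed for illustration.

```php
<?php
// Added example, not SafeHTML's code: one DOM walk, two tag policies.
function sanitize(string $html, callable $tagAllowed, array $allowedAttrs): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);              // tolerate malformed user markup
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                 // the wrapper <div>
    scrub($root, $tagAllowed, $allowedAttrs);
    $out = '';
    foreach ($root->childNodes as $child) {        // serialise without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function scrub(DOMNode $node, callable $tagAllowed, array $allowedAttrs): void
{
    // Snapshot the child list: the tree is mutated while we walk it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            continue;                              // text and comments pass unchanged
        }
        $name = strtolower($child->tagName);
        if (!$tagAllowed($name)) {
            $node->removeChild($child);            // element and its whole subtree go
            continue;
        }
        // Attributes are always allow-listed; this is what removes on* handlers.
        foreach (iterator_to_array($child->attributes) as $attr) {
            if (!in_array($attr->name, $allowedAttrs[$name] ?? [], true)) {
                $child->removeAttribute($attr->name);
            }
        }
        scrub($child, $tagAllowed, $allowedAttrs);
    }
}

// Constructed input: a harmless paragraph, inline handlers, a script, and a
// tag (<marquee>) that is on neither list.
$input = '<p onclick="run()">Hi <b>there</b></p><script>alert("xss")</script>'
       . '<marquee>not on the deny list</marquee><a href="/x" onmouseover="run()">link</a>';
$denyTags  = ['script', 'object', 'embed', 'iframe', 'style'];
$allowTags = ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br'];
$attrs     = ['a' => ['href', 'title']];
// Deny list (SafeHTML's default-allow stance): <marquee> survives because nobody listed it.
echo sanitize($input, fn($t) => !in_array($t, $denyTags, true), $attrs), "\n";
// Allow list (the default-deny change suggested above): only the named tags remain.
echo sanitize($input, fn($t) => in_array($t, $allowTags, true), $attrs), "\n";
```

A production filter also has to validate URL-bearing attributes such as href, since the scheme itself can carry script; that check is left out here to keep the tag-policy contrast visible.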
SafeHTML - an anti-XSS HTML parser, written in PHP
Posted by Jason Striegel | Apr 29, 2008 08:49 PM | Network Security, PHP, Web
July 6, 2007
Telekinesis - remote control your Mac with an iPhone

Telekinesis is a bundle of small web apps that you can run on your Mac to give the iPhone remote control. You can use it to stream media files to your iPhone, run scripts remotely, and capture images with the iSight.
You can also add your own features by dropping custom PHP applications beneath the Application Support library folder.
Telekinesis Project - Link
Create apps for Telekinesis - Link
Posted by Jason Striegel | Jul 6, 2007 08:19 PM | Mac, PHP, iPhone
June 2, 2007
Update Facebook status with PHP and cURL
Christian Flickinger wanted to be able to sync status updates between his Twitter and Facebook accounts, so that when his status is updated on Twitter, his Facebook status is automatically updated at the same time. Unfortunately, Facebook didn't have an API for setting status, so Christian decided to hack his own using PHP and cURL.
With a few lines of code, his script authenticates with a Facebook account and updates its status. It's a simple script you can incorporate into your own project to sync your status to anything - Link.
Posted by Jason Striegel | Jun 2, 2007 10:55 PM | PHP, Web
April 23, 2007
Faster PHP: Profile Your Scripts With Xdebug
[Screenshot: KCacheGrind profile of a PHP script]
Xdebug is a powerful PHP extension that can help you track down bottlenecks in your PHP code. From the Xdebug profiling howto:
The profiler in Xdebug 2 outputs profiling information in the form of a cachegrind compatible file. This allows you to use the excellent KCacheGrind tool (Linux, KDE) to analyse your profiling data. Users of the Windows operating system can use WinCacheGrind.
Shown above is a screenshot of KCacheGrind, showing that this particular script spends much of its time in mysql_query calls. Once you know where your code is chewing up cycles, you'll have a better idea of where to focus any optimization efforts, either by cleaning up inefficient code and database queries, or by employing a suitable caching strategy.
Faster PHP Apps--Profile Your Code with Xdebug - Link.
Resources:
- Xdebug
- KCacheGrind - analysis tool for KDE
- WinCacheGrind analysis tool for Windows
- How to use Xdebug's profiling tools with KCacheGrind
Posted by Jason Striegel | Apr 23, 2007 08:04 PM | PHP