At the suggestion of my buddy Lee Springer, I hung out with the PHP geeks at the SF PHP Meetup in the CNET building last Thursday night. A couple of Zend guys talked about version 1.5 of Zend Framework. It was good to get a view into what they are up to, although in many ways they are making a super robust version of the techniques I was implementing about 10 years ago.
Oh man! It just hit me that it was about 10 years ago that I started writing the first edition of Core PHP Programming! Yikes!
There were about 50 people who showed up. That’s impressive based on my experience from years ago with the old PHP users group that dwindled into nothing. A guy named Mariano Peterson came up to me and recognized me as the author of Core PHP. That was cool! Michael Tougeron also made a point to say hello to me. He’s looking to get me to talk at some point, but I’m not feeling like I have something significant to talk about.
The most remarkable part of the session was when someone asked if the new Zend Forms code filtered input for SQL injection attacks. Terry Chay spoke up about this, saying quite correctly that you should prepare data with escaping at the moment you send the data out. If it’s going to the browser, convert special characters to entities. If it’s going to the database, escape the special characters right before you assemble the query. You don’t want the mess we had many years ago with magic quotes.
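To make that point concrete, here is a small PHP script I have added for this post (it is not Terry's code, nor anything from Zend Framework). It escapes one untrusted value for each destination at the moment the value is sent there; for the database side it uses PDO bound parameters, which are the modern equivalent of escaping right before the query is assembled, and it assumes PDO with an in-memory SQLite driver is available.

```php
<?php
// Added example: the same untrusted value, escaped for each output context
// at the moment it is used, rather than mangled once on input the way
// magic quotes did.

declare(strict_types=1);

// Constructed input: something a user might legitimately type, containing
// both a quote and an HTML-special character.
$name = "O'Reilly <b>";

// 1. Going to the browser: convert special characters to HTML entities.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Going to the database: let the driver keep code and data apart.
//    A bound parameter is never spliced into the SQL text, so a quote in
//    the value has nothing to break out of. This stands in for calling the
//    driver's escape function immediately before building the query string.
function findUserByName(PDO $db, string $value): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $value, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database (assumed available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);   // stored exactly as typed, no backslash

$rows = findUserByName($db, $name);     // the raw value finds its own row again
echo escapeForHtml($rows[0]['name']), PHP_EOL;

// What magic quotes got wrong: escaping on input baked backslashes into the
// stored value and into the rendered page, and a value that never reached
// SQL at all was still mangled. Escaping once, at the boundary the value is
// about to cross, avoids both problems.
```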
Then, Terry made what seemed like a non sequitur. After explaining how you would protect your Zend Framework app from SQL injection, he declared “I hate Zend Framework, but that’s how you’d do it.” That made me smile. He later clarified that he hates all frameworks. I can appreciate that attitude. I know I sometimes feel like frameworks are a solution looking for a problem. I’m not even sure if FreeEnergy is a true framework or just a set of idioms.
Anyway, I’m sure I’ll be showing up to the meetups now. Next time I’ll plan on staying later and chatting with more people.