At the suggestion of my buddy Lee Springer, I hung out with the PHP geeks at the SF PHP Meetup in the CNET building last Thursday night. A couple of Zend guys talked about version 1.5 of Zend Framework. It was good to get a view into what they are up to, although in many ways they are making a super robust version of the techniques I was implementing about 10 years ago.
Oh man! It just hit me that it was about 10 years ago that I started writing the first edition of Core PHP Programming! Yikes!
There were about 50 people who showed up. That’s impressive based on my experience from years ago with the old PHP users group that dwindled into nothing. A guy named Mariano Peterson came up to me and recognized me as the author of Core PHP. That was cool! Michael Tougeron also made a point to say hello to me. He’s looking to get me to talk at some point, but I’m not feeling like a something significant to talk about.
The most remarkable part of the session was when someone asked if the new Zend Forms code filtered input for SQL injection attacks. Terry Chay spoke up about this, saying quite correctly that you should prepare data with escaping at the moment you send the data out. If it’s going to the browser, convert special characters to entities. If it’s going to the database, escape the special characters right before you assemble the query. You don’t want the mess we had many years ago with magic quotes.
Then, Terry made what seemed like a nonsequitur. After explaining how you would protect you Zend Framework app from SQL injection, he declared “I hate Zend Framework, but that’s how you’d do it.” That made me smile. He later clarified that he hates all frameworks. I can appreciate that attitude. I know I sometimes feel like frameworks are a solution looking for a problem. I’m not even sure if FreeEnergy is a true framework or just a set of idioms.
Anyway, I’m sure I’ll be showing up to the meetups now. Next time I’ll plan on staying later and chatting with more people.
5 replies on “March 2008 PHP Meetup”
It was nice to meet you at the SF PHP Meetup – I hope to see you at future events. 🙂
It is interesting to hear PHP developers still struggle with the same problems they have been struggling with for so many years now. Nothing has changed. Sucky.
It was great meeting you @ the meetup. 🙂
Between Wil and Terry, that’s exactly what they explained. Perhaps they weren’t as thorough or succinct as you were, Matt. Thanks for responding, and good work on Zend_Form. “Super Robust” is exactly what I’d look for in this type of code.
Not sure how Wil and Brad answered the questions of filtering, but being the lead developer of Zend_Form, I can answer them.
Zend_Form does no escaping on its own (though if you have a filter chain in place, the values will be passed through the filter chain when you retrieve them; the filter chain is primarily for use with validation chains however). That said, the standard decorators all utilize Zend_View helpers, which *do* perform escaping that will prevent XSS and other related UI-level attacks. To prevent SQL injection, the proper methodology in Zend Framework is using Zend_Db — which, if you utilize Zend_Db_Table or the standard query preparation (which are the documented ways to use Zend_Db), your values will be escaped properly to prevent SQL injection (typically through the use of prepared statements at the DB level).