It’s true, I’m jumping on board the “escape input, filter output” bandwagon. This mantra, coined by Chris Shiflett of Brainbulb, and made oh-so-popular by my pal Ben Ramsey.

Here’s how I do it in my most recent PHP project, using PHP’s PEAR DB library (because it was MySQL, and now it’s postgreSQL):

For escaping:

PEAR DB’s escapeSimple will perform the equivalent of mysql_real_escape_string() or whatever db implementation you’ve got. Also, the prepare statement is pretty robust, ensuring that whatever gets plopped in is a value, and not just inserted into the statement using PHP’s “.” concatentation.

For filtering:

Which whips out, among a few other things (on arrays and single pieces of data):

I’m also using Smarty Template Engine for every piece of displayed code, which serves as a great variable modifier and “filterer” of bad-ness. Also, I’ve got my templates locked away from the html doc root, and apache/nobody/httpd does not own them.

Locked down? Somewhat. She’s getting there.

From the php mailing list (ala Ben Ramsey):

Atlanta PHP September Meeting
Thursday, September 1, 2005, 7pm
New Horizons, Tucker, GA

The September meeting of Atlanta PHP will be a free-form Q & A session. If you’re new to PHP and LAMP, come with your questions. If you’ve been programming in PHP or related technologies for years, come to offer your knowledge and answer a few questions. All are guaranteed to learn something and benefit from the discussion.

Towards the end of the meeting, we’ll take a few minutes to cover some business and ask for future topic ideas and presentation volunteers. If there’s a topic you want to know more about, please speak up and we’ll see what we can put together.

Afterwards, we’ll go to the Mellow Mushroom for some drinks and food.

Come expecting great networking opportunities and chances to learn what other PHP developers are doing in the Atlanta area!

For details and directions, go here: http://www.atlphp.org/node/79

Those who know me well, may have had to put up with my non-specific rambling about what it is that I do for a living. Many of you have probably heard me describe in a non-articulating kind of way, something about a top-secret super-stealth-mode startup project, and I do apologize for being so general. Very soon we’ll be unveiling the elusive “beta.” So fear not, as we will launch our little baby out into the open, allowing for some hard-core beta testing from our core group of users — p.s. that’s you, if you’re reading this blog.

It’s been a crazy, hectic few months (actually, a year in total if you’ll count the formulating, thinking, tinkering, and taking-the-plunge) trying to gear this puppy up and get her ready for not only beta, but the long road ahead. Our goal is very noble, and if I must say, quite revolutionary.

In the mean-time, I will give you a little bit of a teaser, because it does relate to our concept–our model–if you will….
(more…)

I’m trying to perform validation on serial #s on a PocketPC PDA/phone device — the Siemens SX66, also branded under SprintPCS and Verizon as a different device, but still the same puppy.

The file is huge. 14,000 serial #s, thus a very large XML. I hate XML files that are that long — just think of the wasted space in those tags — the cost to pay for meta-data.

The xml file looks like:

The code looks like:

Oh, but man is that slow on the phone with a sufficiently large dataset. The poor little arm processor can’t build that primary key in under 5 minutes. Just sits there, and at the end actually errors out (throwing an exception), but then goes on to let me validate very quickly (the select statements) all the #s I tried.

Anyone know of any quick data structures (hash buckets, etc.) that a dinky little ARM processor might be able to handle?

In the meantime, I may migrate it over to a Web Service, but that’s a lot of overhead for a quick serial # scan from a barcode scanner, then a call to a web-service, even if it’s over the SprintPCS network. Wifi, maybe?

gentoo linux is my new favorite linux distro. What a sweet little system. I’ve used many distros, and often times wondered, just what is this install process doing, or what does this rpm do — it’s nice to finally see a linux distro that doesn’t hide anything!

I just recently setup from scratch a 1U Dell PowerEdge 1550 (see previous post) with Gentoo to serve up a source code repository using subversion (webdav over ssl), and the amazing Edge Software’s Trac System — a soure code manager and project management wiki-style site.

Really makes me want to migrate my little laptop over to Gentoo — but if it works, don’t fix it, right?

My brother Kevin IMed me the other day:

busted: http://www.ganet.org/gbi/sorsch.cgi?id=2250&fullinfo=y

Looks just like me too!

She’s up — on a Dell Poweredge 1550. The only snafu I found was that booting the universal CD with the doscsi option loaded up a bunch of scsi drivers (necessary for accessing the SCSI drive), but when compiling the kernel (with default options), they were not built in, but rather loaded as modules. So when I booted up the newly configured kernel, the modules to load the scsi drive were on the scsi drive! A chicken-and-egg problem, indeed.

So, compiling the Adaptec AIC7xxx drivers into the kernel as well as the MegaRAID (both old and new for safety), she booted up like a champ!

If you’ve stumbled upon this, and having similar problems:

Now, select -> SCSI low-level drivers, and go to town, building them in (*) and not as (M) modules.

use dmesg’s output to help….

I’m running kernel 2.6.12-gentoo-r6 kernel, now. Hope this helps someone!

Thanks Tung (where’s the blog?) for the del.icio.us link to: What Business Can Learn from Open Source.

Excellent article coming out of some talks from OSCON. Wish I was there — I’m so jealous.

From the article:

Anyone who knows me, may know that this is truly something I believe in, and am a product of: my current “employer,” whom I find myself referring to as my “sponsor” more often, has this arrangement with me. I can attest that the “projects” I am involved with for my sponsor have been more wildly successful than we both could have imagined. Why is that? Why did I stay up crazy nights and weekends working on an end-to-end mobile-app running on Windows Mobile Smartphones, using Secure XML Web Services to a custom built app-server? Why am I spending the weekends hacking linux kernels, assembling teams and scoping projects, working, and researching web development? Because I love it and want to work on it!

In all serious-ness, any coder/hacker would love to hear this — and to play devil’s advocate for just one second, there has to be a happy medium where too much freedom (or too much responsibility) can cause these kinds of relationships to fail. I, personally believe that without having experienced a “corporate” job, to have a comparison and see what “billable hours” really means, or a well-rounded education (read: difficult, abstract, how-to-learn versus learn-one-thing-well) this wouldn’t have worked. But it is working!

And if you’ll excuse me, I’ve got to back “work.” I’ve got shareholders and myself to please….

I got an e-mail just a second ago:

This is why I love her!

In other news, Jameson (and Paris) made the news.