Simon Willison’s Weblog

80 items tagged “php”

2008

csrf_protect.php. A PHP class for applying CSRF protection to existing PHP applications, using output buffering to rewrite any POST forms on a page. Heavily inspired by Django’s CSRF middleware. Tell me if you spot any bugs! # 24th September 2008, 2:52 pm

End of Life for PHP 4. Apparently 8/8/8 marks the end of the line for PHP 4—no new releases, no support, not even security patches. # 8th August 2008, 11:32 pm

Facelift Image Replacement. Like sIFR but with JavaScript and a PHP text rendering component. I question the need for the JavaScript if you’re already generating the images on the server, but the actual generation script is nicely done—it makes smart use of ImageMagick and caches the generated images. # 5th August 2008, 6:36 pm

php: rfc: closures (via) I never thought I’d see the day, but a patch adding closures to PHP has been both proposed and accepted! Looks like a solid implementation—the syntax is similar to JavaScript but makes explicit which variables are to be captured. As with much of PHP, values are copied into the closure by default but you can use an ampersand to specify JavaScript-style pass-by-reference instead. # 19th July 2008, 10:58 pm

Spicing Up Embedded JavaScript. John Resig collects the various ways in which a JavaScript interpreter can be hosted by Python, PHP, Perl, Ruby and Java. There are full JS implementations in PHP, Perl and Java; Ruby and Python both have modules that use an embedded SpiderMonkey. # 15th June 2008, 11:32 am

Facebook Open Platform. Facebook have open-sourced (under a modified MPL, does it still fit the OSI definition?) the code for the Facebook Platform, including their implementations of FBML, FQL and FBJS. This is no small release; the tarball weighs in at 40MB and includes libfbml, which depends on Firefox 2.0.0.4 for its HTML parser! # 3rd June 2008, 12:21 am

On-board vs. Off-board Comet. Useful distinction. On-board comet runs on the same server as the rest of your application; Off-board comet is served from a separate server (generally a subdomain) and a separate stack. If you want to stick with PHP, Rails or Django for the rest of your site off-board comet looks like the way to go. # 22nd May 2008, 5:02 pm

Windows Live ID Delegated Authentication. Would make life a lot simpler if they just supported OAuth, but at least they include sample code in Python, Ruby and PHP. # 8th March 2008, 3:19 pm

Symfonians (via) Similar concept to Django People but for Symfony developers—coincidentally launched within the past week as well. # 25th January 2008, 4:15 pm

2007

Hacky holidays on OS X. Jeremy Keith documents how to get PHP 5 and Apache 2 virtual hosts running on Leopard. # 29th December 2007, 11:49 am

The backdooring of SquirrelMail. A SquirrelMail developer’s account was compromised and used to insert a backdoor: the other developers initially missed the hole because it used $_SERVER['HTTP_BASE_PATH'], which can be set with a Base-Path: HTTP header. # 28th December 2007, 11:40 pm

The Web Application Scale of Stupidity goes from OGF (One Giant Function) to OOP (Object Oriented Programming), like this: OGF ——– sanity ——— OOP

Cal Henderson (paraphrased) # 2nd November 2007, 6:23 am

Cruciforum (via) Stuart’s new PHP forum—single script, stores threads as static HTML on the filesystem (no database), installation is a one-step process. # 16th October 2007, 9:08 am

Getting from point A to B (the right way)

If your laptop is relatively recent it might have hardware support for virtualization (Intel Core Duo chips do, for example). If so, it’s worth looking into using VMware or Parallels to run a virtual Linux server locally on your machine. You’ll need a fair amount of RAM for this as well—2 GB minimum probably.

[... 194 words]

Becoming PHP 6 Compatible. According to this article, I’ve been writing PHP 6 compatible code since about 2002. # 24th September 2007, 12:13 pm

7 reasons I switched back to PHP after 2 years on Rails. After two years working on a Rails rewrite of CD Baby, Derek Sivers scrapped it and instead rewrote the PHP version using Rails-inspired design principles. Derek would still use Rails for a greenfield project though. # 23rd September 2007, 8:49 am

J4P5: Javascript For PHP 5 (via) “J4P5 is a JavaScript interpreter written in PHP 5, that allows to run untrusted scripts in a sandbox on your server. It aims to implement most of Ecma-262 3rd edition.” # 12th July 2007, 10:24 pm

GoPHP5.org. A campaign to encourage a mass switchover from PHP 4 to PHP 5 on February 8th 2008, by co-ordinating both hosting companies and PHP projects. # 8th July 2007, 10:08 am

Index of /drupal/modules/openid. Drupal’s OpenID implementation in CVS. # 26th June 2007, 12:26 am

Drupal 6 and OpenID. “The implementation is all Drupal native code—no third party libraries were used.” # 26th June 2007, 12:26 am

Python 3000 Status Update. Doesn’t look like we’ll get multiline lambdas, but the other stuff looks great. I’m not looking forward to years of Python 2 and Python 3 co-existing and splitting the community though (à la PHP 4 and 5). # 19th June 2007, 1:49 pm

Unsettling. Sounds like there might be a massive scripted hack going on against out of date WordPress installs on Dreamhost. Check your site. See also discussion in the comments attached to this post. # 5th June 2007, 9:16 pm

A brief unofficial history about register_globals in PHP. It’s been more than five years since register_globals was disabled by default in PHP 4.2.0. # 30th April 2007, 8:20 am

phpbb-openid first beta. A fully functional OpenID consumer for phpBB 2.0, implemented as a set of patches. # 29th April 2007, 8:27 pm

Quercus: PHP in Java (via) A “fast, open-source, 100% Java implementation of the PHP language”, built to run on top of Resin. Claims to be compatible with MediaWiki, Drupal, WordPress, Gallery2 and DokuWiki. # 12th April 2007, 4:25 pm

phpsh. An interactive shell for PHP, developed at Facebook and written mostly in Python. Facebook are really pushing their open-source stuff at the moment. # 3rd April 2007, 9:43 am

ANN: PHP OpenID 1.2.2 released. Includes a fix to a bug that was causing some consumers to be incompatible with the WordPress.com OpenID provider. If you’re using this in a PHP OpenID consumer you should upgrade now. # 23rd March 2007, 8:33 pm

OmniTI_OpenID. OmniTI’s PHP OpenID 1.1 consumer library. Much less full featured than the JanRain library, but it’s good to have more than one. # 18th March 2007, 1:15 am

PHP 4 phpinfo() XSS Vulnerability. Another reason not to run an open phpinfo() page on your server. # 4th March 2007, 9:24 pm

PHP and “OpenID authentication failed: Bad signature”. If you’re seeing a “Bad signature” error in your PHP OpenID application it could be down to a miscompiled GMP library. # 15th February 2007, 10:02 am