oEmbed is an open standard that lets you pass a URL to an oEmbed provider and get back information about that resource.
For example, pass a Hulu URL to Hulu’s oEmbed service: http://www.hulu.com/api/oembed.xml?url=http%3A//www.hulu.com/watch/20807/late-night-with-conan-obrien-wed-may-21-2008 and you’ll get back a JSON object with details of the video (thumbnail size and URL, etc.) and, on some oEmbed services, the HTML needed to embed the video.
For more information, check out this page: http://www.oembed.com/
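As an added example (not code from the original post), here is the request/response half of that exchange in PHP: build the provider request for the Hulu endpoint quoted above, then pull the standard fields out of a response. The response is a constructed sample in the oEmbed JSON shape rather than a real provider reply, and a JSON-returning endpoint is assumed; a real call would fetch $requestUrl with cURL or file_get_contents().

```php
<?php
// Added example, not from the original post. Builds an oEmbed request URL and
// extracts the useful fields from a response. The $sampleResponse below is a
// constructed sample in oEmbed's JSON shape, not a real provider reply.

// The resource URL goes in the "url" query parameter and must be URL-encoded;
// http_build_query() takes care of the encoding.
function buildOembedRequest(string $endpoint, string $resourceUrl): string
{
    return $endpoint . '?' . http_build_query(['url' => $resourceUrl]);
}

// Pull out the fields a page would typically use. The keys are the ones the
// oEmbed spec defines (type, title, thumbnail_url, thumbnail_width, html, ...).
function summarizeOembed(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return [
        'type'      => $data['type'] ?? null,
        'title'     => $data['title'] ?? null,
        'thumbnail' => [
            'url'    => $data['thumbnail_url'] ?? null,
            'width'  => $data['thumbnail_width'] ?? null,
            'height' => $data['thumbnail_height'] ?? null,
        ],
        // "html" is markup written by a third party that you will be inserting
        // into your own page, so treat it like any other external content.
        'html'      => $data['html'] ?? null,
    ];
}

$requestUrl = buildOembedRequest(
    'http://www.hulu.com/api/oembed.xml',
    'http://www.hulu.com/watch/20807/late-night-with-conan-obrien-wed-may-21-2008'
);
echo $requestUrl, "\n";

// Constructed sample response (not a real provider reply).
$sampleResponse = <<<'JSON'
{
  "type": "video",
  "version": "1.0",
  "title": "Sample video title",
  "provider_name": "Example Provider",
  "thumbnail_url": "http://example.invalid/thumb.jpg",
  "thumbnail_width": 200,
  "thumbnail_height": 112,
  "html": "<iframe src=\"http://example.invalid/embed/123\" width=\"512\" height=\"288\"></iframe>",
  "width": 512,
  "height": 288
}
JSON;

print_r(summarizeOembed($sampleResponse));
```

The thumbnail fields can be used directly in your own markup; the html field is the one to think about, because it is a block of HTML from another site that ends up rendered in yours, so only accept it from providers you chose to trust.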
At work Shawn Lonas sent this out to all of us, it’s a really good concise overview of some html5 features.
http://apirocks.com/html5/html5.html
WAMP gives you everything you need to serve websites (with PHP and MySQL) from your desktop while developing. Just download it, install it, and run it. Once it is running, click on the system tray icon and select “Start All Services”. If something isn’t working, stop Skype first and then start the services. Also note that Windows is not case sensitive with respect to file names and Linux is, so if your script works fine on your desktop but your host says a file is missing, check the case. Make sure it is exactly the same (making extensive use of copy and paste eliminates this as a source of trouble).
SQL injection is bad… There are a number of causes, but put most simply, it is what happens when you don’t use SQL properly. How do you prevent it? There are several approaches. The absolute easiest is to configure your database to never allow more than one query per call. Most hosting providers do this already. The other is to use an ORM and never, ever compose SQL queries from user input without using bind parameters… (While using an ORM isn’t required to prevent SQL injection, using one makes the whole world go round better, so just bite the learning-curve bullet and use one. Your productivity will go up at least 100%.)
xkcd has a wonderful comic that illustrates how SQL injection takes place: http://xkcd.com/327/
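To make the bind-parameter advice concrete, here is an added PHP example (not code from the original post) with a login check written both ways. It assumes PDO with the pdo_sqlite extension (bundled with WAMP’s PHP) so it runs against an in-memory database with no server; the users table, its rows and the inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Uses PDO + in-memory SQLite
// (assumes pdo_sqlite). Table, rows and inputs are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// VULNERABLE: the statement is composed by string interpolation, so whatever
// the user types becomes part of the SQL text the database parses.
function loginVulnerable(PDO $db, string $name, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND password = '$password'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// SAFE: the SQL text is fixed at prepare time; user input travels as bound
// parameters and is only ever treated as data, never as SQL.
function loginSafe(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return (int) $stmt->fetchColumn() > 0;
}

// A correct login succeeds with either function.
var_dump(loginVulnerable($db, 'alice', 's3cret'));
var_dump(loginSafe($db, 'alice', 's3cret'));

// Constructed malicious input: the quote closes the string literal and "--"
// turns the rest of the line, including the password check, into a comment.
// Note that this is still a single SELECT statement.
$evilName = "alice' -- ";
var_dump(loginVulnerable($db, $evilName, 'wrong')); // vulnerable version: the password check is gone
var_dump(loginSafe($db, $evilName, 'wrong'));       // bound version: the quote is just part of the name
```

The second malicious call is worth noticing in relation to the “one query per call” setting: that setting stops stacked statements, but the injected comment here lives inside a single statement, so only the bound parameters actually stop it. Whether you write the prepared statement by hand as above or let an ORM generate it, the rule is the same: user input goes in through parameters, never into the SQL string.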
XSS means “Cross Site Scripting”. XSS attacks happen whenever a user of a website posts malicious content that gets executed by other users as JavaScript. Pretty simple, huh? How do you avoid it? It is a piece of cake. HTML-entity-encode ALL user-generated content before presenting it to a user. It’s that simple. How do I do that, you ask? Keep reading.
First, an example. You run a simple blog. When a user posts a comment, you store the user’s nickname and display it next to their comment… A malicious user enters the following for his nickname: <script src="http://lolcatz/hack.js"></script>. Now, obviously that isn’t his nickname. Instead, it is an HTML tag that tells a web browser to load and run the script at http://lolcatz.com/hacks/getacheezeburger.js. What does this script do? This script can do anything on your site that a logged-in user can do. So Bob creates the malicious comment, and then Jimmy comes by your site, views your article, and his browser gets Bob’s malicious script tag. Now, the script can do anything it wants on your site while pretending to be Jimmy, not Bob.
In PHP, just wrap the variable you are printing with echo in htmlentities(): echo htmlentities($nickname); This converts < to &lt; and " to &quot;. This defangs the malicious content: instead of your user’s browser seeing a script tag, it just sees HTML that, when rendered, appears to the user as a script tag but doesn’t do anything. You need to do this each and EVERY time you print user-generated content. The other option is to find some script that will parse through any user-generated content and strip out any script tags, but I prefer just HTML-encoding everything.
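Here is the blog-comment scenario from above as an added PHP example (not code from the original post): the same constructed list of comments rendered once without encoding and once through htmlentities(). The comment data, including the malicious nickname, is constructed for the demonstration, and the page is assumed to be served as UTF-8.

```php
<?php
// Added example, not from the original post. Renders constructed comments
// both unescaped and through htmlentities() so the difference is visible.

// Constructed sample comments; the second nickname is the attack from the text.
$comments = [
    ['nickname' => 'jimmy', 'body' => 'Nice article!'],
    ['nickname' => '<script src="http://lolcatz/hack.js"></script>', 'body' => 'lol'],
    ['nickname' => 'Bob "the" <b>Builder</b>', 'body' => "Can we fix it? It's a question."],
];

// Encode for an HTML context. ENT_QUOTES also encodes single quotes, so the
// result is safe inside single-quoted attributes too; the charset argument
// must match the encoding the page is actually served with (assumed UTF-8).
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: user text is dropped into the page as-is, so the browser parses
// Bob's <script> tag and runs it in Jimmy's session when Jimmy views the page.
function renderVulnerable(array $comments): string
{
    $out = '';
    foreach ($comments as $c) {
        $out .= "<p><b>{$c['nickname']}</b>: {$c['body']}</p>\n";
    }
    return $out;
}

// SAFE: every piece of user-controlled text goes through h() at output time.
// The script tag is still stored, but it reaches the browser as &lt;script&gt;
// and is shown as text instead of being executed.
function renderSafe(array $comments): string
{
    $out = '';
    foreach ($comments as $c) {
        $out .= '<p><b>' . h($c['nickname']) . '</b>: ' . h($c['body']) . "</p>\n";
    }
    return $out;
}

echo "--- unencoded (do not ship this) ---\n";
echo renderVulnerable($comments);
echo "--- encoded with htmlentities() ---\n";
echo renderSafe($comments);
```

Two things the example makes visible: encoding happens when you print, not when you store (the database keeps the nickname exactly as entered, which is fine), and the third comment shows that encoding is not only about <script>: the stray <b> and quotes are neutralised the same way, which is why encoding everything on output is simpler to get right than hunting for script tags.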
Remember the good old days of the internet? HTML had just hit 2.0, making a site cross-browser compatible meant putting comment tags around JavaScript code… XSS didn’t exist. Perl was your only CGI option. There was a wonderful site back then called htmlgoodies.com. Articles were written to be humorous yet informative. And every article started with “So, you want (insert HTML / JavaScript thing here), huh?” Then something happened. Someone bought htmlgoodies.com (either that or the author got hi) and the quality went down the tubes. The site got ugly. I mean UGLY. Well, a lot has happened since then. The technologies evolved rapidly. So much so that today, to leverage the web, it isn’t so much about knowing the ins and outs of each technology, but rather about knowing patterns and the available building blocks that you can plug in where you want to achieve your goals. This site is dedicated to showing you some of these building blocks and how to use them.