Showing entries 42576 to 42585 of 44060
Essential PHP Security: Forms and URLs

The sample chapter of Essential PHP Security for MySQL's Developer Zone is now available:

This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with data from forms and URLs. You will learn about attacks such as cross-site scripting (XSS) and cross-site request forgeries (CSRF), as well as how to spoof forms and raw HTTP requests manually. By the end of the chapter, you will not only see examples of these attacks, but also what practices you can employ to help …

[Read more]
Read the ******* Manual

First let me say I'm not a prude, but neither do I have a mouth like a toilet. But I do find the acronym RTFM incredibly offensive. It may be that some people using it don't actually know what it means, and it can be said the F stands for something other than the obvious, but either way I don't like it. I've nothing against acronyms, but what I don't like about this one is the idea that you're swearing at somebody you don't even know, who in their ignorance for one reason or another didn't read a manual. Would you, for example, say to somebody who asks you the time "Buy a ******* watch"? The other problem is that often people don't actually tell you which manual it is you're supposed to go and ******* read.

Anyway, the point of this little rant was to tell you to go and read a manual. Well, not just any manual, but the MySQL Reference Manual. From time to time I'll have a browse to see what's in there, and from time to time I pick up some great tips. For …

[Read more]
A Warning about warnings.

Somebody recently asked a question about warnings in the MySQL Stored Procedure forum. The question itself was pretty easy, but it raised another issue.

The question was "How can I see warnings when MySQL reports them?" The easy answer is to simply type "SHOW WARNINGS;" on the MySQL command line. However, the show warnings command only shows the last error message; that's fine if you actually type "SHOW WARNINGS;" immediately after the statement that had the problem, but if you make a mistake or wait for something else to go wrong, then the warning message is removed and replaced by something else.

The answer, of course, is not to make a mistake, but for people like me who come from a different background, in my case Oracle, the commands are different. I'm forever typing "SHO WARNINGS;" or "SHOW ERROR;", both of which result in another error, and hence I lose the original message.

But here's a tip I used when …

[Read more]
Upcoming MySQL Users Conference Presentation

I've been accepted to present at the MySQL Users Conference 2006, held in Santa Clara, California next year. My paper will be particularly targeting Oracle developers, and will be combined with another presentation targeting Oracle DBAs.

I'll also be developing demonstrations with the upcoming MySQL Sakila test database by Mike Hillyer from MySQL AB.

Qcodo - PHP Development Framework - Rails for PHP?

So, Qcodo. I've seen a tiny bit of "wow" and a lot of "hadn't heard of that". It's clearly not on the buzz radar... maybe because it's for PHP 5 only, and many people haven't yet taken the step to run it (please do, it's good stuff!)

Anyway, what I've been told about Qcodo is that it's like Rails for PHP: very rapid web development, with the MySQL schema, app and queries automatically built from the data model you design (which is where development starts). That's definitely the right order of development! ;-)

I'd say, take a look over the holidays, write/blog/scream about it... could be very very cool stuff. Perhaps drop me a comment or msg to tell me about your experience. I'm just curious.

MySQL 2006 Users Conference -- Registration Now Open

The virtual doors have just opened -- sign up before early registration ends on March 6 and save up to $200.

The 2006 MySQL Users Conference is April 24-27, 2006 in Santa Clara, California.

Lots of detail there and via Planet MySQL.

You get out what you put in.

I spend a fair amount of time on the MySQL forums and also over on the Quest Pipelines answering questions. I've mentioned on a few occasions how I think this benefits me as much as the person asking the questions, but one thing I've noticed a lot recently is the number of, for want of a better word, bad questions.

In reality there are no bad or wrong questions; we all have to start somewhere. But what appears to be a problem is people putting in only the minimum of effort when asking, which often results in an equal amount of effort when people answer. Despite the rewarding nature of answering, a person is far more likely to help if they can answer the question easily, or at least are given enough information to be able to answer fully. One of the problems with forums is that they don't lend themselves to a conversational style, especially given the international nature of the web; I'm often dealing with questions from people …

[Read more]
Google's XSS Vulnerability

Related: Google XSS Example

I'm sure this will be getting some attention, because everything Google does gets attention. :-)

The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() with the optional third argument that indicates the character encoding:

<?php

$html = array();

// $clean['username'] holds the already-validated input; the escaping
// step below names the output encoding explicitly so the browser and
// htmlentities() agree on what a character is.
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

echo "Welcome back, {$html['username']}.";

?>

The example uses UTF-8, so this should be indicated in the Content-Type header:

Content-Type: text/html; charset=UTF-8

Researchers at …

[Read more]