<form method="post" action="<?php print $_SERVER['PHP_SELF"]; ?>">

Looks pretty harmless doesn’t it, but it is a pretty dangerous shortcut to use. Imagin I get a user to visit the page the form is on by following this link, maybe hiding it in a short url:

http://example.com/formpage.php?"><script>alert(document.cookie);</script>

where I’ve added some html into the url which contains a script tag.

I could use this method to grab all your cookies and log in as you, or send ajax requests back to the site on your behalf. All very frightening. The quick solution is to turn html characters into their harmless entities using the php function htmlspecialchars. So the code would be

<form method="post" action="<?php print htmlspecialchars($_SERVER['PHP_SELF']); ?>">

But wait! The best way to submit to the same page with a form is to use and empty action attribute. It’s valid and it works.

<form method="post" action="">

Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.

The steps to creating a simple locally run php Coda plugin:

You must have php installed and running locally.
Start the plugin file with theses lines:

#!/usr/bin/php -q
<?php

(no space between < and ?php)

Where /use/bin/php is the path to you local php install

This is an example of replacing a text string with an imaginary tag ‘harry’ around it.

#!/usr/bin/php
<?php
 
/* a coda plugin */
 
$input = "";
 
$fp = fopen("php://stdin", "r");
while ( $line = fgets($fp, 1024) )
{
	$input .= $line;
}
 
fclose($fp);
 
 
// so now we have input text in $input
 
print '<harry>' . $input . '</harry>';
 
?>

For much more information:
http://www.panic.com/coda/developer/howto/plugins.php

Well the wiki article is quite large but misses a few points I thought it worth noting…

1) You need to escape all forward slashes with a backslash

In the regexp / always needs to be submitted as \/

2) The url they match again is the full callback url you submitted for your app not the canvas url

You aren’t matching just the file names, you can match back down the folders.
So if you use a folder called myapp/ for your index page then your url regexp could be ‘myapp\/$’ for the home page
You could then do ‘myapp\/anotherpage\.php$ for a different file and ‘myapp\/folder\/$ for another folder

3) Whatever keys you use in the submitted array are used as the new $_POST var keys

They take your array key ‘user_app_friends’ below and append ‘fb_sig_’ to it. The final key would be ‘fb_sig_user_app_friends’ in this case

4) You can submit multiple matches in one api request

Although the examples only show:

$fetch = array(
	'user_app_friends' => array(
				'pattern' => 'myapp\/$', 
				'query' => 'SELECT uid FROM user WHERE has_added_app=1 and uid IN (SELECT uid2 FROM friend WHERE uid1 = {*user*})')
		);
$facebook->api_client->admin_setAppProperties(array('preload_fql' => json_encode($fetch)));

You could submit:

$fetch = array(
	'user_app_friends' => array(
				'pattern' => 'myapp\/$', 
				'query' => 'SELECT uid FROM user WHERE has_added_app=1 and uid IN (SELECT uid2 FROM friend WHERE uid1 = {*user*})'),
	'user_friends' => array(
				'pattern' => 'myapp\/.+$',
				'query' => 'SELECT uid2 FROM friend WHERE uid1 = {*user*}'
				)
	);
$facebook->api_client->admin_setAppProperties(array('preload_fql' => json_encode($fetch)));

5) The easiest way to get data back from the new $_POST variables in json_decode

Stick the $_POST variable into json_decode(); and then use var_dump to see what you get. It’s usually pretty obvious.

$user_app_friends = json_decode($_POST['fb_sig_user_app_friends']);
var_dump($user_app_friends);

$var = $_COOKIE['cookie.name.with.dots'];

You can set them with dots using Javascript, but when you go to access them, the dots magically become underscores [ _ ]

The reason for all this faffing is that terrible setting called Register Globals, which takes all $_POST, $_GET, $_COOKIE vars and sets them to real variable names. For example…

$_COOKIE['my_name']

Would be accessible with

$my_name

when register globals is turned on. It is a massive security issue and should be turned off at all times.

Register globals means that all cookie, post, get etc variables must meet php variable naming guidelines, which don’t include dots.

So there you go. Turn register globals off and only use underscores to separate words in cookie names.

Until now…

It’s a simple fix. Add ‘ORDER BY’ to your SQL select. It doesn’t matter if you are just getting back items where the order doesn’t matter, use an order by clause in your select and you will always get the number of rows back successfully.

1) Enable virtual hosts by uncommenting the line

Include /private/etc/apache2/extra/httpd-vhosts.conf

in httpd.conf

2) Add the line

NameVirtualHost 127.0.0.1

to httpd.conf. I put it under the line

Listen 80

for now.

then…

3) Add my new hosts to the bottom of the httpd-vhosts.conf file:

<virtualhost mylocalsite.hjb>
	DocumentRoot /Volumes/Drive/Sites/mylocalsite
	ServerName mylocalsite.hjb
	ServerAlias *.mylocalsite.hjb
</virtualhost>

4) Add the sites as new lines to the /private/etc/hosts file as

127.0.0.1 mylocalsite.hjb

You can also do this with subdomains if you like. subdomain.mylocalsite.hjb

The first step for me was to set up a new subdomain in cPanel (a control panel my affordable host includes). This allows me to only send (or pipe) specific email to the script and means I can run a catch-all wildcard forwarder on all emails to that subdomain.

In cPanel I created the subdomain in the normal way. Then I navigated to ‘Email Management Tools -> Default E-mail account’, chose the new subdomain from the dropdown list, clicked ‘Advanced Options’ and selected the radio button for ‘Pipe to a Program’.
In the textbox I added the name of the file that would be used to process the emails. In my case catcher.php which I had already created in the root of my site (not in public_html).

Cpanel is clever enough to add your sites root folder to the name you specify, so will be altered to something like ‘/home/youraccount/catcher.php’

The next step was to prepare catcher.php to deal with the emails being piped to it. Open the file and change the contents to something along the lines of:

#!/usr/bin/php -q
<?php
 
// read from stdin
$fd = fopen("php://stdin", "r");
$email = "";
while (!feof($fd))
{
	$email .= fread($fd, 1024);
}
fclose($fd);
 
 
mail('you@yoursite.com','From my email pipe!','"' . $email . '"');
 
?>

The first line of the script is very important and will tell the email pipe to use php. If your php install is not found at the location show, change it so it is. The -q part tells the pipe not to bounce an email back to the sender. A good thing as we can do that manually in the script.

Make sure you change the permissions of the script to be executable by the email pipe. chmod 755 should do fine.

The script itself will grab the emails contents using fopen on php://stdin which is where the email is temporarily stored. You can then manipulate it using such functions as preg_match to grab the parts you want.

The beauty of this method is it will catch all email to that subdomain, so you can create addresses which include the users id and a hash which can be temporary:

1294710241-w98fqwfhi3ho2ih3f@emailin.mysite.com

which you can use to ensure you only act on emails from the intended user.

Note: If you are using -q but still getting bounces, be sure the script is not outputting any data. That means once you have tested it, no print, no echo, no var_dump. When you run the script directly you should see a blank screen and the source code should be empty.

After sanity checking everything I realised it’s because I was doing some string replacement on the file after calculating the filesize.

Sending the wrong filesize / string length when you spit a file results in either the browser waiting for content that will never load or cutting the content short.

If you tweak a file before splitting it, be sure to use strlen on your file just before you print to browser.

Another one of those lessons learned

• Only runs if magic quotes are turned on
• Much faster than anything I have used before
• Clean and tidy

	if (get_magic_quotes_gpc())
	{
		$in = array(&$_GET, &$_POST, &$_COOKIE);
		while (list($k,$v) = each($in))
		{
			foreach ($v as $key => $val)
			{
				if (!is_array($val))
				{
					$in[$k][$key] = stripslashes($val);
					continue;
				}
				$in[] =& $in[$k][$key];
			}
		}
		unset($in);
	}

hosts

The hosts file is used to point domains at an i.p although in most cases it will just be a list of 127.0.0.1 and a domain name such as mysite.local or mysite.hjb in my case.
For < 10.5 you used to use netinfo manager to add extra domains and didn't really use the host file, although in 10.5 (and probably later) you do use the host file.

locations:

/private/etc/

httpd.conf

The main apache config file. This is where all the setting for apache are stored. After making changed you need to restart web sharing in system preferences sharing for them to have an effect.

locations:

/private/etc/httpd/

php.ini

The main php config file. This is where all the setting for php are stored. After making changed you need to restart web sharing in system preferences sharing for them to have an effect.

locations:

/usr/local/php[4|5]/lib/

Sites folder

This is where your actual site files are stored and depends on if you are using the default osx install or a 3rd party install. I strongly suggest Marc Liyanage’s help here as it deals with plenty of plugins too including the always useful gd2 image library.

locations:

/Users/[username]/Sites/
/Library/Webserver/Documents/