Using PHP_SELF Safely and submitting forms to the same page

I’ve lost count of the number of times i’ve seen this bit of HTML / PHP:

">

Looks pretty harmless doesn’t it, but it is a pretty dangerous shortcut to use. Imagin I get a user to visit the page the form is on by following this link, maybe hiding it in a short url:

http://example.com/formpage.php?">

where I’ve added some html into the url which contains a script tag.

I could use this method to grab all your cookies and log in as you, or send ajax requests back to the site on your behalf. All very frightening. The quick solution is to turn html characters into their harmless entities using the php function htmlspecialchars. So the code would be

But wait! The best way to submit to the same page with a form is to use and empty action attribute. It’s valid and it works.

Don’t believe me? Go tell Jesse. He also wrote about empty action attributes.

[carousel keywords=”php” tag=”fetchit-21″]

Backup Postbox email profile

To backup your Postbox email profile browse to

Mac:
/Users/[username]/Library/Application Support/Postbox/Profiles

Vista:
Users\[username]\AppData\Roaming\Postbox

XP:
Documents and Settings\[username]\Application Data\Postbox

And copy the folders named xxxxxx.default to your backup location.
If you have created a new profile then your folder may also be called xxxxx.yourprofilename.

If you just want to backup your email and not your preferences or settings then go into your profile folders and backup the Imap, Mail and sometimes Local Mail folders.

Postbox reply header text

You can easily change ‘Harry wrote:’ to ‘On 25/09/09 15:34 Harry Bailey replied with:’ by following these simple steps.

Close Postbox. That’s right, shut it down before you carry on.

Backup and then open your prefs.js profile file which can be found here:

Mac OS X: ~/Library/Application Support/Postbox
Vista: Users\username\AppData\Roaming\Postbox
WinXP: Documents and Settings\username\Application Data\Postbox

You backed it up? No? Do it now and then carry on.

Now search for the string ‘mailnews.reply_header_type’. Found it? Edit it to the following. Not found it? Add the following…

// Change the reply header
// 0 - No Reply-Text
// 1 - "[Author] wrote:"
// 2 - "On [date] [author] wrote:"
// 3 - User-defined reply header. Use the prefs below in conjunction with this:
user_pref("mailnews.reply_header_type", 3);

// If you set 3 for the pref above then you may set the following prefs.
user_pref("mailnews.reply_header_authorwrote", "%s replied with");
user_pref("mailnews.reply_header_ondate", "On %s");
user_pref("mailnews.reply_header_separator", " ");
user_pref("mailnews.reply_header_colon", ":"); 
// The end result will be [authorwrote][separator][ondate][colon]

Now you can go crazy with funny reply header text whenever you feel the need.

[carousel keywords=”mac tips” tag=”fetchit-21″]

OS X Hotkeys

Increased productivity comes in many flavours, but a favourite of mine is learning new hotkeys which save me time. There is also nothing quite like the reaction you get from a person who has been doing something the hard way and you show them a hotkey to jump right to it.

Continue reading →

Playing Your Spotify Top list

When you first open Spotify you are offered two tabs ‘What’s new’ and ‘Top lists’. If you select ‘Top lists’ you are then shown two columns which contain a list of the top rated artists, albums and tracks for everywhere, your country or just you.

So you can select to see what tracks, albums or artist you listen to most, or see what are the most popular with others.

As far as the tracks list goes, you can also play it. Choose ‘Tracks’ from the drop down menu on the left, and choose ‘everywhere’ from the drop down menu on the right. You now have a list of Spotify’s top tracks for the whole world. There is no simple ‘play’ button, but these steps aren’t too taxing…

Continue reading →