Wherein I recap the things I’ve done and learned this year as a software developer (mainly at work). I’ve fixed many bugs and uttered many curses. Through it all I’ve constantly strived to make the code a better place.
Amazon Web Services
Video-encoding instances Launch/Start when there's a backlog, and Stop/Terminate when there's not. Said goodbye to Amazon SQS for job queues, and hello to Redis: hello consistency and speed.
In the PHP world, solely relying upon PHP’s strip_tags() function to protect your web application from JavaScript injections is a bad idea. If you do, you may be vulnerable in even the most recent browsers (I tested in Chrome 17.0.963.83, Firefox 9.0.1 and Internet Explorer 9). There may be parallels in other languages too, so beware.
You’ll be vulnerable if the following are true:
1. You've got a webapp that accepts user input
2. You use strip_tags() or similar to sanitize fields
3. You don't explicitly remove less-than or greater-than characters from those fields (PHP's strip_tags won't remove a partial "<script" tag)
4. Values from two or more of these fields are printed close to each other in the output HTML, with little or no markup between them

The fourth item is tricky … The markup between the field values must not contain any quotes (the quotes would prematurely close the script tag injection attempt).
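The fix that removes item 4 from the equation is to stop treating strip_tags() as output protection and encode every field for the HTML context at the point where it is printed. The snippet below is an added example, not code from the original post; the field names, the renderProfile() and containsRawAngleBrackets() helpers and the sample inputs are my own constructions.

```php
<?php
// Added example: render two user-supplied fields side by side without
// letting fragments from different fields combine into one tag.
// strip_tags() is a clean-up tool, not an output-encoding function, so
// each value is encoded for the HTML context at output time instead.

/** Encode a string for insertion into an HTML text node or attribute. */
function h(string $s): string
{
    // ENT_QUOTES also encodes single quotes (so a value cannot close a
    // quoted attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // silently returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Print a "name / bio" pair with only a space between the values, the
 * layout described above (item 4). Because each value is encoded, a
 * '<' or '>' from user input can never reach the page as markup.
 */
function renderProfile(string $name, string $bio): string
{
    return '<p>' . h($name) . ' ' . h($bio) . '</p>';
}

/** True if the text between the wrapper <p> tags still holds raw '<' or '>'. */
function containsRawAngleBrackets(string $html): bool
{
    $inner = substr($html, strlen('<p>'), -strlen('</p>'));
    return strpos($inner, '<') !== false || strpos($inner, '>') !== false;
}

// Constructed inputs (hypothetical): field 1 ends in a partial tag,
// field 2 begins with the character that would complete it.
$name = 'Alice <script';
$bio  = '>/* any script */</script>';

$safe = renderProfile($name, $bio);

echo $safe, PHP_EOL;
// <p>Alice &lt;script &gt;/* any script */&lt;/script&gt;</p>
var_dump(containsRawAngleBrackets($safe)); // bool(false)
```

If strip_tags() must stay for other reasons, keep it as input clean-up only and still pass the stored value through h() on output; the two steps address different problems.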