Think $ in regex means end of string? Wrong – it also matches a
trailing newline, and this misunderstanding can easily create a security hole.
Use \z or the D modifier to save yourself.
Loading a megabyte-sized framework for a two-page website is madness. But I'm a lazy programmer who wants Tracy, Latte, and routing even on a tiny site with a single index.php. Nette as a micro framework solves that – and then I realize I'm actually using 90% of the framework anyway.
Swapping “gifts” and “sifts” sounds trivial — until str_replace shows you exactly why it doesn't work. A guide to the treacherous pitfalls of string replacement in PHP: collisions during multiple replacements, the savior called strtr, and the escaping trap in preg_replace that every decent programmer falls into at least once.
DI solves problems and introduces new ones. If the original ones don't bother you, you have a problem you don't know about yet. A little zen koan about object-oriented design – enlightenment will come when it comes.
Developers whining about changing requirements are crying over their own incompetence. A client who changes requirements is a client who thinks — and most importantly, one who'll come back with more work. The problem isn't on their side, it's on yours.
Six rules for designing namespaces so you don't end up with a 97-character class
name like Zend. Because renaming sfForm to
Symfony\Component\Form\Form isn't automatically progress –
sometimes it's just a longer path to the same destination.
Trailing slash, capital letters, www, or query parameter order – small details that users overlook, but search engines can go crazy over. Bing can't tell an acid from a database transaction, and most search engines can't index similar URLs as different pages. A practical breakdown of where SEO traps lurk and how to avoid them.
PCRE functions in PHP silently swallow errors, return inconsistent values, and preg_last_error lies when you need it the most. I break down all the pitfalls of both compilation and execution and show how to get out of it — ideally through exceptions and without losing your sanity.
XSS is everywhere, most experts flounder when it comes to escaping, and the most critical security point is handled by a coder without the necessary expertise. The solution? Latte templates in Nette Framework escape automatically and context-aware – a killer feature that no competing PHP framework has to this day.
Half of all websites are full of holes because of something that is fundamentally a trivial character substitution. I've written the definitive overview of escaping for all contexts – HTML, SQL, JavaScript, CSS, URL – because the confusion around this simple thing is an immortal evergreen.
That's all. More articles are on the way.