On PHPMaster.com today there's a new tutorial for the Twig templating users out there showing you how to extend your templates via inheritance, filters and functions - all abilities already built in to the tool.

When working within an MVC architecture, it's common to use a template library to populate the dynamic content of our views. There are dozens of such libraries available for PHP, but Twig is one of the standouts because of the ability to extend core features with custom implementations. In this article we'll explore how Twig templates can be extended using template inheritance, filters, and functions.

He starts first with some of the common limitations of templating frameworks (extension) and how Twig gets around this. He shows the use of the "extends" keyword and the "block"/"endblock" for splitting up the page into reusable chunks. He also shows how to use filters and functions in your Twig tags, allowing for more customized content and functionality for your output.

Ulrich Kautz has recently taken a look at validation and sanitization of data in PHP applications. He talks about several different methods - both in core PHP and in various frameworks.

Validation and sanitization are extremely important topics, any developer should be aware of. Especially with powerful, modern frameworks, people seem to forget about the underlying concepts and wrongly assume it's already solved somehow. Correctly used and early on integrated, both play the central role in defending against attacks on your application.

He talks a bit about why you should care about the topic, some of the common issues/threats that could come up because of it and some general information on what validation and sanitization are. He looks at implementation with the filter extension and touches on functionality from Symfony 2, Laravel 3, CakePHP 2 and shares his own data filtering module with examples of its use.

On the MaltBlue blog Matt Setter has a new post introducing you to using FilterIterators for data traversal:

There's load of ways to traverse data, especially in PHP where there are a variety of loops available; including while, do while, for and foreach. These are fine for normal structures, such as scalar and associative arrays. But what if you want to get a bit more fancy?

He includes a bit of code showing the typical looping approach that a lot of developers take and how, using a FilterIterator, you can extend the default and make a custom "accept" method to remove certain matching items from the data set.

David Müller has a new post to his site today showing why validating URLs with filter_var is a good thing for the security of your application.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to filter out a simple XSS issue (a "script" tag in the URL) and some examples of issues that the filter_var function doesn't prevent - like injection of other schemes (like "php://" or "javascript://"). He recommends adding a wrapper around the method to check for the correct scheme (ex. "http" or "https" for URLs) and reminds you that filter_var is not multibyte capable.

NetTuts.com has posted the latest in their series about the Laravel framework with this new post, a look at creating filters, validators and working with files.

In this Nettuts+ mini-series, we'll build a web application from scratch, while diving into a great new PHP framework that's rapidly picking up steam, called Laravel. In this lesson, we'll be learning about some very useful Laravel features: filters, and both the validation and files libraries.

They continue improving their sample application ("Instapics") and show you how to:

• Create a filter to run before or after the request is handled
• Apply a set of validation rules to a given dataset
• Handle custom error messaging
• Work with local files and uploads

They then take all of this and apply it to their application, creating an "auth" filter and login form, creating a form and doing some validation on its results and letting the user upload an image file.

Thomas Weinert has a new post to his site showing some of the things that iterators can do for you (including working with arrays and aggregation).

Basically Iterators provide a list interface for an object. Like all interfaces they are a contract how something can be used. If you use an interface it is not relevant how it is implemented - the implementation logic is encapsulated. It is of course relevant on the integration level. A bad implementation can impact the performance of you application. Even an good implementation may need special resources (like a database). But all this does not impact how you use it. Your code using the object with the Iterator interface stays the same.

He shows how to use the IteratorAggregate, ArrayIterator, FilterIterator and how to create a custom Iterator that you can extend in your own code.

On PHPMaster.com today there's a good tutorial that gives you some methods to do one of the most important things in any application - validating input. Their examples show how to use some of PHP's own filter functions to accomplish this.

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly. In this article I'll explain why input validation is important, why using PHPs built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action.

He talks about why validation is important to protect your application (and users) from malicious things like cross-site scripting. He emphasizes the use of PHP's own filter methods because they are established and, well, included in the language - no additional libraries needed. Example code is included showing how to use them to filter email addresses and check that something is an integer.

You can find out more about these functions on their manual pages: filter_input, filter_var.

In this recent post to Reddit.com, the question of application security is asked - the poster wants recommendations on how he should keep his app safe from would-be attackers:

I can code fairly well in PHP these days, but my security isn't so hot. Is there a tutorial or plugin you guys can recommend as to how I should be protecting my php pages/inputs? I want to avoid common attacks like XSS, inputs with NULL or DROP TABLE etc?

Responses on the post include recommendations related to:

• Using the Chorizo scanner to find common issues in your code
• Using PDO for database connections (with bound parameters)
• Not trusting "$_SERVER"
• Data sanitization

There's also links to a few other resources with more details.

PHPMaster.com has a new tutorial posted today (by George Fekete) about preventing cross-site scripting attacks in your PHP-based applications.

Unfortunately, cross-site scripting attacks occurs mostly, because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to prevent them in your code.

Included in the tutorial is an example with a simple form and definitions of different types of XSS attacks - reflected XSS, persistent XSS and three ways to prevent them: data filtering, output filtering and data validation. He also links to a few "cheatsheets" to help even more (including this guide and a Zend Framework set of XSS test data.

In this new post to his blog Joshua Thijssen describes something that can help when processing large amounts of data (like, in his example, the text of a book) to search through the information and find if a certain piece of data is in the set - a bloom filter.

Most of my co-workers never really heard of bloom filters, and I'm continuously need to explain what they are, what their purpose is and why it's a better solution than other ones. So let's do an introduction on bloom filters. [...] Bloom filters have the property of being exceptionally fast AND exceptionally small compared to other structures but it comes with a price: it MIGHT be possible that our bloom filter thinks that an element is inside our set, when it really isn't. Luckily, the reverse is not possible: when a bloom filter says something is NOT in the set, you are 100% sure that it isn't part of the set.

He explains how the filter works, noting how it's better for memory consumption and how it's possible for it to give a "maybe" response instead of ab absolute "yes" or "no". He also points out a PHP extension, bloomy that takes the hard work out of it for you.