Ulf Wendel: Not only SQL injection I don't trust you!
by Chris Cornutt September 26, 2012 @ 08:34:59
On his site today Ulf Wendel talks about SQL injection and some comments that came up during a recent webinar about common MySQL mistakes PHP developers make.
Never trust user input! Injection is a threat. You are the new web developer, aren't you? Never trust user input is the first rule I had to learn as a web developer in ancient times. Injection can happen whenever user input is interpreted or used to compose new data. A quick recap of the #3 mistake from today's Top 10 MySQL Tips and Mistakes for PHP Developers web presentation. A webinar recording should be available in a couple of days.
He points out a few "don'ts" to avoid - like directly injecting superglobal values into your query - and reminds readers that not all SQL injections are caused by escaping issues. The real key? Validating input - be sure the values you put into your query are of the correct type and contain what you expect.
DeveloperDrive.com: Common Mistakes to Avoid When Coding in PHP
by Chris Cornutt October 19, 2011 @ 09:17:59
On the DeveloperDrive.com site today, there's a new post with a few reminders for PHP developers out there of things it's easy to forget when writing your applications - some common mistakes to avoid.
Despite the high expectations placed on them at times, developers are human. They were the last time we checked anyways. As humans, we are bound to make mistakes from time to time. And simple, common mistakes often slip past our filters the more comfortable we become with something. [...] But knowing what these common mistakes are and how to avoid them can really help speed up the development process and keep our clients smiling.
His list includes three big ones that, if forgotten, could end up being detrimental to your application (sooner or later) - poor housekeeping/organization of code, forgetting punctuation and forgetting to validate input from users.
SitePoint PHP Blog: Top 10 MySQL Mistakes Made by PHP Developers
by Chris Cornutt November 19, 2010 @ 08:33:16
On the SitePoint PHP blog today there's a new post from Craig Buckler looking at the top ten MySQL mistakes he has made as a PHP developer over time (and suggesting a few ways to keep from making them again).
A database is a fundamental component for most web applications. If you're using PHP, you're probably using MySQL - an integral part of the LAMP stack. PHP is relatively easy and most new developers can write functional code within a few hours. However, building a solid, dependable database takes time and expertise. Here are 10 of the worst MySQL mistakes I've made (some apply to any language/database).
Some of the infamous mistakes that made the list include:
- Using PHP's mysql functions (instead of mysqli)
- Not sanitizing user input
- Not using UTF-8
- Not optimizing your queries
- Using * in SELECT queries
Smashing Magazine: Common Security Mistakes in Web Applications
by Chris Cornutt October 19, 2010 @ 10:21:38
Smashing Magazine has posted an excellent security guide to get you on the road to protecting your site and its data from some of the most common mistakes applications can make. Several of the topics even come with PHP code to illustrate.
Unfortunately, unless we're careful with the code we write, the answer to these questions can often be one we'd rather not hear. We'll skip over denial of service attacks in this article, but take a close look at the other issues. To be more conformant with standard terminology, we'll talk about Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Phishing, Shell injection and SQL injection. We'll also assume PHP as the language of development, but the problems apply regardless of language, and solutions will be similar in other languages.
For each of the topics, there's a general description of how the attack works and, if applicable, some PHP code showing the right and wrong ways it can be handled. For things like Clickjacking or Phishing, the descriptions aren't so much about backend code as they are about frontend behaviour and personal manipulation.
Drupal4Hu.com: OOP and PHP or why Drupal rocks and some mistakes
by Chris Cornutt August 24, 2010 @ 11:38:12
On the Drupal4Hu.com site there's a recent post with a complaint about the OOP functionality in PHP and how Drupal developers should deal with its limitations.
While I was always complaining of PHP's inability of adding a method run-time, the problem we face is that you can't replace one either. So if you do what I did in the previous post, namely use the hook-alter pattern (already an addition to PHP, I must say) to override the classname, that works. However, if two modules try to do this for two different methods, you fail.
He suggests to those Drupal developers out there that, for version 8 of the popular content management system, they drop the "closed crap that in PHP is called OOP" and work to make something better, implemented themselves. Something that would make it simpler for Drupal developers to create hooks into the main system for their plugins. Be sure to read the comments for other opinions on the post.
Sean Coates' Blog: A Case of Mistaken Iterator
by Chris Cornutt July 29, 2010 @ 12:48:51
In a new post to his blog today Sean Coates talks about some of his work with Iterators in PHP and how, despite a bad example in the manual, he solved his issue (and updated the PHP manual too).
In the back end, we have models that connect to CouchDB. These models implement the Iterator pattern to allow easy traversal of a record's keys. [...] Little did I realize that this implementation is very broken. [...] Over the past few years, I've implemented many iterators in this way, using PHP's implicit array manipulation functions (reset(), current(), key(), next()).
He points out some issues with how PHP handles array index tracking and how, in the previous PHP manual example, it incorrectly checked for "false" against the current array value. His updated version doesn't have this issue. You can see it here.
SellMix Blog: PHP mistakes, misconceptions, bad practices and blatant no nos.
by Chris Cornutt January 25, 2010 @ 11:05:34
From the SellMix blog today there's a new post with a few "no-nos" and misconceptions when it comes to working with PHP in your applications.
We have all had that moment where we looked back on a script that we wrote years ago and thought "what the hell was I thinking?". But it is a process. You make mistakes, you learn from those mistakes and then you move on. From my experiences of modifying other people's code, helping people on PHP help forums and making my own (many) mistakes, I hereby present this list.
There are eleven points included in the list, touching on things like:
- Superglobals being referred to inside class functions
- MySQL queries inside loops
- Brackets - use them.
- Indent, indent, indent!
- Why are you using mysql_fetch_array?
Check out the rest of the post for more tips.