Posts in InfoSec

Monday, January 21, 2008

Inspekt 0.3 now available


I’ve uploaded the 0.3 release of Inspekt, the input filtering and validation library for PHP4 and 5. With this release, Inspekt completes the goals of the original specification for the OWASP SpoC007 project. I believe it is ready for “real-world” use.

Along with this release, there are new support and install options:

What’s new in this release:

  • Automated filtering via external config files
  • Cleanup and fixes to docblocks
  • More example code
  • A fruity logo

What’s in the future:

  • Interact with developers to get feedback and implement suggestions
  • Add new options for URI, email, phone # validators
  • Work with framework developers to integrate Inspekt with their platforms
  • Better support the special requirements of session data
  • Integration with PHP5’s filtering API when available
  • Integration with other filtering and escaping systems like PHPIDS and HTML Purifier

If you are interested in contributing to Inspekt in any way, I highly encourage you to join the mailing list. I’m especially looking for development assistance and “real-world” feedback.

Posted in Inspekt, My Projects, Development, InfoSec, PHP by funkatron on 01/21 at 12:56 PM

Tuesday, November 20, 2007

Slides from DC PHP

Maintaining focus has never been one of my strong suits, but I’ve been doing a fairly bad job of it lately even for me. So, I’m finally posting the slides from my two talks at DC PHP:

I think my talks went okay, but not great. Definitely could have been more prepared and presented more useful information, especially in the Inspekt talk. It’s the first time I’ve done a talk on that project, so I still am feeling that one out a bit, whereas I’ve talked about PHPSecInfo a few times before this.

The DC PHP Conference was a nice surprise. It was clearly still in the learning stages, but everyone was friendly and happy to help, and the organizers definitely seemed interested in sorting out what worked and what didn’t. I believe they said the next one will be in July 2008; I hope to be there!

Posted in Inspekt, PHPSecInfo, InfoSec, PHP by funkatron on 11/20 at 12:06 AM

Thursday, October 11, 2007

Interview on ArsTechnica about Spaz

An interview I did with Jacqui Cheng of ArsTechnica about Spaz has been posted tonight. We get kinda in-depth on the origins of Spaz and the security issues with rich internet applications.

Posted in My Projects, InfoSec, Spaz by funkatron on 10/11 at 08:50 PM

Wednesday, September 19, 2007

PHP|Works 2007: Presentations and Thoughts

php|works - it's about the booze. Photo by Terry Chay

php|works 2007 was last week, and it was a great experience for me. Here are the slides and code from the presentations I gave:

I really enjoyed my trip to Atlanta and the conference experience. Much like php|tek this year in Chicago, ‘works was filled with lots of great content, smart people, and a casual, comfortable atmosphere that makes the whole thing a lot of fun. The php|architect conferences lack pretension, and that’s really nice — it’s about the people and sharing knowledge. And this one was really special for me because it’s the first time I’ve given a presentation to my colleagues in the community. I was very nervous, but it all turned out well.

I’m too lazy busy to write out an extended journal of the whole experience, but here are some memorable moments:

  • Being sick just two days before I was about to leave, and getting better just in time to go
  • Having my first flight cancelled, giving me time to mostly finish my CodeIgniter talk before I left the Indy airport
  • Getting to the hotel just in time to catch Chris Shiflett’s funny PHP4 is Dead keynote
  • Discovering the hotel room had a flat-panel TV. Unfortunately, no HD content
  • Catching up with Lucas Nealan, and getting an unexpected phonecall with great news
  • The fact that there were about 7,000 iPhones on-hand
  • The Paul Reinheimer quad-core drinking demo (sponsored by Microsoft)
  • Ramblecast: the loudest, drunkest, least productive group podcasting experiment ever
  • Learning a lot more about the Filter extension from Derick Rethans, and seeing how it compares to Inspekt
  • Losing power in the middle of my PHPSecInfo talk, and Paul M. Jones resuscitating the projector
  • Terry Chay’s software architecture talk. I didn’t agree with everything he said, but I laughed my ass off
  • Meeting people who have actually heard of me and used tools I’ve made. Weird
  • Good conversations with too many people to name

Posted in Inspekt, PHPSecInfo, My Projects, InfoSec, PHP by funkatron on 09/19 at 09:30 PM

Monday, September 10, 2007

Giving Two Talks at php|works Atlanta this week


This Friday, I’ll be giving two talks at php|works Atlanta: one on the CodeIgniter framework, and one on PhpSecInfo.

Intro to CodeIgniter

September 14, 2007 @ 1:15 – 2:15pm

CodeIgniter is an open-source web application framework written in PHP. Created by EllisLab, CI is descended from the ExpressionEngine CMS system, and therefore has a focus on real-world needs and solutions for PHP developers. CI is easy to deploy, and works with a wide variety of environments (even FTP-only shared hosting accounts). It offers powerful features like MVC and ActiveRecord without requiring the developer to adhere to strict coding guidelines. It’s easy to extend, and plays well with other code libraries like PEAR and Zend Framework.

In this talk we’ll go over the basics of CI: how to deploy it and how to write a simple application. As time allows, we’ll discuss how to extend the framework with other libraries.

Securing the PHP Environment With PhpSecInfo

September 14, 2007 @ 4:30 – 5:30pm

PhpSecInfo is an easy-to-use security auditing tool for the PHP environment. We’ll discuss how to use PhpSecInfo as part of your web app security toolkit, and how to customize and extend it for your specific needs, including using the Zend_Environment_Security module from the Zend Framework.

Hope to see you there!

Posted in PHPSecInfo, Development, InfoSec, The Web Problem, PHP by funkatron on 09/10 at 01:27 PM