In this blog post I'd like to talk a bit about some "Did you knows". With these "Did you know" blog posts I want to tell you a few things that I came across along the way, and hopefully you know some that I don't know yet! Some DYKs are directly code related, others are just here to give you insight, and some are just to let you know of their existence (after all, you don't search for what you don't know about).
So here they come in random/chaotic order:
Writable directories
Not so PHP specific, but often misused, is checking for writable directories/paths. Directories don't have to be readable to be used for writing, but they do have to be writable and executable.
So a check like this is simply incomplete:
And it will simply fail if the directory is writable but has no execute attributes (mode 0666). This is especially troublesome, and can keep you occupied for a long time, when using the shutup (@) operator...
Form name attribute character conversions
Due to legacy PHP versions, and to my understanding mostly due to the register_globals feature, some HTML form name attribute characters are translated. The idea behind it makes sense, however it's applied in a strange way.
For example <input type="text" name="fu.bar" value="" > in a form with post method gets translated (even in the current PHP 6 roadmap) into: $_POST['fu_bar']. This happens with the "." and " " characters. But not with '-', which seems weird, because $fu-bar isn't a valid variable, but '-' is a valid HTML input name attribute character. You probably never need it, but I had a situation recently where I was flabbergasted as to why array keys were different from their HTML counterparts, and I had completely forgotten about this behavior.
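To see which names are affected in a given form, the submitted names can be compared with the keys PHP ends up using. The following is an added example, not code from the original post; the function name field_name_report and the sample body are made up for illustration, and it relies on parse_str(), which the PHP manual documents as applying the same dot and space conversion.

```php
<?php
// Added example, not from the original post. Needs PHP 7.3+ (array_key_first).
// Assumption: parse_str() converts names the same way PHP does when it
// fills $_POST / $_GET (its manual page documents the "." and " " rule).

/**
 * Map raw field names in a urlencoded body to the array keys PHP uses.
 * Returns ['renamed' => raw name => key, 'collisions' => key => raw names].
 */
function field_name_report(string $rawBody): array
{
    $renamed = [];
    $byKey = [];
    foreach (explode('&', $rawBody) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Name as the browser sent it, cut at any [..] array suffix.
        $rawName = urldecode(explode('=', $pair, 2)[0]);
        $rawBase = explode('[', $rawName, 2)[0];

        $parsed = [];
        parse_str($pair, $parsed);
        if ($parsed === []) {
            continue; // PHP dropped the field (for example an empty name)
        }
        $key = (string) array_key_first($parsed);
        if ($key !== $rawBase) {
            $renamed[$rawName] = $key;
        }
        $byKey[$key][$rawBase] = true;
    }
    // Keys that more than one distinct raw name ends up in.
    $collisions = [];
    foreach ($byKey as $key => $names) {
        if (count($names) > 1) {
            $collisions[$key] = array_map('strval', array_keys($names));
        }
    }
    return ['renamed' => $renamed, 'collisions' => $collisions];
}

// Constructed sample body: the post's "fu.bar" field plus variants.
$body = 'fu.bar=1&fu+bar=2&fu-bar=3&fu_bar=4';
print_r(field_name_report($body));
```

Any entry under collisions means that validation written against the HTML name and code reading $_POST are not looking at the same field.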