My Next Book: Dreamweaver CS5.5 for Mobile

I’ve been burning the midnight oil since the beginning of this year, working on my next book—Adobe Dreamweaver CS5.5 for Mobile with jQuery, HTML5, and CSS3: Studio Techniques. The book is now complete, and is scheduled to go live on Safari Online Library and Creative Edge as soon as Dreamweaver CS5.5 is released (the actual date has not yet been made public). The printed book—published by Adobe Press—should be available in early June.

The book guides you through the main new features in Dreamweaver CS5.5 with the help of three case studies. The first one centers on redesigning a website for display on desktops, tablets, and smartphones using HTML5, CSS3, and media queries. The second takes a cut-down version of the same site, and builds a dedicated mobile version using jQuery Mobile, a sophisticated JavaScript and CSS framework designed to work consistently in all major mobile platforms. The final case study uses Dreamweaver CS5.5’s PhoneGap integration to develop a simple app that stores information in a database, accesses a mobile phone’s GPS sensor, and displays a map.

More details later.

Posted in Books, CSS, Dreamweaver | 7 Comments

Dreamweaver CS5.5—More Than a Point Release

Finally, I can reveal details of the version of Dreamweaver that I’ve been experimenting with for the past few months. Officially, it’s called Dreamweaver CS5.5, which makes it sound as though it has a couple of extra features, but not quite enough to justify calling it Dreamweaver CS6. Nothing could be further from the truth.

This is a major upgrade. Here’s what it contains:

  • Full support for jQuery Mobile, including more than a dozen jQuery Mobile widgets.
  • PhoneGap integration to create native apps for Android and iOS using HTML, CSS, and JavaScript.
  • Code hinting for jQuery.
  • New tools for creating CSS3 rounded corners and drop shadows.
  • Support for web fonts.
  • Full support for all CSS3 selectors.
  • The ability to see what pages will look like at different screen resolutions without leaving the Document window.
  • Support for FTPS.

The emphasis in this new version is firmly on development for multiple screen resolutions and for mobile devices. The New Document dialog box contains starter pages for jQuery Mobile that enable you to build in minutes a simple web application that works consistently in all major mobile platforms. All you need to do is to replace the placeholder text with content of your own. Of course, to create more than just a boilerplate application, you need to do your own coding. But Dreamweaver CS5.5 has full code hinting for both jQuery core and jQuery Mobile, speeding up the development process.

The PhoneGap integration is particularly impressive. At the moment, Dreamweaver supports the development of native apps only for Android and iOS, but there are plans to expand this later to other mobile operating systems. Developing for iOS requires Mac OS X 10.6, but Android is supported on both the Windows and Mac versions of Dreamweaver. If you don’t already have the Android SDK (software development kit) installed, Dreamweaver does it for you with just a single click. Having gone through the pain of the manual installation process on both Windows and Mac, I can honestly say that Dreamweaver’s automated installation is a real godsend. After developing your web app with HTML, CSS, and JavaScript, Dreamweaver runs PhoneGap to build the native version and installs it into a simulator.

Smaller, but nonetheless important enhancements that I particularly like are the tools for creating image-less drop shadows and rounded corners with CSS3. Using them in combination with Live view lets you see the effect of your style definition immediately. No constant toing and froing between the style sheet and a browser. Dreamweaver also now has support for rgba() and hsla() colour formats, simplifying the addition of transparent effects to your web pages.

Is there anything not to like? Yes. Bringing out this new version only a year after CS5 and about eight months after the 11.0.3 updater means there are a few rough edges. For example, you need to be careful where your insertion point is when you add a jQuery Mobile widget. Normally, Dreamweaver recognizes if you’re inside a paragraph or other block element and either moves outside the element or splits it. However, with jQuery Mobile widgets, it just puts the new code wherever you happen to be. It’s more of a minor irritation than a major failing; but anyone who doesn’t understand the code that’s being created will end up with a complete mess.

Dreamweaver’s implementation of HTML5 also has some way to go. But then, so has HTML5 itself. There’s full code hinting for HTML5 elements and attributes, but there’s no easy way to insert HTML5 elements except through hand-coding in Code view.

In spite of the shortcomings, I’m really enjoying working with Dreamweaver CS5.5, and hate going back to earlier versions. I strongly recommend that you give it a try when it’s released. I think you’ll like it.

Posted in CSS, Dreamweaver | 17 Comments

Missing file for PHP Solutions, Second Edition

A couple of readers have reported that download.php was missing from the ch07 folder of the download files for PHP Solutions, Second Edition. The zip file on the friends of ED download page has now been updated. If you downloaded the zip file before 4 January, please download the updated version. Many apologies for the inconvenience.

While checking the reports of the missing file, I discovered a mistake in the code on page 211 of the book. A closing curly brace is missing at the bottom of the script. Details are on the book’s corrections page.

Posted in Books, PHP | 51 Comments

Preventing email header injection

More than five years have passed since New York PHP published an extremely useful article warning developers of the dangers of email header injection, and providing detailed instructions of how to prevent it. Yet barely a week goes by without PHP newcomers posting requests for help with email scripts that still contain this vulnerability. Unfortunately, many beginners seem to use outdated scripts or tutorials that ignore basic security, and have never heard of email header injection. When they’re told about it, the NYPHP article is too technical for them to understand. So, this is an attempt to make it simple.

What is email header injection?

The PHP mail() function takes up to five arguments, the first three of which are required: the address(es) the mail is being sent to, the subject line, and the body of the message. The fourth argument allows you to specify additional headers, such as From, Reply-to, Cc, and Bcc. Headers are separated from one another by line breaks, so if user input that contains newline characters ends up in this fourth argument, the attacker can append headers of their own (typically Bcc lists of addresses). Email header injection usually targets weaknesses in the way this fourth argument is handled, inserting bogus headers to turn your online form into a spam relay.

One of the most common uses of the fourth argument is to insert the user’s email address into the From or Reply-to header. It’s extremely convenient, because it allows you to reply directly to an email received from an online form just by clicking the Reply button in your email program. It’s also extremely convenient for an attacker. All that’s necessary is to add a string of spurious headers into the email field of your contact form, and your website becomes an instant spam relay—unless, of course, you take suitable precautions.

Preventing email header injection

The data filters introduced in PHP 5.2 make it easy to check that the value submitted through the email field of an online form contains a single email address and nothing else. So, if you want to put the user’s email address in a Reply-to header, you can check it like this (assuming the input field is named “email”):

$validemail = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($validemail) {
    $headers .= "Reply-to: $validemail\r\n";
}

Note that INPUT_POST and FILTER_VALIDATE_EMAIL are PHP constants, and must be in uppercase.

Using filter_input() like this is a simple and effective way to prevent the email field of a contact form being exploited for header injection: FILTER_VALIDATE_EMAIL accepts a single, syntactically valid address and nothing else, so any newline characters cause the check to fail. Of course, you would probably want to take further action if the email address fails validation (the filter checks only that it’s in a valid format—it doesn’t check whether it’s a genuine address), such as redisplaying the form with an error message. This blog post is concerned only with basic prevention.

Is that all that’s needed?

Although the email field of a contact form is the main target, you also need to be careful about allowing user input in the first and second arguments to mail(): the address the message is being sent to, and the subject line. If both values are hard-coded in your script, there’s nothing to worry about. However, if your form allows the user to select from a choice of destination addresses, or insert a custom subject line, you need to validate those values before passing them to mail(). Don’t be fooled into thinking that a drop-down menu in your form limits the values that can be entered. It’s very easy for an attacker to bypass your preselected values by editing the form or posting directly to your script.

One way of handling the destination addresses is to create an array of valid addresses, and use in_array() to check that the submitted value is among them.

$destinations = array('me@example.com', 'you@example.com');
// third argument true: compare strictly, so only an exact string match passes
if (isset($_POST['to']) && in_array($_POST['to'], $destinations, true)) {
    // the address is OK to use
} else {
    // don't send the mail
}

You can do the same with a choice of subjects. But if you want to allow the user to enter a custom subject line, you need to check that it doesn’t contain newline characters or common headers. The following code uses a regular expression to detect characters and values likely to be used in an attack:

$pattern = '/[\r\n]|Content-Type:|Bcc:|Cc:/i';
if (preg_match($pattern, $_POST['subject'])) {
    // reject the post, as it's most likely an attack
}
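The three checks above, combined into one function that either returns safe arguments for mail() or a list of reasons for rejecting the submission. This is an added example, not code from the post or from PHP Solutions. It uses filter_var() on an array argument rather than filter_input() so that it can be exercised with a constructed submission; the function name buildMailArgs(), the fixed From address noreply@example.com, and the hostile and legitimate submissions are all assumptions made for the example.

```php
<?php
// Added example (not from the original post): one helper that applies the
// three checks described above to a contact-form submission and builds the
// arguments for mail(), plus a constructed malicious POST to show what is
// rejected.

declare(strict_types=1);

/**
 * Validate a contact-form submission.
 * Returns ['ok' => true, 'to' => ..., 'subject' => ..., 'message' => ...,
 * 'headers' => ...] on success, or ['ok' => false, 'errors' => [...]].
 */
function buildMailArgs(array $post, array $destinations): array
{
    $errors = [];

    // 1. The email field must be exactly one address and nothing else.
    //    FILTER_VALIDATE_EMAIL rejects CR and LF, so a value such as
    //    "a@example.com\r\nBcc: victim@example.net" fails here.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'invalid email address';
    }

    // 2. The destination must be one of the hard-coded choices.
    //    Strict comparison (third argument) avoids loose-typing surprises.
    $to = $post['to'] ?? '';
    if (!in_array($to, $destinations, true)) {
        $errors[] = 'unknown destination';
    }

    // 3. A free-text subject must not contain line breaks or header names.
    $subject = (string) ($post['subject'] ?? '');
    if (preg_match('/[\r\n]|Content-Type:|Bcc:|Cc:/i', $subject)) {
        $errors[] = 'suspicious subject line';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // Only validated values reach the headers. Each header ends with CRLF.
    // From is fixed to an address you control (assumed here); the visitor's
    // address goes in Reply-To, as the post recommends.
    $headers  = "From: noreply@example.com\r\n";
    $headers .= "Reply-To: $email\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

    return [
        'ok'      => true,
        'to'      => $to,
        'subject' => $subject,
        'message' => trim((string) ($post['comments'] ?? '')),
        'headers' => $headers,
    ];
}

$destinations = ['me@example.com', 'you@example.com'];

// Constructed attack: the email field carries an injected Bcc header, as it
// would arrive after PHP has decoded %0D%0A in the form submission.
$hostile = [
    'email'    => "attacker@example.net\r\nBcc: victim1@example.org, victim2@example.org",
    'to'       => 'me@example.com',
    'subject'  => 'Hello',
    'comments' => 'spam body',
];
$result = buildMailArgs($hostile, $destinations);
if (!$result['ok']) {
    echo 'rejected: ' . implode(', ', $result['errors']) . "\n";
}

// Constructed legitimate submission: passes and yields arguments for mail().
$good = [
    'email'    => 'alice@example.net',
    'to'       => 'you@example.com',
    'subject'  => 'Question about your book',
    'comments' => 'Hi, I have a question about chapter 7.',
];
$result = buildMailArgs($good, $destinations);
if ($result['ok']) {
    // mail($result['to'], $result['subject'], $result['message'], $result['headers']);
    echo "accepted: ready to send to {$result['to']}\n";
}
```

Keeping the From header fixed to an address on your own domain, and putting the visitor’s address only in Reply-To, is also what lets replies work from your mail client without the message being treated as forged by receivers that check the sending domain.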

I go into much more detail in my books, but hopefully this helps PHP newcomers to adopt more secure coding practices with mail().

Posted in PHP | 6 Comments

Understanding PHP variable variables

A few days ago, I was contacted by a reader of PHP Solutions, who was confused by the following line of code in the mail-processing script:

${$key} = $temp;

He wanted to know why I had wrapped a variable in curly braces and preceded it with a dollar sign. The answer is that it’s a variable variable. No, that’s not a mistake. The repetition is deliberate. As the PHP Manual explains, it’s sometimes convenient to have variable variable names. Strictly speaking, the curly braces aren’t required. I could have used $$key instead of ${$key}, but the addition of the braces indicates that the double dollar sign is deliberate, and it makes it easier to identify a variable variable within a block of code.

So, what is a variable variable, and why did I use it in this case?

Simply put, a variable variable creates a new variable and uses the value of an existing variable as the new variable’s name. Still confused? Let me explain how it’s used in the mail-processing script.

The script uses a foreach loop to process the contents of the $_POST array, assigning the key and value of each element to $key and $value like this:

foreach($_POST as $key => $value) {

Let’s say the first element in the $_POST array is $_POST['name'] and its value is “David”. On the first pass through the loop, $key is “name” and $value is “David”. Inside the loop, $value is subjected to some processing, and the result is stored as $temp. Since $key is “name”, ${$key} becomes $name, and it’s assigned the value of $temp (“David”).

If the next element in the array is $_POST['country'], ${$key} becomes $country, and it is assigned the value that was originally stored in $_POST['country']. In other words, this is a simple way of converting $_POST array elements into simple variables. HOWEVER, it’s extremely insecure to use this technique on its own.

You must verify the name of each $_POST array element before using it as a variable variable. The simple way to do this is to create an array listing the name of each input element in your form, for example:

$expected = array('name', 'email', 'comments');

Then, before creating the variable variable, check that the name is in the $expected array:

if (in_array($key, $expected)) {
${$key} = $temp;
}

This prevents an attacker from injecting spurious variables into your code. If $key is not in the $expected array, the variable variable is not used.

The code in PHP Solutions also uses two other arrays, $required and $missing, to check if required fields have been completed. The full code looks like this:

$expected = array('name', 'email', 'comments');
$required = array('name', 'comments');
$missing = array();
foreach ($_POST as $key => $value) {
    // assign to temporary variable and strip whitespace if not an array
    $temp = is_array($value) ? $value : trim($value);
    // if empty and required, add to $missing array
    // (note that empty() also treats the string "0" as empty)
    if (empty($temp) && in_array($key, $required)) {
        $missing[] = $key;
    } elseif (in_array($key, $expected)) {
        // otherwise, assign to a variable of the same name as $key
        ${$key} = $temp;
    }
}

When using this technique, if you add extra fields to your form, don’t forget to add their names to the $expected array. It’s also important to validate the values stored in the simple variables before using them.
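To make the risk concrete, here is the same loop with and without the $expected check, run against a constructed submission that smuggles in an extra field named after a variable the script relies on. This is an added example, not code from PHP Solutions or the post; the function names processUnguarded() and processGuarded(), the $isAdmin flag, and the hostile submission are assumptions made for the illustration.

```php
<?php
// Added example (not from the book or the original post): the variable
// variable loop with and without the $expected allowlist, fed a constructed
// $_POST that contains a field the form never had.

declare(strict_types=1);

// Unguarded: every POST key becomes a local variable, so a field named
// 'isAdmin' silently overwrites the flag the script set itself.
function processUnguarded(array $post): bool
{
    $isAdmin = false;                 // decided by the script, not the user
    foreach ($post as $key => $value) {
        $temp = is_array($value) ? $value : trim((string) $value);
        ${$key} = $temp;              // $key === 'isAdmin' lands here
    }
    return (bool) $isAdmin;
}

// Guarded: only names the form is known to send may become variables.
// Strict comparison matters: $_POST keys that look numeric become integers,
// and in PHP 7 in_array(0, array('name')) is true under loose comparison.
function processGuarded(array $post, array $expected): bool
{
    $isAdmin = false;
    foreach ($post as $key => $value) {
        $temp = is_array($value) ? $value : trim((string) $value);
        if (in_array($key, $expected, true)) {
            ${$key} = $temp;
        }
    }
    return (bool) $isAdmin;
}

$expected = ['name', 'email', 'comments'];

// Constructed hostile submission: the three real fields plus one extra that
// an attacker adds by editing the form or posting directly to the script.
$hostile = [
    'name'     => 'Mallory',
    'email'    => 'mallory@example.net',
    'comments' => 'hello',
    'isAdmin'  => '1',
];

echo processUnguarded($hostile)
    ? "unguarded: isAdmin flag was overwritten by user input\n"
    : "unguarded: isAdmin flag intact\n";

echo processGuarded($hostile, $expected)
    ? "guarded: isAdmin flag was overwritten by user input\n"
    : "guarded: isAdmin flag intact\n";
```

The unguarded version also lets a submitted field named expected, required or missing overwrite those arrays mid-script, which is why the allowlist check has to happen before the assignment and why every name in $expected should be a field you deliberately put in the form.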

Posted in Books, PHP | 25 Comments

Files for Kindle version of Dreamweaver CS5 with PHP

The files accompanying Dreamweaver CS5 with PHP: Training from the Source are on the CD-ROM at the back of the printed book. So, what do you do if you have bought the Kindle version and there’s no CD-ROM? Depending on when you bought it, look at the beginning, just after the title page, or the end on the penultimate page of the book, where you’ll find details of how to obtain the files. The files are also available in the book’s Extras tab in Safari Books Online or Creative Edge.

Posted in Books, Dreamweaver, PHP | 28 Comments

PHP Solutions second edition now available

It’s almost exactly four years since PHP Solutions: Dynamic Web Design Made Easy was first published. The book has proved extremely popular, but a lot has happened in PHP since it was first published. Support for PHP 4 was abandoned in August 2008, and major improvements were made to PHP in versions 5.2 and 5.3. So, it was time to dust off the code, and bring it up to date.

I spent most of the summer going through every chapter and all the code line by line, correcting errors and making the code more efficient. The result is a major rewrite, PHP Solutions: Dynamic Web Design Made Easy, Second Edition, which is now in stock at Amazon in the United States, and should be available elsewhere soon. It’s also available in electronic form as a Kindle version, or as a PDF from the friends of ED website.

There’s a detailed description of what the book covers and how it differs from the first edition elsewhere on this site. If you have recently bought the first edition, don’t worry. There’s nothing actually wrong with the original code, but do make sure you check the updates on my site, as well as the corrections on the friends of ED site.

When downloading the accompanying files from friends of ED, make sure you get the files for the correct edition:

Posted in Books, MySQL, PHP, phpMyAdmin | 57 Comments

Get the best out of the DW Server Behavior Builder

The Server Behavior Builder (SBB) has been part of Dreamweaver for a long time, but few people seem to realize just how useful it can be in speeding up development with PHP or other server-side languages. What makes the SBB so powerful is its ability to insert commonly used blocks of code simultaneously in different parts of the page. Just add placeholders for values that will be different each time, and Dreamweaver automatically builds a dialog box for you to fill in.

The beauty of the Server Behavior Builder is that it’s not dependent on Dreamweaver’s built-in server behaviors. You can use it with your own code or in conjunction with a third-party PHP library, such as the Zend Framework.

I’m thrilled to have been chosen to present a hands-on demonstration of using the SBB at Adobe MAX in Los Angeles at 3:30pm on Tuesday, 26 October. It’s a BYOL (bring your own laptop) Lab. I’ll be showing how to create several useful tools to speed up PHP development, and I’ll also show you how to package your server behaviors as Dreamweaver extensions, so you can move them quickly to another computer or share them with friends and colleagues.

Even if you’ve learned about the SBB from my books, this session will go into greater detail, and will be based on new material. All the necessary files will be provided. Just bring yourself and a laptop. So, register for Adobe MAX 2010 and sign up for my BYOL Lab. See you in LA!

Posted in Dreamweaver, PHP | 8 Comments

DW CS5 with PHP book on Rough Cuts

If you would like to get early access to my next book “Adobe Dreamweaver CS5 with PHP: Training from the Source”, the first six chapters (of 12) are now available as Rough Cuts in Creative Edge and Safari Books Online.

If you have a Safari Library subscription, you can view the chapters free of charge, and see new ones as they’re added. Without a subscription, you can get access to the book in PDF format for $34.99, including the finished ebook version when the book is complete. You can also opt for the Rough Cuts PDF and Print bundle for $67.48. The print version is expected to be released in early August.

The chapters currently available are Lessons 1-3 and 4-7, covering the following subjects:

  • An in-depth look at all the PHP features in Dreamweaver CS5
  • Instructions for setting up a local PHP development environment
  • A quick PHP crash course (or refresher)
  • Creating your own database in MySQL
  • Using Dreamweaver server behaviors for automatic code generation
  • Building a robust user registration system with Zend_Validate and Zend_Db

Chapters still to come concentrate heavily on using selected modules of the Zend Framework for sending email, uploading files, and building a content management system. (To avoid any misunderstanding, the book does not use the MVC design pattern—it follows what the ZF documentation calls “use at will” design, making use of individual components.)

Posted in Books, Dreamweaver, MySQL, PHP | 35 Comments

New extension to convert colours to RGBA

CSS3 offers a new way to define colours: RGBA. This extends the RGB (red, green, blue) colour model to include alpha transparency. Unfortunately, RGBA does not accept hexadecimal values for colours. So, I have created a free Dreamweaver extension that converts from hexadecimal (or the 17 named colours) to RGBA. It’s free, and can be downloaded from the Tools page on this site.

Posted in CSS, Dreamweaver | 13 Comments