A blog about tech, programming, security, and various other subjects.
Javascript type conversion
Tags: programming, webdevelopment.
I used to have a lot of problems with Javascript type conversion back when I was just starting to program and had no experience coding besides writing HTML. Nowadays I don't have any trouble with this anymore, especially since the discovery that you can see the errors, but only now do I think I can guess right 100% of the time.
Let's do a show-by-example, but try to guess before clicking the button!
CSRF: It's not trivial
Tags: security, webdevelopment, websites.
In the past few weeks I've found two websites with CSRF vulnerabilities. I wasn't really looking for it, but when they don't require me to enter my current password to change the password (or e-mail address, by which the password can be reset), it raises flags.
So what can you do with a CSRF vulnerability?
In one case, I could easily have gained myself admin permissions on a website with thousands of visitors a day.
With the other, I'm not entirely sure what the extent was, but I could certainly have gotten myself access to FTP accounts for websites.
CSRF stands for Cross-Site Request Forgery. It works like this:
In the category 'good to know': Don't start a car, drive 10 meters, and switch off the engine again (for example to get it out of the way for something). If you do, you might have some trouble starting it next time. It's especially annoying when you want to rob a bank, but on the other hand it can be advantageous against car thieves.
Invalid JSON
Tags: webdevelopment, programming.
I've written about XML versus JSON before, praising JSON far above XML. I still stand by this, but I must say that there is an incredible lot of invalid JSON out there.
Most applications using JSON are client-server setups where the client downloads data from the server. Since JSON is native Javascript, you can just throw it in there along with any sort of Javascript instructions, and it'll work. Yeah, for your application only, that is.
For example, for my website playbylyrics.com I wanted to enable users to download the MP3 of what they were listening to.
PHP functions to be disabled on shared hosting
Tags: webhosting, security.
There are plenty of websites giving you advice on which PHP functions to disable in a shared hosting environment. Trying like 15 blogs and websites, all of them got it wrong, including (to my surprise) the Security Stack Exchange.
I don't know who or when, but someone once posted a list of PHP functions to be disabled and everyone copied it. There are roughly 3 variants of this, which block random functions like mysql_pconnect (but not mysql_connect or sockets themselves), FTP functions, or even string manipulation functions which are obviously totally benign.
Time to set things right.