Important Considerations When Using Feeds


XML feeds provide a great resource of information, but their use is not without its own special considerations. Security and legal concerns go hand in hand whether you are producing or consuming feeds. Consider, if you will, the implications of going away for the weekend, only to discover that your aggregator has been attacked, your site is now displaying wildly inaccurate information provided by the attacker, and your legal department is fielding not-so-nice phone calls regarding the current content of your homepage. Also consider how often the information in the feed will be updated; frequently updated feeds require the user to download and parse the document frequently, so the load on the server that creates and serves the feed is greater as well. Finally, a good understanding of XML is required, because XML is the structure from which feeds are formed. Don't worry, XML is discussed shortly.

Security

When you include information from an XML feed in your site (regardless of whether or not the information is displayed publicly), you need to remember that all data received from an external source must be filtered. Feeds are at least as vulnerable to a cross-site scripting attack (XSS) as form data, and as such, all data must be examined carefully.

Cross-site scripting attacks are commonly executed when an attacker gets a site to display the attacker's own code. Without any filtering on your site, an attacker could place JavaScript code into a feed you consume, which would then be presented to your users. This JavaScript code would then be executed in your users' browsers, where it could send cookie data (such as user information) to remote sites, or even rewrite portions of your pages to accomplish even more nefarious deeds.

Finally, it is likely that the feeds you consume will be stored in a database. You may expect (or feed specifications may require) that certain characters will be escaped, but that isn't always the case. SQL injection attacks can occur in this manner, so ensure all data entered into your database is escaped properly.
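
The two defenses described in this section, shown together as an added example (not code from the book): feed values are stored through PDO bound parameters, used here in place of manual escaping, and HTML-encoded when displayed. The feed content, the items table, and the helper names h() and safeLink() are assumptions made for illustration; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the book. The feed below is constructed sample data.
$xml = <<<'XML'
<rss version="2.0"><channel><title>Constructed feed</title>
<item>
  <title>Sale &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>javascript:alert(1)</link>
  <description>It's here'); DROP TABLE items; --</description>
</item>
<item>
  <title>Normal item</title>
  <link>https://example.com/a?x=1&amp;y=2</link>
  <description>Plain &lt;b&gt;text&lt;/b&gt;</description>
</item>
</channel></rss>
XML;

// Hypothetical helper: encode a feed value for an HTML text or attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: keep only http(s) links; anything else becomes null.
function safeLink(string $url): ?string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (title TEXT, link TEXT, description TEXT)');
// Placeholders keep feed text out of the SQL string entirely.
$ins = $db->prepare('INSERT INTO items (title, link, description) VALUES (?, ?, ?)');

$feed = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
if ($feed === false) {
    exit("Feed is not well-formed XML\n");
}
foreach ($feed->channel->item as $item) {
    $ins->execute([(string) $item->title, safeLink((string) $item->link), (string) $item->description]);
}

// Encode at output time, whatever the feed or the database contained.
foreach ($db->query('SELECT title, link, description FROM items') as $row) {
    $title = h($row['title']);
    echo $row['link'] !== null ? '<a href="' . h($row['link']) . '">' . $title . '</a>' : $title;
    echo ': ' . h($row['description']) . "\n";
}
```

The first item is displayed as inert text with no link, because its markup is encoded and its javascript: URL is rejected by the scheme check; its description is stored verbatim without affecting the SQL statement.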

Legal Concerns

The existence of a feed does not give one free rein to use it at will. Certain feeds (especially those from commercial sources) may have specific restrictions on their use, commercial or otherwise. Be sure to research the feeds you want to use before going live with any site using them.

Some specific restrictions are mentioned in more detail in Chapter 3, but common restrictions include that information may not be redistributed at all, that information may only be redistributed for noncommercial purposes, and (often together with either of the previous two restrictions) that appropriate credit must be given to the source. Failing to meet any of these restrictions could result in your requests for the feed being blocked or even in legal action.

Legal concerns don't stop with consuming feeds; presenting a feed has a few of its own concerns. Most of the concerns (accuracy and timeliness of information) are identical to those of a regular website, so don't forget that. Also remember that regardless of the restrictions you place on your feed, it is likely that it will be consumed by aggregators and presented to others outside the confines of your website (where those disclaimers may not be prominent or even visible). Many people are of the opinion that merely by creating a feed you have tacitly agreed to allow people to aggregate and re-present your content. If selling information (a subscription news site, for example) is a major part of your business, you may want to reconsider offering a feed at all.

Update Frequency

The frequency with which a feed is updated is an important item to consider when writing your code. Do a little background research to determine how often a feed is updated — a feed updated many times an hour may require slightly different handling from a feed updated only a few times per week (or month) on predictable dates.

How current the information on your own site needs to be may also come into play. Some items, such as product reviews, can probably be updated on a pretty lenient schedule. If the site updates the feed daily, you can update your cached copy once a day as well (rather than many times throughout the day, trying to catch that update as soon as it happens). For some items such as stock prices, you would probably want to update on a more aggressive timeline, regardless of how often the price actually changes.

Be considerate when consuming feeds: read them only as often as is actually necessary, because many feed providers have begun to express concern over the amount of bandwidth shifting away from their primary website (and hence their revenue) to their feeds. You may want to consider using a service such as rsscache to reduce the load on the feed provider.

Now that you are aware of the major issues behind using live web feeds, you are almost ready to begin looking at how they are put together in PHP. Before doing so, however, one important topic needs to be discussed.




Professional Web APIs with PHP. eBay, Google, PayPal, Amazon, FedEx, Plus Web Feeds
ISBN: 764589547
Year: 2006
Pages: 130
