PHPDeveloper.org

PHP Discovery Blog: Dangers of Remote Execution

Wed, 21 Nov 2007 13:48:00 -0600

On the PHP Discovery blog, there's a new post reminding PHP developers of some of the more dangerous ways that remote execution could effect your site and some of the common entry points it can have.

PHP has numerous ways to execute raw PHP code unless you the programmer stops it. Best way in preventing these methods is making sure you check the input of what your users are inputting, and making sure you escape all malicious actions that a hacker,cracker, kiddy scripter might want to do to your website.

He summarizes four of the things from the Pro PHP Security book from Apress (by Chris Snyder and Michael Southwell) that can leave holes in you application for would-be explots - preg_replace, shell_exec/exec, eval (which we all know is only one letter from "evil" anyway) and require/include.

Ivo Jansch's Blog: The danger of Fluent interfaces

Fri, 30 Dec 2005 07:07:45 -0600

Ivo Jansch

fluent interfaces.

After Martin, Mike and Paul have demonstrated the usefulness of Fluent Interfaces, I'd like to take a look at the downside.

Ironically, Martin's original example already demonstrates the problem. (In the example) newOrder could be implemented in two ways: Create an order and return that new order, and Add an order to this customer and return the customer.

This can lead to confusion; the 'with()' method employs method b. If you think that newOrder returns an Order, and hence 'with()' is a method of the Order class, look at 'skippable'. Martin states that order lines are skippable. So what's in front of skippable() is an OrderItem. That means that with() must have returned an OrderItem. If that is true, then with() is a method of OrderLine too!

Confused yet? Well, be sure to check out his examples - they help to clear up at least the items mentioned above. His point is that, while the fluent interface does make it more readable, it can also make it more confusing - taking things down to such a simple level can sometimes eliminate some needed complexity to make things work properly (or as the user percieves "properly" to be)...