I've seen a lot of people talking about mysql_real_escape_string() vs addslashes() vs addcslashes(). There seems to be a lot of real confusion about what these functions do (even with the php.net manual around), especially when it comes to character sets. [...] So, I've decided to lay it all out in a few charts so there is no confusion about what each function does and how each can help protect against SQL injection attacks.

He ran some tests based on what the function does to see if it helps with certain things like "escapes with single quotes instead of backslash" and "prevents multi-byte attacks". He compares the speed and testability of the functions as well as provides a multi-byte breakdown oh how the mysql_real_escape_string function works with different character sets.

Escaping quotes or other meta characters in SQL can be painful unless you get lucky with your quoting style. [...] Even with PHP's "Heredoc" syntax something will need escaping, but with PHP 5.3's new "Nowdoc" syntax no escaping is needed.

The only difference between HEREDOC and NOWDOC is that the initial keyword (like the first END in this statement: <<<'END' text here END;) that can make worrying about complex quoting rules a thing of the past.

One of my biggest issues with using PHP as the templating engine in View scripts is that the easiest way to echo a variable is the least secure. [...] So, I decided to leverage a post by Mike Naberezny from a while ago about streams. The idea is all his; I just modified it to work with Zend Framework's Zend_View the way I wanted it to.

His method uses a slightly different output format - instead of using a normal echo statement to push out the escaped output, it uses a special syntax using the "@" sign as a shortcut to the call to escape(). He includes the code you'll need to make it work in your ZF install and explain it a bit (including where the real key lies - in stream_popen).

The idea itself is simple. When data comes into your application, it must be filtered prior to it actually being used for any reason. This means all data. Form values, URL values, and yes, even the values in the forever useful $_SERVER superglobal. [...] Before leaving your application, data should be properly escaped with the specific output medium in mind.

Previously he showed how, using an interceptor method in PHP5, you could build "collections of data". He uses the same sort of method here, appling custom filters to the data based on the output call. Code is included for both the filtering interface and two example filters - one for SQL and the other for HTML.

You can also grab the code if you just want to play with that.

Coming in at number one by an overwhelming lead was "Not escaping entities and SQL input" (a definite problem indeed) with the next highest option, "Not using a Framework" a full twenty percent lower. The next two options were closer (descending) - "Using old PHP versions" and "No or little use of Object Orientation".

There's a new poll this week for your consideration - this time asking which stage, of the five options, should come first in the development cycle of a typical content management system. Head on over and cast your vote today!

Seeing the number of problems and mistakes PHP coders encounter repeatedly I set out to make this list of the 10 most common problems and mistakes done by PHP coders.

Included on the list are some of the usual suspects:

• Not escaping entities
• Not Escaping SQL input
• Requiring and including files using untrusted data
• Syntax errors

Inspired by this article I started to play around a bit to integrate the Smarty template engine into the Zend Framework. My ambition was to minimize the required code in the controller actions but stay close to the given Zend_View API. I also wanted to integrate the Smarty caching feature. Here is the code I came up with.

He sets up a directory under his Zend library include path for the templates to live in and starts writing code. The first step is a class that's based off the Zend_View_Abstract class to set the initial Smarty variables. He follows this up with serveral methods - __run, assign, and escape before displaying the results with output().

Finally, he gives an example of how to use the class he's created to spit out a Smarty template with all of the data nicely in place.

More information on the Zend Framework can be found at framework.zend.com, and information on Smarty at smarty.php.net]]> Wed, 05 Apr 2006 07:22:43 -0500 http://www.phpdeveloper.org/news/4671 http://www.phpdeveloper.org/news/4671 a basic look at some of the PHP security concerns developers should pay attention to when working up their scripts.

Security in PHP has become one of the most popular topics in the PHP community lately, especially with an increased number of exploits and security problems. In this day and age, you must make sure your PHP scripts are airtight, and that they don't have any security problems.

To make sure the security in your PHP scripts are okay, you have to start with the basics: filter input, and escape output. If you haven't got that working properly, your scripts will always be open to security problems. Read this article to learn how to properly do these two things.

While it's a very basic step to security in your scripts, these two considerations for the data entering/leaving could help protect you from some of the more heinous security issues...]]> Mon, 16 Jan 2006 07:11:27 -0600