
Jani Hartikainen: Library author, don't provide an exploitable interface
September 02, 2013 @ 11:18:05

Jani Hartikainen has shared a recommendation for library authors out there: don't make your library exploitable. That is, don't make it open by default to common attacks like SQL injection or cross-site scripting.

SQL injection is a pretty big deal. Its cousin, shell injection, is also a common issue, demonstrated quite well by a recent post to the PHP reddit. Although some suspect it was a troll, I heard echoes from a variety of people who had seen pretty much exactly the same vulnerability in production.

This got me thinking: people writing libraries for doing things like shell commands, SQL, etc., don't actually have to provide an interface that can be easily misused. An interface like this could just as easily be based on some other data type besides a plain string, completely sidestepping issues caused by concatenation. "What on earth are you talking about?" - Let me explain...

He goes on to talk more specifically about SQL injection issues (still first on the OWASP list, after all) and makes a few suggestions for a better API. He points out that much of the problem comes down to little or no education on security-related topics. He also suggests a "SafeSQL" kind of interface, built with something like Haskell's type system, that would help prevent some of these common issues.
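The design idea behind that "SafeSQL" interface, as an added example that is not from the original post or from Hartikainen's code: a query is a value holding SQL text and bound parameters separately, and concatenating a plain string onto it yields a bound parameter, never SQL text. The `SafeSql` class, the sqlite3 table and the constructed input strings are this example's own assumptions; Python stands in for the language-agnostic point.

```python
import sqlite3


class SafeSql:
    """Query value: SQL text and parameters are kept apart.
    `+` with a plain str adds a placeholder and a bound value,
    so caller data can never become part of the SQL text."""

    def __init__(self, sql="", params=()):
        self.sql = sql
        self.params = tuple(params)

    @classmethod
    def raw(cls, sql):
        # Only developer-written literal SQL should enter through here.
        return cls(sql)

    def __add__(self, other):
        if isinstance(other, SafeSql):
            return SafeSql(self.sql + other.sql, self.params + other.params)
        # Anything that is not already SafeSql is data, not SQL.
        return SafeSql(self.sql + "?", self.params + (other,))


def setup_db():
    # Constructed in-memory sample table for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def find_unsafe(db, name):
    # The string-based interface the post argues against: the caller's
    # concatenation lets input be parsed as SQL (kept vulnerable on purpose).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def find_safe(db, name):
    # Same query through the typed interface: `name` is bound, not spliced.
    q = SafeSql.raw("SELECT name FROM users WHERE name = ") + name
    return db.execute(q.sql, q.params).fetchall()


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"  # constructed input that only "works" via concatenation
    print(find_unsafe(db, probe), find_safe(db, probe))
```

Running it shows the string interface returning every row for the probe input while the `SafeSql` interface returns none, because the probe was sent as a parameter value.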


Link: http://codeutopia.net/blog/2013/08/31/library-author-dont-provide-an-exploitable-interface/


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework