
Jani Hartikainen:
Library author: Don't provide an exploitable interface
September 02, 2013 @ 11:18:05

Jani Hartikainen has shared a recommendation for library authors out there: don't make your library exploitable. That is, don't make it open by default to common attacks like SQL injection or cross-site scripting.

SQL injection is a pretty big deal. Its cousin shell injection is also a common issue, demonstrated quite well by a recent post to the PHP reddit. Although some suspect it was a troll, I heard echoes from a variety of people who had seen pretty much exactly the same vulnerability in production.

This got me thinking: People writing libraries for doing things like shell commands, SQL, etc., don't actually have to provide an interface that can be easily misused. An interface like this could just as easily be based on some other data type besides a plain string, completely sidestepping issues caused by concatenation. "What on earth are you talking about?" - Let me explain...

He goes on to talk more specifically about SQL injection issues (it is still first on the OWASP list, after all) and makes a few suggestions for a better API. He points out that a lot of it comes down to little or no education on security-related topics. He also suggests a "SafeSQL" kind of interface, built with something like Haskell's type system, that would help prevent some of these common issues.


Link: http://codeutopia.net/blog/2013/08/31/library-author-dont-provide-an-exploitable-interface/
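An added example (not code from Jani's post or from PHPDeveloper.org), written in Python rather than PHP or Haskell, of the "SafeSQL"-style interface the post describes: the library accepts only an `Sql` value type, so runtime values can enter a query solely as bound parameters, while the plain-string interface beside it stays open to injection. The `Sql`, `raw` and `param` names and the in-memory `users` table are assumptions made for this example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Sql:
    """A query fragment: SQL text written by the developer plus bound values.
    A plain str is deliberately not accepted anywhere, so there is no way to
    concatenate user input into the SQL text."""
    text: str
    params: tuple = ()

    def __add__(self, other):
        if not isinstance(other, Sql):
            raise TypeError("only Sql fragments combine; wrap values with param()")
        return Sql(self.text + other.text, self.params + other.params)


def raw(text: str) -> Sql:
    """SQL text that appears literally in source code (trusted by construction)."""
    return Sql(text)


def param(value) -> Sql:
    """Any runtime value becomes a '?' placeholder and a bound parameter."""
    return Sql("?", (value,))


def run(conn, query: Sql):
    """The only execution entry point: refuses anything that is not an Sql."""
    if not isinstance(query, Sql):
        raise TypeError("queries must be Sql values, not strings")
    return conn.execute(query.text, query.params).fetchall()


def make_db():
    # constructed sample data for the demonstration (assumption)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_string_api(conn, username):
    # The exploitable interface: the library takes a plain string, so callers
    # concatenate and a quote in the input changes the query's meaning.
    return conn.execute("SELECT name FROM users WHERE name = '" + username + "'").fetchall()


def find_user_typed_api(conn, username):
    # The typed interface: the same query, but the value can only be a parameter.
    return run(conn, raw("SELECT name FROM users WHERE name = ") + param(username))
```

With the classic `x' OR '1'='1` input the string API returns every row, the typed API returns none, and handing `run()` a raw string or adding a string to an `Sql` raises `TypeError` before anything reaches the database.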





All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework