
Paragon Initiative:
Everything [About] Preventing Cross-Site Scripting Vulnerabilities in PHP
Jun 17, 2015 @ 12:19:29

The Paragon Initiative has posted a new tutorial that aims to give you everything you need to know about preventing cross-site scripting in PHP applications.

Cross-Site Scripting (abbreviated as XSS) is a class of security vulnerability whereby an attacker manages to use a website to deliver a potentially malicious JavaScript payload to an end user. XSS vulnerabilities are very common in web applications. They're a special case of code injection attack; except where SQL injection, local/remote file inclusion, and OS command injection target the server, XSS exclusively targets the users of a website.

[...] Cross-Site Scripting represents an asymmetry in the security landscape. They're incredibly easy for attackers to exploit, but XSS mitigation can become a rabbit hole of complexity depending on your project's requirements.

He introduces the concept of cross-site scripting (XSS) for those new to the term and provides a brief "mitigation guide" for those who want to jump straight to the end. He then gets into some examples of what an XSS vulnerability can look like, both stored and reflected, and provides the "quick and dirty" method for preventing them (escaping output with htmlspecialchars). He also offers tips on implementing your solution, including avoiding HTML in your data if at all possible. He goes on to talk about using HTML Purifier when user-supplied HTML cannot be avoided, context-sensitive escaping (HTML vs. JavaScript vs. CSS, each of which needs a different encoder) and some of the browser-level features that help protect users from XSS.
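The following is an added example, not code from the Paragon Initiative post: it renders one constructed attacker-controlled value in the four output contexts the post distinguishes (HTML body, HTML attribute, JavaScript string, URL parameter) with the escaping each one needs, next to the vulnerable raw interpolation. The helper names, the sample payload and the target PHP version (7.0 or later, for the scalar type hints) are assumptions of this example.

```php
<?php
// Added example for context-sensitive output escaping in PHP (not the post's own code).

/** HTML body or *quoted* attribute context. ENT_QUOTES also encodes the single
 *  quote, so the value is safe inside value='...' as well as value="..."; an
 *  unquoted attribute is never safe, whatever the encoder. */
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** JavaScript string-literal context inside an inline <script> block.
 *  The JSON_HEX_* flags encode < > & ' " as \uXXXX, so the payload can neither
 *  break out of the string nor close the <script> element with "</script>". */
function e_js(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    // json_encode() returns false on invalid UTF-8; never emit the raw value then.
    return $out === false ? '""' : $out;
}

/** URL query-parameter context (the value of one parameter, not a whole URL). */
function e_url(string $s): string
{
    return rawurlencode($s);
}

/** A user-supplied *whole* URL placed in href/src. Escaping alone does not stop
 *  "javascript:" links, so the scheme is checked against an allow list first. */
function safe_href(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '#';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['', 'http', 'https'], true)) {
        return '#';
    }
    return e_html($url);
}

// Constructed attacker input for the demonstration (this is not real traffic).
$name = '"><script>alert(document.cookie)</script>';
$link = 'javascript:alert(1)';

// Vulnerable: raw interpolation, the shape of a classic reflected XSS.
$vulnerable = '<p>Hello, ' . $name . '</p>';

// Hardened: one encoder per output context.
$safeBody = '<p>Hello, ' . e_html($name) . '</p>';
$safeAttr = '<input type="text" name="name" value="' . e_html($name) . '">';
$safeJs   = '<script>var name = ' . e_js($name) . ';</script>';
$safeUrl  = '<a href="/profile?name=' . e_url($name) . '">profile</a>';
$safeLink = '<a href="' . safe_href($link) . '">your site</a>';

foreach (compact('vulnerable', 'safeBody', 'safeAttr', 'safeJs', 'safeUrl', 'safeLink') as $label => $html) {
    echo str_pad($label, 11), $html, PHP_EOL;
}
```

Running it on the command line shows the vulnerable line carrying a live `<script>` element while every hardened line carries only encoded text; the `safeLink` line degrades the `javascript:` URL to `#`. Note that `e_js` is only for an inline string literal; for the other cases the post mentions (CSS, event-handler attributes) the right answer is usually not to place untrusted data there at all.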

tagged: prevent xss crosssitescripting security prevent vulnerability context browser

Link: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

PHP DebugBar - In-browser Profiling Data for PHP Applications
Aug 13, 2013 @ 12:32:44

There's a handy feature in the Symfony framework that provides a "debug bar" with information about the execution of your application. But what if you don't use Symfony for your development? Enter PHP DebugBar. This tool is easily installable via Composer and has lots of useful features, including:

  • Output of messages to the (Javascript-based) console
  • Viewing exceptions
  • Profiling database requests
  • Showing an execution timeline
  • Outputting the contents of the "request" (like superglobals)

It does all of this independently of any other tool or framework, so it's ready to drop into your application and go. You can find out more about the tool on the main project site or, if you'd like to contribute, you can find the project on GitHub.

tagged: debug browser interface project tool

Link: http://phpdebugbar.com

Trying out PHP Refactoring Browser
Apr 22, 2013 @ 10:03:35

On DZone.com Giorgio Sironi has written up a post about some testing he's done with the "PHP Refactoring Browser" (more on that here) on some basic code examples.

IDE proponents love, in fact, an Integrated Development Environment that provides all the functionalities you need while writing and editing code; the followers of the Unix way typically write code in Vim while augmenting it via plugins where feasible and leveraging external tools that do one thing, and do it well. [...] Automated refactorings in PHP were out of the league of Vim and Unix users; thanks to Qafoo, however, a new open source tool is able to edit code with predefined refactoring recipes: PHP Refactoring Browser.

He goes through some of the basic features and functionality of the browser, setting expectations a bit. He shows how to get it installed (via Composer) and the results of some of his testing. Rather than including them all in the post, he opted to make actual commits on GitHub of the changes so the before-and-after can be read as diffs.

tagged: refactoring browser trial commits github example

Link: http://css.dzone.com/articles/trying-out-php-refactoring

PHP Refactoring Browser Alpha Release
Apr 08, 2013 @ 09:49:33

On the Qafoo blog today the company is introducing a new tool to help PHP developers write better, more maintainable code - the PHP Refactoring Browser (written in PHP too).

Without continuous refactoring, code maintainability and extensibility will start to decrease fast, even if it has tests. Until now, only IDEs contained functionality to perform automated refactorings. And even then, only PHPStorm contains the most important refactorings such as "extract method". Today we release the PHP Refactoring Browser, a refactoring tool written completely in PHP. It is based on several outstanding open-source libraries.

The browser currently supports several refactorings, including extract method, renaming a local variable and converting a local variable to an instance variable. They include some example code and the result of running the tool against it. The output is a color-coded, formatted patch showing exactly what the refactoring would change.

You can find out more about this new tool over on its GitHub repository.

tagged: refactoring browser tool alpha release components

Link: http://qafoo.com/blog/041_refactoring_browser.html

Gareth Heyes:
Bypassing XSS Auditor
Feb 20, 2013 @ 11:21:29

Gareth Heyes has posted about some bypasses that he's found for getting around the XSS Auditor functionality in some browsers:

I had a look at XSS Auditor for a bit of fun because Mario said it’s getting harder to bypass. Hmmm I don’t agree. I seem to remember the same flaws are present from the last time I checked it with a little variation. It is also a very limited XSS filter not supporting detection of script based attacks (very common).

He includes three of his own bypasses - using a "formaction" attribute on the submit input of a form, using "target" to get around the iframe external resource restriction, and injecting a specially placed anchor tag. Each of these comes with a proof-of-concept example, and another bypass is included courtesy of Mario Heiderich.

tagged: bypass xssauditor browser xss protection proofofconcept poc


Code Review Tool
Nov 05, 2012 @ 09:41:16

In a new post to their blog, Qafoo have shared a tool they use for doing code reviews. The tool, simply called "review", lets you run several different metrics on the code, including PHPMD (the PHP "mess detector"), PDepend and PHPCPD (the copy & paste detector).

We, at Qafoo, do Code Reviews quite often together with our customers. This often focuses on discussing metrics, browsing the associated code and discussing solutions for the issues found. We started using a bunch of shell scripts for that, like everyone else, but at some point we came up with a web interface to do this in a more comfortable way. Now we want to share this tool with you.

Included in the post are several screenshots showing the results of the different types of evaluations - the ones mentioned above as well as things like "methods per class", cyclomatic complexity and NPath complexity. There's also a source code browser and a visual class structure (UML) generation tool. It's released under the AGPLv3 license and can be found on their site.

tagged: code review tool metrics browser uml github


How to Use Selenium 2 With PHPUnit
Oct 15, 2012 @ 09:40:01

NetTuts.com has continued their look at testing in PHP applications with a new screencast showing how to combine one of the most popular PHP unit testing tools, PHPUnit, with the Selenium browser automation tool for automated acceptance testing of the application's front end.

In this lesson, we will learn how to work with Selenium 2 directly within PHPUnit. For those unfamiliar, Selenium gives us an easy way to automate the browser. This makes it perfect for writing user acceptance tests.

You can download the source for the files and tests that they use in the demo. You can find links to the other articles in their testing series here (covering things like TDD, basic PHPUnit testing and definitions of some of the most common testing terms).
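As an added example (not the screencast's own code), here is what a PHPUnit test case driving Selenium 2 looks like when the acceptance tests are used to pin down two security behaviours of a web application. It assumes the PHPUnit_Selenium package is installed, a Selenium 2 server is listening on localhost:4444, and a hypothetical application runs at http://localhost:8080 with a login form (fields "username" and "password", form id "login", result element "#status") and a search page that echoes its "q" parameter inside "#query-echo"; those names and URLs are assumptions of this example.

```php
<?php
// Added example: PHPUnit + Selenium 2 acceptance tests for security behaviour
// (not code from the Nettuts+ screencast). Run with: phpunit LoginAcceptanceTest.php

class LoginAcceptanceTest extends PHPUnit_Extensions_Selenium2TestCase
{
    protected function setUp()
    {
        // Selenium server defaults to localhost:4444; browser and app URL are assumed.
        $this->setBrowser('firefox');
        $this->setBrowserUrl('http://localhost:8080');
    }

    public function testWrongPasswordIsRejectedWithGenericMessage()
    {
        $this->url('/login');
        $this->byName('username')->value('alice');
        $this->byName('password')->value('not-the-password');
        $this->byCssSelector('form#login')->submit();

        // The message must not reveal whether the username or the password was wrong.
        $this->assertSame('Invalid username or password', $this->byId('status')->text());
        // Still on the login page: no session was established.
        $this->assertContains('/login', $this->url());
    }

    public function testReflectedSearchInputIsEscaped()
    {
        // Constructed payload; a correct app shows it as text, never as an element.
        $payload = '<img src=x onerror=alert(1)>';
        $this->url('/search?q=' . rawurlencode($payload));

        $this->assertSame($payload, $this->byId('query-echo')->text());
        // No <img> element may have been created from the echoed input.
        $injected = $this->elements($this->using('css selector')->value('#query-echo img'));
        $this->assertCount(0, $injected);
    }
}
```

Asserting on `text()` rather than on page source is deliberate: it checks what the browser actually parsed, so an encoder that only looks right in the HTML but is undone by the browser's own parsing would still fail the test.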

tagged: screencast selenium2 browser testing phpunit tutorial


Henry Hayes' Blog:
Zend Framework UserAgent Browscap Implementation
Jun 20, 2012 @ 10:55:32

Henry Hayes has a recent post to his blog looking at a change to the user agent support in the browser detection functionality of the Zend Framework.

Recently it has come to light that Zend Framework are dropping support for the WurflApi Features Adapter in the Zend_Http_UserAgent component. This is due to licensing issues. As of version 1.12, the Zend_Http_UserAgent_Mobile constant DEFAULT_FEATURES_ADAPTER_CLASSNAME specifies Zend_Http_UserAgent_Features_Adapter_Browscap as the default mobile adapter.

He shows you how to get browscap support set up and configured for your PHP installation, what needs to be done in a pre-1.12 ZF application (using this library) and what needs to be done in a post-1.12 application (almost nothing).

tagged: zendframework browscap browser detection mobile update


Oliver John Tibi's Blog:
Mobile-ize Your CakePHP Application
Dec 20, 2011 @ 09:11:10

In a new post to his blog, Oliver John Tibi has the first part of a series looking at mobile-izing your CakePHP application, making it mobile friendly when a mobile browser is detected.

I'll be writing a short series of posts on how to create a mobile version of your CakePHP app. I've always been bragging to my peers how awesome CakePHP is, and so now I'm writing a short tutorial on how to create a mobile-friendly version of a CakePHP app. I promise to make this as easy as possible.

In this first part of the series he helps you do two things: set up custom routes for the mobile version of the site (under "/m") and add browser detection using the RequestHandler's "isMobile()" method.

tagged: mobile browser detect tutorial series cakephp framework


Lately in PHP podcast episode 17 - PHP 5.4 & PHP-GTK in the Browser
Oct 31, 2011 @ 12:50:53

On PHPClasses.org today they've released the latest episode of their "Lately In PHP" podcast, episode #17. In this new episode Manuel and Ernani talk about running PHP-GTK in a web browser and the proposed PHP 5.4 release date.

PHP 5.4 beta 2 was just released, so the final version of 5.4.0 is coming soon. Many PHP Developers want to know when it will be the final PHP 5.4 release date. Manuel Lemos and Ernani Joppert talk about this and other interesting PHP related topics in episode 17 of the Lately in PHP podcast.

You can listen to this latest episode either through the in-page player, by downloading the full mp3 or by subscribing to their feed to get this and past episodes (including ones about MODX and PHPFog).

tagged: phpgtk browser podcast latelyinphp release date