Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Paul Reinheimer's Blog:
The Danger of Hooks
Jan 12, 2012 @ 15:12:18

Paul Reinheimer has a recent post to his blog talking about the danger of "hooks" in your development - the functionality several frameworks and other tools come with to allow you to add functionality to the core without having to change the main source.

I ran into hooks rather simultaneously with two very different frameworks: Code Igniter and Lithium. In both cases I was using a rather nifty hook to handle ensuring that users were properly authenticated and authorized before accessing a page. [...] One day, while messing around, I accidentally turned off the hook configuration within Code Igniter (actually I clobbered a file, and restored the wrong one). Then, things came crashing down in a horrible cacophony of... actually they didn't. Everything kept working: that was the problem.

He shows two solutions he came up with to be sure that his hooks were executed - one for Lithium and the other for CodeIgniter. The Lithium one uses a "_remap" method and the CodeIgniter example uses the magic "__invoke" method to check for an "AUTH_CHECKED" constant that's only defined as a part of his hooks.

I'm no longer entirely dependent on one configuration option or file for my security to function. Should it fail, I've got a secondary check in place; this example of defence in depth allows me to be comfortable with the hooks security system once more.
tagged: danger hook framework codeigniter lithium failure

Link:

Giorgio Sironi's Blog:
The dangers of Late Static Bindings
Apr 14, 2010 @ 12:06:41

Giorgio Sironi has a new post that warns you of the dangers that could come from the use of a technology just recently introduced to PHP - late static binding.

There's a lot of (justified) excitement about PHP 5.3 new features, such as the support of namespaces and anonymous functions. Though, some glittering capabilities of the language are definitely not gold: the goto statement is probably the most debated example, but also the long-awaited Late Static Bindings support is an hammer which may hurt your fingers...

He talks about how two of the characteristics of late static binding - the fact that it involves something being static and that there's a sort of hierarchy involved. He gives a code example of how it could be used and notes that static functions should be used sparingly since they are a more procedural way of doing things.

The post also includes a good example - an abstract Factory method - and a bad example - Active Record that doesn't evolve towards a Repository pattern being used.

tagged: latestaticbinding danger procedural static hierarchy

Link:

PHP Discovery Blog:
Dangers of Remote Execution
Nov 21, 2007 @ 19:48:00

On the PHP Discovery blog, there's a new post reminding PHP developers of some of the more dangerous ways that remote execution could effect your site and some of the common entry points it can have.

PHP has numerous ways to execute raw PHP code unless you the programmer stops it. Best way in preventing these methods is making sure you check the input of what your users are inputting, and making sure you escape all malicious actions that a hacker,cracker, kiddy scripter might want to do to your website.

He summarizes four of the things from the Pro PHP Security book from Apress (by Chris Snyder and Michael Southwell) that can leave holes in you application for would-be explots - preg_replace, shell_exec/exec, eval (which we all know is only one letter from "evil" anyway) and require/include.

tagged: danger remote execution pregreplace include eval shellexec exec require danger remote execution pregreplace include eval shellexec exec require

Link:

PHP Discovery Blog:
Dangers of Remote Execution
Nov 21, 2007 @ 19:48:00

On the PHP Discovery blog, there's a new post reminding PHP developers of some of the more dangerous ways that remote execution could effect your site and some of the common entry points it can have.

PHP has numerous ways to execute raw PHP code unless you the programmer stops it. Best way in preventing these methods is making sure you check the input of what your users are inputting, and making sure you escape all malicious actions that a hacker,cracker, kiddy scripter might want to do to your website.

He summarizes four of the things from the Pro PHP Security book from Apress (by Chris Snyder and Michael Southwell) that can leave holes in you application for would-be explots - preg_replace, shell_exec/exec, eval (which we all know is only one letter from "evil" anyway) and require/include.

tagged: danger remote execution pregreplace include eval shellexec exec require danger remote execution pregreplace include eval shellexec exec require

Link:




Trending Topics: