News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Code Yellow Blog:
What Your Framework Never Told You About SQL Injection Protection
May 23, 2014 @ 13:51:20

The Code Yellow site has recently posted an article pointing out an issue that's all too common in PHP frameworks, more specifically those that bundle some kind of ORM into their functionality. They wonder if your framework is telling you everything about what they're doing to prevent SQL injection.

We've discovered that SQL injection is to this day not a fully solved problem, even in most popular frameworks. In this post, we'll explain how these frameworks fail at escaping parts of a query, culminating in the discovery of a critical vulnerability in the popular Laravel framework which affects a large percentage of applications.

He starts with an illustration using the FuelPHP framework and the protection it offers from garden variety SQL injection attempts. Unfortunately, things start to break down when it gets much past this typical case. They found this same issue to be a wide-spread problem in many PHP frameworks and tools including the Laravel, CodeIgniter and CakePHP frameworks, each with their own ORMs. He also talks about issues with blacklisting and whitelisting and how, sadly, most of the frameworks just don't support it for model data filtering. There's a mention of some of the work they've done to help try and fix the issue (including patches and contacting authors) and some recommendations of how to correctly quote identifiers in SQL statements.

0 comments voice your opinion now!
sqlinjection framework whitelist blacklist identifiers escape prepared statements

Link: http://www.codeyellow.nl/identifier-sqli.html

Dougal Campbell:
mysql vs mysqli in WordPress
March 07, 2014 @ 10:59:52

In his latest post Dougal Campbell shares his findings from a bug he was having with a plugin in WordPress. It revolved around the use of mysql or mysqli and errors being thrown to his logs.

The plugin had previously worked fine (it generates a sidebar widget), and I wasn't actively working on my site, so I wasn't really sure when it had quit working. In the course of debugging the problem, I discovered that the plugin was throwing warnings in my PHP error log regarding the mysql_real_escape_string() function. As a quick fix, I simply replaced all of those calls with WordPress' esc_sql() function. Voila, problem fixed.

He was interested in why this worked, though, and went digging in the code. As it turns out, the WordPress code tries to determine which mysql extension you have support for. As it turns out, his installation fit the "mysqli profile" so the "mysql_real_escape_string" wasn't available. To the WordPress users out there, he suggests esc_sql or $wpdb->prepare() instead.

0 comments voice your opinion now!
mysql mysqli wordpress escape string extmysql

Link: http://dougal.gunters.org/blog/2014/03/06/mysql-vs-mysqli-wordpress

Pádraic Brady's Blog:
Automatic Output Escaping In PHP & The Real Future Of Preventing XSS
June 18, 2012 @ 11:58:22

Pádraic Brady has a new post to his blog about the state of output escaping in PHP and the steps that need to be taken to help prevent and protect applications from the real threat of cross-site scripting.

Automatic escaping has a certain appeal given its goal of removing the need to type escape() all over your templates. Funny thing, though, is that this is basically its one and only advantage. The second claimed goal is to remove a factor of human error (i.e. forgetting to type escape() somewhere), however, this hasn't posed an issue for me in the past where simple analysis of templates can quickly locate such omissions. And no, using automatic escaping does not remove the need to analyse templates for security issues - that's still needed regardless.

He goes on to define what "automatic escaping" is and isn't and how it relates to the context of the information (the same data may not always be filtered the same way in every place). He talks about scope-limited escaping, context-aware escaping and an idea that could help make life easier - a content security policy defining how the client should behave when interpreting HTML.

0 comments voice your opinion now!
escape automatic xss crosssitescripting security content policy


Working Software Blog:
Escaping single and double quotes for use with XPath queries in PHP
August 19, 2011 @ 13:50:14

On the Working Software blog there's a new post showing a solution to a issue with escaping quotes in XPath queries that's not just an issue in PHP.

I've been working with the Basecamp API to plugin our IRC bot that we use for time tracking and I'm astounded to learn that escaping single and/or double quotes for XPath queries in PHP does not have a well documented, best practices solution. In fact, it seems as though this is not peculiar to PHP. I took a look around and found this excellent article by "Kushal": http://kushalm.com/the-perils-of-xpath-expressions-specifically-escaping-quotes.

He's put together his own (PHP) solution to the problem - running the entire XPath query through a filtering method that splits it up, replaces the quote characters and combines it back down to a single string.

0 comments voice your opinion now!
escape quote double single xpath query tutorial


Alan Skorkin's Blog:
How To Fix The WP-Syntax Special Character Escaping Issue
March 11, 2010 @ 09:15:21

Alan Skorkin has a recent post to his blog about a trouble that many WordPress users have come across in working with their content and the WP-Syntax plugin (for displaying code) - a special character escaping bug that escapes characters that don't need it.

Suffice to say, [WP-Syntax] does the job fine except for one very annoying issue. Whenever you have any kind of special characters in your code (which you inevitably do e.g. <, >, & etc.), these always render as their escaped representations.

It only happens with the WYSIWYG editor for writing content (which the tool's FAQ recommends turning off) but there's a better solution that Alan found - change a line of code in the plugin to use the htmlspecialchars_decode function to rid your install of this pesky escaping bug.

0 comments voice your opinion now!
wpsyntax wordpress special character escape


PHPBuilder.com:
Mitigate the Security Risks of PHP System Command Execution
January 29, 2010 @ 09:47:19

PHPBuilder.com has a new article from Jason Gilmore on security in command-line applications posted today and what you can do to help protect your scripts from unwanted system command access.

In this tutorial, I'll show you how to securely execute a variety of system-based commands via a PHP script, demonstrating how to build web applications that can tightly integrate with both the operating system and third-party software.

He mentions the proper filtering of input strings (user input), how it can protect your and your application as well as a few examples of using the PHP execution functions (like exec or passthru) and how to apply the shell escaping commands (like escapeshellarg) as a first layer of security.

0 comments voice your opinion now!
system command execution security escape filter


Lorna Mitchell's Blog:
Stopping CodeIgniter from Escaping SQL
January 28, 2010 @ 13:39:45

In a project she's been working on Lorna Mitchell was frustrated with something the CodeIgniter framework does natively - escape SQL statements done through the databaase layer's "select()" method. Thankfully, there was a simple fix to turn this behavior off.

I've been getting increasingly impatient with its tendency to try to escape my SQL code for me - this is a really useful default feature but it seems to assume I don't know what I'm doing and so it puts backticks all over perfectly acceptable SQL code, very annoying!

Thanks to a reply on twitter from damiangostomski to her frustrations she found the optional second parameter you can give the "select()" method, a boolean that tells it whether or not to escape the query (it's mentioned here) for those that were wondering.

2 comments voice your opinion now!
codeigniter escape sql optional parameter


Keith Casey's Blog:
The First Rule for Software Development
May 05, 2009 @ 10:25:25

Keith Casey has a suggestion for budding (PHP) developers out there looking to jump head first into their first project: "Don't trust the users."

Recently I taught a class of bright-eyed, bushy-tailed PHP'ers just getting their start in the world. They haven't done their first production application and we were working in the "safe" confines of a classroom, but there was one concept that I pounded into their heads: Don't Trust the Users.

Generally, as Keith mentions, users aren't malicious/incompetent/ignorant 99 percent of the time, but there's always that off chance that they are and you need to protect you and your application from it by filtering input and escaping all output to prevent any mishaps.

0 comments voice your opinion now!
xss filter input escape output software development trust user


NETTUTS.com:
Are You Making These 10 PHP Mistakes?
February 04, 2009 @ 09:33:51

All of you developers out there, NETTUTS.com has a question for you - are you making any of these ten PHP mistakes in your day to day development? Which ones, you ask? Read on...

Here are 10 PHP mistakes that any programmer, regardless of skill level, might make at any given time. Some of the mistakes are very basic, but trip up even the best PHP programmer. Other mistakes are hard to spot (even with strict error reporting). But all of these mistakes have one thing in common: They're easy to avoid.

Here's the list (as Glen Stanberry sees it):

  • Single quotes, double quotes
  • Semicolon after a While
  • NOT Using database caching
  • Missing Semicolon After a Break or a Continue
  • Not Using E_ALL Reporting
  • Not Setting Time Limits On PHP Scripts
  • Not Protecting Session ID's
  • Not Validating Cookie Data
  • Not Escaping Entities
  • Using Wrong Comparison Operators
0 comments voice your opinion now!
mistakes list common quotes semicolon error session cookie escape


Mark Kimsal's Blog:
Addslashes() don't call it a comeback
June 12, 2008 @ 13:36:20

As Michael Kimsal points out, there's a new posting on his brother Mark's blog talking about alternatives to addslashes() in your applications.

I've seen a lot of people talking about mysql_real_escape_string() vs addslashes() vs addcslashes(). There seems to be a lot of real confusion about what these functions do (even with the php.net manual around), especially when it comes to character sets. [...] So, I've decided to lay it all out in a few charts so there is no confusion about what each function does and how each can help protect against SQL injection attacks.

He ran some tests based on what the function does to see if it helps with certain things like "escapes with single quotes instead of backslash" and "prevents multi-byte attacks". He compares the speed and testability of the functions as well as provides a multi-byte breakdown oh how the mysql_real_escape_string function works with different character sets.

0 comments voice your opinion now!
addslashes compare escape string mysql addcslashes multibyte



Community Events





Don't see your event here?
Let us know!


framework project library developer release wordpress podcast series api list application laravel language bugfix threedevsandamaybe community code interview configure introduction

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework