DevShed:
Securing Your Web Application Against Attacks
October 21, 2008 @ 08:47:32

DevShed continues their series focusing on the security of your web application in this fifth part of the series. This time they look at preventing attacks on your app via correct authentication.

You will probably recall from the last article that I mentioned the existence of two methods of authentication and discussed the first one, which is through an HTML form. In this article, the fifth one in an eight-part series, we'll start with the second method of authentication. We'll also discuss how attackers may gain access to your system.

This authentication method uses a simple form to let the user pass in their credentials. Unfortunately, because of its simplicity, this also opens it up to three kinds of attacks - password sniffing, replay attacks and brute force attacks.

secure application tutorial html form login password sniff brute force



Pierre-Alain Joye's Blog:
Windows fixes release for Zip, fopen(,"rb") may not be binary safe
November 28, 2006 @ 07:13:09

A new release of the Zip PECL package has been made according to this post on Pierre-Alain Joye's blog today. The main update in this release is to counteract a Windows bug that's interfering with binary file opens.

The issue is actually a Windows bug. No matter if I give or not the "b" flag to fopen, the write operations are not binary safe. It seems to be a known issue as many projects use the same trick.

The problem comes up when PHP forces the binary mode in SAPI and CLI, making the binary writes to a file non-binary safe no matter what. Pierre is also asking for help from anyone out there with any information/bug reports/references about this issue that would yield something useful.

fopen binary safe windows force mode bug sapi cli


Leendert Brouwer's Blog:
Writing Secure Web Applications with PHP
October 18, 2006 @ 13:55:13

The more PHP the better. Or, is it? Would it perhaps take some deeper PHP knowledge to develop real world web applications with it? Or maybe having a good sense about web application security is actually needed? Maybe!

So starts Leendert Brouwer's latest post today - a look at creating secure web applications in PHP. He covers some of the more common pitfalls and seldom mentioned issues that could cause you and your script big headaches later on.

He breaks up the post into fourteen different sections that include:

  • The Evil User
  • XSS Attacks
  • Dynamic File Inclusion Attacks
  • Incorrect Session Usage
  • Filesystem corruption

Of course, there's code where it's needed, and plenty of explanation and examples to make sure you know what's going on. There's also a "just to be sure" section at the end that shares a few other parting bits of wisdom - database permissions, the importance of backups, and a note to do just what your mom always told you to do - clean up your (development) mess when you're through.

secure web application section injection xss variable brute force session



All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework