DZone.com:
Hardening PHP: SQL injection - Complete walkthrough
Aug 12, 2011 @ 14:20:13

On DZone.com today there's a new post from Krzysztof Kotowicz sharing a presentation of his about protecting your application from SQL injection.

The materials teach how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas and caveats are included. I discuss why escaping is usually the wrong choice, which practices to avoid or follow and how stored procedures sometimes offer no protection at all.

The presentation (as posted to Slideshare) starts with some of the basics - what SQL injection is and an example of how it could be used to bypass security. He covers how to use prepared statements in each of the technologies (with code snippets), methods for escaping data and how to create stored procedures that are protected from the same threats.

tagged: harden application sqlinjection pdo doctrine zendframework mdb2 presentation

Link:

DZone.com:
Hardening PHP: How to securely include remote code (part 1)
Jun 10, 2011 @ 15:28:26

On the PHP on Windows blog from DZone.com Krzysztof Kotowicz has a new post - part one in a series on securing your PHP application - a look at securely including remote code from a source outside of your application.

First post of the series discussing various methods of including remote PHP code in your application - from a security standpoint. In this post we discuss the history of remote code execution vulnerabilities in PHP apps and ways to prevent them. We finish off by presenting an insecure method of including remote code and describe what the problem with that method is.

He looks at the insecurity of a standard include/require, the allow_url_include php.ini setting and the issues with using hardcoded locations (like incorrect DNS records pointing to the wrong host).

tagged: harden application include remote code security

Link:

PHPFreaks.com:
Hardening PHP with Suhosin
May 28, 2008 @ 13:47:22

PHPFreaks.com has a new tutorial posted that looks to help you protect yourself and your application with an even greater level of security by using the Suhosin patch.

Suhosin is a great and simple way of increasing your security without having a large impact on overall performance. In this tutorial I will cover the installation and configuration of Suhosin on both Debian Etch and CentOS 5. I may cover mod_security in a later tutorial.

They apt-get the packages needed for the patch in examples for two different distributions - Debian (Etch) and CentOS. They also show how to set up some basic configuration to get the patch installed and working with your PHP installation.

tagged: harden patch suhosin install tutorial debian centos

Link:

Lars Strojny's Blog:
Security "to go"?
May 21, 2008 @ 17:53:55

In this new post to his blog today, Lars Strojny looks to clear up some of the confusion that might be forming around the term "intrusion detection", more specifically, related to projects like PHP-IDS.

PHP-IDS is an intrusion detection tool on the application level. Application firewalls know about a certain protocol and its structure (e.g. HTTP) and inspect the protocol to detect attack patterns. Some of them are even capable of learning from usual request signatures and enforcing rules based on the learned data. There are various commercial products to achieve application firewalling. PHP-IDS does the same for free and sits directly on the web server in the scope of the application.

He recommends it as a good supplement to the hardening you've already done for your server (you have hardened it, haven't you?) to help keep you and your data safe from prying eyes.

tagged: security application level phpids protect harden

Link:

HowTo Forge:
How To Harden PHP5 With Suhosin On Fedora 7
Jul 27, 2007 @ 13:49:00

The HowTo Forge site has a new tutorial posted today for Fedora 7 users looking to keep their PHP installations a bit safer by installing the Suhosin patch from the Hardened-PHP Project.

I will install both Suhosin parts in this tutorial, the Suhosin patch (for which we need to recompile PHP5) and the Suhosin PHP extension. To see what Suhosin can do, please refer to http://www.hardened-php.net/suhosin/a_feature_list.html. The features of the Suhosin patch are listed under Engine Protection (only with patch); all the other features come with the Suhosin extension.

It's (technically) a three-step process, but there are lots of smaller steps under each one. There are also some screenshots of a phpinfo() page to show the results of each of the steps.

tagged: php5 harden suhosin patch fedora install tutorial

Link:
