Gonzalo Ayuso's Blog:
How to protect from SQL Injection with PHP
Feb 08, 2012 @ 08:07:05

In a recent post to his blog, Gonzalo Ayuso shares a few tips on preventing SQL injection attacks on your applications.

Security is a part of our work as developers. We need to ensure our applications against malicious attacks. SQL Injection is one of the most common possible attacks. Basically SQL Injection is one kind of attack that happens when someone injects SQL statements in our application. You can find a lot of info about SQL Injection attack. Basically you need to follow the security golden rule: "Filter input, Escape output".

He advocates the use of the PDO abstraction layer to avoid many of these issues. Its prepared statements keep user input separate from the SQL statement itself, which stops attacks that simply adding slashes to user input wouldn't prevent. He also includes a reminder about database permissions - granting only certain users the ability to, for example, delete adds one more layer of security (in other words, don't connect as a "super user" in production).

tagged: sql injection pdo protect database permissions tutorial

NetTuts.com:
Wrangling with the Facebook Graph API
Dec 02, 2011 @ 13:37:09

On the NetTuts.com site today they have a (very complete) guide to help you wrangle the Facebook Graph API and make it useful for your application. It makes use of the official Facebook PHP SDK to interface with the Graph API.

Have you ever wanted to learn how to make your applications more social with Facebook? It’s much easier than you think! In this tutorial, we’ll be building an application that reads and publishes data to and from Facebook using Facebook’s Graph API.

The tutorial helps you get signed up on the Facebook developer site, create a first sample application, set up the SDK and make a simple page (with the added bonus of using Twitter Bootstrap for the look and feel). There's a section covering permissions and what kind of data you can expect to be public for both users and posts. They wrap it up with an example of posting back to Facebook through the API and updating the status on your account. The complete code for the tutorial is also available for download.

tagged: facebook graph api tutorial sdk permissions

DevShed:
File Security and Resources with PHP
Nov 23, 2011 @ 16:23:27

In the fourth part of their series looking at working with the filesystem in PHP, DevShed has posted a new tutorial focusing on security and permission handling for files/resources.

These days, security is paramount to any server installation, large or small. Most modern operating systems have embraced the concept of the separation of file rights via a user/group ownership paradigm, which, when properly configured, offers a wonderfully convenient and powerful means for securing data. In this section, you'll learn how to use PHP's built-in functionality to review and manage these permissions.

They introduce functions like:

Sample code is also included to show how to open and close a file.

tagged: file security resource permissions function tutorial

NETTUTS.com:
How to Use CakePHP's Access Control Lists
Jul 30, 2010 @ 15:13:20

On NETTUTS.com today there's a new detailed tutorial on how to use the access control list functionality that comes with the CakePHP framework.

If you're building a CMS, you'll probably need different user roles (superusers, admins, users) with different permission levels. Too complicated to code? Enter CakePHP's ACL (Access Control Lists). With the right setup, you'll be checking user permissions with just one line.

They explain what "access control lists" are and then show you a worked example, including the database tables and the full scripts for the Users controller, a model to hook into the database and the view for output to the user. They include methods for denying access, checking permissions, and modifying a user's permissions.

tagged: cakephp framework acl accesscontrollist permissions

Brandon Savage's Blog:
Controlling Access: Zend_Navigation and Zend_Acl
Apr 02, 2010 @ 08:59:55

In the next part of his Zend_Navigation series Brandon Savage takes a look at integrating it with Zend_Acl to add permissions/roles into the mix, showing certain things for certain users.

What happens when you have special areas of your site, say for subscribers or administrators? Controlling access is something that all web developers must do at some point. This is where integration between Zend_Navigation and Zend_Acl comes in.

He shows how to set up the access control rules for an "Admin" section in an example navigation array. It uses the "resource" and "privilege" attributes to define the resource and role that have access to that navigation item. Then a "setAcl" call pulls that information in, and two lines of code output the navigation.

tagged: zendnavigation zendacl permissions access

Justin's Blog:
How to secure your wordpress blog - part 2
Apr 15, 2009 @ 11:19:47

Justin had written up a previous article with a few quick ways to secure your WordPress blog and he's come back with a few more helpful hints on how to keep you and your blog safe.

The following is a list of some additional changes that you can make to improve the security of your WordPress installation (back up wp-config.php and your db tables before trying the following).

Here's his new list of recommendations:

  • Change the default table prefix
  • Install WP-Scanner
  • Change permissions on the WordPress files so they are only writable by you and root

tagged: secure wordpress blog table prefix permissions wpscanner

Nessa's Blog:
Working with Permissions in PHP
Dec 24, 2007 @ 09:22:00

On her blog Nessa has a brief look at working with permissions with PHP via three functions - chown, chgrp and chmod.

PHP uses the same command as *nix systems when dealing with changing permissions for files. These commands are particularly useful in situations where PHP runs as a different user on the system, which is common when PHP is compiled as an Apache user.

She includes a basic syntax for each of them and how one (chmod) could be used in an example of file creation.

tagged: permissions chmod chgrp chown function file

Rob Thompson's Blog:
PHP and Solaris - getcwd() Behavior
Nov 12, 2007 @ 13:47:00

Rob Thompson passed along some information that PHP users running on Solaris might want to check out - the slightly buggy behavior of the PHP getcwd function on the platform.

Many functions within the PHP codebase relied upon a universally working getcwd() [C] call to expand paths and to find out where a script is being executed. In particular, Solaris does not assume that getcwd() is a privilege that should be granted to users in directories that don't have 'r' (read) permission, even if it has 'x' (execute) permissions. [...] Under Linux, getcwd() behaves normally but under Solaris, getcwd() does not work with the --x restrictive permissions.

He does note, happily, that this issue is cleared up by upgrading to PHP 5.2.5, which he recommends doing as soon as possible. He includes code snippets in the post so you can test your installation for the problem too.

tagged: solaris getcwd behavior update php5 permissions
