News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Anthony Ferrara:
Preventing CSRF Attacks
February 20, 2013 @ 09:36:41

Anthony Ferrara has written up a new post to his site looking at efective use of CSRF tokens and a few different strategies for generating them.

There's been a bit of noise in the past week about the proper way to prevent Cross-Site-Request-Forgery (CSRF) attacks. It seemed to have started with this post. There's been discussion in the comments, and on Twitter about it, and there seems to be several opposing viewpoints on the matter. I want to start off by saying that I agree completely with the post in question. But I figured I'd write a post to explain WHY I agree with it.

He starts with an overview of a few of the common types of request forgery including from a javascript injection, a Man-in-the-Middle attack and a replay attack. He then breaks up the "lines of defense" part of the post into three different sections - adding a hidden token field to forms, changing the token for each request and using random numbers when regenrating them.

0 comments voice your opinion now!
csrf attack prevention overview token generation tutorial


Infosec Institute:
SQL Injection through HTTP Headers
April 04, 2012 @ 10:17:08

While not specific to PHP, security is something that all developers need to think about in their applications. To that end, the Infosec Institute has published this guide to helping you prevent SQL injection attacks that could come in via the HTTP headers of requests to your site.

During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique inputs vectors ever. What about other HTTP header parameters? Aren't they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters and which vulnerability scanners to use in order to avoid leaving vulnerabilities undiscovered in parts of the application?

They start by describing the different kinds of headers that the attacks could come in on - GET, POST, cookies and the other HTTP headers. According to some results, the HTTP headers option is the least protected in most common applications. He includes some good examples of headers that might contain malicious data such as:

  • X-Forwarded-For
  • User-agent
  • Referer

Techniques are also included showing you tools and methods to help test your own applications including some in-browser tools and external applications (like Sqlmap, Nessus, WebInspect, SkipFish and Wapiti) with some average scores from running them on various coverage scores.

0 comments voice your opinion now!
sql injection http headers security prevention scanner


PHPClasses.org:
Lately in PHP Podcast Episode 21 - Is PHP Source Quality Really Good?
March 01, 2012 @ 10:17:08

On PHPClasses.org today they've posted their latest "Lately in PHP" podcast - episode 21, "Is PHP Source Quality really Good or is it still Insecure?".

A study from Coverity claims that the source code of Open Source projects such as PHP has a low defect rate. Meanwhile, a few weeks ago, the security expert Stefan Esser claims that PHP source security bug prevention has a lot to be desired because PHP core developers do not have the habit of using source code auditing tools to prevent security bugs. The matter of the PHP source code quality and security bug prevention was one of the main topics discussed by Manuel Lemos and Ernani Joppert in episode 21 of the Lately in PHP podcast.

You can listen to this latest episode either via the in-page player or by downloading the mp3 directly. You can also subscribe to their feed to get this episode automatically (and past/future ones too).

0 comments voice your opinion now!
latelyinphp podcast code quality language secure bug prevention


Dave Marshall's Blog:
Defending against Cache Stampedes
January 13, 2012 @ 13:13:08

Dave Marshall has a new post to his blog showing one method for defending against cache stampedes from assaulting your caching servers and (possibly) bringing them down.

I've recently had a problem with a rather large operation (that could probably be optimised considerably, but nevermind), where by if the cached result of the operation expired, several web server threads would attempt the operation, causing some major headaches for our database and web servers. This is something I've come across before, and is commonly(?) known as a Cache Stampede. This is bad, this post describes the basics of what I've done to deal with it.

His example uses a Zend_Cache interface to Memecache, but it could be applied in other places too. His method uses a binary semaphore to check and see if there's a "lock" and sleep for a bit before checking again. Sample code is included showing how to create this system and how to refresh the data with a new expiration on a cache miss.

0 comments voice your opinion now!
cache stampede zendcache tutorial binary semaphore miss prevention


Dublish.com:
Captcha - Spam preventing images
May 31, 2006 @ 14:24:30

When it comes to limiting the spam that comes through on your site (usually on the open comments), a CAPTCHA can do some of the best work. It provides a good alternative to convoluted techniques for restricting the commenting system of your site, and does it in a simple, easy for a human to use, kind of system. Implementing them, however, can be a bit tricky, so this new article on Dublish.com is here to help.

Captcha is the name for the images with random letters and some distortion that appears on each and every forum these days and even here on dublish. The purpose is to prevent the sites from spam.

Now I'm going to show you how to do this random picture generator in PHP. I assume that you have some basic PHP skillz before doing this. Before you start you need the GD library that allows you to create graphics in php.

The article steps you through the creation of the single-script functionality to generate the image. It's an image with a series of random characters on a gradient background created with the GD libraries. The code used in the CAPTCHA is stored in a session variable for validation later. He adds a few graphical touches to make it look a bit nicer, and finishes off with an example of its use.

1 comment voice your opinion now!
captcha tutorial spam prevention gd graphics captcha tutorial spam prevention gd graphics



Community Events





Don't see your event here?
Let us know!


language library deployment laravel tips zendserver podcast symfony list interview package framework community release api opinion series introduction update install

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework