Paragon Initiative:
Securing a PHP Application in 2016: The Pocket Guide
Jul 11, 2016 @ 17:45:11

The Paragon Initiative has posted a new tutorial giving you a pocket guide version to securing your PHP application in 2016.

Please set aside most of what you've heard over the years; chances are, most of it just muddies the water. Security is not a product. Security is not a checklist. Security is not an absolute.

Security is a process. Security is an emergent property of a mature mindset in the face of risk.

Perfect security is not possible, but attackers do have budgets. If you raise the cost of attacking a system (your application or the networking infrastructure it depends on) so high that the entities that would be interested in defeating your security are incredibly unlikely to succeed, you'll be incredibly unlikely to be compromised.

The post talks about the "essence of security" and how most prevention methods don't even add much processing overhead or overall development time. He makes four recommendations of things to do in current and future development to help secure your applications:

  • Use PHP 7 in All New Development
  • Use HTTPS Everywhere
  • Use Security Headers
  • Use Trustworthy Reference Material

The post ends with a few other things to think about when building secure applications including raising the "cost" of attacking your system and keeping in mind that your platform may not be the attacker's "end game".

tagged: paragoninitiative secure application pocket guide top4 php7 https headers references

Link: https://paragonie.com/blog/2016/07/securing-php-application-in-2016-pocket-guide

Johannes Schlüter:
More on references
Feb 23, 2016 @ 16:48:31

Johannes Schlüter has continued his series of posts with this second part looking more at reference handling in PHP (how they're handled "behind the scenes" that is).

In a few different places I saw comments about my last blog post about references and performance where commentators noted that my example was pointless. Which of course is true and to some degree the point.

I read a lot of PHP code and from time to time I see people with a non-PHP background (or otherwise influenced) putting references everywhere they pass arrays or such in order to prevent copies. I knew this was a bad practice in PHP 5 and wanted to verify this in PHP 7.

In the post he talks about passing references to methods and how it can lead to less clarity in the resulting code. He also considers the situation where you don't actually want to modify the variable passed in, which forces you to make copies anyway (losing any performance gain). He suggests that references should only be used when you know exactly how the value will be used in the method, not casually or just for performance reasons.

tagged: references php5 clear code php7 copy

Link: http://schlueters.de/blog/archives/181-More-on-references.html

Anthony Ferrara:
Programming With Anthony - References
Dec 06, 2012 @ 16:54:36

Anthony Ferrara has posted the third video in his series on programming over on YouTube. In this new episode, he talks about variable and object references (and the differences between them).

The two other video tutorials he's posted are:

If you like the videos, leave him feedback on what you'd like to see in future videos.

tagged: video tutorial programming references youtube

Link:

Volker Dusch's Blog:
References suck! - Let's fix MySqli prepared statements!
Jun 14, 2011 @ 16:46:55

Volker Dusch has a new post to his blog looking at the use of references in PHP (or lack thereof) and what we, as end users of the language, can do about it. His example looks at mysqli prepared statements.

Even so, not every PHP developer knows WHY we don't use references; pretty much every core function and every somewhat modern framework avoids them, so people adopted this best practice. The leftovers in the PHP core, like sort() or str_replace(), are exceptions to the rule. So if the common consensus is, or at least 'should be', that we should not use references, then maybe we should start looking for places where they hurt and how we could fix them?

He talks about prepared statements and one thing he sees that makes it a "hard sell" to developers needing a good way to query their databases. He points out the difference in code required between the normal MySQL calls and mysqli (hint: it's more) and shows how to use an abstraction layer to make things a bit easier. He points out the downfalls of using this approach, mainly the performance hit you get (from using his fetchAll method).

tagged: references mysqli prepared statement performance abstraction

Link:

Derick Rethans' Blog:
Collecting Garbage: Cleaning Up
Sep 07, 2010 @ 14:56:25

Derick Rethans has continued his series on garbage collection in the PHP internals with this second post of the series with a special look at circular references. You can find the first part here.

In this second part of the three part column on the new garbage collecting mechanism in PHP 5.3, we'll dive into a solution to the problem with circular references. If we look quickly back, we found that by using code like the [first example], an in-request memory leak is created.

He goes on to briefly describe the synchronous algorithm (including a few more helpful graphs to show the flow) and how that has worked its way into the PHP garbage collection methods. He also points out that this collection can be turned off and on via the gc_enable and gc_disable functions. Keep an eye out for the next part of the series where he gets into more detail on how this is all integrated into PHP.

tagged: garbage collection article phparchitect circular references

Link:

Johannes Schluter's Blog:
References and foreach
Aug 20, 2010 @ 17:44:35

To reinforce a point he's made before (references in PHP are bad) Johannes Schluter has posted an example to his blog of a specific instance that causes an (expected) issue with references and foreach loops.

Now there is one use case which leads to an, at first, unexpected behavior which I didn't see as a real-life issue when I stumbled over it at first, but then there were a few bug reports about it and recently a friend asked me about it ... so here it goes.

He shows a code snippet that loops over an array with two foreaches and a print_r that exposes the bug: the array has changed from the original for no clearly apparent reason. To understand why this happens, he goes into detail on how variables are handled internally, complete with graphs.

tagged: references foreach array bug handling variable

Link:

Johannes Schluter's Blog:
Do not use PHP references
Jan 11, 2010 @ 16:50:22

In a new post to his blog Johannes Schluter recommends that you don't use references in your applications, mostly because of some misconceptions about how they work.

Last year I spoke at eight conferences and attended a few more; multiple times at most of them I found myself in discussions about references and PHP, as many users seem to have wrong understandings about them. Before going too deep into the subject, let's start with a quick reminder of what references are and clear some confusion about objects which are "passed by reference."

He re-introduces referenced variables and scratches the surface of the confusion they can cause, not only at the user level but also in the internals of the language, and how that can lead to some unexpected results. He also mentions the "always passed by reference" idea that several PHPers have about PHP5 objects and why it's not entirely correct. He finishes off the post with a look at returning referenced parameters and how it can lead to bad application design.

tagged: references avoid misconception

Link:

Rochak Chauhan's Blog:
Top Ten Security Vulnerabilities in PHP Code
Aug 04, 2008 @ 17:58:10

Rochak Chauhan has come up with a list of ten security problems that could be lurking in your applications, waiting to pop up at the worst time. Here's his list:

  • Unvalidated Parameters
  • Broken Access Control
  • Broken Account and Session Management
  • Cross-Site Scripting (XSS) Flaws
  • Buffer Overflows
  • Command Injection Flaws
  • Error Handling Problems
  • Insecure Use of Cryptography
  • Remote Administration Flaws
  • Web and Application Server Misconfiguration

Each item on the list has a bit of detail (and sometimes some code) to help point out the problem. Some of them even have references to external sources and packages to help you solve the problems.

tagged: security vulnerabilities list example references

Link:

Pierre-Alain Joye's Blog:
Little reminder about PHP references and some thoughts about FUDs
Feb 28, 2007 @ 15:17:00

Pierre-Alain Joye has a little reminder posted to his blog today about two posts from planet-debian and Apache that refer to clones/references in PHP4 and PHP5 and some of the misconceptions presented there.

Reading planet-debian and Apache (from Sven and David), I caught two posts about clones and references in php4 and php5. I do not think it is worth explaining everything again here, as Sara wrote a very good post already; check it out here.

He mentions his annoyance with articles/posts like these and the impact that it has on PHP as well as the person posting.

I wonder when the OS community in general will be mature enough to stop bitching at each other. And that's valid for PHP developers, gnome-kde and other well established wars.

tagged: references article post planetdebian apache fud clone

Link:
