On DevShed today, there's a new tutorial on showing how to create a simple application to use one of the simpler protocols - FTP.

PHP has many functions that help us to implement Internet and/or networking protocols. In this article, we will look at how to implement some of those protocols using PHP.

They introduce the FTP functions for PHP (a basic list, PHP manual style) and include the code - the CSS to make it easier to use and the PHP code to make the FTP connection and grab the remote file listing. A screenshot is included to give you an idea of the end result.

Ed Finkler, a long-time user of SFTPDrive on his Windows machine, has noticed something a bit odd lately when using the new Zend Studio (Eclipse):

For some reason, ZSfE just doesn't show me my '�k:'� drive (the SFTP mount) when browsing for a project directory. This throws a real wrench in my usual workflow '" ZS 5.5 had built-in SFTP support, and I could also use the local mount if I wanted.

Finding nothing in the traditional places, he's made this blog post hoping someone might have the answer. Turns out that the fix (as provided by Josh Johnston) is to create a new project around a new Remote Folder.

Demian Turner has posted about the latest version of the Seagull framework (0.6.3) and an update to correct a remote file disclosure issue (up to version 0.6.4).

Well it took a bit of time but after quite a few months a new release of Seagull is finally out, 0.6.3 (0.6.4). Things have been keeping pretty busy with the startup I'm working on, but it's been a great opportunity to refine some features of the framework and optimize the performance. The early indications are good, after less than 10 weeks of going live Kindo users are creating up to 20k profiles/day and the server load is staying comfortably below 0.5.

The update is a different download that helps correct an issue with the framework allowing user-inputted values from the GET string. Be sure and update your version to keep this security issue under wraps.

Chris Hartjes has a quick post (but complete with code) about moving files around a bit differently than the norm - it's his method for using a HTTP-PUT to push a file out.

A work project is getting close to 0.1 status. Pretty underwhelming, I know. One of the last 'milestones' for 0.1 is taking these wonderful XML documents that my web app creates and sends them to an internal web service. This web service will accept documents via an HTTP PUT [...] so I dug around a bit on the web and put together some code.

The code is a generic "publish" method that opens a stream to the remote server and, in a binary format, pushes the contents of a local file and parses out the response.

The Developer Tutorials site has posted a new article covering the creation of a small application that can help you scrape content from a remote page and pull it into your script.

In this tutorial you will learn how to build a PHP script that scrapes links from any web page.

You'll learn to use cURL, the DOM functions, XPath and a bit of MySQL to get the job done. It's nice to see that they also include a section looking at one of the more touchy aspects of web page scraping - "is it legal?"

Gareth Heyes has an example of yet another way he's seen developers incorrectly handle incoming connections and the information inside. This time, he focuses on the remote IP coming from the client.

Developers place too much trust in everything, they assume that certain data cannot be faked and therefore these pieces of data can be used as a Trojan horse. Lets take the REMOTE IP of a user, it seems a trusted source because of the TCP/IP connection between the user and the server.

He points out the difference between HTTP_X_FORWARDED_FOR and REMOTE_ADDR and how, despite them being the same almost all of the time, shouldn't be trusted since they could be spoofed. He even includes an example script showing how it could be done (and how a bit of Javascript can even be inserted).

The Ubuntu linux group has released an update for their PHP packages to help protect their users from issues like security bypass and remote exploits.

This fixes a weakness and some vulnerabilities, where some have unknown impacts and others can be exploited by malicious, local users to bypass certain security restrictions and by malicious users to bypass certain security restrictions.

Packages can either be downloaded manually or via the linux distro's package manager. This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

On the PHP Discovery blog, there's a new post reminding PHP developers of some of the more dangerous ways that remote execution could effect your site and some of the common entry points it can have.

PHP has numerous ways to execute raw PHP code unless you the programmer stops it. Best way in preventing these methods is making sure you check the input of what your users are inputting, and making sure you escape all malicious actions that a hacker,cracker, kiddy scripter might want to do to your website.

He summarizes four of the things from the Pro PHP Security book from Apress (by Chris Snyder and Michael Southwell) that can leave holes in you application for would-be explots - preg_replace, shell_exec/exec, eval (which we all know is only one letter from "evil" anyway) and require/include.

Jonathan Street has a tip for those developers out there that have no other choice than scraping content from a remote site - don't make it obvious. He also includes a suggestion on how to make it a little less obvious.

A couple of hours ago I was playing around scraping some content from a website. All was going well until suddenly I couldn't get my script to fetch meaningful content. [...] The first thing I did was stop visiting the site for 15 minutes or so and then increase the time between requests. It briefly worked again but quickly stopped.

One simple change to his user agent string in his php.ini made the problem evaporate pointing to a user agent filtering happening on the remote side. His helpful hint involves two methods - one in just PHP and the other in cURL - to change the user agent that your scripts are sending. An even better sort of solution might be some sort of rotating array that would alternate between four or five strings to make things even more random.

rPath linux has issued an update to their packages for PHP, PHP-MySQL and PHP-PGSql to correct issues that could make it possible for a remote user to gain unauthorized access.

his fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions or by malicious people to potentially compromise a vulnerable system.

References and links to the update information can be found in their original advisory.