Stuart Herbert's Blog:
Can You Secure A Shared Server With PHP + FastCGI?
October 07, 2008 @ 10:27:09

In a new post today Stuart Herbert asks the question "is it possible to secure a shared server with PHP and FastCGI installed on it?" His answer follows...

The challenge with securing a shared hosting server is how to secure the website from attack both from the outside and from the inside. PHP has built-in features to help, but ultimately it's the wrong place to address the problem. [...] Before we can look at performance, the first question is: how exactly do we get PHP and FastCGI running as different users on the one web server in the first place?

He follows through on this, giving a little mini-tutorial on getting the environment installed on an Apache web server. He includes some benchmarks on the difference between using the Apache 1.3.x series and Apache 2 (generated using the ab benchmarking tool).

fastcgi shared server secure user execute apache tutorial



ThinkPHP Blog:
Webinar Create Secure LAMP Applications
August 21, 2008 @ 08:44:10

The ThinkPHP blog points out a recorded (German-only) webinar that Stefan Esser did covering the creation of secure LAMP applications.

Unfortunately, this Webinar was in German, but if you understand German you might be interested in the Webinar recording which is now available at MySQL's website.

The webinar looks at previous attack types, the features MySQL already includes to help prevent SQL injection, handling multi-byte characters, and correct error handling.

lamp application secure webinar german stefanesser


Thomas Weidner's Blog:
Zend_File_Transfer examples or using validators to increase security
July 24, 2008 @ 13:41:47

Thomas Weidner has posted about a method he's come up with to help protect you and your site when uploading files through the Zend_File_Transfer component from the Zend Framework.

The new Zend_File_Transfer component is growing day by day. As an incredible new feature, this component allows the use of file validators. These are necessary to increase security and allow you to define rules for file uploads (and also downloads in the future).

He illustrates with a simple Zend_File_Transfer object that uses an addValidators call to limit the size of the upload to 50 KB. Other validation rules include count (the number of files to expect), extension, filessize and imagesize. Using these he builds a "more secure" upload object that sets the size to 205 KB, expects five files that are all under 1 MB, and accepts only the types gif/jpg/png.

zendfiletransfer component zendframework secure validator


Ed Finkler's Blog:
Encouraging steps towards security in Wordpress 2.5
April 02, 2008 @ 21:09:47

Ed Finkler, not normally a big fan of the WordPress PHP-based blogging system, has pointed out some positive steps that were made in the latest release in the security arena.

Anyone who gets me liquored up knows that I'm not a fan of Wordpress. I think it's great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don't believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple areas: password hashes and cookie data encryption.

He mentions two things in particular - their addition of salted passwords and secure cookies.

wordpress security secure cookie password hash blog


PHPBuilder.com:
Securing Data Sent Via GET Requests
December 14, 2007 @ 08:49:00

PHPBuilder.com has a new article by Hillel Aftel about his method of choice for securing the data that you send over the GET string when moving things around on your site.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

His encryption method - sending everything in a single string and modifying the scheme each time - uses static pairs of values (of your choosing) to "encode" the outgoing string. It actually consists of three different files: the script itself, a single-use script that generates the third file, and an include file that handles the conversion back from the encoded result.

get request secure data encode decode salt convert


MT-Soft Blog:
Creating a secure PHP production environment from Source Code
September 04, 2007 @ 09:58:00

The MT-Soft blog has posted a (basic but full of great info) new guide on ensuring that your PHP installation is a very secure place for your application to live.

This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages. In order to avoid repeating information covered in the previous article, only the main differences related to the process of securing Apache will be described.

They've broken it up into a few different sections:

  • System they'll be using (operating system, functionality assumed, security assumptions)
  • Preparing the software
  • Installing PHP
  • Chrooting the server
  • Configuring PHP
  • Protecting against CSS (cross-site scripting) and SQL injection attacks

Check out the full tutorial to fill in the blanks of this outline.

secure source code production environment tutorial


Kore Nordmann's Blog:
Why are you using BBcodes?
September 04, 2007 @ 07:20:00

In a new post on his blog, Kore Nordmann takes a look at a feature that's been around a long time (first introduced in a message board application) - BBCodes.

The discussion on my blog post "Do not use regular expressions for parsing" ended in a discussion about BBcodes in general. I just used them as an example to demonstrate why it is impossible to parse such a language with regular expressions - and mentioned in a subclause that I don't see any sense in using them at all.

He looks at some of the myths surrounding them and their use (more secure, easier to use, safer than HTML) and gives some reasons for choosing HTML over them.

bbcodes myths easier safer secure html


Charles Rowe's Blog:
The Four Major Benefits of MySQLi
June 19, 2007 @ 11:03:00

Charles Rowe shares four reasons/benefits he's come up with that should make you think about choosing MySQLi over the normal MySQL libraries for PHP for your application.

There still seems to be a lot of confusion over the differences between the two extensions despite the length of time that mysqli has been in the wild. I wanted to briefly review the four major benefits of mysqli.

Here's the list:

  • Prepared Statements
  • Secure MySQL connections
  • Multi query
  • Object Oriented Interface

He also includes a few more links to further information (besides the explanation for each of the topics listed above) including an article from the Zend Developer Zone and a tutorial covering making the switch to MySQLi.

mysqli benefit prepared statement secure multiquery oop interface


PHPBuilder.com:
Securing Data Sent Via GET Requests
May 11, 2007 @ 07:20:34

On PHPBuilder.com today, there's a new tutorial that describes a method of securing data sent via GET requests in your application.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

They talk about some of the advantages of encryption before getting into how it actually works. Their example script is separated into three PHP files: the main part of the script, a single-use script that in turn creates the third file, and an include file holding the encode/decode functions. With the structure defined, they move on to the code: the generation of the file with the large multi-dimensional array and the two functions that encode and decode the information.

get request secure encrypt request tutorial


Zend Developer Zone:
PHP Security Tip #19 (Securing Your Connection)
March 29, 2007 @ 12:36:00

The Zend Developer Zone has posted their latest security tip today - this time dealing with the actual connection your application sits on (from Chris Hartjes).

The most secure application is one with no connection to the outside world.

As we've covered, you can't really disconnect the network from your web server if you are building web applications. You can however, carefully consider which servers need to be connected to the outside world and which can be inside your firewall. Beyond that, you can also evaluate how those servers that have to remain outside your firewall communicate with the ones inside.

No, his suggestion is not to take your application "off the grid" but rather to limit access to things like database servers to help protect the data that lives inside them.

securitytip application secure outside database firewall server


All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework