Zend Developer Zone:
Security Tip: Use a Database Abstraction Layer to help prevent SQL Injection
Apr 11, 2007 @ 11:39:00

Matthew Weier O'Phinney has posted one of his own security tips on the Zend Developer Zone today, covering the use of a database abstraction layer to help prevent SQL injection in your application.

SQL injections are a common vulnerability in web-based applications that use databases. [...] There are several methods to prevent this type of attack.

He gives three helpful hints for SQL injection prevention:

  • Use your database extension's quoting mechanism to quote values prior to executing a query
  • Use PDO's prepared statements support
  • Use a database abstraction layer (DAL), such as AdoDB, PEAR::MDB2, or Zend_Db.
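
The three hints side by side, as an added example that is not code from the tip itself (it assumes PHP with the pdo_sqlite driver available; a DAL such as Zend_Db does the parameter binding of the third variant for you):

```php
<?php
// Added example, not code from the Zend Developer Zone tip: one lookup
// written three ways against an in-memory SQLite database through PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// 1. Vulnerable: the value is interpolated into the SQL text, so a quote
//    character inside it ends the string literal and whatever follows is
//    parsed as SQL rather than treated as data.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Quoting (first hint): PDO::quote() escapes the value for the driver in
//    use. Correct, but every call site has to remember to do it.
function findByNameQuoted(PDO $pdo, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement (second hint): the SQL is fixed before the value is
//    supplied, and the bound value is never parsed as SQL.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary name that happens to contain a quote.
$input = "O'Brien";

try {
    var_dump(findByNameUnsafe($pdo, $input));
} catch (PDOException $e) {
    // Reaching here shows that the input was handed to the SQL parser.
    echo 'unsafe: ', $e->getMessage(), "\n";
}
var_dump(findByNameQuoted($pdo, $input));
var_dump(findByNamePrepared($pdo, $input));
```

The unsafe variant fails on a harmless name for the same reason it fails under attack: the database cannot tell where the data stops and the SQL resumes, which is exactly what quoting and binding fix.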

tagged: securitytip sqlinjection prevent database abstraction layer

Zend Developer Zone:
Security Tip #21 (Subscribe to BugTraq)
Apr 03, 2007 @ 11:20:00

The latest Security Tip has been posted on the Zend Developer Zone about the importance of the SecurityFocus newsletter.

Today’s PHP security tip is short, sweet and easily actionable. It fits in well with the theme of the last one, to stay vigilant. Here’s another resource for you to consider: If you are not already subscribed, you should subscribe to the Security Focus newsletter.

He links to their signup page and points out the most useful of their offerings - the BugTraq list.

BugTraq is a full disclosure moderated mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.

tagged: securitytip subscribe mailinglist bugtraq securityfocus

Zend Developer Zone:
PHP Security Tip #20 (Resources)
Apr 02, 2007 @ 10:49:00

The Zend Developer Zone has posted yet another entry in their running series of security tips to help you safeguard your applications - Tip #20, on security resources worth looking into.

To paraphrase an American Patriot "The price of security is eternal vigilance". You have to keep watch over your system but you also have to keep learning. Today's security tip is a list of resources to help you keep your security knowledge up to date. I've gathered together several resources for you to consider when looking for PHP Security information.

Resources Cal recommends include Chris Shiflett's book "Essential PHP Security", the APress "Pro PHP Security" from Chris Snyder, and more. Of course, he also recommends their own Security Tips series for helpful hints as well.

tagged: resource book magazine securitytip phparchitect

Zend Developer Zone:
PHP Security Tip #19 (Securing Your Connection)
Mar 29, 2007 @ 12:36:00

The Zend Developer Zone has posted their latest security tip today - this time dealing with the actual connection your application sits on (from Chris Hartjes).

The most secure application is one with no connection to the outside world.

As we've covered, you can't really disconnect the network from your web server if you are building web applications. You can however, carefully consider which servers need to be connected to the outside world and which can be inside your firewall. Beyond that, you can also evaluate how those servers that have to remain outside your firewall communicate with the ones inside.

No, his suggestion is not to take your application "off the grid" but rather to limit access to things like database servers, to help protect the data that lives inside them.

tagged: securitytip application secure outside database firewall server

Zend Developer Zone:
Security Tips #17 & #18 (When to Secure & File Uploads)
Mar 28, 2007 @ 17:19:49

The Zend Developer Zone continues their great series of security tips with two new posts - one talking about when to focus on security and the other about file uploads.

From the first, tip #17:

Application security should not be a "when all else fails" situation. It's not something you can "put in later". As we've mentioned before, there is no single silver bullet to solve your application security issues. Security is something that should be rolling around in the back of your head in the design phase, the coding phase, the testing phase, even after you've rolled your code into production.

And, from tip #18:

When you allow users to upload files, your system may be at risk. Always restrict the file types that you allow. Don't rely on a blacklist approach. [...] Be careful with file uploads and make sure you protect them with a whitelist policy instead. Make sure that the file that has been uploaded is of the type that you want to allow.
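
A whitelist check of the kind tip #18 describes, as an added example that is not code from the tip (it assumes PHP with the bundled fileinfo extension; the sample files are constructed in a temp directory so it runs outside a web request):

```php
<?php
// Added example, not code from the Zend Developer Zone tip: accept an upload
// only when its content is one of a few allowed types. The client-supplied
// filename and $_FILES['f']['type'] are not consulted, since both are chosen
// by the uploader.

// Whitelist: MIME type detected from the bytes => extension to store under.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Returns the extension to store the file under, or null to reject it.
// In a real handler $tmpPath is $_FILES['f']['tmp_name'], and you would
// also verify it with is_uploaded_file() before touching it.
function allowedExtension(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_TYPES[$mime] ?? null;   // anything not listed is rejected
}

// Constructed samples: a minimal 1x1 PNG, and a text file named like a PNG.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n"
    . "\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00"
    . "\x90\x77\x53\xde");
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "hello, I am not an image\n");

foreach (['real.png' => $png, 'fake.png' => $fake] as $clientName => $path) {
    $ext = allowedExtension($path);
    if ($ext === null) {
        unlink($path);
        echo "$clientName: rejected\n";
        continue;
    }
    // Store under a name we generate; never reuse the client's filename.
    $dest = sys_get_temp_dir() . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    rename($path, $dest);   // move_uploaded_file() in a real handler
    echo "$clientName: stored as $dest\n";
}
```

The text file is rejected even though its name ends in .png, which is the difference between whitelisting what the bytes actually are and blacklisting what the name claims.
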

tagged: securitytip consider security integrate file upload whitelist
