In his latest entry, Marco Tabini talks about some of the security issues surrounding PHP that have been going around lately, and his take on the situation.

If you happen to keep a tab on the various posts in the community, you have undoubtedly noted a variety of opinions on the subject—I think that security doesn't belong in the language, Chris has made his point clear and Harry sort-of responded to both of us.

As a community, we are all tasked with ensuring that PHP becomes a better product. And by "community" I really mean everyone—individuals, OSS groups and commercial entities. I think that finally, after so many false starts, we are beginning to do a good job of it, too.

The post continues on, talking more about the ever-growing trend towards PHP5 and a push forward towards applications written with it with better security and less issues overall...

In his latest entry, Marco Tabini talks about some of the security issues surrounding PHP that have been going around lately, and his take on the situation.

If you happen to keep a tab on the various posts in the community, you have undoubtedly noted a variety of opinions on the subject—I think that security doesn't belong in the language, Chris has made his point clear and Harry sort-of responded to both of us.

As a community, we are all tasked with ensuring that PHP becomes a better product. And by "community" I really mean everyone—individuals, OSS groups and commercial entities. I think that finally, after so many false starts, we are beginning to do a good job of it, too.

The post continues on, talking more about the ever-growing trend towards PHP5 and a push forward towards applications written with it with better security and less issues overall...

Chris Shiflett has this post today about the partnership between php|architect and the Pro PHP Podcast.

You've probably heard the good news about the Pro PHP Podcast. The guys behind the show (Marcus Whitney and Chris Cornutt) are joining forces with php|architect in what should be a good thing for all of us.

So, I was very happy to hear about the partnership with php|architect, because I know this will let Marcus focus on the show. There are also regular newscasts planned, and Chris is asking, What do you want out of your news?

Always good to see community support behind a project...and remember, the first show of this new partnership is happening January 27th, an interview with Andi Gutmans that will be broadcast live. Click here to sign up...

Chris Shiflett has this post today about the partnership between php|architect and the Pro PHP Podcast.

You've probably heard the good news about the Pro PHP Podcast. The guys behind the show (Marcus Whitney and Chris Cornutt) are joining forces with php|architect in what should be a good thing for all of us.

So, I was very happy to hear about the partnership with php|architect, because I know this will let Marcus focus on the show. There are also regular newscasts planned, and Chris is asking, What do you want out of your news?

Always good to see community support behind a project...and remember, the first show of this new partnership is happening January 27th, an interview with Andi Gutmans that will be broadcast live. Click here to sign up...

Chris Shiflett has posted this new item on his blog today with his look back at his year in 2005 - both personal and community related.

In the tradition of my 2003 and 2004 highlights, I'm posting my personal highlights of 2005. As in years past, this is mainly for my own benefit. I hope everyone has a wonderful 2006.

Some of the more memorable things on his list include:

• the launch of the PHP Security Consortium
• the launch of his consulting company, BrainBulb
• made numerous speeches
• completed his second book, PHPDecurity.org, a companion to it

Overall, a great year...he also includes some of the things that he'd like to do in the next year as well (speak at fewer conferences, contribute more to open source, etc).

Chris Shiflett has posted this new item on his blog today with his look back at his year in 2005 - both personal and community related.

In the tradition of my 2003 and 2004 highlights, I'm posting my personal highlights of 2005. As in years past, this is mainly for my own benefit. I hope everyone has a wonderful 2006.

Some of the more memorable things on his list include:

• the launch of the PHP Security Consortium
• the launch of his consulting company, BrainBulb
• made numerous speeches
• completed his second book, PHPDecurity.org, a companion to it

Overall, a great year...he also includes some of the things that he'd like to do in the next year as well (speak at fewer conferences, contribute more to open source, etc).

Chris Shiflett has a new post on his blog today that points to a sample chapter of his book, "Essential PHP Security", that's been posted over on MySQL's Developer Zone.

The sample chapter of Essential PHP Security for MySQL's Developer Zone is now available: Chapter 2, Forms and URLs.

This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with data from forms and URLs. You will learn about attacks such as cross-site scripting (XSS) and cross-site request forgeries (CSRF), as well as how to spoof forms and raw HTTP requests manually. By the end of the chapter, you will not only see examples of these attacks, but also what practices you can employ to help prevent them.

If you haven't gotten a chance to check out the book, you definitely should. It's recieved greate reviews by people all over the community, and thought smaller, contains a lion's share of information about PHP security matters...

Chris Shiflett has a new post on his blog today that points to a sample chapter of his book, "Essential PHP Security", that's been posted over on MySQL's Developer Zone.

The sample chapter of Essential PHP Security for MySQL's Developer Zone is now available: Chapter 2, Forms and URLs.

This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with data from forms and URLs. You will learn about attacks such as cross-site scripting (XSS) and cross-site request forgeries (CSRF), as well as how to spoof forms and raw HTTP requests manually. By the end of the chapter, you will not only see examples of these attacks, but also what practices you can employ to help prevent them.

If you haven't gotten a chance to check out the book, you definitely should. It's recieved greate reviews by people all over the community, and thought smaller, contains a lion's share of information about PHP security matters...

On his blog today, Chris Shiflett has two posts about a problem with Google and a Cross-site Scripting attack that it's vulnerable to.

From this post: The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() with the optional third argument that indicates the character encoding.

By way of demonstration, he provides a little PHP script that makes a request in a different character encoding than Google can handle. Coupled with the small response from Google, a UTF-7 character sent to certain browsers could be interpreted and executed.

In this second post, he answers a question from the comments - "how will this effect my site?"

Rather than offer another vague answer, I decided to provide a very simple proof of concept that demonstrates how character encoding inconsistencies can bite you. Google's vulnerability has of course been fixed, but with a simple PHP script, we can reproduce the situation.

The script, though escaped, still causes a Javascript popup box to show when the page is loaded - all due to a lack of improper character encoding handling...

On his blog today, Chris Shiflett has two posts about a problem with Google and a Cross-site Scripting attack that it's vulnerable to.

From this post: The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() with the optional third argument that indicates the character encoding.

By way of demonstration, he provides a little PHP script that makes a request in a different character encoding than Google can handle. Coupled with the small response from Google, a UTF-7 character sent to certain browsers could be interpreted and executed.

In this second post, he answers a question from the comments - "how will this effect my site?"

Rather than offer another vague answer, I decided to provide a very simple proof of concept that demonstrates how character encoding inconsistencies can bite you. Google's vulnerability has of course been fixed, but with a simple PHP script, we can reproduce the situation.

The script, though escaped, still causes a Javascript popup box to show when the page is loaded - all due to a lack of improper character encoding handling...