News Feed
Sections




News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Code Yellow Blog:
What Your Framework Never Told You About SQL Injection Protection
May 23, 2014 @ 13:51:20

The Code Yellow site has recently posted an article pointing out an issue that's all too common in PHP frameworks, more specifically those that bundle some kind of ORM into their functionality. They wonder if your framework is telling you everything about what they're doing to prevent SQL injection.

We've discovered that SQL injection is to this day not a fully solved problem, even in most popular frameworks. In this post, we'll explain how these frameworks fail at escaping parts of a query, culminating in the discovery of a critical vulnerability in the popular Laravel framework which affects a large percentage of applications.

He starts with an illustration using the FuelPHP framework and the protection it offers from garden variety SQL injection attempts. Unfortunately, things start to break down when it gets much past this typical case. They found this same issue to be a wide-spread problem in many PHP frameworks and tools including the Laravel, CodeIgniter and CakePHP frameworks, each with their own ORMs. He also talks about issues with blacklisting and whitelisting and how, sadly, most of the frameworks just don't support it for model data filtering. There's a mention of some of the work they've done to help try and fix the issue (including patches and contacting authors) and some recommendations of how to correctly quote identifiers in SQL statements.

0 comments voice your opinion now!
sqlinjection framework whitelist blacklist identifiers escape prepared statements

Link: http://www.codeyellow.nl/identifier-sqli.html

Jani Hartikainen:
Library author Don't provide an exploitable interface
September 02, 2013 @ 11:18:05

Jani Hartikainen has shared a recommendations to library authors out there - don't make your library exploitable. That is, don't make it, by default, open to common attacks like SQL injection or cross-site scripting.

SQL injection is a pretty big deal. Its cousin shell injection is also a common issue, demonstrated quite well by a recent post to the PHP reddit. Although some suspect it was a troll, I heard echos from a variety of people who had seen pretty much exactly the same vulnerability in production.

This got me thinking: People writing libraries for doing things like shell commands, SQL, etc., don't actually have to provide an interface that can be easily mis-used. An interface like this could just as easily be based on some other data type besides a plain string, completely side stepping issues caused by concatenation. "What on earth are you talking about?" - Let me explain...

He goes on to talk about more specifically about SQL injection issues (it is still first on the OWASP list after all) and makes a few suggestions to a better API. He points out a lot of it is about little or no education on security-related topics. He also suggests a "SafeSQL" kind of interface that would help prevent some of these common issues using something like Haskell.

0 comments voice your opinion now!
sqlinjection sqli exploit library haskell

Link: http://codeutopia.net/blog/2013/08/31/library-author-dont-provide-an-exploitable-interface/

PHPMaster.com:
8 Practices to Secure Your Web App
February 04, 2013 @ 12:56:40

PHPMaster.com has posted a new article with some high level security tips and reminders for PHP developers when wanting to help prevent issues with their applications. The article provides eight tips, each with a brief description.

When it comes to application security, in addition to securing your hardware and platform, you also need to write your code securely. This article will explain how to keep your application secure and less vulnerable to hacking.

The good practices they recommend include input data validation, protecting against XSS attacks, preventing SQL injections, protecting session data, proper error handling and protecting included files. There's some good reminders here, but it barely scratches the surface of effectively protecting your application. These tips are the "low hanging fruit" for securing your app, so be aware that there's more things to worry about than just these eight.

0 comments voice your opinion now!
secure application tips xss csrf sqlinjection file session error include


Ulf Wendel:
Not only SQL injection I don't trust you!
September 26, 2012 @ 08:34:59

On his site today Ulf Wendel talks about SQL injection and some comments that came up during a recent webinar about common MySQL mistakes PHP developers make.

Never trust user input! Injection is a threat . You are the new web developer, aren't you?. Never trust user input is the first rule I had to learn as a web developer in anchient times. Injection can happen whenever user input is interpreted or used to compose new data. A quick recap of the #3 mistake from todays Top 10 MySQL Tips and Mistakes for PHP Developers web presentation. A webinar recording should be available in a couple of days.

He points out a few "don't" things to avoid - like directly injecting superglobal values into your query and to remember that not all SQL injections are because of escaping issues. The real key? Validating input - be sure you're putting values into your query that are of the correct type and contain what you expect.

0 comments voice your opinion now!
sqlinjection mysql webinar common mistake


Anson Cheung:
Top 6 security attacks in PHP
August 09, 2012 @ 17:03:55

Anson Cheung has posted about some security attacks (six of them) that you need to watch out for when developing your apps.

Be aware of the most common security threats to PHP applications is the important step to secure your PHP scripts may not be immune. Here, the article is going to go over top 6 common security threads in PHP scripts. You may familiar with this, if not, this is a good time for you to read and keep in mind.

The top six on his list are:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Session fixation
  • Session capturing/hijacking
  • Cross-Site Request Forgeries (CSRF)
  • Code Injection

For each item, he includes a bit of explanation as to what the issue is and a common solution as to how to prevent it.

0 comments voice your opinion now!
security attack xss csrf session sqlinjection code


Developer Drive Blog:
How to Prevent a SQL Injection Attack
October 14, 2011 @ 09:25:12

From the Developer Drive blog there's a recent post with some suggestions on how you can help to prevent SQL injections in your PHP application and make it that much harder for would-be attackers to do what they shouldn't.

Why do SQL injections happen so often? The shortest answer is that SQL injections are so popular because of poor programming. Hackers know about the potential of a successful SQL injection attack and they search for vulnerabilities. Unfortunately, very often they don't have to search hard - vulnerabilities pop right in their face. [...] The good news is that fortunately, SQL injections are also relatively easy to prevent.

They list nine easy things you can do to help prevent the attacks:

  • Patch your SQL server regularly
  • Limit the use of dynamic queries
  • Escape user input
  • Store database credentials in a separate file
  • Use the principle of least privilege
  • Turn magic quotes off
  • Disable shells
  • Disable any other DB functionality you don't need
  • Test your code
0 comments voice your opinion now!
sqlinjection security sql prevent tips attack


DZone.com:
Hardening PHP SQL injection - Complete walkthrough
August 12, 2011 @ 09:20:13

On DZone.com today there's a new post from Krzysztof Kotowicz sharing a presentation of his about protecting your application from SQL injection.

The materials teach how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas and caveats are included. I discuss why escaping is usually the wrong choice, which practices to avoid or follow and how stored procedures sometimes offer no protection at all.

The presentation (as posted to Slideshare) starts with some of the basics - what SQL injection is and an example of how it could be used to bypass security. He covers how to use prepared statements in each of the technologies (with code snippets), methods for escaping data and how to create stored procedures that are protected from the same threats.

0 comments voice your opinion now!
harden application sqlinjection pdo doctrine zendframework mdb2 presentation


Advanced PHP Tutorial:
7 Useful functions to tighten the security in PHP
October 08, 2010 @ 12:28:38

On the Advanced PHP Tutorial site there's a recent post that suggests a few useful functions that can get you started on security and protecting your application from possible exploits. These aren't the only way to prevent these issues, but they're a start in the right direction.

Security is a very important aspect of programming. In PHP, there are few useful functions which is very handy for preventing your website from various attacks like SQL Injection Attack , XSS attack etc.Let's check few useful functions available in PHP to tighten the security in your project. But note that this is not a complete list, it just list of functions which I found useful for using in your project.

The functions include mysql_real_escape_string for database query handling, htmlentities to filter user input for HTML and two hashing functions to create hashes you can validate from - md5 and sha1.

1 comment voice your opinion now!
security function xss sqlinjection application


NETTUTS.com:
Can You Hack Your Own Site? A Look at Some Essential Security Considerations
July 22, 2008 @ 12:57:07

On the NETTUTS.com website, there's a great article with some "essential security considerations" that you can use to see just how hackable your site could be.

This article walks through the brainstorming stage of planning for what is in this instance, a hypothetical user-centric web application. Although you won't be left with a complete project '" nor a market ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado...Are you sitting comfortably?

The tutorial is broken up into a few sections based around an example with a few points of failure (about book information). They work through the thought process behind the code, using the $_REQUEST variables correctly, preventing SQL injections, filtering the HTML output and a sample code download for you to see how it's all tied together.

0 comments voice your opinion now!
security consideration hack tutorial sqlinjection filter output input


php|architect:
New Free Issue of php|architect
August 16, 2007 @ 10:07:00

The folks over at php|architect magazine has updated the free issue they're offering to anyone looking to get a taste of the great content inside each issue. Sean Coates writes:

We've recently updated our web site to offer a new free issue of php|architect magazine! The May 2007 edition of php|architect has proven to be extremely popular, and with PHP 6 on the horizon, we thought everyone should read the cover article on Unicode, so we're releasing it completely free (and without obligation) to registered users of our web site.

Other topics covered in the issue include working with server/client-side validation, preventing SQL injections, a look at the Model View Controller design pattern and dictionary attacks.

You can grab this free issue directly from the php|architect website.

0 comments voice your opinion now!
phparchitect free issue unicode validation sqlinjection mvc designpattern disctionary phparchitect free issue unicode validation sqlinjection mvc designpattern disctionary



Community Events





Don't see your event here?
Let us know!


refactor language testing developer introduction series framework podcast laravel install configure release community opinion code threedevsandamaybe list experience interview unittest

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework