PHPDeveloper: PHP News, Views and Community

	News Feed
	Jobs Feed

Sections

Tutorials

Books

Events

Talks

Jobs

Recent Jobs

Dave Marshall's Blog: Competition: PHP Job Hunters Handbook up for grabs

Job Posting: LIVESTRONG.com/Demand Media Inc. Seeks Senior PHP Software Developer (Santa Monica, CA)

Job Posting: Children's Hospital Boston Seeks Open Source Web Developer (Boston, MA)

Job Posting: eReleases Seeks Zend/PHP Developer (Baltimore, MD)

Job Posting: Chegg Seeks Senior PHP Developer (Santa Clara, CA)

Job Posting: TEKSystems (Recruiter) Seeks PHP Web Application Developers (Tampa, FL)

Job Posting: Quinstreet, Inc. Seeks Sr. PHP Developer (Foster City, CA)

Job Posting: WideEye Interactive/Moroch Advertising Seeks Web Developer (Dallas, TX)

Job Posting: Project People Ltd (Recruiter) Seeks PHP Developer (Paris, France)

Job Posting: Snelling (Recruiter) Seeks Web Programmer (Boston, MA)

News Archive

ElePHPant World Tour: The Elephpant World Tour 2008 is done!

Ralph Schinder's Blog: The Semi-Official Zend Framework Pear Channel

Michael Caplan's Blog: Don't Forget to Flush

Sameer Borate's Blog: Finding if an array is ordered

Etienne Kneuss' Blog: SplObjectStorage for a fast and secure object dictionary

Matthew Turland's Blog: php|tek 2009 Hackathon

Tobias Schlitt's Blog: Webdav authentication, authorization and locking

Evert Pot's Blog: Devshed article about SQL Injection

Site News: Blast from the Past - One Year Ago in PHP

Community News: phpGG Frontend Special

feed this:

Paul Reinheimer's Blog:
Stop Messing up CSRF Protection

by Chris Cornutt November 10, 2008 @ 08:47:53

In his latest post Paul Reinheimer looks at cross-site request forgeries and, despite the best efforts of the PHP security community, how developers still just miss the point in protecting their own code.

So, cross site request forgeries are a pretty common topic these days; they're in almost every security talk, book, site etc. This is okay; they're important [...] Most of the sites, and all of the books I've read demonstrate things correctly, but when it comes to actual implementation, time and time again, I see code that's just wrong.

He looks at two of the "essentials" when it comes to protecting you and your application - comparison (not taking other values of variables into account) and the unpredictable token (not making tokens, like md5 hashes of information, random enough).

0 comments voice your opinion now!
crosssite request forgery csrf comparison unpredictable token random

Community Events

Don't see your event here?
Let us know!

All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework