Robert Basic:
CLI command to whitelist Composer packages
Dec 04, 2017 @ 15:35:37

Robert Basic has shared a quick tip for the Composer users out there (you do use Composer, right?) showing how to exclude certain packages from updates without having to whitelist packages all the time.

Given that Composer has no --exclude flag or similar, the only other option is to create a list of packages we allow to be updated, excluding the ones we don’t want to be updated. We need to create a whitelist.

Creating it manually would be a PITA though, especially if there’s a lot of packages to include or exclude. CLI to the rescue!

He includes a command that grabs the packages from the current composer info listing (using grep, sed, cut and paste). He walks through the command showing how it works to pull the package information out. With the help of the -v option for grep it's easy to remove certain items from the list (blacklist) and to provide a string back to composer that can then be used to update only the remaining packages.

tagged: composer package commandline cli whitelist blacklist

Link: https://robertbasic.com/blog/cli-command-to-whitelist-composer-packages/

NetTuts.com:
Building Advanced Email Features With IMAP and PHP
Oct 21, 2014 @ 17:19:47

On the NetTuts.com site they've posted a tutorial showing you how to build advanced features with IMAP and PHP. He bases it on the SimplifyEmail project and includes examples of three different features to get you started.

Analysis of my own email showed I was receiving email from more than 230 automated senders, far fewer actual people. I was tired of constructing filters in Gmail and filling in a myriad of unsubscribe forms. I wanted to have more control over managing my email and simplifying my life. Finally, this past year, I decided to build the features I needed. The result is Simplify Email (SE), a small web app you can host yourself which offers a variety of cool new email features all of which you can check out on the project website. The coolest thing about SE is that it's a platform for reading, analyzing, routing and managing your email - the possibilities abound. Simplify Email is essentially a programmable playground for "hacking" your own email.

His three examples show you how to:

  • Check your inbox and filter messages
  • Implement a whitelist challenge to unknown senders
  • Report unanswered email

Each of these comes with plenty of code examples, screenshots and output examples (as well as some places where you might need to change some SE configuration values).

tagged: advanced email imap tutorial feature simpleemail filter whitelist reporting

Link: http://code.tutsplus.com/tutorials/building-advanced-email-features-with-imap-and-php--cms-22059

Code Yellow Blog:
What Your Framework Never Told You About SQL Injection Protection
May 23, 2014 @ 18:51:20

The Code Yellow site has recently posted an article pointing out an issue that's all too common in PHP frameworks, more specifically those that bundle some kind of ORM into their functionality. They wonder whether your framework is telling you everything about what it's doing to prevent SQL injection.

We've discovered that SQL injection is to this day not a fully solved problem, even in most popular frameworks. In this post, we'll explain how these frameworks fail at escaping parts of a query, culminating in the discovery of a critical vulnerability in the popular Laravel framework which affects a large percentage of applications.

They start with an illustration using the FuelPHP framework and the protection it offers against garden-variety SQL injection attempts. Unfortunately, that protection starts to break down once a query moves much past this typical case. They found the same issue to be a widespread problem in many PHP frameworks and tools, including the Laravel, CodeIgniter and CakePHP frameworks, each with their own ORMs. They also talk about issues with blacklisting and whitelisting and how, sadly, most of the frameworks just don't support it for model data filtering. There's a mention of some of the work they've done to help fix the issue (including patches and contacting authors) and some recommendations on how to correctly quote identifiers in SQL statements.

tagged: sqlinjection framework whitelist blacklist identifiers escape prepared statements

Link: http://www.codeyellow.nl/identifier-sqli.html

Mike Lively's Blog:
Improved PHPUnit Filters
Feb 03, 2009 @ 15:32:26

In a recent post to his blog Mike Lively looks at some improvements that he's worked up for the popular PHP unit testing software, PHPUnit, regarding its filters.

I have finally gotten some time to do some long awaited work on PHPUnit. The first on my agenda was a small improvement to filtering. This was related to ticket #526. Essentially I added the ability to do both white list and black list filtering.

Besides the Include methods you can add to the data set's filtering, you can also add in Exclude filters to remove the data you don't want in the set. They can also be combined to customize your data set to your heart's content.

tagged: input filter phpunit include exclude whitelist blacklist

Link:

Zend Developer Zone:
Security Tips #17 & #18 (When to Secure & File Uploads)
Mar 28, 2007 @ 22:19:49

The Zend Developer Zone continues their great series of security tips with two new posts - one talking about when to focus on security and the other about file uploads.

From the first, tip #17:

Application security should not be a "when all else fails" situation. It's not something you can "put in later". As we've mentioned before, there is no single silver bullet to solve your application security issues. Security is something that should be rolling around in the back of your head in the design phase, the coding phase, the testing phase, even after you've rolled your code into production.

And, from tip #18:

When you allow users to upload files, your system may be at risk. Always restrict the file types that you allow. Don't rely on a blacklist approach. [...] Be careful with file uploads and make sure you protect them with a whitelist policy instead. Make sure that the file that has been uploaded is of the type that you want to allow.

tagged: securitytip consider security integrate file upload whitelist

Link:

SitePoint PHP Blog:
Zend_Filter Reviewed, Blacklist / Whitelist Filters
Mar 29, 2006 @ 00:20:37

The Zend Framework has definitely made a huge splash in the PHP community, and everyone is picking their piece of it to cover. In this new post from the SitePoint PHP blog, Maarten Manders highlights the Zend_Filter module.

I like Zend Framework's Zend_Filter class. It's basically a set of methods for validating untrusted data. Although the two arguably most important features isEmail() and isUri() (the latter can be worked around with Zend_Uri) are still missing, the whole thing looks promising already.

He starts with a few of his thoughts on the package ("Clean up the code of isHostname", "International support for isPhone") and some code to show how it can be implemented - filtering for use in a regular expression, validation of a string by a character whitelist as well as blacklisting, and using the Zend_Filter module for a more flexible isName.

tagged: zend framework zend_filter whitelist blacklist

Link:
