<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the-Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Wed, 23 May 2012 04:53:10 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[Reddit.com: Protecting against attack?]]></title>
      <guid>http://www.phpdeveloper.org/news/17978</guid>
      <link>http://www.phpdeveloper.org/news/17978</link>
      <description><![CDATA[<p>
In <a href="http://www.reddit.com/r/PHP/comments/tnval/protecting_against_attack/">this recent post</a> to Reddit.com the poster asks for recommendations on how to keep his PHP application safe from would-be attackers:
</p>
<blockquote>
I can code fairly well in PHP these days, but my security isn't so hot. Is there a tutorial or plugin you guys can recommend as to how I should be protecting my php pages/inputs? I want to avoid common attacks like XSS, inputs with NULL or DROP TABLE etc?
</blockquote>
<p>
Responses <a href="http://www.reddit.com/r/PHP/comments/tnval/protecting_against_attack/">on the post</a> include recommendations related to:
</p>
<ul>
<li>Using the <a href="https://chorizo-scanner.com/">Chorizo scanner</a> to find common issues in your code</li>
<li>Using PDO for database connections (with bound parameters)</li>
<li>Not trusting "$_SERVER"</li>
<li>Data sanitization</li>
</ul>
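<p>
The two recommendations that matter most in that list are "bound parameters" and "don't trust the request", and the later "How do YOU sanitize input?" thread on this page asks the same questions about type checking. Below is an added example, not code from the Reddit thread: a string-built query beside its PDO prepared-statement replacement, with filter_var() doing the type validation. It assumes an in-memory SQLite database and a <code>users</code> table created in the script so it runs stand-alone; the attack string is constructed for the demonstration.
</p>

```php
<?php
// Added example (not from the Reddit thread). Assumptions: an in-memory SQLite
// database and a "users" table created here so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
// client library, separates the statement text from its parameters.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')");
$pdo->exec("INSERT INTO users (id, name) VALUES (2, 'bob')");

// Vulnerable: the raw value becomes part of the SQL text, so an input such as
// "1 OR 1=1" changes the query and returns every row. Kept only for comparison.
function findNameVulnerable(PDO $pdo, $id)
{
    $sql = "SELECT name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type first (filter_var() answers the "is this really
// an int?" question), then bind the value so it can never be parsed as SQL.
// Note that mysql_real_escape_string() would not help here: an unquoted numeric
// context contains nothing to escape, which is the "false sense of security".
function findNameSafe(PDO $pdo, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($id === false) {
        return array();                  // "abc", "1 OR 1=1" and "-3" all stop here
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// "Not trusting $_SERVER": HTTP_HOST, HTTP_REFERER and HTTP_USER_AGENT are sent
// by the client. Compare against a fixed allow-list instead of routing on them.
function trustedHost(array $server, array $allowedHosts)
{
    $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
    return in_array($host, $allowedHosts, true) ? $host : $allowedHosts[0];
}

$attack = '1 OR 1=1';   // constructed attacker input
var_dump(findNameVulnerable($pdo, $attack));
var_dump(findNameSafe($pdo, $attack));
var_dump(findNameSafe($pdo, '2'));
var_dump(trustedHost(array('HTTP_HOST' => 'evil.example'), array('www.example.com')));
```

<p>
With the attack string the vulnerable function hands back both users, because the WHERE clause has become <code>id = 1 OR 1=1</code>; the hardened one returns nothing, since the input fails the integer check before any SQL is built, and passing <code>'2'</code> returns bob through the bound parameter. The point is that binding separates code from data regardless of what the value contains, which no escaping function can promise.
</p>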
<p>
There are also links to <a href="http://phpmaster.com/php-security-cross-site-scripting-attacks-xss/">a few</a> <a href="https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API">other</a> <a href="http://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454">resources</a> with more details.
</p>]]></description>
      <pubDate>Fri, 18 May 2012 10:19:35 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[PHPMaster.com: PHP Security: Cross-Site Scripting Attacks (XSS)]]></title>
      <guid>http://www.phpdeveloper.org/news/17890</guid>
      <link>http://www.phpdeveloper.org/news/17890</link>
      <description><![CDATA[<p>
PHPMaster.com has a new tutorial posted today (by <i>George Fekete</i>) about <a href="http://phpmaster.com/php-security-cross-site-scripting-attacks-xss/">preventing cross-site scripting attacks</a> in your PHP-based applications.
</p>
<blockquote>
Unfortunately, cross-site scripting attacks occur mostly because developers are failing to deliver secure code. Every PHP programmer has the responsibility to understand how attacks can be carried out against their PHP scripts to exploit possible security vulnerabilities. Reading this article, you'll find out more about cross-site scripting attacks and how to prevent them in your code.
</blockquote>
<p>
The tutorial includes an example built around a simple form, definitions of the different types of XSS attack (reflected XSS and persistent XSS) and three ways to prevent them: data filtering, output filtering and data validation. He also links to a few "cheatsheets" to help even more, including <a href="http://ha.ckers.org/xss.html">this guide</a> and a Zend Framework set of <a href="http://www.zfsnippets.com/snippets/view/id/5">XSS test data</a>.
</p>]]></description>
      <pubDate>Tue, 01 May 2012 11:59:28 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[Joshua Thijssen's Blog: Bloom Filters]]></title>
      <guid>http://www.phpdeveloper.org/news/17792</guid>
      <link>http://www.phpdeveloper.org/news/17792</link>
      <description><![CDATA[<p>
In <a href="http://www.adayinthelifeof.nl/2012/04/09/bloom-filters/">this new post</a> to his blog, <i>Joshua Thijssen</i> describes a data structure that helps when processing large amounts of data (in his example, the text of a book) and you need to check whether a given item is in the set: a Bloom filter.
</p>
<blockquote>
Most of my co-workers have never really heard of bloom filters, and I continuously need to explain what they are, what their purpose is and why it's a better solution than other ones. So let's do an introduction on bloom filters. [...] Bloom filters have the property of being exceptionally fast AND exceptionally small compared to other structures but it comes with a price: it MIGHT be possible that our bloom filter thinks that an element is inside our set, when it really isn't. Luckily, the reverse is not possible: when a bloom filter says something is NOT in the set, you are 100% sure that it isn't part of the set.
</blockquote>
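<p>
To make the "maybe" concrete, here is an added example in plain PHP. It is neither Joshua Thijssen's code nor the bloomy extension; the bit-array size (m), the number of hash positions per item (k) and the sample words are all assumptions chosen for the demonstration.
</p>

```php
<?php
// Added example: a minimal Bloom filter in plain PHP. Not Joshua Thijssen's
// code and not the bloomy extension; m, k and the sample input are assumptions.
final class BloomFilter
{
    private $bits;       // packed bit array, one bit per position
    private $size;       // m, number of bits
    private $hashCount;  // k, positions set per item (capped at 8 by the digest size)

    public function __construct($size = 8192, $hashCount = 4)
    {
        $this->size = (int) $size;
        $this->hashCount = min(8, (int) $hashCount);
        $this->bits = str_repeat("\0", (int) ceil($this->size / 8));
    }

    // k positions derived from one SHA-256 digest, four bytes per position.
    // Any fast hash would do; SHA-256 is used only because it is always
    // available and its output bytes are independent enough for small k.
    private function positions($item)
    {
        $digest = hash('sha256', (string) $item, true);
        $positions = array();
        for ($i = 0; $i < $this->hashCount; $i++) {
            $n = unpack('N', substr($digest, $i * 4, 4));
            $positions[] = ($n[1] & 0x7fffffff) % $this->size;   // keep it non-negative on 32-bit PHP
        }
        return $positions;
    }

    public function add($item)
    {
        foreach ($this->positions($item) as $pos) {
            $byte = $pos >> 3;
            $this->bits[$byte] = chr(ord($this->bits[$byte]) | (1 << ($pos & 7)));
        }
    }

    // false means "definitely not in the set"; true means "probably in the set".
    public function mightContain($item)
    {
        foreach ($this->positions($item) as $pos) {
            if ((ord($this->bits[$pos >> 3]) & (1 << ($pos & 7))) === 0) {
                return false;   // one unset bit is proof of absence
            }
        }
        return true;
    }

    public function sizeInBytes()
    {
        return strlen($this->bits);
    }
}

// Constructed input: a handful of words standing in for the text of a book.
$words = explode(' ', 'it was the best of times it was the worst of times');
$filter = new BloomFilter(1024, 3);
foreach ($words as $w) {
    $filter->add($w);
}

var_dump($filter->mightContain('worst'));   // added words always answer true (no false negatives)
var_dump($filter->mightContain('banana'));  // a true here would be a false positive
var_dump($filter->sizeInBytes());

// Measure the false-positive rate empirically on items that were never added.
$falsePositives = 0;
for ($i = 0; $i < 10000; $i++) {
    if ($filter->mightContain('never-added-' . $i)) {
        $falsePositives++;
    }
}
printf("false positive rate: %.4f\n", $falsePositives / 10000);
```

<p>
The whole set of words fits in 128 bytes regardless of how many words are added; what grows is the false-positive rate, which the loop at the end measures. The asymmetry is what makes the structure useful in security tooling such as blocklist or breached-password pre-checks: a "no" can be acted on immediately, while a "yes" is only a signal to go and consult the real set.
</p>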
<p>
He explains how the filter works, noting how much less memory it needs and how it can give a "maybe" response instead of an absolute "yes" or "no". He also points out <a href="http://pecl.php.net/package/bloomy">a PHP extension, bloomy</a>, that takes the hard work out of it for you.
</p>]]></description>
      <pubDate>Mon, 09 Apr 2012 11:13:32 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[NetTuts.com: Create Instagram Filters With PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/17728</guid>
      <link>http://www.phpdeveloper.org/news/17728</link>
      <description><![CDATA[<p>
On NetTuts.com there's a new tutorial showing how you can <a href="http://net.tutsplus.com/tutorials/php/create-instagram-filters-with-php/">create Instagram-like filters</a> in PHP using the <a href="http://www.imagemagick.org/script/index.php">ImageMagick</a> library/extension.
</p>
<blockquote>
PHP comes bundled with <a href="http://www.php.net/manual/en/book.image.php">GD</a> (GIF Draw/Graphics Draw), which is a library for the dynamic creation of images. It can be used for simpler image operation, such as resizing, cropping, adding watermarks, <a href="http://net.tutsplus.com/articles/news/how-to-dynamically-create-thumbnails/">creating thumbnails</a> (Jeffrey wrote about it), applying basic photo filters - you've probably used it before. Unfortunately, if you want to create something more complex with GD, like Instagram effects, you can't. Luckily, though, we have ImageMagick!
</blockquote>
<p>
He starts off by comparing the two graphics libraries and talks briefly about <a href="http://www.imagemagick.org/script/binary-releases.php">how to download</a> and install ImageMagick on your development platform. Included is a PHP class to help you use it, complete with functions for changing the color tone of the image, adding a border and adding a <a href="http://en.wikipedia.org/wiki/Vignetting">vignette</a> to the image. Also included are some "presets" represented in a few simple functions:
</p>
<ul>
<li>Gotham</li>
<li>Toaster</li>
<li>Nashville</li>
<li>Lomo</li>
<li>Kelvin</li>
</ul>
<p>
There are also a few links to other resources you can use to find out more about what ImageMagick has to offer.
</p>]]></description>
      <pubDate>Mon, 26 Mar 2012 10:07:37 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[PHPMaster.com: ClamAV as a Validation Filter in Zend Framework]]></title>
      <guid>http://www.phpdeveloper.org/news/17365</guid>
      <link>http://www.phpdeveloper.org/news/17365</link>
      <description><![CDATA[<p>
New on PHPMaster.com there's a tutorial showing you how to use <a href="http://www.clamav.net/lang/en/">ClamAV</a> support to <a href="http://phpmaster.com/zf-clamav/">work as a validation filter</a> in a Zend Framework application. ClamAV is an open source project that helps identify malicious threats like trojans, viruses and other malware.
</p>
<blockquote>
Ok, so you're pretty comfortable with using the Zend Framework, specifically the use of Forms. Along with that, you have a good working knowledge of how to combine a host of <a href="http://framework.zend.com/manual/en/zend.validate.html">standard validators</a> [...] but what do you do when a situation arises that's outside the scope of the pre-packaged validators and filters? Let's say you want to guard against users uploading files that contain viruses, for example. You would have to write a custom validator that checks the uploads aren't infected.
</blockquote>
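<p>
What such a validator looks like, as an added example that is not the PHPMaster article's code: it assumes Zend Framework 1 (Zend_Validate_Abstract, Zend_Form_Element_File) on the include path and the php-clamav extension providing cl_scanfile() with the CL_CLEAN and CL_VIRUS constants. The class name My_Validate_ClamAv, the message keys and the form wiring are mine.
</p>

```php
<?php
// Added example, not the PHPMaster code. Assumptions: Zend Framework 1 on the
// include path; the php-clamav extension provides cl_scanfile() plus the
// CL_CLEAN / CL_VIRUS constants. Class name and message keys are mine.
class My_Validate_ClamAv extends Zend_Validate_Abstract
{
    const INFECTED   = 'clamAvInfected';
    const UNREADABLE = 'clamAvUnreadable';
    const SCAN_ERROR = 'clamAvScanError';

    protected $_messageTemplates = array(
        self::INFECTED   => "File '%value%' was rejected: malware '%virus%' detected",
        self::UNREADABLE => "File '%value%' could not be read",
        self::SCAN_ERROR => "File '%value%' could not be scanned",
    );

    // Lets %virus% in the template expand to $this->_virus.
    protected $_messageVariables = array('virus' => '_virus');
    protected $_virus = '';

    // Zend_File_Transfer passes the temporary path as $value and the $_FILES
    // entry as $file; a plain form value arrives with $file === null.
    public function isValid($value, $file = null)
    {
        $path = (is_array($file) && isset($file['tmp_name'])) ? $file['tmp_name'] : $value;
        $this->_setValue($path);

        if (!is_string($path) || !is_readable($path)) {
            $this->_error(self::UNREADABLE);
            return false;
        }

        $virusName = '';
        $result = cl_scanfile($path, $virusName);   // php-clamav extension

        if ($result === CL_VIRUS) {
            $this->_virus = (string) $virusName;
            $this->_error(self::INFECTED);
            return false;
        }
        if ($result !== CL_CLEAN) {
            // Fail closed: an upload the scanner could not examine is invalid.
            $this->_error(self::SCAN_ERROR);
            return false;
        }
        return true;
    }
}

// Wiring it into a form: validators run against the uploaded temp file before
// receive() moves it anywhere.
$form = new Zend_Form();
$form->setAttrib('enctype', 'multipart/form-data');

$upload = new Zend_Form_Element_File('document');
$upload->setLabel('Document')
       ->setRequired(true)
       ->addValidator('Size', false, 5 * 1024 * 1024)
       ->addValidator(new My_Validate_ClamAv(), true);   // break the chain on a hit

$form->addElement($upload);

if ($form->isValid($_POST)) {
    $upload->receive();
}
```

<p>
Two practitioner notes. The scan-error branch deliberately fails closed: an upload that cannot be scanned is treated the same as a hit, otherwise an attacker can get a file through simply by making the scanner choke on it. And cl_scanfile() runs the scan inside the PHP process with the signature database loaded there; most production deployments instead keep one clamd daemon running and hand it the file over its socket (or via clamdscan), which keeps the signatures loaded once and out of the web worker.
</p>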
<p>
You'll need to install the <a href="http://sourceforge.net/projects/php-clamav">ClamAV extension</a> on your local machine for the feature to work. Once it's there, though, it's as simple as setting up the validator (based on Zend_Validate_Abstract) and calling the "cl_scanfile" function on the uploaded file. Also included is the code for a sample controller with a Zend_Form instance and an upload file field to help prove it's working.
</p>]]></description>
      <pubDate>Mon, 09 Jan 2012 12:20:48 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Jake Smith's Blog: Callback Filter Iterator in PHP 5.3/5.4]]></title>
      <guid>http://www.phpdeveloper.org/news/17202</guid>
      <link>http://www.phpdeveloper.org/news/17202</link>
      <description><![CDATA[<p>
<i>Jake Smith</i> has a new post to his blog today about a feature included in PHP's <a href="http://php.net/spl">Standard PHP Library</a> that you might have overlooked - <a href="http://jakefolio.com/2011/12/callback-filter-iterator-in-php/">the FilterIterator's callback functionality</a>.
</p>
<blockquote>
The Filter Iterator is probably my second favorite iterator, next to Directory Iterator. There are many great use cases for the Filter Iterator, and when you do filter, the original data is left untouched. A Filter Iterator is really simple to use: create a class that extends FilterIterator and adjust the accept method to meet your criteria. This is great and all, but having the ability to create filter iterators on the fly, ones that won't be used application wide, without having to create a class is even better.
</blockquote>
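<p>
An added example of the idea, not Jake Smith's code: a PHP 5.3-compatible callback filter class beside the built-in CallbackFilterIterator from PHP 5.4, both run over a few constructed access-log entries to pick out requests that look like probing. The class name, the closure and the sample entries are mine.
</p>

```php
<?php
// Added example, not Jake Smith's code. A PHP 5.3-compatible callback filter
// iterator beside the built-in CallbackFilterIterator (PHP 5.4+), applied to
// constructed access-log entries. Class and variable names are mine.
class FilterCallbackIterator extends FilterIterator
{
    private $callback;

    public function __construct(Iterator $iterator, $callback)
    {
        if (!is_callable($callback)) {
            throw new InvalidArgumentException('callback must be callable');
        }
        parent::__construct($iterator);
        $this->callback = $callback;
    }

    // FilterIterator calls accept() for every element; true keeps it, the
    // inner iterator is never modified.
    public function accept()
    {
        return (bool) call_user_func(
            $this->callback, $this->current(), $this->key(), $this->getInnerIterator()
        );
    }
}

// Constructed log entries: client ip, response status, request path.
$entries = new ArrayIterator(array(
    array('ip' => '10.0.0.5',  'status' => 200, 'path' => '/index.php'),
    array('ip' => '10.0.0.9',  'status' => 404, 'path' => '/wp-login.php'),
    array('ip' => '10.0.0.9',  'status' => 200, 'path' => '/../../etc/passwd'),
    array('ip' => '10.0.0.12', 'status' => 500, 'path' => '/api?id=1%20OR%201=1'),
));

// Keep only requests that look like probing: 404s, path traversal, SQL keywords.
$suspicious = function (array $entry) {
    return $entry['status'] === 404
        || strpos($entry['path'], '..') !== false
        || stripos(rawurldecode($entry['path']), ' or ') !== false;
};

foreach (new FilterCallbackIterator($entries, $suspicious) as $key => $entry) {
    printf("%d %s %s\n", $key, $entry['ip'], $entry['path']);
}

// The same filter with the built-in class (PHP 5.4+). Its callback receives
// ($current, $key, $iterator); extra arguments the closure ignores are fine.
if (class_exists('CallbackFilterIterator')) {
    $count = iterator_count(new CallbackFilterIterator($entries, $suspicious));
    printf("%d suspicious entries of %d\n", $count, count($entries));
}
```

<p>
Note that the keys of the original ArrayIterator survive filtering, so the matches can still be traced back to their position in the source, and the source itself is untouched: running the second loop over the same $entries sees all four entries again.
</p>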
<p>
He includes a bit of code defining a FilterCallbackIterator class with a "callback" parameter passed into the constructor (in his case, a closure). Also included is some sample code of it in use, handling an array (well, an ArrayIterator) with a simple true/false check on the current array value. PHP 5.4 ships this as the built-in CallbackFilterIterator; you can find out more in <a href="http://www.php.net/manual/en/class.callbackfilteriterator.php">the PHP manual</a>.
</p>]]></description>
      <pubDate>Fri, 02 Dec 2011 08:44:34 -0600</pubDate>
    </item>
    <item>
      <title><![CDATA[Reddit.com: How do YOU sanitize input?]]></title>
      <guid>http://www.phpdeveloper.org/news/17082</guid>
      <link>http://www.phpdeveloper.org/news/17082</link>
      <description><![CDATA[<p>
On Reddit.com there's a recent post that asks the question <a href="http://www.reddit.com/r/PHP/comments/luprk/how_do_you_sanitize_input/">How do YOU sanitize input</a> in your PHP applications?
</p>
<blockquote>
I am developing some software for my high school using HTML, CSS, MySQL, and most importantly PHP. [...] So I pose this question, what is YOUR favorite way to sanitize input for inserting, updating, or selecting from a database? Also, is there any way you prefer to verify that input is of a certain type, and only of that type ie, if you're expecting an int or a string, how would you make sure you are receiving one?
</blockquote>
<p>
Answers on <a href="http://www.reddit.com/r/PHP/comments/luprk/how_do_you_sanitize_input/">the post</a> touch on things like:
</p>
<ul>
<li>parametrised queries for databases</li>
<li><a href="http://php.net/filter_var">filter_var</a> and the <a href="http://php.net/manual/en/filter.filters.php">filter types</a></li>
<li>"sanitized" versus "database-safe"</li>
<li>using <a href="http://php.net/pdo">PDO</a></li>
<li>avoiding the false sense of security that functions like <a href="http://php.net/mysql_escape_string">mysql_escape_string</a> and <a href="http://php.net/mysql_real_escape_string">mysql_real_escape_string</a> give</li>
</ul>]]></description>
      <pubDate>Thu, 03 Nov 2011 11:04:02 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[DeveloperDrive.com: Common Mistakes to Avoid When Coding in PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/17012</guid>
      <link>http://www.phpdeveloper.org/news/17012</link>
      <description><![CDATA[<p>
On the DeveloperDrive.com site today there's a new post with a few reminders for PHP developers of things that are easy to forget when writing your applications: some <a href="http://www.developerdrive.com/2011/10/common-mistakes-to-avoid-when-coding-in-php/">common mistakes to avoid</a>.
</p>
<blockquote>
Despite the high expectations placed on them at times, developers are human. They were the last time we checked anyways. As humans, we are bound to make mistakes from time to time. And simple, common mistakes often slip past our filters the more comfortable we become with something. [...] But knowing what these common mistakes are and how to avoid them can really help speed up the development process and keep our clients smiling.
</blockquote>
<p>
His list includes three big ones that, if forgotten, could end up being detrimental to your application sooner or later: poor housekeeping/organization of code, forgetting punctuation and forgetting to validate input from users.
</p>]]></description>
      <pubDate>Wed, 19 Oct 2011 09:17:59 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[DeveloperDrive.com: What Web Developers Need to Know About Cross-Site Scripting]]></title>
      <guid>http://www.phpdeveloper.org/news/17002</guid>
      <link>http://www.phpdeveloper.org/news/17002</link>
      <description><![CDATA[<p>
On the DeveloperDrive.com site there's a recent post that anyone wondering about cross-site scripting should read. It <a href="http://www.developerdrive.com/2011/10/what-web-developers-need-to-know-about-cross-site-scripting/">introduces the basic concept</a> and two things you can do to help prevent such attacks.
</p>
<blockquote>
This little fable describes the most common vulnerability found in web sites, the Cross Site Scripting (XSS) attack. According to a report from <a href="http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=221601529">WhiteHat Security</a> 83 percent of websites they tested have had at least one serious vulnerability and 66 percent of all websites with vulnerabilities are susceptible to XSS attacks making it the most common vulnerability web developers face. To fix this, it takes 67 days on average. Tools like <a href="http://www.owasp.org/index.php/Main_Page">WebScarab</a> and <a href="http://www.parosproxy.org/index.shtml">Paros Proxy</a> can be used to scan sites for possible vulnerabilities.
</blockquote>
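<p>
Both this post and the PHPMaster XSS tutorial earlier in this feed come down to the same two moves, validate on input and escape on output, so one added example serves both. It is not code from either article: a vulnerable reflected echo beside its escaped version, a whitelist validator, the URL-attribute case that plain escaping does not cover, and the persistent (stored) case. The attack string and comment data are constructed; the helper names are mine.
</p>

```php
<?php
// Added example, not from either article. Reflected XSS: the vulnerable echo
// beside its escaped version, plus the validation step both posts recommend.
// The attack string below is constructed for the demonstration.
$attack = '"><script>alert(document.cookie)</script>';

// Vulnerable: user input is copied straight into the page, so the browser runs it.
function greetVulnerable($name)
{
    return '<p>Hello, ' . $name . '</p>';
}

// Output escaping for the HTML body and quoted-attribute contexts. ENT_QUOTES
// covers both quote characters; the charset must match the page's encoding.
function e($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function greetSafe($name)
{
    return '<p>Hello, ' . e($name) . '</p>';
}

// Input validation: accept only what a username can legitimately be. This is
// the "validate" half; it does not replace escaping on output.
function validUsername($name)
{
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

// A URL attribute needs more than escaping: "javascript:alert(1)" passes
// through htmlspecialchars() untouched, so the scheme is allow-listed first.
function profileLink($url, $label)
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, array('http', 'https'), true)) {
        $url = '#';
    }
    return '<a href="' . e($url) . '">' . e($label) . '</a>';
}

// Persistent (stored) XSS is the same bug with a database in between: escape
// when rendering, not when saving, so the stored text stays usable elsewhere
// (search, JSON APIs, e-mail) without double-encoding.
function renderComments(array $comments)
{
    $html = '<ul>';
    foreach ($comments as $c) {
        $html .= '<li>' . e($c['author']) . ': ' . e($c['body']) . '</li>';
    }
    return $html . '</ul>';
}

echo greetVulnerable($attack), "\n";
echo greetSafe($attack), "\n";
var_dump(validUsername($attack));
echo profileLink('javascript:alert(1)', 'me'), "\n";
echo renderComments(array(array('author' => 'mallory', 'body' => $attack))), "\n";
```

<p>
The vulnerable line emits the script tag verbatim and the browser executes it; the escaped line turns <code>&lt;</code>, <code>&gt;</code> and <code>"</code> into entities so the same bytes render as text. Escaping is per context: the body/attribute helper above is wrong for a JavaScript string or a CSS value, which need their own encoders, and no amount of escaping fixes an attacker-chosen URL scheme, which is why profileLink() checks it first.
</p>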
<p>
They offer two simple pieces of advice that are all too easy to forget when developing applications: validate all user input to ensure it's what it should be, and escape any untrusted output (sometimes even your own!) before pushing it out to the page.
</p>]]></description>
      <pubDate>Mon, 17 Oct 2011 13:39:23 -0500</pubDate>
    </item>
    <item>
      <title><![CDATA[PHPMaster.com: File Uploads with PHP]]></title>
      <guid>http://www.phpdeveloper.org/news/16907</guid>
      <link>http://www.phpdeveloper.org/news/16907</link>
      <description><![CDATA[<p>
SitePoint's PHPMaster.com site has a new tutorial today from <i>Timothy Boronczyk</i> about <a href="http://phpmaster.com/file-uploads-with-php/">handling file uploads</a> in PHP. It's a pretty basic introduction and is perfect for those new to PHP.
</p>
<blockquote>
What do pictures in an online photo album, email attachments in a web-based mail client, and data files submitted to an online application for batch processing all have in common? They all rely on the ability to upload files across the Internet from the user's web browser. Indeed, uploading files is an important feature of many of the sites and web-based applications we use on a daily basis. In this post, I show you how to add support for file uploads to your site using PHP.
</blockquote>
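<p>
The receiving script is where uploads go wrong, so here is an added example of the backend half, not the tutorial's own code. It assumes a form field named <code>photo</code> submitted with <code>enctype="multipart/form-data"</code>, an upload directory outside the document root (the UPLOAD_DIR constant is an assumption), and that only JPEG, PNG and GIF images are wanted; the function and constant names are mine.
</p>

```php
<?php
// Added example, not the PHPMaster tutorial's script. Assumptions: the form
// field is named "photo", UPLOAD_DIR is outside the document root, and only
// JPEG, PNG and GIF images are wanted.
define('UPLOAD_DIR', '/var/app/uploads');   // assumption: not web-accessible
define('MAX_UPLOAD_BYTES', 2 * 1024 * 1024);

function storeUploadedImage(array $file, $destDir)
{
    // 1. Did PHP accept the upload at all? (upload_max_filesize etc. apply first)
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . (isset($file['error']) ? (int) $file['error'] : -1));
    }
    // 2. Only touch a file PHP itself placed in the temp dir, never an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 3. $file['type'] and $file['name'] are sent by the browser and can be
    //    anything; decide the type from the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type ' . $mime);
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // 4. Never reuse the client's filename: generate one, with an extension we chose.
    $newName = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];   // random_bytes(): PHP 7+
    $dest = rtrim($destDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640);   // readable by the web server, not executable
    return $newName;
}

// Serve stored files through a script so the upload directory is never exposed
// directly and the response type is chosen by the server, not the uploader.
function sendStoredImage($name, $srcDir)
{
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);   // also blocks "../" traversal in $name
        return;
    }
    $path = rtrim($srcDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $types = array('jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
    header('Content-Type: ' . $types[substr($name, -3)]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    try {
        $stored = storeUploadedImage($_FILES['photo'], UPLOAD_DIR);
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} elseif (isset($_GET['img'])) {
    sendStoredImage($_GET['img'], UPLOAD_DIR);
}
```

<p>
The content check is deliberately layered: finfo and getimagesize() both look at the bytes, but a valid GIF can still carry <code>&lt;?php</code> in a comment block, which is why the file also gets a server-chosen name, lives outside the document root and is only ever sent back with a fixed Content-Type. If uploads must sit under the web root, disable script execution for that directory at the web server as well.
</p>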
<p>
He starts with the changes you might need to make to your php.ini configuration file (for allowing uploads and setting a temporary directory) and a basic "form" tag with the necessary "enctype" setting. The sample form includes a "file" type field that submits the file data to a waiting PHP script on the backend. The script looks for the submitted file in the $_FILES superglobal and, after doing some filtering on the name and content type, moves it to a new directory. Bear in mind that the content type in $_FILES is whatever the browser declared, so it cannot be the only check.
</p>]]></description>
      <pubDate>Mon, 26 Sep 2011 11:42:40 -0500</pubDate>
    </item>
  </channel>
</rss>

