Unfortunately, this Webinar was in German, but if you understand German you might be interested in the Webinar recording which is now available at MySQL's website.

The webinar looks at previous attack types, things that MySQL already includes to help prevent SQL injections, handling multi-byte caharacters and correct error handling.

The new Zend_File_Transfer component is growing day for day. As incredible new feature this component allows to use file validators. These are necessary to increase security and allow to define rules for file uploads (and also downloads in future).

He illustrates with a simple Zend_File_Transfer object that uses an addValidators call to limit the size of the upload to 50 KB. Other validation rules include count (the number of files to expect), extension, filessize and imagesize. Using these he makes a "more secure" upload object setting the size to 205KB, to expect five files that are all under 1MB and are of the types gif/jpg/png.

Anyone who gets me liquored up knows that I'm not a fan of Wordpress. I think it's great from a user (that is, the person writing the content) standpoint, but it has lagged behind severely in terms of security, and I don't believe its popularity is the sole reason WP has been the subject of dozens of vulnerability reports every year. That being said, the WP 2.5 release appears to offer significant improvements in a couple areas: password hashes and cookie data encryption.

He mentions two things in particular - their addition of salted passwords and secure cookies.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

His encryption method - sending everything in a single string and modifying the scheme each time - uses static pairs of values (of your choosing) to "encode" the outgoing string. It actually consists of three different files: the script itself, a single-use script that makes the third file, an include file to handle the conversion back from the encoded results.

This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages. In order to avoid repeating information covered in the previous article, only the main differences related to the process of securing Apache will be described.

They've broken it up into a few different sections:

• System they'll be using (operating system, functionality assumed, security assumptions)
• Preparing the software
• Installing PHP
• Chrooting the server
• Configuring PHP
• Protecting against CSS and SQL injection attacks

Check out the full tutorial to fill in the blanks of this outline.

The discussion on my blog post "Do not use regular expressions for parsing" ended in a discussion about BBcodes in general. I just used them as an example to demonstrate why it it is impossible to parse such a language with regular expressions - and mentioned in a subclause, that I don't see any sense in using them at all.

He looks at some of the myths surrounding them and their use (more secure, easier to use, safer than HTML) and gives some reasons for making teh choice of HTML over them.

There still seems to be a lot of confusion over the differences between the two extensions despite the length of time that mysqli has been in the wild. I wanted to briefly review the four major benefits of mysqli.

Here's the list

• Prepared Statements
• Secure MySQL connections
• Multi query
• Object Oriented Interface

He also includes a few more links to further information (besides the explanation for each of the topics listed above) including an article from the Zend Developer Zone and a tutorial covering making the switch to MySQLi.

In this article I'm going to show you how you can use PHP to encode your data for transit. Most importantly, it will be done in a way that makes the data decodable, and therefore much more usable, by the receiving page.

They talk about some of the advantages to encryption before getting into how it actually works. Their example script is separated out into three PHP files - the main part of the script, a single-use script that, in turn, creates the third file, include file for the encode/decode functions. With the structure defined, they move on to the code - the generation of the file with the large multi-dimensional array and the two functions to encode and decode the information.

The most secure application is one with no connection to the outside world.

As we've covered, you can't really disconnect the network from your web server if you are building web applications. You can however, carefully consider which servers need to be connected to the outside world and which can be inside your firewall. Beyond that, you can also evaluate how those servers that have to remain outside your firewall communicate with the ones inside.

No, his suggestion is not to take your application "off the grip" but more to limit access to things like database servers to help protect the data that lives inside it.

He mentions issues like:

• a header() issue that results from a call to it with an all-whitespace string
• a session issue in PHP5 where an identifier isn't freed correctly
• and an issue with the compress.bzip2 URL wrapper not following safe_mode or open_basedir restrictions (already corrected).