If you happen to keep a tab on the various posts in the community, you have undoubtedly noted a variety of opinions on the subject-I think that security doesn't belong in the language, Chris has made his point clear and Harry sort-of responded to both of us.

As a community, we are all tasked with ensuring that PHP becomes a better product. And by "community" I really mean everyone-individuals, OSS groups and commercial entities. I think that finally, after so many false starts, we are beginning to do a good job of it, too.

The post continues on, talking more about the ever-growing trend towards PHP5 and a push forward towards applications written with it with better security and less issues overall...]]> Fri, 03 Feb 2006 06:36:09 -0600 http://www.phpdeveloper.org/news/4687 http://www.phpdeveloper.org/news/4687 Chris Shiflett has this post today about the partnership between php|architect and the Pro PHP Podcast.

You've probably heard the good news about the Pro PHP Podcast. The guys behind the show (Marcus Whitney and Chris Cornutt) are joining forces with php|architect in what should be a good thing for all of us.

So, I was very happy to hear about the partnership with php|architect, because I know this will let Marcus focus on the show. There are also regular newscasts planned, and Chris is asking, What do you want out of your news?

Always good to see community support behind a project...and remember, the first show of this new partnership is happening January 27th, an interview with Andi Gutmans that will be broadcast live. Click here to sign up...]]> Thu, 19 Jan 2006 06:38:32 -0600 http://www.phpdeveloper.org/news/4654 http://www.phpdeveloper.org/news/4654 Chris Shiflett has posted this new item on his blog today with his look back at his year in 2005 - both personal and community related.

In the tradition of my 2003 and 2004 highlights, I'm posting my personal highlights of 2005. As in years past, this is mainly for my own benefit. I hope everyone has a wonderful 2006.

Some of the more memorable things on his list include:

• the launch of the PHP Security Consortium
• the launch of his consulting company, BrainBulb
• made numerous speeches
• completed his second book, PHPDecurity.org, a companion to it

Overall, a great year...he also includes some of the things that he'd like to do in the next year as well (speak at fewer conferences, contribute more to open source, etc). ]]> Fri, 13 Jan 2006 06:45:52 -0600 http://www.phpdeveloper.org/news/4549 http://www.phpdeveloper.org/news/4549 Chris Shiflett has a new post on his blog today that points to a sample chapter of his book, "Essential PHP Security", that's been posted over on MySQL's Developer Zone.

The sample chapter of Essential PHP Security for MySQL's Developer Zone is now available: Chapter 2, Forms and URLs.

This chapter discusses form processing and the most common types of attacks that you need to be aware of when dealing with data from forms and URLs. You will learn about attacks such as cross-site scripting (XSS) and cross-site request forgeries (CSRF), as well as how to spoof forms and raw HTTP requests manually. By the end of the chapter, you will not only see examples of these attacks, but also what practices you can employ to help prevent them.

If you haven't gotten a chance to check out the book, you definitely should. It's recieved greate reviews by people all over the community, and thought smaller, contains a lion's share of information about PHP security matters...]]> Thu, 22 Dec 2005 11:00:47 -0600 http://www.phpdeveloper.org/news/4540 http://www.phpdeveloper.org/news/4540 Chris Shiflett has two posts about a problem with Google and a Cross-site Scripting attack that it's vulnerable to.

From this post: The recent cross-site scripting (XSS) vulnerability discovered in Google perfectly illustrates why character encoding matters. This example demonstrates how to use PHP's htmlentities() with the optional third argument that indicates the character encoding.

By way of demonstration, he provides a little PHP script that makes a request in a different character encoding than Google can handle. Coupled with the small response from Google, a UTF-7 character sent to certain browsers could be interpreted and executed.

In this second post, he answers a question from the comments - "how will this effect my site?"

Rather than offer another vague answer, I decided to provide a very simple proof of concept that demonstrates how character encoding inconsistencies can bite you. Google's vulnerability has of course been fixed, but with a simple PHP script, we can reproduce the situation.

The script, though escaped, still causes a Javascript popup box to show when the page is loaded - all due to a lack of improper character encoding handling...]]> Thu, 22 Dec 2005 06:19:39 -0600 http://www.phpdeveloper.org/news/4533 http://www.phpdeveloper.org/news/4533 his latest post today, John Cox takes a look at one of the latest posts from the SitePoint PHP blog - the Top 7 PHP Security Blunders.

This morning I read the Top 7 PHP Security Blunders which contained (at least in my mind) a few questionable comments about PHP security. Luckily for the early readers of the article, there was a very long comment by comments were a very nice critique of the article which also corrects a few obvious mistakes within the article itself.

The comments have now been pushed off the main article to the forum, (which is a shame) but as a developer, you would be doing yourself a disservice by not also taking the time to read the counter-point. They are insightful without being inflammatory.

The comments by Chris that he makes reference to can be found here in the SitePoint forums...]]> Wed, 21 Dec 2005 07:08:07 -0600 http://www.phpdeveloper.org/news/4503 http://www.phpdeveloper.org/news/4503 this new post with an interview with the author of Essential PHP Security, Chris Shiflett.

This is the third in a series of interviews we're making available to the CodeSnipers community. We have been working to track down people who we thought had something valuable to say about the software development community, tools, practices, or direction. Some of the names you will recognize immediately, others you've probably never heard of, but all of them have made an impact in one way or another. Without further delay... we have Chris Shiflett author of Essential PHP Security.

As Chris notes in his blog entry, they talk about everything - from his book to his involvement in the PHP community...]]> Thu, 15 Dec 2005 06:45:45 -0600 http://www.phpdeveloper.org/news/4450 http://www.phpdeveloper.org/news/4450 Chris Shiflett has created a companion site for his O'Reilly book "Essential PHP Security" - PHPSecurity.org.

PHPSecurity.org, the companion web site for my new book, Essential PHP Security, is now online. Many thanks to Amy Hoy for the excellent design!

I've included the table of contents, the (unfortunate) errata, some reviews, and the code repository.

He also notes that, while there are partial examples in the book, there is no complete example that could be used to do anything malicious (the parts are there, obviously, but just not in once place). Overall, though, he says that the book has been doing well, and has gotten a very warm reception from the community - hence the expansion out to the new site...]]> Wed, 07 Dec 2005 07:03:43 -0600 http://www.phpdeveloper.org/news/4295 http://www.phpdeveloper.org/news/4295 Davey Shafik has this review of Chris Shiflett's Essential PHP Security guide from O'Reilly.

I was fortunate enough to receive a copy of Chris Shiflett's book, Essential PHP Security published by O'Reilly.

Chris does an excellent job dissecting and explaining each of the 8 major security topics he covers in his book, first outlines what exactly the problem is, how easily it is to fall into the trap of making your code vulnerable to it, and how it is generally exploited. He then goes on to tell you how you can be sure that you are not vulnerable in the future.

He also notes that the "Essential" in the name is quite appropriate, and that if you purchase one PHP security book, make this the one...]]> Mon, 14 Nov 2005 06:11:34 -0600