Robert Basic:
CLI command to whitelist Composer packages
Dec 04, 2017 @ 15:35:37

Robert Basic has shared a quick tip for the Composer users out there (you do use Composer, right?) showing how to exclude certain packages from updates without having to whitelist packages all the time.

Given that Composer has no --exclude flag or similar, the only other option is to create a list of packages we allow to be updated, excluding the ones we don’t want to be updated. We need to create a whitelist.

Creating it manually would be a PITA though, especially if there’s a lot of packages to include or exclude. CLI to the rescue!

He includes a command that grabs the packages from the current composer info listing (using grep, sed, cut and paste). He walks through the command showing how it works to pull the package information out. With the help of the -v option for grep it's easy to remove certain items from the list (blacklist) and to provide a string back to composer that can then be used to update only the remaining packages.

tagged: composer package commandline cli whitelist blacklist

Link: https://robertbasic.com/blog/cli-command-to-whitelist-composer-packages/

Code Yellow Blog:
What Your Framework Never Told You About SQL Injection Protection
May 23, 2014 @ 18:51:20

The Code Yellow site has recently posted an article pointing out an issue that's all too common in PHP frameworks, more specifically those that bundle some kind of ORM into their functionality. They wonder whether your framework is telling you everything about what it's doing to prevent SQL injection.

We've discovered that SQL injection is to this day not a fully solved problem, even in most popular frameworks. In this post, we'll explain how these frameworks fail at escaping parts of a query, culminating in the discovery of a critical vulnerability in the popular Laravel framework which affects a large percentage of applications.

They start with an illustration using the FuelPHP framework and the protection it offers from garden-variety SQL injection attempts. Unfortunately, things start to break down once you get much past this typical case: values are escaped, but identifiers (table and column names) are not. They found this same issue to be a widespread problem in many PHP frameworks and tools, including the Laravel, CodeIgniter and CakePHP frameworks, each with their own ORMs. They also talk about issues with blacklisting and whitelisting and how, sadly, most of the frameworks just don't support it for model data filtering. There's a mention of some of the work they've done to help try and fix the issue (including patches and contacting authors) and some recommendations on how to correctly quote identifiers in SQL statements.

tagged: sqlinjection framework whitelist blacklist identifiers escape prepared statements

Link: http://www.codeyellow.nl/identifier-sqli.html

Mike Lively's Blog:
Improved PHPUnit Filters
Feb 03, 2009 @ 15:32:26

In a recent post to his blog, Mike Lively looks at some improvements that he's worked up for the popular PHP unit testing software, PHPUnit, with regard to its filters.

I have finally gotten some time to do some long awaited work on PHPUnit. The first on my agenda was a small improvement to filtering. This was related to ticket #526. Essentially I added the ability to do both white list and black list filtering.

Besides the Include methods you can add to the data set's filtering, you can also add in Exclude filters to remove the data you don't want in the set. They can also be combined to customize your data set to your heart's content.

tagged: input filter phpunit include exclude whitelist blacklist

Link:

NETTUTS.com:
The Best Ways to Fight Spam
Oct 06, 2008 @ 14:30:28

Spam is a constant burden for anyone on the web, be it through email or via something like comments on a website. The NETTUTS site can't help so much with the first one, but they've come up with a new tutorial that can help with the second with a few methods.

Deciding on the best method of spam prevention on your blogs, forums, or even contact forms can be difficult. In this article we will take a look at a service called Akismet and how it can help. We will also look at why some other methods of fighting spam fail.

They give a few ways to waylay the spammers including:

  • Disallowing multiple consecutive submissions
  • Keyword Blacklist
  • CAPTCHA
  • and a service called Akismet

They go into a bit more detail on this last one, even going so far as to include code (this class) and examples of how to let the Akismet service decide whether something is spam or not. Links to libraries for other languages are included too.

tagged: fight spam captcha consecutive keyword blacklist akismet tutorial

Link:

Sebastian Nohn's Blog:
Using Net_DNSBL and Nagios to check if your SMTP server is listed in a RBL
Oct 05, 2007 @ 15:22:00

Sebastian Nohn has created a handy little script using PEAR packages to work with a Nagios installation to perform an automatic check - validating that your domain isn't listed with the given black lists.

RBLs are a great way to get rid of a lot of SPAM (if you choose the right ones). On the other hand you (and users of your mail server) get in big trouble if your SMTP server gets listed on a common RBL.

Checking this manually is a job that sucks a lot, checking this automatically is an easy job with Nagios, PHP, Net_DNSBL and Console_Getopt.

He includes the parts you'll need - grabbing the PEAR package, the PHP script to make the request and the changes you'll need to make to the configuration files to make it all work together.

tagged: netdnsbl nagios smtp blacklist check pear package

Link:

DevShed:
Creating an Administration Area for a Simple Threaded Discussion Forum
Oct 23, 2006 @ 17:12:00

DevShed continues their look at creating a simple threaded discussion forum with part two in the series, focusing on creating the administrator panel to help you manage users and the topics/comments they make.

This article, the second of two parts, will show you how to set up an administration area for a threaded discussion forum, and some of the functions you might want an administrator to manage.

Included is the functionality to get a listing of all of the topics, delete topics quickly, start new topics, and manage a "blacklist" of bad words to keep out of the discussions. Of course, the code is all there and they explain each piece of it. They keep it simple though - the code is pretty procedural, with only functions dividing the functionality into pieces.

tagged: administration forum simple tutorial threaded blacklist topics function

Link:

SitePoint PHP Blog:
Zend_Filter Reviewed, Blacklist / Whitelist Filters
Mar 29, 2006 @ 00:20:37

The Zend Framework has definitely made a huge splash in the PHP community, and everyone is picking their piece of it to cover. In this new post from the SitePoint PHP blog, Maarten Manders highlights the Zend_Filter module.

I like Zend Framework's Zend_Filter class. It's basically a set of methods for validating untrusted data. Although the two arguably most important features isEmail() and isUri() (the latter can be worked around with Zend_Uri) are still missing, the whole thing looks promising already.

He starts with a few of his thoughts on the package ("Clean up the code of isHostname", "International support for isPhone") and some code to show how it can be implemented - filtering for use in a regular expression, validation of a string by a character whitelist as well as blacklisting, and using the Zend_Filter module for a more flexible isName.

tagged: zend framework zend_filter whitelist blacklist

Link:
