Sameer Borate's Blog:
Top 25 Most Dangerous Programming Errors
Jul 31, 2009 @ 12:55:44

Sameer has posted about a list compiled by CWE/SANS of what they consider to be the twenty-five most dangerous errors you can commit in application development (PHP-related or not):

The document lists the most common and significant programming errors which can lead to serious software vulnerabilities. [...] The 25 vulnerabilities are divided into three main categories: Insecure Interaction Between Components, Risky Resource Management and Porous Defenses, details of which are listed below.

Some of the items in the list include:

  • Insecure Interaction Between Components - Failure to Preserve SQL Query Structure ('SQL Injection')
  • Risky Resource Management - External Control of Critical State Data
  • Porous Defenses - Execution with Unnecessary Privileges
  • Insecure Interaction Between Components - Cross-Site Request Forgery (CSRF)
  • Porous Defenses - Use of a Broken or Risky Cryptographic Algorithm

You can see the full list here, including explanations for each.

tagged: programming error dangerous

PHPWACT.org:
Handling UTF-8 with PHP
Jan 24, 2008 @ 13:51:00

Ed Finkler has pointed out a handy resource for those trying to cope with using the UTF-8 support included in several of PHP's functions - this page on the Web Application Component Toolkit wiki.

This page is intended as a reference for functionality PHP provides which can either help with handling UTF-8 or should be regarded as a risk when used in conjunction with UTF-8 encoded strings. Further information can be found on the Internationalization (I18N) and Character Sets / Character Encoding Issues pages.

It covers the "dangerous" functionality in PHP (issues present in the language's current functions) when working with the PCRE extension, the string extension, the array functions, variable handling, the XML extensions (DOM and SAX), image manipulation, and URL parsing.

tagged: utf8 dangerous functionality pcre xml string array image url

International PHP Magazine:
IPM Poll Question: Which One is Most Dangerous?
Aug 17, 2006 @ 19:12:41

The International PHP Magazine has posted the results from their latest poll, this time asking which one of their options is the most dangerous kind of problem an application can have.

Options included "remote code execution", "SQL injection", and "file system attacks". Topping the charts, and almost tying for first place, are "remote code execution" and "SQL injection", with SQL injection narrowly edging out remote code execution.

The majority believes that 'SQL Injection' is the most common PHP attack as it garnered 33.6% of the votes. The PHP attack 'Remote Code Execution' scored 30.9% of the votes. The options 'File system attacks' and 'Cross-site Scripting' bagged 10.9% and 8.2% respectively. Not many people seem to consider the existence of any other PHP attack as the option 'Others' polled a dismal 0.9%.

Their latest poll goes with a different subject, asking readers to vote on which of their options is the best way to speed up a site. Check it out and cast your vote today!

tagged: poll question most dangerous attack type sql injection remote execution
