
PHPMaster.com:
5 More PHP Security Vulnerabilities
Nov 13, 2012 @ 20:42:02

On PHPMaster.com there's a continuation of a previous article on security in PHP applications, covering a few more things to consider when trying to make an application secure.

In a previous article, I talked about some common security vulnerabilities that can affect your PHP web application. But there are other things besides those ten (okay, seven) attacks to think about when you’re developing. And so, this article offers a compendium of miscellaneous things that are security related; things you should do, things you shouldn’t do, things that other people might try to do, whatever it takes to make an article long enough for my editor to be satisfied with it.

He covers some of the settings you may need to tweak in your server-side "php.ini" configuration file, gives some hints on filtering input (such as using filter_input), and explains what to watch out for with error reporting. He also covers session fixation and the protection of user data and passwords so they stay out of the hands of would-be attackers.
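The three concerns the article groups together (runtime settings, input filtering, password storage) in one small request guard. This is an added example, not code from the PHPMaster article; it assumes PHP 7.2 or later, the function names are hypothetical, and the sample input arrays are constructed here to stand in for $_POST. The weak value of each setting is named in the comment beside the corrected one.

```php
<?php
// Added example (not from the PHPMaster article). Assumes PHP 7.2+.
declare(strict_types=1);

// 1. Runtime settings. The comment names the weak value; the call sets the
//    corrected one. In production these belong in php.ini, not in ini_set().
function hardenRuntime(): void
{
    ini_set('display_errors', '0');            // weak: '1' leaks paths and SQL to users
    ini_set('log_errors', '1');                // keep the detail, but in the error log
    ini_set('session.use_strict_mode', '1');   // weak: '0' accepts any client-supplied ID (fixation)
    ini_set('session.use_only_cookies', '1');  // weak: '0' lets ?PHPSESSID= ride in URLs and logs
    ini_set('session.use_trans_sid', '0');     // never rewrite the session ID into links
    ini_set('session.cookie_httponly', '1');   // weak: '0' exposes the cookie to document.cookie
    ini_set('session.cookie_secure', '1');     // assumes the site is served over HTTPS
}

// 2. Input filtering: validate the type and range, do not merely escape.
//    filter_var() is used so the function can run on a constructed array; on a
//    live request the equivalent is filter_input(INPUT_POST, 'age',
//    FILTER_VALIDATE_INT, $options) with the same option array.
function validateSignup(array $input): array
{
    $errors = [];

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    }

    $age = filter_var(
        $input['age'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]
    );
    if ($age === false) {
        $errors[] = 'age';
    }

    $password = (string) ($input['password'] ?? '');
    if (strlen($password) < 12) {
        $errors[] = 'password';
    }

    return ['errors' => $errors, 'email' => $email, 'age' => $age, 'password' => $password];
}

// 3. Password storage: never the plaintext, never an unsalted digest.
//    PASSWORD_DEFAULT is bcrypt with a per-password salt; the hash string
//    carries its own algorithm and cost so it can be upgraded later.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Constructed sample input, standing in for $_POST on two different requests.
$good = ['email' => 'alice@example.com', 'age' => '34', 'password' => 'correct horse battery'];
$bad  = ['email' => 'not-an-email',      'age' => '7',  'password' => 'short'];

hardenRuntime();
var_dump(validateSignup($good)['errors']);
var_dump(validateSignup($bad)['errors']);

$hash = storePassword($good['password']);
var_dump(checkPassword('correct horse battery', $hash));
var_dump(checkPassword('wrong password here', $hash));
```

Run from the command line, the first validation yields an empty error list and the second lists all three fields; the first checkPassword call returns true and the second false. Note that display_errors and the session cookie flags are honoured on the next session_start(), so hardenRuntime() must run before the session is opened.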

tagged: security vulnerability tutorial phpini filterinput session fixation user

ServerSide Magazine:
Session Hijacking
Dec 12, 2008 @ 16:23:42

In this recent article from ServerSide Magazine they look at a security issue that can be hard to detect if you're not sure what to look for, session hijacking, and how you can help prevent it on your site.

A must-have for the attacker in a session hijack is the session identifier, so he can impersonate the attack. Let's presume, for example, that you have your website hosted on shared hosting on which PHP is installed as an Apache module, which makes session files belong to the web user, in other words: accessible.

He breaks it out into three kinds of session hijack methods - prediction, capture and fixation - with a definition for each. He also recommends some secure practices to help prevent these issues (such as not trusting user input, using $_COOKIE and $_SESSION correctly, and pairing the session ID with a separate security token).
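The "security token alongside the session ID" recommendation, and the shared-hosting caveat from the quote, worked through in code. This is an added example, not code from the ServerSide Magazine article; it assumes PHP 7.3 or later (for the setcookie options array) and a site served over HTTPS, and the cookie name, function names and the demo session array are hypothetical or constructed here.

```php
<?php
// Added example (not from the ServerSide Magazine article). Assumes PHP 7.3+.
declare(strict_types=1);

const TOKEN_COOKIE = 'auth_token';   // hypothetical cookie name

// On shared hosting with PHP as an Apache module the default save_path is
// shared by every vhost running as the web user, so any co-tenant can read
// (and write) your session files. Point the store at a directory only this
// site owns, and refuse IDs the server never issued (strict mode).
function usePrivateSessionStore(string $dir): void
{
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    ini_set('session.save_path', $dir);
    ini_set('session.use_strict_mode', '1');
}

// Called once, after the credentials have checked out. Issues a fresh session
// ID (against fixation) and a second random secret that the server keeps only
// as a hash; the plaintext token goes to the browser in its own cookie.
function establishAuthenticatedSession(int $userId): string
{
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32));
    $_SESSION['uid']        = $userId;
    $_SESSION['token_hash'] = hash('sha256', $token);
    $_SESSION['ua_hash']    = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    setcookie(TOKEN_COOKIE, $token, [
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Run on every request. The session ID alone is not enough: an attacker who
// predicted it, captured it, or read the session file from a shared store
// still lacks the token, which exists in plaintext only in the victim's
// browser. The User-Agent check is a weak extra signal, not a defence on
// its own (it is attacker-controlled), so a mismatch is treated as a logout.
function sessionIsValid(array $session, ?string $presentedToken, string $userAgent): bool
{
    if (!isset($session['uid'], $session['token_hash'], $session['ua_hash'])) {
        return false;
    }
    if ($presentedToken === null) {
        return false;
    }
    // hash_equals() compares in constant time, so the position of the first
    // differing byte is not leaked through response timing.
    if (!hash_equals($session['token_hash'], hash('sha256', $presentedToken))) {
        return false;
    }
    return hash_equals($session['ua_hash'], hash('sha256', $userAgent));
}

// Constructed demo: one legitimate session array, as $_SESSION would hold it,
// checked against three callers. Only the first has both ID and token.
$token   = bin2hex(random_bytes(32));
$session = [
    'uid'        => 42,
    'token_hash' => hash('sha256', $token),
    'ua_hash'    => hash('sha256', 'Mozilla/5.0 (demo)'),
];
var_dump(sessionIsValid($session, $token, 'Mozilla/5.0 (demo)'));                    // real user
var_dump(sessionIsValid($session, null, 'Mozilla/5.0 (demo)'));                      // has only the session ID
var_dump(sessionIsValid($session, bin2hex(random_bytes(32)), 'Mozilla/5.0 (demo)')); // guessed token
```

Only the first call returns true. The token protects against an attacker who can read the session store but not write to it; on a store that co-tenants can also write, they can simply overwrite token_hash, which is why usePrivateSessionStore() (or a database-backed handler) has to come first.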

tagged: hijack session predict capture fixation secure practice

International PHP Magazine:
Which of the Following Ensures Smooth Implementation of PHP Sessions?
May 03, 2007 @ 16:14:00

The results from the latest poll the International PHP Magazine conducted this past week are in. The question they asked developers to respond to was "Which One of the Following Ensures Smooth Implementation of PHP Sessions?".

Options this time were:

  • Don't use underscore in host names
  • Commit your session before it redirects
  • Prevent session fixation
  • Don't expose session_id's
The results were pretty close for all of the options with one coming out on top (committing the session) and two tying for second - preventing session fixation and not exposing session IDs.

Subversion and Symfony users should cast their votes in this week's poll. It asks, of the four options given, which is your favorite "trick" for running the Symfony framework with Subversion.

tagged: poll session implementation commit fixation expose subversion symfony

Oscar Merida's Blog:
Avoiding frustration with PHP Sessions
Mar 30, 2007 @ 16:28:00

On his blog, Oscar Merida has a quick new post that those just starting out with sessions should take a look at. He gives four quick tips on things to watch out for that can help your development process go more smoothly.

PHP's support for sessions makes adding "state" to your web application super easy. But because the illusion of state is maintained by storing a session ID in a user's cookies, you might find yourself losing potentially productive hours chasing down bizarre client-side bugs or opening up a potential security hole. Here are 4 tips to help you avoid wasting your time and secure your site.

Items on the list are:

  • Don't use underscores in host names
  • Commit your sessions before redirects
  • Prevent session fixation (great security tip!)
  • Don't expose session_id's
Check out the comments - there are some good recommendations in there as well.

tagged: frustration session avoid recommend underscore fixation expose

Zend Developer Zone:
PHP Security Tips #6 and #7
Mar 12, 2007 @ 16:38:00

Continuing in their security theme for the month of March, the Zend Developer Zone has posted two more Security Tips for PHP developers out there:

  • The first tip (#6 on their list) covers the benefits of casting all of the values going into your SQL queries to the type the column expects. This keeps you and your data away from SQL injection issues that could expose valuable data.
  • The second tip (#7) focuses on regenerating session IDs to help prevent session fixation. They give an example of how, without it, you could inadvertently let in unauthorized users. Thankfully, one function call remedies the situation: session_regenerate_id.

Check out their full list for more great tips.
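Tips #6 and #7 above, together with Oscar Merida's "commit your sessions before redirects" from the entry further up, in one runnable login flow. This is an added example, not code from the Zend Developer Zone tips or from Oscar's post; it assumes PHP 7.1 or later with pdo_sqlite, uses an in-memory SQLite database so it runs offline, and the users table, its two rows and all function names are constructed here for the demo.

```php
<?php
// Added example (not from the Zend Developer Zone tips or Oscar Merida's post).
// Assumes PHP 7.1+ with the pdo_sqlite extension.
declare(strict_types=1);

// Constructed demo database: two users with bcrypt password hashes.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (id, name, pw_hash) VALUES (?, ?, ?)');
    $ins->execute([1, 'alice', password_hash('alice-pass', PASSWORD_DEFAULT)]);
    $ins->execute([2, 'bob',   password_hash('bob-pass',   PASSWORD_DEFAULT)]);
    return $db;
}

// Tip #6: an integer column gets an integer. (int)'1 OR 1=1' is 1, so even
// this string-interpolated query cannot be turned into a tautology. It is
// kept here to show what the cast alone buys you.
function findUserByIdCastOnly(PDO $db, $rawId): ?array
{
    $id  = (int) $rawId;
    $row = $db->query("SELECT id, name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The form to prefer: the cast plus a bound parameter. Binding also covers
// text columns, where there is no cast that can make the value safe.
function findUserById(PDO $db, $rawId): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Tip #7: the session the visitor had before logging in may have been planted
// by an attacker (fixation). Regenerating the ID after authentication, and
// deleting the old one, means a planted ID never becomes an authenticated one.
function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // true: discard the old session file too
    }
    $_SESSION['uid'] = (int) $row['id'];
    return true;
}

// Oscar's tip: flush the session before redirecting. Without the explicit
// close, the Location header can go out while the session data is still
// unwritten, and the request that follows the redirect may not see the login.
function redirectAfterLogin(string $to): void
{
    session_write_close();
    header('Location: ' . $to, true, 303);
    exit;
}

// Constructed demo of the query and login paths (no HTTP, so no redirect).
$db = openDemoDb();
var_dump(findUserByIdCastOnly($db, '1 OR 1=1'));   // cast reduces the input to 1
var_dump(findUserById($db, '2'));
var_dump(findUserById($db, "' OR ''='"));          // cast reduces the input to 0
var_dump(login($db, 'alice', 'alice-pass'));
var_dump(login($db, 'alice', 'wrong'));
```

The first lookup returns only alice's row rather than the whole table, the third returns null because no user has id 0, and the two login calls return true and false respectively. In a real request the order is session_start(), login(), redirectAfterLogin(); in a CLI run there is no active session, so login() simply populates $_SESSION as an ordinary array.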

tagged: security tip session fixation sql injection cast query
