In this post to his blog, Chris Shiflett talks about some issues surrounding character encoding and the cross-site scripting issues it can open up in your application.

In the post [on Good and Bad PHP Code], he provides a few useful PHP interview questions, including some questions from Yahoo. He explains that good PHP code should be Structured, Consistent, Portable and Secure

In the comments, many additional improvements have been suggested, but there's one that has yet to be mentioned. When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible.

Included in the post is an example to illustrate the point as well as a solution, a simple one involving the header() function, to help correct the problem and prevent bad things from happening.

Be sure to check out the comments for more great tips.

Cicso product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

There are some patches that have been released to correct this issue (like the one for the Cisco Unified Application Environment) but others are still yet to come. They recommend limiting access to only trusted IPs and devices only to reduce the risk of the problem being exploited.

On the SitePoint PHP Blog today, there's a new post from Harry Fuecks with his take on the whole "PHP security" issue that's being tossed around lately.

There's another round of "Is PHP Secure?" debate happening right now. Chris drew attention to it, pointing to a post by Andrew van der Stock (who's a contributor to OWASP): PHP Insecurity: Failure of Leadership.

So the usual denials have been made (see replies to Chris's entry) - "Damn newbies", "Holes in PHP-based app != PHP insecure", etc., all of which I agree with. But...

He also mentions that this kind of talk could do more harm than good, making people that were on the edge lean back and take another look somewhere else. He also gives an example, a short bit of PHP and HTML that shines light on a typical XSS example - and asks if it's the developer's fault for not knowing, or the language's fault for not handling it right? Other topics he touches on as well are short tags and the use of filtering for all user input...