
Developer Drive Blog:
How to Prevent a SQL Injection Attack
October 14, 2011 @ 09:25:12

From the Developer Drive blog there's a recent post with some suggestions on how you can help to prevent SQL injections in your PHP application and make it that much harder for would-be attackers to do what they shouldn't.

Why do SQL injections happen so often? The shortest answer is that SQL injections are so popular because of poor programming. Hackers know about the potential of a successful SQL injection attack and they search for vulnerabilities. Unfortunately, very often they don't have to search hard - vulnerabilities pop right in their face. [...] The good news is that fortunately, SQL injections are also relatively easy to prevent.

They list nine easy things you can do to help prevent the attacks:

  • Patch your SQL server regularly
  • Limit the use of dynamic queries
  • Escape user input
  • Store database credentials in a separate file
  • Use the principle of least privilege
  • Turn magic quotes off
  • Disable shells
  • Disable any other DB functionality you don't need
  • Test your code
sqlinjection security sql prevent tips attack


DreamInCode.com:
Preventing PHP Mail(...) Header Injections
April 22, 2011 @ 11:06:23

On the Dream In Code forums there's a recent post showing you how to prevent mail() header injections when taking user input, like from a form.

PHP's mail() function is a very useful and powerful function, even to the point that it is very easy to exploit. A way hackers exploit this function is a method called email header injection. [...] I'm sure most of you can already tell that's not going to be pretty since we didn't check the user input and so forth. PHP provides us with functions such as filter_var which will validate user input and either return false if the validation fails or return the filtered data.

He includes an example of using these filtering methods to check the user input for malicious content: validating that the "to" address is a well-formed email address (FILTER_VALIDATE_EMAIL) and a sanitize() method that removes newlines, carriage returns and a few other characters that would let an attacker append extra mail headers.
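The two checks described above, as an added example that is not the code from the Dream In Code post: the recipient is validated with filter_var() and header values have CR/LF and other control characters stripped before anything is passed to mail(). The function names are assumptions.

```php
<?php
// Added example (not from the Dream In Code post): validate the recipient with
// filter_var() and strip the characters a header injection relies on before
// any value reaches mail(). Run with: php mail_guard.php
declare(strict_types=1);

// Reject anything that is not a single well-formed address.
function validateRecipient(string $to): ?string
{
    $valid = filter_var(trim($to), FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Header values may never contain CR, LF, NUL or other control characters:
// an embedded line break is what turns one header into several.
function sanitizeHeaderValue(string $value): string
{
    $clean = preg_replace('/[\r\n\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    return trim($clean);
}

// Build the arguments for mail(), or return null when the input is unsafe.
function buildMessage(string $to, string $subject, string $body): ?array
{
    $recipient = validateRecipient($to);
    if ($recipient === null) {
        return null;            // invalid or multi-line recipient
    }
    return [
        'to'      => $recipient,
        'subject' => sanitizeHeaderValue($subject),
        'body'    => $body,     // the body may contain newlines; headers may not
    ];
}

// Constructed sample inputs: a clean request and one with a CRLF in the address.
$clean = buildMessage('alice@example.com', 'Hello', "Hi Alice\n");
$bad   = buildMessage("alice@example.com\r\nX-Injected: 1", 'Hello', 'x');

echo 'clean request accepted: ', var_export($clean !== null, true), PHP_EOL;
echo 'CRLF request rejected:  ', var_export($bad === null, true), PHP_EOL;
echo 'subject with newline -> ', var_export(sanitizeHeaderValue("Hi\r\nX-Injected: 1"), true), PHP_EOL;

// In a real form handler:
// if ($clean !== null) { mail($clean['to'], $clean['subject'], $clean['body']); }
```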

prevent mail header injection tutorial filtervar sanitize


CatsWhoCode.com:
Top 10 ways to stop spam in WordPress
September 03, 2009 @ 09:11:57

In a recent post to the CatsWhoCode.com site Alex Denning takes a look at ten ways you can help stop those dreaded comment spammers on your WordPress blog.

Spam is a nuisance, and as bloggers, we have all experienced a flood of spam every now and then. Not only is it a pain, but it can slow down your blog and use up your resources. In this post we'll look at ten ways to combat spam.

Here's his list of suggestions - some can be combined with others to give you additional protection:

  • Install Akismet
  • reCAPTCHA
  • Ask your readers to do 1+1
  • Stop spam trackbacks
  • Make users login to comment
  • Ban spammers by IP
  • Ban spammers by IP, on a massive scale
  • Deny comment posting to no referrer requests
  • Stop content thieves
  • Stop spammers stealing your images
wordpress spam prevent


Marco Tabini's Blog:
To except is human; to handle is divine.
April 23, 2009 @ 11:17:27

Marco Tabini has taken a different tack on error handling in his latest post. He suggests that developers need to spend a little less time trying to prevent so many errors and a little more time handling the ones that do happen.

When an error occurs, the vast majority of the web-based application code that I see during my reviews performs the software equivalent of running around with its head cut off: the developer spends an inordinate amount of time and resources trying to make the software look like what was essentially a catastrophic failure was nothing more than a small temporary hiccup.

[...] In reality, by the time an error has occurred, there are only two possible outcomes: either you expected the error to occur, in which case you have already written code to handle the failure, or you didn't, in which case your main focus should be to use the error as a learning opportunity.

Marco suggests alternatives to this usual worry and hysteria: spend more time ensuring that, if something does fail, it does no further damage; let the IT team know as soon as you find the issue; and test before you fix (reproduce the error before you dig in to try to fix it).

test reproduce report timely damage prevent handle error


Padraic Brady's Blog:
ZF Blog Tutorial Part 10: Comments, reCAPTCHA and Akismet Filtering
June 05, 2008 @ 09:38:14

Padraic Brady has posted part ten in his series on the construction of a blogging system with the Zend Framework. This part of the series focuses on the commenting system and using a reCAPTCHA and Akismet system on it to prevent spam.

Blogs all have two other features besides actual content. They allow readers to post comments, and they offer XML feeds of their content. With the blog application itself coming along nicely, and with Addendum #2's revised styling, it's a good time to take a peek at adding comments.

He has created a custom Service component for the framework that interfaces directly with the reCAPTCHA service (along with a form helper, view helper and validation methods) so that the element can be added to a form just like any other. Example code showing its use is included.

He works this into his comment form, including the Controller and the action that would be called. He shows how to attach an Akismet call to the form too via the framework's own service methods. Finally, he handles the other side of things - the administrative piece and displaying the (hopefully non-spam) comments back out on the post.

recaptcha akismet comment public spam prevent zendframework


Zend Developer Zone:
Security Tip: Use a Database Abstraction Layer to help prevent SQL Injection
April 11, 2007 @ 11:39:00

Matthew Weier O'Phinney has posted one of his own security tips to the Zend Developer Zone today, involving the use of a database abstraction layer to help prevent SQL injections in your application.

SQL injections are a common vulnerability in web-based applications that use databases. [...] There are several methods to prevent this type of attack.

He gives three helpful hints for SQL injection prevention:

  • Use your database extension's quoting mechanism to quote values prior to executing a query
  • Use PDO's prepared statements support
  • Use a database abstraction layer (DAL), such as AdoDB, PEAR::MDB2, or Zend_Db.
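The first two hints above (and the "limit dynamic queries" / "escape user input" items from the Developer Drive list earlier on this page), shown side by side as an added example that is not from either post. It uses an in-memory SQLite database through PDO so it runs offline with the pdo_sqlite extension; the table and function names are assumptions.

```php
<?php
// Added example (not from the Zend Developer Zone tip or the Developer Drive
// post): the same lookup written three ways against an in-memory SQLite table.
// Run with: php sqli_prevention.php
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $pdo;
}

// Dynamic query built from raw input: the value becomes part of the SQL text,
// so a quote character in it changes the meaning of the statement.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hint 1: quote the value with the driver's own quoting mechanism.
function findByNameQuoted(PDO $pdo, string $name): array
{
    $sql = 'SELECT name, role FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hint 2: prepared statement; the value is bound and never parsed as SQL.
// A DAL such as Zend_Db (hint 3) wraps exactly these two mechanisms.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo   = connect();
$input = "x' OR '1'='1";   // constructed input that closes the quoted literal

// The unsafe variant returns every row; the other two match no user named "x' OR '1'='1".
printf("unsafe:   %d rows\n", count(findByNameUnsafe($pdo, $input)));
printf("quoted:   %d rows\n", count(findByNameQuoted($pdo, $input)));
printf("prepared: %d rows\n", count(findByNamePrepared($pdo, $input)));
```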

securitytip sqlinjection prevent database abstraction layer


Chris Shiflett's Blog:
Allowing HTML and Preventing XSS
March 16, 2007 @ 09:23:00

In this new post to his blog, Chris Shiflett helps to solve a problem that many web developers face when they want to accept user input but still protect themselves: allowing HTML while preventing a user from including cross-site scripting payloads.

This problem comes up more and more often due to the rise of social networking and other Web 2.0 properties that embolden users. [...] Of course, BBCode inevitably comes up during these types of discussions, but I really hate the idea of using yet another markup language just because I'm too lazy to deal with HTML, especially if the markup language doesn't even try to be user-friendly.

He looks for a good solution, one that doesn't require learning a new markup language or becoming overly complex (while avoiding strip_tags). He provides several chunks of code for the different steps of the method: first escape all of the content so it is safe, then selectively translate back only the tags you want to allow.

allow html prevent crosssitescript secure user content input


Zend Developer Zone:
Preventing Unwanted Access to Your API
January 26, 2007 @ 09:51:00

On the Zend Developer Zone, there's a helpful hint for users out there running a web service to help keep things safe:

Ok, so you've written a cool new Web API and you've written l33t JavaScript to call it from your page. The problem is, anybody who views your source can see how you call your new toy and use it for their own nefarious purposes. Granted, sometimes this is what you want but there are times when you want to keep your toys to yourself. For those times, here is a quick trick you can implement that will help thwart most evil doers.

The quick trick involves placing a secret variable into the session after the user has been validated. The sample code to make it work is provided, and an example Ajax call illustrates how it's used. Then all the API has to do is check for that value in the data passed along.
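The session-secret check, as an added example rather than the Zend Developer Zone code: a random token is minted once the user has authenticated and the API handler compares it in constant time. The function names are assumptions, and a plain array stands in for $_SESSION so the script runs from the command line. Note that the secret is only as private as the logged-in session that holds it; it keeps the endpoint from being called without a valid login, not from being called by a logged-in user who reads the page source.

```php
<?php
// Added example (not the Zend Developer Zone code): a per-session API secret
// issued after login and verified on every API call. Run with: php api_token.php
declare(strict_types=1);

// Called once the user has authenticated: mint a random secret and store it
// server-side in the session; the page embeds it into its JavaScript calls.
function issueApiToken(array &$session): string
{
    $session['api_token'] = bin2hex(random_bytes(32));
    return $session['api_token'];
}

// Called by the API handler: the request must carry the session's own token.
// hash_equals() avoids leaking how many leading bytes matched.
function apiTokenIsValid(array $session, ?string $supplied): bool
{
    if (!isset($session['api_token']) || $supplied === null) {
        return false;
    }
    return hash_equals($session['api_token'], $supplied);
}

// Simulated request flow with an in-memory session array instead of $_SESSION
// (a real handler would call session_start() and read $_POST['token']).
$session = [];
$token   = issueApiToken($session);

echo 'call from the page itself:      ', var_export(apiTokenIsValid($session, $token), true), PHP_EOL;
echo 'call with no token at all:      ', var_export(apiTokenIsValid($session, null), true), PHP_EOL;
echo 'call with a guessed token:      ', var_export(apiTokenIsValid($session, str_repeat('0', 64)), true), PHP_EOL;
echo 'call before login (no session): ', var_export(apiTokenIsValid([], $token), true), PHP_EOL;
```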

prevent unwanted access web service api session


PHPBuilder.com:
Pro PHP Security / Preventing SQL Injection, Part 3
November 15, 2006 @ 15:01:08

PHPBuilder.com continues its look at preventing SQL injections in your PHP scripts with this new tutorial, the third part of the excerpts from the Apress book Pro PHP Security.

They pick up where they left off last time with the creation of an abstraction layer for your application that acts as a go-between and filters out possibly bad data. They give examples of how to use it to secure a new application, how to use existing abstraction libraries such as PEAR DB, and how to test your application's protection.

prevent sql injection part3 security abstraction protection


Jamroll.co.uk:
Using Lighttpd to Dodge the Digg Effect
June 14, 2006 @ 20:25:34

Everyone who knows of the social news site Digg.com knows the problems that being linked on it can cause. Smaller servers get overloaded, and pages can be either very slow to load or completely offline within minutes of being "digged". There are a few people out there who have come up with different solutions, but several of them involve mirroring the content somewhere else. In this proposal, however, they combine Lighttpd and PHP to handle the load.

We host a wide variety of sites, covering everything from converting your garage into a living space to video game addictions. Because we are such a small operation, being hit by a link from a big site such as Digg would be both a blessing and a curse.

In order to place our ads on each page, we use PHP's auto_append_file feature to run our advertisement code. By using PHP's other neato function, auto_prepend_file, I can create a small piece of PHP code to detect when the site is being hit by Digg. In this situation, I have chosen to use Lighttpd to handle the increased loads, because of its proven high performance with large numbers of concurrent connections.

In his example code, he shows how you can detect when a user is coming from a digg.com page and take them to a cached version of the page they've requested (with the .cache extension).

lighttpd digg effect prevent downtime slow cache


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework