
NetTuts.com:
Protecting Your Keys From GitHub
March 05, 2015 @ 12:03:05

On the NetTuts.com site there's a new post talking about protecting your keys when using a public site like GitHub. This relates to an easy thing to forget - removing hard-coded credentials from code before pushing it public.

In December 2014, Slashdot ran an alarming story Bots Scanning GitHub To Steal Amazon EC2 Keys, based on developer and blogger Andrew Hoffman's experience trying out Ruby on Rails on Amazon with AWS S3. He inadvertently committed an application.yml file with his AWS keys. [...] It's an easy mistake and most of us have probably done a similar thing at one point or another. And it's not just AWS keys that are at risk. As our use of cloud-based services increases, the expanding use of a broad variety of service API keys can be leveraged by hackers and spammers alike.

He goes through a solution he's found to help protect those credentials, in this case working with the configuration of a Yii framework-based application. He starts with a mention of .gitignore but points out that it could have unexpected results from "quirks" in its handling. He suggests a different option - using a configuration file that lives someplace outside of the main git directory and can be referenced directly from inside the application. He provides two kinds of examples: one using a PHP-based configuration and another based on an INI file. He finishes the post with a mention about WordPress plugins and the fact that they're (usually) stored in a database and open to exposure if a SQL injection vulnerability is found.
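An added example of the out-of-repository configuration file the post recommends (this is not the NetTuts code; the path /etc/myapp/secrets.ini, the [aws] section and the key names are assumptions):

```php
<?php
// Added example: load credentials from an INI file that lives outside the git
// working tree, so a careless "git add ." can never pick it up.
// Assumed path: /etc/myapp/secrets.ini, readable only by the web server user.
declare(strict_types=1);

function loadSecrets(string $path = '/etc/myapp/secrets.ini'): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("Secrets file not readable: $path");
    }
    // A world-readable secrets file is the same leak in a different place.
    $mode = fileperms($path) & 0777;
    if ($mode & 0004) {
        throw new RuntimeException(sprintf('%s is world-readable (mode %o)', $path, $mode));
    }
    $ini = parse_ini_file($path, true, INI_SCANNER_TYPED);
    if ($ini === false) {
        throw new RuntimeException("Could not parse $path");
    }
    // Fail early on a half-filled file instead of at the first AWS call.
    foreach (['aws' => ['key', 'secret']] as $section => $keys) {
        foreach ($keys as $k) {
            if (empty($ini[$section][$k])) {
                throw new RuntimeException("Missing [$section] $k in $path");
            }
        }
    }
    return $ini;
}

// Constructed secrets.ini contents (placeholder values, never real keys):
//   [aws]
//   key    = "PLACEHOLDER_ACCESS_KEY"
//   secret = "PLACEHOLDER_SECRET_KEY"
//
// Assumed usage: merge the values into the application config at runtime,
// so the config file that is committed contains no credentials at all.
$secrets = loadSecrets();
$config = [
    'components' => [
        's3' => [
            'key'    => $secrets['aws']['key'],
            'secret' => $secrets['aws']['secret'],
        ],
    ],
];
```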


Link: http://code.tutsplus.com/tutorials/protecting-your-keys-from-github--cms-23002

PHP.net:
PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)
May 07, 2012 @ 09:03:59

The PHP.net site has a new post with some supplemental information for users of the PHP CGI binary who might be affected by the recently announced bug, the reason for the most recent release. Unfortunately, that patch only fixes some of the cases of the problem, so they've amended their instructions to include a more effective mod_rewrite rule to help protect your applications.

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

The rewrite rule is there in the post, ready for copying and pasting into your config. Even if you're running the latest PHP 5.3.12 or 5.4.2, be sure to use this rule as a stop-gap measure for now. Another release is planned for tomorrow to fully correct the CGI flaw.



Gonzalo Ayuso's Blog:
How to protect from SQL Injection with PHP
February 08, 2012 @ 08:07:05

In a recent post to his blog, Gonzalo Ayuso shares a few tips on preventing SQL injection attacks on your applications.

Security is a part of our work as developers. We need to secure our applications against malicious attacks. SQL Injection is one of the most common possible attacks. Basically SQL Injection is one kind of attack that happens when someone injects SQL statements into our application. You can find a lot of info about SQL Injection attacks. Basically you need to follow the security golden rule: "Filter input, Escape output".

He advocates the use of the PDO abstraction layer to filter out a lot of the issues. Using its prepared statements, you can easily strip out things that just adding slashes to user input wouldn't prevent. He also includes a reminder about database permissions - allowing only certain users the ability to, for example, delete can help provide one more level of security (in other words, don't use a "super user" in production).
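An added example, not Gonzalo Ayuso's own code, showing the injectable query beside its PDO prepared-statement form and the least-privilege account he recommends (the database "app", table "users" and account "app_ro" are constructed names):

```php
<?php
// Added example: string-built SQL versus a PDO prepared statement, plus the
// read-only database account that limits the damage of any injection.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_ro', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: values never enter the SQL text
]);

// VULNERABLE: the value is concatenated into the SQL, so a single quote in the
// input closes the string literal and the rest of the input is parsed as SQL.
// addslashes() does not fix this reliably (charset and numeric contexts).
function findUserUnsafe(PDO $pdo, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the statement is parsed first and the value is bound afterwards, so
// whatever the user typed is only ever compared as data, never as SQL.
function findUserSafe(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Least privilege, the post's second point: the web application connects as an
// account that can only read the tables it needs, so even a successful
// injection cannot DELETE or DROP. Run once as the DBA (constructed example):
//   CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'PLACEHOLDER_PASSWORD';
//   GRANT SELECT ON app.users TO 'app_ro'@'localhost';
```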



Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
September 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common: the code talks to an SSL endpoint but never actually verifies the certificate it is presented with. He shows a bad example of how some scripts handle this, setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn the verification off, which is a very bad idea. To protect yourself from man-in-the-middle or DNS hijack attacks, leave them on.
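An added example, not Artur Ejsmont's code, putting the weak cURL settings he warns about beside the verifying configuration (the API URL and the CA bundle path are assumptions):

```php
<?php
// Added example: a cURL call that fails closed when the certificate chain or
// host name does not check out. Assumed endpoint: https://api.example.com/v1/status
declare(strict_types=1);

function callApi(string $url): string
{
    $ch = curl_init($url);

    // WRONG: the pattern the post warns about. The bytes are encrypted, but
    // any certificate is accepted, so a hosts-file change or DNS hijack with a
    // self-signed certificate is indistinguishable from the real API.
    // curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    // curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

    // RIGHT: verify the chain against a trusted CA bundle and check that the
    // certificate's name matches the host we asked for.
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,   // 2 = check the name; 1 is not an accepted value
        CURLOPT_CAINFO         => '/etc/ssl/certs/ca-certificates.crt', // assumed bundle path
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_FOLLOWLOCATION => false,           // a redirect cannot downgrade us
        CURLOPT_TIMEOUT        => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Covers "SSL certificate problem" and "subject name does not match":
        // stop here rather than silently talk to whoever answered.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("API call failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Usage (assumed URL); a tampered hosts file now produces an exception, not data.
$status = callApi('https://api.example.com/v1/status');
```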



DevShed:
Optimize File Downloading in PHP
July 07, 2011 @ 11:05:50

New on DevShed.com today is a tutorial helping you optimize your file downloading for your web application and provide a way to give users dynamic links to files instead of direct ones.

The true path to the downloadable content can be revealed easily and is not protected, allowing users to bypass web forms and download the content directly using a browser. [...] The Solution: A Secure and Efficient PHP Download Script

This tutorial is actually an update of their previous tutorial looking at a similar subject, with a few differences. Their code provides a way to limit the files a user can download, the number of times they can download it and a script to read the file and push it to the user without them ever knowing the path.



Script-Tutorials.com:
How to Protect any Site from Spam using Akismet
May 30, 2011 @ 08:10:59

From Script-Tutorials.com there's a new post that wants to help you prevent one of the biggest menaces of the social online world - spam. Their solution uses the Akismet service to detect possible spam and notify you.

What is spam? This is (usually) any message which is not relevant to the page, usually just an advertisement for something (often even with a link back to another site). Yes, you can put up a first line of defense, a CAPTCHA, but I think spammers are also ready for this and find ways to avoid the CAPTCHA (or they can even solve it themselves). In today's tutorial I'll show you how to create a second line of defense against spam, using web services, for example Akismet.

They include all the code you'll need to create a simple interface to the Akismet system with the help of this library that handles a lot of the connection and messaging for you. They apply it to a comment form and check the POSTed values against the Akismet spam checking. You can download the full package to get started immediately.



Gonzalo Ayuso's Blog:
Protect files within public folders with mod_rewrite and PHP
November 29, 2010 @ 09:45:43

Gonzalo Ayuso has a new post that can help you protect certain files inside of a public folder by combining mod_rewrite and PHP.

Here's the problem. We have a legacy application (or a WordPress blog for the example) and we want to protect the access to the application according to our corporate single sign on. We can create a plug-in in WordPress to ensure only our single sign-on's session cookie is activated.

In his example, he shows the handling of an uploaded file and a plugin that can be used to protect parts of the site based on session information. Unfortunately, by itself, this doesn't prevent the direct access of the file. His trick is to route all file access back through a central "media.php" script that fetches it from a file location (could even be outside the docroot). The routing to the PHP is handled via mod_rewrite and the code checks the permissions on the current user's session for access.
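The DevShed download script and Gonzalo Ayuso's media.php above solve the same problem, so here is one added example covering both (not the code from either post): a single script that checks the session, maps an opaque id to a file kept outside the docroot, enforces a per-session download limit and streams the file without ever revealing its path. The rewrite rule, MEDIA_ROOT, the catalog entries and the session keys are all constructed assumptions.

```php
<?php
// Added example: media.php, reached through an assumed rewrite such as
//   RewriteRule ^media/(.*)$ media.php?id=$1 [L]
// The application's single sign-on is assumed to have set $_SESSION['user_id'].
declare(strict_types=1);
session_start();

const MEDIA_ROOT    = '/var/app-data/media';   // outside the web root (assumed)
const MAX_DOWNLOADS = 3;                       // per file, per session

// Only ids in this table can be served; the client never supplies a path.
$catalog = [
    'report-2011' => ['file' => 'q2-report.pdf', 'type' => 'application/pdf'],
];

$id = $_GET['id'] ?? '';
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
if (!isset($catalog[$id])) {          // unknown id: nothing about the disk leaks
    http_response_code(404);
    exit('Not found');
}

$count = $_SESSION['downloads'][$id] ?? 0;
if ($count >= MAX_DOWNLOADS) {
    http_response_code(429);
    exit('Download limit reached');
}

$path = realpath(MEDIA_ROOT . '/' . $catalog[$id]['file']);
// Defence in depth: even a mistyped catalog entry cannot escape MEDIA_ROOT.
if ($path === false || strpos($path, MEDIA_ROOT . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

$_SESSION['downloads'][$id] = $count + 1;

header('Content-Type: ' . $catalog[$id]['type']);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);   // streams the file; the browser only ever sees /media/report-2011
```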



phpRiot.com:
Protecting Your PHP Source Code With ionCube Encoder
June 08, 2010 @ 09:15:00

In a new post on phpRiot.com Quentin Zervaas shows you how to use ionCube Encoder to help protect the applications you've written and their source code.

One of the issues PHP developers face is that PHP is an interpreted language, meaning PHP source code is readable by anybody who downloads your applications. In this article I will show you how to protect your intellectual property by encoding your PHP source code.

With the help of the encoder you can convert your plain-text PHP files into something that only an end user with the correct loader set up can run. He includes a simple "hello world" example showing the before and after of using the encoder. Also included are the commands to encode and decode the scripts manually if you want to handle it that way.



ITNewb.com:
Building a Spam Free Contact Form without Captchas
August 12, 2009 @ 08:14:53

New on the ITNewb.com site today there's a tutorial looking at making your forms a bit more "spam free" without resorting to CAPTCHA images.

Most anti-spam methods used by websites today are annoying at best. They use impossible-to-read captcha images, or they make users jump through some kind of hoop to get the email address instead of just clicking on it. This can mean lost sales and opportunities for you, because each hurdle turns away more users.

The trick uses some CSS to hide a form field (display:none) and a check on submit to ensure that it's still empty: a human never sees the field, while an automated submitter that fills in every input gives itself away. The email address is the output of a JavaScript document.write() as well, so tools pulling information off your site without JavaScript support (like many automated harvesters) miss it completely.
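An added example of the honeypot form and its server-side check, not the ITNewb code (the field names, the action URL and the address parts are constructed):

```php
<?php
// Added example: a contact form with a CSS-hidden honeypot field, an email
// address assembled client-side, and the handler that rejects filled honeypots.
declare(strict_types=1);

function renderForm(): string
{
    return <<<'HTML'
<style>.hp-wrap { display: none; }</style>
<form method="post" action="contact.php">
  <input type="text" name="name" placeholder="Your name">
  <textarea name="message"></textarea>
  <!-- Invisible to people; bots that fill every field will populate it -->
  <div class="hp-wrap"><input type="text" name="website" autocomplete="off" tabindex="-1"></div>
  <button type="submit">Send</button>
</form>
<!-- The address only exists after the script runs, so a harvester that does
     not execute JavaScript finds nothing to collect. -->
<script>
  var u = 'contact', d = 'example.com';
  document.write('<a href="mailto:' + u + '@' + d + '">' + u + '@' + d + '</a>');
</script>
HTML;
}

// Returns null for a submission that looks human, or the reason to reject it.
function rejectReason(array $post): ?string
{
    if (isset($post['website']) && $post['website'] !== '') {
        return 'honeypot filled';   // a real visitor cannot see this field
    }
    if (trim($post['name'] ?? '') === '' || trim($post['message'] ?? '') === '') {
        return 'required field missing';
    }
    return null;
}

// Handler (assumed contact.php): silently discard bot posts, process the rest.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $reason = rejectReason($_POST);
    if ($reason !== null) {
        error_log('contact form rejected: ' . $reason);
        http_response_code(204);   // give the bot nothing to learn from
        exit;
    }
    // ...send the message...
} else {
    echo renderForm();
}
```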



Smashing Magazine:
10 Steps To Protect The Admin Area In WordPress
January 28, 2009 @ 09:31:54

As all WordPress users know, the "admin" section of an installation is one of the most important areas of your site. That being said, it should also be one of the best protected parts. This new article from Smashing Magazine has ten tips that you can use to help protect you and your blog from prying eyes.

The administration area of a Web application is a favorite target of hackers and thus particularly well protected. The same goes for WordPress: when creating a blog, the system creates an administrative user with a perfectly secure password and blocks public access to the settings area with a log-in page. This is the cornerstone of its protection. Let's dig deeper!

Here are their ten tips:

  • Rename and Upload the wordpress Folder
  • Extend the file wp-config.php
  • Move the wp-config.php file
  • Protect the wp-config.php file
  • Delete the admin User Account
  • Choose strong passwords
  • Protect the wp-admin Directory
  • Suppress Error Feedback on the Log-In Page
  • Restrict Erroneous Log-In Attempts
  • Keep Software Up to Date




All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework