PHP.net:
PHP 5.3.12 and 5.4.2 and the CGI flaw (CVE-2012-1823)
May 07, 2012 @ 09:03:59

The PHP.net site has a new post with some supplemental information for those users of the PHP CGI who might be affected by the recently announced bug, the reason for the most recent release. Unfortunately, this patch only fixes some of the cases of the problem, so they've amended their instructions to include a more effective mod_rewrite rule to help protect your applications.

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

The rewrite rule is there in the post, ready for copying and pasting into your config. Even if you're running the latest PHP 5.3.12 or 5.4.2, be sure to use this rule as a stop-gap measure for now. Another release is planned for tomorrow to fully correct the CGI flaw.


Gonzalo Ayuso's Blog:
How to protect from SQL Injection with PHP
February 08, 2012 @ 08:07:05

In a recent post to his blog, Gonzalo Ayuso shares a few tips on preventing SQL injection attacks on your applications.

Security is a part of our work as developers. We need to secure our applications against malicious attacks. SQL Injection is one of the most common possible attacks. Basically, SQL Injection is a kind of attack that happens when someone injects SQL statements into our application. You can find a lot of info about SQL Injection attacks. Basically you need to follow the security golden rule: "Filter input, Escape output".

He advocates the use of the PDO abstraction layer to filter out a lot of the issues. Using its prepared statements, you can easily strip out things that just adding slashes to user input wouldn't prevent. He also includes a reminder about database permissions - allowing only certain users the ability to, for example, delete can help provide one more level of security (in other words, don't use a "super user" in production).
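To show the point about slashes concretely, here is an added example (not code from Gonzalo Ayuso's post): the same lookup written with addslashes() and with a PDO prepared statement, run against an in-memory SQLite database whose table and rows are constructed for the demonstration.

```php
<?php
// Added example, not code from Gonzalo Ayuso's post. Shows the injection that addslashes()
// does not stop and the PDO prepared statement that does. Runs against an in-memory SQLite
// database, so the table and rows below are constructed for the demonstration.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // On MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the server, not PHP,
        // separates statement text from bound values.
    ]);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)");
    $db->exec("INSERT INTO users VALUES (1, 'alice@example.org'), (2, 'bob@example.org')");
    return $db;
}

function find_user_unsafe(PDO $db, string $id): array
{
    // addslashes() only escapes quotes; in a numeric context no quote is needed,
    // so the input "1 OR 1=1" is spliced into the query unchanged and matches every row.
    $sql = "SELECT id, email FROM users WHERE id = " . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function find_user_safe(PDO $db, string $id): array
{
    // Filter input: reject anything that is not an integer before it reaches the database.
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("user id must be an integer");
    }
    // The statement text is fixed at prepare time; the bound value can only ever be data.
    $stmt = $db->prepare("SELECT id, email FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db      = connect();
$payload = "1 OR 1=1";   // constructed attacker input
echo count(find_user_unsafe($db, $payload)), " rows leaked by string concatenation\n";
try {
    find_user_safe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "prepared path rejected it: ", $e->getMessage(), "\n";
}
echo count(find_user_safe($db, "1")), " row returned for a legitimate id\n";
```

Pair this with the permissions advice above: the account the script connects with needs SELECT on this table and nothing more.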


Artur Ejsmont's Blog:
How to properly secure remote API calls over SSL from PHP code
September 19, 2011 @ 13:56:00

Artur Ejsmont has a new post with a passionate call to arms for anyone who thinks that just because their URL has "https" in it, it's secure. He presents his suggestion on how to properly secure SSL API calls for your PHP application.

Let's make something clear from the very start: JUST BECAUSE THERE IS https:// IN THE URL OF THE REMOTE SERVICE IT DOES NOT MEAN THE CONNECTION IS SECURE! I am sorry for the tone of this post but I am enraged by how popular this issue is online. If you ask why, I suggest a little experiment [involving changing your hosts file and using a self-signed certificate].

The issue he spotlights is all too common: a PHP script talks to a remote service over SSL but never actually verifies the server's certificate in the process. He shows an example of the bad practice some scripts follow, setting CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to turn this verification off, which is a very bad idea. To protect yourself from man-in-the-middle and DNS hijack attacks, you should leave both enabled.
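As an added example (not code from Artur Ejsmont's post), here is a cURL client that keeps both checks on and fails closed when verification does not succeed; the endpoint and the CA bundle path are assumptions.

```php
<?php
// Added example, not code from Artur Ejsmont's post: one cURL client for a remote API
// with certificate verification kept on and failures treated as fatal. The endpoint
// and CA bundle path are assumptions; substitute the bundle your platform ships.

function call_api(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,   // refuse a downgrade to plain http
        // The two options the post warns about. Both must stay enabled: VERIFYPEER checks
        // that the certificate chains to a trusted CA, VERIFYHOST (2) that its name matches
        // the host in the URL. Either one alone still lets a MITM with a self-signed or
        // stolen certificate through.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => '/etc/ssl/certs/ca-certificates.crt', // assumed bundle path
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($errno !== 0) {
        // Verification failures (CURLE_PEER_FAILED_VERIFICATION, CURLE_SSL_CACERT) land
        // here. Fail closed: never retry with verification switched off.
        return ['ok' => false, 'error' => "cURL error $errno: $error"];
    }
    return ['ok' => true, 'body' => $body];
}

// The anti-pattern the post criticises, kept as a comment so it can be searched for in
// a code base; with it, the hosts-file experiment from the post succeeds silently:
//   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$result = call_api('https://api.example.com/v1/status'); // hypothetical endpoint
echo $result['ok'] ? $result['body'] : $result['error'], PHP_EOL;
```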


DevShed:
Optimize File Downloading in PHP
July 07, 2011 @ 11:05:50

New on DevShed.com today is a tutorial helping you optimize your file downloading for your web application and provide a way to give users dynamic links to files instead of direct ones.

The true path to the downloadable content can be revealed easily and is not protected, allowing users to bypass web forms and download the content directly using a browser. [...] The Solution: A Secure and Efficient PHP Download Script

This tutorial is actually an update of their previous tutorial looking at a similar subject, with a few differences. Their code provides a way to limit the files a user can download, the number of times they can download it and a script to read the file and push it to the user without them ever knowing the path.


Script-Tutorials.com:
How to Protect any Site from Spam using Akismet
May 30, 2011 @ 08:10:59

From Script-Tutorials.com there's a new post that wants to help you prevent one of the biggest menaces of the social online world - spam. Their solution uses the Akismet service to detect possible spam and notify you.

What is spam? This is (usually) any message which is not relevant to the page, usually just an advertisement of something (often with a link back to another site). Yes, you can put up a first line of defense, a CAPTCHA, but I think spammers are also ready for this and find ways to avoid the CAPTCHA (or they can even solve it themselves). In today's tutorial I'll show you how to create a second line of defense against spam using web services, for example Akismet.

They include all the code you'll need to create a simple interface to the Akismet system with the help of this library that handles a lot of the connection and messaging for you. They apply it to a comment form and check the POSTed values against the Akismet spam checking. You can download the full package to get started immediately.


Gonzalo Ayuso's Blog:
Protect files within public folders with mod_rewrite and PHP
November 29, 2010 @ 09:45:43

Gonzalo Ayuso has a new post that can help you protect certain files inside of a public folder by combining mod_rewrite and PHP.

Here's the problem. We have a legacy application (or a WordPress blog for the example) and we want to protect the access to the application according to our corporate single sign on. We can create a plug-in in WordPress to ensure only our single sign-on's session cookie is activated.

In his example, he shows the handling of an uploaded file and a plugin that can be used to protect parts of the site based on session information. Unfortunately, by itself, this doesn't prevent the direct access of the file. His trick is to route all file access back through a central "media.php" script that fetches it from a file location (could even be outside the docroot). The routing to the PHP is handled via mod_rewrite and the code checks the permissions on the current user's session for access.
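An added example of that routing trick (not Gonzalo Ayuso's code): a hypothetical rewrite rule sends every upload URL to one media.php, which checks the session and then streams the file from a directory outside the docroot; the storage path, session key and extension whitelist are assumptions.

```php
<?php
// Added example, not Gonzalo Ayuso's code: a central media.php that serves files kept
// outside the document root, but only to a logged-in session. The rewrite rule, storage
// path, session key and extension whitelist are assumptions for the demonstration.
//
// .htaccess in the public folder (hypothetical rule): send every upload URL to this script
//   RewriteEngine On
//   RewriteRule ^uploads/(.+)$ /media.php?file=$1 [L,QSA]

const MEDIA_ROOT = '/var/www/private/uploads';   // assumed location, not under the docroot
const ALLOWED    = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// Map the requested name to a real file inside MEDIA_ROOT, or null if it is not allowed.
function resolve_media(string $requested): ?string
{
    $root = realpath(MEDIA_ROOT);
    $real = realpath(MEDIA_ROOT . '/' . $requested);
    // realpath() collapses "../" and symlinks; the prefix test then rejects any path that
    // escaped the upload directory, so traversal in $requested cannot reach other files.
    if ($root === false || $real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return (is_file($real) && isset(ALLOWED[$ext])) ? $real : null;
}

function serve_media(string $requested): void
{
    session_start();
    // The same gate the SSO plug-in applies to the pages: no session, no file.
    if (empty($_SESSION['sso_user'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    $path = resolve_media($requested);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: ' . ALLOWED[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);   // the bytes go out; the real location never appears in a URL
}

serve_media($_GET['file'] ?? '');
```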


phpRiot.com:
Protecting Your PHP Source Code With ionCube Encoder
June 08, 2010 @ 09:15:00

In a new post on phpRiot.com Quentin Zervaas shows you how to use ionCube Encoder to help protect the applications you've written and their source code.

One of the issues PHP developers face is that PHP is an interpreted language, meaning PHP source code is readable by anybody who downloads your applications. In this article I will show you how to protect your intellectual property by encoding your PHP source code.

With the help of the encoder you can convert your plain-text PHP files into something that only an end user with the correct loader setup can run. He includes a simple "hello world" example showing the before and after of using the encoder. Also included are the commands to encode and decode the scripts manually if you want to handle it that way.


ITNewb.com:
Building a Spam Free Contact Form without Captchas
August 12, 2009 @ 08:14:53

New on the ITNewb.com site today there's a tutorial looking at making your forms a bit more "spam free" without resorting to CAPTCHA images.

Most anti-spam methods used by websites today are annoying at best. They use impossible-to-read captcha images, or they make users jump through some kind of hoop to get the email address instead of just clicking on it. This can mean lost sales and opportunities for you, because each hurdle turns away more users.

The trick uses some CSS and JavaScript to hide a form field (display:none) and checks on submit that it is still empty, since a human user never sees the field but an automated submitter fills it in. The email address is written out by a JavaScript document.write() as well, so that anything pulling information off your site without JavaScript support (like some automated tools) misses it completely.


Smashing Magazine:
10 Steps To Protect The Admin Area In WordPress
January 28, 2009 @ 09:31:54

As every WordPress user knows, the "admin" section of an installation is one of the most important areas of your site, and as such it should also be one of the best protected. This new article from Smashing Magazine has ten tips you can use to help protect you and your blog from prying eyes.

The administration area of a Web application is a favorite target of hackers and thus particularly well protected. The same goes for WordPress: when creating a blog, the system creates an administrative user with a perfectly secure password and blocks public access to the settings area with a log-in page. This is the cornerstone of its protection. Let's dig deeper!

Here are their ten tips:

  • Rename and Upload the wordpress Folder
  • Extend the file wp-config.php
  • Move the wp-config.php file
  • Protect the wp-config.php file
  • Delete the admin User Account
  • Choose strong passwords
  • Protect the wp-admin Directory
  • Suppress Error Feedback on the Log-In Page
  • Restrict Erroneous Log-In Attempts
  • Keep Software Up to Date

Douglas Brown's Blog:
Three Important Tips to Write PHP Code Defensively
December 23, 2008 @ 16:40:30

Douglas Brown has a few helpful hints to help you write your PHP code defensively, protecting your code from malicious attackers.

The phenomenal growth of PHP applications has also led to a mushrooming of increased quantum of malicious activity. It thus becomes imperative that you write secure PHP code to protect your website. Here are some tips for the same. The three most vulnerable aspects of PHP that can become easily accessible to anyone are XSS (Cross Site Scripting), Global Variables and SQL code.

He details what each is and how you can protect your code against the problems they cause. Some example code is included to give you a better idea of the possible solution.

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework