NETTUTS.com:
Can You Hack Your Own Site? A Look at Some Essential Security Considerations
July 22, 2008 @ 12:57:07

On the NETTUTS.com website, there's a great article with some "essential security considerations" that you can use to see just how hackable your site could be.

This article walks through the brainstorming stage of planning for what is, in this instance, a hypothetical user-centric web application. Although you won't be left with a complete project, nor a market-ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado... Are you sitting comfortably?

The tutorial is broken up into a few sections built around an example application (book information) with several points of failure. They work through the thought process behind the code: reading from the specific superglobals instead of $_REQUEST, preventing SQL injection, and filtering the HTML output. A sample code download lets you see how it's all tied together.




php|architect:
New Free Issue of php|architect
August 16, 2007 @ 10:07:00

The folks over at php|architect magazine have updated the free issue they're offering to anyone looking to get a taste of the great content inside each issue. Sean Coates writes:

We've recently updated our web site to offer a new free issue of php|architect magazine! The May 2007 edition of php|architect has proven to be extremely popular, and with PHP 6 on the horizon, we thought everyone should read the cover article on Unicode, so we're releasing it completely free (and without obligation) to registered users of our web site.

Other topics covered in the issue include working with server/client-side validation, preventing SQL injections, a look at the Model View Controller design pattern and dictionary attacks.

You can grab this free issue directly from the php|architect website.



Greg Beaver's Blog:
Quick review of Pixy vulnerability scanner for PEAR users
June 25, 2007 @ 07:30:27

Greg Beaver has a (very) quick post about his experiences running the Pixy XSS and SQLI Scanner against PEAR files.

I tried out the Pixy XSS and SQLI Scanner (http://pixybox.seclab.tuwien.ac.at/pixy/index.php) on a few simple PEAR files. On the first, I got a java exception, on the second it was unable to resolve the simplest of includes (no ability to resolve include_path). In short, the thing is useless for anything written using PEAR. Fun!

The Pixy XSS and SQLI Scanner is made to find SQL injection and XSS issues in scripts. It runs as a Java application and statically scans PHP4 source code to try to find problems. For more information on the scanner or to try it out for yourself, check out the project's homepage for documentation and downloads.



Zend Developer Zone:
Security Tip: Use a Database Abstraction Layer to help prevent SQL Injection
April 11, 2007 @ 11:39:00

Matthew Weier O'Phinney has posted one of his own security tips to the Zend Developer Zone today, involving the use of a database abstraction layer to help prevent SQL injection in your application.

SQL injections are a common vulnerability in web-based applications that use databases. [...] There are several methods to prevent this type of attack.

He gives three helpful hints for SQL injection prevention:

  • Use your database extension's quoting mechanism to quote values prior to executing a query
  • Use PDO's prepared statements support
  • Use a database abstraction layer (DAL), such as AdoDB, PEAR::MDB2, or Zend_Db.
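As an added example (not code from the Zend Developer Zone post or from the NETTUTS tutorial above), the following PHP script puts the hints from both items side by side: a query built by string concatenation, the same query as a PDO prepared statement, the same query using the extension's own quoting, and output escaping before the result reaches HTML. It assumes a hypothetical `books` table with `id`, `title` and `author` columns and uses an in-memory SQLite database so it runs without any server.

```php
<?php
// Added example; not from the original post. Assumes a "books" table with
// id, title and author columns (constructed below in an in-memory SQLite DB).

// 1. Vulnerable: untrusted input is concatenated straight into the SQL text,
// so a single quote in $title changes the structure of the statement.
function findBookUnsafe(PDO $db, string $title): array
{
    $sql = "SELECT id, title, author FROM books WHERE title = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Prepared statement (the post's second hint): the value travels separately
// from the query text and can only ever be treated as data.
function findBookSafe(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title, author FROM books WHERE title = :title');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The extension's quoting mechanism (the post's first hint). Correct when
// applied consistently, but every value must be quoted every time, which is
// exactly the step that gets forgotten in large code bases.
function findBookQuoted(PDO $db, string $title): array
{
    $sql = 'SELECT id, title, author FROM books WHERE title = ' . $db->quote($title);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Output filtering: escape database values before placing them in HTML so a
// stored title cannot inject markup or script into the page.
function renderBooks(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')
               . ' by ' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

// Constructed demo database so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT)');
$db->exec("INSERT INTO books (title, author) VALUES ('O''Reilly''s Guide', 'A. Writer')");

// Read from the specific superglobal rather than $_REQUEST, so the script does
// not silently accept the same parameter from cookies or the query string.
$title = $_GET['title'] ?? "O'Reilly's Guide";

// The legitimate apostrophe breaks the concatenated query but is plain data to
// the prepared and quoted versions.
try {
    findBookUnsafe($db, $title);
    echo "unsafe query ran\n";
} catch (PDOException $e) {
    echo "unsafe query failed on a legitimate apostrophe: " . $e->getMessage() . "\n";
}
echo count(findBookSafe($db, $title)) . " row(s) via prepared statement\n";
echo count(findBookQuoted($db, $title)) . " row(s) via PDO::quote\n";
echo '<ul>' . renderBooks(findBookSafe($db, $title)) . "</ul>\n";
```

The prepared-statement version is the one to reach for by default; the quoting version exists for code that cannot use PDO yet, and a DAL such as Zend_Db wraps one of these two mechanisms so that application code never assembles SQL by hand.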



Chris Shiflett's Blog:
Google Code Search for Security Vulnerabilities
October 06, 2006 @ 06:49:21

Recently, Google released a new service for their search engine, Google Code Search. It allows developers to look through and locate items in public source code through the simple Google interface we're all used to. As it turns out, the same search can also surface security problems, and Chris Shiflett shares some of these in his latest post.

Stephen de Vries sent an email to SecurityFocus's web application security mailing list earlier today to comment on the new Google Code Search: "Google's code search provides an easy way to find obvious software flaws in open source and example applications."

Chris talks about cross-site scripting problems, issues with the superglobals, SQL injection problems, and even misplaced trust in the $_SERVER superglobal. Each item is linked to its search terms on Code Search to make it easy to locate.





All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework