Comments on: The Problem With PHP Application Security http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/ J_K9 Sat, 11 Oct 2008 21:45:51 +0000 http://wordpress.org/?v=2.1.3 By: Andrew van der Stock http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-11490 Andrew van der Stock Mon, 15 Jan 2007 18:15:05 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-11490 We have updated filters coming soon, which will bring Stinger levels of input validation, along with: CSRF library AntiXSS library with hard core escaping Keep watching. :-) Andrew van der Stock Executive Director, OWASP We have updated filters coming soon, which will bring Stinger levels of input validation, along with:

CSRF library
AntiXSS library with hard core escaping

Keep watching. :-)

Andrew van der Stock
Executive Director, OWASP

]]> By: J_K9 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-11496 J_K9 Mon, 15 Jan 2007 21:06:19 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-11496 Excellent! I'm actually writing a short tutorial at the moment about using your PHP filters to secure user input, which should help those new to PHP to secure their web apps. I'm focusing mainly on the paranoid filter function, but that is too extreme for some situations so I intend to outline the usage and appropriate situations for the other filtering functions. Thanks for letting me know - I look forward to the updated filters ;) Excellent! I’m actually writing a short tutorial at the moment about using your PHP filters to secure user input, which should help those new to PHP to secure their web apps. I’m focusing mainly on the paranoid filter function, but that is too extreme for some situations so I intend to outline the usage and appropriate situations for the other filtering functions.

Thanks for letting me know - I look forward to the updated filters ;)

]]> By: Cd-MaN http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-12900 Cd-MaN Sun, 28 Jan 2007 17:30:27 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-12900 Being a long time PHP programmer I think that the PHP language is a little "tackled" together and this shows: -creating a common API to allow unified access to both local and remote files feels more like a "cool factor" than a feature which would be useful. -only the recently released mysqli interface has support for prepared queries (and even that has a braindead interface). Compare this with the perl DBI interface which had support for prepared queries independent of the database driver (because it implements its own SQL parser) since 1991 (that's right, for more than 15 years) -what other language is there with an .ini file? :-) Being a long time PHP programmer I think that the PHP language is a little “tackled” together and this shows:

-creating a common API to allow unified access to both local and remote files feels more like a “cool factor” than a feature which would be useful.

-only the recently released mysqli interface has support for prepared queries (and even that has a braindead interface). Compare this with the perl DBI interface which had support for prepared queries independent of the database driver (because it implements its own SQL parser) since 1991 (that’s right, for more than 15 years)

-what other language is there with an .ini file? :-)

]]> By: Cd-MaN http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-12912 Cd-MaN Sun, 28 Jan 2007 20:03:02 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-12912 It's me again :D I've put together a short list which can server as a starting point for securing your PHP code, both from a coder and a sysadmin perspective: <a href="http://hype-free.blogspot.com/2007/01/php-coders-of-world-secure-your-code.html" rel="nofollow">http://hype-free.blogspot.com/2007/01/php-coders-of-world-secure-your-code.html</a> It’s me again :D

I’ve put together a short list which can server as a starting point for securing your PHP code, both from a coder and a sysadmin perspective: http://hype-free.blogspot.com/2007/01/php-coders-of-world-secure-your-code.html

]]> By: J_K9 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-12915 J_K9 Sun, 28 Jan 2007 20:17:18 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-12915 I agree, Cd-MaN - I'm not quite sure what the advantages of being able to include remote files is, and why this "feature" would be enabled by default is beyond me. I've just finished coding a login brute force protection system, so I'm hoping to open source the code as soon as I get a chance to clean it up and comment it properly :) And thanks for that excellent list - it deserves some exposure, so I suggest you submit it to sites like LinuxSecurity.com and LXer.com. That'll hopefully allow a few more people to be taught how to secure their code! Another good article I've recently come across is this one: http://www.owasp.org/index.php/PHP_Top_5 I agree, Cd-MaN - I’m not quite sure what the advantages of being able to include remote files is, and why this “feature” would be enabled by default is beyond me.

I’ve just finished coding a login brute force protection system, so I’m hoping to open source the code as soon as I get a chance to clean it up and comment it properly :)

And thanks for that excellent list - it deserves some exposure, so I suggest you submit it to sites like LinuxSecurity.com and LXer.com. That’ll hopefully allow a few more people to be taught how to secure their code!

Another good article I’ve recently come across is this one: http://www.owasp.org/index.php/PHP_Top_5

]]> By: Anonymous http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-369789 Anonymous Thu, 03 Apr 2008 03:41:15 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-369789 <strong>Pubesent Teens...</strong> Pubesent Teens... Pubesent Teens…

Pubesent Teens…

]]> By: Anonymous http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-371091 Anonymous Fri, 04 Apr 2008 06:49:07 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-371091 <strong>Abigail Fraser Free Hardcore Video...</strong> Abigail Fraser Free Hardcore Video... Abigail Fraser Free Hardcore Video…

Abigail Fraser Free Hardcore Video…

]]> By: Cipro shipping. http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-469673 Cipro shipping. Mon, 09 Jun 2008 18:36:28 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-469673 <strong>Cipro shipping....</strong> Cipro shipping.... Cipro shipping….

Cipro shipping….

]]> By: Vestra reboxetine. http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-532627 Vestra reboxetine. Fri, 18 Jul 2008 21:28:26 +0000 http://wolphination.com/linux/2007/01/13/the-problem-with-php-application-security/#comment-532627 <strong>Reboxetine....</strong> Vestra reboxetine. Reboxetine edronax. Reboxetine.... Reboxetine….

Vestra reboxetine. Reboxetine edronax. Reboxetine….

]]>