The Problem With PHP Application Security

January 13, 2007 on 9:40 pm | In Security, PHP | 7 Comments

PHP application security and the vulnerabilities which are often found in PHP apps have already been discussed at length. PHP is a great language, but it suffers in that it provides no simple method of escaping special characters when handling input and thus leaves many budding programmers’ web applications vulnerable to remote file inclusion (RFI) exploits, Cross Site Scripting (XSS), SQL injection and a host of other remote exploitation techniques which may allow the attacker to steal confidential data (such as clients’ credit card details), disrupt services and cause many other problems. These techniques allow the attackers to use the web application to do things it was not originally designed for.

The programmer in question can be blamed to a certain extent for not reading up on how to secure their web application, but the problem is that many new programmers are not aware of the fact that they need to escape and clean the data they receive from the application’s inputs in order to stop it from doing what it was not designed to do. They are probably unaware that such types of attacks exist anyway. However, PHP provides limited, complex and slightly obscure functions to secure input handling, which are usually insufficient and lack the functionality required to prevent certain attacks. Worse still, many books and tutorials written to teach people with no previous experience how to code in PHP usually omit secure data handling techniques or tips, and provide examples throughout the book/tutorial which are vulnerable to the attacks mentioned above! This is irresponsible on the authors’ behalf: it’s no wonder that PHP application vulnerabilities accounted for 43% of the security issues found in 2006.

However, all hope is not lost. The Open Web Application Security Project (OWASP) have produced a set of PHP filters which allow the newest of PHP programmers to secure their input data handling methods. Doing so is as simple as downloading the filters, including them in the web app (with a command such as require_once('sanitize.inc.php')), storing the input in a variable and then sanitizing the data as shown on the project’s homepage.

It would be better if the PHP developers added functions such as OWASP’s PHP filters into the PHP code itself and if the authors of PHP instruction material added sections on securing input handling, but these filters are far better than nothing ;)
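As an added example (not code from the post or from the OWASP filters), here is how the three input-handling problems the post names can be handled with PHP's own standard functions; it assumes PHP 7 or later, a PDO connection in `$db`, a `users(id, name)` table and a `templates/` directory, all of which are hypothetical.

```php
<?php
// Added example, not from the post or OWASP. Assumes a PDO connection $db,
// a table users(id, name) and a templates/ directory (all hypothetical).

// 1. XSS: input echoed into HTML must be encoded for the HTML context.
function render_name(string $name): string {
    // Weak form the post warns about: return "<p>Hello $name</p>";
    return '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// 2. SQL injection: keep data out of the query text with a prepared statement,
//    so no escaping of special characters is needed at all.
function find_user(PDO $db, string $id): ?array {
    // Weak form: $db->query("SELECT * FROM users WHERE id = $id");
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Remote file inclusion: input never reaches include(); the request value
//    is only a key into a fixed allowlist of local files.
function load_page(string $page): void {
    // Weak form: include($_GET['page'] . '.php');
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($allowed[$page])) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/templates/' . $allowed[$page];
}

// Wiring: read each input with a default instead of assuming it exists.
$name = $_GET['name'] ?? 'guest';
echo render_name($name);
load_page($_GET['page'] ?? 'home');
```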

Project X In Full Throttle

December 18, 2006 on 3:07 am | In Sites, Programming, PHP | 5 Comments

I’m currently working on a commercial web project (written in PHP, of course) which will be released at 00:00 GMT on the 25th December. I shall earn 50% of the profits (booyah :P) which, considering that it was my idea and I both designed and coded it, is not a bad deal! Hehe… In case you’re wondering who the remaining 50% will go to, it will go to my father who has funded the project (by renting a (dv) server from (mt), purchasing the SSL certificate, Mint (I paid for that) and a laptop to code it on) and managed the business side of things (such as setting up a bank account for the project and touching up the legal documents which I had drafted).

I can’t reveal too many details (i.e. anything), so I’ll just say this: I thought of it by following some advice I read somewhere - by lying down on a sunbed with my notepad and a pen and just waiting for the thought to hit me. Oddly enough, it did, and from there I developed the idea into a grander project.

I haven’t finished coding it yet and I’ve only got seven days until it debuts - crap, I better get coding ;)

Converting HTML To BBCode

March 7, 2006 on 9:01 pm | In PHP | 21 Comments

I am currently learning PHP, so I set out to write an application which would convert my HTML-coded tutorials into BBCode suitable for forums. It goes without saying that my code failed miserably. I was not too far off though; I got the general gist of it. So, I decided to ask the wonderful guys and gals on the ‘General user’ PHP mailing list (which, by the way, means what it says about being of very high volume!), and they came up with a solution.

