Since the topic of securing web-based applications written in PHP
is again a timely one, this note is to share some resources related
to that topic.
(I'm not a PHP programmer, so I'm sending these without first-hand
knowledge of the topic and without assessment of the quality of these
references; hopefully this will help spur some commentary and perhaps
additional resources from members of these lists.)
Aron Roberts
Information Services and Technology
--
At 16:28 -0700 2007-06-20, IST's Sarah Jones wrote:

>From Bill Allison, IST Web Applications manager:
>
>>While it's possible to do good PHP development, the language is
>>very forgiving about bad practices and hasn't fostered strong
>>commonality of practices, nomenclature etc., whereas other
>>languages (and their associated frameworks & toolsets) provide more
>>structured and one would hope, safer options. ...
>>
>>For people thinking about doing PHP on campus, I'd recommend the
>>following reading:
>>
>>http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
>>
>>Essential PHP Security
>>http://proquest.safaribooksonline.com/059600656X
>>
>>On web security more generally, IST participates in the San
>>Francisco chapter of OWASP (http://www.owasp.org/). The website
>>provides information on security, as well as tools to help examine
>>an application's vulnerabilities.

--
At 13:37 -0400 2007-06-18, Rich Bowen (a web application programmer at Asbury College, KY) wrote on the uwebd list [University and College Webmasters/University Web Developers]:

>The problem is of course not so much with PHP and MYSQL, but the
>fact that there's so much bad PHP code out there that doesn't
>concern itself with basic input validation. However, PHP6 will take
>great strides in being even more paranoid about user input, for
>programmers who aren't careful enough on their own. ...
>
>The most concise statement of what you need to do is: "Assume all
>user input is malicious." Most PHP exploits come from assuming that
>user input is safe, and then using it directly in either file access
>or database queries.
>
>There are several good online resources, but the best is the
>official PHP security guide, here: http://phpsec.org/projects/guide/
>It is long, but very much worth your time to read the whole thing.
>
>If you want to buy something, you should get Chris Shiflett's book -
>http://phpsecurity.org/
>Chris is the expert on this, and speaks at numerous conferences on
>the topic. He is always understandable and practical, rather than
>dwelling on high-level theory. I highly recommend this book.

--
At 16:05 -0400 2007-08-10, Bill Dennen wrote (on the uwebd list):

>I'm a fan of SmartyValidate, which is a Smarty plugin.
>
>http://www.phpinsider.com/php/code/SmartyValidate/
>
>and
>
>http://smarty.php.net/
>
>You also might be interested in:
>
>http://www.owasp.org/index.php/OWASP_PHP_Filters

--
At 09:58 -0500 2007-08-13, Brett Bieber <http://saltybeagle.com/> wrote (on the uwebd list):

>I use mostly built-in tools for filtering incoming data... the
>external tools I use are PEAR packages, and I'll second the Validate
>package, as well as HTML_Safe (
>http://pear.php.net/packages/HTML_Safe/ )
>
>For database interaction I use prepared statements to avoid
>mishandling any unescaped data. If I don't use prepared statements, I
>use the database specific quote/escape functions for field data.
>
>For handling output, I use htmlentities and htmlspecialchars, as well
>as urlencode.
>...
>you can't mention security and PHP in the same sentence without also
>mentioning Chris Shiflett --- http://shiflett.org/
>Check out his book if you're interested in reading more.
>
>For those that want a quick cheat sheet, Davey Shafik made a handy pdf
>on filtering and escaping which some might find useful -
>http://www.pixelated-dreams.com/archives/231-Filtering-Escaping-Cheat-Sheet.html

Received on Wed Sep 05 2007 - 12:17:40 PDT
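The three habits the quoted messages keep coming back to (treat every request value as untrusted and validate it, keep data out of the SQL text with prepared statements, and escape output for the context it lands in with htmlspecialchars/htmlentities and urlencode) fit in one short page. The following PHP is an added example written for this archive page; it is not code from the original message or from any of the quoted authors. The `users` table, its columns, the DSN and the credentials are placeholders, and the function names are invented for the illustration.

```php
<?php
// Added example, not from the original message or its quoted authors.
// Assumed (hypothetical) schema: users(id INT, email VARCHAR, display_name VARCHAR).
// DSN, credentials and table name below are placeholders.

// 1. Input: every request value is untrusted until its shape has been checked.
//    filter_var() is one of PHP's built-in filtering tools; it returns false
//    for anything that is not an integer string in the allowed range.
function readUserId(array $request): ?int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// 2. Database: a prepared statement sends the query text and the value
//    separately, so the value is never parsed as SQL. This replaces the
//    pattern the list warns about, building the query by concatenating
//    request data into the SQL string.
function findUserById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, email, display_name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Output: escape for the destination context.
//    HTML text or attribute -> htmlspecialchars with ENT_QUOTES and an explicit charset.
//    URL query component    -> urlencode, applied before the URL is then HTML-escaped.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderProfile(array $user): string
{
    $profileUrl = '/profile.php?email=' . urlencode($user['email']);
    return '<a href="' . e($profileUrl) . '">' . e($user['display_name']) . '</a>';
}

// Wiring it together (placeholder DSN and credentials).
$db = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use the server's native prepared statements
    ]
);

$id = readUserId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid user id');
}

$user = findUserById($db, $id);
if ($user === null) {
    http_response_code(404);
    exit('No such user');
}

echo renderProfile($user);
```

Two points worth noticing in the example: the escaping functions are chosen per destination (urlencode for the query string, then htmlspecialchars for the attribute that carries the URL), because a value that is safe in one context is not automatically safe in another; and the charset is passed explicitly to htmlspecialchars so the escaping agrees with the page encoding. Where prepared statements are not available, the fallback Brett Bieber mentions, the database-specific quote/escape function, must likewise be the one matching the connection's character set.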