DevShed:
Database Security Guarding Against SQL Injection
November 11, 2008 @ 07:54:31

DevShed finishes off their series on database security in PHP applications with this look at protecting your application and data from the threat of SQL injections.

In this article we will continue to explore various attacks that can be made on a database and how to prevent these attacks. We will also build the last page of our site.

Their example script is a login for a secured area of the site, and it contains a possible injection point: non-validated user input. With something as simple as a single quote as the username, an attacker could learn more about your database structure and use that to get further into your systems. To avoid this, they recommend escaping input with the mysql_real_escape_string function as a first line of defense.




DevShed:
Database and Password Security for Web Applications
November 03, 2008 @ 12:59:40

DevShed continues their look at security in (PHP) web applications in this next-to-last part of their series, which focuses on database and password security.

In this article we will discuss security for databases accessed through the Internet. We will also examine the issue of password management, since handling that task properly will help us make our web site and its applications more secure.

They continue to use their "Internet cafe" application as an example to show proper escaping practices and the creation of a password management script (including validation of the password format), and they include a full listing of the code so far.



DevShed:
Building Site Registration for Web Application Security
October 29, 2008 @ 09:33:02

DevShed continues their look at web application security with part six of the series - a look at creating a registration form your site's visitors can use to create accounts/logins.

In this article we will be exploring the registration script of our site. This script is responsible for registering new users for the website. We will also be looking at database security; since the registration script also uses a database table, we will implement some of the concepts that we will be discussing.

Their example is relatively simple: it checks that none of the fields are empty, that the two password fields match and that the email address is in a valid format (using a regular expression). If all checks pass, the record is inserted into a MySQL table that stores current user information.



DevShed:
Authentication for Web Application Security
October 14, 2008 @ 07:58:27

In this new tutorial from DevShed, they continue the series looking at developing a simple web application with security being one of its primary goals.

In the last article we started to build our site and then continued to explore the login script. In this article we will continue to explore the script but will also discuss in detail the process of authentication and its security implications. We will eventually look at some of the common attacks that are perpetrated by malicious users.

This fourth part of the series adds the authentication piece to the puzzle - a simple system that does some form validation and checks the input against a MySQL table (users). Full code explanation and example usage is included.



DevShed:
Filters and Login Systems for Web Application Security
October 06, 2008 @ 13:43:15

DevShed continues their look at security in PHP applications in this third part of the series, a focus on filtering and login systems for your applications.

Any web site that is selective in the kind of users that it wants to grant access to will need some method of filtering. This filtering is usually done through a login system. This (and more) is what we will be building.

The site is made up of a few key components: login/logout pages, password management, a registration page and various configuration and settings files. They include everything you'll need, including the HTML and CSS to make things look exactly the same. The backend uses a MySQL database to store the users and their account information.



Symfony Blog:
Security must be taken seriously
October 03, 2008 @ 08:49:25

On the symfony blog, Fabien Potencier reminds all symfony developers that the security of their application must be taken seriously and that, despite the built-in protection the framework offers, there could still be issues.

The symfony framework has always provided the tools needed by the developers to secure their applications. With the new form framework, we have added an automatic protection against CSRF. Speaking of the form framework, we have also added a lot of security features to protect you against all sort of injections.

He does include an example, though, of a situation where it's not just about protecting against cross-site scripting or injection attacks. It's about checking user input to ensure it is what it should be. He gives the example of a user adding an "is_admin" value to a form submission where no such field existed, so that the corresponding column is updated and grants them admin rights.

He mentions some work the Rails team has done to prevent this sort of thing automatically, but Fabien points out what the symfony framework already does: it rejects any submitted fields that are not defined in the form, so injected fields are never included.



IBM DeveloperWorks:
Seven habits for writing secure PHP applications
October 01, 2008 @ 10:28:55

The IBM DeveloperWorks site has posted some advice that can help keep you, your application and your data safe from security-related attacks.

Security in a PHP application includes remote and local security concerns. Discover the habits PHP developers should get into to implement Web applications that have both characteristics.

The habits in their list are:

  • Validate input
  • Guard your file system
  • Guard your database
  • Guard your session
  • Guard against XSS vulnerabilities
  • Guard against invalid posts
  • Protect against CSRF

Each comes with its own explanation and, for some, code to help you spot the mistakes and correct them.



DevShed:
Structuring Your Projects for Web Application Security
September 30, 2008 @ 07:53:56

This new tutorial, posted by DevShed today, talks about planning for your application's security and offers some handy tips you can use to keep it safe.

In this article we will look at how to start a project while considering its related security issues. We will focus on form validation as well as other topics such as site structures. To demonstrate the topics that we will be discussing, we will create a site that will enable a user to log in, log out, register and manage passwords.

They look at things like the overall structure of the site (including how it lives on the file system) and protecting your application from dangerous user input through forms.



DevShed:
Web Application Security Overview
September 22, 2008 @ 14:42:51

DevShed starts off a new series today focusing on security in web applications, specifically in PHP-based ones, with this first article - an overview.

With the web and web sites open to everyone -- including malicious hackers -- the security of web applications sits at the top of the list of issues on any web developer's mind. In this eight-part series, we will look at the security concerns of PHP developers, and what they can do to make their web applications more secure.

They talk about the importance of having a security plan from the start and look at a few simple steps to get started with in enhancing your application's security: the proper handling of register_globals, using error reporting to catch problems correctly and how to minimize the code exposure of your app.



PHPro.org:
PHP Security
September 18, 2008 @ 12:04:31

Kevin Waterson has posted a new article to his site today - an introductory look at security in your PHP applications.

One of the great benefits of PHP is its ease of access to newcomers. Its entry level is minimal and so attracts those looking for simple scripts for their sites. It is this same ease of access that becomes a problem as the newcomers begin to deal with input from users. Failure to adequately validate and sanitize data is the leading cause of security problems when dealing with PHP.

He looks at a few different areas that developers need to focus on (and be sure to filter on) like PHP_SELF, protection from email header injections, file inclusion and the use of error reporting to make handling user-generated errors "more correct".




All content copyright, 2008 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework