Some potential resources regarding PHP webapp security
2007-09-05 14:09:44
   Since the topic of securing web-based applications written in PHP is again a timely one, this note is to share some resources related to that topic.

   (I'm not a PHP programmer, so I'm sending these without first-hand knowledge of the topic and without assessment of the quality of these references; hopefully this will help spur some commentary and perhaps additional resources from members of these lists.)

Aron Roberts
Information Services and Technology

--

At 16:28 -0700 2007-06-20, IST's Sarah Jones wrote:
>
>From Bill Allison, IST Web Applications manager:
>
>>While it's possible to do good PHP development, the language is very forgiving about bad practices and hasn't fostered strong commonality of practices, nomenclature etc., whereas other languages (and their associated frameworks & toolsets) provide more structured and, one would hope, safer options. ...
>>
>>For people thinking about doing PHP on campus, I'd recommend the following reading:
>>
>>http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
>>
>>Essential PHP Security
>>http://proquest.safaribooksonline.com/059600656X
>>
>>On web security more generally, IST participates in the San Francisco chapter of OWASP (http://www.owasp.org/). The website provides information on security, as well as tools to help examine an application's vulnerabilities.

--

At 13:37 -0400 2007-06-18, Rich Bowen (a web application programmer at Asbury College, KY) wrote on the uwebd list [University and College Webmasters/University Web Developers]:
>
>The problem is of course not so much with PHP and MySQL, but the fact that there's so much bad PHP code out there that doesn't concern itself with basic input validation. However, PHP6 will take great strides in being even more paranoid about user input, for programmers who aren't careful enough on their own. ...
>
>The most concise statement of what you need to do is: "Assume all user input is malicious." Most PHP exploits come from assuming that user input is safe, and then using it directly in either file access or database queries.
>
>There are several good online resources, but the best is the official PHP security guide, here: http://phpsec.org/projects/guide/
>It is long, but very much worth your time to read the whole thing.
>
>If you want to buy something, you should get Chris Shiflett's book - http://phpsecurity.org/
>Chris is the expert on this, and speaks at numerous conferences on the topic. He is always understandable and practical, rather than dwelling on high-level theory. I highly recommend this book.

--

At 16:05 -0400 2007-08-10, Bill Dennen wrote (on the uwebd list):
>
>I'm a fan of SmartyValidate, which is a Smarty plugin.
>
>http://www.phpinsider.com/php/code/SmartyValidate/
>
>and
>
>http://smarty.php.net/
>
>You also might be interested in:
>
>http://www.owasp.org/index.php/OWASP_PHP_Filters

--

At 09:58 -0500 2007-08-13, Brett Bieber <http://saltybeagle.com/> wrote (on the uwebd list):
>
>I use mostly built-in tools for filtering incoming data... the external tools I use are PEAR packages, and I'll second the Validate package, as well as HTML_Safe ( http://pear.php.net/packages/HTML_Safe/ )
>
>For database interaction I use prepared statements to avoid mishandling any unescaped data. If I don't use prepared statements, I use the database specific quote/escape functions for field data.
>
>For handling output, I use htmlentities and htmlspecialchars, as well as urlencode.
>...
>you can't mention security and PHP in the same sentence without also mentioning Chris Shiflett --- http://shiflett.org/
>Check out his book if you're interested in reading more.
>
>For those that want a quick cheat sheet, Davey Shafik made a handy pdf on filtering and escaping which some might find useful -
>http://www.pixelated-dreams.com/archives/231-Filtering-Escaping-Cheat-Sheet.html
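The following is an added example, not part of Aron Roberts's message or any of the quoted posts. It puts Rich Bowen's "assume all user input is malicious" advice and Brett Bieber's list of defences (prepared statements, the driver's own quoting function as a fallback, htmlspecialchars and urlencode on output) into one runnable PHP script, using only the PDO/pdo_sqlite extension that ships with PHP so it needs no server. The table, the attacker-controlled strings and the `templates` directory name are all constructed for the demo.

```php
<?php
// Added example, not code from the original message or the quoted posts.
// Covers the three sinks the thread names: database queries, file access,
// and output. Everything below (table, inputs, "templates" directory) is
// constructed for the demonstration.

declare(strict_types=1);

// ---- Database queries: string-building vs. prepared statement -----------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL you would also turn off client-side emulation so the server
// itself parses the statement before it ever sees the bound values:
//   $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin')");
$db->exec("INSERT INTO users (name, role) VALUES ('bob', 'user')");

// Constructed attacker-controlled value, e.g. what $_GET['name'] might hold.
$name = "nobody' OR '1'='1";

// Vulnerable: the value is spliced into the SQL text, so its quote closes the
// string literal and the OR becomes part of the query. Every row comes back.
$rows = $db->query("SELECT name FROM users WHERE name = '$name'")
           ->fetchAll(PDO::FETCH_COLUMN);
echo 'string-built query matched ' . count($rows) . " row(s)\n";

// Fixed: the statement is prepared first and the value is bound as data, so
// quote characters cannot change the query's structure. Nothing matches.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
echo 'prepared statement matched ' . count($stmt->fetchAll(PDO::FETCH_COLUMN)) . " row(s)\n";

// Fallback when a prepared statement is not an option: the driver's own
// quoting function, which escapes for this particular database's syntax.
$rows = $db->query('SELECT name FROM users WHERE name = ' . $db->quote($name))
           ->fetchAll(PDO::FETCH_COLUMN);
echo 'driver-quoted query matched ' . count($rows) . " row(s)\n";

// ---- File access: allow-list the name rather than stripping "../" -------
function templatePath(string $userValue, string $baseDir): ?string
{
    // Only a short, plain identifier is accepted; anything else (path
    // separators, dots, NUL bytes) is rejected outright, not "cleaned up".
    if (preg_match('/\A[a-z0-9_-]{1,40}\z/', $userValue) !== 1) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $userValue . '.tpl';
}

foreach (['welcome', '../../../../etc/passwd', "welcome\0.php"] as $candidate) {
    $path = templatePath($candidate, 'templates');
    echo str_pad(json_encode($candidate), 30) . ' -> ' . ($path ?? 'rejected') . "\n";
}

// ---- Output: escape for the context you are writing into ----------------
$comment = '<script>alert(1)</script>" onmouseover="alert(2)';

// HTML text and attribute context: ENT_QUOTES escapes both quote styles, and
// naming the charset stops multibyte sequences being misread.
$html = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
echo "<p>{$html}</p>\n";
echo "<input value=\"{$html}\">\n";

// URL query-string context needs its own encoder: characters such as & and =
// are harmless in HTML text but are parameter delimiters inside a URL. The
// finished URL is then HTML-escaped as well, because it lands in an attribute.
$href = htmlspecialchars('/search?q=' . urlencode($comment), ENT_QUOTES, 'UTF-8');
echo "<a href=\"{$href}\">search</a>\n";
```

Run it with `php example.php`. The point to take away is that escaping is chosen by the destination, not by the source: the same string is bound as a parameter for SQL, allow-listed before it becomes a filename, and encoded once per layer (URL, then HTML) on the way out.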

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu/

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet. This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
