brainbulb.com— Nice flash presentation that will provide you with a good foundation on how to make your PHP apps more secure.
Jun 30, 2006
vegasbright, Jun 30, 2006
This looks like it was thrown together by a retarded earwig.
sebth, Jun 30, 2006
For the people complaining about the lack of explanation: notice that it's called PHP Security by Example. That's exactly what it is, examples. Maybe you don't like that kind of teaching, but if you already know the theory and just want to see examples it is great. I agree that it would have been much better in an HTML page instead of SWF.
doncornelius, Jun 30, 2006
The idea was right, but the presentation was low on details. "Exploit any XSS holes you can find" prompting doesn't really open the door for beginners. Hopefully, the book does a better job with this! Maybe this presentation is meant for people who already know something about PHP/web code security. This is an important topic - a lot of developers don't care at all about security other than a password form. However, the quality of the presentation is too low to give a digg.
gizmola, Jul 4, 2006
No actually it was accurate, albeit missing the specifics of what would have made it XSS. The enabling technology is javascript. He shows how someone could craft input that fools a site into inadvertently accepting javascript. That in itself isn't an issue until that javascript is emitted back onto a page. The solution is to filter the input. While it's not the only way an XSS exploit could be injected in PHP, it's the most typical one. In this case he doesn't need to actually demonstrate a working exploit, when the solution is the same regardless.
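As an added illustration of the reflected case gizmola describes (example code written for this page, not from the presentation or any commenter; the "name" parameter and the greeting page are assumed), here is the same echo in its vulnerable form beside a hardened one that encodes at output time:

```php
<?php
// Added example, not from the presentation or the thread.
// Assumes a page that echoes a "name" query parameter back into its HTML.

// Vulnerable: untrusted input is emitted into HTML unchanged, so any markup
// or script the client supplies becomes part of the page the browser runs.
function greet_unsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: encode for the HTML text context at the point of output.
// Filtering on input (as suggested above) is a useful extra layer, but output
// encoding is what makes the browser treat the value as text, not markup.
// Note: a value placed inside an attribute, a URL or inline JavaScript needs
// encoding for that context instead; htmlspecialchars() alone is not enough there.
function greet_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, " . $encoded . "</p>";
}

// Constructed sample input standing in for $_GET['name'].
$input = '<script>alert(1)</script>';

echo greet_unsafe($input), PHP_EOL;   // script element reaches the page intact
echo greet_safe($input), PHP_EOL;     // &lt;script&gt;... is rendered as literal text

// Regression check: user data never produces a raw '<' in the safe output.
assert(strpos(greet_safe($input), '<script') === false);
```

Run it with `php example.php`; the first line of output is what an attacker's browser would execute, the second is harmless text.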
pshanks, Aug 5, 2006
I'm not crazy about flash (or proprietary web technology in general). Some flash aficionados go way overboard, doing entire sites in flash, navigation and all (http://www.tribalddb.com/). If you don't use the plug-in, you don't get in. That's what I call bad web -- disabling a plug-in shouldn't disable the whole site. On the other hand, the same could be said of javascript, but that is a native part of the browser, so if there is a security flaw, you can try a different browser. I prefer to keep most of the plug-ins in my browser disabled for security reasons, and would rather see people make better use of open and standardized client side technologies. I do not usually go so far as to disable javascript, but there are now good ways to white list javascript-enabled sites (at least in FFox). That being said, check out http://meyerweb.com/eric/tools/s5/ for a good way to make web presentations without plug-ins. And finally, here is an example of what flash *is* good for: http://www.badgods.com/