PHP Security by Example
brainbulb.com — Nice flash presentation that will provide you with a good foundation on how to make your PHP apps more secure.
- 1065 diggs
- Xoligy, on 10/12/2007, -0/+9: Most of them aren't even PHP specific and should be applied to any web language.
- sensor, on 10/12/2007, -1/+12: They just identify the problems and don't even try to explain how to fix them. This is just some sort of an advertisement for this awful book.
- veza, on 10/12/2007, -6/+3: Book is available soon... Hmm, well, I think I'll pick it up from ebookshare.
- Bogtha, on 10/12/2007, -3/+4: Chris Shiflett resorting to lame marketing tactics? Never!
http://blog.php-security.org/archives/29-Chris-Shiflett-once-again-proves-his-poor-character.html
- dork101, on 10/12/2007, -8/+2: Who the ***** is Chris Shiflett?
Christopher Aubrey Shiflett (born May 6, 1971) is a guitarist for the Foo Fighters, joining the band after the release of their third album, There is Nothing Left to Lose. - http://en.wikipedia.org/wiki/Chris_Shiflett
WTF ..
- b0n0, on 10/12/2007, -2/+2: Hackers are much more interested in your Desktop than some Webserver nowadays:
http://travelingforever.com/blogs/?p=17
- sathia, on 10/12/2007, -11/+6: i'll never watch a _tutorial_ in *.swf
- ajck, on 10/12/2007, -3/+5: Despite the other cynical comments here, I actually thought it was pretty good. If you have a small bit of intelligence it does actually show you how to fix the problems as well as describing them, and I've directly used some of the examples in the commercial websites I'm developing.
So, good find.
- oepapel, on 10/12/2007, -3/+3: "it does actually show you how to fix the problems as well as describing them, and I've directly used some of the examples in the commercial websites I'm developing."
If these tips helped you in a commercial website, then you should refund your customers' money because you have no business writing software. The last thing the world needs is another PHP programmer that doesn't understand security.
- philo23, on 10/12/2007, -5/+3: personally i don't think that deserves a digg, i believe it's not quite good enough, swf isn't meant for slideshows, would have been nice in a framed page with section titles in a side frame. swf however doesn't give this slide show justice, the content's good but the design/layout is not to be wished for.
- A1kmm, on 10/12/2007, -4/+1: The main example was that you shouldn't encourage your users to install risky code like SWF viewers :) Seriously, to show examples of code, what is wrong with plain old HTML 2.0 (or at most XHTML with Javascript)? Requiring SWF hurts portability, accessibility, usability, and client security at the same time.
- vegasbright, on 10/12/2007, -1/+5: This looks like it was thrown together by a retarded earwig.
- JiveTurkeyPunk, on 10/12/2007, -1/+7: Not all earwigs are retarded... please don't generalize.
- dbr_onix, on 10/12/2007, -0/+2: Link to the class-files for the lazy : http://brainbulb.com/php-security-by-example.tar.gz
..I don't quite get the anti-Flash (???) people, it's hardly the prettiest slideshow ever, but it could have been a powerpoint with lots of tacky transitions, with animated gif backgrounds etc.. The only thing it's missing is a previous-slide button..
- Ben
- pshanks, on 10/12/2007, -1/+0: I'm not crazy about flash (or proprietary web technology in general). Some flash aficionados go way overboard, doing entire sites in flash, navigation and all (http://www.tribalddb.com/). If you don't use the plug-in, you don't get in. That's what I call bad web -- disabling a plug-in shouldn't disable the whole site. On the other hand, the same could be said of javascript, but that is a native part of the browser, so if there is a security flaw, you can try a different browser.
I prefer to keep most of the plug-ins in my browser disabled for security reasons, and would rather see people make better use of open and standardized client side technologies. I do not usually go so far as to disable javascript, but there are now good ways to white list javascript-enabled sites (at least in FFox).
That being said, check out http://meyerweb.com/eric/tools/s5/ for a good way to make web presentations without plug-ins.
And finally, here is an example of what flash *is* good for: http://www.badgods.com/
- dork101, on 10/12/2007, -0/+3: There's no way you can click 'back'. Even if it's there, probably it's hidden.
- dbr_onix, on 10/12/2007, -0/+6: Just noticed : http://brainbulb.com/talks/php-security-by-example.pdf
PDF version of the slide show
- Ben
{Edit : Why does the edit timer randomly start at 50 seconds?}
- dork101, on 10/12/2007, -2/+3: Much better.
- amed, on 10/12/2007, -2/+3: That was the most useless presentation ever. This dude needs to be slapped and learn how to give a proper presentation. Here are a few pointers, Chris, just in case you like to check back on your readers:
- Back button
- Screenshots
- More information on the problem and solution
- Summarization
- preview on the book ( the back cover would be nice )
- sebth, on 10/12/2007, -2/+3: For the people complaining about the lack of explanation : notice that it's called PHP Security by Example. That's exactly what it is, examples. Maybe you don't like that kind of teaching but if you already know the theory and just want to see examples it is great.
I agree that it would have been much better in an HTML page instead of SWF.
- joshfraz, on 10/12/2007, -0/+2: dugg because developers need to focus on security more. it blows my mind just how little most developers know about simple security issues like these.
- pdubois95, on 10/12/2007, -6/+0: I *would* have dugg this except for the fact that FLASH AIN'T GOT A 64 BIT PLAYER YET and I refuse to dirty my laptop with lame 32 bit binaries...
No digg for you fat boy!
- prockcore, on 10/12/2007, -4/+0: someone needs to learn what XSS means. His first example was retarded. Running javascript in your own browser is not XSS, there's no benefit. You might as well save the page locally and modify it for all the good it'll do you.
- gizmola, on 10/12/2007, -0/+2: No actually it was accurate, albeit missing the specifics of what would have made it XSS. The enabling technology is javascript. He shows how someone could craft input that fools a site into inadvertently accepting javascript. That in itself isn't an issue until that javascript is emitted back onto a page. The solution is to filter the input. While it's not the only way an XSS exploit could be injected in PHP, it's the most typical one. In this case he doesn't need to actually demonstrate a working exploit, when the solution is the same regardless.
- Jack9, on 10/12/2007, -1/+1: The flash presentation is nice. I would be interested in the actual lecture if I was REALLY bored and drunk.
The exploits are poorly explained and impractical for doing any damage unless you have some kind of hokey system that doesn't use sessions properly because you're kludging from PHP4.
$_SESSION['logged_in'] = TRUE; // What kind of moron does this? The session itself is A LOGGED SESSION
$_SESSION['admin'] = TRUE; // This would be more realistic
http://host/ex2.php?isbn=1234&quantity=1 // This is such a complex question and it's completely not dealt with (within the presentation). I use a user object that contains a session check and a user "homepage" that the user is redirected to when they (or their session) aren't authenticated, before the page loads further.
ajck is some kind of yes-man moron for saying this is worth anything, by itself.
- gizmola, on 10/12/2007, -0/+1: Jack9,
The examples are supposed to be trivial. For your first complaint, sorry, I don't agree. Leaving out whether or not the code is "real world" which of course it is not, having a php session indicates nothing other than a session was started. There are circumstances where someone hits a site, and a session is begun for that person, even though they haven't logged in, and in many cases, won't ever login. Perhaps you haven't had need of this, but many applications do.
My recollection on the second question was that he was asking what could be inferred in regards to a form that uses a POST method that can be manipulated with url parms. I think what he was suggesting was that the next logical question for someone looking to exploit the site is: is it using register globals on?
It's either going to be that, or it's going to be using the $_REQUEST. Otherwise, url parms would not be acceptable.
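A hardened version of the ex2.php-style order handler the thread keeps coming back to, written to cover the three technical points raised above: Jack9's session check before the page loads, gizmola's observation that query-string parameters only reach a POST form when register_globals or $_REQUEST is in play, and gizmola's earlier point that XSS input must be filtered and escaped. This is an added example, not code from the brainbulb slides or the book; the field names isbn and quantity come from the thread's URL, while $_SESSION['user_id'] and /login.php are assumed.

```php
<?php
// Added example (not from the brainbulb slides). Assumptions: the form POSTs
// "isbn" and "quantity", and a login handler has already stored the user's id
// in $_SESSION['user_id']; /login.php is a hypothetical login page.
declare(strict_types=1);
session_start();

// 1. Authorisation: rely on a value the login code sets, not on the mere
//    existence of a session. PHP starts a session for anonymous visitors too,
//    so "a session exists" says nothing about who is logged in.
if (empty($_SESSION['user_id'])) {
    header('Location: /login.php', true, 303);
    exit;
}

// 2. Accept the form only via POST and read $_POST explicitly. Reading
//    $_REQUEST (or running with register_globals on) would let the same
//    values arrive in the query string, as in ex2.php?isbn=1234&quantity=1;
//    with $_POST alone those URL parameters are simply ignored.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. Validate against a whitelist rather than trying to "clean" bad input:
//    ISBN-10 (X check digit allowed) or ISBN-13 digits, quantity 1..99.
//    filter_input() returns null when the field is absent and false when it
//    fails validation; both are rejected.
$isbn = filter_input(INPUT_POST, 'isbn', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^(\d{9}[\dX]|\d{13})$/']]);
$quantity = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 99]]);

if ($isbn === null || $isbn === false || $quantity === null || $quantity === false) {
    http_response_code(400);
    exit('Invalid order');
}

// 4. Escape on output as well: even validated data is HTML-escaped when it
//    is echoed back, so nothing that reaches the page can become script.
$safeIsbn = htmlspecialchars($isbn, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Added {$quantity} copies of ISBN {$safeIsbn} to your cart.</p>";
```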
- DonCornelius, on 10/12/2007, -0/+1: The idea was right, but the presentation was low on details. "Exploit any XSS holes you can find" prompting doesn't really open the door for beginners. Hopefully, the book does a better job with this! Maybe this presentation is meant for people who already know something about PHP/web code security.
This is an important topic - a lot of developers don't care at all about security other than a password form. However, the quality of the presentation is too low to give a digg.