The ramblings of web developer Beau Brownlee

Archive for the ‘ PHP ’ Category

Saturday, December 27th, 2008

A very overlooked part of PHP security is file uploading. A quick example: let's say that you have a file uploader with no security applied, so any file may be uploaded to the server. What if someone uploads a file that has a little extension by the name of ‘.php’? All that needs to be done now is to put a little script in that file that uses ‘fopen’ to read all the files and echo them out to the browser. Now we have all the source code (maybe even usernames/passwords if we’re lucky) to the entire application. Not only that, but now we can write SQL code to get all the data we want from the database. Then we could get really mean and update the database with some malicious JavaScript and have it download viruses or trojans onto the computers of all the users who visit the website. Now Google checks your website, realizes something bad is going on and decides to blacklist your website. Now Mr. User comes along to your website, and he’s using Firefox. Firefox checks with Google to see if it’s OK to visit the website, Google says ‘noooo’, Firefox puts up a really scary red screen with a hand and an exclamation point, and Mr. User gets scared and decides never to come to this ‘bad’ site again. Then Russia decides to launch ‘nucular’ missiles and we’re back in the Cold War…. OK, maybe not that last part, but pretty much all the stuff before the ‘nucular’ missiles I’ve experienced happening. So how do we stop the madness??

(more…)

Saturday, December 27th, 2008

Updated on 01/22/2009. There is no such thing as a 100% secure anything in this world of hackers/counter-hackers, especially when it comes to the world of web development. One of the many methods hackers use to infiltrate web applications is session fixation. Session fixation is a way that hackers can gain unauthorized access to another user’s login. So how do we guard against this?

(more…)

Saturday, October 18th, 2008

So what’s up with the hype?

JSON, the XML alternative

To really appreciate JSON it’s good to understand XML and why an alternative to XML exists. XML is a powerful, robust markup language that makes many things that were formerly very difficult much more feasible. One of those things is data interchange between different systems. Data interchange between different systems has always been possible; however, up until recent years it has been very difficult because of the lack of a unified protocol. These days most modern languages and DBMSs have XML parsing functions that allow you to grab the data that you need and search and filter your data with XPath. XML has many uses, everything from styling to configuration files to web services and site maps. More recently, XML has been used to encapsulate data in AJAX HTTP requests. XML is very powerful in that it is platform independent, so you can conceivably transfer data between multiple operating systems, languages, databases, and other systems and subsystems. You can see what XML looks like here (more…)

Saturday, August 2nd, 2008

What is it?

The Publish/Subscribe model allows you to build loosely coupled applications in which an event is ‘fired’ and subscribing functions ‘respond’. This can be very powerful, if implemented correctly, and provides your application with more scalability. (more…)

Tuesday, July 22nd, 2008

Site maps are important tools for webmasters to have some sort of control over how their sites are indexed. This doesn’t give ultimate control by any stretch of the imagination. Google and Yahoo will still index websites the way they will; a site map is more like a webmaster’s ‘tip’ to crawler bots, telling them what pages they should crawl, how often those pages change, and what kind of priority the crawler bots should give to certain pages.

(more…)

Thursday, March 27th, 2008

Here’s a handy little function. It comes in handy in many different situations, especially when parsing database results. Here’s a typical way to parse through a MySQL result set: (more…)

Tuesday, March 25th, 2008

The whole point of an IDE is to help you develop faster and with fewer errors. Eclipse PDT has many features that can help accomplish this, but if you don’t know what those features are and don’t use them, then you might as well just use Notepad. Here are a few shortcuts that I’ve found very helpful: (more…)

Thursday, March 20th, 2008

“OK, so I have a great text editor. Why do I need an IDE?” This is a very common question, especially among PHP developers. There are many different text editors that do a really good job when you need a basic text editor and maybe a little syntax highlighting. But what does a full-fledged IDE typically offer that a text editor does not? (more…)