Validate your input

An important thing to consider when accepting input from users is validation. PHP can perform powerful operations, and the problem is that it can also do powerful and bad things if a malicious user enters data that isn’t validated. Consider this: you accept input asking for a month or year, and a user decides to enter “";rm -rf *” after the year; if that value reaches a shell command unvalidated, it could cause the deletion of your whole website. Obviously, this is not a good thing, so what to do? Data validation is the answer. As the name suggests, it validates or verifies data, ensuring that it conforms to the expected form. […]

By | July 13th, 2010|Development, PHP|0 Comments

The importance of secure PHP code

In recent days, I’ve talked about the importance of server hardening and security, but there’s another aspect of the integrity of your server that must not be ignored: PHP code. If you don’t have secure PHP code, you may find yourself the victim of numerous types of attack, including SQL injection, which, as the name suggests, goes directly after your database, which in most cases is the very heart of your website or application. […]

By | July 12th, 2010|Development, PHP, PHP, PHP Articles|0 Comments

PHP, MySQL and memcached

According to memcached is a distributed object memory caching system. It can be used to set and get data by key from any application that supports sockets. As a website security consultant I advise you to ensure that your memcache server runs on only and that you secure your server. Anyone with access to the server can telnet to the server’s local interface and get/set your memcache data. I’ve used memcached for a number of PHP/MySQL projects where I want greater cache control on database queries than just relying on MySQL’s inbuilt caching abilities. Now, whilst memcached should not be used to mask bad database design and optimization, or badly written SQL queries, it can help dramatically with queries that simply take a long time and have already been optimized as far as possible. Assume that you had a simple database query wrapper: […]

By | June 24th, 2010|Development, MySQL, PHP, PHP, PHP Articles, Technology|0 Comments

Website Security Scan

Websites get hacked every day, customers’ details are taken, and it’s usually REALLY EASY to do. As a security consultant, I often get a call after a Google search turns up my details as the guy to contact when this happens. Shameless plug over; why not consider some of the things that can be done to help prevent a website breach. […]

By | January 19th, 2010|Development, Linux, MySQL, PHP, Security Consultant, Technology|1 Comment

PHP Security

As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP installation. Look into PHP’s “safe mode” feature, ESPECIALLY if you’re running a webserver that the general public can upload scripts to. Here you’ll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP’s job to restrict these types of functions; however, unless you really know what you’re doing, the list of functions restricted by safe mode is a good starting point for building secure applications. These are generally functions that allow file, directory and socket manipulation. If it’s not possible within your environment to disable them all, disable as many of these functions as possible. Although not that common, if I’m writing an application that heavily relies on functions that manipulate directories or sockets, I’ll prefer to create a C daemon or similar to handle this side of things and simply use PHP to communicate with it. […]

By | January 14th, 2010|Development, PHP, PHP, PHP Articles, Technology|0 Comments

PHP Programmer – Logical Operators

PHP allows the use of boolean operators: AND, OR, XOR and NOT. We can combine NOT with AND and OR to form the NAND and NOR operators respectively.

$a = ($b and $c); will return TRUE if both $b AND $c are TRUE, otherwise it will return FALSE. This can also be specified as $a = ($b && $c);

$a = ($b or $c); will return TRUE if $b OR $c is TRUE, otherwise it will return FALSE. This can also be specified as $a = ($b || $c);

$a = ($b xor $c); will return TRUE if $b OR $c is TRUE, but not if they are both TRUE; otherwise it will return FALSE.

$a = (! $b); will return TRUE if $b is NOT TRUE.

$a = (!($b && $c)); will form NAND (NOT + AND).

$a = (!($b || $c)); will form NOR (NOT + OR). […]

By | December 17th, 2009|Development, MySQL, PHP, PHP, PHP Articles|0 Comments

PHP Programmer – Reading from files

Here I’ll give some file reading examples. There are a few different ways to do this. I’m going to focus on plain text files only, as opposed to binary files. If you just want to read the contents of a file into a string variable, then the easiest thing to do is use $mystring = file_get_contents("/home/adam/myfile"); For more control over what you’re doing, or if you want to do anything more than read a file into a string, you’ll need to use the fopen, fread and fclose functions. To read everything in one go: […]

By | December 3rd, 2009|Development, PHP, PHP, PHP Articles|1 Comment