Security Tip: Use a Database Abstraction Layer to help prevent SQL Injection
by weierophinney |
2 comments | Tuesday, April 10, 2007
SQL injections are a common vulnerability in web-based applications that use databases. As an example of a potential SQL injection, consider a login form asking only for a username, where the backend has code reading:
    mysql_query('SELECT * FROM user WHERE username = "' . $_GET['username'] . '"');

A malicious user could attempt to enter the value "; DELETE FROM user WHERE 1 (a closing double quote followed by a second statement), which would have the effect of removing all users in the table. (Granted, this won't happen with PHP's mysql extension, as it will not execute multiple queries by default; this is just an illustration.)
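The spliced-in query above beside the same lookup done through a database layer that binds parameters, as an added example that is not code from the original post. It uses PDO with an in-memory SQLite database so it runs offline, and standard single-quoted SQL strings rather than the double quotes of the mysql snippet; the `user` table, its rows and the payload are constructed for illustration.

```php
<?php
// Added example (not from the original post): string-spliced SQL versus a
// bound parameter through PDO. The database, table and rows below are
// constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO user (username) VALUES ('alice'), ('bob')");

// Vulnerable: the raw input becomes part of the SQL text, so quote characters
// in the input change the structure of the statement.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT * FROM user WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time and the input travels as a
// bound value, so it can only ever be compared against the username column.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT * FROM user WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload: closes the string literal and appends an always-true
// condition, turning the WHERE clause into  username = '' OR '1'='1'.
$payload = "' OR '1'='1";

printf("vulnerable query returned %d row(s)\n", count(findUserVulnerable($db, $payload)));
printf("prepared query returned %d row(s)\n", count(findUserSafe($db, $payload)));
```

Run it with `php` from the command line: the spliced query returns every user in the table, while the prepared statement returns nothing because no row has the payload as its literal username. With a MySQL connection rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding happens on the server instead of by client-side escaping.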
PHP Security Tip #21
by Cal Evans (editor) |
0 comments | Monday, April 2, 2007
Today’s PHP security tip is short, sweet and easily actionable. It fits in well with the theme of the last one, to stay vigilant. Here’s another resource for you to consider.
PHP Security Tip #20
by Cal Evans (editor) |
0 comments | Friday, March 30, 2007
To paraphrase an American patriot, "The price of security is eternal vigilance." You have to keep watch over your system, but you also have to keep learning.
PHP Security Tip #19
by Cal Evans (editor) |
6 comments | Thursday, March 29, 2007
Sometimes, the best application security you can install is simply disconnecting the network cable from your server.
PHP Security Tip #18
by kevinkorb |
3 comments | Wednesday, March 28, 2007
When you allow users to upload files, your system may be at risk. Handle file upload scripts with care. Without proper security precautions, you can leave a gaping hole in your system.
PHP Security Tip #17
by Cal Evans (editor) |
0 comments | Tuesday, March 27, 2007
Application security should not be a "when all else fails" situation. It's not something you can "put in later". As we've mentioned before, there is no single silver bullet to solve your application security issues. Security is something that should be rolling around in the back of your head in the design phase, the coding phase, the testing phase, even after you've rolled your code into production.
PHP Security Tip #16
by sascha_leib |
1 comment | Monday, March 26, 2007
This idea was originally posted as a comment to a previous PHP Security Tip. I believe that this is an important issue, and worth being a tip itself.
PHP Security Tip #15
by Cal Evans (editor) |
5 comments | Friday, March 23, 2007
As developers, most of us are very messy. I've worked on countless projects and at each either run across or left a trail of diagnostic files lying around.
PHP Security Tip #14
by Cal Evans (editor) |
2 comments | Wednesday, March 21, 2007
Almost any application running PHP on the back end uses web technologies for its front end. Many developers who think hard about PHP security don't spend a thought on front-end security for their application. Here's a tip to think long and hard about when building your HTML and JavaScript.
PHP Security Tip #13
by Cal Evans (editor) |
4 comments | Tuesday, March 20, 2007
Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That’s where selecting the right tool comes into play.
