Almost the end of another year, and to celebrate another year for Cribz Network the website and blog have been updated.
Hopefully you guys & gals like the look of the new site and blog.
To follow up on my previous post about user input in PHP, I'm now going to discuss one of the biggest issues in PHP: SQL Injection vulnerabilities.
SQL Injection is when an end user can run arbitrary SQL commands, and even shell commands, against your application. There are various ways to mitigate this issue; the best solution is to use PDO to interact with the database, using parameterised SQL queries.
Here is an example of some SQL Injection vulnerable code:
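The post's own example does not appear in this excerpt. As an added illustration that is not the author's code, here is the same lookup written both ways: with the input concatenated into the query text, and with a PDO prepared statement. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, rows and inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. An in-memory SQLite database
// through PDO lets the two styles be compared without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
// Constructed sample rows.
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// VULNERABLE: the user-supplied value is spliced into the SQL text, so quote
// characters in the value change the meaning of the statement itself.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed when the statement is prepared; the value is sent
// separately as a bound parameter and is only ever compared as data.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary username, and a value containing quote
// characters of the kind that turns up in a login or search field.
$inputs = ['alice', "' OR '1'='1"];

foreach ($inputs as $input) {
    $unsafe = findUserUnsafe($db, $input);
    $safe   = findUserSafe($db, $input);
    printf("input %-16s unsafe=%d row(s)  safe=%d row(s)\n",
        json_encode($input), count($unsafe), count($safe));
}
// With the quoted input, the unsafe version's WHERE clause has become
//   username = '' OR '1'='1'
// which holds for every row, so the whole table comes back. The prepared
// version looks for a user literally named ' OR '1'='1 and finds nothing.
```

The point to take from the comparison is that escaping the value is not what makes the second version safe; the query text and the data travel through separate channels, so there is nothing for a quote character to break out of.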
This is the first of a series of posts about writing PHP in a safe and secure manner. To start things off I will be talking about the proper handling of user input and how to safely sanitise it.
First things first and most importantly USER INPUT IS NOT TO BE TRUSTED.
User input can come in different forms: data entered into a form, HTTP requests (GET, POST, PUT, DELETE) and cookie information. To get started, here is an example of an insecure way of handling user input.
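The post's example is not in this excerpt. As an added example (not the author's code), the block below contrasts echoing request data straight into a page with validating it on the way in and escaping it on the way out. The `$…Request` arrays stand in for `$_GET`/`$_POST` and are constructed; `greetUnsafe` and `greetSafe` are hypothetical names.

```php
<?php
// Added example, not from the original post. The arrays below stand in for
// $_GET or $_POST; their values are constructed to show data a client could send.
$hostileRequest = [
    'id'    => '42abc',                          // not a clean integer
    'email' => 'not-an-email',
    'name'  => '<script>alert(1)</script>Bob',   // markup inside a "name"
];
$mixedRequest = ['id' => '7',  'email' => 'eve@example.com', 'name' => '<b>Eve</b>'];
$goodRequest  = ['id' => '42', 'email' => 'bob@example.com', 'name' => 'Bob'];

// INSECURE: trusts whatever arrived and drops it straight into HTML.
function greetUnsafe(array $request): string
{
    return '<p>Hello ' . $request['name'] . ' (user #' . $request['id']
         . ', ' . $request['email'] . ')</p>';
}

// SAFER: validate on the way in (reject what does not fit the expected shape),
// escape on the way out, for the context the value is going into (here HTML).
function greetSafe(array $request): string
{
    // filter_var returns false unless the whole string is an integer in range.
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $email = filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('email is not well formed');
    }

    $name = trim($request['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 50) {
        throw new InvalidArgumentException('name is required and must be at most 50 characters');
    }

    // Escape for the HTML context. ENT_QUOTES encodes both quote styles, so
    // the result is also safe inside a quoted attribute.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello ' . $h($name) . ' (user #' . $id . ', ' . $h($email) . ')</p>';
}

foreach (['hostile' => $hostileRequest, 'mixed' => $mixedRequest, 'good' => $goodRequest] as $label => $request) {
    echo "[$label] unsafe: " . greetUnsafe($request) . "\n";
    try {
        echo "[$label] safe:   " . greetSafe($request) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "[$label] safe:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Validation and escaping do different jobs: validation rejects input that does not have the shape you expect (the hostile request never reaches the output stage), while escaping makes whatever does pass harmless in the specific place it is written (the markup in the mixed request is rendered as text, not as HTML).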
It's 2014 which can only mean one thing... More code, opensource projects and general awesomeness.
I'm starting this year off by building a node.js CMS, Sonic CMS, and Organisation Dashboard, a PHP 5.4+ system to help organisations manage their Facebook and Twitter accounts and check analytics for their sites in one place.
Happy Coding and a late Happy New Year.
I have written a lot of PHP over the past 6 years, and time and time again I see the same common mistakes, little and big.
1) Not sanitising user input before displaying it, executing it or putting it in the database.
2) Not using consistent naming conventions. (We have all done this before.)
3) Not breaking big functions into smaller functions when possible. (Breaking up a big function helps with debugging and maintainability.)
4) Not using classes and OOP.
5) Not using a database abstraction layer such as ADOdb or, better yet, PDO.
Not so much PHP-related things:
6) The belief that anyone can write a secure site in PHP with little or no experience. (This is an outright lie and is the same in any programming language.)
7) "If I learn a PHP framework I have learned PHP." (You have learned how to use a tool, a framework in this case, but you have not learnt all of what PHP has to offer. The same goes for Ruby if you're doing Rails.)
This one is more of a misconception about PHP:
8) PHP is insecure. (This can be said of any programming language, damn Java. It's not the language that's insecure but the way you use the language and the code you write.)
That rant is done. Hopefully there is something useful in there for you guys and gals.
To follow up on my last blog post about a DoS vulnerability in Silverstripe, I thought I might talk about the importance of testing and show you a few handy tools that make it easy to test your applications.
So why is testing important? Testing ensures that your application or code is running as you expect. Application code that is regularly tested gives your users or customers some confidence that if something does show up you will know about it and fix it. With that being said, you can't test for every use case, and this is where unit tests come in.
Unit tests test the application/code in small parts, breaking it down into functionality-based tests. For example, you could have a group of tests that check whether you can create, edit, delete, publish and un-publish a page: one test for create, one for edit, one for delete, one for publish and one for un-publish. You can also set up the tests to depend on each other, so if the create test fails the whole page test group fails. Having this single point of failure in tests can be handy.
Security testing is a whole different thing in itself. You can check for things like SQL injection and basic privilege escalation, but you can't always find the less obvious security flaws. One solution, if you can afford it, is to hire an IT security company to pentest your application/code, but this can be expensive. You could ask some friends to try and hack your application or just to have a look at the code; sometimes a second set of eyes is very helpful.
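The dependent test group described above, as an added example that is not from the original post: a minimal in-memory `Page` class (hypothetical, constructed for the demonstration) and a PHPUnit test case in which each test receives the object returned by the test it depends on. PHPUnit is assumed to be installed; its `@depends` annotation is what skips the later tests when `testCreate` fails.

```php
<?php
// Added example, not from the original post. Page is a constructed stand-in for
// a real content object; PageTest chains its tests with @depends so that the
// create test is the single point of failure for the whole group.
use PHPUnit\Framework\TestCase;

final class Page
{
    private string $title;
    private bool $published = false;
    private bool $deleted = false;

    public function __construct(string $title) { $this->title = $title; }
    public function title(): string { return $this->title; }
    public function rename(string $title): void { $this->title = $title; }
    public function publish(): void { $this->published = true; }
    public function unpublish(): void { $this->published = false; }
    public function isPublished(): bool { return $this->published; }
    public function isDeleted(): bool { return $this->deleted; }

    public function delete(): void
    {
        // A published page must be taken down first; deleting it directly is a bug.
        if ($this->published) {
            throw new LogicException('unpublish before deleting');
        }
        $this->deleted = true;
    }
}

final class PageTest extends TestCase
{
    public function testCreate(): Page
    {
        $page = new Page('Home');
        $this->assertSame('Home', $page->title());
        $this->assertFalse($page->isPublished());
        return $page;              // handed to every test that @depends on this one
    }

    /** @depends testCreate */
    public function testEdit(Page $page): Page
    {
        $page->rename('Welcome');
        $this->assertSame('Welcome', $page->title());
        return $page;
    }

    /** @depends testEdit */
    public function testPublish(Page $page): Page
    {
        $page->publish();
        $this->assertTrue($page->isPublished());
        return $page;
    }

    /** @depends testPublish */
    public function testUnpublish(Page $page): Page
    {
        $page->unpublish();
        $this->assertFalse($page->isPublished());
        return $page;
    }

    /** @depends testUnpublish */
    public function testDelete(Page $page): void
    {
        $page->delete();
        $this->assertTrue($page->isDeleted());
    }
}
```

Run it with `phpunit PageTest.php`. If `testCreate` fails, PHPUnit reports the four dependent tests as skipped rather than as four further failures, which is exactly the single point of failure the post describes.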
Here are a couple of cool free tools that can help you test your applications/code:
Before I start I have a disclaimer: DISCLAIMER: "PLEASE NOTE I TAKE NO RESPONSIBILITY FOR OTHERS ACTIONS AND USE OF THE INFORMATION FOUND IN THIS BLOG POST, THIS VULNERABILITY IS ALREADY PUBLIC KNOWLEDGE !!!!!!!"
I have been doing some work recently with Silverstripe. Whilst doing some dev work I needed to flush the site's cache, which is as easy as appending ?flush=1 to the end of any URL on the site. This got me thinking: what would happen if someone sent a bunch of requests to different pages on the site with ?flush=1 appended to the URL?
So the next thing I did was set up a production-ready web server VM on my PC and install a traditional LAMP stack: Linux (Ubuntu 12.04), Apache, MySQL and PHP 5.4 (I would also have tested this using Nginx & PHP-FPM, but the rewrite rules for Nginx didn't work and I couldn't be bothered stuffing around). Then I downloaded and installed Silverstripe 3.0.5 on the server and got it up and running; I didn't bother to add any extra content beyond the default content of a basic install.
So I did a basic test, which was to find out how long a page takes to load when cached and when you flush the cache.
This method of hooking events can be useful in PHP. For example, say you have a function that opens a connection to a database. By using callback functions you can allow callers to handle errors, or to modify the database object on success.
Here is an example of what I mean:
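The post's own example is not in this excerpt. As an added example (not the author's code), `connectDb` below is a hypothetical connection function that takes two optional callbacks: one invoked with the exception when the connection fails, one invoked with the PDO object on success and allowed to return a replacement for it. The DSNs are constructed; the happy path uses an in-memory SQLite database so it runs without a server.

```php
<?php
// Added example, not the author's own code. connectDb() opens a PDO connection
// and lets callers hook the outcome: $onError receives the exception, and
// $onSuccess receives the PDO object and may return a replacement for it.
function connectDb(string $dsn, ?callable $onSuccess = null, ?callable $onError = null): ?PDO
{
    try {
        $db = new PDO($dsn);
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        if ($onError === null) {
            throw $e;                 // nobody hooked the failure: let it propagate
        }
        $onError($e);
        return null;
    }

    if ($onSuccess !== null) {
        $result = $onSuccess($db);
        if ($result instanceof PDO) {
            $db = $result;            // the hook chose to swap in a different object
        }
    }
    return $db;
}

// Error hook: log the real reason server-side and show the user a generic
// message. Driver error text often includes host names or credentials, so it
// should not be echoed to the browser.
$logError = function (PDOException $e): void {
    error_log('DB connection failed: ' . $e->getMessage());
    echo "Service temporarily unavailable\n";
};

// Success hook: apply house settings to every connection in one place.
$configure = function (PDO $db): PDO {
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $db;
};

// Happy path: constructed in-memory SQLite DSN, no server needed.
$db = connectDb('sqlite::memory:', $configure, $logError);
if ($db !== null) {
    $row = $db->query('SELECT 1 AS ok')->fetch();   // assoc row thanks to the hook
    echo 'connected: ' . json_encode($row) . "\n";
}

// Failure path: constructed DSN naming a driver that is not installed, so the
// constructor throws and the error hook runs instead of the exception escaping.
$missing = connectDb('nosuchdriver:dbname=example', $configure, $logError);
var_dump($missing === null);
```

Keeping the error hook separate from the connection logic means the decision about what the end user sees lives in one place, while the success hook is where connection-wide settings (fetch mode, and on MySQL things like disabling emulated prepares) are applied consistently.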
As of PHP 5.4 you will get an error message for using a variable as an array or object without first declaring it as an array or object.
For example, PHP 5.3
Another day at Kiwi Pycon. Not as funny as the day before but sweet as.
Today's talks started with a talk about when to use relational databases vs. non-relational databases. Basically, what Mark Ramm was saying is that you should find the best solution for your application's needs. He also talked about the importance of knowing the tools and libraries that you are using.
I'm not a big Python programmer myself, so I went to the Django for noobs talk by Jen Zajac from Catalyst IT. She explained the basic principles and design aspects of Django, which made me think I have to write a web app in Python and see how it goes.
Grant Paton-Simpson gave a really interesting talk about open-source business models. He made a good point that having a popular application is not necessarily going to make big money.
This talk was the best one of the day because it had a robot. Jeremy Stott talked about a Python implementation for microcontrollers called Pymite. Rather than just writing C code, you embed the native C code in the Python docstrings. Check it out on Google Code: http://code.google.com/p/python-on-a-chip/.
Aurynn Shaw's talk about async and event-based programming in Python using Twisted left my brain twisted and confused. The power you can get from async programming is huge and it allows for so much scalability in your apps, but the code was just wwwoooooooo hardcore. So if you're reading this and you work with Twisted, you are crazy and a legend for putting up with it.
Dave Kujawski from Weta talked about how they use Python as the "glue" that holds their big and complex systems together.
And yet another talk from Mark Ramm, but this time it was about how Python took over SourceForge. Now, I have a couple of old dead projects on SourceForge and I did not know that it was a Python application until today.
One thing I have learnt this weekend is that Python is even more awesome than I thought before. And one more thing: never, and I mean never, mention PHP at a Python conference. Not a good idea, as some people found out.
A big thanks to the New Zealand Python User Group for putting on such a good conference.
Happy Coding Laters
P.S. Write some Python it will do you a world of good.
Today was the first day of Kiwi Pycon 2011.
This morning's keynote from Jeff Rush on meta-programming in Python was intense but very good. The concept of meta-programming is interesting: you can change what a function does without modifying the function or even the file the function is in. Instead, by using a metaclass, you can change the output of the function or the whole function itself.
Here is a link with some more info: http://nz.pycon.org/2011/aug/18/magic-metaprogramming/
The talk from Malcolm Tredinnick about behaviour driven development was interesting because it wasn't so much about developing applications as about testing and the different types of testing, such as unit tests.
There was also a talk from Olly Betts, who discussed how they use SWIG to create wrappers for Python, Perl etc. that are used as bindings to native C apps.
They also had Lightning Talks, where you get up on stage and have 5 minutes for a talk. One of the guys, Christopher I think it was, did a talk with some slides about Python Job Security. You really had to have been there, but it was funny as hell. Basically it covered all the things you need to do to keep your job, and it all centred around writing code that only you can understand. One of the recommended things you can do is come up with a naming convention only you can understand, and use meta-programming to redirect calls to the standard Python library to your own custom functions. Hopefully someone filmed it, and if so I will find it and post the link.
Overall it was a good day.
Happy Coding Laters