Showing posts with label php5. Show all posts

Thursday, July 29, 2010

Hardening PHP: How to securely include remote code (part 2)

In the second post of the series I describe methods of checking the integrity of remote code, from checksums to a (simple) Public Key Infrastructure. To transfer the code I introduce the popular Phar archives.
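As an added example (not code from the series itself), this is the integrity check a consumer would run before including code it has fetched: a detached RSA signature verified with PHP's OpenSSL binding, and the archive included only from the local, already-verified copy. The file names (lib.phar, lib.phar.sig, publisher.pem, bootstrap.php) and the work directory are assumptions for the example.

```php
<?php
// Added example for this post; it is not code from the series itself.
// Assumptions (all hypothetical names): the publisher ships lib.phar together
// with a detached RSA signature lib.phar.sig, made once at release time with
//   openssl dgst -sha256 -sign publisher-private.pem -out lib.phar.sig lib.phar
// and the consuming application bundles the publisher's public key as
// publisher.pem. The public key is part of the application and is never
// downloaded from the same place as the code it is supposed to verify.

// Returns true only when $sigFile is a valid RSA/SHA-256 signature of the
// bytes in $codeFile under the key in $pubKeyFile. Every failure (unreadable
// file, unparsable key, OpenSSL error, bad signature) returns false.
function verify_remote_code($codeFile, $sigFile, $pubKeyFile)
{
    $code = @file_get_contents($codeFile);
    $sig  = @file_get_contents($sigFile);
    $pem  = @file_get_contents($pubKeyFile);
    if ($code === false || $sig === false || $pem === false) {
        return false;
    }
    $key = openssl_pkey_get_public($pem);
    if ($key === false) {
        return false;
    }
    // openssl_verify() returns 1 for a valid signature, 0 for an invalid one
    // and -1 on error; only an exact 1 counts as success.
    // OPENSSL_ALGO_SHA256 needs PHP >= 5.4.8; older builds only offer SHA-1.
    $ok = openssl_verify($code, $sig, $key, OPENSSL_ALGO_SHA256);
    openssl_free_key($key);
    return $ok === 1;
}

// Downloads archive and signature into a private work directory (outside the
// document root), verifies the local copies, and includes the archive's
// bootstrap only on success. The bytes that were verified are the bytes that
// get included: there is no second fetch in between.
function fetch_verify_include($codeUrl, $sigUrl, $pubKeyFile, $workDir)
{
    $codeFile = $workDir . '/lib.phar';
    $sigFile  = $workDir . '/lib.phar.sig';
    // copy() on a URL needs allow_url_fopen; allow_url_include stays off,
    // which is the point: nothing is ever included straight from a URL.
    if (!copy($codeUrl, $codeFile) || !copy($sigUrl, $sigFile)) {
        return false;
    }
    if (!verify_remote_code($codeFile, $sigFile, $pubKeyFile)) {
        unlink($codeFile);
        unlink($sigFile);
        return false;
    }
    // bootstrap.php is the assumed entry file inside the archive.
    require 'phar://' . $codeFile . '/bootstrap.php';
    return true;
}
```

A checksum published next to the code on the same server only detects corruption, not tampering: whoever can replace lib.phar can replace its hash as well, which is why the example pins a key shipped with the application instead. Phar archives also have a built-in OpenSSL signature (Phar::setSignatureAlgorithm(Phar::OPENSSL)) that PHP checks against a lib.phar.pubkey file placed beside the archive when it is opened; the detached-signature approach above does the same job while keeping the key inside the application.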

Hardening PHP: How to securely include remote code (part 1)

The first post of the series discusses various methods of including remote PHP code in your application from a security standpoint. In this post we go through the history of remote code execution vulnerabilities in PHP apps and ways to prevent them. We finish off by presenting an insecure method of including remote code and describing what the problem with that method is.

Friday, March 19, 2010

Hardening PHP: SQL injection - Complete walkthrough

Below are the slides from the presentation I recently gave on SQL injection at an OWASP Poland Chapter meeting. The materials teach how to use prepared statements, how to escape, and how to write secure stored procedures. Many PHP projects are covered: PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas and caveats are included. I discuss why escaping is usually the wrong choice, which practices to avoid or follow, and how stored procedures sometimes offer no protection at all.

I tried to make this as complete as possible, so that a PHP developer can learn how to protect his applications no matter which framework or database he uses.
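As an added example (it is not taken from the slides), the core of the prepared-statement advice in working PDO code: the injectable concatenation next to its parameterised form, plus two gotchas the slides' "caveats" category is about, namely that identifiers cannot be bound and that LIMIT must be bound as an integer. It uses an in-memory SQLite database so it runs stand-alone; the users table and its rows are constructed here.

```php
<?php
// Added example; not code from the slides. PDO over an in-memory SQLite
// database so it runs stand-alone; the table and rows below are constructed.
// Passwords are stored in clear only to keep the injection demo short; a real
// application stores a password hash.

function make_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let the database engine parse the statement and receive the values
    // separately. With emulated prepares PDO interpolates quoted values on the
    // client side, which also works but brings charset-dependent escaping
    // back in behind your back.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
    $db->exec("INSERT INTO users (name, pass) VALUES ('alice', 's3cret')");
    $db->exec("INSERT INTO users (name, pass) VALUES ('bob', 'hunter2')");
    return $db;
}

// VULNERABLE: values are concatenated into the statement text. With
// $name = "alice' --" the WHERE clause reads  name = 'alice' --' AND pass = ...
// and everything after -- is a comment, so the password check disappears and
// any password logs in as alice.
function login_unsafe(PDO $db, $name, $pass)
{
    $sql = "SELECT id FROM users WHERE name = '$name' AND pass = '$pass'";
    return $db->query($sql)->fetchColumn();
}

// SAFE: the statement text is fixed; $name and $pass travel as parameters and
// can only ever be compared as data. The same "alice' --" matches no row.
function login_safe(PDO $db, $name, $pass)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute(array(':name' => $name, ':pass' => $pass));
    return $stmt->fetchColumn();
}

// Two gotchas prepared statements alone do not cover:
//  1. Identifiers (the ORDER BY column, table names) cannot be bound, so they
//     are checked against a whitelist before being spliced into the text.
//  2. LIMIT/OFFSET must be bound as PDO::PARAM_INT; a value bound as a string
//     is sent quoted by some drivers (MySQL with emulated prepares, for one)
//     and the query is rejected.
function list_users(PDO $db, $orderBy, $limit)
{
    $allowed = array('id', 'name');
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $db->prepare("SELECT name FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', (int) $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
var_dump(login_unsafe($db, "alice' --", 'wrong'));   // injection attempt against concatenation
var_dump(login_safe($db, "alice' --", 'wrong'));     // same input against the prepared statement
var_dump(login_safe($db, 'alice', 's3cret'));        // legitimate login
print_r(list_users($db, 'name', 1));
```

Run it with php and compare the first two results: the concatenated query returns alice's id for a wrong password, the prepared one returns false. The whitelist in list_users is the part people forget; no amount of escaping makes a column name safe to splice in, because escaping functions only know about string literals.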


English version


Polish version


You can also watch the video recorded at the presentation. There are already some comments on the slides at niebezpiecznik.pl (in Polish), but of course feel free to comment here as well.

Wednesday, March 3, 2010

You're from Cracow and want to beat SQL injection?

Anyone interested in secure development probably knows what OWASP is. If not - it's a worldwide non-profit organization focused on web application security.

There is an upcoming OWASP Poland chapter meeting in Cracow, Poland next week. This time it is focused on secure PHP application development.

I will be giving a presentation there, entitled
"SQL injection: Complete walkthrough (not only) for PHP developers".

We will talk a bit about the theory and demonstrate an attack. Then I'll show how to write code immune to SQL injection in various PHP frameworks, using various databases. We'll also talk about writing secure stored procedures in Oracle, MS SQL Server and MySQL. Different gotchas, bugs and tricks will be covered, so even if you think you know the subject, it will surprise you.

The meeting is totally free and no registration is required*, so if you want to develop securely in PHP or deal with databases (who doesn't?), please bring your fellow developers and come. It's important: please come and let's beat SQL injection once and for all!

I'll share the floor with Łukasz Pilorz, who will talk about creating a secure PHP framework. Given some internal details, I can assure you there's much to expect from this talk, so don't miss it!

Date: 10.03.2010 (Wednesday), 17:00
Place: Compendium Centrum Edukacyjne, ul. Tatarska 5, Kraków, 1st floor

Update: Read the full announcement from OWASP mailing list.

* If you're planning to go, please drop a mail to Przemysław via the link above, so that the room can be prepared for the audience.

Thursday, September 17, 2009

HTTP File server released

Problem

Imagine a situation where your application has to store and retrieve files over the web (i.e. not on a local filesystem). You have many options: you may upload them to an FTP server, e-mail them, use a file hosting service like Dropbox, upload files using an HTML form, or use a WebDAV server. Finally, you may mount a remote filesystem like NFS.
All of these options are valid, but they all come with requirements that may not always be met:
  • To use FTP, you need to set up a remote FTP server, have an FTP client implemented in your language of choice, and be able to open FTP connections from the system you're using.
  • To use e-mail you need to be able to handle the POP3 and SMTP protocols and have a mail server set up.
  • WebDAV, although convenient, is hard to set up in the first place. The protocol itself takes some time to implement.
  • Using any other web service like Dropbox requires you to have a client for their service, and you need to accept their licence restrictions.
  • HTML form: an excellent choice. If you're doing the uploads manually, you can write a simple script in minutes, but what if you want to upload files automatically (e.g. from a batch script)? You need to make an HTTP request with the form and the file encoded within it, deal with MIME types, encode the file contents, etc. Not really fast to implement.
  • Mounting a remote filesystem is usually not possible on a shared Linux server, and not always on a Windows server either.

Solution

HTTP File server to the rescue. This small little fellow, written in PHP 5, is a simple REST-oriented file server with minimal requirements:
  • PHP 5 (5.2 I suppose)
  • web server (Apache will do)
  • writable directory (this is where your files will be stored)
That is for the server part. For the client part you only need to be able to make HTTP GET and HTTP POST requests, so you're fine with just wget in a batch script (or a .NET application, or Ruby, PHP, Java; pretty much anything nowadays can make HTTP requests).

Example

Example usage:
# store file on server - use HTTP POST
wget --post-file=file_to_send.txt http://server/index.php/path/to/store/file.txt -O -

# retrieve file - use HTTP GET
wget http://server/index.php/path/to/store/file.txt
That's pretty much it. The server is so simple that it doesn't (yet?) even offer the ability to list directory contents. All it does is store files and retrieve them.
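As an added example, and not the HTTPFileServer code itself, here is the one check a server with this URL layout must get right: mapping the path after index.php onto a file under the storage directory without letting "..", absolute paths, NUL bytes or planted symlinks escape it. STORAGE_DIR is a hypothetical location, and the request handling around the check is a sketch of the store/retrieve behaviour described above.

```php
<?php
// Added example, not the HTTPFileServer code. The request path comes from
// PATH_INFO (http://server/index.php/path/to/store/file.txt, as in the wget
// examples). STORAGE_DIR is hypothetical; it must be writable by the web
// server and OUTSIDE the document root, so an uploaded evil.php can never be
// executed by the same web server that stores it.

define('STORAGE_DIR', '/var/lib/httpfs');

// Returns the absolute target path for $requestPath, or false when the request
// is malformed or would land outside STORAGE_DIR.
function resolve_storage_path($requestPath)
{
    $root = realpath(STORAGE_DIR);
    // PHP's filesystem functions stop at a NUL byte, so refuse it outright.
    if ($root === false || strpos($requestPath, "\0") !== false) {
        return false;
    }
    // Normalise segment by segment so ".", ".." and empty segments never reach
    // the filesystem at all; ".." is refused rather than resolved.
    $parts = array();
    foreach (explode('/', str_replace('\\', '/', $requestPath)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            return false;
        }
        $parts[] = $seg;
    }
    if (count($parts) === 0) {
        return false;
    }
    $path = $root . '/' . implode('/', $parts);
    // Second line of defence: the nearest existing ancestor of the target must
    // still lie under $root after symlink resolution.
    $existing = dirname($path);
    while (realpath($existing) === false && $existing !== $root) {
        $existing = dirname($existing);
    }
    $resolved = realpath($existing);
    if ($resolved === false || ($resolved !== $root && strpos($resolved, $root . '/') !== 0)) {
        return false;
    }
    return $path;
}

// Store on POST, retrieve on GET; returns the HTTP status it sent.
function handle_request($method, $pathInfo)
{
    $file = resolve_storage_path($pathInfo);
    if ($file === false) {
        header('HTTP/1.1 400 Bad Request');
        return 400;
    }
    if ($method === 'POST') {
        $dir = dirname($file);
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            header('HTTP/1.1 500 Internal Server Error');
            return 500;
        }
        // Write the raw body (php://input, which wget --post-file sends as-is)
        // to a temporary file in the same directory and rename it into place,
        // so a concurrent GET never sees a half-written file.
        $tmp = tempnam($dir, 'upload');
        if ($tmp === false
            || file_put_contents($tmp, fopen('php://input', 'rb')) === false
            || !rename($tmp, $file)) {
            header('HTTP/1.1 500 Internal Server Error');
            return 500;
        }
        header('HTTP/1.1 201 Created');
        return 201;
    }
    if ($method === 'GET') {
        if (!is_file($file)) {
            header('HTTP/1.1 404 Not Found');
            return 404;
        }
        // Serve as an opaque download with sniffing disabled, so a stored HTML
        // file is not rendered in the file server's origin.
        header('Content-Type: application/octet-stream');
        header('X-Content-Type-Options: nosniff');
        header('Content-Length: ' . filesize($file));
        readfile($file);
        return 200;
    }
    header('HTTP/1.1 405 Method Not Allowed');
    return 405;
}

if (PHP_SAPI !== 'cli') {
    handle_request($_SERVER['REQUEST_METHOD'], isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '');
}
```

Two caveats a practitioner would add before exposing this: the post above mentions no authentication, so in this form anyone who can reach the URL can write into the store (put it behind HTTP authentication or a network restriction), and the upload size is bounded by the web server's and PHP's request limits (post_max_size), which is worth setting deliberately rather than inheriting.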

Download

Download HTTPFileServer and take a look for yourself. Your comments are welcome. The project is BSD licensed.