Introduction Does your PHP website need to accept uploads? Do you maybe let customers upload graphics, or maybe PDFs? If you do, I have good news, and bad news. First, the bad news: Accepting uploads is stunningly dangerous. There might be rogue code lurking in that JPG that could compromise your WordPress site (like CVE-2014-1905). […]
PHP
Can’t Use Whitelists for your PHP Web App? Don’t Abandon Hope!
In my last post, I refreshed your memory about how whitelists are a great way protecting very focused Java web applications like financial systems. They’re not so great if you need to allow a wide range of input types, maybe even to the point of allowing customers to enter HTML tags. So what about PHP applications? If a […]
Protecting Input: Don’t Allow SQL Injection, PHP and SQL Server Style!
My last post talked about using parameterized queries to guard against SQL Injection for a specific environment: MySQL databases within the context of a PHP application. Those applications ran under Apache, which was running under Linux. The MySQL database also ran under Linux. You probably already know that this collection of technology is named Linux Apache […]
Protecting Input: Don’t Allow SQL Injection, LAMP Style!
Introduction In my last post, I facetiously said that the problem with databases is that they do what we tell them to. Then I introduced you to SQL Injection and demonstrated how to protect yourself against it if you’re running a Java application (for example, under Apache Tomcat 8.0.39). That technique relied on JDBC and parameterized SQL […]
Protecting Input: Implementing Whitelists in PHP
Introduction In my last post, I talked about implementing whitelists in Java. We finally got to see some actual code! Not actual cannibal SHIA LABEOUF level stuff, but kinda cool nonetheless. As promised, in this post, I’ll show you how to implement the same whitelist with the same philosophical underpinnings in PHP. But first… Why do we care […]