Interstell, Inc.

Security, Application Security, and Software Research

Category: PHP

4 Ways to Protect Your PHP Website from File Uploads

Introduction Does your PHP website need to accept uploads? Do you maybe let customers upload graphics, or maybe PDFs? If you do, I have good news, and bad news. First, the bad news: Accepting uploads is stunningly dangerous. There might be rogue code lurking in that JPG that could compromise your WordPress site (like CVE-2014-1905). There might be exploit code hiding in the PDF (like in CVE-2013-0724) you just let someone […]

Can’t Use Whitelists for your PHP Web App? Don’t Abandon Hope!

In my last post, I refreshed your memory about how whitelists are a great way of protecting very focused Java web applications like financial systems. They’re not so great if you need to allow a wide range of input types, maybe even to the point of allowing customers to enter HTML tags. So what about PHP applications? If a whitelist won’t do, you could write a module to filter all possible types of input, but you’d […]

Protecting Input: Don’t Allow SQL Injection, PHP and SQL Server Style!

My last post talked about using parameterized queries to guard against SQL Injection for a specific environment: MySQL databases within the context of a PHP application. Those applications ran under Apache, which was running under Linux. The MySQL database also ran under Linux. You probably already know that this collection of technology is named Linux Apache MySQL PHP — LAMP for short. This is a common configuration for cloud providers, and […]

Protecting Input: Don’t Allow SQL Injection, LAMP Style!

Introduction In my last post, I facetiously said that the problem with databases is that they do what we tell them to. Then I introduced you to SQL Injection and demonstrated how to protect yourself against it if you’re running a Java application (for example, under Apache Tomcat 8.0.39). That technique relied on JDBC and parameterized SQL queries, which means we rely on a mechanism between Java and the database engine itself […]

Protecting Input: Implementing Whitelists in PHP

Introduction In my last post, I talked about implementing whitelists in Java. We finally got to see some actual code! Not actual cannibal SHIA LABEOUF level stuff, but kinda cool nonetheless. As promised, in this post, I’ll show you how to implement the same whitelist with the same philosophical underpinnings in PHP. But first… Why do we care about whitelisting again? Yeah, we all know sanitizing input’s a good idea. It’s become a […]