I really haven’t had much time to work on the WACT PHP Application Security wiki page. Here is a roundup of some of the PHP security articles that I have collected since the page went up.
The Google Hackers Guide (PDF) has a nice summary of the search features of google. It also has a information on how hackers might use these features to find vulnerabilities on your site.
I’ve always been a bit uncomfortable with putting “Powered By” links on pages. That said, there is one at the bottom of this page. If a security problem is discovered in Wordpress, google will happily provide a list of vulnerable sites. If I were a comment spammer, I know the phrase “Powered by Wordpress” would be my friend.
Slashdot had a link to Hardened PHP, a version php built with some extra security checks and logging. Slashdot also had a PHP Security Article a few weeks ago. I wasn’t impressed by the site they were linking to, but some of the comments aren’t bad. Here is another short PHP Security article.
The summary:
If it comes in, check it.
If it goes out, escape it.
A usability note:
Double buffer your input so that your security filters don’t change the user’s input on validation round trips and make sure that special characters like <> ” ‘ still work in places where they make sense. (Unlike sourceforge which cannot correctly display < or > in bug reports or feature requests.)
Feed
Subscribe to this blog…