My Blog
contains PHP, Web and business/entrepreneurial related content. Please join in the conversation!
Category Archives: security
Keep your Admin Interface CSS Separate
There are a number of performance arguments about combining assets to reduce HTTP requests and speed up your site. I agree! However, I do have to say that there is such a thing as overkill – to the detriment of …
Filtering and Validating Discussion
I came up with a great topic to write this blog entry about: filters and validators. Then, I got to thinking – maybe I can get more feedback from other programmers I know. I decided to send a note out …
Why IP Authorization No Longer Works on Web Apps
The last time someone brought up authorizing certain actions by IP address – or, I should say, limiting the number of actions that can happen from one IP address – I brushed it off without a second thought. It didn’t occur …
Easiest Form Token class to prevent CSRF
So, if you’re not familiar with CSRF, check out this blog post about AJAX Security. Some of the steps talking about Cross Site Request Forgeries will help you understand the problem. I’ve been using a very simple system with my …
Easy MCrypt encryption class
For whatever reason, I can never remember the exact coding of MCrypt. And maybe that is a good thing – so I stop doing so much code duplication and start using a class I wrote. For this reason, I’ll save …
Restrict your .git directory on live site
Do you use Git to manage your repository? If so, do you use it to check out code onto the server as well? If you do, you really should restrict access to your .git directory if it’s in your public …
Scanning for Unfiltered Content Automatically with PHP
A friend of mine posed a question: Do you know of any good PHP based vulnerability scanners? I told him I did not (add any in the comments, if you know!) – but it wouldn’t be that hard to …
Another example of CSRF – in CSS
Just saw this really cool example get submitted on one of my websites testing for CSRF: #logo{background:url(deletepost.process.php?id=12345&userID=12345); Just another great example of why you should 1) not use GET for irreversible changes 2) filter filter filter! (I …
My Progression through Forgot Passwords
I thought I’d take some time to look at the 3 main ways that I’ve handled forgotten passwords on my websites, why I did them that way, and if there was anything wrong. Disclaimer: there is a lot of bad …
Disable md5 now – or you will die
I remember a while ago hearing about a few theoretical collisions of the md5 algorithm, but I thought nothing of them. Now, as more information emerges, Microsoft is issuing advisories, and people are proving more and more collisions with example …
