My Blog
contains PHP, Web and business/entrepreneurial related content. Please join in the conversation!
Category Archives: security
Why IP Authorization No Longer Works on Web Apps
The last time someone brought up authorizing certain actions by IP address – or I should say, limiting the number of actions that can happen from one IP address – I brushed it off without a second thought. It didn’t occur …
Easiest Form Token class to prevent CSRF
So, if you’re not familiar with CSRF, check out this blog post about AJAX Security. Some of the steps talking about Cross Site Request Forgeries will help you understand the problem. I’ve been using a very simple system with my …
Easy MCrypt encryption class
For whatever reason, I can never remember the exact coding of MCrypt. And maybe that is a good thing – so I stop doing so much code duplication and start using a class I wrote. For this reason, I’ll save …
Restrict your .git directory on live site
Do you use Git to manage your repository? If so, do you use it to check out code onto the server as well? If you do, you really should restrict access to your .git directory if it’s in your public …
Scanning for Unfiltered Content Automatically with PHP
A friend of mine posed a question: Do you know of any good PHP based vulnerability scanners? I told him I did not (add any in the comments, if you know!) – but it wouldn’t be that hard to …
Another example of CSRF – in CSS
Just saw this really cool example get submitted on one of my websites testing for CSRF: #logo{background:url(deletepost.process.php?id=12345&userID=12345);} Just another great example of why you should 1) not use GET for irreversible changes 2) filter filter filter! (I …
My Progression through Forgot Passwords
I thought I’d take some time to look at the 3 main ways that I’ve handled forgotten passwords on my websites, why I did them that way, and if there was anything wrong. Disclaimer: there is a lot of bad …
Disable md5 now – or you will die
I remember a while ago hearing about a few theoretical collisions of the md5 algorithm, but I thought nothing of them. Now, as more information emerges, Microsoft is issuing advisories, and people are proving more and more collisions with example …
Password Complexity Class
After many times of coding relatively the same thing, it becomes prudent to have a standard library for certain sets of processes. Of course – that is why there are things like frameworks! At any rate, one of the biggest …
How custom passphrases/pictures still don't protect against phishing
As you probably remember, I have lots of interest in phishing techniques (I talked about one here, and preventing them here). I’ve noticed a new trend: a dual stage login form with a custom picture or passphrase. Users are to …
