I will happily conduct a FREE basic web security scan for any genuine organization interested in my services to point out whether or not I can find vulnerabilities in your application. Just contact me.
Need a PHP Programmer, PHP staff or project manager? Contact me now.

18 Nov 09 PHP Developer – Serialize

PHP has two very useful functions, serialize() and unserialize().

serialize() generates a string-based, storable representation of any variable type you like. Take a complex variable:
(more…)
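An added example, not code from the original post: a nested array is stored with serialize() and restored with unserialize(). The restore step passes allowed_classes => false (available since PHP 7) so that a stored string which encodes an object cannot instantiate an arbitrary class when the string came from somewhere untrusted such as a cookie. The record contents are constructed for the example.

```php
<?php
// Added example (not from the original post): round-trip a nested array
// through serialize()/unserialize().

function buildRecord(): array {
    // Constructed sample data mixing several variable types.
    return [
        'id'     => 42,
        'name'   => 'alice',
        'active' => true,
        'ratio'  => 0.75,
        'roles'  => ['admin', 'editor'],
        'meta'   => ['last_login' => null],
    ];
}

function storeRecord(array $record): string {
    // serialize() turns any PHP value into a string that can be written
    // to a file, a database column or a cache.
    return serialize($record);
}

function loadRecord(string $stored) {
    // With allowed_classes => false an embedded object becomes
    // __PHP_Incomplete_Class instead of an instance of whatever class the
    // string names, so only scalars and arrays come back out.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if ($value === false && $stored !== serialize(false)) {
        // unserialize() returns false on malformed input, but false itself
        // serializes to 'b:0;', so distinguish the two cases.
        return null;
    }
    return $value;
}

$record = buildRecord();
$stored = storeRecord($record);
echo $stored, PHP_EOL;

$restored = loadRecord($stored);
var_dump($restored === $record);

// Malformed input is reported as null rather than being silently accepted.
var_dump(loadRecord('this is not serialized data'));
?>
```

The strict comparison at the end holds because serialize() preserves key order and value types, so the restored array is identical to the original, not merely equivalent.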

15 Nov 09 PHP Developer – Loops in General

There are 3 types of loop in PHP:

while (condition)
{ code_goes_here; }

do
{ code_goes_here; }
while (condition);

for (expr1; expr2; expr3)
{ code_goes_here; }

In the 'for' loop above, expr1 is the starting expression, e.g. $i = 0; expr2 is the condition that must be satisfied to keep the loop running, e.g. $i < 100; expr3 is the expression evaluated each time the loop runs, e.g. $i++. Each loop type has its uses.
(more…)
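An added example, not code from the original post, showing each of the three loop types doing a job it suits: a for loop over an indexed array of log lines, a while loop over a queue whose length is not known in advance, and a do ... while loop for a retry that must run at least once. The log lines and the simulated connection attempt are constructed for the example.

```php
<?php
// Added example (not from the original post): the three PHP loop types
// applied to a small, constructed set of log lines.

$logLines = [
    "2009-11-15 10:00:01 login ok user=alice",
    "2009-11-15 10:00:07 login failed user=bob",
    "2009-11-15 10:00:09 login failed user=bob",
    "2009-11-15 10:00:12 login failed user=bob",
    "2009-11-15 10:01:30 login ok user=carol",
];

// for: expr1 sets $i = 0, expr2 keeps going while $i < count(...),
// expr3 steps $i after every pass.
$failures = [];
for ($i = 0; $i < count($logLines); $i++) {
    if (preg_match('/login failed user=(\w+)/', $logLines[$i], $m)) {
        $failures[$m[1]] = ($failures[$m[1]] ?? 0) + 1;
    }
}

// while: the condition is checked before each pass, which fits a queue
// drained with array_shift() until nothing is left.
$queue   = $logLines;
$okCount = 0;
while (($line = array_shift($queue)) !== null) {
    if (strpos($line, 'login ok') !== false) {
        $okCount++;
    }
}

// do ... while: the body runs before the condition is ever checked, so the
// first attempt always happens; the condition then decides about retries.
$attempt     = 0;
$maxAttempts = 3;
do {
    $attempt++;
    $connected = ($attempt === 2); // constructed: the 2nd attempt succeeds
} while (!$connected && $attempt < $maxAttempts);

print_r($failures);
echo "successful logins: $okCount", PHP_EOL;
echo "connected after $attempt attempt(s)", PHP_EOL;
?>
```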

28 Sep 09 Security Consultant – Scope of work

As a Security Consultant, I've always had a difficult time with the scope of work and just how much detail to go into during the test. What to pen test is more often than not strictly defined; how much detail to go into often is not. In some cases the time constraints dictate the detail of the penetration test itself, but often with pen testing more time is allowed than is necessary.

I have a specific example in mind, whereby I identified a possible DoS (Denial of Service) attack against a service running on a particular vendor's hardware. The attack was only vaguely theoretically possible; however, given the spare time, I did spend a number of hours writing an actual implementation of the Denial of Service attack and then demonstrating proof of its functionality. At that point, the Client changed various configuration options which prevented this DoS, whilst technically mildly limiting functionality.
(more…)

04 Sep 09 Security Consultant – PHP Developer – Exploiting Common PHP Code Flaws

There are a number of PHP errors, and in fact programming errors in general, that PHP programmers and security consultants need to be aware of. Specifically: how can a malicious user use the code to gain access above what he is supposed to have?

Cross Site Scripting (XSS), Shell Execution and SQL Injection are all issues that programmers need to be aware of. Luckily, buffer overflows in their traditional sense are not something that PHP developers need to concern themselves with.

Here, in its most basic sense, is an example of how we can read arbitrary files on the filesystem that we should not have access to.
(more…)
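An added example, not code from the original post: the file-read flaw the post refers to, shown as a vulnerable handler beside a hardened one. The documents directory, the request parameter name and the error handling are assumptions for illustration.

```php
<?php
// Added example (not from the original post): reading a file named by the
// request, first unsafely and then with the path restricted to one directory.

// Vulnerable: the request parameter is used directly as a path, so any
// file the web server process can read is reachable, not just the ones
// under /var/www/docs.
function showDocumentVulnerable(string $name): void {
    readfile('/var/www/docs/' . $name);
}

// Hardened: keep only the file name, resolve the real path and confirm it
// lies inside the intended directory before reading anything.
function showDocumentSafe(string $name): bool {
    $base = realpath('/var/www/docs'); // assumed directory
    if ($base === false) {
        return false;
    }
    // basename() discards any directory component the caller supplied.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($name);
    // realpath() returns false for a missing file and collapses any "." or
    // ".." segments and symlinks, so the prefix check below is reliable.
    $resolved = realpath($candidate);
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($resolved)) {
        return false;
    }
    readfile($resolved);
    return true;
}

$requested = $_GET['doc'] ?? ''; // assumed parameter name
if (!showDocumentSafe($requested)) {
    http_response_code(404);
    echo 'document not found';
}
?>
```

Where the set of documents is fixed, an allowlist of permitted names is simpler still and removes the filesystem checks entirely; the realpath() prefix check is the general form when the directory contents change.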

10 Aug 09 PHP Developer – PHP Sessions

Sessions are a useful web technology that is used on just about every interactive site out there, and they are an important part of all PHP development. A session is a useful method of keeping track of a user's browser throughout different page requests. The session is dealt with via a cookie sent to the user's browser with an expiry time of 0, that is to say, as soon as the browser window is closed the cookie is destroyed and the session is over.

Examples when you might use a session:

  1. A user logs in to your site, on successful login, a session is created, and the ID stored in the database along with the user’s username and password. The user does not need to pass his username and password to subsequent pages as he’s recognised by his session ID.
  2. A user is not required to log in, however as he selects options and browses through subsequent pages, we store his information entered in a session.

It is important that a PHP developer also knows what not to do with a session:

  1. Do not store sensitive information in a session. It’s just a plaintext cookie sent each time the browser requests a page from your site.
  2. Do not initialize a session on the site’s landing page unless you have good reason to. Some browsers do not accept cookies and besides, it’s not polite to trigger a cookie on the user’s machine without him performing an action that warrants it.

(more…)
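An added example, not code from the original post, putting the two points above into a login handler: the session is started only once the user has done something that warrants it (a successful login), only an identifier is stored in $_SESSION, and later pages recognise the user by session rather than by credentials. checkCredentials() and its single constructed user stand in for the site's own database lookup; the cookie settings and the /login.php redirect are assumptions.

```php
<?php
// Added example (not from the original post): session creation on login and
// a guard for subsequent pages.

function checkCredentials(string $username, string $password): ?int {
    // Constructed stand-in for a database lookup against a password hash.
    // Returns the user's id on success, null otherwise.
    $users = [
        'alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['id']
        : null;
}

function startSecureSession(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // lifetime 0 is the post's "expiry time of 0": the cookie goes when the
    // browser closes. httponly keeps page scripts from reading the cookie,
    // secure sends it over HTTPS only, samesite limits cross-site sending.
    // Array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool {
    $userId = checkCredentials($username, $password);
    if ($userId === null) {
        return false; // no session is created for a failed login
    }
    startSecureSession();
    // Fresh session ID once the user is authenticated, so an ID handed out
    // earlier (or supplied by someone else) is not the one that carries the login.
    session_regenerate_id(true);
    // Only the identifier is kept; the password never goes into the session.
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
    return true;
}

// On subsequent pages: the user is recognised by the session alone.
function requireLogin(): int {
    startSecureSession();
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php'); // assumed login page
        exit;
    }
    return (int) $_SESSION['user_id'];
}
?>
```

A landing page that never calls startSecureSession() sends no cookie at all, which is the behaviour the second "do not" above asks for.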

07 Oct 08 PHP, MySQL, Apache2 install HOWTO on Debian

Setting up a PHP/MySQL/Apache2 environment on Debian is really easy, and as a PHP/MySQL developer it's kinda important! I'll walk through a quick Debian LAMP install howto and optimization process. I've optimized it for a 1.5GB to 2GB RAM machine with reasonable load.

apt-get install apache2 php5 mysql-server-5.0 mysql-client-5.0 libapache2-mod-php5 php5-mysql php5-curl php5-cli php5-dev make gcc libc6-dev automake

mysqladmin password 'NEWPASSWORD'

Now download eaccelerator from http://eaccelerator.net
(more…)