Basic PHP Security Checklist

Due to the relative simplicity of PHP, more and more young webmasters are getting their hooks into scripting. This can be a good thing — it increases the range of functionality and fun that we can add to our websites without the need to learn how to code ourselves — the problem is, a lot…


Beginner’s Guide to PHP – Part One

First things first, we might as well get out of the way what PHP is not: PHP is not a replacement for HTML. PHP is not a synonym for MySQL. Although they work well together, they’re not the same thing. PHP is not all about layout-based includes. PHP is not magically going to make your website…


People Annoy Me

It amazes me how frickin’ stupid some people are. You’ve been “hacked” before because of someone else’s lack of interest in updating their own script. You get your website back online and you’re at a forum and people are discussing how insecure another script is right in front of your eyes. Do you: a) continue…


Unsafe PHP Scripts and the Safe Equivalents

I haven’t had time of late to do a detailed analysis of scripts that I’ve found to be unsafe for whatever reason, so I’m going to do a quick flick through of my list with basic reasons why. I’ll also try and provide links to “safe” alternatives where possible. Skip links: Simpbook, XueBook, PHPFanBase, Enthusiast3,…


Surpass Hosting Users Beware

As most of you are aware, some issues were found with some of the CodeGrrl scripts late last year and an announcement was made with the necessary fixes. Unfortunately, despite these fixes being easily and freely available, people still ignored the risks (despite hundreds being exploited) or, even worse, deleted the protection.php file (which had…


Faqtastic: Insecure and Error-Prone

I recently took a look at faqtastic, by Cine of INEXISTENT scripts, to try and figure out why a friend was repeatedly being hacked. Much to my disappointment I found several holes in the script, most commonly caused by a lack of validation. It’s also jam-packed with errors (only noticeable when error_reporting() is whacked up…

Safe Dynamic Includes

I was directed to pootato.org’s Dynamic Inclusion tutorial yesterday by somebody who has been using it, and as a result has been “hacked” — index page defaced as well as a fake banking website/etc put on her web space. This girl could potentially land in serious trouble, depending on how forgiving her hosts are, because…

Spotting Insecure Scripts

With the current surge in “hackings” (or rather: script kiddies exploiting known holes to deface websites that don’t support their view on the war) I’ve been going through a lot of scripts to find common and easy-to-fix vulnerabilities. With my fingers crossed, and perhaps a naive hope that people don’t release scripts with…

PHP Security Article

I’ve released part one of what I hope will be a series of PHP security articles — a PHP Script Checklist for those developing or looking to develop their own scripts. If you have any thoughts on PHP security problems that you’d like to be covered in part 2, or you’re an ‘expert’ and want…

Why Subdomain Hosting Is Bad

As I’m browsing around various personal websites and forums I see people offering up space on their domains for those who can’t/won’t buy ‘proper’ hosting for one reason or another, and every time I see these offers I cringe. I cringe at the naivety of these trusting website owners, and at the lack of published…