- Above the Fold: Understanding the Principles of Successful Web Site De
- Adapting to Web Standards
- Art of Non-Conformity
- Art of Readable Code
- Art of SEO
- Back to the User
- Beginning PHP6, Apache, MySQL Web Development
- Book Notes
- Books to Read
- Bored and Brilliant
- Born For This
- Choosing A Vocation
- Complete E-Commerce Book
- Content Inc
- Core PHP Programming
- CRM Fundamentals
- CSS Text
- Dealing with Difficult People
- Defensive Design for the Web
- Deliver First Class Web sites
- Design for Hackers: Reverse-Engineering Beauty
- Designing Web Interfaces
- Designing Web sites that Work: Usability for the Web
- Designing with Progressive Enhancement
- Developing Large Web Applications
- Developing with Web Standards
- Economics of Software Quality
- Effortless commerce with php and MySQL
- Epic Content Marketing
- Extending Bootstrap
- Foundation Version Control for Web Developers
- Guerrilla Marketing for a Bulletproof Career
- HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
- Hacking Web Apps
- Happiness At Work
- Implementing Responsive Design
- Inmates Are Running the Asylum
- Instant LESS CSS Preprocessor How-to
- jQuery Pocket Reference
- Letting Go of the Words
- Lost and Found: A Painfully Honest Field Guide to the Startup World
- Making Every Meeting Matter
- Manage Your Day to Day
- Marketing to Millenials
- Mobile First
- Monster Loyalty
- More Eric Meye on CSS
- Official Ubuntu Book
- Organized Home
- Pay Me… Or Else!
- Perennial Seller
- Pet Food Nation
- PHP 5 E commerce Development
- PHP In a NutShell
- PHP Refactoring
- PHP5 and MySQL Bible
- PHP5 CMS Framework Development
- PHP5 Power Programming
- Preventing Web Attacks with Apache
- Pro PHP and jQuery
- Professional LAMP
- Purple Cow: Transform Your Business
- Responsive Web Design with HTML and CSS3
- Responsive Web Design with HTML5 and CSS3
- Rules of Thumb
- Saleable Software
- Search Engine Optimization Secrets
- Securing PHP Web Applications
- Serving Online Customers
- Simple and Usable Web, Mobile and Interaction Design
- Smart Organizing
- Smashing UX Design: Foundations for Designing Online User Experiences
- Studies in History and Philosophy of Science
- Talent is Not Enough
- The 10x Rule
- The Benefits of Working with Git In Your Software Projects
- The Clean Coder
- The Herbal Handbook for Home & Health
- The Life-changing Magic of Tidying up
- The Modern Web
- Think First
- This Is Marketing
- Traction
- Version Control with Git, 2nd Edition
- Web Analytics 2.0: The Art of Online Accountability and Science of Cus
- Web Site Usability: A Designer's Guide
- Web Word Wizardry
- Web Word Wizardy
- Website Owner’s Manual
- Whats Stopping Me
- Work for Money, Design for Love
- Your Google® Game Plan for Success: Increasing Your Web Presence with
- Checklists I Have Collected or Created
- Crafts To Do
- Database and Data Relations Checklist
- Ecommerce Website Checklist
- Learning Stuff From Blogs
- My Front End UI Checklist
- New Client Needs Analysis
- Newsletters I Read
- Puzzles
- Style Guides
- User Review Questions
- Web Designer's SEO Checklist
- Web site Review
- Website Code Checklist
- Website Final Approval Form
- Writing Content For Your Website
- Writing Styleguide
- Writing Tips
- 7 essentialls of graphic design
- Accidental Creative
- Choosing the right color for your logo
- CMS Design
- Communicating Design: Developing Web Site Documentation for Design and
- Designing for Web Performance
- Eat That Frog
- Elements of User Experience
- Flexible Web Design
- Forms that Work: Designing Web Forms for Usability
- Homepage Usability
- Responsive Web Design
- Seductive Interaction Design: Creating Playful, Fun, and Effective Use
- Strategic Web Designer
- Submit Now: Designing Persuasive Web sites
- The Zen of CSS Design
- Complete Book of Potatoes
- Creating Custom Soil Mixes for Healthy, Happy Plants
- Edible Forest Garden
- Garden Design
- Gardening Tips and Tricks
- Gardens and History
- Herbs
- Houseplants
- Light Candle Levels
- My Garden
- My Garden To Plant
- Organic Fertilizers
- Organic Gardening in Alberta
- Plant Nurseries
- Plant Suggestions
- Planting Tips and Ideas
- Root Cellaring
- Things I Planted in My Yard
- Way We Garden Now
- Weed Decoder
- 101 Organic Gardening Hacks
- 2015 Herbal Almanac
- Beautiful No-Mow Lawns
- Beginner's Guide to Heirloom Vegetables
- Best of Lois Hole
- Design in Nature
- Eradicate Invasive Plants
- Gardening Books to Read
- Gardens West
- Grow Organic
- Grow Your own Herbs
- Guerilla Gardening
- Heirloom Life Gardener
- Hellstrip Gardening
- Indoor Gardening: The Organic Way
- Landscaping with Fruits and Vegetables
- Real Gardens Grow Natives
- Seed Underground
- Small plot, high yield gardening
- Thrifty Gardening from the Ground Up
- Vegetables
- Veggie Garden Remix
- Weeds: In Defense of Nature's Most Unloved Plants
- What Grows Here
- Activities for Kids
- Animals In My Yard
- Baking & Cooking Tips
- Bertrand Russell
- Can I Get that on Sale?
- Cleaning Tips and Tricks
- Colour Palettes I Like
- Compound Time
- Cooking Tips
- Crafts
- Crafts for Kids
- Household Tips
- Inspiration
- Interesting
- Interior Design
- Keywording & Tags
- Latin Phrases
- Laundry Tips
- Learn Something New
- Links, Information, and Cool Videos - Stuff for My Kids
- Music Websites for Parents and Kids
- My Miscellany
- Organizing
- Quotes
- Reading List
- Renovations
- Silly Sites
- Things that Make Me Laugh
- Videos to Watch
- Ways to Be Nice
- YouTube Hacks
- Bug Tracking Tool
- Business Tips
- Code Packages I Like on GitHub
- Content Management systems
- Creating Emails & Email Newsletters
- Games
- I Made A Framework
- Open Source
- Patterns, Textures and other media
- PHP Coding Standards
- Programming
- Project Verbs for to do lists
- Qualities of Creative Leaders
- Scalable Vector Graphics
- SEO
- Software Design
- The Shell, Scripts and Such
- Writing Instructions
- Accessibility
- CSS Frameworks
- CSS Reading List
- CSS Sticky Footer
- Design of Sites
- htaccess files
- HTML Tips and Tricks
- Javascript (and jQuery)
- Landing Page Tips
- Making Better Websites
- More Information on CSS
- MySQL and Databases
- Navigation
- Responsive Design
- Robots.txt File
- Security and Secure Websites
- SVG Images
- Types of Content
- UI and UX and Design
- Web Design and Development
- Web Design Tools
- Web Error Codes
- Website Testing Checklist
- Writing for the Web
- Writing Ideas for your website
- Animations and Interactions
- Being a Better Designer
- Bootstrap Resources
- Color in Web Design
- Colour
- CSS Preprocessors: Sass and Less
- CSS Tips Tricks
- Customer Centered Design Myths
- Design Systems
- Designing User Interfaces
- Font & Typographical Inspiration
- Fonts, Typography, Letters & Symbols
- Icons
- Logo Designs
- Photoshop Tips and Tricks
- Sketch
- UX and UI and Design Reading List
- Web Forms
- Well Designed
Security
It’s not a guarantee of security—there will always be new vulnerabilities and new exploits—but at least you’ll know that if someone is going to hack your application, he or she is going to have to work at it.
Infrastructure Functions
As you design your application, you’ll find that there are certain functions you’re going to need more than once—database insert and retrieval, for instance. These are the things you want to write first because they are the foundation of your application. Once they’re done, you can forget about them. Here are the infrastructure functions we wrote for the guestbook application:
getDatabaseHandle(): Handles connecting to the database. Returns a database handle.
getDisplayComments($numComments): Retrieves the most recent comments from the database. Takes the optional parameter $numComments that governs how many comments to retrieve. This defaults to ten. Returns an associative array keyed on datestamp.
storeComment($comment, $image, $username): Stores comments in the database. Inserts the comment, image, and username (if available) directly in the Comments table.
User::new($username, $password, $email): Constructor for the User object. Returns a reference to the instantiated object. Does not store data in the database. Call the update() function to store user data.
User::load($username): Retrieves user data from the database and uses the constructor to instantiate a User object. Returns a reference to the instantiated object or NULL on failure.
User->update(): Inserts or updates the database with the data stored in the object. Returns a Boolean—TRUE on success, FALSE on failure.
User->isAdmin(): Returns TRUE if the user is an administrative user, FALSE otherwise.
User->makeAdmin(): Stores the value Y in the local $user->isAdmin variable. Calls User->update() to store the information in the database. Returns TRUE on success. Calls errorHandler() on failure and returns FALSE.
errorHandler($message, $user): Logs errors to the log file and to the local $user->errormsg variable (if available). Returns $message formatted for output to the browser or $user object, if available.
Login($username, $password): Authenticates the user and instantiates a User object.
Logout ($username): Invalidates the session ID associated with the username and redirects the browser to the public side of the Web site.
Choose Solid Test Data
Remember to check odd situations, boundary conditions, and other special cases.
Boundary conditions are the most extreme cases you can think of. When we test the constructor, which takes a username as data, the following may be useful boundary conditions:
- NULL data
- Length exceeding the size of the variable
- Data including ASCII control characters
- Data including special characters, such as & and *
- Data that replicates an injection attack, such as ;drop table users;
- Any other extreme data you can think of
These are tests that you expect to fail—in fact, if they don’t fail, you know that you need to go back and harden your code some more.
function authenticateUser($tainted_username, $tainted_password) {
// Set up our variables
$username = NULL;
$password = NULL;
if (validateUsernamePassword($tainted_username, $tainted_password)) {
// At this point we can safely assume that both $username and $password
// are legitimate
$username = $tainted_username;
$password = $tainted_password;
}
// The login() function will return either a user object (if the username and
// password are found in the database) or FALSE. If $username and
// $password are false at this point, they won't be found in the database, so
// login() will return FALSE.
return login($username, $password);
}
function validateUsernamePassword($tainted_username, $tainted_password) {
// Set up our variables
if (strlen($tainted_filename) > 256 || (strlen($tainted_password) > 256 &&
strlen($tainted_password) < 8)) {
//return FALSE; //Bail
}
$username = NULL; // This will hold the validated username
$password = NULL; // This will hold the validated password
// Validate username
if(preg_match("/^[A-Za-z0-9]*$/", $tainted_username)) {
$username = $tainted_username;
if(preg_match("/^[A-Za-z0-9@*#_]{8,}$/"), $tainted_password) {
$password = $tainted_password;
} else {
return FALSE; //Bail
}
} else {
return FALSE; // Bail
}
return TRUE;
}
Exploit Testing Tools
- PowerFuzzer: sourceforge.net/projects/powerfuzzer
- CAL9000: www.owasp.org/index.php/Category:OWASP_CAL9000_Project
- Acunetix Web Vulnerability Scanner: www.acunetix.com
Bibliographical Information
Securing PHP Web Applications
By: Tricia Ballad; William Ballad
Publisher: Addison-Wesley Professional
Pub. Date: December 16, 2008
Print ISBN-10: 0-321-53434-4
Print ISBN-13: 978-0-321-53434-7
These are notes I made after reading this book. See more book notes
Just to let you know, this page was last updated Monday, Dec 02 24