Check Your PHP Code For Vulnerability

I’ve been meaning to review some of my older PHP code for security vulnerabilities for a while, but never really got around to it. This afternoon, I started searching for some tools I might be able to use to do that for me. I came across the Spike PHP Security Audit Tool, and was actually fairly impressed with it.

In order to run it, I believe you need to have the PHP command-line interface installed. However, as long as you’ve got that, all you need to do is upload the package and type a simple command. It will take a while, but when it’s done, the script generates a nice HTML report showing all of the vulnerabilities it detected.

FTP vs. SFTP

It’s recently come to my attention that FTP (file transfer protocol) can cause some serious security concerns when developing and maintaining a Web site. Apparently, when files are uploaded or downloaded via FTP, all ASCII files are transferred as plain text. Therefore, anyone trying to spy on you through your FTP connection can easily see the content of any files you upload (including all of the passwords, etc. that you might have embedded in your files). Apparently, even the username and password you use to log in to your FTP server are sent as plain text, making it rather easy for someone to pick those up while spying on you, as well.
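To make the difference concrete, here is an added example (not code from the original post) of the same file upload done with PHP’s built-in FTP functions and then over SFTP. The SFTP half assumes the ssh2 PECL extension is installed; the host name, user, key file paths, known host-key fingerprint and file paths are placeholders you would replace with your own values.

```php
<?php
// Added example, not from the original post: plain FTP upload beside an SFTP
// upload. Assumes the ssh2 PECL extension; all values below are placeholders.

$host   = 'sftp.example.com';         // placeholder
$user   = 'deploy';                   // placeholder
$local  = '/tmp/index.php';           // placeholder: file to upload
$remote = '/var/www/html/index.php';  // placeholder: destination path

// BEFORE: classic FTP. ftp_login() sends USER and PASS in the clear, and
// ftp_put() sends the file bytes in the clear, so anyone able to observe the
// connection can read both the credentials and the file contents.
function uploadOverFtp(string $host, string $user, string $pass, string $local, string $remote): bool
{
    $ftp = ftp_connect($host, 21, 30);
    if ($ftp === false || !@ftp_login($ftp, $user, $pass)) {
        return false;
    }
    $ok = ftp_put($ftp, $remote, $local, FTP_BINARY);
    ftp_close($ftp);
    return $ok;
}

// AFTER: SFTP over SSH. Everything after the TCP handshake is encrypted.
// The server's host-key fingerprint is pinned so an impostor is rejected
// before any authentication happens, and key-based authentication means no
// password is transmitted at all.
function uploadOverSftp(string $host, string $user, string $pubKey, string $privKey,
                        string $knownFingerprint, string $local, string $remote): bool
{
    $session = ssh2_connect($host, 22);
    if ($session === false) {
        return false;
    }
    // Compare against the fingerprint you recorded out-of-band for this host.
    $fingerprint = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals($knownFingerprint, $fingerprint)) {
        // Unknown or changed host key: possible impersonation, abort.
        return false;
    }
    if (!ssh2_auth_pubkey_file($session, $user, $pubKey, $privKey)) {
        return false;
    }
    $sftp = ssh2_sftp($session);
    // The ssh2.sftp:// stream wrapper addresses the SFTP subsystem by the
    // integer id of the resource, which is what intval() yields here.
    return copy($local, 'ssh2.sftp://' . intval($sftp) . $remote);
}

// Placeholder values for the SFTP call; fill in your own before running.
$ok = uploadOverSftp(
    $host,
    $user,
    '/home/deploy/.ssh/id_rsa.pub',   // placeholder public key
    '/home/deploy/.ssh/id_rsa',       // placeholder private key
    'PLACEHOLDER-SHA1-FINGERPRINT',   // placeholder, recorded from the real server
    $local,
    $remote
);
echo $ok ? "uploaded over SFTP\n" : "SFTP upload failed\n";
```

The fingerprint check is the part most scripts skip: without it, an encrypted channel to the wrong server is no better than plaintext. Record the fingerprint once from a trusted session (for example from the server console) and keep it with the deployment configuration.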

Avoiding SQL Injection with PHP

This is a very quick tutorial to help people avoid SQL injection with their PHP scripts. It seems all too common that people are writing PHP scripts without considering the fact that someone could easily inject some malicious SQL code that could wreak havoc on an entire Web site.

To put it very simply, for those of you who don’t know what SQL injection is: it’s basically sending SQL code through a script that causes the query to execute unintended commands. Some very good examples of SQL injection can be found in the Wikipedia article.

Here are a few very quick tips to help you avoid SQL injection. Of course, nothing is foolproof, but this should take you a long way.
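As an added illustration (not code from the original tutorial), the following script shows the vulnerable pattern beside its prepared-statement replacement. It uses an in-memory SQLite database through PDO so it runs without a database server, which assumes the pdo_sqlite extension; the users table, its one row and the two test inputs are constructed for the example.

```php
<?php
// Added example, not from the original post: string-built query beside a
// prepared statement. Assumes the pdo_sqlite extension; table contents and
// inputs are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)");
$db->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'constructed-hash')");

// VULNERABLE: the input is pasted into the SQL text, so a quote character in
// the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the query text and the value travel separately; the value is only
// ever treated as data, whatever characters it contains.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names in ORDER BY, table names) cannot be bound as
// parameters, so allow-list them instead of trying to escape them.
function orderColumn(string $requested): string
{
    $allowed = ['id', 'username'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

function listUsersSorted(PDO $db, string $requestedColumn): array
{
    $column = orderColumn($requestedColumn);
    return $db->query("SELECT id, username FROM users ORDER BY " . $column)
              ->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'alice';
$hostile = "' OR '1'='1";   // constructed test input: the classic example from the Wikipedia article

// With the hostile input, the unsafe query's WHERE clause becomes a condition
// that is true for every row, so the lookup stops being a lookup.
echo "Unsafe, normal input:  " . count(findUserUnsafe($db, $normal))  . " row(s)\n";
echo "Unsafe, hostile input: " . count(findUserUnsafe($db, $hostile)) . " row(s)\n";

// The prepared statement searches for a user literally named "' OR '1'='1",
// which does not exist.
echo "Safe, normal input:    " . count(findUserSafe($db, $normal))    . " row(s)\n";
echo "Safe, hostile input:   " . count(findUserSafe($db, $hostile))   . " row(s)\n";

// A request to sort by a column outside the allow-list falls back to id.
echo "Sorted by requested column 'password_hash': " . count(listUsersSorted($db, 'password_hash')) . " row(s)\n";
```

One caveat when you move this to MySQL: PDO’s MySQL driver emulates prepared statements client-side by default, which is still safe for bound parameters, but you can set `PDO::ATTR_EMULATE_PREPARES` to `false` to get true server-side prepares.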

Now, That’s an Annoying CAPTCHA

[Screenshot: RapidShare CAPTCHA]

I use RapidShare occasionally to share files back and forth with friends. I never felt it warranted paying for the service, since, if I really got hard up, I could always just give those friends FTP accounts on one of my servers. However, since I’ve never paid for a RapidShare subscription, I’ve always had to deal with their CAPTCHA scripts.

Over the last few months, they’ve “upgraded” their CAPTCHAs a few times. The most recent upgrade has made the CAPTCHA nigh impossible to decipher in many cases. I find myself having to try two or three times before finally getting the code right.

I’ve posted a screen shot of one of the CAPTCHAs they’re using on RapidShare so that you can see if you agree with me. The point of the CAPTCHA is this: they’ve included eight random characters in the image. Four of those characters have a picture of a cat, and the other four have a picture of something that looks a heck of a lot like that cat. You have to figure out which four have the real picture of the cat, and type those into the box.

It should be noted that the screen shot I’ve included has not been altered or resized. That is exactly what the CAPTCHA looks like on screen.

Two Good Password-Related Resources

I just wanted to make a quick post about two good resources I find myself using quite a bit. The first is an md5 encrypter. It’s a very nice, simple tool that converts any string into an md5-encrypted string.

At work, I find myself making a lot of very simple scripts that require me to set up administration areas, but don’t really warrant taking the time to set up online registration, etc. Instead, I simply use the md5 encrypter to encrypt the passwords I want to use, and then I enter those encrypted passwords directly into the database.

You can find that tool, along with quite a few others, at http://www.iwebtool.com/tools. The link directly to the md5 encryption tool is http://www.iwebtool.com/md5.

The other tool I’ve found myself using quite a bit, for basically the same reasons listed above, is a random password generator. The one I’ve been using the most is presented by PCTools.com. It offers a lot of options, and does a very nice job of generating random, secure passwords. You can find that tool at http://www.pctools.com/guides/password/.
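Since the workflow above stores md5 digests of passwords in the database, here is an added example (not from the original post) that puts that next to PHP’s own `password_hash()` and `password_verify()`. MD5 is a fast, unsalted hash rather than encryption, so two admins who pick the same password get identical digests and a cracked digest is reusable; `password_hash()` adds a random salt and a slow algorithm (bcrypt by default). The example assumes PHP 5.6 or later (for `hash_equals()`), and the password and record are constructed sample values.

```php
<?php
// Added example, not from the original post: unsalted md5 digests (what the
// post's tool produces) beside password_hash()/password_verify(), plus a
// helper that upgrades a legacy md5 record on the next successful login.
// Assumes PHP >= 5.6; sample password is constructed.

// The post's approach: md5() of the chosen password is what goes in the database.
function md5Digest(string $password): string
{
    return md5($password);
}

// Checking a stored md5 digest: hash_equals() compares in constant time so
// the response time does not reveal how many leading characters matched.
function verifyMd5(string $password, string $storedDigest): bool
{
    return hash_equals($storedDigest, md5($password));
}

// Recommended: password_hash() picks a random salt and a slow algorithm and
// encodes the algorithm, cost and salt in the returned string.
function makeHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyHash(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Migration helper: if the stored value is a bare md5 digest (32 lowercase hex
// characters), verify it the old way and, on success, replace it with a proper
// hash. Callers persist the updated $stored value back to the database.
function verifyAndUpgrade(string $password, string &$stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!verifyMd5($password, $stored)) {
            return false;
        }
        $stored = makeHash($password);
        return true;
    }
    if (!verifyHash($password, $stored)) {
        return false;
    }
    // Also re-hash when PHP's default cost or algorithm has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = makeHash($password);
    }
    return true;
}

$pw = 'correct horse battery staple';  // constructed sample password

// Same password, same md5 digest every time; password_hash() output differs
// on every call because of the random salt, yet password_verify() accepts both.
echo "md5 #1:    " . md5Digest($pw) . "\n";
echo "md5 #2:    " . md5Digest($pw) . "\n";
echo "bcrypt #1: " . makeHash($pw) . "\n";
echo "bcrypt #2: " . makeHash($pw) . "\n";

$stored = md5Digest($pw);  // constructed legacy admin record
var_dump(verifyAndUpgrade('wrong password', $stored));   // rejected, record untouched
var_dump(verifyAndUpgrade($pw, $stored));                // accepted, record upgraded
var_dump(password_get_info($stored)['algoName']);        // now reports the bcrypt algorithm
```

For the kind of small admin area described in the post, the practical change is a one-liner: generate the stored value with `password_hash()` instead of an md5 tool, and check logins with `password_verify()`.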
