The Right Tool for the Job

November 4th, 2009 No comments

“I need to nail this board down. Got a hammer?” asked Jim, the lowly construction worker.

John, the foreman replied, “We have a pneumatic nail driver we’ve been using. You’ll have to wait for that one.”

“But it’s just for a temporary brace while I put this wall up,” said Jim.

“We only do nailing with a pneumatic nail driver on this project.”

“It’s in too tight of a space to even fit the nailer with this wall here. I can just reach a hammer in and nail it down,” said Jim.

John said definitively “No, we have to use the pneumatic nail driver. Everyone knows that hammers aren’t as good. You’ll need to cut a hole in that wall so it will fit in there.”

Any seasoned developer or any CS graduate can give you a laundry list of best practices for developing software. Things like “Don’t use globals,” “Have explicit garbage collection instead of depending on built-in cleanup,” or “The use of GOTO will cause searing pain.” Good developers, however, know that there are times when deviating from these rules is acceptable, and will at times produce software that doesn’t follow every best practice.

Categories: Software Development

PHP Security – Weak salt vulnerabilities

July 17th, 2009 No comments

Salt is good; but if the salt becomes unsalty, with what will you make it salty again?

- Jesus

Salting your hashes is a good thing.  It adds another level of protection to your hash, and defeats precomputed rainbow tables should your hash get out.  It’s been standard practice to use a salt when storing passwords and similar information for almost 30 years now.  Using a weak salt can significantly reduce the protection it gives you.  Also, a salt should be just one additional level of protection for your hashes – not your only protection.  The use of a salt doesn’t suddenly mean that sharing your hashes with the world is a good thing.


Categories: PHP Security

What are you sharing? – Browser History Scraping

June 21st, 2009 No comments

The Internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time.

-FDIC, Safe Internet Banking

Any time you visit a website, you’re providing the opportunity for that website to discover a lot of information about you.  Cross-site scripting (XSS) vulnerabilities in websites could allow a malicious third-party site to gain access to your email, your Facebook account, your bank account, credit cards, etc.  Security vulnerabilities in browsers, link handlers, embedded media players, and other software could be used to compromise your local machine and monitor everything you do in the background.

Categories: General Web Security

PHP Performance – Optimize, Eliminate or Scale

May 14th, 2009 1 comment

Get several more uses from your toothpaste by placing the tube in boiling water for several minutes to loosen up the toothpaste inside, then pulling the tube down across the edge of the bathroom counter to scrape all of the toothpaste from the bottom of the tube to the top.

Once this technique no longer yields more toothpaste from the tube, use a pair of scissors to cut the tube open about an inch or two from the top. Open the top part and use your toothbrush to scrape the toothpaste out of the inside of the tube.

-Associated Content

When it comes to improving performance in a PHP system, there are a few different approaches you can take.  First, find out where your system performance can best be improved – see PHP Optimization – Where to Start.  Once you know where your biggest bottlenecks are, you can try to optimize through them, but at some point, you’ll reach the limits of what optimization can do for you –  run out of toothpaste, so to speak.  There are two widely used performance techniques beyond optimization – eliminate it, or scale it out.


Categories: PHP Performance

PHP Security – Escape proof SQL injection in ORDER BY clause

May 13th, 2009 4 comments

It’s a well known, well documented, and well abused fact that SQL injection attacks can take place in the WHERE clause of a SQL statement. The commonly applied practice among professionals is to run user input through mysql(i)_real_escape_string(). However, this only protects against user variables within quoted values, and does not protect against SQL injection attacks elsewhere in the query.

One place that is commonly vulnerable is in the ORDER BY clause. Many developers either do not understand that mysql(i)_real_escape_string does not protect them from these types of attacks, or do not think that meaningful SQL injection can be done at this point in the query on a single statement engine like MySQL. As a result, this vulnerability can be found and exploited in many applications and websites, both commercial and open source, personal and corporate.
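Since a column name or sort direction is an identifier, not a quoted value, escaping cannot protect it; the defence is a whitelist. The following is an added example, not code from the original post; the column map, the users table and the buildOrderBy() helper are assumptions for illustration:

```php
<?php
// Added example: building an ORDER BY clause from request input safely.
// mysqli_real_escape_string() only protects quoted string values, so it does
// nothing for identifiers. Map the public sort key to a column you control and
// never interpolate the raw request value into the query.

// Columns the caller may sort by, keyed by the parameter value (assumed schema).
const SORTABLE_COLUMNS = [
    'name'    => 'u.username',
    'created' => 'u.created_at',
    'email'   => 'u.email',
];

/**
 * Return a safe "ORDER BY ..." fragment. Anything not on the whitelist falls
 * back to the default ordering instead of reaching the query.
 */
function buildOrderBy(?string $sort, ?string $dir): string
{
    $column    = SORTABLE_COLUMNS[$sort ?? ''] ?? SORTABLE_COLUMNS['created'];
    $direction = (strtoupper($dir ?? '') === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

// The pattern the post warns about: escaping an identifier gives no protection.
// $sql = "SELECT ... FROM users u ORDER BY " . mysqli_real_escape_string($db, $_GET['sort']);

// Hardened usage. WHERE values still belong in a prepared statement.
$sql = "SELECT u.username, u.email, u.created_at FROM users u WHERE u.active = ? "
     . buildOrderBy($_GET['sort'] ?? null, $_GET['dir'] ?? null);
// $stmt = $mysqli->prepare($sql);
// $stmt->bind_param('i', $active);
// $stmt->execute();
```

Requesting sort=created_at;DROP or dir=foo simply yields "ORDER BY u.created_at ASC", because the request value is used only as a lookup key.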

Categories: PHP Security

PHP Optimization – Where to start

May 11th, 2009 1 comment

“Our web app is slow,” complained the boss.
“Well, I hear that using commas instead of periods with echo() makes PHP faster,” replied the code monkey.
“Well, let’s try optimizing that,” said the boss.

$100k later.
“Well, it’s still slow after that change. I guess we’ve reached the limits of PHP. Time to switch to Java.”

If you run a website that becomes successful, at some point, you’re going to run into performance issues. Heck, you may only need a single visitor with some scripts to bring it to a crawl. There are a few different approaches often used for optimizing PHP, but really only one right one. First there’s the old school way, dump in a bunch of var_dumps of script execution time and hope to find a slow spot. Not very efficient.

Then there’s what I like to call the cluster-bomb optimizing approach. These are those lists of 40 things to do to optimize PHP and the like. I call this the cluster-bomb approach because you’re just throwing a bunch of tiny optimizations all over the place hoping that you hit one that’s causing your performance issues. A lot of these recommendations will leave you with a trashed collection of unmaintainable code. A cluster-f*** of code so to speak.

Very rarely will the majority of these recommendations actually make an impact to a real-world performance issue. I know this because I regularly fix real-world performance issues, and I rarely follow most of the optimization “tips” in those lists.

And then there’s the profiling method. This, I think, is the only right way to begin any sort of optimization process, in PHP or any other language. For the uninitiated, a profiler is a process that sits with your script handler and generates a detailed log of exactly what happened during a script run, how long each subprocess took, etc. You can then take this log and get a visual representation of your script’s performance. From there, it’s really easy to see where the performance bottlenecks are in the system, which gives you a good idea of where optimization effort is best spent.


Categories: PHP Performance

PHP Upload Security & The 1×1 jpeg Hack

April 4th, 2009 5 comments
Far too often, I’ve seen example PHP code, or live PHP code, where the file upload checks consist exclusively of
$_FILES['userfile']['type'] == 'image/jpeg'
strpos($_FILES['userfile']['name'], '.jpg') or strstr($_FILES['userfile']['name'], 'jpg')
followed by something like
move_uploaded_file($_FILES['userfile']['tmp_name'], PUBLIC_WEB_UPLOAD_DIR . $_FILES['userfile']['name']);
All of these methods leave the server completely vulnerable to remote script uploading and execution with the 1×1 jpeg hack.

How this can be exploited
To execute the 1×1 jpeg hack on a PHP server:
Create a 1×1 jpeg
Put the PHP code you want executed on the server in the embedded jpeg header, surrounded by tags
Name your file some_random_name.jpg.php
Tell your browser/OS that a .php file is of type image/jpeg.
Upload the file
When that file is uploaded to a server that uses the above method(s) as a “security” check to prevent remote file upload and execution, it will pass all checks, and will be executed whenever it is requested by a client browser, whether as a direct request in the browser address bar or as an embedded request in an <img> tag.
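Every check quoted above trusts something the client controls: the declared MIME type, the original filename, or both. The following is an added example, not the original post’s code, showing a hardened upload handler; it assumes a constant UPLOAD_DIR pointing at a directory outside the public web root (in place of the page’s PUBLIC_WEB_UPLOAD_DIR) and a storeUploadedImage() helper name chosen for illustration:

```php
<?php
// Added example: hardened replacement for the upload checks quoted above.
// UPLOAD_DIR is an assumption: a directory outside the web root, served only
// through a download script, so nothing stored there can be executed by PHP.
const UPLOAD_DIR = '/var/app/uploads';

function storeUploadedImage(array $file): string
{
    // 1. The upload itself must have succeeded.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }

    // 2. Ignore $_FILES[...]['type'] and the client filename entirely;
    //    sniff the actual content with fileinfo instead.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Not an allowed image type');
    }

    // 3. Confirm the bytes parse as an image at all. Note this still passes a
    //    real JPEG with PHP tucked into a comment segment, which is exactly why
    //    steps 4 and the non-executable UPLOAD_DIR are the actual defence.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // 4. The server picks the stored name: random, with the extension derived
    //    from the sniffed type. A name like x.jpg.php can never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim(UPLOAD_DIR, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Usage inside the upload form handler.
$stored = storeUploadedImage($_FILES['userfile']);
```

Re-encoding the image through GD (imagecreatefromjpeg() followed by imagejpeg()) before storing it additionally strips any embedded comment or EXIF data, and is worth adding where the image content itself is not required byte-for-byte.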

Categories: PHP Security