
Showing posts from June 7, 2008

Writing More Secure PHP Programs

Introduction

PHP is a remarkably powerful open-source server-side scripting language. In very little code it is possible to do things which would be much more complex to do in other similar languages like Perl, ASP, JSP, ColdFusion, or C. However, the desire to hack together a quick solution can lead to insecure web applications which can place your data and, in some cases, your server at risk. This presentation will address some of these issues as they relate to PHP and offer some suggestions to get you thinking in a direction which will provide more security. PHP is neither inherently secure nor insecure. It is the responsibility of the programmer of a web application, the database administrator and the system administrator to ensure that security is not compromised at several levels, as described in Mark Nenadov's article Developing Secure Web Applications:

- Operating System/Web Server Layer (Red Hat Linux with Apache)
- General Application Layer (issues common to any web applicatio...

PHP 5.2.6 Released

PHP 5.2.6 Release Announcement

The PHP development team would like to announce the immediate availability of PHP 5.2.6. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.6:

- Fixed possible stack buffer overflow in the FastCGI SAPI, identified by Andrei Nigmatulin.
- Fixed integer overflow in printf(), identified by Maksymilian Arciemowicz.
- Fixed security issue detailed in CVE-2008-0599, identified by Ryan Permeh.
- Fixed a safe_mode bypass in cURL, identified by Maksymilian Arciemowicz.
- Properly address incomplete multibyte chars inside escapeshellcmd(), identified by Stefan Esser.
- Upgraded bundled PCRE to version 7.6.

Key enhancements in PHP 5.2.6 include:

- Fixed two possible crashes inside the posix extension.
- Fixed bug #44069 (Huge memory usage with concatenation using . instead of .=).
- Fixed bug #44141 (privat...