Linux Blog

Securing PHP Web Applications Review

Filed under: General Linux — TheLinuxBlog.com at 11:43 am on Friday, February 27, 2009

Securing PHP Web Applications

As a somewhat seasoned PHP developer, I’m always looking for ways to improve code and keep up with the latest happenings. When I saw the book, “Securing PHP Web Applications” by Addison-Wesley, I thought I’d give it a look. PHP is known for its wide deployment and rapid development. Unfortunately, with such a large user base, it is not uncommon to see mistakes within development. Often developers are unaware that what they are doing is insecure. This book addresses important security concerns every developer should be aware of.

The first ten chapters are on programming practices of which, if you’re a system administrator, may not interest you. If you are a developer you should know, understand, be able to fix and, of course (the fun part), exploit for demonstration.

Chapters 11, 12 and 13 are essential reading to any system administrator who will be supporting a LAMP or WAMP stack.
The IIS chapter may not apply to those reading this blog since we all know that securing IIS is not necessary when you’re running Linux. The chapters on securing PHP, MySQL, and Apache outline the basic concepts and give some important pointers that may not be obvious to everyone.

Chapter 14 (Introduction to Automated Testing) and Chapter 15 (Introduction to Exploit Testing) have really opened my eyes to methods I have not used before. We’ve all heard of Selenium and PHPUnit but what about CAL9000 and PowerFuzzer? I’ll be off to try them soon. I can always appreciate applications designed to help secure applications. Nessus, Nikto and MetaSploit lack any mention in this book but now that you’ve read this review, you’ll know to look into those as well.

Chapter 16 is on designing secure applications and 17 is on patching, which would have been useful for me to explain to someone as to why they shouldn’t be working on their production site (to make things worse with no version control.)

There are so many products out there that are vulnerable to some of the attacks. We see them everyday in the security lists. I think that any company and developer of PHP based Web Applications should have a keen grasp on the concepts outlined within the pages of this book.

I do not think, however, that “Securing PHP Web Applications” is a book that is necessarily intended for every developer out there. I think its a great book for anyone with an active interest in security that has been developing for a while but would like some pointers on how to secure their web apps or a reference for developers in need.

For more information and a sample chapter, please visit the publisher page: http://www.informit.com/title/0321534344 or if you subscribe to Safari Books Online you can access the complete book here: http://techbus.safaribooksonline.com/9780321534347

Making your scripts user and sysadmin friendly

Filed under: Shell Script Sundays — TheLinuxBlog.com at 11:08 pm on Sunday, November 18, 2007

When designing a shell script it is important to make them easy to use but also to make it easily automated for deployment. One example of this that comes to mind is the NVIDIA installer. It has command line options to allow for deployment but also gives a nice interface for the end user.

To implement this “dialog” can be used for the user interface and “getopts” can be used for the command line options. The script may look something like:

#help function
help () {
echo "Linux Blog - getopts and dialog example";
echo "Usage:";
echo -e "\t -h shows this help";
echo -e "\t -a [y/n][other] ANSWER (Yes, No or Other)";
}
 
#show dialog to get the answers
showDialog () {
dialog --yesno "Do you want to enter y?" 5 50 && \
ANS="Yes was entered using dialog" ||\
ANS="No was entered using dialog"
showAnswer;
}
 
#actually show the answer
showAnswer() {
echo $ANS;
}
 
#check answer for command line processing
checkAns() {
if [ "${OPT1}" == "y" ]
then
ANS="Yes sent by getopts";
elif [ "${OPT1}" == "n" ]
then
ANS="No was sent getopts";
else
ANS="This: $OPT1 was sent by getopts";
fi
#call showAnswer
showAnswer;
}
 
#get the options
while getopts "a:h" ARG;
do case "${ARG}" in
a) OPT1="${OPTARG}";;
h) HELP="TRUE";;
esac;
done
 
#see if help was entered
if [ "${HELP}" ]
then
#display help and quit
help;
exit;
fi
#if the options are empty
if [ -z "${OPT1}" ]
then
showDialog;
else
checkAns;
fi

Keep this getopts and dialog post in mind next time your shell scripting. It will take a little extra time to implement but the result will be a user and sysadmin friendly script.