Josh Duck

I had a client send me a copy of their website for testing purposes today. Some of it used off-the-shelf commercial PHP components which were encoded with a product called Zend Guard. I’m generally not a fan of encoding files, but headed off to get the relevant extensions from the Zend website. After installing the extension I found Apache throwing a bunch ominous errors when trying to decode a file with the extension (more…)

The static keyword is a core feature of PHP’s object oriented programming. Unfortunately, there doesn’t seem to be much in the way of easy introductions available online, so I’d like to give a brief overview of how the keyword functions, and how it should be used.

PHP actually has two distinct uses for the static keyword. The first and most common usage is related class method and property scoping, the second to variable scoping within in a single function. (more…)

Over the last week I’ve been working with a commercial PHP eCommerce package. Amongst some shockingly bad code one of the patterns that has stood out has been the use of includes a kind of pseudo-function. Dozens of files in the application are in the following format. (more…)

Redditor troelskn made an interesting observation about my recent blog post about Singletons, pointing out that static variables defined within a method behave completely differently to regular static properties. I use static method variables often but still found this behaviour surprising. I decided this was a good opportunity to find out exactly how static methods, properties and variables work in PHP. (more…)

Why would I be showing you how implement singletons in PHP? Don’t I know that the singleton pattern suffers from obvious shortcomings? Of course I do, but I have an ulterior motive. Singletons are a simple way to show off some of the features of PHP you probably don’t get to see and use too often. Now we’ve got that covered let’s see some code. If you haven’t seen a Singleton before the premise is simple: there should only ever be one instance of our class. (more…)

I was recently looking for a simple RSS reader for PHP. There are a few out there, like Magpie RSS. These seem like adequate projects, but much too high level for the scripts I was throwing together. I need to read a couple of different feed formats: namely WordPress’ RSS feed and Flickr’s Atom feeds. I decided to put together a single-class implementation which didn’t do anything more than the bare minimum.

(more…)

I’ve been doing a little bit of research into ways to misuse browser history and cache and came across a very simple technique for tracking users without the need for cookies. Firstly, a demo. If you watch the HTTP requests you’ll see that there are no cookies being used.

(more…)

SQL injection is a well trodden topic so I won’t go into too much detail.

For those who don’t know, the problem occurs when you fail to properly escape variables being placed into your strings. For example the SQL statement "SELECT * FROM users WHERE name = '$name'" will fail if $name is set to ' or '1' = '1. The string will be expanded to produce SELECT * FROM users WHERE name = '' or '1' = '1'. This is obviously not what you wanted, and could lead to very bad results when coupled with DELETE or UPDATE queries.

(more…)

When protecting your server environment you’ll want to ensure that two things happen. Firstly, you’ll want to keep your scripts from prying eyes; you want to make sure that you don’t accept input that will break your code. Secondly, and most importantly, you want to stop anyone from executing their own code on your servers.

(more…)

Today I’m going to start a three part series looking at security issues affecting web developers. The specifics apply to PHP developers, but the general concepts carry across all technologies.

Any significant website is going to consist of three core layers: the client side code (HTML and JavaScript), server code (PHP) and a storage layer (MySQL). As a developer you should be aware of the security implications of each layer of technology and how you can best secure your code.

(more…)