Eureka!

Stefan Esser made a great suggestion: we should have a “Month of PHP Bugs”, highlighting a bug in PHP every day for a month.

I think this is a great idea. If for no other reason than to give novice programmers some good learning material. So far there hasn’t been much “active awareness” pushed by PHP (Zend, et al.) to communicate things that beginning programmers need to be aware of.

The drawback with this is that the programmers need to learn by trial and error (usually at the employer’s expense) and in the mean time make their applications vulnerable.

I would love it if there was a site dedicated to PHP security. Not just vulnerabilities as in bugs, but also in proper ways of coding secure applications, best practices, and such. I’ve always found php.net to be the best resource when looking up functionality and syntax. A lot of the issues and vulnerabilities that programmers need to know about are indeed “hidden” in the user contributions at the bottom of the pages, however, they are cumbersome to read through, and often include a slew of ideas, tips, tricks, warnings, and best practices thrown together.

Of course, the other side of the coin (playing devil’s advocate here) is that developers need to be on top of their game at all times. Meaning they need to educate themselves regularly about their chosen programming languages. This includes reading up on best practices, coding securely, and learning new tricks.

**SQUASH**

Here are some links on the topic to get you started:

• PHP Security Blog
• PHP Security Consortium
• Essential PHP Security
• PHP Advisory
• Hardened-PHP Project
• SecurityFocus

Many sites have alot of different select fields in their forms. In order to streamline my coding efforts I have consolidated and am using a function to satisfy all my drop-down needs:

    function MakeSelectList($strSQL, $strParameters, $blnShowBlank)    {        $arrData = GetArrayQuery($strSQL);?>                    <select <?= $strParameters ?>>                        <option value=""></option>                        <option value="<?= $arrData[$i][0] ?>"><?= $arrData[$i][1] ?></option>                    </select>The GetArrayQuerry() function is another streamlined function I use to return data as a data array from the database. This way I only deal with arrays and am removing my code from having to deal directly with the database:
    function GetArrayQuery($strSQL)    {        $i = 0;        $objRS = $db->query($strSQL);        CheckError($objRS);        while ($objRS->fetchInto($arrRow)) {$arrData[$i++] = $arrRow;}

        return $arrData;    }
Let me know if you have more elegant ways of doing this! I’m always open to new ideas.  

Use the following code in your target page from the file upload form to handle saving the file on the server:

//set the destination directory$uploaddir = '/var/www/uploads/';//set the destination file name$uploadfile = $uploaddir . $_FILES['userfile']['name'];print('');//move file to designated directory, then test if successfulif (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)){    print('File is valid, and was successfully uploaded. ');    print('Here's some more debugging info:n');    print_r($_FILES);}//show if problems occurelse{    print('Possible file upload attack! Debugging info:n');    print_r($_FILES);}print('');

Link: http://www.php.net/features.file-upload