Re: [nyphp-talk] [OT] PHP IDS & Web Application Security

2007-09-27 Thread inforequest
Mitch Pirtle mitch.pirtle-at-gmail.com |nyphp dev/internal group use| wrote: On 9/24/07, Ben Sgro (ProjectSkyLine) <[EMAIL PROTECTED]> wrote: I recently finished a security audit and pen test for a client. I couldn't believe the problems they had. They found a developer off CL and with his

[nyphp-talk] Re: Digest Authentication w/ Login Form

2007-09-27 Thread Michael B Allen
On 9/27/07, Michael B Allen <[EMAIL PROTECTED]> wrote: > Is it possible to do digest authentication from a login form? Of course I just figured out how to do this in record time. I also just realized that, for reasons not worth going into, I can't use this. But for posterity here's the solution: A

[nyphp-talk] Digest Authentication w/ Login Form

2007-09-27 Thread Michael B Allen
Hi, I think I already know the answer to this is a simple "no" but I suppose it can't hurt to ask. Is it possible to do digest authentication from a login form? I'm curious as to why there isn't a special form element type like "password" that doesn't compute a digest. Otherwise, is there a rea

Re: [nyphp-talk] Apache document root location question

2007-09-27 Thread Cliff Hirsch
On 9/27/07 4:42 PM, "Mitch Pirtle" <[EMAIL PROTECTED]> wrote: > On 9/27/07, Cliff Hirsch <[EMAIL PROTECTED]> wrote: >> >> Should I just make my application htdocs dir the new document root? Or >> should I make a symbolic link, alias, redirect or virtual host (always get >> confused about which to

Re: [nyphp-talk] Apache document root location question

2007-09-27 Thread Mitch Pirtle
On 9/27/07, Cliff Hirsch <[EMAIL PROTECTED]> wrote: > > Should I just make my application htdocs dir the new document root? Or > should I make a symbolic link, alias, redirect or virtual host (always get > confused about which to use since they seem to achieve the same thing)? Or I > guess I could

[nyphp-talk] Apache document root location question

2007-09-27 Thread Cliff Hirsch
I am bringing up a production server where the Apache document root is currently: /srv/www/htdocs Yet my application is in another directory and has its own public htdocs directory. The php files in the public htdocs dir know that they are in a subdir one level below the application directory, so

Re: [nyphp-talk] Webservice Issue (was Webserivce Issue with .NET ) no longer just .NET

2007-09-27 Thread Donald Organ
Ok, well, I believe it's no longer just a .NET issue. It seems the service itself isn't returning a value for that property at all, and I know it's being set because if I dump the object to the screen via PHP it appears fine. On Thu, 2007-09-27 at 16:11 -0400, David Krings wrote: > Donald Organ wrote: >

Re: [nyphp-talk] Webservice Issue with .NET

2007-09-27 Thread David Krings
Donald Organ wrote: Wow no one has had any problems like this?? Maybe no one else uses .NET? ___ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Yo

Re: [nyphp-talk] Webservice Issue with .NET

2007-09-27 Thread Donald Organ
Wow no one has had any problems like this?? On Thu, 2007-09-27 at 09:44 -0400, Donald Organ wrote: > I am wondering if anyone else has had this issue before. > > I have a webservice made using Services_Webservice(PEAR Package). In > one method of my service I am returning a complex type, which i

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread Mitch Pirtle
On 9/27/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > John Zabroski wrote: > > We should always say what we mean, and always question what we mean. I > > can guarantee you I learned this the hard way. > > You got conned into sitting on a stupid egg too? I squished mine. -- Mitch, sobbing un

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread tedd
At 6:54 AM -0400 9/26/07, Kenneth Downs wrote: From: http://www.eweek.com/article2/0,1759,2188714,00.asp Q: How can sites protect themselves against SQL injection? A: The best defense is to design your database-backed Web site properly to ma

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread bz-gmort
John Zabroski wrote: We should always say what we mean, and always question what we mean. I can guarantee you I learned this the hard way. You got conned into sitting on a stupid egg too?

[nyphp-talk] Webservice Issue with .NET

2007-09-27 Thread Donald Organ
I am wondering if anyone else has had this issue before. I have a webservice made using Services_Webservice(PEAR Package). In one method of my service I am returning a complex type, which is able to be read just fine, but I had to add more properties to the object, and now one of the properties i

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread csnyder
On 9/26/07, John Campbell <[EMAIL PROTECTED]> wrote: > > My personal favorite: > > public function esc( $value ) { > > return mysql_real_escape_string( $value, $this->db ); > > } > > If that is your personal favorite, you are justifying the article. > All you have to do is forget to use singl

Re: [nyphp-talk] SPL - Do you use?

2007-09-27 Thread Scott Mattocks
Jon Baer wrote: Do many here use the SPL library? I use the ArrayAccess interface all the time. It allows me to get some OOP benefits for data structures while still having the ease of use of an array. For example, we opened up a SOAP interface for our system. Internally we had things wor

[nyphp-talk] SPL - Do you use?

2007-09-27 Thread Jon Baer
Do many here use the SPL library? I could never really understand this "library", on one side part of the Java programming that I really felt to be a burden of added / bloated code was the idea of the "Iterator" (you always had to grab one) and that is pretty much what the SPL is (for PHP5)

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread John Zabroski
If that is what you call input validation, then you'd be wrong. SQL Injection is a subset of all attacks based off input vulnerability. As an example, input validation can include calculating and effectively using string length to avoid a buffer overrun or truncation attack. Come to that, the

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread Kenneth Downs
Dell Sala wrote: Ken Wrote: Applying security in the database renders you structurally immune from SQL injection. Can you elaborate on this? I'm always intrigued by your DB-centric slant. Sure. The typical SQL injection example is where I put some command in on an email form: EMAIL: [

Re: [nyphp-talk] Not-so-subtle attack on PHP

2007-09-27 Thread David Krings
John Campbell wrote: On a similar subject: If your solution is to "validate input" or "input filtering", you are going about things all wrong. Validating input is for the birds; prepared SQL and output escaping is the way to go. I don't give a shit if my users use names like "" , just like my