Smashing Magazine

I have only written one article for Smashing Magazine, a rebuttal to an article they have since retracted. I would happily write for them again sometime.


  • 10 Advanced PHP Tips Revisited

    This article is a rebuttal to 10 Advanced PHP Tips To Improve Your Programming — henceforth referred to as the previous article — published last November here on Smashing Magazine. The introduction sounds intriguing…

    Published in Smashing Magazine on 24 Mar 2009

PHP Architect

I used to write a regular column for PHP Architect called Security Corner. They were kind enough to let me retain the rights, so I can publish them online.


  • Security Testing

    Testing can be a manual or automated process, and there are advantages and disadvantages to each approach. When I test an application, I try to employ a healthy combination of both. Although this can be slightly…

    Published in PHP Architect on 19 Dec 2006
  • Cross-Domain Ajax

    Welcome to another edition of Security Corner. This month's topic is cross-domain Ajax, and it’s specifically an introduction to a few of the security concerns that I hope to elaborate on in future editions. If you don’t use Ajax, don’t know what it …

    Published in PHP Architect on 16 Oct 2006
  • Understanding Superglobals

    A superglobal is a PHP array that is available in every scope. Examples include $_GET and $_POST. Global variables, which exist only in the global scope, are therefore different, despite some claims to the contrary. Consider the following example: …

    Published in PHP Architect on 25 Jul 2006
  • Character Encoding

    I want to give my sincere thanks to Ilia Alshanetsky, who has agreed to take over Security Corner. It has been my pleasure to be the author of this column for the past few years. I think it’s valuable to hear from different sources of security expert…

    Published in PHP Architect on 28 Feb 2006
  • Email Injection

    I must admit that when I first heard about email injection a few years ago, I wasn’t very impressed. After all, it’s just another case of developers making the mistake of blindly trusting user input. If you let users manipulate the arguments passe…

    Published in PHP Architect on 25 Jan 2006
  • Context

    A textbook definition of context is "the circumstances in which an event occurs; a setting." When speaking about PHP security, the context of your data is important. This is better explained by example:    $username = 'chris';…

    Published in PHP Architect on 22 Dec 2005
  • Cross-Site Scripting

    Cross-site scripting (XSS) is a poor description for a vulnerability, because the name refers to an old exploit. This is a common problem within the security community. A vulnerability is not known until someone discovers an exploit for it, so this is hard…

    Published in PHP Architect on 21 Nov 2005
  • HTTP Response Splitting

    HTTP response splitting derives its name from the technique of splitting a single HTTP response into two. This particular technique is best explained with an example and an examination of the underlying HTTP transactions. Consider this example that redirec…

    Published in PHP Architect on 25 Oct 2005
  • Code Audits

    Before you get started with any task, it's always best to know what exactly you're doing. Before you can effectively audit a PHP application, you need to clearly define your task and its associated goals. What are you doing, and why are you doing it? Wh…

    Published in PHP Architect on 21 Sep 2005
  • Theory

    I was in Vancouver recently to give a talk at PHP West called the PHP Security Audit HOWTO. The positive response has been overwhelming, which is unusual—I typically receive very little feedback from any of my talks (or articles, for that matter). …

    Published in PHP Architect on 18 Jul 2005
  • Persistent Logins

    Remember Me Have you ever visited a web site and noticed a checkbox that says "Remember Me" directly underneath the login form? This is the most common phrase used to describe this feature to the user, and there are two major implementation…

    Published in PHP Architect on 25 May 2005
  • BBCode

    Markup Basics There are many ways to mark up content. In a plain text environment, there are some common forms of markup that have been adopted specifically for the purpose of being easy to interpret by a human. Examples are *bold*, /italics/, and …

    Published in PHP Architect on 19 Apr 2005
  • Magic Quotes

    Filter Input – Escape Output   Note: this article speaks mostly about the magic_quotes_gpc directive, which is by far the most common. For more information on magic quotes, refer to the PHP manual page at http://www.php.net/magic_quotes. …

    Published in PHP Architect on 21 Mar 2005
  • PHP Security Consortium

    This is a brief story about how the PHP Security Consortium came to be. PHP Security Experiments In October 2004, I was conducting a series of experiments to test some new theories regarding the insecurity of modern web apps. There was also a persona…

    Published in PHP Architect on 15 Feb 2005
  • Cross-Site Request Forgeries

    Welcome to another edition of Security Corner. This month's topic is cross-site request forgeries, an attack vector that enables an attacker to send arbitrary HTTP requests from a victim user. That's worth reading a couple of times, and it will likely not …

    Published in PHP Architect on 13 Dec 2004
  • Ideology

    Welcome to another edition of Security Corner. This month's topic is ideology, the theory and practices behind secure programming. While studying specific attacks is necessary for you to understand why to employ some practices, adhering to a strict ideolog…

    Published in PHP Architect on 15 Nov 2004
  • File Uploads

    Welcome to another edition of Security Corner. This month's topic is file uploads, and I focus on the mechanism you create to allow users to upload files to your application. Unlike typical form data, files are handled uniquely, and PHP uses the $_FILES ar…

    Published in PHP Architect on 18 Oct 2004
  • Secure Design

    Welcome to another edition of Security Corner. This month's topic is secure design, the application architecture that provides the foundation for secure development. The column on input filtering touched on this topic a bit, and it's something that is sure…

    Published in PHP Architect on 23 Sep 2004
  • Session Hijacking

    Welcome to another edition of Security Corner. This month's topic is session hijacking, often referred to as an impersonation attack. Session hijacking describes all methods by which an attacker can access another user's session. A successful session hijac…

    Published in PHP Architect on 26 Aug 2004
  • Form Spoofing

    Welcome to another edition of Security Corner. This month's topic is form spoofing, a technique mentioned briefly in the column on input filtering. As a PHP developer, you have most likely written code to handle HTML forms. If you have been reading this co…

    Published in PHP Architect on 22 Jul 2004
  • Input Filtering

    Welcome to another issue of Security Corner. This month's topic is input filtering, one of the cornerstones of web application security. Input filtering is the method by which you validate all incoming data and prevent any invalid data from being used by y…

    Published in PHP Architect on 18 May 2004
  • SQL Injection

    Thanks to Alyona Lompar, this article is also available in Ukrainian. Welcome to another edition of Security Corner. This month's topic is SQL injection, an attack vector that frequents the minds of PHP developers, but for which there is a shortage of goo…

    Published in PHP Architect on 15 Apr 2004
  • Shared Hosting

    Welcome to another edition of Security Corner. This month, I have chosen a topic that is a concern for many PHP developers, shared hosting. Through my involvement with the PHPCommunity.org project, my contributions to various mailing lists, and by keeping …

    Published in PHP Architect on 23 Mar 2004
  • Session Fixation

    Security is gaining more and more attention among PHP professionals. As PHP continues to be a key component of the Web's future, malicious attackers will begin to target weaknesses in PHP applications more frequently, and developers need to be ready. I am…

    Published in PHP Architect on 16 Feb 2004
  • Foiling Cross-Site Attacks

    This article explores two contrasting attack vectors, cross-site scripting (XSS) and cross-site request forgeries (CSRF). As you read this article, I hope you will not only learn some specific strategies for protecting against these specific attacks, but t…

    Published in PHP Architect on 14 Oct 2003

PHP Magazine

I used to write a regular column called Guru Speak for the now-defunct PHP Magazine.


  • Storing Sessions in a Database

    Welcome to another edition of Guru Speak. I believe that one of the hallmarks of a good writer is the ability to mold a complex topic into something both palatable and interesting. These are the characteristics I strive for in Guru Speak, and I hope you c…

    Published in PHP Magazine on 14 Dec 2004
  • How to Avoid "Page Has Expired" Warnings

    Welcome to the first edition of Guru Speak, a new column that I'll be bringing to you every other month right here in PHP Magazine. The topics that I'll be writing about will vary, but one recurring topic that I want to focus on is that of providing thorou…

    Published in PHP Magazine on 21 Oct 2004
  • PHP Community

    This is the story of the PHPCommunity.org project's beginnings. Many lessons have been learned (some the hard way), and the project has already been a success without a single line of code being written. How did it happen? To truly understand the answer, I…

    Published in PHP Magazine on 22 Apr 2004
  • The Truth about Sessions

    Nearly every PHP application uses sessions. This article takes a detailed look at implementing a secure session management mechanism with PHP. Following a fundamental introduction to HTTP, the challenge of maintaining state, and the basic operation of cook…

    Published in PHP Magazine on 15 Dec 2003

2600: The Hacker Quarterly

I wrote my first two articles for 2600, a quarterly magazine I used to read regularly.


  • Passport Hacking Revisited

    This article is a follow-up article to Passport Hacking. Much of the information here is given under the assumption that you are familiar with the original article, so you should read it first. The original article was the first to reveal the security vuln…

    Published in 2600 on 15 Aug 2002
  • Passport Hacking

    This article introduces a security vulnerability in Microsoft Passport. Specific details explaining how to compromise a user's Passport account as well as example code to do this will be given. However, this information is intended to be used as academic e…

    Published in 2600 on 01 Aug 2001