About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.
Published Articles

Here you can find published articles from 2001 to date with some useful and current discussion in the comments.

Cross-Site Scripting

  • Published in PHP Architect on 21 Nov 2005
  • Last Updated 21 Nov 2005
  • 0 Comments

Cross-site scripting (XSS) is a poor description for a vulnerability, because the name refers to an old exploit. This is a common problem within the security community. A vulnerability is not known until someone discovers an exploit for it, so this is hardly surprising. The exploit gets named, and then all exploits that target the same vulnerability inherit the name. The original XSS exploit involved the use of frames, a feature rarely used today. By using a frameset, one was able to incl…

Storing Sessions in a Database

  • Published in PHP Magazine on 14 Dec 2004
  • Last Updated 14 Dec 2004
  • 65 Comments

Welcome to another edition of Guru Speak. I believe that one of the hallmarks of a good writer is the ability to mold a complex topic into something both palatable and interesting. These are the characteristics I strive for in Guru Speak, and I hope you consider my efforts to be a success. Please be sure to let me know what issues tend to trouble you the most or in what areas you would like to expand your knowledge and understanding. I am happy to cater to my readers. This edition's topic…

Cross-Site Request Forgeries

  • Published in PHP Architect on 13 Dec 2004
  • Last Updated 13 Dec 2004
  • 82 Comments

Welcome to another edition of Security Corner. This month's topic is cross-site request forgeries, an attack vector that enables an attacker to send arbitrary HTTP requests from a victim user. That's worth reading a couple of times, and it will likely not be until you've seen your first example attack that you can fully understand or appreciate the danger. The typical scenario involves a victim that has an established level of privilege with the target site, and this allows an attacker to i…

Ideology

  • Published in PHP Architect on 15 Nov 2004
  • Last Updated 15 Nov 2004
  • 2 Comments

Welcome to another edition of Security Corner. This month's topic is ideology, the theory and practices behind secure programming. While studying specific attacks is necessary for you to understand why to employ some practices, adhering to a strict ideology is what can protect you against unknown attacks. Some of the things I'll be discussing include data flow and naming conventions. Whether you are a developer yourself or manage a group of developers, the most important thing you can be do…

How to Avoid "Page Has Expired" Warnings

  • Published in PHP Magazine on 21 Oct 2004
  • Last Updated 21 Oct 2004
  • 48 Comments

Welcome to the first edition of Guru Speak, a new column that I'll be bringing to you every other month right here in PHP Magazine. The topics that I'll be writing about will vary, but one recurring topic that I want to focus on is that of providing thorough answers to frequently asked questions. This is a topic that is appropriate for PHP developers of all skill levels, and while some questions are not likely to concern experienced developers, the answers will hopefully lend new insight and…

File Uploads

  • Published in PHP Architect on 18 Oct 2004
  • Last Updated 18 Oct 2004
  • 10 Comments

Welcome to another edition of Security Corner. This month's topic is file uploads, and I focus on the mechanism you create to allow users to upload files to your application. Unlike typical form data, files are handled uniquely, and PHP uses the $_FILES array to provide you with all of the information you need. However, because it isn't very clear what information is provided by the client and what information is provided by PHP, a security-conscious developer can have a difficult time deter…

Secure Design

  • Published in PHP Architect on 23 Sep 2004
  • Last Updated 23 Sep 2004
  • 15 Comments

Welcome to another edition of Security Corner. This month's topic is secure design, the application architecture that provides the foundation for secure development. The column on input filtering touched on this topic a bit, and it's something that is sure to appear in this column again. Design has always been a controversial topic, but only because developers tend to be very loyal to their own discoveries, ideas, and approaches. Thus, discussing software design can spawn debates rivaled on…

Session Hijacking

  • Published in PHP Architect on 26 Aug 2004
  • Last Updated 26 Aug 2004
  • 36 Comments

Welcome to another edition of Security Corner. This month's topic is session hijacking, often referred to as an impersonation attack. Session hijacking describes all methods by which an attacker can access another user's session. A successful session hijack attack exploits a flaw in the application; as PHP developers, the safeguard is our responsibility. In an earlier column, I discussed session fixation, a method by which an attacker can gain a valid session identifier. The purpose of such…

Form Spoofing

  • Published in PHP Architect on 22 Jul 2004
  • Last Updated 22 Jul 2004
  • 8 Comments

Welcome to another edition of Security Corner. This month's topic is form spoofing, a technique mentioned briefly in the column on input filtering. As a PHP developer, you have most likely written code to handle HTML forms. If you have been reading this column, you also know that you should filter all input on the server. This article explains why, by detailing some common methods used to spoof form submissions.

HTML Forms

Form handling is very convenient with PHP, even when register_globa…

Input Filtering

  • Published in PHP Architect on 18 May 2004
  • Last Updated 18 May 2004
  • 9 Comments

Welcome to another issue of Security Corner. This month's topic is input filtering, one of the cornerstones of web application security. Input filtering is the method by which you validate all incoming data and prevent any invalid data from being used by your application. It's very similar in theory to how water filtering works, where impurities in water are not allowed to pass. This article covers a variety of issues, but unlike previous Security Corners, I will be focusing more on the the…

PHP Community

  • Published in PHP Magazine on 22 Apr 2004
  • Last Updated 22 Apr 2004
  • 0 Comments

This is the story of the PHPCommunity.org project's beginnings. Many lessons have been learned (some the hard way), and the project has already been a success without a single line of code being written. How did it happen? To truly understand the answer, I think it is important to describe the motivation behind the project. One of my favorite things about open source software is the community. People are always eager to help, and this is evident on any mailing list. Each major open source t…

SQL Injection

  • Published in PHP Architect on 15 Apr 2004
  • Last Updated 15 Apr 2004
  • 42 Comments

Thanks to Alyona Lompar, this article is also available in Ukrainian. Welcome to another edition of Security Corner. This month's topic is SQL injection, an attack vector that frequents the minds of PHP developers, but for which there is a shortage of good documentation. Most web applications interact with a database, and the data stored therein frequently originates from remote sources. Thus, when creating an SQL statement, you often use input in its construction. A typical SQL injection …

Shared Hosting

  • Published in PHP Architect on 23 Mar 2004
  • Last Updated 23 Mar 2004
  • 38 Comments

Welcome to another edition of Security Corner. This month, I have chosen a topic that is a concern for many PHP developers, shared hosting. Through my involvement with the PHPCommunity.org project, my contributions to various mailing lists, and by keeping tabs on PHP blogs and news sites, I have seen this topic brought up in various incarnations. Some people are concerned about hiding their database access credentials, some are concerned about safe_mode being enabled or disabled, and others …

Session Fixation

  • Published in PHP Architect on 16 Feb 2004
  • Last Updated 16 Feb 2004
  • 46 Comments

Security is gaining more and more attention among PHP professionals. As PHP continues to be a key component of the Web's future, malicious attackers will begin to target weaknesses in PHP applications more frequently, and developers need to be ready. I am very pleased to introduce Security Corner, a new monthly column that is focused completely on PHP security. Each month, I will discuss an important topic in great detail that can help you improve the security of your PHP applications and d…

The Truth about Sessions

  • Published in PHP Magazine on 15 Dec 2003
  • Last Updated 15 Dec 2003
  • 80 Comments

Nearly every PHP application uses sessions. This article takes a detailed look at implementing a secure session management mechanism with PHP. Following a fundamental introduction to HTTP, the challenge of maintaining state, and the basic operation of cookies, I will step through simple and effective methods that can be used to increase the security and reliability of your stateful PHP applications. It is a common misconception that PHP provides a certain level of security with its native s…

Foiling Cross-Site Attacks

  • Published in PHP Architect on 14 Oct 2003
  • Last Updated 14 Oct 2003
  • 69 Comments

This article explores two contrasting attack vectors, cross-site scripting (XSS) and cross-site request forgeries (CSRF). As you read this article, I hope you will not only learn some specific strategies for protecting against these specific attacks, but that you will also gain a deeper understanding of web application security principles in general.

Cross-Site Scripting

If you're a web developer, you've most likely heard about XSS. In fact, you may have already taken steps to protect your…

Passport Hacking Revisited

  • Published in 2600: The Hacker Quarterly on 15 Aug 2002
  • Last Updated 15 Aug 2002
  • 2 Comments

This article is a follow-up article to Passport Hacking. Much of the information here is given under the assumption that you are familiar with the original article, so you should read it first. The original article was the first to reveal the security vulnerability in Microsoft Passport that prompted Microsoft to discontinue the Passport service for a short period of time while improvements were made. Other articles have appeared since the original, and it has been translated into several di…

Passport Hacking

  • Published in 2600: The Hacker Quarterly on 01 Aug 2001
  • Last Updated 01 Aug 2001
  • 2 Comments

This article introduces a security vulnerability in Microsoft Passport. Specific details explaining how to compromise a user's Passport account as well as example code to do this will be given. However, this information is intended to be used as academic example. The objective is to give a rough analysis of web application security while illustrating some common misconceptions. I conclude with some suggestions for using the existing Passport mechanism as well as ways to improve its security.…