About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


Published Articles

Here you can find published articles from 2001 to date with some useful and current discussion in the comments.

Security Corner: Cross-Site Scripting

Cross-site scripting (XSS) is a poor description for a vulnerability, because the name refers to an old exploit. This is a common problem within the security community. A vulnerability is not known until someone discovers an exploit for it, so this is ...

Guru Speak: Storing Sessions in a Database

Welcome to another edition of Guru Speak. I believe that one of the hallmarks of a good writer is the ability to mold a complex topic into something both palatable and interesting. These are the characteristics I strive for in Guru Speak, and I hope y...

Security Corner: Cross-Site Request Forgeries

Welcome to another edition of Security Corner. This month's topic is cross-site request forgeries, an attack vector that enables an attacker to send arbitrary HTTP requests from a victim user. That's worth reading a couple of times, and it will likely ...

Security Corner: Ideology

Welcome to another edition of Security Corner. This month's topic is ideology, the theory and practices behind secure programming. While studying specific attacks is necessary for you to understand why to employ some practices, adhering to a strict ide...

Guru Speak: How to Avoid "Page Has Expired" Warnings

Welcome to the first edition of Guru Speak, a new column that I'll be bringing to you every other month right here in PHP Magazine. The topics that I'll be writing about will vary, but one recurring topic that I want to focus on is that of providing th...

Security Corner: File Uploads

Welcome to another edition of Security Corner. This month's topic is file uploads, and I focus on the mechanism you create to allow users to upload files to your application. Unlike typical form data, files are handled uniquely, and PHP uses the $_FILE...

Security Corner: Secure Design

Welcome to another edition of Security Corner. This month's topic is secure design, the application architecture that provides the foundation for secure development. The column on input filtering touched on this topic a bit, and it's something that is ...

Security Corner: Session Hijacking

Welcome to another edition of Security Corner. This month's topic is session hijacking, often referred to as an impersonation attack. Session hijacking describes all methods by which an attacker can access another user's session. A successful session h...

Security Corner: Form Spoofing

Welcome to another edition of Security Corner. This month's topic is form spoofing, a technique mentioned briefly in the column on input filtering. As a PHP developer, you have most likely written code to handle HTML forms. If you have been reading thi...

Security Corner: Input Filtering

Welcome to another issue of Security Corner. This month's topic is input filtering, one of the cornerstones of web application security. Input filtering is the method by which you validate all incoming data and prevent any invalid data from being used ...

PHP Community

This is the story of the PHPCommunity.org project's beginnings. Many lessons have been learned (some the hard way), and the project has already been a success without a single line of code being written. How did it happen? To truly understand the answe...

Security Corner: SQL Injection

Welcome to another edition of Security Corner. This month's topic is SQL injection, an attack vector that frequents the minds of PHP developers, but for which there is a shortage of good documentation. Most web applications interact with a database, a...

Security Corner: Shared Hosting

Welcome to another edition of Security Corner. This month, I have chosen a topic that is a concern for many PHP developers, shared hosting. Through my involvement with the PHPCommunity.org project, my contributions to various mailing lists, and by keep...

Security Corner: Session Fixation

Security is gaining more and more attention among PHP professionals. As PHP continues to be a key component of the Web's future, malicious attackers will begin to target weaknesses in PHP applications more frequently, and developers need to be ready. ...

The Truth about Sessions

Nearly every PHP application uses sessions. This article takes a detailed look at implementing a secure session management mechanism with PHP. Following a fundamental introduction to HTTP, the challenge of maintaining state, and the basic operation of ...

Foiling Cross-Site Attacks

This article explores two contrasting attack vectors, cross-site scripting (XSS) and cross-site request forgeries (CSRF). As you read this article, I hope you will not only learn some specific strategies for protecting against these specific attacks, b...

Passport Hacking Revisited

This article is a follow-up article to Passport Hacking. Much of the information here is given under the assumption that you are familiar with the original article, so you should read it first. The original article was the first to reveal the security ...

Passport Hacking

This article introduces a security vulnerability in Microsoft Passport. Specific details explaining how to compromise a user's Passport account as well as example code to do this will be given. However, this information is intended to be used as academ...
