Alexander Andonov (Mordred) has written an article called The Unexpected SQL Injection for the Web Application Security Consortium:
We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used.
The article stresses the importance of filtering input and escaping output, as neither is a substitute for the other, but it does so very clearly, with specific examples that include queries that use integer values (sans quotes), user-supplied column names, LIMIT clauses, and LIKE clauses. The common thread is that escaping only protects a value that sits inside string quotes, and even then it does nothing about the % and _ wildcards in a LIKE pattern. A number of example exploits are supplied for each case, and he discusses which ones work, which ones don't, and why. It's a good article and worth a few minutes of your time.
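As an added example that is not part of Andonov's article or this post, the following Python script reproduces the unquoted-integer, column-name, and LIKE cases against an in-memory SQLite database, with each leaky query beside its hardened form. The escape() function is a stand-in for mysql_real_escape_string() (SQLite doubles a single quote where MySQL backslash-escapes it, but the lesson transfers); the users table, the ORDERABLE whitelist, like_escape(), and the PROBE expression are constructed for this illustration.

```python
import re
import sqlite3

# Added example, not code from the article or this post. escape() stands in
# for mysql_real_escape_string(): SQLite doubles the quote where MySQL would
# backslash-escape it, but in both cases the escaping only protects a value
# that lands *inside* string quotes.


def escape(value):
    """Neutralise the string delimiter, and nothing else."""
    return str(value).replace("'", "''")


def setup():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
        INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0);
    """)
    return conn


def names(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


# 1. Quoted string value: escaping does its job.
def by_name(conn, name):
    return names(conn, "SELECT username FROM users WHERE username = '%s' ORDER BY id"
                 % escape(name))


# 2. Integer without quotes: there is no delimiter to break out of, so
#    "2 OR 1=1" passes through escape() untouched and rewrites the WHERE clause.
def by_id_leaky(conn, user_id):
    return names(conn, "SELECT username FROM users WHERE id = %s ORDER BY id"
                 % escape(user_id))


def by_id_safe(conn, user_id):
    # Filter the input (it must be an integer) and bind it as a parameter.
    if not re.fullmatch(r"[0-9]+", str(user_id)):
        raise ValueError("id must be an integer: %r" % (user_id,))
    return names(conn, "SELECT username FROM users WHERE id = ? ORDER BY id",
                 (int(user_id),))


# 3. User-supplied column name: identifiers are never quoted, so an attacker
#    can supply an expression instead of a column and read data through the
#    resulting sort order (a blind technique; char() avoids any quote character).
def ordered_leaky(conn, column):
    return names(conn, "SELECT username FROM users ORDER BY %s" % escape(column))


ORDERABLE = {"id": "id", "name": "username"}  # whitelist, not escaping


def ordered_safe(conn, column):
    return names(conn, "SELECT username FROM users ORDER BY %s" % ORDERABLE[column])


# 4. LIKE: escape() leaves the wildcards % and _ alone, so a prefix of "%"
#    matches every row. The fix binds the pattern and escapes the wildcards
#    with a declared ESCAPE character.
def prefix_leaky(conn, prefix):
    return names(conn, "SELECT username FROM users WHERE username LIKE '%s%%' ORDER BY id"
                 % escape(prefix))


def like_escape(text, esc="\\"):
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def prefix_safe(conn, prefix):
    return names(conn, "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY id",
                 (like_escape(prefix) + "%",))


# Injected ORDER BY expression (constructed): sorts ascending if 'alice'
# (char(97,108,105,99,101)) is an admin, descending otherwise.
PROBE = ("(CASE WHEN (SELECT is_admin FROM users WHERE username = char(97,108,105,99,101)) = 1"
         " THEN id ELSE -id END)")

if __name__ == "__main__":
    conn = setup()
    print(by_name(conn, "x' OR '1'='1"))    # [] -- the quote was escaped
    print(by_id_leaky(conn, "2 OR 1=1"))    # ['alice', 'bob', 'carol']
    print(ordered_leaky(conn, PROBE))       # ['alice', 'bob', 'carol']: alice is admin
    print(prefix_leaky(conn, "%"))          # ['alice', 'bob', 'carol']
    print(prefix_safe(conn, "%"))           # []
```

In MySQL the LIKE escape character defaults to backslash, so the ESCAPE clause is optional there, but declaring it costs nothing and makes the intent explicit; in PHP the parameter binding shown here is what PDO or mysqli prepared statements give you. The point to take away is the one the article makes: the integer, column-name, and wildcard cases are fixed by filtering the input (type check, whitelist, wildcard escaping), not by escaping quotes harder.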
On a slightly related note, Paul Reinheimer (who moved his blog for no good reason) has recently posted about addslashes() Versus mysql_escape_string(). If you're curious about the difference between mysql_escape_string() and mysql_real_escape_string() (the latter takes the character set of the current connection into account), or just want to see an example that demonstrates why character encoding matters, check out my posts on addslashes() Versus mysql_real_escape_string() and the Google XSS Example.
As you may have heard, Paul Jones is joining us at OmniTI. We're very excited to have him, and you can meet him in person by attending the Columbia PHP Meetup Monday night (please RSVP), where he'll be speaking about framework and application benchmarking:
This talk will begin with an outline of the differences between profiling code blocks and benchmarking a system or subsystem. After a short discussion on the purpose and intent of running benchmarks, we will cover how to set up a benchmarking system, including the ab tool and the experimental controls needed when doing comparative benchmarks.
Finally, we will cover some real-life examples of comparative benchmarks between some major frameworks, and describe what the results indicate (and just as importantly what they do not indicate).
Sadly, I'll miss his talk, because I'll be in London for the Future of Web Apps conference, but I'm sure it will be a fun evening.
Welcome to the team, Paul!
Earlier this month (on the 4th, to be exact), OmniTI celebrated its 10th birthday. From humble beginnings in Theo's basement to a company of almost 50 employees, things have certainly changed. We now have an entire division devoted to email (Message Systems), a new office opening in New York, and a strong reputation that we all cherish. I haven't been here since the beginning, but I'm very proud to be a part of this team.
On his blog, Theo shares his thoughts on the occasion:
OmniTI is my other child, and the stresses and accommodations that I and everyone close to me have shouldered for OmniTI have been both heavy and relentless.
Like anything you care deeply about, this company requires great sacrifice but yields great reward. The people who work here are smart, but more importantly, we're passionate about what we do. What do we do? Apache, Linux, Solaris, FreeBSD, PHP, Perl, PostgreSQL, MySQL, and Oracle, just to name a few favorites. We create, fix, scale, secure, and maintain some of the biggest web sites around, and we love it.
Here's to the next ten years!
I often get distracted when following discussions online due to the abundance of flawed logic. It's distracting enough that I sometimes find myself tending to disagree with someone whose argument is illogical, even if I agree with the conclusion. (I can usually overlook poor grammar, as long as it's not too bad; we all make mistakes.) The following logical fallacies are the ones that I notice most often:
In case you're a pedant, note that logical fallacy is "often used more generally in informal discourse to mean an argument which is problematic for any reason, and thus encompasses informal fallacies as well as formal fallacies." Hopefully you can tolerate such informal discourse. :-)
Affirming the Consequent is something I first remember hearing about in high school, when a math class took a brief foray into logic. I can still remember the example, because it made the fallacy quite obvious:
If A is a dog, then A is an animal.
A is an animal.
Therefore, A is a dog.
This was contrasted with a logical conclusion:
If A is a dog, then A is an animal.
A is not an animal.
Therefore, A is not a dog.
A good example can be found in an old post of mine, Top X List of Mac OS X Annoyances. Although I don't mention Windows and only focus on my experience with Mac OS X and Linux, many people commented under the assumption that I use Windows. Now, I can't be absolutely sure how people came to this false conclusion, but I can speculate that their logic went something like this:
Those who use Windows find some characteristics about Mac OS X annoying, but only because those characteristics are different.
Chris finds some characteristics about Mac OS X annoying.
Therefore, Chris uses Windows. (A related conclusion is that my opinion isn't valid, because I use Windows.)
Next on the list is the Ad Hominem Argument, likely the most popular online fallacy. If you've ever witnessed someone resorting to personal attacks, you know what I'm talking about. I always attribute personal attacks to the lack of a valid, logical argument. (I'm almost always right about this, too.) The false premise upon which this fallacy is based is that by attacking someone who holds a certain position, you attack the position itself.
Last on the list is my personal pet peeve, the Straw Man Argument. This is often described as putting words in someone's mouth, but more specifically, it's when you misrepresent someone else's position in order to make it seem as if your position is superior.
What bothers me about the Straw Man Argument is that it is both very dishonest and very effective. This is a rampant problem in politics, at least here in the US. We often hear:
My opponent would have you believe...
In most cases, whatever follows is not at all what the opponent wants you to believe. Lies are nothing new in politics, but this particular variety is extremely effective. (The Straw Man Argument is very popular on FOX News.)
Got any more to add to the list?
Another conference has come and gone. As always, the folks at php|architect hosted a good conference, and it was nice to meet some new people and see old friends. There weren't even any hotel snafus this time. :-)
I really enjoyed my keynote. Not only was this my first keynote, it was also the first talk I've given that was more entertaining than educational. I even enjoyed preparing for it, which is unusual. For those who missed it, I provided a regular expression that automatically converts your code from PHP 4 to PHP 5, began the search for PHP 4's killer (and received an unsolicited confession from Derick), revealed Wez and Andrei as zombies, and demonstrated a couple of ways to test your legacy applications with PHP 5, one for those who test and one for those who don't. In retrospect, ending the talk after the serious part probably wasn't the best idea, since the energy from earlier had mostly subsided. Other than that, I think everyone had fun.
My other talk, Security 2.0, was also a fun talk, partly because it's constantly evolving. Covering everything within an hour is almost impossible, but I managed to get pretty close. I'm looking forward to giving a longer version of this talk at The Future of Web Apps next month. For those who saw the talk, the pixelated characters are the work of Jon Tan, inspired in part by The IT Crowd. You'll hopefully be seeing more of the WebAppSec Crowd soon.
Digg and Facebook were represented at the conference, with Eli White of Digg and Lucas Nealan and Brian Shire of Facebook all giving talks.
Terry Chay of Tagged stole the show with his talk, Finding Art in Software Architecture. Concerns that Terry had mellowed in recent years were quickly put to rest; his energy and expletive-count were back to all-time highs. (Maybe all he needed was a new camera.) He discussed stability, scalability, speed, and security as layers, advising developers to focus on these issues in order. The experience was shared, to a certain extent, with everyone on #phpc.
Now it's time to get back to work. We're celebrating our 10-year anniversary this week!
I've been very busy since OSCON, so my blog pipeline is full. Hopefully I can properly catch up on some topics I've been meaning to discuss in the next few weeks. If you've been busy like me, you might be wondering how to catch up and keep up with the things that are most important to you. I've found that having my own planet (blog aggregator) has helped tremendously. If your tastes are similar (PHP, web application security, etc.), you might like mine, cleverly (yeah, right) dubbed Planet Chris. Other planets you might find interesting are Planet PHP, Planet Web Security, and Planet MySQL, although I highly recommend creating your own. I haven't found a feed aggregator that compares to the simplicity and elegance of a planet's river-of-news style, and no existing one is likely to perfectly match your own tastes.
In my absence, one of the most interesting stories was the Facebook leak that was reported on TechCrunch. The interesting part of the story was how badly the leak was explained:
It seems that the cause was Apache and mod_php sending back uninterpreted source code as opposed to output, due to either a server misconfiguration or high load (this is a known issue).
As you can imagine, the "known issue" remark resulted in more than a few raised eyebrows. The author, Nik Cubrilovic, took the time to elaborate on his own blog:
PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client.
I've been known to sometimes not write poorly. In fact, I'm notorious for it. I've always been notorious for it.
Joking aside, this comment fueled a number of posts, including Clay Loveless's fact-filled response and Vidyut Luther's humorous recommendations for avoiding PHP leakage. My favorite comments came from Sean Coates during an episode of the Pro PHP Podcast:
Anyone who's ever set up PHP and Apache knows exactly what happened here.
I love how he says it with a tone that a parent might use with a child, the "you know what you did" tone. He also makes another straightforward observation:
PHP by definition is not at fault, because PHP code didn't run.
It's a shame Terry Chay didn't comment.
Earlier today, my editor and friend Tatiana Apandi launched Women in Technology, a series on the O'Reilly Network that she describes as follows:
This series is comprised of articles written by women on the topic of "Women in Technology," which will run through September. My hope is that the myriad of experiences you read about here will showcase how valuable it is to hear from different women at all stages of their careers and lives.
Whenever a minority group pops up, a few people understandably question its purpose and ask why there isn't a similar majority group. Tatiana addresses these types of questions, albeit indirectly:
Whether you believe that there is gender inequality within the tech community that we should all work to improve or if you think that there are no issues at all, one underlying truth is that we should support each other as individuals.
Similar groups have been popping up in recent years. Two groups that come to mind are Debian Women, a group started in 2004 that now seems defunct, and PHP Women.
Members of PHP Women can be found on #phpc as well as in attendance at some of the major PHP and open source conferences.
There is currently an article on Social Engineering, and since this series is only planned for the month of September, there should be a steady stream of content on its way.
Best of luck, Tatiana.