PHP Security by Example

06 Jul 2006

Almost an entire month has passed since my last blog entry, and a lot has happened. I'll try to catch up over the next week or two.

About a week ago, the Flash version of PHP Security by Example was Dugg.

I'm always disappointed to see trolls (Digg seems to have a bigger problem with this than Slashdot), but a few of the comments raise some valid questions. I'll try to summarize and answer those here.

It's true that slides are never a substitute for a talk, and this is especially true for this one, because it's a hands-on workshop. It's something Marco calls a BYOL (bring your own laptop), and it involves a lot of one-on-one attention and hand-holding.

The reason it's in Flash is that the person submitting the story linked to the Flash version. :-) To be fair, the only other format available for this talk is PDF. I've been wanting to create a nice web application for viewing Keynote slides. I think the best approach might be to export the slides as images and create a simple slide navigator. I can always continue to offer PDF, Quicktime, and Flash formats as well.

One comment really stands out:

If these tips helped you in a commercial website, then you should refund your customers' money because you have no business writing software. The last thing the world needs is another PHP programmer that doesn't understand security.

I disagree with this type of comment (the underlying sentiment is shared by others) for a couple of reasons:

These comments have motivated me to improve the slides for this talk, and I might try to prepare a video that demonstrates some of these attacks, so that it's more useful to an Internet audience.

This is a perfect opportunity to promote Dan Kuykendall's new Hackme Test Site. It's a hands-on environment where you can try some XSS and SQL injection attacks of your own. Check it out.