Saturday, May 03, 2008

Why Sanitization and Type Casting is Important in PHP

PHP is a language that is very open to different types of coding.
Many good, many bad. There are always multiple ways of doing something in PHP, that’s one reason it is such a great language.
Everyone has their own way of doing something. The most common problem, however, is a lack of proper knowledge of the language. Take someone who has worked in Java or C for 20 years and put them in front of PHP: they will learn the language quickly, but they will not necessarily pick up its true and correct methods and concepts. Amazingly, few do.

In working with many PHP programmers as an instructor, I’ve seen coders from every level, starting from novice to advanced.
From inexperienced beginners to 20-30 years of experience programming C-based languages.
It is an easy language to learn, but a difficult language to master -- properly.
But as easy and as popular as the language is, and as many people as program in it, few code correctly and securely, the way the language was intended to be programmed. -- As an instructor, I regularly see code that is vulnerable in one way or another: about 1 in every 3 scripts has a severe vulnerability of some kind (75% of the time it is an SQL injection, usually due to poor or no sanitisation).
These are mostly due to not understanding type casting properly, not using it, or not understanding the concepts behind proper coding in PHP, including coding PHP securely and the way it was intended to be used.

The 20,000 sites hacked between January and April of 2008 were compromised through SQL injection in web applications: hackers exploited it to insert code that injected iframes into every dynamic (ASP or PHP) file on the website.
More than 200,000 web pages contained these iframes.
So how do people address this? How do you, as a site owner and coder, secure your site or ensure that the applications or scripts that you use or code are going to be secure and free from exploits?
You code in the way that PHP was intended, and the way that PHP was intended to work with databases.
Sure, you can program PHP in the way that you want to, you can use shortcuts, or do things your way because you feel like it, or you can program in a way that is correct and secure.

One of the most important concepts that I’ve had to drill into the heads of my students has been proper sanitisation of variables AND type casting.
Type casting is equally as important as sanitisation of strings.
PHP is built to be a dynamic language in which a variable can be assigned values of any type; it neither requires nor supports explicit type definitions for variables, which means the type of a variable is set by the content assigned to it.

If your Database field is intended to contain a float, you, the programmer must ensure that the data you are placing into that field is a float. If the field is an integer, you must ensure that the variable is an integer. If it is meant to contain a string, you must ensure that the variable type is going to be a string.
User data can be entered as a string, integer, float, or an array.
You cannot insert an array into a string field, a string into an integer field, or a float into an integer field (for example).

When you create a database, you define the fields to be exact database types: exact numeric data types such as integer, decimal and numeric; approximate numeric data types such as float, real or double; a bit data type (as of MySQL 5); date and time data types; and string data types such as char, varchar, text, binary (similar to char, but storing binary byte strings), blob and enum.

When creating a database, you do not create each field as a string; you create the field with the data type of the information it will be storing -- I hope I don’t have to go into examples about *why* you must do this with databases.
You then assign data to these database tables through your database interface, most commonly the built-in mysql functions in PHP.
When inserting data, the values are meant to match the data type you assigned to the field. If you created a numeric field, you need to ensure that the variable is an integer or a float (float, double or real) as necessary.
If you do not, you introduce many potential, and some guaranteed, problems into both your code and your database, quite apart from the database errors themselves.

If you insert into string data types, you need to ensure that the data you are inputting is not a resource or an array. -- Integer data types are allowed in string data type fields.
That means that even when pulling data such as $_POST['my_variable'], you obviously cannot put it straight into your database; you need to sanitise the variable first.
Your method of sanitisation depends on the data type of the field you will be inserting it into.
If the field is an int, cast the variable to int; if it is a float, cast it to float or double. Remember, PHP is a dynamic language, so it will change the variable type easily.
The variable may also be an array, which you will need to deal with if you are attempting to insert the data into a string data type field.

All of these must be considered if one is to create a script that is completely secure from injection. -- If you want to ensure you are secure, create your code the way PHP intended for it to be created. Use proper type casting.
It will save you many headaches down the road; the time anyone spends researching data types and type casting in PHP and in their database is well worth it.
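An added example (not code from the original post) of sanitising request values by the column type they are headed into, as described above. The helper name, the column-type labels and the sample request data are my own assumptions; because mysql_real_escape_string() needs a live connection, the escaping function is passed in as a callable.

```php
<?php
// Added example, not code from the original post: sanitise request values
// according to the column type they are destined for, as the post describes.
// The column-type labels ('int', 'float', 'string') and the helper name are
// assumptions of mine; they are not part of any PHP or MySQL API.
declare(strict_types=1);

/**
 * Turn one raw request value into a SQL literal that is safe for a column
 * of the given type, or throw if the value can never be stored there.
 *
 * $escape is the DBMS string-escaping function the post refers to. With
 * MySQL it would wrap mysqli_real_escape_string($link, $s) on an open
 * connection; it is passed in so this function needs no database to run.
 */
function sql_literal($value, string $columnType, callable $escape): string
{
    // Arrays, objects and resources cannot go into any scalar column,
    // whatever its type: reject them before any casting happens.
    if (is_array($value) || is_object($value) || is_resource($value)) {
        throw new InvalidArgumentException(
            "compound value cannot be stored in a $columnType column");
    }

    switch ($columnType) {
        case 'int':
            // Validate before casting: (int)"12abc" would silently become 12
            // and (int)"1 OR 1=1" would become 1, hiding bad input.
            if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException(
                    "not an integer: " . var_export($value, true));
            }
            return (string) (int) $value;          // unquoted numeric literal

        case 'float':
            if (filter_var($value, FILTER_VALIDATE_FLOAT) === false) {
                throw new InvalidArgumentException(
                    "not a float: " . var_export($value, true));
            }
            return (string) (float) $value;        // unquoted numeric literal

        case 'string':
            // Integers and floats are fine in string columns (as the post
            // notes); booleans are mapped to '1'/'0' before the cast.
            if (is_bool($value)) {
                $value = $value ? '1' : '0';
            }
            return "'" . $escape((string) $value) . "'";   // quoted and escaped

        default:
            throw new InvalidArgumentException("unknown column type '$columnType'");
    }
}

// Constructed sample request data standing in for $_POST.
$request = [
    'user_id' => '42',
    'price'   => '19.99',
    'name'    => "O'Brien",
    'tags'    => ['php', 'mysql'],   // an array posted to a string field
    'page'    => '1 OR 1=1',         // free text posted to an integer field
];

// Column types of the table these values are headed into (assumed schema).
$schema = [
    'user_id' => 'int', 'price' => 'float', 'name' => 'string',
    'tags'    => 'string', 'page' => 'int',
];

// Offline stand-in for mysqli_real_escape_string(): addslashes() is not
// charset-aware, so real code must use the driver function on a connection.
$escape = static function (string $s): string { return addslashes($s); };

foreach ($schema as $field => $type) {
    try {
        printf("%-8s => %s\n", $field, sql_literal($request[$field], $type, $escape));
    } catch (InvalidArgumentException $e) {
        printf("%-8s => rejected (%s)\n", $field, $e->getMessage());
    }
}
```

Only user_id, price and name come out as literals; tags and page are rejected before any SQL is assembled, which is the behaviour you want from a cast-by-column-type step.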

People take database manipulation and interaction much too lightly, and it shows... 20,000 sites hacked in 4 months is too many. It was certainly unnecessary and could have been avoided if the programmers had bothered to become familiar with correct sanitisation methods and type casting.

If you are unsure about your script, or unsure whether you are using proper sanitisation and type casting methods, talk to programmers who you know are experienced in the language you are working with.
Do some research on type casting and on the proper usage of the mysql_real_escape_string() function. If you are not using MySQL, check your DBMS to see which function it uses to properly sanitise strings.
And last but not least, read Type Casting in PHP on how to properly use type casting in PHP.
And use Google to research the topic in question; a little research will go a long way toward giving you the knowledge necessary to build secure and stable scripts for your site or your clients.

- Highway of Life

Thursday, December 13, 2007

phpBB3 Gold Released!

London, UK (PRWEB) December 13, 2007 -- phpBB™, the leading open source forum and online collaboration system, announced today the availability of phpBB Version 3.0. This release includes enhanced collaboration features, better security and delegated administration features, extended support for open source and commercial database management systems, and optimisation for mobile devices and search engines. phpBB is available at no cost, released under the GNU General Public License.


Online discussion forums and user-generated content represent the largest source of new information on the Internet. phpBB is used throughout the world by commercial and non-commercial companies to share documents, collaborate and encourage peer-to-peer resolution of issues to reduce the cost of product and/or technical support.

"phpBB is a highly scalable, feature rich environment that can be easily deployed and integrated into any Web site or online application," says Bob Norton of HREnhancement. "phpBB version 3 represents a huge milestone and we continue to be amazed by this project and its community."

phpBB is easy-to-use with an intuitive administration system and extensive customisation capabilities. It is capable of supporting hundreds of millions of discussions in any language and boasts some of the largest forum communities on the Internet. phpBB is developed by six core developers, more than forty team members and is supported by a community of almost 300,000 users and developers. Among the new features announced today, phpBB has been specifically optimised for the mobile market.

"With the enhanced search engine optimisation of phpBB, we see a huge opportunity for companies to deploy more customer self-service and collaboration features for their customers," says William Leake, Chief Executive Officer of Apogee Search. "The mobile Web is a key component for every 2008 Web strategy and phpBB is a perfect fit for the growing mobile collaboration market."

The phpBB community, comprised of users, Web developers and designers, has produced more than 5,000 add-ons and 400 styles for phpBB2, making it easy for Website owners to customise the system to their needs. The phpBB community has already made nearly 500 enhancements, modifications and extensions for phpBB version 3.0, even before final release.

Organisations can quickly build advanced social and peer networking communities using phpBB and it can be deployed with "one-click" through cPanel, Plesk, Ensim, DirectAdmin and Fantastico. Hosting providers such as GoDaddy, The Planet, and 1and1 provide phpBB with many standard hosting packages.

"phpBB version 3 represents over five years of development from some of the most talented developers in the world. As the project continues to grow, we hope to serve our community better and deliver innovative software that is released under the GPL. Our sincere thanks go to our users, developers, team members and partners," says Meik Sievertsen, Lead Developer of the phpBB project. With phpBB version 3, detailed source code analysis and penetration testing have also been performed to proactively make steps toward improved enterprise security.

For developers who want to quickly and inexpensively integrate collaboration and forum capabilities into their own Web applications, phpBB provides a flexible framework, documented Application Programming Interfaces (APIs), customisable themes, and extensions. phpBB can quickly integrate into almost any content management system (CMS) or static Website.

About phpBB
phpBB™ ("PHP Bulletin Board") is the world's leading Open Source forum software. Distributed under the GNU General Public License, phpBB is free software, developed by volunteers from around the world. phpBB is used on over 2.4 million commercial, non-profit, social networking and community websites in over sixty languages. For more information and to learn how you can contribute, please visit http://www.phpbb.com

Press Contact
Christopher Justice
(512) 493-2071
justice @ sparksight.com

Tuesday, November 06, 2007

Handyman Joins the phpBB.com Modifications Team

The Secret is finally out!!

My brother, Handyman, has been invited to the phpBB.com Modifications Team as of Sunday. This is very special for both of us, and great for me, because it means I can stop keeping secrets from him. :D If you would like to congratulate Handyman, please do so in this topic.

phpBB Weekly #038 Will Come to You Via Skypecasting

Per my last post on Sunday, David and I have decided to test out an episode on a new service from Skype called Skypecasts in the hopes that it will be a more viable and reliable service than TalkShoe. Again, this will primarily be a test, and we will decide after the fact whether we want to permanently move our show to Skype’s new network.

So, if you want to be here on Saturday, what do you need to do? Well, on Saturday, the phpBB Weekly Skypecasts page will have a “Join this Skypecast” link. You will need to have a Skype account and have downloaded the latest version of Skype for this to work.

Skypecasts does not include a chat room, so we will be congregating on irc.freenode.net in the #phpbb-weekly channel. I will also try to keep my eyes on the Star Trek Guide chatbox as well.

We will not be participating in the TalkShoe Live! chat room, however as a courtesy to our regular TalkShoe streamers, I will try to hook the Skypecasts call in with TalkShoe so that you can listen to the call through TalkShoe’s live stream. Of course, this assumes that TalkShoe cooperates, I’m able to get Skypecasts to connect to the TalkShoe phone number, and I’m only guaranteeing that we will do this for this particular episode.

Also, unless there’s some hidden button or setting that I can’t find until David points me to it, Skypecasts is really nothing more than a public Skype conference call, which means that if you call in, you will be live immediately. Therefore, please make my life so much easier by calling in with headphones in order to prevent echo and background noise, otherwise, I’ll have to stop what I’m saying to scroll through the list and find out who’s making the gossip in order to mute them. I don’t know, if we end up using Skypecasts, we may end up having to hire someone to be an ad hoc call screener. :/

Have any questions about this Saturday’s setup? Leave a note in the comments below or go to the phpBB Weekly forum topic. Also, for those of you who do participate in the show live, we will be asking you to post your feedback in the phpBB Weekly forum (with a feedback link to be announced during the show) to help us decide if we want to make the switch.

Again, thank you for working with us as we evaluate this transition. Going through these growing pains now will help us make phpBB Weekly a better show in the future.

phpBB3 RC5 Released! - Special guest today!

Hi everyone!!

Do you all remember me telling you how hot Tennessee was/is? Well, I decided to beat the heat. -- I moved down to... Dallas, Texas!!! And you’re thinking I’m crazy, right? Actually, no. It's been on average about 10 degrees cooler here in Dallas than it has been in Tennessee. Why? I have no idea. They/we are having a mild summer here, I guess.
By now I'm sure a thousand questions are conjuring up in your mind: “Texas? what the heck are you doing there?”.
Quite simple actually. With enough motivation, you can move to strange places on this planet.

About 6 weeks ago, I got a call from a company down here called Stratus Technologies (I can see half of you hitting the google link in your browser bar) who hired Handyman and me for Software Engineering positions with the company. We moved down to Dallas about 3 weeks ago and have been working full time for Stratus since then. It's been great though, Handyman and I are enjoying working together once again. :) But we also really love Texas and the people here. It's a great Country. (for those of you who did not know, Texas really does seem like another Country apart from the rest of the U.S.)
So this may explain my somewhat sporadic absence from the forums recently. This is due to the fact that Handyman and I are trying to get settled here, as well as trying to finish up some duties for one of the companies that we had worked for in the past (they just can't let go!!). Plus, all my duties with the MOD Team, which have increased very recently. Both Igor (eviL<3) and I have had to pick up a lot more duties on the MOD team due to some circumstances recently.
Handyman and I got to spend lunch this afternoon with drathbun (Dave Rathbun of the Modifications Team). With only 40 or so Team Members spread throughout the world, it's pretty awesome that two of them live within 20 minutes of each other. :D

Okay, yes, that's nuts. You can all feel free to call me crazy now, though haven't we always been crazy? And that's the reason StarTrekGuide/phpBB Academy exists for all of YOU! :P

I created this Newsletter really quickly and after midnight; it's very short notice, and I apologize, but sometimes it's really difficult to find a good slot of time to get this out.
Tomorrow (today for some of you), Marshalrusty (Yuriy Rusko) will be joining us on the phpBB Weekly LIVE podcast at 16:00 UTC (12:00 noon Eastern Time); see the announcement below for how to determine when it will be on in your timezone. -- We will discuss many issues, especially pertaining to spam and spam prevention, including the phpBB3 CAPTCHA. -- As most of you know, Marshalrusty is a spam prevention wizard. So if you have any specific questions you would like answered, please send them in by replying to the topic below, or best of all, write them in the chatroom on Talkshoe during the show. -- We also encourage you to call in and ask your questions, so don't be shy!!

I'll expect a few of you there to give us a good hassle too, over the Official phpBB Podcast, which was just released 2 days ago. (Yes, Marshalrusty and I were on that podcast as well.) There has been a lot of podcasting going on around here lately, what can I say? -- See the announcement below on the phpBB Podcast; it's a great episode of 45 minutes packed full of awesome discussions many of you will want to hear. Hey, how else are you going to get the *inside* scoop? :P

Also in this Newsletter, we have the Style of the Month by Frost (Dark Frost on phpBB.com). A Vista based style that looks INCREDIBLE!!! -- Go have a peek at the demo and let Frost know what you think. I’m no Windoz fan, as most of you know I'm a Mac guy, but I have to admit that style looks like a top-5 phpBB3 Style.

We have the Handyman Display Posts Anywhere MOD, which has been highly popular for phpBB3. He tells me that it's nearing completion (actually, he's working on it as we speak). Go have a look!

Well, that's all for tonight. It's past midnight and I have to be up early in the morning.
I'll see all of you on the boards, and HOPEFULLY hear from you in the chatbox of Talkshoe or if you call in. :)

Until next time!
- David “Highway of Life” Lewis


phpBB3 RC4 Released! - MOD Team, phpBB Weekly Update

Hello everyone!

Wow, the last 3 weeks have been a blur... and HOT! Very hot down here in Tennessee USA anyways. We’ve had 5 consecutive days over 100°F (38°C), and if you’re familiar with Southern USA weather, you know it has been humid. You know what a sauna feels like? Yeah, that's what it feels like here... ALL the time!
Well, we have a very packed newsletter for you this month. It is about 2 weeks later than it should have been, but better late than never, and you’ll soon find out why. :)

The phpBB Development team recently released phpBB3 RC4, which will, according to Meik (Acyd Burn) hopefully be the final RC release prior to Gold and Final release, which will be an exciting moment in phpBB history.
If you’ve not already, grab the latest RC and update your board, it has some nice enhancements which you can read about in the announcement topic below.
phpBB also won the Community Choice Award for best open-source Communications project, this means bragging rights for the entire year for phpBB.

3 weeks ago to the day (by the time most of you get this letter), wGEric and the phpBB Teams invited Igor (eviL<3) and myself to become a part of the phpBB MOD Team as coders and validators. Ironically, both Igor and myself are Founders of two of the largest phpBB3 MOD Communities on the internet. Igor and I have worked closely on multiple projects and we are both honored for the opportunity that phpBB has presented to us.
At this point, our primary duties will include validating MODs submitted for phpBB3 - though Igor will be working on phpBB2 MODs as well -- and coding projects, including further development and enhancements to the MOD and Styles Databases, which paul (previously paul999) has put so much work into since January to make the MOD Database what it is today. This may explain my suddenly slight lack of presence here on STG/phpBB Academy as I’ve been trying to catch up on all the information and duties that as a MOD Team Member I am responsible for. -- As you can see, I’m finally catching up, so I have time now to write and get this newsletter out. :)
I still plan on continuing support for all my MODs and getting them all released, though the development process is a little slower now with everything else that is going on. -- But overall this is a benefit to the community as it means that all of you have two more validators that can help get MODs validated and released to the phpBB community that much faster.

Most of you also know by now that I am now co-host of the phpBB Weekly podcast with Douglas Bell (Webmacster87 / Fountain of Apples and former MOD Team Member). The last few shows have been quite fun; we had Techie-Michael (Support Team Leader for phpBB) join us as a guest speaker on the August 4th podcast, and this last weekend, paul joined us for a moment and discussed the MOD Database. -- I think you will all find those most enjoyable, and encourage each of you (especially the MOD Authors) to listen to those podcasts, which can be found at http://phpbbweekly.net

This month's featured MOD is Geoffreak's Easy MODX Script Generator, especially helpful for MOD Authors who make a lot of edits to existing files and need help creating the MODX XML file needed for the installation package of their MOD. If you are one of those kind of people, then YOU NEED THIS TOOL!! ... It's an online tool, so you can use it on the fly.
And finally, the ACP Notepad MOD. This MOD will enable you to leave yourself and other administrators notes in the ACP, a handy little tool for leaving fellow admins messages, and reminder snippets for yourself. -- This is a very well coded MOD and is currently in the phpBB.com MOD Database Queue awaiting validation from ... well, me... :D (and the MOD team)

Until next time, see you on the boards!!
- David “Highway of Life” Lewis


Third Edition of the Subspace Communications Newsletter

Hello Everyone!

I hope you had a good weekend, I know we did. Finally got some much needed rain, though the lightning strikes have almost outnumbered the raindrops.
This past weekend, I had the privilege to join Webmacster87 on the phpBB Weekly podcast episode #21. It was a great show; if you have not yet heard the podcast, I encourage you to head over to the phpBB Weekly Blog and have a listen. :)
Next week’s podcast will feature recaps of the MOD Authors convention, going on the same day. Please feel free to call or write in and participate. More details are below for those of you who were not able to join into the live chat, and an overview of the show. If you have any comments or questions about the show, please reply to the below topic.

I’m sending out another quick newsletter this week due to the release of phpBB3 Release Candidate 2 (RC2), there are some important updates in this release including many bug fixes and a few new features. Remember upgrades are supported from RC1 to RC2, so have at it!! -- See the below announcement for more details.

This week we are featuring the Auto Groups MOD by A_Jelly_Doughnut, which has been a highly requested MOD, especially for those that are concerned about human spammers, and a reminder for you to join us for the MOD Authors Convention next week (June 30).
For those of you who are viewing this Newsletter in the archives, let me know if you have not received it via email.

Until next time!
- Highway


Second Edition of the Subspace Communications Newsletter

Hello Everyone!
I hope you all had a good June, better than I did at least. We had no rain here, and it was very hot, everything looks so brown. Welcome to summer! :shock:

In our second edition of the Subspace Communication Newsletter, WGEric and the phpBB MOD Team are inviting all of you who are aspiring phpBB3 MOD Authors to join us for an all-day MOD Authors Convention on June 30th, I will be there along with most of the phpBB MOD Team. If you are interested in MODing or currently MOD for phpBB3, or just have questions regarding any aspect of MODing, don’t miss it!! See the post for more details on the times.

WebMacster87 (Fountain of Apples), a former phpBB MOD Team member, tells us about his phpBB Weekly Live Podcast show. Hopefully some of you will have the opportunity to call or write in to the show with your questions or comments... I will be. :)
Derky tells us about the phpBB3 styles demo, full previews of styles released so far for phpBB3.
Featured MOD this month is Geoffreak’s Thank Post MOD, and WebMacster87 gives us a small glimpse into an important tool for all MODs released for phpBB3... the MOD Update Check, a sequel to the popular Advanced Version Check for phpBB2.

If you are a MOD author, and would like to submit your MOD for consideration as the next featured MOD, please PM me a request.
If you have any questions about this newsletter, have a bug report or suggestion, please let me know through a PM or by clicking the "Reply" button you see below.

Enjoy!! :good:


Welcome to the first edition of the Subspace Communication Newsletter

Hello and welcome to the first edition of the new Subspace Communications Newsletter.

This will begin as a monthly publication and will eventually move to a bi-weekly or weekly publication if I can continue to get my ducks in order or find a good way to automate the Newsletter. Each publication will have a little something for everyone, from stats and announcements, to MOD releases and developments. If you don’t want to receive any emails at all from us, Click here to go to your User Preferences and set "Administrators can email me" to No.

In the near future, we will be adding some preferences to allow you to set the frequency of the emails: Never, Major Announcements, Monthly, or weekly.

If you are a MOD author, and would like to submit your MOD for consideration as the next featured MOD, please PM me a request.
This month we have some popular MODs to share with you: .::Frans::. created a nice update script for people who are stuck with Beta5, and Igor shares with us his Quick Reply that is currently in development. -- A nice simple solution for those that don’t want the feature-packed Lew21 Quick Post MOD. And Handyman gives us some details about the latest release of the ChatMOD, which has received more than double the number of downloads of any other MOD listed for download on StarTrekGuide.

If you have any questions about this publication, have a bug report or suggestion, please let me know through a PM or by clicking the "Reply" button you see below.

Enjoy!! :good:


Monday, November 05, 2007

Community Time III - Joomla! Meeting phpBB

We, Chris Justice and myself, met the phpBB crew down in the lobby of our hotel for a few drinks and then headed out to a restaurant for some food and of course more drinks. Talks ranged over the release of phpBB3, press announcements, marketing, GPL and legal issues … and of course code. What else did you expect when you put the core guys of two...


Tuesday, October 16, 2007

phpBB3 Release Candidate 7 (RC7) released - Major Security Enhancements

The "We are sorry and love our support team" edition. This release fixes some critical issues which arose with the recently released RC6. This release is mostly the outcome of an external security audit performed by SektionEins and includes major security enhancements and improvements. phpBB is among the leading bulletin board solutions...


Thursday, May 10, 2007

Styles Demo for Current phpBB3 Styles

Derky has a demo site set up over at http://phpbb3styles.eu where users can preview all current (pre)released styles for phpBB3. They are complete installations, and include all currently known styles to exist for phpBB3. Check it out!


Monday, May 07, 2007

MAMP and MAMP Pro 1.6 released! - Mac OS X 10.4

living-e AG released a new version of their Mac OS X Apache bundle on April 27th.
This release marks only the second release of the MAMP Pro bundle, and the first with both MAMP and MAMP pro combined.

MAMP is a free, open source utility that enables Mac OS X users to install Apache server, MySQL, PHP, eAccelerator and phpMyAdmin with ease. Mac OS X users can download MAMP and, with just a few clicks, install the software bundle in a folder, making it easier than ever (in typical Mac fashion) for users to host applications on their local server with MAMP, or on a remote server using MAMP Pro. The process takes about a minute to complete.
Requirements:

  • Mac OS X 10.4 or higher (Universal binary)
MAMP 1.6 is designed to run on the following operating systems:
  • Mac OS X 10.4 PPC
  • Mac OS X 10.4 Intel
  • Mac OS X 10.5 PPC
  • Mac OS X 10.5 Intel

Earlier versions of Mac OS X can still download older versions of MAMP from the Sourceforge file releases.

The new version carries some new upgrades including: Apache 2.0.59, PHP 5.2.1 (and PHP4), MySQL 5.0.37, support now for the new XCache from lighttpd as an alternative to eAccelerator (which is still included in the default MAMP package), and APC support.

MAMP Pro is ideal for running on an OS X based server, as upgrading is simply a drag-and-drop into the Applications folder.
Since the databases are kept in the /Library/Application\ Support/MAMP\ Pro/db/ directory, and the preferences within MAMP Pro allow you to choose a localhost directory outside of the default /htdocs/ location within the MAMP package, an upgrade takes only seconds.

You can download the latest distribution of MAMP from the official website: living-e.com or from Sourceforge

I’ll post some tutorials and tips for setting up the httpd.conf and php.ini configuration files for both localhost testing of your PHP applications, and secure use on a remote server later.

Enjoy!!