PHP offers a convenience superglobal called $_REQUEST that coalesces input from several sources ($_GET, $_POST and $_COOKIE, merged in the order set by the request_order ini directive) into one easy-to-use array. A common piece of advice among PHP developers is that you should avoid $_REQUEST, but do you actually know why?

Today I want to talk about best practices for reading user input. And if you are not already convinced, I'm going to show you why reading PHP's superglobal arrays directly is bad practice.
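The two posts above share one mechanism: $_REQUEST is assembled from GET, POST and COOKIE data in a configurable order, so the code that reads it cannot know where a value came from. The script below is an added example written for this page, not code from the original posts. It rebuilds $_REQUEST from constructed arrays under three possible request_order settings to make the precedence visible, then reads the same parameter from one explicitly chosen source with type validation. The function names, the sample values and the PHP 8.0 requirement (for the match expression) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original posts. PHP builds $_REQUEST
// by applying GET, POST and COOKIE in the order named by request_order
// (variables_order when request_order is empty); a later source
// overwrites an earlier one. Assumes PHP 8.0 or later.

function build_request_array(array $get, array $post, array $cookie, string $order): array
{
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $source = match ($letter) {
            'G' => $get,
            'P' => $post,
            'C' => $cookie,
            default => [],   // 'E' and 'S' never contribute to $_REQUEST
        };
        // array_replace keeps string and numeric keys intact and lets the
        // later source win, which is the overriding behaviour PHP documents.
        $merged = array_replace($merged, $source);
    }
    return $merged;
}

// Read an integer id from one named source only. Returns null when the
// parameter is missing, is an array, or is not a positive integer, so a
// caller cannot silently accept "7abc" or id[]=7.
function read_positive_int(array $source, string $name): ?int
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return null;
    }
    $value = filter_var($source[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Constructed request: the URL carried ?id=7 and the browser also sent a
// cookie named "id" (for example left over from another part of the site).
$get    = ['id' => '7'];
$post   = [];
$cookie = ['id' => '42'];

// What $_REQUEST['id'] holds under three ini settings. A handler that reads
// $_REQUEST cannot tell which of the two values it was given, or why.
foreach (['GP', 'GPC', 'CGP'] as $order) {
    $request = build_request_array($get, $post, $cookie, $order);
    printf("request_order=%-3s  \$_REQUEST['id'] = %s\n", $order, $request['id']);
}

// The explicit alternative: name the source the endpoint is designed for
// and validate the type. In a real handler pass $_GET or $_POST here;
// filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) does the same thing
// against the live request.
$id = read_positive_int($get, 'id');
printf("explicit GET  id = %s\n", $id === null ? 'rejected' : (string) $id);
printf("explicit POST id = %s\n", read_positive_int($post, 'id') === null ? 'rejected' : 'accepted');
```

Run it with the PHP CLI; the first loop prints a different id for the GPC order than for GP and CGP with no change to the request itself, while the explicit reads accept the GET value and reject the absent POST value regardless of ini configuration. That is the practical argument against $_REQUEST: a state-changing endpoint written against $_REQUEST will accept its parameters from a query string or a cookie as readily as from the form it was designed for.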

Today I want to cover a kind of security issue that is not addressed very often. Just about any book or article aimed at developers carries some warning about XSS and SQL injection. Those two attacks are arguably the most harmful, but there are certainly other things to be wary of. In this post I will talk about Cross-Site Request Forgery, or CSRF (pronounced "see-surf").

Almost every website has some sort of members-only area, anything from a profile system to something as simple as email subscriptions for articles. What every members area has in common is some way for a user to authenticate, most likely with a username and a password. Today I'm going to talk about best practices for storing and handling passwords, since they should never be stored in plain text.
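As an added illustration of the "never in plain text" rule (example code written for this page, not taken from the post), the script below shows the storage and login path it leads to: a slow, salted hash at registration, a constant-time verification at login, and a transparent re-hash when the stored parameters fall behind the current policy. The in-memory user table, the account names and passwords, the cost value and the PHP 8.0 requirement are all assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Assumes PHP 8.0 or
// later; the user table below is constructed for the demonstration.

const HASH_OPTIONS = ['cost' => 12];   // bcrypt work factor; raise as hardware improves

function hash_password(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt in current PHP releases, and bcrypt only
    // uses the first 72 bytes of input, so refuse anything longer instead
    // of silently truncating it. strlen() counts bytes, which is what matters.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password must be at most 72 bytes');
    }
    // password_hash draws a random salt and embeds algorithm, cost and salt
    // in the returned string, so nothing else needs to be stored beside it.
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Returns true on success. On success, $users[$username] is re-hashed if it
// was created with an older cost or algorithm, so the table upgrades itself
// as people log in.
function login(array &$users, string $username, string $password): bool
{
    // Hash of a constructed dummy password, verified when the user is
    // unknown so that unknown-user and wrong-password attempts take a
    // similar amount of time.
    static $dummyHash = null;
    $dummyHash ??= password_hash('constructed-dummy', PASSWORD_DEFAULT, HASH_OPTIONS);

    $stored = $users[$username] ?? $dummyHash;
    $ok = password_verify($password, $stored);   // constant-time comparison
    if (!$ok || !isset($users[$username])) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = hash_password($password);
    }
    return true;
}

// Constructed user table: one account hashed with today's parameters and
// one carried over at a lower cost to exercise the re-hash branch.
$users = [
    'alice' => hash_password('correct horse battery staple'),
    'bob'   => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]),
];

$bobBefore = $users['bob'];
var_dump(login($users, 'alice', 'correct horse battery staple'));  // right password
var_dump(login($users, 'alice', 'Correct horse battery staple'));  // wrong password
var_dump(login($users, 'carol', 'anything'));                      // unknown user
var_dump(login($users, 'bob', 'hunter2'));                         // right password, old cost
var_dump($users['bob'] !== $bobBefore);                            // stored hash was replaced
```

The two things worth noticing when running it are that alice's stored value starts with a "$2y$12$" prefix and is different on every run (the salt is random, so two users with the same password do not share a hash), and that bob's entry changes after his successful login because password_needs_rehash reported the cost-4 hash as below policy. The dummy-hash branch is optional but cheap, and it keeps a login endpoint from revealing which usernames exist through response timing.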