Archive for August, 2008
Saturday, August 23rd, 2008
I had to release Suhosin 0.9.27 today, because in two places within the replacement rand() and mt_rand() functions the string 'php_' was not replaced by 'suhosin_'. The result of this is that version 0.9.26 of the extension will not load on systems with lazy symbol loading disabled and on the ...
Posted in Uncategorized | 2 Comments »
Friday, August 22nd, 2008
I just released Suhosin 0.9.26, which, among bug fixes, contains new features. The full changelog is:
Fixed problem with suhosin.perdir
Thanks to Hosteurope for tracking this down
Fixed problems with ext/uploadprogress
Reported by: Christian Stocker
Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
Added better internal seeding of rand() ...
Posted in PHP, Projects, Security | 34 Comments »
Thursday, August 21st, 2008
Last week I gave my first webinar for MySQL, titled "Bau sicherer LAMP Anwendungen". The webinar, which was a cooperation between MySQL and my company SektionEins, was held in German and covered SQL-Malware, SQL-Injection, safe programming and some tools to detect and block SQL-Injection attacks.
The recording of this webinar is now ...
Posted in MySQL, PHP, Security | 9 Comments »
Monday, August 18th, 2008
While SQL-Injection is one of the most discussed security problems in web applications, other possible problems for SQL queries, like overlong input, are usually ignored, although they can lead to all kinds of security problems.
This might be caused by the fact that security problems that are the result of overlong ...
Posted in MySQL, PHP, Security | 182 Comments »
Sunday, August 17th, 2008
PHP comes with two random number generators named rand() and mt_rand(). The first is just a wrapper around the libc rand() function, and the second one is an implementation of the Mersenne Twister pseudo-random number generator. Both of these algorithms are seeded by a single 32-bit dword when ...
Posted in PHP, Security | 119 Comments »
Friday, August 15th, 2008
I previously reported about my joy with MySQL-Proxy and a simple SQL-Injection detection based on a simple heuristic.
Today I present the more interesting approach that I promised to publish after my webinar yesterday. This approach is based on the idea that SQL queries issued by an application always have a ...
Posted in MySQL, PHP, Projects, Security | 16 Comments »
Friday, August 8th, 2008
Since last night PHP 4 is finally dead...
Is it?
Well, not really, because there are still millions of servers running PHP 4 that haven't upgraded to the faster, more stable and more secure PHP 5, and most of them will continue to use it. So PHP 4 will still be around ...
Posted in PHP, Projects, Security | 8 Comments »
Wednesday, August 6th, 2008
I just released a long overdue update to the Suhosin extension. There are only a few changes in it. The full changelog is:
Fixed PHP 4 compilation problem introduced in 0.9.24
Fixed PHP 5.3 compilation problem
Changed PHP default POST handler to PHP's current handler
As usual, you can grab your copy at
http://www.suhosin.org/
Posted in PHP, Projects, Security | No Comments »
Tuesday, August 5th, 2008
“MySQL Proxy is a simple program that sits between your client and MySQL server(s) that can monitor, analyze or transform their communication. Its flexibility allows for unlimited uses; common ones include: load balancing; failover; query analysis; query filtering and modification; and many more.”
The flexibility of MySQL Proxy is based on ...
Posted in MySQL, PHP, Projects, Security | 6 Comments »
Monday, August 4th, 2008
At PHP conferences or user group meetings, one question that pops up again and again is why Xdebug and some other commercial PHP extensions, e.g. Zend Debugger, cannot be loaded at the same time. Those asking can usually understand why running two debuggers at the same time will lead to ...
Posted in PHP | 8 Comments »