PHP Frameworks » Security

crVCL PHP Framework – Nightly Build – important security fix

IcemanX — Wed, 06 Jul 2011 14:24:06 +0000

crVCL PHP Framework – Nightly Build – important security fix is a post from: PHP Frameworks

crVCL PHP Framework – Nightly Build – important security fix is a post from: PHP Frameworks Important security fix regarding potential cross-site scripting (XSS) attacks when using MVC, see Nightly Build Changeset 355:3b0ef5d70ed8 in http://hg.cr-solutions.net Website: http://www.cr-solutions.net Related Blogs

Banshee PHP framework

banshee — Thu, 06 May 2010 21:48:40 +0000

Banshee PHP framework is a post from: PHP Frameworks

Banshee PHP framework is a post from: PHP Frameworks Banshee is a PHP framework with the main focus on security. Several techniques are used to prevent SQL injection, cross-site scripting and cross-site request forgery. Authentication and authorization are done in a transparent and easy way, so it’s not easy to make a mistake there. An auditing [...]

Vork, open-source PHP framework designed for rapid development of performance-oriented scalable applications

NewUser — Thu, 25 Feb 2010 02:47:36 +0000

Vork, open-source PHP framework designed for rapid development of performance-oriented scalable applications is a post from: PHP Frameworks

Vork, open-source PHP framework designed for rapid development of performance-oriented scalable applications is a post from: PHP Frameworks Vork Enterprise PHP Framework Vork is an open-source PHP framework designed for rapid development of performance-oriented scalable applications. The mission of Vork is to provide an MVC architecture and full-featured toolkit in a gimmick-free no-frills approach without adding overhead, creating [...]

Hacking & the APF 2009/2010

christian — Sat, 30 Jan 2010 14:52:12 +0000

Hacking & the APF 2009/2010 is a post from: PHP Frameworks

Hacking & the APF 2009/2010 is a post from: PHP Frameworks 1. Introduction In 2009, a drastic increase of XSS and code injection attacks could be recognized on the APF web site. Analyzing the log files, we found 92,334 known attacks that were catched by the framework and a total number [...]

Escaping data for use within a CodeIgniter View

wood — Fri, 30 Oct 2009 02:44:02 +0000

Escaping data for use within a CodeIgniter View is a post from: PHP Frameworks

I have a controller and a view; the data that I'm working with inside the controller can't be trusted (it's drawn from somewhere external, and isn't $_GET or $_POST).

How do I escape the data when printing it in the view to ensure that tags and other things are escaped properly? I'm used to Zend_View's $this->escape($foo), which is used from inside the view, so I'm still trying to get my bearings. My preference is to escape it from within the view, as I use the data, but if that's not an option I'll do it within the controller.

(I've discovered the filtering for $this->input, but as the data isn't coming from $_GET/$_POST it's not much use to me. :-) Unfortunately, the examples I've seen so far have all been using a controller putting static data into an array, which is then passing to the view, eg. $data['foo'] = 'Example')

Any ideas?

Edit: I'm asking because I don't particularly relish using html_entities($str, ENT_QUOTES, 'utf-8') everywhere (along with mb_convert_encoding() and friends), but I guess I'll create a custom helper if needed.

Edit #2: The data is a bunch of strings (that may contain anything from straight alphanumeric characters, to <b>foo</b>, to <script>alert('xsslol');</script>.

I need to escape these strings to print them within, say, table cells, not allowing any HTML tags to be printed (converting tags into their HTML entity equivalents).
If I were working with bare PHP, I'd use htmlentities() for this, as per my edit above.

WordPress 2.8.5: Hardening Release

wood — Tue, 20 Oct 2009 23:30:00 +0000

WordPress 2.8.5: Hardening Release is a post from: PHP Frameworks

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the [...]

How to Keep WordPress Secure

wood — Sat, 05 Sep 2009 19:22:03 +0000

How to Keep WordPress Secure is a post from: PHP Frameworks

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later. Right now there is a worm making its way around old, unpatched versions of WordPress. [...]

WordPress 2.8.4: Security Release

wood — Wed, 12 Aug 2009 01:41:54 +0000

WordPress 2.8.4: Security Release is a post from: PHP Frameworks

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password [...]

The WordPress 2.0.x Legacy Branch is Deprecated

wood — Thu, 30 Jul 2009 01:07:23 +0000

The WordPress 2.0.x Legacy Branch is Deprecated is a post from: PHP Frameworks

The WordPress team had initially committed to maintaining the WordPress 2.0.x legacy branch until 2010. Unfortunately, we bit off more than we could chew—the 2.0.x branch is now retired and deprecated, a few months shy of 2010. Many of the security improvements to the new versions of WordPress in the last couple of years were complete [...]

How to filter user submitted data easily in PHP?

wood — Tue, 12 Aug 2008 18:45:27 +0000

How to filter user submitted data easily in PHP? is a post from: PHP Frameworks

Yesterday, I saw one of my friend was working on the the contact form and was filtering the user input data(posted variables) individually. He was using a function in PHP to filter the input and using tedious approach while calling the filtering function for each variables with coding each of them in single line . [...]