PHP

How to Prevent Attacks With Proper Input Handling (Part 2)

Part 2 of this article is aimed at demonstrating how to code an accept-list validation class in PHP. We will start with a classic example of request routing where an HTTP GET request will include a “page=” parameter, which tells the server which page the user is requesting, and an empty “?action” parameter, which tells the server-side application which HTTP POST data to expect in the request. However, this model of input validation can be modified to handle other forms of HTTP GET and POST attribution to specify the data request. Let’s start with the basics of compiling the accept-lists for GET and POST. These are specified in a config file as shown below. The configuration is set up as constants that hold arrays. This does a couple of things. Firstly, it makes the values global, so they can be accessed from anywhere in the application code. Secondly, it prevents…

Read more

How to Prevent Attacks With Proper Input Handling (Part 1)

Input handling is a key aspect of secure web design. But what makes a good data validation/sanitation engine? The implementation depends greatly on the language and framework that your site is built on. However, best practices across IT security topics maintain that “whitelisting” or “strict checking” is a more secure way to validate. The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. Below are some excerpts from their advisories on input validation. After the quotes from OWASP, the article will use the terms “strict checking” and “accept list” to refer to whitelisting and “blocklist” to refer to blacklisting.

OWASP Input Validation Cheat Sheet

Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering…

Read more

Update PHP 7.x to 7.4 CentOS 7 Remi Repo

WordPress 5.4 has been reminding admins to update PHP to 7.4. Even if you are on PHP 7.1 you will receive the message in your dashboard. Here are the instructions to upgrade from PHP 7.1 Remi Repo on CentOS 7.

READ FIRST — IMPORTANT !!! Get a complete backup snapshot of your server before you complete these update steps.

1. First, apply any core OS updates and package updates.

# yum update -y

2. Check which version of PHP you are currently running.

# php -v
PHP 7.1.33 (cli) (built: Oct 26 2019 10:16:23) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2018 Zend Technologies

3. Print a list to see all the PHP packages you have installed. You will need to replace all of these packages with their PHP 7.4 equivalents. You should copy this list to a file…

Read more