
SQL Injection Detection Tool: Scrawlr

Proactive SQL Injection combatants can download Scrawlr (for free) from HP’s web site. With Scrawlr, short for SQL Injector and Crawler, you can crawl a web site, analyze the parameters of each web page and check for potential SQL injection.

According to HP’s Erik Peterson, “Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!”

Some of the things that Scrawlr can do include:

  • Identify verbose SQL injection vulnerabilities in URL parameters
  • Can be configured to use a proxy to access the web site
  • Identify the type of SQL Server in use
  • Extract table names (verbose only) to guarantee no false positives

As with most free things, there are some limitations as to what Scrawlr will and can do (obviously, HP would like to sell its professional-strength SQL Injection tools as well):

  • Scrawlr will only crawl up to 1,500 pages
  • Scrawlr will not support web sites that require user authentication (user name & password)
  • Scrawlr cannot retrieve database contents
  • Scrawlr does not test forms (POST parameters) for SQL Injection
  • Scrawlr parses neither Flash nor JavaScript

If you’re not put off by those limitations, give Scrawlr a try. Because Scrawlr is free, it is not a supported product. However, there’s a Scrawlr forum, and HP encourages us to go there to post questions about the product.

Just in case you were wondering (as I was), yes, HP offers professional SQL Injection and Web Security tools as well. If you’re interested, log on to their web site (or Google) and look for DevInspect, QAInspect or WebInspect. All those tools, according to HP, “find SQL Injection and countless other security vulnerabilities. DevInspect can even inspect your source code for SQL Injection as well and guide developers through the process of fixing their code.”


Free: PHP Security Webinar by Zend

What’s absolutely necessary when doing secure web development in PHP? If you’re like me, you probably have some very good ideas about that, but you’re always open to new insights and tips from technology insiders such as Kevin Schroeder from Zend Technologies.

The Zend PHP Security webinar is absolutely free. Just in case you were wondering, security does not apply only to web sites that conduct financial transactions. An insecure web site can be used by malicious users (i.e., hackers) to launch attacks against other web sites.

If you are a PHP developer who would like to discover the must-knows of secure web development, this free webinar might give you some good insights.

Date & Time:
Wednesday, July 2, 2008
9:00 am (Pacific Daylight Time)

Duration: 1.0 hour

Panelist:
Kevin Schroeder, Zend Technologies

You need to register online for this event.

Writing Secure PHP: If you are interested in the basics of PHP security, head over to “I Love Jack Daniels” and check out the three-part series on writing secure PHP code. It’s free, well written, nicely organized and (in my opinionated view) an absolute must-know for any PHP developer who ventures out in the wild.


Acrobat Reader Injection

Are code injection attacks ever going to stop? According to a statement dated June 23, 2008, Adobe has identified a critical vulnerability in Adobe Reader and Adobe Acrobat 8.1.2.

Is that bad? Again, according to Adobe, “This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.”

What to do? Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch. You can download the appropriate Windows and Macintosh update patches (for Acrobat and Acrobat Reader) directly from Adobe’s Security Advisory web site.

By the way, people using Acrobat Reader 7.0 through 7.0.9 should upgrade to Reader 7.1.

If everything goes according to plan, the update should resolve input validation issues in JavaScript methods that could potentially lead to remote code execution. And yes, Adobe admits that reports have been made, claiming this issue has already been exploited in the wild.

Additional articles about this exploit:

WebProNews

Washington Post


SQL Injection on the Rise in 2008

A relatively new trend in SQL injection started developing late last year: Numerous web sites were defaced by including malicious HTML <script> tags in text that was stored in SQL databases — and that text was/is used to generate web pages dynamically.

According to Microsoft’s Security Vulnerability Research & Defense web site, such “attacks began to accelerate in the first quarter of 2008 and are continuing to affect vulnerable web applications.”

What surprised me most, however, was that Microsoft listed the following three commonalities among the web sites that were especially prone to this kind of SQL injection:

  1. The web sites use Classic ASP code
  2. The back-end is powered by a SQL Server database
  3. The web site’s code generates dynamic SQL queries, using URI query strings

Wow! Why was I surprised? Well, for the better part of the last four years or so, I’ve been painstakingly upgrading a legacy web application, running on Classic ASP (but also some C#.NET). Those upgrades included, among a ton of other security-related issues, the conversion of all in-line SQL queries to Stored Procedures.

During that time, I’ve also hired a third-party security company to make sure (every six (6) months) that no new vulnerabilities were added to the web application by me and my developers. Yes, it was painful at first, but it was well worth the effort.

Enter the scary part: As pointed out on the web site I’ve mentioned above, “these attacks have been accelerating through the year.” The researchers at Microsoft then point out that there are two significant factors involved in that:

1) There is a malicious tool that is in the wild that automates this. In a nutshell, the tool uses search engines to find sites that are vulnerable to SQL injection.

2) One or more malicious bots are now launching SQL injection attacks to spread the bot further. (SecureWorks discusses such an example in this article.)

What’s the solution? Since the enemy never sleeps, it looks as though web developers and database administrators won’t be able to rest on their laurels for long.

  • Use Stored Procedures to send information to the database
  • Verify that the most obvious malicious user input gets caught before it gets passed to any Stored Procedures
  • Review the server logs for suspicious URI query strings
  • If you find or suspect any exploits, inspect the various database tables that could have infected data
  • Periodically review additional information about SQL Injection for your specific development environment
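As an added illustration of the log-review and table-inspection items above (this is example code written for this post, not from Microsoft’s write-up or any tool mentioned here), the script below flags URI query strings carrying SQL injection indicators in constructed IIS-style log lines and finds stored text containing injected script or iframe tags. The log field layout, the indicator patterns and the sample rows are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators of SQL injection in a decoded query string: a quote or semicolon
# followed by a SQL keyword, a SQL comment marker, or a UNION SELECT clause.
SQLI_PATTERNS = [
    re.compile(r"['\";]\s*(select|union|insert|update|delete|declare|exec|cast)\b", re.I),
    re.compile(r"(--|/\*)"),
    re.compile(r"\bunion\s+select\b", re.I),
]
# Markup that must never appear in text columns used to build pages dynamically.
INJECTED_TAG = re.compile(r"<\s*(script|iframe)\b", re.I)


def suspicious_query(query):
    """Return True if the URL-decoded query string matches an injection indicator."""
    decoded = unquote_plus(query)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def flag_log_lines(log_text):
    """Return (uri-stem, query) for each W3C-style log line with a suspicious query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 4:   # skip directives/short lines
            continue
        stem, query = fields[2], fields[3]             # assumed field positions
        if query != "-" and suspicious_query(query):
            hits.append((stem, query))
    return hits


def infected_rows(rows):
    """Return ids of (id, text) rows whose text carries an injected script/iframe tag."""
    return [row_id for row_id, text in rows if INJECTED_TAG.search(text)]


# Constructed sample log (assumed fields: date time cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs-uri-query sc-status
2008-06-25 10:01:02 /products.asp id=42 200
2008-06-25 10:01:09 /products.asp id=42;declare+@s+varchar(4000) 500
2008-06-25 10:02:11 /news.asp cat=3'--+ 200
2008-06-25 10:03:15 /search.asp q=union+station+hotel 200
"""
# Constructed sample rows (id, text) as read back from a content table.
SAMPLE_ROWS = [
    (1, "Welcome to our store"),
    (2, 'Sale this week</td><script src="http://example.invalid/x.js"></script>'),
    (3, "Contact us: 555-0100"),
]

if __name__ == "__main__":
    print(flag_log_lines(SAMPLE_LOG))   # two flagged requests; "union station" is not one
    print(infected_rows(SAMPLE_ROWS))   # [2]
```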

That’s all for now. If anyone has specific tips to combat this kind of web application threat, please let me know.


Flash 10 / Firefox 3 / YAML v1.0

A few days ago, Adobe released Flash Player 10 beta. According to Adobe, this “public prerelease is an opportunity for developers and consumers to test and provide early feedback to Adobe on new features, enhancements, and compatibility with previously authored content.”

What’s new? Among other improvements and enhancements, Flash Player 10 comes with built-in 3D Effects, Custom Filters and Effects, Advanced Text Layout, Enhanced Drawing API and Visual Performance Improvements.

Download link for Adobe Flash Player 10. By the way, Adobe suggests you uninstall any currently installed versions of Flash Player before installing the beta prerelease of version 10.

On to the latest version of Firefox: The final release of Firefox 3 is expected to come out in June 2008. Currently, you can get Firefox 3 Release Candidate 1 (in more than 45 languages), if you’re interested in testing the prerelease version.


What’s new? According to the good folks from Mozilla, most notable among the more than 14,000 updates of the underlying architecture are the dramatic improvements that have been made to performance, memory usage and speed. Enhancements include a slew of security features (including Windows Vista Parental Controls), better usability, personalization features and improved graphics and font handling.

Finally, if you’re a hands-on web designer & developer like me, you owe it to yourself to test-drive YAML Builder 1.0. Yet Another Multicolumn Layout (YAML) is an XHTML/CSS framework that allows you to create contemporary flexible floated layouts.

The premise of this online tool is simple: Rapidly develop a valid and standards based CSS layout for web sites and web applications. This tool is truly amazing!

Aside from taking the hassle out of combining three columns, a header, a footer, the main navigation as well as the top navigation in CSS (plus with the (X)HTML source code), you can also extend the layout with (nested) optional elements.

For example, have you ever cobbled together a perfect web page layout in CSS, with everything behaving just perfectly? And then you needed to drop another three-column layout inside the middle column to showcase three products? Sweat no more, YAML builder can handle all of that plus much more. Oh, and did I mention that it’s free?

You simply have to see it to believe and appreciate it.


Curl Border Effect in under one minute

Sometimes, certain photo effects grab your attention to the point of mesmerizing you. That’s pretty much what happened when I saw the Curl Border effect, as illustrated below:

Curl Border Effect with Drop Shadow in under one minute with PhotoScape

If you like this effect, let me tell you how you, too, could create this kind of visual beautification (in my humble opinion):

1. Go to the Photoscape web site.

2. Click the Free Download tab to get to the Photoscape download page.

3. Download and install the latest version of Photoscape. (At the time of this writing, the latest version is 3.0.)

As far as I can tell, there’s no adware, no malware and no kind of annoying reminder or marketing message associated with this incredible photo editor. The good folks from Photoscape would appreciate a donation, but they are not being obnoxious about it.

As soon as you have Photoscape installed and opened the photo to which you want to apply the Curl Border, start your timer.

With the Home tab selected (next to Object, Crop and Region), click on the frame effects drop-down and select Curl Border.

Stop the timer. You’re done.

Yes, I know, the topic of this blog entry could probably be somewhat misleading if you’re a die-hard Photoshop whiz who wants to manipulate every single pixel by hand…then again, why would you want to do that when you could just fire up Photoscape and let it do the hard work for you?

Just for fun, click CONTROL-Z to undo the effect you just applied to your photo. Then scroll all the way to the top of the frame effects drop-down (No Frame) and select that option. With the focus still being on the frame effects drop-down, press the down-arrow key on your keyboard to step through one effect at the time. Each effect gets applied individually; you won’t be adding effect onto effect onto effect, etc. Doing this will give you a great idea of what’s possible within Photoscape.

Of course, there’s so much more that you can do with Photoscape, for example, take screen captures, batch-process photos, resize and rename photos, print photos, combine and merge several photos into one…and much, much more.

Note:  Currently, Photoscape is only Microsoft Windows compatible (Microsoft Windows 98/Me/NT/2000/XP/Vista).

PS: The photo used in this blog entry was repurposed from http://www.powerhousemuseum.com/imageservices/. The name of the photo is Happy Mother’s Day from the Powerhouse Museum. The photographer is Paula Bray. To the best of my knowledge, using the photo for educational purposes should not violate the terms of the Creative Commons Attribution-Noncommercial-No Derivative Works 2.0.


Free High Quality Icons

Good Gravy! How did I ever miss this awesome web site? Free icons? OK, what else is new? Free high quality icons? Hmmm, that sounds better already. How about free high quality icons that you can download in a variety of sizes, even as PNG files with transparent backgrounds?


JavaScript String Functions . . . the easy way

Has it been a while since you’ve had to reverse a string in JavaScript? How about counting the number of occurrences of a specific sub-string within a string? Or converting a string to hex? And vice versa?

If you’re like me, you don’t deal with JavaScript string functions all day all the time, so you tend to forget some of the specific JavaScript string function syntax from time to time. Especially when you’re dealing with C#, T-SQL, VBScript and ActionScript at the same time.


WordPress Injection May Harm Your Computer

Would you believe it? WordPress is getting injected with malicious code, displayed in a one-pixel by one-pixel iframe. How do I know? I just barely removed the offensive code, that’s how.

At first, I thought it was just one of those false alarms from my virus scanner software when I looked at my own blog on my own computer and received a threat alert. Then, I thought, it might not show up when I try looking at my blog from work. Wrong!


Dear Recruiter . . .

Dear Recruiter,

Thank you very much for thinking of me — I do appreciate it. Yes, I’m definitely looking for a new challenge, and although I am flattered that you thought I might be a good fit for one or more positions that you came across, please allow me to describe briefly what I’m looking for:
