AppSec Blog: Category - php

Various PHP and MySQL Pitfalls

This is a short post, to summarize some of the issues I see with PHP code and the use of MySQL. Not many people know about these pitfalls, and they give rise to some of the more subtle security issues: 1 - "SQL Overflow" If a value you insert into a column is …


Session Attacks and PHP - Part 2

Yes, I will talk in this article about why it is not good to leave your session files in /tmp. But first, allow me to follow Jason's lead and talk about the session attacks he discussed in Part 2 of his ASP.NET article. I will keep it short. Session fixation isn't really that much of …


Session Attacks and PHP

This blog is of course inspired by Jason's ASP .Net blog. I figured that as the PHP guy in the group, I may as well cover what he did for .Net from the PHP side. PHP's default session mechanism is rather simple and effective. The php.ini file configures how sessions work. Many of the parameters can …