Displaying posts with tag: PHP
MySQL Webinar: LAMP - Security for the Web2.0

It has only been two years since Tim O'Reilly coined the phrase Web 2.0, and an even shorter time since Jesse James Garrett created the shortcut AJAX for the base technology of modern internet applications. In this period the nature of web applications underwent a major change in user experience and development methods.

It is the age of integrated communication. Content is created using rich interfaces by users for other users, collected by feed aggregators, collaboratively bookmarked, tagged, complemented by maps and delivered as a service for mash-ups. A good portion of these services is supplied by the LAMP stack (Linux, Apache, MySQL, PHP / Python / Perl). Since every technology has its dark companion, new security risks arose, and others grew more important.

If you are developing Web 2.0 and AJAX applications and want to know about the old and new security risks, …

Code Inclusions on a Silver Plate

Looking for code inclusions?
The versatile Google cluster has a solution for this, as for many other tasks.
This search

lang:php \secho\([^)]*_REQUEST[^)]*\);

lets you find various places where some variable from the superglobal $_REQUEST is printed with echo. By the same means, you can easily find places where such a variable is directly included in an SQL query, for instance with

lang:php \smysql_query\([^)]*_REQUEST[^)]*\);

This alone yields 50 results for each query, but it may be varied with printf() instead of echo() or just …

Interview with Thomas Bachem, Chief Architect sevenload.de

[English readers: this is the start of a new series called "/dev/video" (current project name, may change without further notice) which targets PHP and other web application developers and covers interviews with public projects and tech talk between Mayflower employees and other people. The series will be both in English and German, this first video is in German with Thomas Bachem, Chief Architect at sevenload.de, one of Germany's hottest Web2.0 startups.]

On Monday I had the opportunity to use the bridge day to try out the new camcorder (Sony DCR DVD-205) and to kick off a new series - anyone who has read the PHP Magazin will have seen the article on sevenload.de …

MySQL new password problem

This morning has been rich in troubles.
A PHP script was supposed to work with a MySQL database, but it failed with: “Warning: mysql_connect(): Client does not support authentication protocol requested by server; consider upgrading MySQL … Client does not support authentication protocol requested by server; consider upgrading MySQL client“.
I dug around a bit and the solution was very simple:

```sql
-- Re-hash this account's password in the pre-4.1 (16-byte) format so that
-- the old client library can still authenticate. Note that this keeps the
-- account on the weaker legacy hash; upgrading the client is the better fix.
SET PASSWORD FOR 'user'@'localhost' = OLD_PASSWORD('newpassword');
```

This updates the password to use the old authentication protocol.

International PHP Cluster Disk Data Article

I’ve had an introductory article to MySQL Cluster 5.1 Disk Data published in the September 2006 issue of International PHP Magazine.

If you’re using Cluster or you’re interested in doing so, and you’ve not yet tried out MySQL 5.1, you’ll find that disk data storage makes MySQL Cluster more flexible, scalable, and cheaper to run than MySQL 4.1 and 5.0 Cluster. In the article, I’ve outlined some reasons why this is so. The article covers the basics of creating disk-based Cluster tables, and discusses some Disk Data do’s and don’ts. There’s also some info about other improvements to MySQL Cluster that are being made in 5.1, as well as some diagrams and sample PHP5 code for accessing a MySQL Cluster. Just in case you’re not that familiar with setting up a MySQL …

Understanding successful tracing of security vulnerabilities

Web applications can easily become very complex. Several hundred thousand lines of code (not counting HTML templates!) is usual for larger corporate solutions. This also means that your PHP application follows standards like object-oriented programming, nested classes, etc.

When it comes to detecting security vulnerabilities, a lot of tools are available. In a previous post I told you that we developed Chorizo! mainly because we needed a tool that checks for security vulnerabilities (both XSS issues and server-side issues) very easily. I think our GUI is very nice :-)

In a previous post I introduced Morcilla to you (see video here and here and …

Moving to the Good Side of the Force

OK, so I returned from vacation late last night, after putting almost 1700 miles on my car these past four days. A friend of mine had his Master's thesis show (in furniture design) down in Savannah, Georgia. It was a fantastic time, and Ezra's work is truly astonishing, but I was quite exhausted after the long drives to and from Columbus, Ohio.

You may remember that I have been helping my twin brother learn PHP and MySQL programming. I'm pleased to say that he is progressing quite well! Every time we Skype chat, he seems to have picked up more and more programming vocabulary and is understanding some of the trickier concepts fairly well. My teaching is ongoing. I have advised him to try and learn five new PHP functions every time he sits down to code, and to practice the functions by using them in his work. For instance, …

SQL injections for dummies - and how to fix them (Update)

Well, database operations are bread-and-butter work for most PHP applications. PHP and MySQL, for example, have been like brother and sister for many years. You may have heard about "SQL injections", a bad taste from the outside world of $_GET, $_POST, $_COOKIE and the like.

Everybody should know that you shouldn't pass variables from outside unfiltered to, e.g., mysql_query. Of course, sometimes this can slip through because we are human and humans make errors. The initial development of Chorizo! was driven by our own need to make it easier for our developers to detect potential security issues and fix them in a second. With Morcilla, our server-side PHP extension, life will be much easier, especially when you set display_errors = Off in your php.ini, which means a modified GET variable that produces a SQL error no longer gives potential attackers any hint. With Morcilla, we look inside the server and can detect SQL injection …

Detect and fix security vulnerabilities on the server side within seconds.

(See bigger version with better quality at https://chorizo-scanner.com/flash_morcilla )

This video shows you how Morcilla, our brand new PHP extension, lets Chorizo! have a look inside your application on the server.

We are able to hook into every PHP function and trace the payloads of Chorizo!. By default, Morcilla hooks into the whole MySQL function family, fopen, mail, include/require/include_once/require_once, preg_* and others. With a ZendEngine patch, we are able to trace unset variables and a lot more.

See the video of how it works (Google Video, YouTube). Check out the …

Phorum 5.1.16 Released

This is another bugfix release with only a couple of module-related new features.

The news for this release is:

* “fixed a bug with using the alternate search backend. database search was still done while it shouldn’t.”

* MFH: addon.php allows for addon scripts that are implemented using a module

* Added extra hook ‘posting_custom_action’ to the posting editor code

* MFH: Added signing of editor form data to prevent data tampering

* Added a simple general purpose private key based signature system

* redirect back to vroot if mark-read is used (fixing #403)

For users running 5.1.15 we recommend replacing at least search.php to lessen the load on searching. A couple of smaller fixes were also implemented; therefore we recommend that every user running Phorum 5.1.x upgrade to this version.

If you want to see the full changelog you can find it here …
