While talking with PHP developers this morning, I thought of another way unverified serialized strings could be abused. This exploit can only affect PHP 5 installs, but given the growing market share of PHP 5 it is certainly something worth noting.
As you may know, classes in PHP are allowed to implement a magic method called __wakeup() that contains operations to be performed when an object of that class is deserialized. Some native classes, like PDO, implement this method with the goal of preventing serialization of database handles, and throw an exception when it is called. Herein lies the abuse: the attacker simply needs to supply a short serialized string that looks like a serialized version of a supposed PDO object.
[code]
O:3:"PDO":0:{}
[/code]
When PHP tries to unserialize it, it determines that the PDO class has a __wakeup() method and promptly calls it. However, since the method is disallowed, it throws an exception which, if left uncaught, terminates the script with a fatal error. Since most people do not expect unseri...
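One way to keep a forged object out of unserialize() in the first place, as an added example (not code from the original post, and written for PHP 5 which has no allow-list option): reject any payload that would instantiate an object before the serializer ever sees it, on the assumption that the caller only expects scalars and arrays back. The check is deliberately conservative and will also refuse a legitimate string that happens to contain an object token.

```php
<?php
// Added example, not part of the original post: guard untrusted input
// so that a payload like O:3:"PDO":0:{} never reaches PDO::__wakeup().
// Assumption: the application only ever stores scalars and arrays here.

function unserialize_untrusted($payload)
{
    // Serialized objects begin with O:<len>:"<class>": (or C:... for
    // classes with a custom serializer). A raw-string match runs before
    // any constructor or __wakeup() can, so nothing is instantiated.
    // False positives (a string value containing such a token) are
    // rejected too; for this use case rejecting is the safe outcome.
    if (preg_match('/(^|[{;])[OC]:\d+:"/', $payload)) {
        return false;
    }

    // Suppress the E_NOTICE a malformed string would emit and treat any
    // failure as "no data". The one valid payload that legitimately
    // unserializes to false is b:0; so it is handled explicitly.
    if ($payload === 'b:0;') {
        return false;
    }
    $data = @unserialize($payload);
    return $data;
}

// Constructed inputs: a legitimate preferences array, a nested object
// hidden inside an array, and the forged PDO object from the post.
$good   = serialize(array('user' => 'alice', 'theme' => 'dark'));
$nested = 'a:1:{i:0;O:3:"PDO":0:{}}';
$forged = 'O:3:"PDO":0:{}';

var_dump(unserialize_untrusted($good));
var_dump(unserialize_untrusted($nested)); // refused without calling unserialize()
var_dump(unserialize_untrusted($forged)); // refused without calling unserialize()
```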
You know you're moving up in the world when Microsoft feels that it's necessary to make a cartoon disparaging your products in favor of their own wares. Pierre, one of the PHP developers, has found this gem on the French segment of the Microsoft site. I guess it means that PHP is making enough inroads into the Enterprise market that big fish like MS feel it necessary to spread some FUD as a stop-gap measure.
Thanks to Sean Coates we now have an English translation available:
http://www.flickr.com/photos/12538148@N00/100864754/
The final (stable) release of FUDforum 2.7.4 is now available for download. This release is the culmination of several months of development that have resulted in a series of new features as well as the resolution of a fair number of bugs. All FUDforum users are encouraged to upgrade to this release at their convenience. Code-wise, the release is virtually identical to 2.7.4RC2.
The upgrade and installation packages can be found here:
Upgrade Packages
Install Packages
My proposals for the php|tek 2006 conference have been approved, which means that I'll be flying to sunny Florida this spring. Given the gloomy weather here in Toronto, it certainly sounds like a lot of fun. On the conference's agenda I have just two items this time: I will be giving an introductory talk on PDO that should be of interest to anyone writing new PHP applications that utilize databases. The other item is a seminar on PHP Security, which will cover web security topics from the ground up, with the focus on web applications designed in PHP. Aside from my own talks, Marco has collected an impressive array of speakers with notables such as Rasmus, Marcus, Derick, John, Sara (who I've never met in real life ;-)) and many others. So if you need to get away from the day-to-day drudgery and learn something about PHP in the process, this is a conference you don't want to miss!
Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.
The problem demonstrated actually goes a bit further, and makes even the prescribed escaping mechanism, mysql_real_escape_string(), prone to the same kind of issues that affect addslashes(). The main advantage of mysql_real_escape_string() over addslashes() lies in the fact that it takes the character set into account and is thus able to determine how to properly escape the data. For example, if the GBK character set is being used, it will not convert the invalid multibyte sequence 0xbf27 (¿') into 0xbf5c27 (¿\' or, in GBK, a single valid multibyte character followed by a single...