Jim O'Halloran's Weblog

Building a Complete CodeIgniter Application: Part 3

Jim O'Halloran — Wed, 24 Oct 2007 02:18:16 +0000

I left you at the end of part 2 with the news that there was a large security hole in the work we’d done so far. Readers who’ve done a bit of web development in the past should recognise the vulnerability as cross site scripting (XSS) and might understand the problems XSS can create. In this part I want to discuss some common security problems, and the steps we need to take to eliminate those.

Understand that security is not a product but a process. We can’t buy security, we can’t develop our code and “bolt on” some security later. Effective security needs to be built into the product/project from the time it’s first written, and ongoing care and attention needs to be paid to making sure that every new line of code doesn’t compromise our security in some way. If you need evidence of that, there’s any number of Open Source CMS or forum products out there which were put together and released, and have struggled for many many releases (often with little success) to properly secure themselves against attack. Security in the applications we write is the result of education, awareness, care and attention to detail in every piece of code we write, secure code should be the result of the process we use to write our code, not an afterthought.

In the first two parts I’ve done a couple of things already which were security related, so lets first loop back and explain what we did and why. Then settle in while I explain cross site scripting (XSS) and we look at the HTML Purifier tool then apply it to the problem at hand. Finally I’ll talk about handling user logins and secure storage of passwords. (more…)

links for 2007-10-17

Jim O'Halloran — Wed, 17 Oct 2007 22:17:14 +0000

EzAuth 0.4 (beta) Released! - An ACL/user management CodeIgniter Project | CodeIgniter Forums

Simple, lightweight user authentication for CodeIgniter

(tags: codeigniter php webdev authentication)

links for 2007-10-11

Jim O'Halloran — Thu, 11 Oct 2007 22:19:06 +0000

Voice over Digital Subscriber Line (VoDSL)

A nice VoDSL tutorial.

(tags: vodsl voip)
SQl Injection - Bobby Tables Comic

Hilarious comic covering SQL Injection.

(tags: sql injection security funny)

links for 2007-10-04

Jim O'Halloran — Thu, 04 Oct 2007 22:17:24 +0000

Using Hamachi in Linux

Explains how to install and use Hamachi in Linux, inclusing an init script for automagic startup.

(tags: hamachi linux vpn)
XVR27’s Apples To Apples Page

Contains links to the “Apples to Apples” word lists.

(tags: word game)

links for 2007-10-03

Jim O'Halloran — Wed, 03 Oct 2007 22:17:12 +0000

Stay Safe Online

Stay Safe Online provides free and non-technical cyber security and safety resources including a “How safe are you?” quiz.

(tags: security)
Computer Security Awareness Video Contest 2007

(tags: security)
Paranoid Penguin - Securing Your WLAN with WPA and FreeRADIUS, Part II | Linux Journal

Explains how to generate certificates we can use for EAP-TLS in WPA-Enterprise.

(tags: wifi security wpa-enterprise radius authentication)

links for 2007-10-01

Jim O'Halloran — Mon, 01 Oct 2007 22:18:05 +0000

[The Unexpected SQL Injection] Web Security Articles - Web Application Security Consortium

Excellent SQL Injuection article

(tags: sql injection security webdev php mysql)
Installing VMware Tools in Fedora Core 6

Fixes for problems installing Vmware tools on Fedora Core 6, also applies to Centos 5.

(tags: centos vmware dedora)

links for 2007-09-29

Jim O'Halloran — Sat, 29 Sep 2007 22:17:09 +0000

OpenLayers: Home

OpenLayers makes it easy to put a dynamic map in any web page. It can display map tiles and markers loaded from any source.

(tags: opensource maps javascript webdev)

links for 2007-09-28

Jim O'Halloran — Fri, 28 Sep 2007 22:17:11 +0000

CentOS + Postfix + virtual users + Squirrelmail + …

W00t…. Just want I was looking for. CentOSPlus has a postfix RPM with MySQL suipport which should make this a lot easier.

(tags: postfix virtual mysql)

links for 2007-09-26

Jim O'Halloran — Wed, 26 Sep 2007 22:17:49 +0000

GooSync - Home Page

Over the air, Google Calendar sync to mobile devices. Works great with my iMate PDA/Phone

(tags: google calendar sync pda smartphone)
AutoCompleter Tutorial - jQuery(Ajax)/PHP/MySQL

(tags: webdev jquery ajax javascript)
The Standard PHP Library (SPL)

(tags: webdev php patterns)

Building a Complete CodeIgniter Application: Part 2

Jim O'Halloran — Sun, 23 Sep 2007 11:32:10 +0000

This is the second installment in a series called “Building a Complete CodeIgniter application”. In this series I’ll walk readers through the construction of a complete AJAX application using the CodeIgniter framework. I’ve chosen to build a multi-user Feed Reader, which I’ll call “Feedignition”. Feed Readers seem to be the new “hello world”, and there’s good feed parsing libraries available which allow us to concentrate on the application itself without having to worry about the myriad of details involved in actually parsing of a feed. That leaves us free to explore a number of topics which will be of interest to anyone building applications with CodeIgniter.

In the last part of this series we created the foundations on which we’ll build the FeedIgnition aggregator. We installed the basic CI framework, and set up our database connections. When we finished up we have an app that did absolutely nothing, every possible URL resulted in a 404 error. However, this was necessary to give us a base on which we can build our feed reader, now we’ll get down to the nuts and bolts of actually building an app in CodeIgniter. Before we get started, you’ll need to make sure you’ve worked through part 1 and have CI + a database ready to go.
(more…)