
Posts

Showing posts from January, 2017

Complying with PCI database requirements in Laravel on AWS

Image: pexels.com

I'm busy with the self-assessment questionnaire for PCI compliance. Part of the database requirements is that cardholder data be encrypted at rest as well as in transit. I host with Amazon RDS and use Laravel, so my life is made pretty easy. Amazon RDS natively supports encrypted connections and also lets you create a database that is stored on an encrypted backing instance. If you've enabled this option then all that you need to do is make sure that you connect to the database using an encrypted connection. I'm not getting paid anything for saying that I really enjoy using RDS, but today is another occasion when I'm really happy that I didn't have to sit and install certificates and fiddle with a cluster configuration to enable SSL connections. The "zero config" that comes with RDS saves time and money. Laravel was really easy to configure to use SSL. All that you need to do is download the RDS certificate chain from ht

Email injection attacks in PHP

Image: Pixabay

Email injection is one of the topics I cover in my Zend certification guide. You can grab a copy on Leanpub - https://leanpub.com/phpforprogrammers/ It is possible for a user to supply URL-encoded (hexadecimal) control characters, such as %0A for a line feed, that allow them to change the message body or recipient list. For example, if your form allows the person to enter their email address as a "from" field for the email, then the following string will cause additional recipients to be included as Cc and Bcc (blind carbon copy) recipients of the message: sender@example.com%0ACc:target@email.com%0ABcc:anotherperson@emailexample.com,stranger@shouldhavefiltered.com It is also possible for the attacker to provide their own body, and even to change the MIME type of the message being sent. This means that your form could be used by spammers to send mail. You can protect against this in a couple of ways. Make sure that you properly filter input that you use when sending mails. The `filter_var()` functi

Traits in PHP

What are traits?

Image: Pixabay

Let's start by understanding what traits are and how they're useful. We'll move on to code examples straight after that. Traits are not unique to PHP and are available in other languages too. They provide a way to extend the functionality of a class. A trait has methods that implement this functionality and makes them available as if they had been defined in the class itself. In other words, traits are flattened into a class, and it doesn't matter whether a method is defined in the trait or in the class that uses the trait. You could copy and paste the code from the trait into the class and it would be used in the same manner. The code that is included in a trait is intended to encapsulate reusable properties and methods that can be applied to multiple classes. Traits group functionality in a fine-grained and consistent way and allow you to reuse this functionality without requiring inheritance. I mentioned before