PHP Security Auditing Companies

So you're nearing the end of a project release schedule and decide to contract out security testing to a company specialising in website auditing. You might call it release engineering, or project finalisation...

However, a lot of people don't quite realize that these services are not there to fix your bugs, to prevent you writing code riddled with security holes, or to stop you doing anything silly in future so that these bugs don't crop up again.

The vast majority of security consultants out there will be able to provide tips on how you could generally improve code security, along with pointing out and documenting the flaws found. It's up to you as a developer to analyse how you came to write insecure code and put procedures in place to stop it happening again.

... if you don't, prepare to keep releasing vulnerable software or to pay never ending consultancy fees.

escape_string isn't enough!

Ever had an application with concatenated SQL strings all over the place including user data here & there?

$sql = "INSERT INTO example VALUES ('$safe_var','".mysql_real_escape_string($unsafe_var)."','$possibly_unsafe')";

All it takes is one slip-up: presuming that a variable is going to be safe and not escaping it. "Magic Quotes" was created for exactly this problem, but it creates endless problems of its own, so you end up with the reverse situation: stripping extra quotes from the majority of normal variables instead of escaping the minority of variables which could be used maliciously.

From the get-go you should be using prepared statements, and with the mysqli and PDO extensions supporting them natively there's no excuse.

If prepared statements of any sort aren't available on your server, shame the administrator into enabling the extensions. Alternatively you can write your own fairly trivially, and many third-party libraries like ADOdb support them.
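The concatenated INSERT from above rewritten as a prepared statement, with PDO and then with mysqli. This is an added example, not code from the original post; the DSN, credentials and table layout (three string columns in the table "example") are assumptions.

```php
<?php
// Added example: the same INSERT as the concatenated version, but every value
// is a bound parameter, including the one the old code assumed was "safe".
// Connection details below are assumed placeholders.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepares rather than client-side escaping, so the
    // query text and the data travel to the server separately.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function insert_example(PDO $db, string $a, string $b, string $c): int
{
    // No quoting in the SQL text: the driver handles typing and escaping.
    $stmt = $db->prepare('INSERT INTO example VALUES (:a, :b, :c)');
    $stmt->execute(['a' => $a, 'b' => $b, 'c' => $c]);
    return $stmt->rowCount();
}

// Constructed sample values: quotes and semicolons are stored literally, which
// is exactly where a forgotten mysql_real_escape_string() would have broken.
insert_example($db, 'plain value', "O'Reilly", "it's; fine");

// The mysqli equivalent uses positional markers and explicit types.
$mysqli = new mysqli('localhost', 'user', 'secret', 'app');
$stmt   = $mysqli->prepare('INSERT INTO example VALUES (?, ?, ?)');
$a = 'plain value';
$b = "O'Reilly";
$c = "it's; fine";
$stmt->bind_param('sss', $a, $b, $c); // 's' = string for each marker
$stmt->execute();
```

A useful review check is that no SQL string in the code base contains a `$` or a `.` concatenation; anything that does is a candidate for the "one slip-up" described above.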

XSS and Output Filtering

Yes, output filtering can be pesky at times, but how do you introduce a standard way of preventing XSS?

The most common way is to define echo_safe and echo_unsafe wrappers which output the data with or without web-unsafe characters being escaped.

You could also take the hardline approach: rename the echo/print/etc. functions using APD and force yourself to use the wrappers.
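One way to write the echo_safe / echo_unsafe pair described above. The function names come from the post; the bodies are an added example, not the author's code, and the sample display name is constructed.

```php
<?php
// Added example: escaping wrappers for HTML output. Only the names echo_safe
// and echo_unsafe come from the post above; everything else is assumed.

// Escape a string for an HTML text node or a quoted attribute value.
function html_safe(string $s): string
{
    // ENT_QUOTES escapes single quotes too, so the result is also safe inside
    // value='...' attributes; ENT_SUBSTITUTE replaces invalid byte sequences
    // instead of returning an empty string (which would silently drop output).
    // The charset must match what the page is actually served as.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The default: every piece of dynamic data goes out through here.
function echo_safe(string $s): void
{
    echo html_safe($s);
}

// Deliberately loud name: each call site is a place a reviewer must confirm
// the data is already trusted markup (e.g. produced by a whitelist sanitiser).
function echo_unsafe(string $html): void
{
    echo $html;
}

// Constructed sample: a user-supplied display name that contains markup.
$name = '<script>alert("hi")</script>';
echo '<p>Hello, ';
echo_safe($name);
echo "</p>\n";
// Output: <p>Hello, &lt;script&gt;alert(&quot;hi&quot;)&lt;/script&gt;</p>
```

These wrappers cover HTML body and attribute contexts only; data placed inside a JavaScript block, a URL or a CSS value needs an escaper specific to that context.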


PDO Wish List

Since converting to PDO for almost all the database interaction I do, I've not really had any bad experiences; sure, I got a few crashes here and there early on, but since then it's been pretty good.

However, there is one thing I'd really like to see.

When using prepared statements, I would love to have an extended syntax which would allow me to bind either a single value or an array and have the query modified appropriately.

For example:

$db = new PDO('live_profile');
$stmt = $db->prepare('SELECT * FROM sometable WHERE my_column = :+var');

// Execute it with a single value
// And the query becomes:
// SELECT * FROM sometable WHERE my_column = 'single_value'
$stmt->execute( array('var' => 'single_value') );

// Execute it with an array
// And the query becomes:
// SELECT * FROM sometable WHERE my_column IN('value1','value2')
$stmt->execute( array('var' => array('value1', 'value2')) );

The :+ variable expansion method would search back for the = operator before the variable and, if the bound value is an array, replace it with the IN form. Full compatibility could be maintained by using : on its own for ordinary variable binding and omitting the + completely.
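The :+ expansion is not something PDO supports; as an added example (not the author's code and not a PDO feature), here is a small userland emulation that rewrites the SQL before prepare() while keeping every array element as its own bound parameter, so the expansion never interpolates user data into the query text. It assumes an already-configured PDO connection in $db.

```php
<?php
// Added example: userland emulation of the ":+name" idea from the post.
// "= :+name" becomes "= :name" for a scalar, or "IN (:name_0, :name_1, ...)"
// for an array, with one bound parameter per element.
function expand_array_params(string $sql, array $params): array
{
    $out = $params;
    $rewritten = preg_replace_callback(
        '/=\s*:\+([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use (&$out): string {
            $name = $m[1];
            if (!array_key_exists($name, $out)) {
                throw new InvalidArgumentException("missing parameter: $name");
            }
            $value = $out[$name];
            if (!is_array($value)) {
                return "= :$name";            // scalar: plain binding, unchanged
            }
            unset($out[$name]);               // replaced by per-element params
            if ($value === []) {
                return 'IN (NULL)';           // empty list: matches no row
            }
            $holders = [];
            foreach (array_values($value) as $i => $v) {
                $holders[] = ":{$name}_$i";
                $out["{$name}_$i"] = $v;      // value stays a bound parameter
            }
            return 'IN (' . implode(', ', $holders) . ')';
        },
        $sql
    );
    return [$rewritten, $out];
}

// Usage with the post's own query; $db is an assumed existing PDO connection.
[$sql, $params] = expand_array_params(
    'SELECT * FROM sometable WHERE my_column = :+var',
    ['var' => ['value1', 'value2']]
);
// $sql    is now: SELECT * FROM sometable WHERE my_column IN (:var_0, :var_1)
// $params is now: ['var_0' => 'value1', 'var_1' => 'value2']
$stmt = $db->prepare($sql);
$stmt->execute($params);
```

Because the element count changes the SQL text, each distinct array length produces a distinct prepared statement; that is a caching cost, not a correctness problem.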

Alternatively MySQL could allow multiple values to be used with the = operator, for example:

SELECT * FROM sometable WHERE my_column = ('value1', 'value2')

Being synonymous with:

SELECT * FROM sometable WHERE (my_column = 'value1' OR my_column = 'value2')

It would make my life much easier.


Suicide Words - Job Descriptions

For anybody who's been scanning the boards for possible job opportunities you'll have developed your own system for ranking job postings.

Some recruiters don't realize this and try to jazz up a dead-end job with marketing buzzwords. I call them suicide words, because you're only going to get people who are really, really desperate for a job, and there's nothing like a low retention rate to kill off a recruitment consultant.

"Executive"

Translation: we want you to think this job is important, but really even a monkey could do it.

Four Trainee Executives

You'll enjoy a challenging and varied role in a professional environment where no two days are the same. After completing four to six months of intensive training you'll join an account team working closely with colleagues and clients to build long-term business relationships.

You will:

  • Train clients to use software systems.
  • Contribute to product testing.
  • Liaise with technical departments.
  • Provide application support over the telephone.

What you'll bring to the job:

  • A degree.
  • At least one year’s customer service experience.
  • Commitment to high standards of customer service.
  • Strong problem-solving skills.
  • Ability to communicate with people at all levels.
  • The desire to develop technical knowledge under your own steam.
  • A liking for teamwork.

Translation...

Trainee Support?

We need somebody to click buttons, answer the phone and talk balding middle managers through simple tasks.

You will:

  • Get the blame.
  • Deal with buggy software day in & day out.
  • Hand-hold people over the same tasks over the phone.

What you'll bring to the job:

  • A beating heart, preferably your own.
  • Ability to remember & regurgitate stuff.
  • Basic computer skills.
  • No aspirations.

Please, to any recruitment consultants out there... this could be rewritten with a little thought and transformed into something much better. In reality there are very few people who will look at that job posting and think "Brilliant, just the job for me".

If it were rephrased to target people who want temporary six-month contracts doing generally computer-literate first-line support, with opportunities to move up the ladder into more interesting jobs, then it would appeal to gap year students, graduates and people looking for temp-ish work.

Just for the record, this has no relation to a recent job posting.


Microsoft Windows Licensing

I'm not a Windows user myself (apart from a single machine at work for Outlook and Photoshop), but I've heard a lot of complaints about activation and how upgrades can interfere with that.

The licensing model is broken: by tying an installation (a serial key) down to one machine everything becomes very fuzzy... you don't have anything tangible to prove that you're not running your licensed version on more than one machine.

Sure, dongles are out of fashion, but they're cheap, most of the world's WinTel machines have USB support, they're cryptographically sound and it's something tangible that can be carried around, sold or... used on multiple machines.

The main thing which has made me think about using dongles for operating system licensing isn't only the prohibitive cost of a Windows XP/Vista license, but that most business machines are turned off when home machines are turned on.

Let's take the case of a typical office worker: in the morning they might check their e-mail or social networking apps, then they turn the computer off and it's no longer being used. At work they turn the computer on, do their stuff, then turn it off before coming home, etc.

If we introduce dongle-based licensing, the company buys one Professional Edition license which the employee is free to take home out of hours; this might be loaded with licenses for all the software that's being used at the office (Word, Photoshop) and might be used at home in emergencies or whenever needed.

I think I still have to think about this one.. but it's an interesting subject...


About

Harry is a professional developer and sysadmin from London, UK.

He's an atheist, employed at PixelMags LLC, a socialist and has a pragmatic outlook on life, love and religion.

Bookmarks

I'm constantly finding interesting stuff, here are some of the things I've bookmarked recently:

HarryR on Faves.com