Php News

Vuln: PHP Traverser 'mp3_id.php' Remote File Include Vulnerability
PHP Traverser 'mp3_id.php' Remote File Include Vulnerability www.securityfocus.com | 7/29/10 1:00 AM
CVE-2010-2909
SQL injection vulnerability in ttvideo.php in the TTVideo (com_ttvideo) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in a video action to index.php. web.nvd.nist.gov | 7/28/10 1:00 AM
Bugtraq: [ MDVSA-2010:140 ] php
[ MDVSA-2010:140 ] php www.securityfocus.com | 7/28/10 12:20 AM
Vuln: vBulletin 'faq.php' Information Disclosure Vulnerability
vBulletin 'faq.php' Information Disclosure Vulnerability www.securityfocus.com | 7/22/10 1:00 AM
CVE-2009-4936 (small_pirate)
Multiple SQL injection vulnerabilities in Small Pirate (SPirate) 2.1 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to the default URI in an rss .xml action, or the id parameter to (2) pag1.php, (3) pag1-guest.php, (4) rss-comment_post.php (aka rss-coment_post.php), or (5) rss-pic-comment.php. web.nvd.nist.gov | 7/22/10 1:00 AM
CVE-2010-2715 (tcw_php_album)
Cross-site scripting (XSS) vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the album parameter. web.nvd.nist.gov | 7/13/10 1:00 AM
CVE-2010-2714 (tcw_php_album)
SQL injection vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to execute arbitrary SQL commands via the album parameter. web.nvd.nist.gov | 7/13/10 1:00 AM
CVE-2010-2718 (cruxpa)
Multiple cross-site scripting (XSS) vulnerabilities in CruxSoftware CruxPA 2.00, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) txtusername parameter to login.php, (2) todo parameter to newtodo.php, and unspecified vectors to (3) newtelephone.php and (4) newappointment.php. web.nvd.nist.gov | 7/13/10 1:00 AM
CVE-2010-2716 (psnews)
Multiple SQL injection vulnerabilities in PsNews 1.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) ndetail.php and (2) print.php. web.nvd.nist.gov | 7/13/10 1:00 AM
CVE-2009-4926 (online_contact_manager)
Multiple cross-site scripting (XSS) vulnerabilities in Online Contact Manager (formerly EContact PRO) 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) showGroup parameter to (a) index.php and the (2) id parameter to (b) view.php, (c) email.php, (d) edit.php, and (e) delete.php. web.nvd.nist.gov | 7/12/10 1:00 AM
CVE-2010-2681 (com_sef)
PHP remote file inclusion vulnerability in the SEF404x (com_sef) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig.absolute.path parameter to index.php. web.nvd.nist.gov | 7/12/10 1:00 AM
CVE-2009-4928 (totalcalendar)
PHP remote file inclusion vulnerability in config.php in TotalCalendar 2.4 allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter, a different vector than CVE-2006-1922 and CVE-2006-7055. web.nvd.nist.gov | 7/12/10 1:00 AM
CVE-2010-2700
Cross-site scripting (XSS) vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to inject arbitrary web script or HTML via the search parameter. web.nvd.nist.gov | 7/12/10 1:00 AM
CVE-2010-2699
SQL injection vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to execute arbitrary SQL commands via the search parameter. web.nvd.nist.gov | 7/12/10 1:00 AM
CVE-2010-2654 (advanced_management_module)
Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) INDEX or (2) IPADDR parameter to private/cindefn.php, (3) the domain parameter to private/power_management_policy_options.php, the slot parameter to (4) private/pm_temp.php or (5) private/power_module.php, (6) the WEBINDEX parameter to... web.nvd.nist.gov | 7/8/10 1:00 AM
Resources: Windows Azure for PHP developers
Many thanks to the folks who came out for my talk last week at Atlanta PHP on Windows Azure. www.topix.net | 7/6/10 11:59 PM
Vuln: BrotherScripts Auto Dealer Software 'info.php' SQL Injection Vulnerability
BrotherScripts Auto Dealer Software 'info.php' SQL Injection Vulnerability www.securityfocus.com | 7/6/10 1:00 AM
CVE-2010-1328 (tornadostore)
Multiple cross-site scripting (XSS) vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) tipo or (2) destino parameter to login_registrese.php3 in the Services section, (3) the rubro parameter to precios.php3 in the Products section, (4) the arti parameter to recomenda_articulo.php3 in the Products section, (5) the descrip parameter in a profile action to control/abm_det.php3 in the e-Commerce section, (6) the tit paramete... web.nvd.nist.gov | 7/6/10 1:00 AM
Vuln: phpFK PHP Forum ohne 'search.php' Cross Site Scripting Vulnerability
phpFK PHP Forum ohne 'search.php' Cross Site Scripting Vulnerability www.securityfocus.com | 7/5/10 1:00 AM
Vuln: iScripts SocialWare 'events.php' SQL Injection Vulnerability
iScripts SocialWare 'events.php' SQL Injection Vulnerability www.securityfocus.com | 7/5/10 1:00 AM
Vuln: Wiki Web Help 'uploadimage.php' Arbitrary File Upload Vulnerability
Wiki Web Help 'uploadimage.php' Arbitrary File Upload Vulnerability www.securityfocus.com | 7/5/10 1:00 AM
CVE-2010-2624
Multiple SQL injection vulnerabilities in iScripts EasySnaps 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) comment parameter to add_comments.php, (2) values parameter to tags_details.php, or (3) begin parameter to greetings.php. web.nvd.nist.gov | 7/2/10 1:00 AM
CVE-2010-2618 (adapcms)
PHP remote file inclusion vulnerability in inc/smarty/libs/init.php in AdaptCMS 2.0.0 Beta, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the sitepath parameter. web.nvd.nist.gov | 7/2/10 1:00 AM
CVE-2010-2617 (php_bible_search)
Cross-site scripting (XSS) vulnerability in bible.php in PHP Bible Search allows remote attackers to inject arbitrary web script or HTML via the chapter parameter. web.nvd.nist.gov | 7/2/10 1:00 AM
CVE-2010-2616 (php_bible_search)
SQL injection vulnerability in bible.php in PHP Bible Search, probably 0.99, allows remote attackers to execute arbitrary SQL commands via the chapter parameter. web.nvd.nist.gov | 7/2/10 1:00 AM
CVE-2010-1521
SQL injection vulnerability in include/classes/tzn_user.php in TaskFreak! Original multi user before 0.6.4 allows remote attackers to execute arbitrary SQL commands via the password parameter to login.php. web.nvd.nist.gov | 6/30/10 1:00 AM
Vuln: PHP Bible Search 'bible.php' SQL Injection and Cross Site Scripting Vulnerabilities
PHP Bible Search 'bible.php' SQL Injection and Cross Site Scripting Vulnerabilities www.securityfocus.com | 6/29/10 1:00 AM
Vuln: Customer Paradigm PageDirector 'result.php' SQL Injection Vulnerability
Customer Paradigm PageDirector 'result.php' SQL Injection Vulnerability www.securityfocus.com | 6/29/10 1:00 AM
Vuln: PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability
PHP 'SplObjectStorage' Unserializer Arbitrary Code Execution Vulnerability www.securityfocus.com | 6/28/10 1:00 AM
CVE-2010-2509
Multiple cross-site scripting (XSS) vulnerabilities in 2daybiz Web Template Software allow remote attackers to inject arbitrary web script or HTML via the (1) keyword parameter to category.php and the (2) password parameter to memberlogin.php. web.nvd.nist.gov | 6/28/10 1:00 AM
Eclipse Helios Update Brings New PHP Tools
Latest PDT release from the Foundation will help improve the PHP development experience for developers. redir.internet.com | 6/26/10 12:13 PM
Zend Debuts PHP Server-Management System
With the release of Zend Server Cluster Manager, the commercial PHP vendor is aiming to corral the management of multiple large-scale deployments. redir.internet.com | 6/25/10 11:40 PM
Vuln: AbleSpace 'news.php' SQL Injection Vulnerability
AbleSpace 'news.php' SQL Injection Vulnerability www.securityfocus.com | 6/25/10 1:00 AM
CVE-2009-4906
Cross-site request forgery (CSRF) vulnerability in index.php in Acc PHP eMail 1.1 allows remote attackers to hijack the authentication of administrators for requests that change passwords. web.nvd.nist.gov | 6/25/10 1:00 AM
CVE-2010-2225 (php)
Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function. web.nvd.nist.gov | 6/24/10 1:00 AM
CVE-2010-2437
Cross-site scripting (XSS) vulnerability in class/tools.class.php in AneCMS Blog 1.3 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the comment variable to modules/blog/index.php. web.nvd.nist.gov | 6/24/10 1:00 AM
Vuln: getaphpsite.com Classifieds 'search.php' SQL Injection Vulnerability
getaphpsite.com Classifieds 'search.php' SQL Injection Vulnerability www.securityfocus.com | 6/22/10 1:00 AM
Vuln: The Uploader 'download_launch.php' Directory Traversal Vulnerability
The Uploader 'download_launch.php' Directory Traversal Vulnerability www.securityfocus.com | 6/22/10 1:00 AM
Vuln: Top Sites 'category.php' SQL Injection Vulnerability
Top Sites 'category.php' SQL Injection Vulnerability www.securityfocus.com | 6/22/10 1:00 AM
CVE-2010-2344 (odcms)
Multiple cross-site scripting (XSS) vulnerabilities in odCMS 1.06, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the Page parameter to (1) _main/index.php, (2) _members/index.php, (3) _forum/index.php, (4) _docs/index.php, and (5) _announcements/index.php. web.nvd.nist.gov | 6/21/10 1:00 AM
PHP generated code tricks
Something that is great about PHP is that you can write code that generates more PHP code to be used later. Now, I am not saying this a best practice. I am sure it violates some rule in some book somewhere. But, sometimes you need to be a rule breaker. A simple example is taking a database of configuration information and dumping it to an array. We do this for each publication we operate. We have a publication table. It contains the name, base URL and other stuff that is specific to that publication. But, why query the database for something that only changes once in a blue moon? We could cache it, but that would still require an on demand database hit. The easy solution is to just dump the data to a PHP array and put it on disk. <?php$sql = "select * from publications";$res = $mysqli->query($sql);while($row = $res->fetch_assoc()){    $pubs[$row["publication_id"]] = $row;}$pubs_ser = str_replace("'", "\\'", serialize($pubs));$php_code = "<?php global \$PUBLICATIONS; \$PUBLICATIONS = unserialize('$pubs_ser'); ?>";file_put_contents("/some/path/publications.php", $php_code);?> Now you can include the publications.php file and have a global variable named $PUBLICATIONS that holds the publication settings. But, how do we load a single publication without knowing numeric ids? Well, you could make some constants. <?php$sql = "select * from publications";$res = $mysqli->query($sql);while($row = $res->fetch_assoc()){    $pubs[$row["publication_id"]] = $row;    $constants[$row["publication_id"]] = strtoupper($row["name"]);}$pubs_ser = str_replace("'", "\\'", serialize($pubs));$php_code = "<?php\n";$php_code.= "global \$PUBLICATIONS;\n";$php_code.= "\$PUBLICATIONS = unserialize('$pubs_ser');\n";foreach($constants as $id=>$const){    $php_code.= "define('$const', $id);\n";}$php_code.= "?>";file_put_contents("/some/path/publications.php", $php_code);?> So, now, we have constants. 
We can do stuff like: <?php//load a publicationrequire_once "publications.php";echo $PUBLICATIONS[DEALNEWS]["name"];?>But, how about autoloading? It would be nice if I could just autoload the constants. <?php$sql = "select * from publications";$res = $mysqli->query($sql);while($row = $res->fetch_assoc()){    $pubs[$row["publication_id"]] = $row;    $constants[$row["publication_id"]] = strtoupper($row["name"]);}$pubs_ser = str_replace("'", "\\'", serialize($pubs));$php_code = "<?php\n";$php_code.= "class PUB_DATA {\n";foreach($constants as $id=>$const){    $php_code.= " const $const = $id;\n";}$php_code.= "    private \$pubs_ser = '$pubs_ser';\n";$php_code.= "}";$php_code.= "?>";file_put_contents("/some/path/pub_data.php", $php_code);?> Then we create a class in our autoloading directory that extends that object.<?phprequire_once "pub_data.php";class Publication extends PUB_DATA {    private $pub;    public function __construct($pub_id) {        $pubs = unserialize($this->pubs_ser);        $this->pub = $pubs[$pub_id];    }    public function __get($var) {        if(isset($this->pub[$var])){            return $this->pub[$var];        } else {            // Exception        }    }}?> Great, now we can do things like: $pub = new Publication(Publication::DEALNEWS);echo $pub->name; The only problem that remains is dealing with getting the generated code to all your servers. We use rsync. It works quite well. You may have a different solution for your team. Back when we ran our own in house ad server we did all the ad work this way. None of the ad calls ever hit the database to get ads. We stored stats on disk in logs and processed them on a schedule. It was a very solid solution. One more benefit of using generated files on disk is that they can be cached by APC or XCache. This means you don't have to actually hit disk for them all the time. brian.moonspot.net | 6/18/10 7:56 PM
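The generator above pastes database text straight into PHP source, so anyone who can edit a publication row can edit the code every server runs. The following is an added example, not code from Brian Moon's post: the same "dump the table to a PHP file" idea with the three checks a practitioner would want. Constant names are validated before they become identifiers, the data is emitted with var_export() as a plain array literal (no quote-escaping by hand and no unserialize() at include time; the page lists CVE-2010-2225 in the PHP unserializer from the same month, one more reason to keep that call off the hot path), and the file is written atomically so a request during a deploy never includes a half-written file. It assumes PHP 7.0 or later; the $rows array and the output path are constructed stand-ins for the query result and "/some/path/publications.php".

```php
<?php
// Added example (not from the original post): hardened publications-file generator.
// Assumptions: PHP 7.0+; $rows stands in for "select * from publications"
// (constructed sample data below); the output path is hypothetical.
declare(strict_types=1);

/**
 * Turn a publication name into a constant name, or refuse.
 * Database text is not a PHP identifier by default: "Deal News" or
 * "x; system('id');" must never be pasted into generated source.
 */
function constantNameFor(string $name): string
{
    $const = strtoupper($name);
    if (!preg_match('/^[A-Z_][A-Z0-9_]*$/', $const)) {
        throw new InvalidArgumentException("Not a valid constant name: $name");
    }
    return $const;
}

/**
 * Build the cache file's source. var_export() emits an array literal with
 * backslashes and single quotes already escaped, so the include needs
 * neither unserialize() nor hand-rolled quoting.
 */
function buildPublicationsSource(array $rows): string
{
    $pubs = [];
    $constants = [];
    foreach ($rows as $row) {
        $id = (int) $row['publication_id'];
        $const = constantNameFor((string) $row['name']);
        if (isset($constants[$const])) {
            throw new RuntimeException("Duplicate constant name: $const");
        }
        $pubs[$id] = $row;
        $constants[$const] = $id;
    }

    $src = "<?php\n// Generated from the publications table; do not edit by hand.\n";
    $src .= "class PUB_DATA {\n";
    foreach ($constants as $const => $id) {
        $src .= "    const $const = $id;\n";
    }
    // protected, not private: a Publication subclass has to read it.
    $src .= "    protected \$pubs = " . var_export($pubs, true) . ";\n";
    $src .= "}\n";
    return $src;
}

/**
 * Write atomically: rename() within one filesystem is atomic, so a request
 * that includes the file mid-deploy sees the old or the new version, never
 * a truncated one. The same concern applies to the rsync step.
 */
function writeAtomically(string $path, string $contents): void
{
    $tmp = $path . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $contents) === false) {
        throw new RuntimeException("Cannot write $tmp");
    }
    if (!rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("Cannot rename $tmp to $path");
    }
}

/**
 * Why escaping only the single quote is not enough: the two-character value
 * \' becomes \\' after str_replace, and inside a single-quoted PHP literal
 * \\ is one backslash, so the quote that follows closes the literal and the
 * rest of the serialized data is parsed as code. Returns true when PHP
 * rejects the generated source.
 */
function naiveEscapingBreaks(): bool
{
    $naive = str_replace("'", "\\'", serialize(['name' => "\\'"]));
    try {
        eval("\$x = unserialize('$naive');");   // deliberately the broken generator output
        return false;
    } catch (ParseError $e) {
        return true;
    }
}

// Constructed sample rows standing in for the database result set.
$rows = [
    ['publication_id' => 1, 'name' => 'dealnews',
     'base_url' => 'https://dealnews.example/', 'tagline' => "Today's \\ deals"],
    ['publication_id' => 2, 'name' => 'techbargains',
     'base_url' => 'https://techbargains.example/', 'tagline' => ''],
];

$path = sys_get_temp_dir() . '/publications.php';   // hypothetical location
writeAtomically($path, buildPublicationsSource($rows));
require $path;
echo PUB_DATA::DEALNEWS, "\n";
var_dump(naiveEscapingBreaks());
```

Run it once and inspect the generated file: the tagline with the quote and the backslash comes back intact because var_export did the escaping, and naiveEscapingBreaks() shows that the original str_replace approach turns a single odd value into a parse error, which with a differently shaped value would instead be executed as code. If publication names need to stay free-form, keep a separate, validated "constant name" column rather than deriving identifiers from display text.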
CVE-2010-2341
PHP remote file inclusion vulnerability in system/application/views/public/commentform.php in EZPX Photoblog 1.2 beta allows remote attackers to execute arbitrary PHP code via a URL in the tpl_base_dir parameter. web.nvd.nist.gov | 6/18/10 1:00 AM
Bugtraq: [security bulletin] HPSBUX02543 SSRT100152 rev.1 - HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access,
[security bulletin] HPSBUX02543 SSRT100152 rev.1 - HP-UX Running Apache with PHP, Remote Denial of Service (DoS), Unauthorized Access, www.securityfocus.com | 6/17/10 11:24 PM
CVE-2010-2315
PHP remote file inclusion vulnerability in picturelib.php in SmartISoft phpBazar 2.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the cat parameter. web.nvd.nist.gov | 6/17/10 1:00 AM
Down
In this post I will explain how to install Nginx with PHP 5.3.2 and PHP-FPM on Ubuntu Lucid Lynx. www.topix.net | 6/16/10 9:28 AM
Vuln: HLstatsX CE 'hlstats.php' SQL Injection Vulnerability
HLstatsX CE 'hlstats.php' SQL Injection Vulnerability www.securityfocus.com | 6/14/10 1:00 AM
Blog Post: MSDEV Offers Videos, Lab for PHP on Windows Azure Platform
This series of Web seminars and labs from MSDEV is designed to quickly guide PHP developers on how to work with Windows Azure. www.topix.net | 6/12/10 6:40 PM
CVE-2009-4884 (phpcom)
Multiple SQL injection vulnerabilities in phpCommunity 2 2.1.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via (1) the forum_id parameter in a forum action to index.php, (2) the topic_id parameter in a forum action to index.php, (3) the wert parameter in an id search action to index.php, (4) the wert parameter in a nick search action to index.php, or (5) the wert parameter in a forum search action to index.php, related to class_forum.php and cl... web.nvd.nist.gov | 6/11/10 1:00 AM
CVE-2009-4892 (webjump!)
SQL injection vulnerability in Content Management System WEBjump! allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) portfolio_genre.php and (2) news_id.php. web.nvd.nist.gov | 6/11/10 1:00 AM
CVE-2009-4889 (book_panel)
SQL injection vulnerability in books.php in the Book Panel (book_panel) module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the bookid parameter. web.nvd.nist.gov | 6/11/10 1:00 AM