PHP, PDO & HP Vertica

As part of my new role, we’ll be working with HP’s Vertica for some of the data storage. I’ve been struggling the last few days to get it working on a Vagrant-provisioned linux box (VirtualBox) and finally have the process down. I thought I’d share it for those out there needing some help. I’m working with a Ubuntu server box, but these instructions could be pretty easily adapted to other distros:

1. Ensure you have the Unix ODBC package installed. This is what PDO uses to connect to the Vertica instance:

sudo apt-get -y install unixodbc

2. Ensure that your PHP installation has PDO support with ODBC handling:

php -m | grep -i odbc

You should see something like “PDO_ODBC” there if it’s installed.

3. Grab the latest Vertica linux drivers from the My.Vertica site (requires a login). Click on the Downloads section and scroll all the way down to the drivers. Grab the right ones for your linux installation. I used the Linux ODBC 64-bit.

4. Make a “/opt/vertica” directory on your system and untar the archive there.

sudo mkdir /opt/vertica
sudo tar zxvf vertica-odbc-6.1.3-0.x86_64.linux.tar.gz -C /opt/vertica/ > /dev/null

5. Create the configuration files where needed. There’s three of them – odbc.ini, odbcinst.ini and vertica.ini. Here’s the examples and the paths for them:

In /etc/odbc.ini:

[VerticaDev]
Description = Vertica Dev
Driver = /opt/vertica/lib64/libverticaodbc.so
Port = 5433
ServerName = your-hostname-here.com
DatabaseName = database-name
UserId = database-username
Driver = Vertica

In /etc/odbcinst.ini:

[Vertica]
Description = Vertica driver
Driver = /opt/vertica/lib64/libverticaodbc.so

In /etc/vertica.ini:

[Driver]
DriverManagerEncoding=UTF-16
ODBCInstLib = /usr/lib/x86_64-linux-gnu/libodbcinst.so.1
ErrorMessagesPath=/opt/vertica/lib64
LogLevel=4
LogPath=/tmp

If all goes well, you should be able to make a script like this to test it:

<?php
$dbName = 'your-database-name';
$hostname = 'your-hostname.com;
$account = 'your-username';
$password = 'your-password';
$driver = 'Vertica';

$dsn = 'Driver='.$driver.';Server='.$hostname.';Database='.$dbName;
$pdo = new PDO('odbc:'.$dsn, $account, $password);
var_export($pdo);
?>

The Usual Suspects…now with XSS!

I’ve just pushed the latest update of the most recent book in the Securing PHP ebook series – The Usual Suspects – and included an entire chapter covering cross-site scripting:

Next we come to something that’s probably a bit more widely known but often misunderstood, especially when it comes to the power that it offers to the attacker. Part of the confusion comes from the name of the attack. When you think about the attack method an XSS vulnerabilities allows, the only thing “cross site” about it is that it can possibly come in as a link from another site. Other than that, a cross-site scripting vulnerability can be more closely associated with injection. In fact, the main reason a site might have a cross-site scripting issue is because of improper output escaping.

This new chapter has loads of information about the different types of XSS issues, the different contexts it can happen in and plenty of code and configuration examples of how to prevent them. If you haven’t picked up a copy of it yet, there’s no time like the present!

Don’t forget about the first book in the Securing PHP series too! Core Concepts is a great introduction to security terminology, methods and principles that can help you lay a good foundation for more secure applications.

Securing PHP: The Usual Suspects Released

I’m happy to announce that the next book in the popular “Securing PHP” ebook series has been released – “Securing PHP: The Usual Suspects”!

You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn’t you do everything you can to keep that trust?

Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you’re a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn’t provide the useful, concrete examples you need to be a more effective and secure developer. I’ll provide this foundation on topics like:

  • Cross-site scripting, what it is and how to prevent it
  • Poor authentication and authorization practices
  • Preventing several types of injection
  • Auditing potentially vulnerable components
  • Protecting your users’ sensitive data

This book will help you sleep better at night knowing you’ve put in the time and work to protect your applications and the users that trust it.

You can grab a copy of it over on LeanPub right now for just $19.99 USD. The book is on an incremental rollout schedule, so right now just the first two chapters are included. The first covers various injection types (including SQL injection, one of the most widespread) and how to prevent them in your applications. The second chapter covers some of the common problems around authentication and authorization.

Securing PHP: Core Concepts Released!

I’m happy to announce that my latest labor of (PHP) love has officially been released – the Securing PHP: Core Concepts ebook is now available over on LeanPub. It’s been a project I’ve been tossing around for a while now and, with encouragement from the stories of others, finally made it a priority.

I’m really happy with how the book turned out – here’s a summary of the book in case you hadn’t see it yet:

Security is a big topic. I mean *really* big. If you break it down into little chunks, there’s lots of important bits to pay attention to but it all really starts with the application. Without good secure coding practices, your application could be doomed from the start. We as PHP developers have had trouble in the past integrating these practices into our day to day development. This book walks you through some of the most common terms and practices, giving you a better picture of the whole of application security.

I’ve just put it on sale this morning and it’s already getting a great reception. You can find out more about the book and pick up a copy on the Securing PHP: Core Concepts ebook page on LeanPub.

Thanks and happy reading!

PHP Security Intro on O’Reilly’s Programming blog

The article I wrote for the O’Reilly Programming blog has been published this morning – Preventing Problems in PHP Security. In it I talk about three of the major threats (the top three from the OWASP Top 10) – SQL injection, Cross-site scripting and Cross-site request forgeries – and some basic methods of how to prevent them.

I do want to put a disclaimer on the article, though…as one person pointed out already, this article is definitely not comprehensive as far as the methods of prevention. The purpose was to raise awareness about some of the most basic methods for prevention to hopefully spark further research. There’s also a few websec.io articles that can help if you’re looking for more information:

If you’re not already familiar with the concepts behind the OWASP Top 10, I’d definitely suggest you at least read through the latest version to get an idea of what some of the most prevalent threats are out there.

Starting Secure Development

As I’m trying to get back into some more regular article writing for the websec.io security tutorial site, I thought I’d ask on Twitter for some of the things people might be interested in reading. I thought I’d gather them all up and share them here (since Twitter is sooo good at tracking this kind of thing…). There were some good responses and some things I hadn’t thought about yet:

> Top 10 pitfalls and how to avoid them. @calevans
> how to actually filter input and escape output correctly. @skoop
> I’d like the ability to answer to the question “Is it safe?” with confidence. @AmyStephen
> Data sanitization, escaping, and authentication. @codeguy
> how to test for secure code. @scottmattocks
> One of my largest stumbling blocks has been learning how to write proper (library-less) templates in a secure and flexible manner. @mkmcdonald

You can see all of the responses here. There’s a few articles related to these posted already:

If you have any other suggestions let me know!

iniscan: a security scanner for php.ini

I do a lot of talking at conferences and in the articles I write about application security, mostly in PHP. There’s been a resurgence of interest in creating secure applications and some of the best practices around it. There’s lots of examples of bad code out there but thankfully there’s a growing base of good reference materials that show how to Do Things the Right Way too. Most of these focus on good code practices, though, and don’t think too much about something fundamental to the PHP language and key to any installation – the php.ini configuration.

PHP’s configuration has quite a few settings (and is getting more all the time) so it can be confusing to have to keep it all straight and be sure you’re “thinking secure” in your app’s setup. There’s lots of sites out there that offer recommendations about how you should set up your config file to follow along with the best security practices, but they’re either all the same thing (copy and pasted?) or refer to settings that are now deprecated. So, in an effort to make it easier for developers (and sysadmins) to set up a php.ini file with a more secure configuration, I created the “iniscan” tool (catchy name, huh?).

I want to thank Ed Finkler for the foundational work he did on the PHPSecInfo project a few years back. PHPSecInfo was a web-based tool that you could load in a browser and report back similar information as what the iniscan tool reports. A lot of the rules in the iniscan tool are inspired by the ones he defined.

The tool runs from the command line and evaluates the php.ini file you’ve given it and evaluates it based on a set of pre-defined rules to provide a pass/fail grade on your current configuration. The goal behind it was to create something that was easy to install and easy to use to reduce the barrier for adoption and lead to an increased awareness about what a hardened php.ini looks like.

You can install it using Composer and call the command line “scan” command to get the results. They look something like:

== Executing INI Scan [11.09.2013 01:51:13] ==

Results for /private/etc/php.ini:
============
Status | Severity | Key                      | Description
----------------------------------------------------------------------
PASS   | ERROR    | session.use_cookies      | Must use cookies to manage sessions
FAIL   | WARNING  | session.cookie_domain    | It is recommended that you set the default domain for cookies.
PASS   | ERROR    | session.cookie_httponly  | Setting session cookies to 'http only' makes them only readable by the browser
FAIL   | WARNING  | session.save_path        | Path /tmp is world writeable

[...more test results...]

15 passing
6 failure(s)

Each of the tests gets a pass/fail grade with a bit of color-coding to help the really bad issues stick out a bit more. It looks at settings like:

  • session.cookie_httponly
  • register_globals
  • safe_mode
  • allow_url_fopen
  • expose_php
  • register_long_arrays

…and more. The tool, by default, reports back the information in a “table” output directly back to the command line. There’s options you can pass in that will change the output format into something a bit more machine-friendly (like JSON and XML).

If this sounds interesting to you, check out the github repo for it and try out the latest version (v2.5 at the time of this post). I definitely welcome feedback so I can help make this an even better tool for the PHP community overall. Many thanks to the PHP community members that have already contributed back to the project – Eric Hogue, Jeremy Cook, Hari KT and Alexandru G!

iniscan