As I mentioned earlier this month, I have a series of announcements I’ll be making as this summer rolls on by. The first announcement won’t fully be revealed until Arbor Day, April 28, 2006. In the meantime, this is the first post in a series that will continue until that date, and each post will give you a little more information about what is in store in a brief and topical manner.

Before I go on, please visit this teaser page. Enter your e-mail address if you like. Visited the page yet? Good, now I can begin talking about Willowgarden.

As PHP developers, we’re used to the fact that PHP doesn’t solve all our problems when it comes to security. In fact, PHP has had some weak security issues dogging it for some time, due to design mistakes made in a bygone era. Thankfully, these are largely avoidable with proper configuration. Nevertheless, we still have to make conscious decisions about the security of our Web sites and applications.

First, there’s the problem of tainted input data. Any time you let someone send information to your site using a form, you open yourself to risks. There’s the risk of input data corrupting a database. There’s the risk of input data altering the behavior of your code. There’s the risk of input data altering output HTML, scripts, etc. in evil ways. But it doesn’t even stop there. The very URLs accepted by your site can be subject to hacking if you aren’t careful. Clearly, this is something every competent PHP programmer has to deal with every time they create a new Web site.

Second, there’s the problem of access control. Nearly every Web site these days is a true application and allows users and administrators to edit content. With this fundamental shift in the nature of site design comes the serious question of who has access to what content. And once you determine that, how are people going to access those editing features? It isn’t enough just to stick a simple login form in an “admin.php” file and you’re done. There needs to be a secure and fool-proof way to protect every single access point in your application, every single URL if need be, from any of the various kinds of operations you don’t want users or groups of users to be able to perform.

Willowgarden aims to solve these problems by providing clear, concise, and obvious tools to developers that allow them to make conscious and informed decisions about the security of their Web applications.

This entry was posted on Monday, April 24th, 2006 at 1:37 pm and is filed under Design Philosophy, Willowgarden. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.