Use the following PHP code to encode Microsoft Office Word special formatting characters (like m dash, bullets, typographic quotation marks, etc) as HTML entities.

Read the rest of this entry »

In Plesk, you can disable on a per-domain basis PHP’s safe_mode. Before doing this though, be advised that disabling safe_mode could lead to security risks for all of your domains on the server. Read the rest of this entry »

Running a check on Apache’s default logs (/var/log/httpd/access_log), I found attempts to exploit the server thru a “backdoor” in Horde.

I haven’t fully checked what could be done with this exploit but certainly leaving the affected script unprotected is an open invitation for trouble. Read the rest of this entry »

When working with new programmers, and sometimes even experienced ones, I found that most of the time they would know how to solve a problem and code its solution but they wouldn’t be aware of security related implications. In this article, I’ll show how to improve security on PHP forms that use mail().

For a very simple Web site, a common usage of PHP is to create a contact form that will received visitor’s information and send it thru mail to the responsible of the Web site. The solution to this task is quite easy: create a form on HTML which will do a POST of the fields to a PHP script, and on the script use PHP’s mail() function to send the email with the provided information. If you want to have a more flexible solution, you could even receive on the script the recipient’s address, subject or some headers for the message.

Read the rest of this entry »

While I was designing a system that needed to send mass-customized emails from PHP, I faced two problems: a) change the envelope address (Return-path: header) and b) (most important) avoid overloading the server when sending the messages because of virus check.

Basically, I wanted to use a different sendmail configuration file from PHP to skip the relay-mail virus check from Amavis.

Read the rest of this entry »