PHPSecInfo

Friday, December 22, 2006

PHPSecInfo: New release (0.1.2), new plans

First off, a new build of PHPSecInfo is out: Version 0.1.2, build 20061218. Here’s what’s new:

  • Code is now licensed under “New BSD” license. See LICENSE

  • Added PhpSecInfo_Test_Core_Allow_Url_Include to test for allow_url_include in PHP5.2 and above

  • Fixed bug in post_max_size check where upload_max_size value was being checked

  • Changed curl file_support test to recommend upgrading to newest version of PHP rather than disabling support in cURL for ‘file://’ protocol

  • Removed =& calls that force pass by reference in PHP4, so as to not throw PHP5 STRICT notices. It means passing objects by value in PHP4, but this seems acceptable for our purposes (memory usage isn’t terribly high).

  • Fixed bug in PhpSecInfo_Test_Session_Use_Trans_Sid where wrong ini key was requested (Thanks Mark Wallert)

  • New, detailed README file with explanations and basic usage instructions

  • Now providing an md5 hash for releases

Here’s what I’m planning to do in the next few releases:

  1. More detailed test results, including the current and recommended settings
  2. A web-based “glossary” with more details on each test & how to fix problems
  3. More tests!!! I especially need your help with this one!

I’m also going to look into options to reformat the test result structure, so it plays more nicely with templating systems. No promises on how this will go, but we’ll see.

Posted in General, PHPSecInfo, InfoSec, PHP by funkatron on 12/22 at 05:06 PM

Tuesday, October 24, 2006

New PHPSecInfo build out (20061023; v0.1.1)

This version fixes the errant Notices we were getting, makes it easier to extract test data for your own nefarious purposes, and fixes a bug with the curl file protocol test on PHP4. The latter unfortunately just skips the test on PHP4 because I’m not sure how to do the check; suggestions are welcome.

Download: http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip

Docs: http://phpsec.org/projects/phpsecinfo/docs/

What’s new: v0.1.1

  • Added PhpSecInfo::getOutput(), PhpSecInfo::loadAndRun() and PhpSecInfo::getResultsAsArray() methods

  • Modified PhpSecInfo::runTests() to fix undefined offset notices

  • Modified PhpSecInfo_Test::setMessageForResult() to fix undefined offset notices

  • Modified PhpSecInfo_Test_Curl_File_Support to skip if PHP version is < 5 (detection of file protocol support relies on PHP5 version of curl_version)

Posted in PHPSecInfo, InfoSec, PHP by funkatron on 10/24 at 11:14 AM

Saturday, October 21, 2006

Interview at Zend Developer Zone

I decided to not be all self-deprecating as I usually am with things like this, and admit that I’m really happy and proud to say that I was interviewed by Cal Evans for the Zend Developer Zone.

I guess the first question that comes to my mind is “Why did you build this?”
I built it because there was no good way to audit the security settings in your PHP.INI or your PHP environment. The average PHP user I feel is someone who can use an installer to install scripts on their server, get them running and do a little customization or hack up some code but they are not educated developers. These users have no easy way to check how secure their environment is. So I wrote PHPSecInfo to give these users something easy to run and present the information in a format they are already familiar with.

Read the rest »

Posted in General, PHPSecInfo, PHP by funkatron on 10/21 at 08:27 PM

Friday, October 20, 2006

PHPSecInfo Launched; Celebrity Status Imminent

So we finally went public with PHPSecInfo as an official project of the PHP Security Consortium.

http://phpsec.org/about/news/20oct2006.html

http://phpsec.org/projects/phpsecinfo/

http://phpdeveloper.org/news/6543

I just was interviewed by Cal Evans for the Zend Developer Zone, which was pretty cool — it was nice to talk to him again. He said the story should be posted sometime this weekend or Monday.

Posted in General, PHPSecInfo, PHP by funkatron on 10/20 at 02:43 PM