Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.
The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.
It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).
WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!
Read his post for all the gory details.
In a recent episode of Build & Analyze Marco Armet (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*. The solution, use bcrypt.… Continue reading Assault on the Hash (or how to make secure your passwords)
Upload progressbars are pretty common on the web these days, they add a touch of feedback to the long and mysterious process of uploading a file to a website. Unfortunately, the most common methods for doing so involve flash or baring that PHP addons that require a recompiling. In this post I’m going to talk about… Continue reading How To: File Upload Progress Bar. No Flash. No PHP addons.
To scale at Digg they followed a set of practices very similar to those used at eBay. No joins, no foreign key constraints (to scale writes), primary key look-ups only, limited range queries, and joins were done in memory. When implementing the comment feature a 4,000 percent increase in performance was created by sorting in… Continue reading DIGG: 4000% PERFORMANCE INCREASE BY SORTING IN PHP RATHER THAN MYSQL
When ordering lists of names or titles it’s sometimes desirable to exclude articles or other words from the order clause (eg. you want “The Burning Hell” to show up before “Great Lake Swimmers” in a list ordered by name). Early on in my career I must have assumed it was not possible and never bothered… Continue reading How To: Exclude Words Like “An, A, The” From Alphabetized MySQL ORDER