[OWASP-ESAPI] PHP Port

Andrew van der Stock vanderaj at owasp.org
Tue Mar 3 08:44:41 EST 2009


Hi all,

I've just come back from OWASP AU, where I managed to find some  
additional victims to help with the effort. The port is still in the  
earliest days, so we have a lot of leeway in how the port is coded and  
which classes are first.

I want to make sure we target supported PHP versions, so the minimum  
version during development will be PHP 5.2.6 - 5.2.9, with 5.3  
compatibility. Eventually, we will move to namespaces, et al, offered  
by 5.3.0, but not for a while, and probably not until PHP 6.0  
eventually comes out.

I think we will have to use mb_string to manage Unicode characters in  
PHP until PHP 6.0 comes out. However, mb_string is an optional PECL  
install. I am really in some doubt about it as not many hosters have  
bothered to re-compile PHP to include it or make PEAR / PECL work for  
their shared hosting customers. Maybe do it that way first, and then  
work on back compat later if we get stuck?

PHP 4 will not be supported - it's already EOL'd, it doesn't have  
enough OO support to produce a faithful rendition of the J2EE ESAPI,  
and more to the point, is practically unsecurable. By the time we  
finish ESAPI for PHP, PHP 4 support will be a moot point.

I am looking for volunteers to take on a class or two, port "their"  
classes from the J2EE reference implementation and write test cases in  
SimpleTest to prove that it does what it says it does on the label. If  
you're interested, please contact me. If you're an older volunteer  
(i.e. folks from MN, etc), please get into contact with me, and we'll  
get this baby rolling!

thanks,
Andrew



On 03/03/2009, at 10:28 AM, Jeff Williams wrote:

> Hi!
>
> Let’s see if Andrew can give us an update on the project.
>
> --Jeff
>
>
>
> From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Bryan Waters
> Sent: Monday, March 02, 2009 5:10 PM
> To: owasp-esapi at lists.owasp.org
> Subject: [OWASP-ESAPI] PHP Port
>
> I'm looking for the maintainers and/or mailing list for the php port.
> I see a google code project with some interfaces but no mention of  
> it on the OWASP Wiki.
>
> I'm trying to shore up some XSS vulnerabilities in a widely deployed  
> php shopping cart and started hacking away at some custom functions  
> based on the Java implementation.  I just found the Google project  
> this morning and have some questions.
>
> What version of php are you trying to target?
> What type of unicode support are you targeting?
> What modules are required mb_string, etc....???
>
> Thanks to all for putting together the OWASP docs and actually  
> writing some code - at the very least it keeps me from scouring the  
> entire web looking for "random security tips"
>
>
> -- 
> Bryan Waters
> SolutionsbyWaters.com
> IT and Web Solutions to Business Problems
>
> Cell: 903-360-3858
>
>

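Picking up Andrew's point about using mb_string for Unicode and Bryan's question about shoring up XSS in a PHP shopping cart, here is an added example of a whitelist-style output encoder, written for this page rather than taken from the ESAPI PHP project or from either poster; the class name ExampleHtmlEncoder and the sample product string are constructed, and it assumes PHP 5.2 with the mbstring extension loaded:

```php
<?php
// Added example, not code from the ESAPI PHP project: a whitelist-style HTML
// encoder in the spirit of the Java ESAPI Encoder, using mbstring so UTF-8 is
// handled per character rather than per byte. PHP 5.2 syntax, no namespaces.
class ExampleHtmlEncoder
{
    public function __construct()
    {
        // mbstring is optional on many shared hosts: fail closed rather than
        // silently falling back to byte-wise string functions.
        if (!extension_loaded('mbstring')) {
            throw new RuntimeException('mbstring extension is required');
        }
    }

    // Encode untrusted data for insertion into HTML element content.
    // Everything except [A-Za-z0-9] becomes a numeric character reference,
    // so the data cannot change the HTML context it is placed in.
    public function encodeForHTML($input)
    {
        if ($input === null || $input === '') {
            return '';
        }
        // Reject malformed UTF-8 instead of encoding it: overlong or truncated
        // sequences are a common way to slip bytes past a filter.
        if (!mb_check_encoding($input, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        $out = '';
        $len = mb_strlen($input, 'UTF-8');
        for ($i = 0; $i < $len; $i++) {
            $ch = mb_substr($input, $i, 1, 'UTF-8');
            if (preg_match('/^[A-Za-z0-9]$/', $ch)) {
                $out .= $ch;
                continue;
            }
            // mb_ord() only exists from PHP 7.2; UCS-4BE yields the code point.
            $ucs4 = mb_convert_encoding($ch, 'UCS-4BE', 'UTF-8');
            $out .= '&#x' . dechex(hexdec(bin2hex($ucs4))) . ';';
        }
        return $out;
    }
}

// Constructed sample input: a product name as a shopping cart might store it.
$enc = new ExampleHtmlEncoder();
echo $enc->encodeForHTML('O\'Neil <b>"Special"</b> & Grüße'), "\n";
```

The encoder deliberately refuses invalid UTF-8 and missing mbstring rather than degrading, which is the behaviour a SimpleTest case for a ported Encoder class should pin down.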