Hey all,
I am new to this list so if this topic has already been beaten to death let me
know.
I assume that many of you have already read this article
http://lwn.net/2001/0704/a/study-in-scarlet.php3
about many of the basic security risks you need to be aware of when developing
in PHP. I was curious what ideas have already been covered in the areas of stopping
this. I also wanted to offer up my own suggestion.
It seems that all the issues arise from the feature that sets PHP variables to
be form variables. The cleanest solution I can think of (albeit it breaks backward
compatibility) would be to split the namespace of form variables. If normal or
session variables stayed as $foo and $bar then form variables would be %foo and %bar,
or something similar. Breaking backward compatibility is bad but it would allow
future applications to be free of these dangers and could be something set in the
php.ini or rather a directive in the php script to allow old and new style scripts on
the same server.
If there is work already being done in this area please point me to where I
can read more about it. PHP is far and away the best web development language and is
really only hindered by security issues like this.
Orion
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
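An added example, not code from the post or from the LWN article it links to, showing the register_globals problem the post describes and the defensive pattern that avoids it. `$stored_password` is a constructed value and `show_admin_page()` is an assumed helper; `$_POST` is the request array PHP introduced after this post (on PHP 4.0 the equivalent is `$HTTP_POST_VARS`).

```php
<?php
// Constructed sample value for the example; a real script would load this
// from its own storage, never from request input.
$stored_password = 'example-only';

// Assumed helper, standing in for whatever the protected page does.
function show_admin_page() { echo "admin page\n"; }

// ---- Fragile pattern (register_globals = On) ----
// $authorized is only assigned on success and never initialised, so a
// query string or form field named "authorized" is imported as a global
// before this code runs and the second check passes without a password.
if (isset($HTTP_POST_VARS['password'])
    && $HTTP_POST_VARS['password'] == $stored_password) {
    $authorized = true;
}
if (isset($authorized) && $authorized) {
    show_admin_page();
}

// ---- Hardened pattern ----
// 1. Initialise every internal variable before use, so a client-supplied
//    global can never stand in for one the script forgot to set.
// 2. Read input only from the request arrays, never from bare globals.
//    This is, in effect, the separate namespace for form variables that
//    the post asks for: $_POST['foo'] instead of a bare $foo.
// 3. Set register_globals = Off in php.ini so the import never happens.
$authorized = false;
$password   = isset($_POST['password']) ? (string) $_POST['password'] : '';
if ($password !== '' && $password === $stored_password) {
    $authorized = true;
}
if ($authorized === true) {
    show_admin_page();
}
```

With register_globals off, the first block's `$authorized` can only be set by the script itself, which is why the directive was later disabled by default.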