Stephen van Egmond schrieb:

I was going to reply to Phil Driscoll's post (from Friday) about
E_SECURITY warning level, but thought it might belong better in a
different thread.

This thread is for collecting some ideas for security enhancements that
can happen in PHP, besides the already-known register_globals.

My idea:

Have PHP reject (fail to process, die, whatever) a hit that is
anomalous. Definitions of anomalous:

1. GET variables set while METHOD != GET

        <form action="foo.php?x=1" method=POST>

   This is a major point of attack identified in the "study in
Scarlet".  Although I can imagine the above being a programming
technique someone, somewhere, has used, future releases might
reasonably default to rejecting hits that attempt it.

2. when a uploaded file fails is_uploaded_file().

   I felt bad when I saw is_uploaded_file() introduced - it is such a
cheezy function call; people shouldn't even have to call it themselves,
and I can imagine no situation (except for laziness) that you would not
call it.

Other ideas?

      (. .)
+--ooO-(_)-Ooo----------------- ----- ---- -- - - -  -
| rec.arts.int-fiction archive and research library:
| http://bang.dhs.org/if/

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to