Thanks for the tip. This is what I am talking about. Even with an error like
the one you mention below, preferably the page should die nicely and not
output a bunch of secret info or other stuff to the client. I am generally
careful to prevent that from happening in all my dealings with my MySQL db
by checking all the db connections, results, and things, and killing the
execution if there was some error. This works well. But I am sure I have not
covered every possibility.

I am mainly looking for a list of links or textbooks that outlines some of
these things. 

Johan


-----Original Message-----
From: Seb Frost [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 31, 2001 9:57 AM
To: Alfredeen, Johan; [EMAIL PROTECTED]
Subject: RE: [PHP] PHP Security


Great question - I'd love to know too.

I can give you one hint.  Make sure that you validate any variables passed
in the url.  I had a script that should take an integer, and realised if
someone put in a fraction or text then the script output errors to the html
page showing file and directory names that I wanted hidden.

To solve this I used:

function SecureInt($var,$default)
{
        // Guard with is_numeric() before doing arithmetic: on current PHP
        // versions "text"*1 raises a warning or a TypeError instead of
        // quietly giving 0 as it did in PHP 4.
        // Note: 0 is treated as "not an integer" here and becomes $default.
        if (is_numeric($var) && ($var!=0) && ($var*1!=0) && is_int($var*1))
        {
                $var=$var*1;
                //echo "is int";
        }
        else
        {
                $var=$default;
                //echo "is not int";
        }
        return($var);
}

$intvar = SecureInt($intvar,1);


- seb
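An added example (not Seb's or Johan's code) that puts both points from this thread together on current PHP: the integer from the URL is validated with the built-in filter before it touches the database, and any failure is logged server-side while the client only sees a generic message, so no file names, paths or query text reach the HTML page. It assumes a hypothetical table `pages` with an integer `id` column and uses placeholder credentials.

```php
<?php
// Added example, not code from the original thread.
// Assumes a hypothetical table `pages` (id INT, title TEXT); credentials are placeholders.

// Never print errors to the browser; record them in the server log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Validate a query-string parameter as an integer within a sane range.
// FILTER_VALIDATE_INT rejects fractions, text, empty strings and overflow;
// a missing or invalid value falls back to the supplied default.
function secure_int(string $name, int $default, int $min = 1, int $max = PHP_INT_MAX): int
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return ($value === false || $value === null) ? $default : $value;
}

// Make mysqli throw exceptions rather than emit warnings that could land in the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$id = secure_int('id', 1);

try {
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    // Prepared statement: the validated integer is bound, never interpolated into SQL.
    $stmt = $db->prepare('SELECT title FROM pages WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        http_response_code(404);
        exit('Not found.');
    }
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Full detail goes to the server log; the client gets only a generic message.
    error_log('DB error in ' . __FILE__ . ': ' . $e->getMessage());
    http_response_code(500);
    exit('Sorry, something went wrong.');
}
```

Requesting the script with `?id=1.5` or `?id=abc` yields the default id rather than an error, and a failed connection or query produces a plain 500 page with the detail only in the log.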

-----Original Message-----
From: Alfredeen, Johan [mailto:[EMAIL PROTECTED]]
Sent: 31 August 2001 15:54
To: [EMAIL PROTECTED]
Subject: [PHP] PHP Security


I am looking for a good, practical tutorial on what I should be doing as a
developer to create a secure web site (PHP related). I have looked in my PHP
text and searched the web, but haven't found anything really useful. I am not
interested in Apache or OS security, as this is -hopefully- taken care of by
my webhost. So if you know of a good guide, online or off, please
contribute.

Thanks,

Johan
PongWorld.com


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
