on 03/07/02 11:36 PM, Jean-Christian Imbeault ([EMAIL PROTECTED]) wrote:

> In general how does one go about hardening a PHP script. i.e. making it
> as "hacker-proof" as possible. General things like:

I think the general answer is "you can't", but you can make it more secure.

> - verifying user inputted data

"verify user inputted data" means nothing... you should take a specific example, like "make sure a text box is less than 500 words, contains only <B> <BR> <I> & <U> tags, and starts with a capital letter", and then let us help you solve it.

Obviously verifying a date is different to a password, verifying that a certain select box was selected is different from making sure that their phone number contains only numbers, etc etc.

The string functions will do most of this for you with very little effort. empty(), isset(), strlen(), is_int(), is_str(), strip_tags(), ereg() & eregi() and many others will all help, but you need to approach them one at a time.

You should also be concerned about character sets.

If you wanna get anal about it, you should be using register_globals OFF in your php.ini file, and should be treating any $_GET var as unsafe, and same with all other such variables (cookies, sessions, post, etc).

> - not putting clear-text passwords in php scripts

A thread started in here about two weeks back with the subject "Keeping "Secrets" in PHP Files"... you should read that end-to-end... HEAPS of information.

> - use "safe-mode"?

I have no idea about safe mode.

This list really does work best (ie best results for you) if you come to us with a specific problem, rather than something general.

Justin French

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
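The specific text-box check Justin uses as his example, written out as a PHP validator; this is an added example, not code from the thread, and the field name 'comment', the sample inputs and the word-count cut-off of "500 or more" are assumptions made here.

```php
<?php
// Added example, not from the original thread: validates the text box
// Justin describes (under 500 words, only <B> <BR> <I> <U>, capital start).
// The 'comment' field name and the sample inputs are constructed.
// Allowed tags must appear in bare form only (no attributes).
const ALLOWED_TAG_RE = '#^</?(b|br|i|u)\s*/?>$#i';

// Returns null when $raw passes, otherwise a short reason string.
// $raw is treated as untrusted bytes straight from $_POST / $_GET.
function validateComment(string $raw): ?string
{
    // Character-set check first: reject bytes that are not valid UTF-8.
    if (preg_match('//u', $raw) !== 1) {
        return 'not valid UTF-8';
    }

    // Every '<' must open a complete tag, and every tag must be allowed.
    preg_match_all('/<[^>]*>/', $raw, $m);
    if (substr_count($raw, '<') !== count($m[0])) {
        return 'stray < character';
    }
    foreach ($m[0] as $tag) {
        if (preg_match(ALLOWED_TAG_RE, $tag) !== 1) {
            return "disallowed tag: $tag";
        }
    }

    // Judge word count and first letter on the text with tags removed.
    $text = trim(strip_tags($raw));
    if ($text === '') {
        return 'empty';
    }
    if (str_word_count($text) >= 500) {
        return 'too long (500 words or more)';
    }
    if (preg_match('/^\p{Lu}/u', $text) !== 1) {
        return 'must start with a capital letter';
    }
    return null;
}

// Constructed inputs, as they would arrive in $_POST['comment'].
$samples = [
    'Hello <b>world</b>,<br/>this is <i>fine</i>.',
    'lowercase start is rejected',
    'Tag with attribute <b class="big">is rejected</b>',
    'Other tags like <img src="x"> are rejected',
];
foreach ($samples as $s) {
    printf("%-55s => %s\n", $s, validateComment($s) ?? 'OK');
}
```

Comparing each tag against a whitelist of bare forms is stricter than strip_tags() alone, which keeps any attributes on the tags it allows.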