Chris Shiflett wrote:
> Jean-Christian Imbeault wrote:
>> In general how does one go about hardening a PHP script. i.e. making
>> it as "hacker-proof" as possible
There is no such thing as a 100% secure solution (this applies to
everything running on a computer, PHP included). But basically you can
make it pretty secure. Then again, quite a lot depends on what you are
going to write. Govt/Banks need much more defense than a small/midsized
commercial site (and are capable to pay for it). You can basically be
happy with some care in you development, just make sure your customers
do understand the amount of time this is going to take and are ready to
pay for it. Then let them decide themselves, but if you see they choose
a risky path in order to save budget money do write them a formal
letter, in which you acknowledge the problem. Many customers do not
think they need security until it's too late, then they get mad at you
because they did not want to buy the extra time for secure coding. So
make sure everyone knows what their responsibility are and make sure
this is stated on paper.
> 1. Never, ever trust data from the client
That's it. If you leave Register_globals off you will be sure you get
only what you need to get. Then, of course, you shall control data
content. As I am sure you know yourself most of the trouble will come
from uncorrect data input.
You might actually write client-side javascript controls to avoid
uncorrect input and then think that your data are clean. This is where
most of the problems come from (as Chris points out, it's not difficult
to post a form to your script after writing it at home, or just do a
plain command line call with altered parameters from a user browser, I
see that stuff on our customers logs quite often).
So, no matter what you checked on the client, check it again on the
server (even if you are not paranoid, some users may just have disabled
their javascript, right?)
> Basically, if you code very carefully and deliberately, you will create
> a very secure application. Many people focus only on securing the
> environment, but writing secure code is often much more important.
Words of wisdom! and actually about 75% of the code you write is
dedicated to this very job, if you really want to get a stable application.
Alberto
Kiev
--
@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@
LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
