Forwarding these tips to phpdoc. Can somebody please
add this to the security documentation?

Vip, thanks for the tips...

Goba

----- Original Message ----- 
From: "Vip Malixi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 23, 2001 11:22 PM
Subject: Re: PHP: Cool PHP Tips


> A recent article noted some security risks for PHP
> applications. I've come up with some solutions to
> those security concerns:
> 
> 1. always use ".php" (or ".php3" for earlier versions) file name
> extensions for include files, otherwise, crackers can view your code.
> 
> 2. for linked pages coming from another page where some variables are
> set, if you want to disallow users from manually entering different
> values to those variables from their browser's Location input field,
> use HTTP_REFERER to check for this.
> 
> For example, let's say I have a file called "viewCorpData.php" and
> depending on the corpid, users can view secret corporate data. Now
> users are supposed to first go through a login before being able to
> see their particular corp. data, and once authenticated, they go to
> http://wherever.com/properdirectory/viewCorpData.php?corpid=3
> where they can view their particular corp. data.
> 
> But what if a user thinks to himself, "Hmm, what if I change the
> corpid number to something else, I might chance on seeing someone
> else's corp. data?" And true enough, he/she will be able to do this
> unless I've added security checks for that particular page. One easy
> way to protect ALL pages though from this is what I just mentioned:
> use HTTP_REFERER. So to do this with the previous example, at the top
> of the viewCorpData.php page, I add the following PHP code:
> 
> <?php include_once("security.php"); ?>
> 
> And inside the file "security.php":
> 
> <?php
> // $HTTP_REFERER holds the request's Referer header (register_globals).
> if (!strstr($HTTP_REFERER, "http://wherever.com/properdirectory/")) {
>     exit();
> }
> ?>
> 
> What this means is, if the user just typed in the corpid or if the
> user came to the page from another web site other than the current
> one and the current directory, all he/she'll see will be a blank
> page. Simple, effective, and safe.
> 
> Care take,
> Vip
> 

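As an added example, not part of Vip's mail or of the phpdoc text: the per-page check the mail refers to ("security checks for that particular page"), written as a server-side ownership test of corpid against the logged-in session. It assumes the login code stores $_SESSION['authenticated'] and $_SESSION['allowed_corpids'] (names invented here), and it does not consult the Referer header, which the client sends and may omit or set to any value.

```php
<?php
// Added example for viewCorpData.php: authorize corpid from session state.
session_start();

// Assumed (not from the mail): login sets $_SESSION['authenticated'] = true
// and $_SESSION['allowed_corpids'] = array of ints the user may view.

/**
 * Return true only when the authenticated user may see $corpid.
 * The decision uses server-side session data only; request headers
 * such as Referer are chosen by the client and are not consulted.
 */
function canViewCorp(array $session, $corpid)
{
    if (empty($session['authenticated']) || !isset($session['allowed_corpids'])) {
        return false;                                   // not logged in
    }
    // Strict integer check: "", "3abc", "3 OR 1=1" are all rejected.
    if (filter_var($corpid, FILTER_VALIDATE_INT) === false) {
        return false;
    }
    return in_array((int) $corpid, $session['allowed_corpids'], true);
}

// Constructed sample data standing in for the corporate data store.
$corpData = array(
    3 => 'Corp #3: quarterly figures ...',
    4 => 'Corp #4: quarterly figures ...',
);

$corpid = isset($_GET['corpid']) ? $_GET['corpid'] : null;

if (!canViewCorp($_SESSION, $corpid)) {
    // One response for "not logged in", "bad corpid" and "not your corp",
    // so the page does not reveal which corp ids exist.
    http_response_code(403);
    exit('Access denied.');
}

// Reached only for a corp the user is entitled to see; use the validated int.
$corpid = (int) $corpid;
echo isset($corpData[$corpid]) ? $corpData[$corpid] : 'No data for this corp.';
```

The same function can guard every page that takes a corpid, so changing the number in the Location field yields a 403 unless the session already grants that corp.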