Assuming they have access to the PHP files, all decoding keys would be
available there, so while encrypting the database would definitely slow up
the attacker, it would only do so until they discovered the decoding method.
Any experienced hacker would find this in no time. If you pre-compile th
.com/ ICVerify
http://www.icverify.com/
Payflow Pro products/payflow/pro
CyberCash
- Original Message -
From: "I. Gray" <[EMAIL PROTECTED]>
To: ; "Bastien Koert" <[EMAIL PROTECTED]>
Sent: Tuesday, June 14, 2005 9:36 AM
Subject: Re: [PHP-DB
Thanks,
I kind of suspected this, but it's good to be told. I wouldn't want to
like to think my CC details were held on some database somewhere where
it can get hacked into. Apart from paypal are there any other 3rd party
payment processors that anyone recommends? I think we're perhaps goin
You should never [almost never ever] store cc details from your users.
Integrate a 3rd party payment processor into your site and process the
payments immediately. It will cut down on fraud and chargebacks by the
users. It's also more secure since the cc details are not stored on your
machine. W
TECTED]
> Sent: 17 January 2005 03:47
> To: php-db@lists.php.net
> Subject: Re: [PHP-DB] Security Question
>
>
> But what I'm saying is that if you're submitting a form from an unsecured
> page, to a script on a secure server, the data will still be encrypted.
> Any
> insecure login carries less risk.
>
> You could always host the login page on a non secure server but post the
> form to a secure server.
>
> Peter
>
> > -Original Message-
> > From: Micah Stevens [mailto:[EMAIL PROTECTED]
> > Sent: 17 January 2005 02:46
> -Original Message-
> From: Micah Stevens [mailto:[EMAIL PROTECTED]
> Sent: 17 January 2005 02:46
> To: php-db@lists.php.net
> Subject: Re: [PHP-DB] Security Question
>
>
>
If it submits to a secure server the form data will be encrypted before
transmission I believe. At least that's my understanding, and that seems to
be how ebay does it for example. Once you log in, it submits to a secure
page.
-Micah
On Sunday 16 January 2005 06:38 pm, Chris Payne wrote:
>
From: "Dylan Barber" <[EMAIL PROTECTED]>
I am accessing a database on my site from another site - I am
not the only developer on the other site and there is the potential
for someone to access the database for nefarious purposes from
the other site. Can I somehow protect the password and still hav
Jonathan Haddad wrote:
so I've been doing a little thinking about web server security..
#1. Since all files on the web are 644, what is to stop someone on the
same server from copying your files to their own directory?
(specifically your database connection info)
#2. if a folder is 777, what's t
From: "Galbreath, Mark A" <[EMAIL PROTECTED]>
> Does anybody know if the security issues outlined in
>
> http://www.securereality.com.au/archives/studyinscarlet.txt
>
> are still salient or not? My boss wants a technical document outlining
the
> security risks of using PHP in an attempt to get it
check
http://www.mysql.com/doc/en/Miscellaneous_functions.html
it covers a number of options
Peter
---
Excellence in internet and open source software
---
Sunmaia
www.sunmaia.net
tel. 0121-242-1473
on 3/4/02 11:34 PM, jas at [EMAIL PROTECTED] appended the following bits
to my mbox:
> how can you find out what the php.ini is looking like? is there a way to
> use php to get that info. i have used phpinfo() but i cannot see whether or
> not file_uploads is disabled
It will only show up in P
er from the bug. No big deal--go on with life!
Court
> -Original Message-
> From: jas [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 04, 2002 8:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] security
>
>
how can you find out what the php.ini is looking like? is there a way to
use php to get that info. i have used phpinfo() but i cannot see whether or
not file_uploads is disabled
Jas
"Paul Burney" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED].;
on 3/3/02 7:39 PM, Ric Mañalac at [EMAIL PROTECTED] appended
the following bits to my mbox:
> i personally think that the developer still has
> the control in making his php code secure. but how do you
> think will this news affect php as one of the most popular
> choice for web developers?
Prob
1st, you should limit the permissions that you have for the user doing
the update.
This user should not be able to do things like ALTER / DROP / CREATE
etc...
If you don't have a need for the DELETE command you can remove the
permissions for it too; however, this does not solve all of your problems
A quick suggestion would be to build your query normally and then don't run
the query if it has a semicolon that isn't inside quotes. Also, use single
quotes in the update to make your checks easier:
UPDATE table_name SET field1='value1'
-Original Message-
From: Ronald Wiplinger
To: [EM
OTECTED]>
Cc: "'Simon R Jones'" <[EMAIL PROTECTED]>; "PHP-DB (E-mail)"
<[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 1:12 PM
Subject: Re: [PHP-DB] security in PHP under Apache
> But how do you set it so a webuser would run sudo? That sounds pretty
But how do you set it so a webuser would run sudo? That sounds pretty
dangerous, to me.
I have a similar situation where I want PHP to create a subdirectory and
set privileges to it based on the login user. I end up having to create
the directory by hand via SSH and then run the php script.
T
PHP runs via Apache, so it adopts the user that Apache uses, essentially.
You can use a program like sudo to allow them to run certain commands on the
server.
Jonathan
-Original Message-
From: Simon R Jones [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 23, 2001 10:31 AM
To: [EMAIL PRO