RE: [PHP-DB] PHP Security Basics - web seminar

2007-06-14 Thread Lasitha Alawatta

Hi All,

If you would like to download the presentation you can find it here:
http://www.zend.com/webinar 



Reg.,
Lasitha





--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] PHP Security Basics - web seminar

2007-05-30 Thread Chris

Lasitha Alawatta wrote:
> Hi All,
>
> "PHP Security Basics - Must-Knows for Everyone"
>
> Presenter: John Coggeshall, Zend Solutions Consultant
> Target audience: Anyone who believes Security is important in Web Application development and deployment
>
> Duration: 45 minutes, including Q&A
>
> Security is not just important when you are doing financial transactions
> - an insecure Web site can be used by others for malicious purposes to
> launch attacks against other Web sites. There are a few must-knows for
> anyone who ventures out into the world of PHP Web development. In this
> webinar John Coggeshall will focus on the absolute necessities when
> doing secure Web development.
>
> REGISTER - PHP Security Basics <http://cts.vresp.com/c/?ZendTechnologies/911c551250/d53224e5ba/292e9a4c50>

Is this going to be available as a download or something after the event
happens?


The main reason I ask is that I'm in Sydney so it's on at 2am :P

I'm sure others are going to be in a similar boat.

--
Postgresql & php tutorials
http://www.designmagick.com/




RE: [PHP-DB] PHP Security and Code Design

2002-07-10 Thread Hutchins, Richard

Thanks, Adam. All clear now.

Rich







Re: [PHP-DB] PHP Security and Code Design

2002-07-10 Thread Adam Alkins

> I understand that this applies to data put into a form to be submitted to a
> database (or another page, I guess), but does it also apply to
> variable/value pairs passed along the URL from a hyperlink
> (<a href="foo/bar.php?thisVar=thisVal">Click here</a>)? I couldn't quite get it
> from the explanation above. Would I need to reference the passed variable
> with $_GET["thisVal"] on the receiving page (bar.php)? I'm sure I would have
> to if $thisVar was passed from a form with the GET method, but wasn't sure
> about the hyperlink stuff.
>
> Anybody working with register globals off already that can clear this up?

Yes. URL-passed variables are accessed via the GET method. So page.php?foo=bar
is accessed by $_GET['foo'].

--
Adam Alkins
http://www.rasadam.com
--






RE: [PHP-DB] PHP security

2001-02-21 Thread php3

Addressed to: "s.budd" <[EMAIL PROTECTED]>
  [EMAIL PROTECTED]

** Reply to note from "s.budd" <[EMAIL PROTECTED]> Wed, 21 Feb 2001 10:03:33 -
> But if the database is on another machine then the password is sent as plain
> text over the internet, no?

No.  MySQL encrypts the password when it sends it from the client to the
server.

Also, in most cases where the db and the web server are separate
machines they are on the same subnet, in the same building, and the
packets never make it past the first switch or router they encounter.

If you want serious security, put a second set of network cards in the
web servers and create a special network that only connects them to the
database server, and disconnect the db server from the Internet.  Make
sure IP forwarding is OFF in the web servers and you have one more
thing a hacker has to get thru to see what is in the database.

Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP-DB] PHP security

2001-02-21 Thread s.budd


But if the database is on another machine then the password is sent as plain
text over the internet, no?









RE: [PHP-DB] PHP security

2001-02-21 Thread Ben Cairns

Anything contained within the PHP open & close tags (<?php ... ?>) is parsed out
server side.

In order for them to read the source of the file, they must have console 
access.

Try and get a password from www.mywapfone.net/index.php

That page does a DB connect using your script.

You cannot see my Password in the source right?

Does this answer your question?

As the MySQL server is on localhost, then the password never leaves the 
machine, so is not travelling over the internet.

Therefore, no-one can packet grab from the machine to get the password.

-- Ben Cairns - Head Of Technical Operations
intasept.COM
Tel: 01332 365333
Fax: 01332 346010
E-Mail: [EMAIL PROTECTED]
Web: http://www.intasept.com

"MAKING sense of
the INFORMATION
TECHNOLOGY age
@ WORK.."






RE: [PHP-DB] PHP security

2001-02-21 Thread s.budd

Moreover, even if they can't see the text of the page, your password is
going over the internet in plain text.

-Original Message-
From: Don [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2001 7:24 PM
To: php-db list
Subject: [PHP-DB] PHP security


I am writing some PHP scripts to connect to a MySQL database.  In order
to connect, I have found the following documented code:

$dbLink = mysql_connect("localhost", "my_user", "my_password");

Here, the password is plain text.  This does not seem very secure to
me.  What is to prevent someone using a program like Frontpage to
download my web and discover my password?







Re: [PHP-DB] PHP security

2001-02-20 Thread Ron Brogden

At 01:50 PM 2/20/2001 -0600, you wrote:
>As far as I know, you can not download PHP programs without access to
>download them. Meaning you need an account on the webserver, so they would
>need your account user and pass before they could steal your mysql user and
>pass.

The main issue is that (especially under Unix), the Front Page server 
extensions are notoriously poorly written and in most cases leave massive 
security holes wide open.  Try doing a Google search for "hacking 
frontpage" to see some examples. The real solutions are:

do not host with a provider that supports Front Page
do not use Front Page as your HTML editor

If you do decide to use Front Page as your editor, make sure that you do not 
let it upload the "shadow" directories such as _vti_cnf (there are others too 
which I forget) that it likes to include with uploads, or immediately remove 
them.  As long as you avoid that pitfall and the server does not have 
the server extensions installed you should be safe.

You should also place your sensitive values in a separate file that is 
located in a non-web accessible directory or if you are running under "safe 
mode", in a protected sub-directory.  Under Apache you would just have to 
create a directory called something like "./include" and in it place a 
.htaccess file with the following line:

deny from all

This makes it so that the only way to access the file is via an include 
command within PHP.  This won't save you from local users viewing the file 
but that is a different sack of nuts.

Cheers


-
Island Net AMT Solutions Group Inc.  Telephone:  250 383-0096
1412 Quadra  Toll Free:1 800 331-3055
Victoria, B.C.   Fax:250 383-6698
V8W 2L1  E-Mail:[EMAIL PROTECTED]
Canada   WWW:   http://www.islandnet.com/
-
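A worked version of the layout Ron describes, written as an added example for this thread and not code from any of the posters: the credentials sit in a file outside the document root, the loader refuses a file that lives under DOCUMENT_ROOT or that other local users can read, and only then does the script connect. The path /srv/app/private/db.ini and the ini layout are assumed, and the connection uses mysqli because the mysql_connect() call quoted earlier in the thread was removed in PHP 7.

```php
<?php
// Added example (not from the thread). Assumed layout, not from the page:
//   /srv/app/htdocs          document root
//   /srv/app/private/db.ini  credentials, mode 0400, owned by the web server user
// db.ini contents (constructed sample):
//   host = "localhost"
//   user = "my_user"
//   password = "my_password"
//   dbname = "app"

function load_db_credentials(string $path, string $docroot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }
    // Refuse a file that lives under the document root, even one guarded by
    // .htaccess: a misconfigured or replaced web server could still serve it.
    $root = rtrim(realpath($docroot) ?: $docroot, '/') . '/';
    if (strncmp($real, $root, strlen($root)) === 0) {
        throw new RuntimeException("credentials file is inside the web root");
    }
    // Other local users must not be able to read it (group/other read bits).
    if (fileperms($real) & 0044) {
        throw new RuntimeException("credentials file is group/world readable");
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("credentials file is not valid ini");
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing '$key' in credentials file");
        }
    }
    return $cfg;
}

// In a script under the document root (e.g. index.php): the password never
// appears in any file the web server is allowed to hand out.
$creds = load_db_credentials('/srv/app/private/db.ini', $_SERVER['DOCUMENT_ROOT']);
$db = new mysqli($creds['host'], $creds['user'], $creds['password'], $creds['dbname']);
if ($db->connect_error) {
    // Log the detail server-side; never echo it to the browser.
    error_log('DB connect failed: ' . $db->connect_error);
    http_response_code(500);
    exit('Service unavailable');
}
```

Ron's `deny from all` is Apache 2.2 syntax; Apache 2.4 spells the same rule `Require all denied`, and keeping the file outside the web root makes the script independent of either. The permission check covers the local-user case Ron leaves open.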






RE: [PHP-DB] PHP security

2001-02-20 Thread Ben - FCP

Absolutely correct!

Having said all of this, it is still a bad idea (certainly on UNIX systems,
I can't speak for Micro$oft) to keep passwords embedded in scripts in this
way, particularly if you are running PHP as a CGI process. It is a better
idea to have the appropriate passwords stored as variables inside a separate
script that is then called via an 'include' statement (which should then be
read-only to 'root' if memory serves me right - it's been a long time since I
ran PHP this way!).

Ben Stoneham
Technical Director - FCP Internet LTD.

___

FCP Internet LTD - 'Making the Web Work for You'

70 Smithbrook Kilns, Cranleigh, Surrey, GU6 8JJ, UK.

Tel. 01483 272 303 Fax. 01483 272 303 mail: [EMAIL PROTECTED]

http://www.fcpl.com








Re: [PHP-DB] PHP security

2001-02-20 Thread Doug Schasteen

As far as I know, you can not download PHP programs without access to
download them. Meaning you need an account on the webserver, so they would
need your account user and pass before they could steal your mysql user and
pass. I don't know how frontpage works, but it would probably have to call
on the server to parse the php script before downloading it. There is no way
to download a PHP script as a "nobody" user without it being parsed by PHP
first.



