Re: [PHP] Re: how PHP is batter?

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Chris)
wrote:

   Either phrase can be a good or a bad thing, it all depends on
 tone - Scottish is very like Japanese in that respect :p
   
   with regard to batter - isn't it the scots that have a penchant for
 covering marsbars with the stuff and deepfrying them?

  The aussies do it too - are we just as crazy as the scots?

Didn't we used to ship convicted criminals to Auz?  That would explain
the craziness ;)


-- 

Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen 
leads to downtime. Downtime leads to suffering...I sense much Windows in you...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Ross) wrote:



 http://amazon.co.uk/s/ref=nb_ss_w_h_/203-1671317-2810350?initialSearch
 
 =1url=search-alias%3Dapsfield-keywords=php+securityGo.x=0Go.y=0Go
  =Go
  
  looking at the top 3 on the list here, personally I quite like the
 O'Reilly books. Can someone recommend one of these or any other that
 will give me a good solid understanding of PHP security?

Avoid the O'Reilly one as it is flawed.  Go for The PHP|Architect one.
 I haven't had a chance to read Chris Snyder's one yet but it has the
worst amazon rating of the 3.





Re: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Mark Kelly) wrote:

  Hi.
  
  On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
  
   Avoid the O'Reilly one as it is flawed.

  In what way?

It's written by Chris Shiflett, isn't that enough reason?






[PHP] Re: Re: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Stut)
wrote:

  Andrew Hutchings wrote:
   In article [EMAIL PROTECTED]
   [EMAIL PROTECTED](Mark Kelly) wrote:
   
Hi.

On Wednesday 04 July 2007 13:01, Andrew Hutchings
 wrote:  
 Avoid the O'Reilly one as it is flawed.
   
In what way?
   
   It's written by Chris Shiflett, isn't that enough reason?
  
  There's no need for that without justification. Please justify
 that comment.

Simply because he has written several articles about fixing holes in
PHP code which actually create new holes.  And there are examples of this
in the book as well.





Re: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Nathan Nobbe) wrote:

  
  this is getting good; i want to know why its *flawed* now too.
  
  no pressure :)
  

OK, well, for example page 3 of the book suggests making PHP output
errors into Apache's error_log.  To do this on Linux it means PHP
would have to be run as root.





[PHP] Re: Re: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Jochem Maas) wrote:

   OK, well, for example page 3 of the book suggests making
 PHP output  errors into Apache's error_log.  To do this on Linux
 it means PHP would have to be run as root.
  
  huh? funny thing is that on all the machines I work with Apache
 runs under its own user (apart from at start up when it briefly runs
 as root before switching), I run php as an Apache module (I'm
 assuming we're not talking about php cli given that we're mentioning
 Apache), this means php is running in the context of the apache
 user and btw is quite capable of logging to the Apache error_log

Exactly, the initial process runs as root, and this is the process
that does the logging; it would be another security issue to have your
logs set as apache's owner.  PHP is run as apache's user (unless you
use something like suPHP), so if you use PHP's error handler function (not
the thing that sends data to the error logs) to write to apache's logs,
they would either have to be owned by apache or php would have to run
as root.
  running php as a CGI probably means you can't have php (which is
 probably running in the context of the site owners' user account)
 log to the general apache error_log but in such cases I would assume
 that the server configuration included error and access logging on a
 per (v)host basis.

Indeed, I was talking more mod_php side of things, which judging by
the wording of the book is also the assumption made.
  seems like you're spreading FUD - I doubt Chris Shiflett is perfect
 and I'm sure he's probably made a few security mistakes of his own
 but your current example is not one of them AFAICT.

You are entitled to your opinions, and I am entitled to mine.  If you
believe I am spreading FUD, so be it.  But that example _is_ a
security flaw.





Re: RE: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (bruce) wrote:

  andrew...
  
  are you sure about this... i would have thought that if you have an
 apache user 'apache' and allow php to be run as/by 'apache' then this
 would provide complete access to anything php needs to do as 'apache'.

Logging in apache is done (in standard configurations) by a process
owned as root, and in most configurations the logs are owned as root
and are not readable by any other user.
  this should definitely work if you allow the 'group' for the apache
 err logfiles be accessed by this user...

If you do this then it is possible for an apache process using PHP to
read the error logs, and an abused script could show a potential hacker
the layout of your site or other useful information.
  so.. i ask again.. are you sure about this..

Yep.





Re: RE: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Nathan Nobbe) wrote:

  
  the root user issue aside, i still dedicate a separate file in
 /var/log for my php apps.

If it is a separate file then that is cool; in fact, being in /var/log you
could even have it rotate with log_rotate (well, you could do that
anywhere really, but for completeness...).



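As an added example (not code from the thread), the separate-log setup the exchange above arrives at: PHP's errors go to a dedicated file through the ini settings and error_log(), and a startup check flags the permission problem raised earlier in the thread, a log that anyone on the box can read. The path /var/log/php/app.log and the name checkLogPermissions() are assumptions.

```php
<?php
// Added example: route PHP errors to a dedicated log instead of Apache's
// root-owned error_log. Assumed path; the directory should be writable only
// by the PHP run user (apache/www-data) and the file not world-readable.
declare(strict_types=1);

const APP_ERROR_LOG = '/var/log/php/app.log'; // assumption, adjust to your layout

// Never render errors into the page; log them instead. (For parse errors
// these belong in php.ini, since ini_set() runs too late for them.)
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', APP_ERROR_LOG);

// The "error handler function" the thread refers to: it writes through
// error_log(), which follows the error_log ini setting above, so PHP needs
// write access to this one file and no access to Apache's own logs.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    $line = sprintf('[%s] errno=%d %s in %s:%d', date('c'), $errno, $errstr, $errfile, $errline);
    error_log($line);   // message type 0: honours the error_log ini path
    return true;        // handled; do not fall through to PHP's default output
});

// Startup check: the log must exist, be writable by the PHP user, and must
// not be readable or writable by "other", since stack traces and file paths
// reveal the site layout, as noted above. Returns a list of problems (empty = OK).
function checkLogPermissions(string $path): array
{
    $problems = [];
    if (!is_file($path)) {
        return ["$path does not exist; create it owned by the PHP run user, mode 0640"];
    }
    if (!is_writable($path)) {
        $problems[] = "$path is not writable by the PHP run user";
    }
    $mode = fileperms($path) & 0777;
    if ($mode & 0004) {
        $problems[] = sprintf('%s is world-readable (mode %04o)', $path, $mode);
    }
    if ($mode & 0002) {
        $problems[] = sprintf('%s is world-writable (mode %04o)', $path, $mode);
    }
    return $problems;
}

foreach (checkLogPermissions(APP_ERROR_LOG) as $problem) {
    error_log('log permission problem: ' . $problem);
}
```

Rotation is then a matter of pointing logrotate at the same path with a create rule that preserves the owner and the 0640 mode.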


Re: Re[2]: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Richard Davey) wrote:

  Hi Andrew,
  
  Wednesday, July 4, 2007, 4:23:38 PM, you wrote:
  
 Avoid the O'Reilly one as it is flawed.

In what way?

   It's written by Chris Shiflett, isn't that enough reason?

  No, not really. The errata are clearly published online, and while
 you could argue that some of them shouldn't have existed in the text
 in the first place, security is such a moveable feast that whatever
 is written today will almost surely have changed within a very short
 period of time, regardless of the author.

Sure, and I'm not debating the rate that security moves, or that there
are newer techniques for some of the stuff. I haven't read the errata
to be honest, do people ever read those? (open question)
  If just one person takes something useful away from his book, that
 makes them think "damn, yes, I DO allow that in my scripts!", then it
 was a worthwhile purchase. He (along with a number of others) has
 done a wonderful job of raising the PROFILE of security (or lack
 thereof) in PHP applications and the PHP world in general. Before the
 likes of him and Steffan started blogging and writing about all the
 issues out there it was a piss-poorly covered area that
 most developers (*especially* new ones) ignored or were not even aware
 of.
  
  Even if some of the techniques in the book are now flawed, the
 profile and awareness he has generated did nothing to harm the PHP
 community, and does not warrant your shit slinging.

I have no doubt he is a great bloke and a great public speaker / PR
for PHP application level security, I apologise if it sounded like
FUDing (why does that sound dirty?).  I just don't like / agree with
his book or some of the security articles he wrote (again, I haven't
read them in quite a while).  I think Ilia's book is a lot better.
I also agree that awareness is no bad thing, but people should also be
aware he is not the be all and end all of PHP application level
security, and he has made mistakes (as have I and probably everyone
else here at some point).
If Chris were to re-write into a second edition, then who knows, I may
like it.





Re: Re[4]: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED] [EMAIL PROTECTED] (Richard Davey) wrote:


  I actually agree with you about Ilia's book, it is the best of the
 three available (the Pro PHP Security one is certainly the worst),
 although there are areas where even Ilia basically shrugs his
 shoulders in the text and says you can never have it 100% and
 sort of gives up on you :)
  
  All three books are now well behind the times though imho.
  

Indeed, in fact I think Ilia's slides for this year's PHPtek make a
great kind of companion to the book.  It would be great if he merged the
slides and book into a second edition.
Although in his slides he mentions that mysql_real_escape_string can
be attacked with multibyte characters, but it looks like that hasn't
been the case for a while.  Not that I am really complaining about
that, I prefer prepared statements and would use them all the time if
it wasn't for the fact that those queries aren't cached until recent
versions of MySQL 5.1
Anyway, I'm rambling now ;)





[PHP] Re: PHP 4.4.6 Released!

2007-03-01 Thread Andrew Hutchings
Derick Rethans wrote:
 Hello!
 
 The PHP development team would like to announce the immediate 
 availability of PHP 4.4.6.  This release addresses a crash problem with 
 the session extension when register_globals is turned on that was 
 introduced in PHP 4.4.6.

So this release fixes a crash that wasn't introduced until this
release.  That's clever ;)

Regards
Andrew
-- 
Andrew Hutchings - Linux Jedi - http://www.linuxjedi.co.uk/
A-Wing Internet Services - http://www.a-wing.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen.
Blue Screen leads to downtime. Downtime leads to suffering...I sense
much Windows in you.
