On Tue, Jun 2, 2009 at 7:39 PM, Shawn McKenzie wrote:
> Grant Peel wrote:
>> Hi all,
>>
>> I am currently setting up the next generation web server for our company and
>> am in need of general consulting/advice on php set up security issues.
>>
>> Anyone with knowledge and experience please fee
Grant Peel wrote:
I think you can safely assume that was a joke.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
- Original Message -
From: "Shawn McKenzie"
To:
Sent: Tuesday, June 02, 2009 7:39 PM
Subject: [PHP] Re: PHP Security
Grant Peel wrote:
Hi all,
I am currently setting up the next generation web server for our company
and am in need of general consulting/advice on
Grant Peel wrote:
> Hi all,
>
> I am currently setting up the next generation web server for our company and
> am in need of general consulting/advice on php set up security issues.
>
> Anyone with knowledge and experience please feel free to reply :-).
>
> -Grant
Do not under any circumstan
Andrew Hutchings wrote:
> I prefer prepared statements and would use them all the time if
> it wasn't for the fact that those queries aren't cached until
> recent versions of MySQL 5.1
Use PDO. It emulates prepared statements and doesn't avoid the query cache:
$db->setAttribute(PDO::ATTR_EMULATE_
Andrew Hutchings wrote:
> Avoid the O'Reilly one as it is flawed.
Hollow claims are disrespectful and harmful to professional discourse.
Perhaps you are motivated to persuade others that this is true and will
do so at any cost, even if it means spreading misinformation. I'm aware
of one person who
At 11:23 AM -0400 7/4/07, Andrew Hutchings wrote:
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Mark Kelly) wrote:
Hi.
On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
Avoid the O'Reilly one as it is flawed.
In what way?
It's written by Chris Shiflett, isn't that enou
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Richard Davey) wrote:
> I actually agree with you about Ilia's book, it is the best of the
> three available (the Pro PHP Security one is certainly the worst),
> although there are areas where even Ilia basically shrugs his
> shoulders in the text
Hi Andrew,
Wednesday, July 4, 2007, 8:29:51 PM, you wrote:
> I have no doubt he is a great bloke and a great public speaker / PR
> for PHP application level security, I apologise if it sounded like
> FUDing (why does that sound dirty?). I just don't like / agree with
> his book or some of the se
On Wed, Jul 04, 2007 at 11:36:06AM -0700, bruce wrote:
> andrew...
>
> are you sure about this... i would have thought that if you have an apache
> user 'apache' and allow php to be run as/by 'apache' then this would provide
> complete access to anything php needs to do as 'apache'.
>
> this shou
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Richard Davey) wrote:
> Hi Andrew,
>
> Wednesday, July 4, 2007, 4:23:38 PM, you wrote:
>
>>>> Avoid the O'Reilly one as it is flawed.
>>> In what way?
>> It's written by Chris Shiflett, isn't that enough reason?
> No, not really. T
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] ("Nathan Nobbe") wrote:
>
> the root user issue aside, i still dedicate a separa
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] ("bruce") wrote:
> andrew...
>
> are you sure about this... i would have thought that if you have an
> apache user 'apache' and allow php to be run as/by 'apache' then this
> would provide complete access to anything php needs to do as 'apache'.
the root user issue aside, i still dedicate a separate file in /var/log
for my php apps.
-nathan
On 7/4/07, Andrew Hutchings <[EMAIL PROTECTED]> wrote:
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] ("bruce") wrote:
> andrew...
>
> are you sure about this... i would have thought that if yo
'group' for the apache err log
files be accessed by this user...
so.. i ask again.. are you sure about this..
-Original Message-
From: Andrew Hutchings [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 04, 2007 10:39 AM
To: php-general@lists.php.net
Subject: Re: [PHP] Re: php secur
Hi Andrew,
Wednesday, July 4, 2007, 4:23:38 PM, you wrote:
>>> Avoid the O'Reilly one as it is flawed.
>> In what way?
> It's written by Chris Shiflett, isn't that enough reason?
No, not really. The errata are clearly published online, and while you
could argue that some of them shouldn't ha
Andrew Hutchings wrote:
> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] ("Nathan Nobbe") wrote:
>
>
In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] ("Nathan Nobbe") wrote:
>
> this is getting good; i want to kno
this is getting good; i want to know why it's *flawed* now too.
no pressure :)
-nathan
On 7/4/07, Stut <[EMAIL PROTECTED]> wrote:
Andrew Hutchings wrote:
> In article <[EMAIL PROTECTED]>
> [EMAIL PROTECTED](Mark Kelly) wrote:
>
>> Hi.
>>
>> On Wednesday 04 July 2007 13:01, Andrew Hutchings w
Andrew Hutchings wrote:
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Mark Kelly) wrote:
Hi.
On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
Avoid the O'Reilly one as it is flawed.
In what way?
It's written by Chris Shiflett, isn't that enough reason?
There's no need
On Wed, 2007-07-04 at 11:23 -0400, Andrew Hutchings wrote:
> In article <[EMAIL PROTECTED]>
> [EMAIL PROTECTED](Mark Kelly) wrote:
>
> > Hi.
>
> > On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
>
> >> Avoid the O'Reilly one as it is flawed.
>
> > In what way?
>
> It's written by
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Mark Kelly) wrote:
> Hi.
>
> On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
>
>> Avoid the O'Reilly one as it is flawed.
> In what way?
It's written by Chris Shiflett, isn't that enough reason?
--
Andrew Hutchings - LinuxJed
Hi.
On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
> Avoid the O'Reilly one as it is flawed.
In what way?
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED]("Ross") wrote:
> http://amazon.co.uk/s/ref=nb_ss_w_h_/203-1671317-2810350?initialSearch=1&url=search-alias%3Daps&field-keywords=php+security&Go.x=0&Go.y=0&Go=Go
>
> looking at the top 3 on the list here, personally I quite like the
>
Sorry for the split of threads, I don't have the original email.
This is the answer from computerworld regarding the article
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,104124,00.html,
>Thank you for taking the time to write in. I see your point.
>The article
http://phpsec.org/
PHP Security Consortium
this is what you want. hehe~ it's helpful
"Ian C. McGarvey" <[EMAIL PROTECTED]> wrote:
>I have been studying PHP all summer because I wanted to put some PHP code
>on my school's web site. I got to school and went to the web design teach
I l wrote:
> Let's say you want to store someone's picture.
Okay.
> In the database, you would insert the picture, who owns that picture,
> maybe
> the ip address and request headers of where that picture came from, the
> category, sub-category, sub-sub-category in which the picture belongs to,
> e
I believe the performance hit is much higher than the 2% increase you
are referring to:
$ cat /.../loadtest.php
$ ./ab -n 1000 -c 50 http://.../loadtest.php
Time taken for tests: 1.653 seconds
Complete requests: 1000
...
Requests per second: 604.96 [#/sec] (mean)
Time per request:
[EMAIL PROTECTED] wrote:
> Quoting I l <[EMAIL PROTECTED]>:
>> So, you would prefer storing the uploaded file in your directory than a
>> database? Have you tried either method?
>
> And, by the way, once you upload it into a database, it's not a file.
> It's just
> a data field.
Actually, internal
Quoting Richard Lynch <[EMAIL PROTECTED]>:
> Actually, internally, it *is* a file, or part of a file, depending on the
> database implementation details. (*)
Part of a file? Usually. A file? Rarely.
And as part of a file, it is likely to be accessed using a more poorly chosen
I/O model than if
>> Yeah, with any luck at all, your binary file will corrupt itself, and then
>> make your entire database unreadable by anybody, even you.
> really? Then my company's database should be corrupt by now...right? Haven't
> had any problems yet. Well, it's only been running for 2 years now.
Search
On Fri, 10 Dec 2004 14:07:21 -0800, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> And, by the way, once you upload it into a database, it's not a file. It's
> just
> a data field.
And the data fields are just files on the file system. Look at the
way Postgres stores data.
The filesystem itsel
Yeah, with any luck at all, your binary file will corrupt itself, and then
make your entire database unreadable by anybody, even you.
really? Then my company's database should be corrupt by now...right? Haven't
had any problems yet. Well, it's only been running for 2 years now.
I l wrote:
> the b
I l wrote:
> the best security practice is to store the jpg file or any other uploaded
> file in your mySql database. This way you never have to worry about
> someone
> executing php by the url like www.example.com/pic.jpg. To view the file,
> the
> user would type www.example.com/veiw.php?fileID=3
Quoting I l <[EMAIL PROTECTED]>:
> So, you would prefer storing the uploaded file in your directory than a
> database? Have you tried either method?
And, by the way, once you upload it into a database, it's not a file. It's just
a data field.
Quoting I l <[EMAIL PROTECTED]>:
> I never said that this method wouldn't cause you overhead. With all respect,
> I am simply stating that this method is much simpler. Sometimes you must
> choose simplicity over processing costs. What if there was another
> programmer editing your code? Or, you ca
Quoting I l <[EMAIL PROTECTED]>:
> Let's say you want to store someone's picture.
>
> In the database, you would insert the picture, who owns that picture, maybe
> the ip address and request headers of where that picture came from, the
> category, sub-category, sub-sub-category in which the picture
I never said that this method wouldn't cause you overhead. With all respect,
I am simply stating that this method is much simpler. Sometimes you must
choose simplicity over processing costs. What if there was another
programmer editing your code? Or, you came back to the same code after one
yea
I l wrote:
Let's say you want to store someone's picture.
In the database, you would insert the picture, who owns that picture,
maybe the ip address and request headers of where that picture came
from, the category, sub-category, sub-sub-category in which the picture
belongs to, etc. You can gathe
Let's say you want to store someone's picture.
In the database, you would insert the picture, who owns that picture, maybe
the ip address and request headers of where that picture came from, the
category, sub-category, sub-sub-category in which the picture belongs to,
etc. You can gather and store
Quoting I l <[EMAIL PROTECTED]>:
> And finally, file management is much much easier when you store the files in
> a database.
There is a kind of database that is perfectly designed and equipped to store
files, and their very specific metadata properties, optimized for the correct
sort of access.
e and execute it on the server.
And finally, file management is much much easier when you store the files in
a database.
From: Chris Shiflett <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: I l <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 9
--- I l <[EMAIL PROTECTED]> wrote:
> the best security practice is to store the jpg file or any other
> uploaded file in your mySql database. This way you never have
> to worry about someone executing php by the url like
> www.example.com/pic.jpg. To view the file, the user would type
> www.example
also keep information about the file uploaded in your mysql such as
IP address.
I can't really see any security problems here.
From: John Nichel <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 09 Dec 2004 15:53:50 -0500
MIME-Version: 1.0
Rec
Richard Lynch wrote:
Chris Shiflett wrote:
--- Greg Donald <[EMAIL PROTECTED]> wrote:
http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
"There are two kinds of flaws :
- flaws inherent to the php lan
Chris Shiflett wrote:
> --- Greg Donald <[EMAIL PROTECTED]> wrote:
>> http://seclists.org/lists/security-basics/2004/Dec/0080.html
>
> Most of this is actually true.
>
> The one statement that is unclear is the following:
>
> "There are two kinds of flaws :
> - flaws inherent to the php lan
>> Also, you *SHOULD* force the file to be saved on your server
>> with the correct extension. If a user can upload a JPEG with
>> .php on the end, or worse, with php in the middle of the
>> filename, and then your server puts that file in the web tree or
>> otherwise allows it to be executed, *YOU
--- Richard Lynch <[EMAIL PROTECTED]> wrote:
> I personally think that if you can't upload your images outside
> your web tree then, in fact, your server admin is at fault for not
> providing you a directory structure that allows that. Good
> security requires cooperation from both admin and Progra
--- Greg Donald <[EMAIL PROTECTED]> wrote:
> http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
"There are two kinds of flaws :
- flaws inherent to the php language itself, as seen before, in fil
Greg Donald wrote:
> On Wed, 8 Dec 2004 08:42:50 -0500, Joshua Beall <[EMAIL PROTECTED]>
> wrote:
>> Can you also provide a link to the relevant message in the mailing list
>> archive? I would like to read this myself.
>
> http://seclists.org/lists/security-basics/2004/Dec/0080.html
Everything de
On Wed, 8 Dec 2004 08:42:50 -0500, Joshua Beall <[EMAIL PROTECTED]> wrote:
> Can you also provide a link to the relevant message in the mailing list
> archive? I would like to read this myself.
http://seclists.org/lists/security-basics/2004/Dec/0080.html
--
Greg Donald
Zend Certified Engineer
"Greg Donald" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> The other day a post came across one of those mailing lists discussing
> PHP security. One of the posters was describing how insecure PHP's
> file upload functionality is and went on to explain a simple method of
> attach
Remove me from your list
-Original Message-
From: Jani Taskinen [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 12:01 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
-BEGIN PGP SIGNED MES
On Wed, 24 Jul 2002, Scott Fletcher wrote:
> It works very nicely. The whole process takes 30 to 45 minutes for just
> one server. I wonder how someone did 12 computers in 10 minutes.
> Cool!
cd /usr/src/local
tar -zxf php-4.2.2.tar.gz
cd php-4.2.2
../php-4.2.1/config.nice
make
At 10:22 AM 7/24/02 -0400, Scott Fletcher wrote:
>It works very nicely. The whole process takes 30 to 45 minutes for just
>one server. I wonder how someone did 12 computers in 10 minutes.
>Cool!
For me the key to upgrading many servers is to compile once then copy the
resulting files to
On Wednesday 24 July 2002 22:22, Scott Fletcher wrote:
> It works very nicely. The whole process takes 30 to 45 minutes for just
> one server.
You've got a slow computer and/or you type too slow ;-)
> I wonder how someone did 12 computers in 10 minutes.
> Cool!
For me it was a case of
> > From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 23, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> > in PHP versions 4.2.0
> >
> >
> > Sent: Tuesday, July 23, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> > in PHP versions 4.2.0
> >
> >
> > I don't know how to apply patches to the PHP software. I just fin
Hmmm, interesting, I didn't know about this and didn't see it in the
docs. So now I know for my next upgrade.
Anyway, my upgrade is in, and through the mails it should be clear to those
who thought how terribly difficult and time consuming it is/was to do the
upgrades that it was in fact
If all you're doing is applying the patch (not adding/removing any
extensions), you should be able to use
./config.nice
which will use all of the configuration commands from your last compile
(This is an extremely handy thing if your GD/Freetype setup was particularly
ornery the first time aroun
"Ian Ball" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> patch -p0 < php-4.2.1-to-4.2.2.patch
> cd php-4.2.1
> ./configure --with-mysql --with-apxs=/usr/local/apache/bin/apxs --with-ldap
> make
> make install
> /usr/local/apache/bin/apachectl restart
Hmm...
> From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 12:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> in PHP versions 4.2.0
>
>
> I don't know how to apply patches to the PHP software.
Amended to this recent posting. Already started a new posting from scratch.
"Scott Fletcher" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I don't know how to apply patches to the PHP software. I just finished
> upgrading the website to work with PHP 4.2.1 fro
I don't know how to apply patches to the PHP software. I just finished
upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
then do the usual stuff for PHP, then apache, right?
"Adam Alkins" <[EMAIL PROTECT
Hello,
On 07/22/2002 08:07 PM, Dario Bahena Tapia wrote:
> Hi ...
>
> I want to be warned about php security issues, I couldn't find
> an exact match in the mailing list names ... which one do you
> recommend me?
http://www.phpadvisory.com/ is what you are looking for.
--
Regards,
Manuel Le
>Hi ...
>
>I want to be warned about php security issues, I couldn't find
>an exact match in the mailing list names ... which one do you
>recommend me?
I believe that the Announce list would have any critical security warnings
sent to it.
It's also very low-volume.
--
Like Music? http://l-i-e
Any real programmer should know that almost nothing is bug free, even if you
test it beyond your imagination. Something is always going to elude you and
be found by someone experimenting down the road.
For the widespread use of PHP, I'm rather impressed by the small amount of
vulnerabilities disco
[delete some flaming]
Hehe, and I thought I had to go to USENET to see a flamewar. This is great,
a flamewar delivered directly to my mailbox, it doesn't get better...
Let me put my $0.02 in. Security holes happen, no matter what software you
use. PHP and open source in general, unl
Yes. Please post something to php.announce! Nothing ever gets announced in
there anymore.
"Steve Meyers" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Can you post this to php.announce as well?
>
> Marko Karppinen wrote:
>
> >
> >PHP Security Advisory: V
The correct path for the windows binary version is
http://www.php.net/do_download.php?download_file=php-4.2.2-Win32.zip
/lasso ([EMAIL PROTECTED])
Rouvas Stathis wrote:
> Hi all,
>
> Just wanting to notify everyone that
> the link for the PHP.4.2.2 download is broken.
>
> -Stathis.
>
>
Hi all,
Just wanting to notify everyone that
the link for the PHP.4.2.2 download is broken.
-Stathis.
--
Rouvas Stathis
[EMAIL PROTECTED]
http://www.di.uoa.gr/~rouvas
Can you post this to php.announce as well?
Marko Karppinen wrote:
>
>PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
>
>
> Issued on: July 22, 2002
> Software: PHP versions 4.2.0 and 4.2.1
> Platforms: All
>
>
>The PHP Group has learned of a serious security vu
> > (1) avoid using .inc files; use .php files like for normal script
>
> No, it is safer to block access to .inc files with an httpd.conf rule.
The way I approach this, besides blocking execution, is to put any
sensitive files in a directory above the Document Root for the virtual
domain. PHP
AFAIK, you need the ScriptAlias line in your httpd.conf
if you are running PHP as a CGI...
Safer to run it as an SAPI module if you can and remove
that ScriptAlias line.
-GED
> "LaserJetter"
> - Re: PHP Security Alert for Apache/Win32
> - Sun, 6 Jan 2002 20:16:39 -
>
> Can
Can you not just delete the ScriptAlias line?
What does that line actually do apart from create an Alias?
LJ
"David" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Wow! I tried it and it really works, this is serious, man! Is there a fix
> around it without saf
Wow! I tried it and it really works, this is serious, man! Is there a fix around it
without safe mode like GED suggested?
>Folks running Apache/Win32 should read this:
>
>http://www.securiteam.com/windowsntfocus/5ZP030U60U.html
>
>If you run in CGI mode you likely have a line similar to the