Re: [PHP] Re: Security/Development Question

2010-04-28 Thread Ashley Sheridan
On Thu, 2010-04-29 at 08:49 +1000, Ross McKay wrote: > On Wed, 28 Apr 2010 16:54:56 -0400, "David Stoltz" wrote: > > >[...] > >We recently have added a very small web application that is vendor > >supported. They said it's not working, so I investigated. I found that > >our software protection wa

[PHP] Re: Security/Development Question

2010-04-28 Thread Ross McKay
On Wed, 28 Apr 2010 16:54:56 -0400, "David Stoltz" wrote: >[...] >We recently have added a very small web application that is vendor >supported. They said it's not working, so I investigated. I found that >our software protection was blocking their pages because they are >actually passing entire S

Re: [PHP] Re: Security Concerns with Uploaded Images:

2006-05-23 Thread tedd
At 4:34 PM -0500 5/23/06, Richard Lynch wrote: On Tue, May 23, 2006 9:52 am, tedd wrote: At 9:45 AM +0100 5/23/06, Rory Browne wrote: I'm not disagreeing with you, but how would that work? The file would still have a suffix of ".gif" and as such wouldn't be recognized as code to execute. U

Re: [PHP] Re: Security Concerns with Uploaded Images:

2006-05-23 Thread Richard Lynch
On Tue, May 23, 2006 9:52 am, tedd wrote: > At 9:45 AM +0100 5/23/06, Rory Browne wrote: > I'm not disagreeing with you, but how would that work? The file would > still have a suffix of ".gif" and as such wouldn't be recognized as > code to execute. Unless you have ANOTHER bug somewhere in those m

Re: [PHP] Re: Security Concerns with Uploaded Images:

2006-05-23 Thread Richard Lynch
On Tue, May 23, 2006 3:45 am, Rory Browne wrote: >> Use the unix command "file" to determine what file you have. >> I have had the same problem... > > Don't depend on it. http://php.net/getimagesize would be slightly better, as it tries to dig out width/height and number of colors for any given

Re: [PHP] Re: Security Concerns with Uploaded Images:

2006-05-23 Thread tedd
At 9:45 AM +0100 5/23/06, Rory Browne wrote: Use the unix command "file" to determine what file you have. I have had the same problem... Don't depend on it. graphic.php GIF89 ANY_GIF_FOOTERS_HERE should according to file be a gif, but contains embedded php. Rory: I'm not disagreeing wi

Re: [PHP] Re: Security Concerns with Uploaded Images:

2006-05-23 Thread Rory Browne
Use the unix command "file" to determine what file you have. I have had the same problem... Don't depend on it. graphic.php GIF89 ANY_GIF_FOOTERS_HERE should according to file be a gif, but contains embedded php. Many thanks! Greetings Michelle Konzack -- Linux-User #280138 with

[PHP] Re: Security Concerns with Uploaded Images:

2006-05-22 Thread Michelle Konzack
Am 2006-05-14 00:11:09, schrieb Nick Wilson: > Hi all, > > are there any security concerns with uploaded images? > > My thought is that it wouldn't be too hard to have some kind of script > masquerade as a gif file, and perhaps cause damage. > > I can't find any way to check a file really is a gi

Re: [PHP] Re: security of uploaded gif files

2006-01-23 Thread Gustavo Narea
Hi, Gerry. Gerry Danen wrote: There's a couple of things a person can do. 1. check for .gif extension 2. see if exif_imagetype() returns type IMAGETYPE_GIF 3. see if getimagesize() returns reasonable values and not FALSE 4. check the file content for binary vs text content It's enough to know

[PHP] Re: security of uploaded gif files

2006-01-23 Thread Gustavo Narea
Hi, James. James Benson wrote: Even if you can embed PHP in a GIF it would still need to be executed by PHP as PHP code, would PHP actually execute that file when it looks like an image, I would think PHP would output an error? Unless you include/require or eval() its content, PHP won't execu

Re: [PHP] Re: security of uploaded gif files

2006-01-23 Thread Gerry Danen
There's a couple of things a person can do. 1. check for .gif extension 2. see if exif_imagetype() returns type IMAGETYPE_GIF 3. see if getimagesize() returns reasonable values and not FALSE 4. check the file content for binary vs text content Gerry -- PHP General Mailing List (http://www.php.ne

[PHP] Re: security of uploaded gif files

2006-01-23 Thread James Benson
Even if you can embed PHP in a GIF it would still need to be executed by PHP as PHP code, would PHP actually execute that file when it looks like an image, I would think PHP would output an error? More importantly though, you should be checking the file extension of uploaded files to make sur

[PHP] Re: security of uploaded gif files

2006-01-23 Thread Barry
James Benson wrote: Even if you can embed PHP in a GIF it would still need to be executed by PHP as PHP code, would PHP actually execute that file when it looks like an image, I would think PHP would output an error? More importantly though, you should be checking the file extension of uploa

Re: [PHP] Re: Security Issues - Where to look?

2005-11-11 Thread GamblerZG
Richard Lynch wrote: On Thu, November 10, 2005 3:29 pm, GamblerZG wrote: IMO, the best way is to re-generate SIDs on each request, but such a method will decrease performance of a script. But if Cookies are off, you just destroyed their "Back" button in their browser, which should be a crime.

Re: [PHP] Re: security code

2005-11-11 Thread Richard Lynch
On Fri, November 11, 2005 8:47 am, Gustavo Narea wrote: > On the other hand, if your website is for programmers, you may want to > know that programmers can be blind (although you won't take this into > account): http://www.blindprogramming.com What I found most interesting about this site: PHP's

Re: [PHP] Re: security code

2005-11-11 Thread Edward Vermillion
Gustavo Narea wrote: Hello. [snip] As I said previously, it depends on the target of your website. For instance, if your website is for web designers, you may only need to use visual turing numbers: They must have a user agent which is able to process images and I cannot imagine a blind we

Re: [PHP] Re: security code

2005-11-11 Thread Gustavo Narea
Hello. Richard Lynch wrote: On Thu, November 10, 2005 10:11 am, Jochem Maas wrote: ... or put another way - is there a good reason why the web should be any less discriminating than the rest of society. Yes. It's the WORLD WIDE WEB. I mean, it's all very well to discriminate against

Re: [PHP] Re: security code

2005-11-11 Thread Gustavo Narea
Hello. Richard Lynch wrote: On Thu, November 10, 2005 10:45 am, Gustavo Narea wrote: CAPTCHA tests are indispensable. The problem comes when you *only* use visual tests (such as "visual turing numbers"). If you need CAPTCHA tests, you may use them both visual and audible. This is a good ex

Re: [PHP] Re: security code

2005-11-11 Thread Jochem Maas
Richard Lynch wrote: On Thu, November 10, 2005 10:11 am, Jochem Maas wrote: ... or put another way - is there a good reason why the web should be any less discriminating than the rest of society. Yes. It's the WORLD WIDE WEB. shucks, now you're getting all pedantic. I really don't thin

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Jasper Bryant-Greene
GamblerZG wrote: Richard Lynch wrote: Please pay attention. Sorry, I did not see your message when I posted that. Oh and would you mind using an email address that exists? Every time I reply to one of your posts, I get a returned mail from highstream.net saying your user doesn't exist..

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 3:29 pm, GamblerZG wrote: >> IMO, the best way is to re-generate SIDs on each request, but such >> a method will decrease performance of a script. But if Cookies are off, you just destroyed their "Back" button in their browser, which should be a crime. Re-generate only when

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Richard Lynch wrote: Please pay attention. Sorry, I did not see your message when I posted that. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Chris Shiflett
GamblerZG wrote: > > I think it's still reasonable to restrict a session to a > > single IP. > > No, it's not, for all of the reasons Richard mentioned and > more. I agree that using only IP to identify session is bad. Read more carefully. Enforcing IP consistency is bad, and many good reason

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
GamblerZG wrote: This comes at a price of a small inconvenience for dial-up users (since they would need to login on each reconnect), but I think such a price is reasonable. Ok, scrap this statement. I did not know about the AOL thing. But this one still stands: IMO, the best way is to re-generate

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 3:08 pm, GamblerZG wrote: > Chris Shiflett wrote: >> GamblerZG wrote: >>> I think it's still reasonable to restrict a session to a single IP. >> No, it's not, for all of the reasons Richard mentioned and more. > > I agree that using only IP to identify session is bad. > Us

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Richard Lynch wrote: AOL users WILL change their IP in a single [web-surfing] session. Ugh... I did not know that. That's horrible. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: security code

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 10:45 am, Gustavo Narea wrote: > CAPTCHA tests are indispensable. The problem comes when you *only* > use > visual tests (such as "visual turing numbers"). > > If you need CAPTCHA tests, you may use them both visual and audible. > This is a good example: https://www.e-g

Re: [PHP] Re: security code

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 10:11 am, Jochem Maas wrote: > ... > or put another way - is there a good reason why the web should be any > less > discriminating than the rest of society. Yes. It's the WORLD WIDE WEB. I mean, it's all very well to discriminate against those people way far away whom

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Chris Shiflett wrote: GamblerZG wrote: I think it's still reasonable to restrict a session to a single IP. No, it's not, for all of the reasons Richard mentioned and more. I agree that using only IP to identify session is bad. Using only SID is ok. Using SIDs that are tied to a single IP is e

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 1:08 pm, GamblerZG wrote: > Richard Lynch wrote: >> IP is useless for identification or authentication of the general >> web-surfer: >> Users behind firewalls will all appear to be from one (1) IP >> AOL users change IPs faster than drummers change underwear > > I think

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Chris Shiflett
GamblerZG wrote: I think it's still reasonable to restrict a session to a single IP. No, it's not, for all of the reasons Richard mentioned and more. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Richard Lynch wrote: IP is useless for identification or authentication of the general web-surfer: Users behind firewalls will all appear to be from one (1) IP AOL users change IPs faster than drummers change underwear I think it's still reasonable to restrict a session to a single IP. -- P

Re: [PHP] Re: security code

2005-11-10 Thread Gustavo Narea
Hello. CAPTCHA tests are indispensable. The problem comes when you *only* use visual tests (such as "visual turing numbers"). If you need CAPTCHA tests, you may use them both visual and audible. This is a good example: https://www.e-gold.com/acct/login.html Regards. Jochem Maas wrote:

Re: [PHP] Re: security code

2005-11-10 Thread Jochem Maas
this email contains swearing so that the sensitive amongst you will be spared what I have to say (assuming you have a stupid 'I'm a sensitive person, don't expose me to bad language' mail filter) Gustavo Narea wrote: Hello, Clive. Depending on the target of your website, you shall need to keep

[PHP] Re: security code

2005-11-09 Thread Gustavo Narea
Hello, Clive. Depending on the target of your website, you shall need to keep in mind the (in)accessibility of this kind of tests: http://www.w3.org/TR/2003/WD-turingtest-20031105/ By the way, AFAIK they are also known as "turing numbers". Regards. Clive wrote: Hi does any one have a class

[PHP] Re: security code

2005-11-09 Thread Rosty Kerei
Yep! It's called captcha. There is a PEAR package Text/CAPTCHA, and also you can find some other classes at phpclasses.org Good luck! Sincerely, Rosty Kerei <[EMAIL PROTECTED]> "Clive" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi > does any one have a class/function to gener

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Thanks once again, Chris. I must read that guide. Have a nice day! Chris Shiflett wrote: Gustavo Narea wrote: I found a document titled "A Guide to Building Secure Web Applications" while I was reading one of the documents you suggested to us,

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Thanks for the explanation, Richard. I'll definitely take it into account. So, let's distrust *everything*. Best regards. Richard Lynch wrote: On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote: *Distrust everything coming from your users, even their user agents* *I

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Richard Lynch
On Tue, November 8, 2005 2:55 pm, Gustavo Narea wrote: > I found a document titled "A Guide to Building Secure Web > Applications" > while I was reading > one of the documents you suggested to us, and I would like to know what > you > think about i

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Richard Lynch
On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote: > *Distrust everything coming from your users, >even their user agents* > >*If you make your scripts taking this into account, > they'll be pretty secure* > > > Actually, I believe that the one thing you c

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Chris Shiflett
Gustavo Narea wrote: I found a document titled "A Guide to Building Secure Web Applications" while I was reading one of the documents you suggested to us, and I would like to know what you think about it. The OWASP Guide is good, but that site

[PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Hello. I found a document titled "A Guide to Building Secure Web Applications" while I was reading one of the documents you suggested to us, and I would like to know what you think about it. -- Best regards, Gustavo Narea. PHP Documentation

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Hello, Chris. I will take into account what you said. It is right what you mentioned regarding that example. We have to take into account that cookies can be stolen. Thanks for the URLs, I will visit them. Cheers. Chris Shiflett wrote: Gustavo Narea wrote: By the way, I liked the link th

RE: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread bruce
be funding for this kind of app... ps.. this kind of app would not be trivial to create!!! -bruce -Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 08, 2005 12:08 PM To: Gustavo Narea Cc: php-general@lists.php.net Subject: Re: [PHP] Re: Security Issu

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Chris Shiflett
Gustavo Narea wrote: By the way, I liked the link that Pablo suggested: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ Be careful. There is a lot of misinformation out there regarding PHP security, and this article is a good example. Here's something that caught my eye: "The second s

[PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
*Distrust everything coming from your users, even their user agents* *If you make your scripts taking this into account, they'll be pretty secure* Actually, I believe that the one thing you can trust in, is their IP addresses. Isn't it? By the way, I liked th

Re: [PHP] Re: security/sql issues with php

2005-09-21 Thread Greg Schnippel
sage- > From: Aaron Greenspan [mailto:[EMAIL PROTECTED] > Sent: Wednesday, September 21, 2005 7:18 AM > To: php-general@lists.php.net > Subject: [PHP] Re: security/sql issues with php > > > Bruce, > > If you're looking for commercial-grade open-source packages, I thin

RE: [PHP] Re: security/sql issues with php

2005-09-21 Thread bruce
rom: Aaron Greenspan [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 21, 2005 7:18 AM To: php-general@lists.php.net Subject: [PHP] Re: security/sql issues with php Bruce, If you're looking for commercial-grade open-source packages, I think you're going to have a pretty hard time findi

[PHP] Re: security/sql issues with php

2005-09-21 Thread Aaron Greenspan
Bruce, If you're looking for commercial-grade open-source packages, I think you're going to have a pretty hard time finding much. Most commercial-grade software is...commercial. The truly robust open-source packages, i.e. Mozilla, MySQL, JBoss, BerkeleyDB, etc., are backed by some sort of com

Re: [PHP] Re: security while building online store

2005-08-31 Thread Shafiq Rehman
You must read the articles by Shiflett http://www.phpgurru.com/index.php?acion=paging&chid=www.shiflett.org&offset=10 On 8/31/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > [EMAIL PROTECTED] wrote: > > kat > > Dzesi momak ;) > > I think you know PHP enough to make your code secure. > Just

[PHP] Re: security while building online store

2005-08-31 Thread [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote: kat Dzesi momak ;) I think you know PHP enough to make your code secure. Just take care (as Christian wrote) about sql-injections and register_globals. The biggest problem could be Linux/Apache/MySQL server security threat... --- avast! Antivirus: Outbound message

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-13 Thread Charles Stuart
On Jul 12, 2005, at 6:50 AM, Chris Shiflett wrote: As far as allowing [red] goes, you can just as easily add to the list of available tags and not have to come up with a replacement for every other HTML tag that already exists. but what about the poor bastards that'll go around trying

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-12 Thread Chris Shiflett
Evert|Rooftop wrote: If you for example only allow and doing this with bbcode would require extra cpu-cycles to convert [i] to I don't really agree with this, because I think escaping the html + replacing bbcode would require less cpu cycles than scanning the string for invalid html and escap

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-12 Thread Chris Shiflett
Richard Davey wrote: I gave several valid good usability reasons, that I've yet to see anyone provide a coherent reason not to use. The usability arguments in favor of BBCode are fine. I'm not interested in that debate. I just don't want more people thinking that allowing BBCode somehow prote

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Evert | Rooftop
The point is.. If you for example only allow and doing this with bbcode would require extra cpu-cycles to convert [i] to I don't really agree with this, because I think escaping the html + replacing bbcode would require less cpu cycles than scanning the string for invalid html and escapin

Re: Re[6]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Jonathan Kart
I've been loosely following this thread, and have a question now. Isn't one advantage of a bbcode type solution that you can more easily avoid session hijacking via cross-site scripting? If you allow html, then you open the door for people to add event handlers. I guess you could always strip the

Re[6]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Richard Davey
Hello Greg, Monday, July 11, 2005, 5:06:51 PM, you wrote: GD> I wouldn't know, isn't one of the tags I allow. If you stick to the plain vanilla HTML tags such as i, b, u, etc then BBCode is pointless - I agreed on this with you several posts ago. I don't however use it just for that, I use it t

Re: Re[4]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Greg Donald
On 7/11/05, Richard Davey <[EMAIL PROTECTED]> wrote: > u wanted to allow a user to say colour a piece of text red, > they'd have to enter x to make it I wouldn't know, isn't one of the tags I allow. > happen? Poor bastards (never mind the fact I'd love to see you use > less CPU cycles to perfect

Re[4]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Richard Davey
Hello Greg, Monday, July 11, 2005, 3:46:24 PM, you wrote: GD> On 7/11/05, Richard Davey <[EMAIL PROTECTED]> wrote: >> I gave several valid good usability reasons, that I've yet to see >> anyone provide a coherent reason not to use. GD> Misuse of CPU cycles. So if you wanted to allow a user to s

Re: Re[2]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Greg Donald
On 7/11/05, Richard Davey <[EMAIL PROTECTED]> wrote: > I gave several valid good usability reasons, that I've yet to see > anyone provide a coherent reason not to use. Misuse of CPU cycles. -- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com/ -- PHP General Mail

Re[2]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-11 Thread Richard Davey
Hello Chris, Sunday, July 10, 2005, 2:31:57 AM, you wrote: CS> I completely agree. I think you'll find that, when pressed, no one CS> can really provide a good reason to use BBCode. I often see CS> security cited as a reason, but it makes no sense. I gave several valid good usability reasons, th

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-10 Thread Richard Lynch
On Fri, July 8, 2005 11:25 am, Ezra Nugroho said: > > Here is one security measure that you HAVE to do if you allow people to > submit contents to your site. > > 1. track client's IP. > 2. Associate sensitive cookies with the IP, if they don't match, ignore > it or invalidate the cookie. > > We may

Re: [PHP] Re: security question...??

2005-07-09 Thread Chris Shiflett
Matthew Weier O'Phinney wrote: The reason I ask is that (1) it shouldn't matter HOW the HTTP request is initiated. What *should* matter is that the page handles the request gracefully and returns something (HTTP headers only, or headers + page) as a result. That's an interesting way of explaini

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Chris Shiflett
Ezra Nugroho wrote: Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. If by "HAVE to" you mean "MUST NEVER," then I agr

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Chris Shiflett
Greg Donald wrote: > [i]This text will be in italics.[/i] > [b]This text will be in bold.[/b] > [url=http://php.net]This will be a URL that points to php.net.[/url] While I do not disagree with the information content of your post, I do think this sort of thing is pretty silly. If you're gonna

Re[5]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Richard Davey
To follow-up my own post... which is sad I know, but hey... Saturday, July 9, 2005, 7:08:37 PM, I wrote: RD> The difference is the extra hoops your reg exps will have to jump RD> through, and have to jump through perfectly. You will have to disallow RD> all <'s and >'s, but do allow them for , ,

Re[4]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Richard Davey
Hello Greg, Saturday, July 9, 2005, 6:40:06 PM, you wrote: GD> The same regular expression magic that keeps you from forgetting your GD> [/i] can just as easily keep you from forgetting your . The difference is the extra hoops your reg exps will have to jump through, and have to jump through per

Re: Re[2]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Greg Donald
On 7/9/05, Richard Davey <[EMAIL PROTECTED]> wrote: > I have to say I disagree, because with all modern BBcode parsers it > would never get to that stage. The same regular expression magic that keeps you from forgetting your [/i] can just as easily keep you from forgetting your . -- Greg Donald

Re[2]: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-09 Thread Richard Davey
Hello Greg, Friday, July 8, 2005, 5:00:23 PM, you wrote: GD> On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: >> Yep, but this has no way of breaking my html GD> If [/i] is missing, it'd be the same as being missing. I have to say I disagree, because with all modern BBcode parsers it would nev

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Rory Browne
a user, unless you are fine with invalidating users on > > a frequent basis > > > > Michael > > > > > -Original Message- > > > From: Ezra Nugroho [mailto:[EMAIL PROTECTED] > > > Sent: Friday, July 08, 2005 11:49 AM > > > To: Michael Caplan > >

RE: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ezra Nugroho
ge- > > From: Ezra Nugroho [mailto:[EMAIL PROTECTED] > > Sent: Friday, July 08, 2005 11:49 AM > > To: Michael Caplan > > Subject: RE: [PHP] Re: Security, Late Nights and Overall Paranoia > > > > True, but it's better than nothing. > > > >

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 1:25 PM, Ezra Nugroho wrote: Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. We may not stop th

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ezra Nugroho
Here is one security measure that you HAVE to do if you allow people to submit contents to your site. 1. track client's IP. 2. Associate sensitive cookies with the IP, if they don't match, ignore it or invalidate the cookie. We may not stop the information redirection. We can make the informati

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 12:31 PM, Edward Vermillion wrote: On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: I am just wondering, how could someone craft an html to steal cookies? If your cookie distribution is done right, I don't think you need to worry about this. That's what XSS is all abou

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 12:02 PM, Ezra Nugroho wrote: I am just wondering, how could someone craft an html to steal cookies? If your cookie distribution is done right, I don't think you need to worry about this. That's what XSS is all about. I don't have the link handy but I do have a PDF file

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ezra Nugroho
I am just wondering, how could someone craft an html to steal cookies? If your cookie distribution is done right, I don't think you need to worry about this. There are a gazillion of sites (CMS-based, wiki-based, etc, including php.net) that allow users to contribute html. They are not concern a

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: > I am not really bothered about the closing tags (for example ) > I am more bothered about the opening closing tag (for example should be ) > as this can mess up my page...but this can't do squat: [i > or this: i] That's where a good preview function

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Edward Vermillion
On Jul 8, 2005, at 4:21 AM, <[EMAIL PROTECTED]> wrote: Personally, I don't think it's a bad idea at all. The best way (and probably ONLY real way) to achieve decent security would be to limit the subset of tags the user can post. Best way to achieve this is to use your own tagging system (e.g.

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ryan A
> > Yep, but this has no way of breaking my html > > If [/i] is missing, it'd be the same as being missing. > > I can just as easily clean out any missing tags as I can any > missing [/i] tags. > I am not really bothered about the closing tags (for example ) I am more bothered about the ope

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: > Yep, but this has no way of breaking my html If [/i] is missing, it'd be the same as being missing. I can just as easily clean out any missing tags as I can any missing [/i] tags. -- Greg Donald Zend Certified Engineer MySQL Core Certificati

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ryan A
Hey, > > The problem with this approach is if people don't close their tags properly > Nothing makes it impossible for me to hand type and not close one of those > tags. > > [i]blah Yep, but this has no way of breaking my html the max you would get is: [i this will be in italics which is

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Ryan A <[EMAIL PROTECTED]> wrote: > The problem with this approach is if people don't close their tags properly Nothing makes it impossible for me to hand type and not close one of those tags. [i]blah -- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Ryan A
Hey, > > The typical way that forums handle this is to use what is called > > "BBCode". In short, you have a non-HTML way for users to supply > > [i]This text will be in italics.[/i] > > [b]This text will be in bold.[/b] > If you're gonna allow the tag then just allow it. There's no > p

Re: [PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Greg Donald
On 7/8/05, Jason Barnett <[EMAIL PROTECTED]> wrote: > The typical way that forums handle this is to use what is called > "BBCode". In short, you have a non-HTML way for users to supply > information that will produce markup instead of just plain text. So if > you want to allow italics, bolds, URL

[PHP] Re: Security, Late Nights and Overall Paranoia

2005-07-08 Thread Jason Barnett
The typical way that forums handle this is to use what is called "BBCode". In short, you have a non-HTML way for users to supply information that will produce markup instead of just plain text. So if you want to allow italics, bolds, URL's, etc. then you have some codes for it like: [i]This

RE: [PHP] Re: security question...??

2005-06-22 Thread Richard Lynch
On Wed, June 22, 2005 3:27 pm, bruce said: > rene.. > > you've grasped the problem/issue, as have most. all i said was that i've > started to think about the issue of security as also meaning i have to > start > thinking about the client. just as users have had to start to think about > 'is the sit

RE: [PHP] Re: security question...??

2005-06-22 Thread Chris W. Parker
bruce on Wednesday, June 22, 2005 3:17 PM said: > but chris... > > go back and look at the entire thread... > > i never stated that i wanted to be able to know whether the entire > system is secure on the client's end.. i stated that i wanted to be > able to know i

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
e market to decide... and let's be real, there will never be a solution for any problem that satisfies everyone! that's life.. peace.. -bruce -Original Message- From: Rene Brehmer [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 2:55 PM To: php-general@lists.php

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
D]; Rory Browne; php-general@lists.php.net Subject: RE: [PHP] Re: security question...?? bruce <mailto:[EMAIL PROTECTED]> on Wednesday, June 22, 2005 10:28 AM said: > sure it can rory... > > i can give you a file... i create a hash of the file... if i have a > process withi

Re: [PHP] Re: security question...??

2005-06-22 Thread Rene Brehmer
Bruce, I think you missed my point here: No matter how secure the client's browser is, or even if he uses a custom made Client Access Program (believe me, the banks in Denmark used that approach at first because browsers weren't secure enough), it still doesn't change the fact that there may be oth

Re: [PHP] Re: security question...??

2005-06-22 Thread Rory Browne
rch, check some of the literature.. > > -bruce > > > -Original Message- > From: Rory Browne [mailto:[EMAIL PROTECTED] > Sent: Wednesday, June 22, 2005 6:58 AM > To: [EMAIL PROTECTED] > Cc: Rene Brehmer; php-general@lists.php.net > Subject: Re: [PHP] Re: security

RE: [PHP] Re: security question...??

2005-06-22 Thread Murray @ PlanetThoughtful
> if i as a bank, refuse to allow you to signin to my server, because i > detect > that your client is not valid/legitimate, meaning i think it's been > hacked, > how have i trampled the rights of anyone. i haven't. will some customers > run, sure.. perhaps.. will i potentially feel better. yeah. w

RE: [PHP] Re: security question...??

2005-06-22 Thread Chris W. Parker
bruce on Wednesday, June 22, 2005 10:28 AM said: > sure it can rory... > > i can give you a file... i create a hash of the file... if i have a > process within the file that i give you that allows the file to more > or less create the hash of itself, and if i can qu

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
, June 22, 2005 6:58 AM To: [EMAIL PROTECTED] Cc: Rene Brehmer; php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? Okay Bruce: There's one very major problem with your suggestion - IT CAN NOT BE DONE. YOU CAN NOT TEST A REMOTE PIECE OF SOFTWARE TO MAKE SURE THAT THERE

Re: [PHP] Re: security question...??

2005-06-22 Thread Rory Browne
s... > > rene, you also have to understand, i'm not trying to determine if the user's > entire system is 'clean/valid'. i'd settle for a way of knowing that the > browser/client that i'm talking to is legitimate!! > > -bruce > > > > -Ori

RE: [PHP] Re: security question...??

2005-06-22 Thread bruce
e -Original Message- From: Rene Brehmer [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 21, 2005 3:18 PM To: php-general@lists.php.net Subject: Re: [PHP] Re: security question...?? Documented research indicate that on Tue, 21 Jun 2005 13:37:50 -0700, "bruce" wrote: > chris... &g

Re: [PHP] Re: security question...??

2005-06-21 Thread Rene Brehmer
Documented research indicate that on Tue, 21 Jun 2005 13:37:50 -0700, "bruce" wrote: > chris... > > what you state is true at the extreme... but in the case of an client app, i > could already extract information about the various apps that make up the > client.. ie if, as in the case of IE, I wa

Re: [PHP] Re: security question...??

2005-06-21 Thread Rene Brehmer
Documented research indicate that on Tue, 21 Jun 2005 16:25:36 +0100, "Shaw, Chris - Accenture" wrote: > You could always use a IE exploit to crash the browser, if they are still > requesting, you know they are not IE. ;) > > Out of interest, what information are you planning on getting from the

Re: [PHP] Re: security question...??

2005-06-21 Thread Rory Browne
Even if you could pull it off technically, and I'd be very interested if you did, considering that the most insecure browser out there, is also the most commonly used. Ditto for OS. If all you're concerned about is client image (which from the tone seems to be the case), then you could simply exclu

RE: [PHP] Re: security question...??

2005-06-21 Thread Chris W. Parker
bruce on Tuesday, June 21, 2005 1:38 PM said: > what you state is true at the extreme... but in the case of an client > app, i could already extract information about the various apps that > make up the client.. ie if, as in the case of IE, I was able to get > inform
