RE: [PHP] Security Question

2011-04-09 Thread tedd
At 2:53 PM -0500 4/8/11, Jay Blanchard wrote: [snip] what's the best way to learn about security in php? [/snip] Study, study, study! Chris Shiflett is a recognized expert on PHP security - http://shiflett.org/ He has a great book on PHP Security - http://www.amazon.com/exec/obidos/ASIN/0596006

Re: [PHP] Security Question

2011-04-08 Thread Adam Richardson
On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 wrote: > hey guys/girls, > > what's the best way to learn about security in php? Here are some relevant topics to consider: - Validate input (only accept what you're expecting, via GET, POST, and COOKIE, and don't try to fix an invalid value,

RE: [PHP] Security Question

2011-04-08 Thread Alex Nikitin
The best way to learn about security of something is to learn how to break it... On Apr 8, 2011 3:55 PM, "Jay Blanchard" wrote: > > [snip] > what's the best way to learn about security in php? > [/snip] > > Study, study, study! > > Chris Shiflett is a recognized expert on PHP security - > http://shifl

RE: [PHP] Security Question

2011-04-08 Thread Jay Blanchard
[snip] what's the best way to learn about security in php? [/snip] Study, study, study! Chris Shiflett is a recognized expert on PHP security - http://shiflett.org/ He has a great book on PHP Security - http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflet t-20 -- PHP Genera

[PHP] Security Question

2011-04-08 Thread nighthawk1256
hey guys/girls, what's the best way to learn about security in php? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] security question of ZCE exam

2009-08-25 Thread Daniel Brown
On Tue, Aug 25, 2009 at 00:07, Augusto Flavio wrote: > > Answers: (choose 2) >    Error messages will contain sensitive session information >    Error messages can contain cross site scripting attacks >    Security risks involved in logging are handled by PHP > X    Error messages give the percepti

[PHP] security question of ZCE exam

2009-08-24 Thread Augusto Flavio
Hi all, I'm discussing this question with my friend for 30 min and I do not agree with him. Here is the question: Why is it important from a security perspective to never display PHP error messages directly to the end user, yet always log them? Answers: (choose 2) Error messages wil

Re: [PHP] Security question

2009-01-15 Thread Micah Gersten
Frank Stanovcak wrote: > "VamVan" wrote in message > news:12eb8b030901141421u6741b943q396bc784136b7...@mail.gmail.com... > >> On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak >> wrote: >> >> >>> This is mostly to make sure I understand how sessions are handled >>> correctly. >>> As far as

Re: [PHP] Security question

2009-01-15 Thread Frank Stanovcak
"VamVan" wrote in message news:12eb8b030901141421u6741b943q396bc784136b7...@mail.gmail.com... > On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak > wrote: > >> This is mostly to make sure I understand how sessions are handled >> correctly. >> As far as sessions are concerned the variable data is

Re: [PHP] Security question

2009-01-14 Thread VamVan
On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak wrote: > This is mostly to make sure I understand how sessions are handled > correctly. > As far as sessions are concerned the variable data is stored on the server > (be it in memory or temp files), and never transmitted across the net > unless ou

[PHP] Security question

2009-01-14 Thread Frank Stanovcak
This is mostly to make sure I understand how sessions are handled correctly. As far as sessions are concerned the variable data is stored on the server (be it in memory or temp files), and never transmitted across the net unless output to the page? So this means I should be able to store the

Re: [PHP] Security Question

2007-10-17 Thread Jim Lucas
Andrew Peterson wrote: Does anyone know a good way to protect a directory that a php script NEEDS to write to? What I'm doing now: 1. create a directory manually "myDir" 2. chmod 777 myDir 3. password protect the directory with htaccess Is this the best way, or is there something better? Als

Re: [PHP] Security Question

2007-10-17 Thread Richard Heyes
Does anyone know a good way to protect a directory that a php script NEEDS to write to? What I'm doing now: 1. create a directory manually "myDir" 2. chmod 777 myDir 3. password protect the directory with htaccess Is this the best way, or is there something better? You could chmod the file/d

[PHP] Security Question

2007-10-17 Thread Andrew Peterson
Does anyone know a good way to protect a directory that a php script NEEDS to write to? What I'm doing now: 1. create a directory manually "myDir" 2. chmod 777 myDir 3. password protect the directory with htaccess Is this the best way, or is there something better? Also, is there a way to mkdi

Re: [PHP] Security Question, re directory permissions [long answer]

2007-05-22 Thread Daniel Brown
My pleasure, Arno! On 5/22/07, Arno Kuhl <[EMAIL PROTECTED]> wrote: -Original Message- From: Daniel Brown [mailto:[EMAIL PROTECTED] Sent: 18 May 2007 10:27 To: Al Cc: php-general@lists.php.net Subject: Re: [PHP] Security Question, re directory permissions [long answer] On 5

Re: [PHP] Security Question, re directory permissions

2007-05-19 Thread Al
I use Hosting Matters. It is super reliable and solid. itoctopus wrote: I'm genuinely interested to know with whom you're hosting...

Re: [PHP] Security Question, re directory permissions

2007-05-19 Thread Tijnema
On 5/19/07, itoctopus <[EMAIL PROTECTED]> wrote: I'm genuinely interested to know with whom you're hosting... No problem, it's www.dapx.com, it hasn't a lot of security, safe_mode is off for example. If you know the right stuff from another user on the same server, you can actually do some nice st

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread itoctopus
I'm genuinely interested to know with whom you're hosting... -- itoctopus - http://www.itoctopus.com "Tijnema" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > On 5/19/07, Al <[EMAIL PROTECTED]> wrote: >> How can anyone, other than the staff, get into my site? Far as I know, >> ot

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Al
I guess your comment "The less secure everything else is." is the best answer. I'm developing a CMS where logged-in, selected users can create new directories and pages in them. I'm comfortable that my code is secure. I'm using php's ftp functions, with good security, to mkdir and create

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Tijnema
On 5/19/07, Al <[EMAIL PROTECTED]> wrote: How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Robert Cummings
On Fri, 2007-05-18 at 20:16 -0400, Al wrote: > How can anyone, other than the staff, get into my site? Far as I know, other > users can't get out of their own domain > space and into mine. Bugs in your code, bugs in third-party code, bugs in PHP itself, sometimes they can be abused to take adva

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Al
How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. Tijnema wrote: On 5/19/07, Al <[EMAIL PROTECTED]> wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [a

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Tijnema
On 5/19/07, Al <[EMAIL PROTECTED]> wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow.

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Al
But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Tijnema ! wrote: On 5/18/07,

Re: [PHP] Security Question, re directory permissions [long answer]

2007-05-18 Thread Daniel Brown
On 5/18/07, Al <[EMAIL PROTECTED]> wrote: I'm on a shared Linux host and have been wondering about security and directory "other" ["world"] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a directory on the doc root has permissio

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Tijnema !
On 5/18/07, Al <[EMAIL PROTECTED]> wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: > On 5/18/

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Al
How can they write or edit files there without having ftp access or the site's file manager? Tijnema ! wrote: On 5/18/07, Al <[EMAIL PROTECTED]> wrote: I'm on a shared Linux host and have been wondering about security and directory "other" ["world"] permissions. The defaults are 755. The 'ot

Re: [PHP] Security Question, re directory permissions

2007-05-18 Thread Tijnema !
On 5/18/07, Al <[EMAIL PROTECTED]> wrote: I'm on a shared Linux host and have been wondering about security and directory "other" ["world"] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a directory on the doc root has permissi

[PHP] Security Question, re directory permissions

2007-05-18 Thread Al
I'm on a shared Linux host and have been wondering about security and directory "other" ["world"] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a directory on the doc root has permissions 757? If there is a security problem, w

Re: [PHP] Security Question

2007-01-20 Thread Jochem Maas
Al wrote: > Here is part of my proxie tags to html tags translation array. Looks > pretty safe to me. There is other code to recognize paragraphs and > lists, etc. any 'real' html in the content you're 'translating' is still going to be there after translation - and therefore sent to the client, qui

Re: [PHP] Security Question

2007-01-20 Thread Al
Here is part of my proxie tags to html tags translation array. Looks pretty safe to me. There is other code to recognize paragraphs and lists, etc. $translate_array= array( '' => ''=> '', '' => '" target="_blank">', "" => ' => "

Re: [PHP] Security Question

2007-01-19 Thread Jochem Maas
Al wrote: > Good point about the ' evil haxor code here; '. That's > bad for our users, not the site, per se. what is bad for your users is bad for your site, on top of that the script is running in the context of your domain - all sorts of nasty possibilities that could affect your site. > > R

Re: [PHP] Security Question

2007-01-19 Thread Al
Good point about the ' evil haxor code here; '. That's bad for our users, not the site, per se. Raw text to html is primarily done with a series of preg_replace() operations. No include() or exec() allowed near the text. Sounds like I'm in pretty good shape. Thanks for the help.. Jochem

Re: [PHP] Security Question

2007-01-19 Thread Jochem Maas
Al wrote: > I've got a website on a virtual-host, Apache/Linux system running php > scripts. > > In particular, I've designed a CMS where designated individuals compose > and edit text in an html textarea, and then save the raw text in files. > Custom [i.e., proxie] tags are used for emphasizing an

[PHP] Security Question

2007-01-19 Thread Al
I've got a website on a virtual-host, Apache/Linux system running php scripts. In particular, I've designed a CMS where designated individuals compose and edit text in an html textarea, and then save the raw text in files. Custom [i.e., proxie] tags are used for emphasizing and the formatting tex

Re: [PHP] security question

2006-11-24 Thread Richard Lynch
void session_set_cookie_params ( int lifetime [, string path [, string domain [, bool secure [, bool httponly ) The "bool secure" part of that means you can set your cookie parameters such that your cookies are sent/received only over SSL connections. Only available since PHP 4.0.4 On Thu, N

Re: [PHP] security question

2006-11-23 Thread Rory Browne
Sorry didn't quite get that finished - hit send by accident ( and had it go to one person, instead of to the list ). Few quick tips - not all strictly security related, but may affect security. Devel

Re: [PHP] security question

2006-11-23 Thread Robert Cummings
On Wed, 2006-11-22 at 22:45 -0600, Larry Garfield wrote: > On Wednesday 22 November 2006 22:38, Robert Cummings wrote: > > > > maybe we should all refer to forum and google > > > > Teach a man to fish... > > And you lose your monopoly on fisheries. Yeah, but I got Park Place and Boardwalk!!! *ny

Re: [PHP] security question

2006-11-23 Thread Dave Goodchild
There are a few ways of working you should adopt early as they protect against a range of security problems. Some examples: 1. Always initialise your variables. 2. If you can, turn off register_globals, or code defensively if you can't. 3. Always mistrust incoming data, validate, check contents

Re: [PHP] security question

2006-11-23 Thread David Robley
Robert Cummings wrote: > On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote: >> Western, Matthew wrote: >> > >> >> where did u learn all the stuff?... ;-) >> > Maybe reading the manual? >> >> thanks matthew, >> >> maybe we should all refer to forum and google > > Teach a man to fish... > > Chee

Re: [PHP] security question

2006-11-22 Thread Larry Garfield
On Wednesday 22 November 2006 22:38, Robert Cummings wrote: > > maybe we should all refer to forum and google > > Teach a man to fish... And you lose your monopoly on fisheries. -- Larry Garfield AIM: LOLG42 [EMAIL PROTECTED] ICQ: 6817012 "If nature has made any

Re: [PHP] security question

2006-11-22 Thread Robert Cummings
On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote: > Western, Matthew wrote: > > > >> where did u learn all the stuff?... ;-) > > Maybe reading the manual? > > thanks matthew, > > maybe we should all refer to forum and google Teach a man to fish... Cheers, Rob. -- .

Re: [PHP] security question

2006-11-22 Thread Sumeet
Western, Matthew wrote: where did u learn all the stuff?... ;-) Maybe reading the manual? thanks matthew, maybe we should all refer to forum and google, and stop posting in this forum can u please start first... thanks anyway...mani needed some silly sarcastic comments to get pa

Re: [PHP] security question

2006-11-22 Thread Sumeet
dear richard, yours was an amazing reply... simple and true and well written... where did u learn all the stuff?... ;-) anyway. is there a step by step process for checking if your site is secure?... i know you would say to get a hacker or something... but as a programmer, i would like to

Re: [PHP] security question

2006-11-22 Thread Jon Anderson
Alain Roger wrote: I've heard that cookies and sessions can be easily hacked...so what do you use to secure your web page. which methods ? If you want to be secure, don't trust anything. Cookies are easily modified by a user, so never store anything sensitive in there without masking it well.

Re: [PHP] security question

2006-11-22 Thread Richard Lynch
On Wed, November 22, 2006 11:20 am, Alain Roger wrote: > Now that I finished the client side of the web application I would > like to > improve the security of my administration side of this web > application. > My web hoster supports a shared SSL protocol, however I would like to > do more > than s

[PHP] security question

2006-11-22 Thread Alain Roger
Hi, Now that I finished the client side of the web application I would like to improve the security of my administration side of this web application. My web hoster supports a shared SSL protocol, however I would like to do more than simply use the SSL... I've heard that cookies and sessions can

RE: [PHP] Security question

2005-12-07 Thread Ahmed Saad
Hi Andy, On 12/7/05, Andy Pieters <[EMAIL PROTECTED]> wrote: > Right now when the user is logged in, I put its id in the session. > Then when the user edits his details I put the id in the form and when it > comes back I verify if the id matches the one in the session. Well, is session data saved

Re: [PHP] Security question

2005-12-07 Thread Andy Pieters
On Wednesday 07 December 2005 08:57, Łukasz Hejnak wrote: > The best way to know is to try and keep up with places like > the bugtraq@securityfocus.com list, or other security websites/mailing > lists and such. > It isn't a forum, it is software I write myself. -- Now listening to Top! Radio Live

Re: [PHP] Security question

2005-12-07 Thread Łukasz Hejnak
Andy Pieters wrote: Is it possible for someone who does not have access to the server to edit arbitrary accounts? well this depends on the forum You use, there're many many exploits out there. The best way to know is to try and keep up with places like the bugtraq@securityfocus.com list,

[PHP] Security question

2005-12-07 Thread Andy Pieters
Hi list I've got a concern for a user add/edit form. Right now when the user is logged in, I put its id in the session. Then when the user edits his details I put the id in the form and when it comes back I verify if the id matches the one in the session. Is it possible for someone who does no

RE: [PHP] security question... "man in the middle attacks"

2005-11-21 Thread bruce
using an SMS type of system via the cell phone... -bruce -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, November 21, 2005 8:34 PM To: [EMAIL PROTECTED] Subject: RE: [PHP] security question... "man in the middle attacks" 'man in the middle&

[PHP] security question... "man in the middle attacks"

2005-11-21 Thread bruce
hey... anybody here have a serious background in security, or with 'man in the middle attacks'??? in particular, i'm trying to get my hands around ways of preventing a server/browser app to be susceptible to a 'man in the middle attack' serious pointers would be helpful. searching across google

Re: [PHP] security question...??

2005-07-09 Thread Chris Shiflett
how many of you actually attempt to verify that the browser being used by the client is indeed a legitimate (non-hacked) browser? I think you need to clearly define what a legitimate browser is. In my opinion, the ambiguity in your question is the root cause of the disorganization in this part

Re: [PHP] security question...??

2005-06-21 Thread Rory Browne
On 6/20/05, bruce <[EMAIL PROTECTED]> wrote: > hi... > > a number of you write apache/web/server apps that deal with secure > information.. in doing some research it occurred to me that a potential weak > link is on the client side, regarding the browser? how many of you actually > attempt to verif

[PHP] security question...??

2005-06-20 Thread bruce
hi... a number of you write apache/web/server apps that deal with secure information.. in doing some research it occurred to me that a potential weak link is on the client side, regarding the browser? how many of you actually attempt to verify that the browser being used by the client is indeed a l

Re: [PHP] Security Question with my password protected login script...

2004-12-08 Thread John Holmes
Richard Lynch wrote: Ian Gray wrote: My question is, how secure is this? I have the password, username etc in a MYSQL database but I haven't encrypted it (don't know how) The MySQL 'password' function at http://mysql.com would work. For something that is portable to non MySQL systems, you can use

Re: [PHP] Security Question with my password protected login script...

2004-12-08 Thread Richard Lynch
Ian Gray wrote: > Hello all, > My question is, how secure is this? I have the password, username etc in > a > MYSQL database but I haven't encrypted it (don't know how) The MySQL 'password' function at http://mysql.com would work. For something that is portable to non MySQL systems, you can use

[PHP] Security Question with my password protected login script...

2004-12-08 Thread Ian Gray
Hello all, I have the following script called login.inc which I include at the beginning of each page on my customer control panel. Basically it checks to see if a session has been created with user details and if it has it carries on with the rest of the page and if not the login screen is print

Re: [PHP] Security Question (from Chris's OSCON 2004 talk)

2004-09-30 Thread Jason Wong
On Friday 01 October 2004 00:59, Pablo Gosse wrote: > When talking about protecting database credentials, Chris mentions > creating a file (readable only by root) with the following: > > SetEnv DB_USER "myuser" > SetEnv DB_PASS "mypass" > > and then using this: > > Include "/path/to/secret-stuff"

Re: [PHP] Security Question (from Chris's OSCON 2004 talk)

2004-09-30 Thread Chris Shiflett
--- Pablo Gosse <[EMAIL PROTECTED]> wrote: > I've got a question about a section of Chris's article on PHP > security from his OSCON 2004 talk. > > When talking about protecting database credentials, Chris > mentions creating a file (readable only by root) with the > following: > > SetEnv DB_USER

[PHP] Security Question (from Chris's OSCON 2004 talk)

2004-09-30 Thread Pablo Gosse
Hi folks. Sorry if this gets posted twice, but I sent it originally almost an hour ago and it hasn't shown up on the list yet. Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've p

[PHP] Security Question (from Chris's OSCON 2004 talk)

2004-09-30 Thread Pablo Gosse
Hi folks. Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've pointed out to them. I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk.

RE: [PHP] Security Question

2004-02-24 Thread Ford, Mike [LSS]
On 20 February 2004 22:29, Ed Lazor wrote: > PHP include statements default to the current directory. If > the path to > my PHP files is /home/osmosis/public_html, why would users visiting my > site occasionally get an error that the include file wasn't found in > /home/budguy/public_html? > >

RE: [PHP] Security Question

2004-02-20 Thread Ed Lazor
You're not being rude. I contacted them immediately about the script errors and described what seemed to be a security hole. The tech I spoke with didn't know what I was talking about, so I asked them to notify the owner of the problem and that I'd research it more and let them know of anything I

RE: [PHP] Security Question

2004-02-20 Thread Chris W. Parker
Ed Lazor on Friday, February 20, 2004 2:29 PM said: > It's like PHP is somehow confused and running my script with the > account settings (and permissions, possibly) for another user on my > host provider's server. If that's true, wouldn't this qualify as a > securi

[PHP] Security Question

2004-02-20 Thread Ed Lazor
PHP include statements default to the current directory. If the path to my PHP files is /home/osmosis/public_html, why would users visiting my site occasionally get an error that the include file wasn't found in /home/budguy/public_html? It's like PHP is somehow confused and running my script wit

Re: [PHP] Security Question

2003-12-18 Thread David Otton
On Thu, 18 Dec 2003 10:43:14 -0500, you wrote: >I'm trying to develop a secure web based application and my only tools are >php, mysql, and a SSL connection. > >Does anyone know of any good references for this kind of development? > >What I really need to do is to make sure that given users only g

[PHP] Security Question

2003-12-18 Thread Thomas Andersen
Hello, I'm trying to develop a secure web based application and my only tools are php, mysql, and a SSL connection. Does anyone know of any good references for this kind of development? What I really need to do is to make sure that given users only gain access to the parts of the application the

[PHP] security question

2003-07-04 Thread Paul Chvostek
Can anyone think of any security caveats with regard to turning output_buffering on? I can't, but it's too hot to think straight these days Tnx. -- Paul Chvostek <[EMAIL PROTECTED]> it.canadahttp://

Re: [PHP] Security question with PHP on Unix / Linux.

2003-02-05 Thread Maxim Maletsky
"Ananth Kesari" <[EMAIL PROTECTED]> wrote... : > Thanks for your inputs. Will proceed from here. > > Well, if you did not know, NetWare is an operating system brought out > by Novell. I know :) > We are working on porting PHP onto NetWare. In fact, we > already have ported PHP 4.2.3 onto NetW

Re: [PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Ananth Kesari
Thanks for your inputs. Will proceed from here. Well, I first posted this query on this list. But seeing no response, I thought probably it should have gone into PHP-dev list. When I posted there, I was discouraged to post such mails there. So, I came back to the general list. Thanks, Ananth. >>

Re: [PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Ananth Kesari
Thanks for your inputs. Will proceed from here. Well, if you did not know, NetWare is an operating system brought out by Novell. We are working on porting PHP onto NetWare. In fact, we already have ported PHP 4.2.3 onto NetWare and we have synched up our sources for the 4.3 branch. Thanks, Ananth.

Re: [PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Chris Shiflett
--- Miles Thompson <[EMAIL PROTECTED]> wrote: > Ananth, > > For starters, you are probably on the wrong list - > the PHP developers list is probably where you should > be asking this question. Please do not go around saying this. We have enough problems with these types of posts winding up on php

Re: [PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Miles Thompson
Ananth, For starters, you are probably on the wrong list - the PHP developers list is probably where you should be asking this question. Second, PHP runs through the web server, so the user is the same user as the web server, usually "nobody", although that depends on how the web server is in

Re: [PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Maxim Maletsky
"Ananth Kesari" <[EMAIL PROTECTED]> wrote... : > I am working on porting PHP onto NetWare. What exactly do you mean? > I am a newbie to Unix / Linux systems and at this point of time, I am > trying to understand the way security is implemented for PHP on Unix / > Linux. I mean, how are the diffe

[PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Ananth Kesari
Hi, I mailed this earlier, but got no response. Maybe it went unnoticed. So, resending it again. Please read below. Your help in this is appreciated. Thanks, Ananth. Hi, I am working on porting PHP onto NetWare. I am a newbie to Unix / Linux systems and at this point of time, I am trying to un

[PHP] Security question with PHP on Unix / Linux.

2003-02-04 Thread Ananth Kesari
Hi, I am working on porting PHP onto NetWare. At this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. Do they get to login into the Unix / Linux system? Do they have separate dat

Re: [PHP] security question regarding including files..

2003-01-21 Thread Sean Burlington
Chris Shiflett wrote: --- Sean Burlington <[EMAIL PROTECTED]> wrote: I'm not sure what harm could be done by this though. if a browser attempts to load an image reference by an I sent a response about this earlier, but you should research CSRF and XSS. It does not matter that the browser sh

Re: [PHP] security question regarding including files..

2003-01-21 Thread Chris Shiflett
--- Sean Burlington <[EMAIL PROTECTED]> wrote: > is there really any site which will accept a book > order based on a single GET? Well, yes, but that is not the point really. The example of the tag is just one way you can forge an HTTP request from another user (the victim). Also consider that ma

Re: [PHP] security question regarding including files..

2003-01-21 Thread Chris Shiflett
--- Sean Burlington <[EMAIL PROTECTED]> wrote: > I'm not sure what harm could be done by this though. > > if a browser attempts to load an image reference by > an I would expect it simply to ignore it... I sent a response about this earlier, but you should research CSRF and XSS. It does not mat

Re: [PHP] security question regarding including files..

2003-01-21 Thread Sean Burlington
Gibbs, Liam - SXIA wrote: I agree that there are risks - but I do think this can be done safely Couldn't you just check the submitted URL and find out if it's a gif or jpeg? I don't think even PHP-enabled servers will run a gif or jpeg. please send replies to the list ... and you can't tel

Re: [PHP] security question regarding including files..

2003-01-21 Thread Jason Wong
On Wednesday 22 January 2003 01:40, Sean Burlington wrote: > is there really any site which will accept a book order based on a single > GET ? Amazon makes a big deal of their "one-click" shopping feature. It's so good they've even patented it. -- Jason Wong -> Gremlins Associates -> www.gremli

Re: [PHP] security question regarding including files..

2003-01-21 Thread Sean Burlington
Chris Shiflett wrote: --- Chad Day <[EMAIL PROTECTED]> wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Your instincts

Re: [PHP] security question regarding including files..

2003-01-21 Thread Chris Shiflett
--- Chad Day <[EMAIL PROTECTED]> wrote: > I want to give my users the ability to submit a URL > to a database, then when they pull up their page, > their photo is included .. what I'm worried about > is them pointing the link to some malicious code or > something.. Your instincts serve you well.

Re: [PHP] security question regarding including files..

2003-01-21 Thread Stephan Seidt
I guess you use some webserver, let's take apache. Apache's mime.conf has set several extensions, also php extensions. So only .php, .php3, .php4 files will be parsed by php. Chad Day wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, the

[PHP] security question regarding including files..

2003-01-21 Thread Chad Day
I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Obviously I can validate the file extension (.gif or .jpg) .. and I'm going to for

[PHP] Security question: getenv()

2001-11-09 Thread Johnson, Kirk
Happy Friday! I don't know anything about the innards of the PHP/Apache relationship. I am wondering if there is a security advantage to using the getenv() function to access an environment variable, instead of using the $HTTP_SERVER_VARS array, or, if register_globals is on, the global version o

RE: [PHP] security question

2001-10-17 Thread Daniel Goldin
bject: Re: [PHP] security question On Wednesday 17 October 2001 19:14, Daniel Goldin wrote: > But I need to protect the files themselves. Is > there a way to protect the files without adding another level of > authorization when someone does access them from the browser? Move these

Re: [PHP] Security Question

2001-07-25 Thread Aral Balkan
Shrout, Ryan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 25, 2001 8:48 AM Subject: [PHP] Security Question > In a lot of PHP code that I have seen, there are lines such as this: > > mysql_connect('localhost', 'mysql_login()', 

Re: [PHP] Security Question

2001-07-25 Thread B. van Ouwerkerk
>somehow view the code instead of the output of the PHP file. My question >is, how do I set up those "functions" mysql_login and mysql_password? Are >they just standard functions defined in a header someplace? Or is this even >the best, most secure way of handling it? Include your login and p

[PHP] Security Question

2001-07-25 Thread Shrout, Ryan
In a lot of PHP code that I have seen, there are lines such as this: mysql_connect('localhost', 'mysql_login()', 'mysql_password()'); that is used to "hide" the login and password from someone should they somehow view the code instead of the output of the PHP file. My question is, how do I set

Re: [PHP] security question

2001-02-12 Thread Ankur Verma
agnou" <[EMAIL PROTECTED]> To: "PHP Lists" <[EMAIL PROTECTED]> Sent: Tuesday, February 13, 2001 6:00 AM Subject: [PHP] security question > Hello there, > > I'm posting a username and a password with: > > > > > When I check $HTTP_POST_VARS I c

Re: [PHP] security question

2001-02-12 Thread Augusto Cesar Castoldi
I think you should encrypt (crypt). On Tue, 13 Feb 2001, Marc Aragnou wrote: > Hello there, > > I'm posting a username and a password with: > > > > > When I check $HTTP_POST_VARS I can see the values as they're plain text. Is > this still safe to do or should I encrypt the strings before po

[PHP] security question

2001-02-12 Thread Marc Aragnou
Hello there, I'm posting a username and a password with: When I check $HTTP_POST_VARS I can see the values as they're plain text. Is this still safe to do or should I encrypt the strings before posting them between pages? Thanks for your help. -Original Message- From: Brian V Bonini

[PHP] SECURITY: Question about PHP Wrappers - What to do without them?

2001-01-10 Thread brunatex
I have an account on JTLNET ... I have decided to install Phorum (from Phorum.org), but this requires the scripts to be run inside a PHP CGI wrapper .. JTLNET although supporting php very nicely indeed, do not provide CGI Wrappers for scripts... hence if I were to run the scripts, I would b