8:47 AM - PHP Security
Here's an interesting post from slashdot outlining php security.
As a short summary, what every (PHP) developer should do is:
* limit the session to the IP-address of the visiting user.
* use htmlentities() [php.net] on all outputted HTML
* secure file uploads to avoid uploading PHP code
And most important (but not relevant for TFA):
* use mysql_real_escape_string() [php.net] on all database input, or better: the variable binding feature of PEAR::DB
* disable register_globals, use $_GET, $_POST and $_COOKIE instead.
* Use preg_replace( '/[^a-zA-Z0-9-_]/', '', $input ) on all input used in file names.
Things like require_once("files/" . $input . ".html") actually read php files when it's called as ?input=file.php%00
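A hardened version of the include pattern criticised in that last bullet, written as an added example for this post (it is not code from the original post or from the quoted Slashdot comment). It assumes a pages directory files/ next to the script and a hypothetical ?input= parameter; the helper name safePagePath is made up for the example. Instead of stripping bad characters out of the name, it rejects any name that does not match a strict whitelist, builds the path itself, and verifies with realpath() that the result still lies inside the allowed directory, which also catches the null-byte truncation trick and symlinks pointing elsewhere.

```php
<?php
// Added example, not from the original post: a safe replacement for
// require_once("files/" . $input . ".html").
// PAGE_DIR and the request parameter name are assumptions for the demo.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/files';

/**
 * Return the real path of a page that is safe to serve, or null if the
 * request must be rejected. $input is never used to build a path directly.
 */
function safePagePath(string $input): ?string
{
    // 1. Whitelist, not blacklist: only letters, digits, '_' and '-',
    //    bounded in length. A "\0" or "/" can never pass this test.
    if (preg_match('/^[a-zA-Z0-9_-]{1,64}$/', $input) !== 1) {
        return null;
    }

    // 2. Defence in depth: state the null-byte case explicitly so the
    //    check survives if someone later loosens the pattern above.
    if (strpos($input, "\0") !== false) {
        return null;
    }

    // 3. Resolve both the base directory and the candidate file.
    //    realpath() returns false for a missing file and follows symlinks,
    //    so a link out of PAGE_DIR is caught by the prefix check below.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $input . '.html');
    if ($base === false || $path === false) {
        return null;
    }

    // 4. The resolved file must sit strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Usage with a hypothetical request parameter.
$page = safePagePath((string) ($_GET['input'] ?? ''));
if ($page === null) {
    http_response_code(404);
    exit;
}

// The pages are static HTML, so readfile() is used rather than
// require_once(): the file is sent as-is and any PHP tags it might
// contain are never interpreted.
readfile($page);
```

If the files really do contain PHP that must run, keep require_once but still route the name through safePagePath() first; the point is that the interpreter only ever sees a path the application constructed and verified, never one derived from the raw parameter.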