Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 2 of 2 FirstFirst 12
Results 16 to 26 of 26
  1. #16
    Senior Coder tomws's Avatar
    Join Date
    Nov 2007
    Location
    Arkansas
    Posts
    2,644
    Thanks
    29
    Thanked 330 Times in 326 Posts

    Are you vulnerable to file inclusion exploits?

    Useful read for those who blindly include from the GET string.

    http://blogs.sans.org/appsecstreetfi...ile-inclusion/
    Are you a Help Vampire?

  2. #17
    New Coder
    Join Date
    May 2010
    Location
    kavoir.com
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Sorry for digging up the thread, but I believe here's a much better PHP / web security checklist.

  3. #18
    New Coder
    Join Date
    May 2009
    Location
    Pennsylvania, United States
    Posts
    54
    Thanks
    16
    Thanked 0 Times in 0 Posts
    Jem is a self-proclaimed l33t PHP ninja, and she knows what she's talking about. :P

    Keep an eye on her website, she's very helpful on the subject and has many posts concerning it.

    My list:

    1. Only use error_reporting(E_ALL) while developing, in the release use error_reporting(0)
    2. Don't be afraid to ask questions and get help
    3. Report ANY errors/warnings
    4. Never trust $_SERVER as it can be modified
    5. Never trust anybody
    6. The PHP manual can be very useful; don't be afraid, it's your friend.
    7. Have people test your projects
    8. XSS/CSRF etc attacks
    9. Sanitize any user input (Forms, Get, Post, etc..)
    10. Be especially careful if you use HTML selects, checkboxes, or radio buttons in forms, they can be changed by the user
    11. Time and patients can make the biggest difference
    12. You should probably make sure you're comfortable with any language you write a script/program in.
    13. Lean by example -- look at other people's script.
    14. Try to "break" the script on test runs
    15. Password encryption
    16. Never store sensitive stuff in .inc.php files
    17. Place all config files, .ht* files out of your root directory
    18. Ask questions: What could I have done differently? Why does X do this? Why does Y do that.

    Sorry if the wording of these tips is a bit odd. :P

    Kinda posted this in a hurry!
    Last edited by johnnnn; 08-09-2010 at 11:17 PM.

  4. #19
    New to the CF scene
    Join Date
    May 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    To add to this, don't forget that % and _ are both special characters in SQL. It is, however, much safer (harder to make mistakes) to limit input to the characters you want (e.g. [a-zA-Z0-9]) than to hope that you have a complete list of all SQL special characters.

    IPTables can limit the number of connections an IP address can make in a given time limit and will simply drop packets until the IP address is below the limit again. You can also limit IP addresses by bandwidth in a given time limit. I'm sure other firewalls will have similar capabilities. Filtering such as this should be done as early as possible in the path through your system as that is where it has already had the least impact on the other users of your system.

    I don't have a problem with calling your super user "root" but there is no harm in changing it. You should, however, definitely not allow this user to log in over the network. If the root user can log in over the network then an attacker brute forcing his way in already knows one username (and it's the most powerful user to boot)

    Strangely enough, this post is almost not about PHP at all, but security involves the entire system so we shouldn't just focus on PHP anyway.

    Thanks for the tips.

  5. #20
    New Coder
    Join Date
    Jul 2011
    Location
    Kediri - Indonesia
    Posts
    61
    Thanks
    2
    Thanked 19 Times in 19 Posts
    hey, this is nice post.

    i have a simple way to prevent sql injection attact. usually, hacker test if sql vulnerable by adding a single or doble quote in input variable. like this:

    ?id=1' or ?id=1"

    so, i remove any quote in all variable. i use str_replace().

    i see why hacker do to attack sqlinjection vulnerability. like this:

    ?id=1+order+by+1--
    ?id=1+union+select+1,2,3--

    so, i remove the +,-,%20,*.

    i feel this is just little trick, but this so helpfull to prevent sql injection attact :-)
    I am sorry my english is very bad. But I am very interest to discusse here :-)

  6. #21
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    165
    Thanks
    38
    Thanked 2 Times in 2 Posts
    Lovely tut....This type of sticky notes can help beginners like me......

    Regards,
    nani
    Last edited by VIPStephan; 01-31-2013 at 07:59 PM. Reason: removed huge quote

  7. #22
    New to the CF scene
    Join Date
    Aug 2013
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Thumbs up instruction

    When developing your own PHP scripts, be aware of security issues. Also view the OWASP Top 10 Security Vulnerabilities. Listed below are some things you can do which will make your web application more secure. For more information, visit the links above.

    Always validate user input before using it to do anything in your script. Even form variables such as select boxes need to be validated to ensure that the value chosen is in the original list of values.
    Always escape characters such as single or double quotes, backslashes (\), percent symbols, and other characters which could result in an unexpected use of your script.
    Take extra precaution when executing commands with user input in them. It is possible for an attacker to inject a malicious command in this way.
    When dealing with secure information (such as passwords), be sure to use a good password that will be hard (or better yet, impossible) to guess. Generic passwords such as 'admin', should never be used. The same goes for dictionary words. Secure passwords will be at least 8 characters long, contain at least one (1) numeric digit in them, and do not contain dictionary words. Never store passwords in plain text, always encrypt then with an irreversible encryption algorithm such as MD5.
    Stay away from using default filenames, such as putting administrative functionality in the admin/ folder. Generic names such as this are easy targets for hackers to attempt to access.
    When instantiating PHP on a page, always use the full <?php and ?> tags. Using shortcut tags such as <? to instantiate php could result in your script being displayed as plain text if the server configuration is changed.

  8. #23
    New Coder
    Join Date
    Jan 2014
    Location
    Bangladesh
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    you will need to put it towards document too should you have probably not up-to-date that nonetheless.

  9. #24
    New Coder
    Join Date
    Jul 2014
    Location
    Athens, Greece
    Posts
    38
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Great work!
    Thanks for sharing this list!

    i disagree with one point. I use md5() instead of hash.
    If someone is using md5, always with some "strange" salt (a big unique word) what problem will have ????

  10. #25
    Senior Coder chump2877's Avatar
    Join Date
    Dec 2004
    Location
    the U.S. of freakin' A.
    Posts
    2,778
    Thanks
    19
    Thanked 155 Times in 146 Posts
    Quote Originally Posted by jonathanesliot View Post
    Great work!
    Thanks for sharing this list!

    i disagree with one point. I use md5() instead of hash.
    If someone is using md5, always with some "strange" salt (a big unique word) what problem will have ????
    Generally, the degree to which you hash, salt, and protect sensitive data really depends on how sensitive your data is. How much do you stand to lose if this data is hacked or exposed?

    These days, md5 is outdated and easily reverse engineered. See this: PHP: Password Hashing - Manual. Other, more secure PHP hashing functions exist. For example: PHP: hash - Manual. And this function allows you to see available hashing algorithms: PHP: hash_algos - Manual. So if a function like hash() exists that enables you to pick and choose a more secure hashing algorithm for your application, and it is easily consumed, then why wouldn't you use it? In my opinion, there is no such thing as too much security in web applications. The tradeoff between usability/cost of development and security is negligible when the cost of having your data compromised grows bigger every day! And with computers getting faster and more adept at brute force attacks, there can and should be no shortage of security in your web application.

    In general, this is a good read for anyone interested in PHP best practices for hashing and salting data: PHP: Password Hashing - Manual

    Edit: For password hashing, this looks to be ideal: http://php.net/manual/en/function.password-hash.php. Looks like the PHP manual endorses the Blowfish algorithm for use with this function.
    Last edited by chump2877; 07-22-2014 at 07:08 PM.
    Regards, R.J.

    ---------------------------------------------------------

    Help spread the word! Like my YouTube-to-Mp3 Conversion Script on Facebook !! :)
    [Related videos and tutorials are also available at my YouTube channel and on Dailymotion]
    Get free updates about new software version releases, features, and bug fixes!

  11. #26
    New Coder
    Join Date
    Jul 2014
    Location
    Athens, Greece
    Posts
    38
    Thanks
    0
    Thanked 0 Times in 0 Posts
    ok...Thanks for your link/info. I'll check and study it thoroughly!


 
Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •