Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 2 of 2 FirstFirst 12
Results 16 to 22 of 22
  1. #16
    Senior Coder tomws's Avatar
    Join Date
    Nov 2007
    Location
    Arkansas
    Posts
    2,644
    Thanks
    29
    Thanked 330 Times in 326 Posts

    Are you vulnerable to file inclusion exploits?

    Useful read for those who blindly include from the GET string.

    http://blogs.sans.org/appsecstreetfi...ile-inclusion/
    Are you a Help Vampire?

  2. #17
    New Coder
    Join Date
    May 2010
    Location
    kavoir.com
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Sorry for digging up the thread, but I believe here's a much better PHP / web security checklist.

  3. #18
    New Coder
    Join Date
    May 2009
    Location
    Pennsylvania, United States
    Posts
    54
    Thanks
    16
    Thanked 0 Times in 0 Posts
    Jem is a self-proclaimed l33t PHP ninja, and she knows what she's talking about. :P

    Keep an eye on her website, she's very helpful on the subject and has many posts concerning it.

    My list:

    1. Only use error_reporting(E_ALL) while developing, in the release use error_reporting(0)
    2. Don't be afraid to ask questions and get help
    3. Report ANY errors/warnings
    4. Never trust $_SERVER as it can be modified
    5. Never trust anybody
    6. The PHP manual can be very useful; don't be afraid, it's your friend.
    7. Have people test your projects
    8. XSS/CSRF etc attacks
    9. Sanitize any user input (Forms, Get, Post, etc..)
    10. Be especially careful if you use HTML selects, checkboxes, or radio buttons in forms, they can be changed by the user
    11. Time and patients can make the biggest difference
    12. You should probably make sure you're comfortable with any language you write a script/program in.
    13. Lean by example -- look at other people's script.
    14. Try to "break" the script on test runs
    15. Password encryption
    16. Never store sensitive stuff in .inc.php files
    17. Place all config files, .ht* files out of your root directory
    18. Ask questions: What could I have done differently? Why does X do this? Why does Y do that.

    Sorry if the wording of these tips is a bit odd. :P

    Kinda posted this in a hurry!
    Last edited by johnnnn; 08-09-2010 at 11:17 PM.

  4. #19
    New to the CF scene
    Join Date
    May 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    To add to this, don't forget that % and _ are both special characters in SQL. It is, however, much safer (harder to make mistakes) to limit input to the characters you want (e.g. [a-zA-Z0-9]) than to hope that you have a complete list of all SQL special characters.

    IPTables can limit the number of connections an IP address can make in a given time limit and will simply drop packets until the IP address is below the limit again. You can also limit IP addresses by bandwidth in a given time limit. I'm sure other firewalls will have similar capabilities. Filtering such as this should be done as early as possible in the path through your system as that is where it has already had the least impact on the other users of your system.

    I don't have a problem with calling your super user "root" but there is no harm in changing it. You should, however, definitely not allow this user to log in over the network. If the root user can log in over the network then an attacker brute forcing his way in already knows one username (and it's the most powerful user to boot)

    Strangely enough, this post is almost not about PHP at all, but security involves the entire system so we shouldn't just focus on PHP anyway.

    Thanks for the tips.

  5. #20
    New Coder
    Join Date
    Jul 2011
    Location
    Kediri - Indonesia
    Posts
    61
    Thanks
    2
    Thanked 19 Times in 19 Posts
    hey, this is nice post.

    i have a simple way to prevent sql injection attact. usually, hacker test if sql vulnerable by adding a single or doble quote in input variable. like this:

    ?id=1' or ?id=1"

    so, i remove any quote in all variable. i use str_replace().

    i see why hacker do to attack sqlinjection vulnerability. like this:

    ?id=1+order+by+1--
    ?id=1+union+select+1,2,3--

    so, i remove the +,-,%20,*.

    i feel this is just little trick, but this so helpfull to prevent sql injection attact :-)
    I am sorry my english is very bad. But I am very interest to discusse here :-)

  6. #21
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    159
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Lovely tut....This type of sticky notes can help beginners like me......

    Regards,
    nani
    Last edited by VIPStephan; 01-31-2013 at 07:59 PM. Reason: removed huge quote

  7. #22
    New to the CF scene
    Join Date
    Aug 2013
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Thumbs up instruction

    When developing your own PHP scripts, be aware of security issues. Also view the OWASP Top 10 Security Vulnerabilities. Listed below are some things you can do which will make your web application more secure. For more information, visit the links above.

    Always validate user input before using it to do anything in your script. Even form variables such as select boxes need to be validated to ensure that the value chosen is in the original list of values.
    Always escape characters such as single or double quotes, backslashes (\), percent symbols, and other characters which could result in an unexpected use of your script.
    Take extra precaution when executing commands with user input in them. It is possible for an attacker to inject a malicious command in this way.
    When dealing with secure information (such as passwords), be sure to use a good password that will be hard (or better yet, impossible) to guess. Generic passwords such as 'admin', should never be used. The same goes for dictionary words. Secure passwords will be at least 8 characters long, contain at least one (1) numeric digit in them, and do not contain dictionary words. Never store passwords in plain text, always encrypt then with an irreversible encryption algorithm such as MD5.
    Stay away from using default filenames, such as putting administrative functionality in the admin/ folder. Generic names such as this are easy targets for hackers to attempt to access.
    When instantiating PHP on a page, always use the full <?php and ?> tags. Using shortcut tags such as <? to instantiate php could result in your script being displayed as plain text if the server configuration is changed.


 
Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •