I was going to reply to Phil Driscoll's post (from Friday) about
E_SECURITY warning level, but thought it might belong better in a
different thread.

This thread is for collecting some ideas for security enhancements that
can happen in PHP, besides the already-known register_globals.



My idea:

Have PHP reject (fail to process, die, whatever) a hit that is
anomalous. Definitions of anomalous:

1. GET variables set while METHOD != GET

  i.e. 
        <form action="foo.php?x=1" method=POST>
        ...
        </form>

   This is a major point of attack identified in the "study in
Scarlet".  Although I can imagine the above being a programming
technique someone, somewhere, has used, future releases might
reasonably default to rejecting hits that attempt it.


2. when an uploaded file fails is_uploaded_file().

   I felt bad when I saw is_uploaded_file() introduced - it is such a
cheesy function call; people shouldn't even have to call it themselves,
and I can imagine no situation (except for laziness) that you would not
call it.

Other ideas?

-- 
       ,,,
      (. .)
+--ooO-(_)-Ooo----------------- ----- ---- -- - - -  -
| rec.arts.int-fiction archive and research library:
| http://bang.dhs.org/if/
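
The two checks proposed in the message above, written as a userland PHP function. This is an added example, not code from the original post or from PHP itself; `request_anomalies()`, its parameters and the sample path are hypothetical.

```php
<?php
// Added example; request_anomalies() and $isUploaded are hypothetical names.
// Returns the reasons a request is anomalous (empty array = accept).
function request_anomalies(string $method, array $get, array $files,
                           ?callable $isUploaded = null): array
{
    // Injectable so the logic can be exercised from the CLI;
    // defaults to PHP's own is_uploaded_file().
    $isUploaded = $isUploaded ?? 'is_uploaded_file';
    $reasons = [];

    // Check 1: query-string variables present while METHOD != GET.
    if (strtoupper($method) !== 'GET' && count($get) > 0) {
        $reasons[] = "query-string variables on $method: "
                   . implode(', ', array_keys($get));
    }

    // Check 2: every upload entry must pass is_uploaded_file().
    foreach ($files as $field => $info) {
        // Multi-file fields (name="f[]") carry arrays; normalise to a list.
        $tmpNames = (array) ($info['tmp_name'] ?? []);
        $errors   = (array) ($info['error'] ?? []);
        foreach ($tmpNames as $i => $tmp) {
            if (($errors[$i] ?? UPLOAD_ERR_OK) === UPLOAD_ERR_NO_FILE) {
                continue; // empty file input, nothing to validate
            }
            if (!is_string($tmp) || !$isUploaded($tmp)) {
                $reasons[] = "upload field '$field' failed is_uploaded_file()";
            }
        }
    }
    return $reasons;
}

// Constructed sample: the POST form from the message (foo.php?x=1) plus an
// upload entry whose tmp_name was not created by PHP's upload handler.
$reasons = request_anomalies(
    'POST',
    ['x' => '1'],
    ['doc' => ['tmp_name' => '/var/www/app/secret.ini', 'error' => UPLOAD_ERR_OK]]
);
foreach ($reasons as $r) {
    echo "reject: $r\n";
}
// Assumed wiring in a front controller:
// if (request_anomalies($_SERVER['REQUEST_METHOD'], $_GET, $_FILES)) {
//     http_response_code(400); exit;
// }
```

Run from the CLI, both checks fire on the sample, since no path counts as an HTTP upload outside a real request.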
