php-general Digest 9 Apr 2011 03:21:05 -0000 Issue 7264
Topics (messages 312311 through 312315):
Security Question
312311 by: nighthawk1256
312312 by: Jay Blanchard
312313 by: Alex Nikitin
312314 by: Adam Richardson
pick a card, any card...
312315 by: Kirk Bailey
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
Hey guys/girls,
What's the best way to learn about security in PHP?
--- End Message ---
--- Begin Message ---
[snip]
What's the best way to learn about security in PHP?
[/snip]
Study, study, study!
Chris Shiflett is a recognized expert on PHP security -
http://shiflett.org/
He has a great book on PHP Security -
http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflett-20
--- End Message ---
--- Begin Message ---
Best way to learn about security of something is to learn how to break it...
On Apr 8, 2011 3:55 PM, "Jay Blanchard" <[email protected]> wrote:
>
> [snip]
> What's the best way to learn about security in PHP?
> [/snip]
>
> Study, study, study!
>
> Chris Shiflett is a recognized expert on PHP security -
> http://shiflett.org/
>
> He has a great book on PHP Security -
> http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflett-20
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 <[email protected]> wrote:
> hey guys/girls,
>
> What's the best way to learn about security in PHP?
Here are some relevant topics to consider:
- Validate input (only accept what you're expecting, via GET, POST, and
COOKIE, and don't try to fix an invalid value, throw it out.)
- Use prepared statements (PDO makes this easy and generalizes quite well
across popular DBs.)
- Only give the bare minimum permissions required to accomplish a task
(e.g., I usually have one SQL user account for reads, and one that allows
for reads and writes.)
- When errors occur, don't leak important system information to your
users.
- Hash passwords (with a salt) that are stored so you're never storing
the literal value.
- If you use an authentication system that's implemented with cookies
(sessions-based or custom), all requests should run over https instead of
http.
- Escape output according to context (HTML, attribute, or URL.)
If you google the above topics, you'll find some great sites/blogs that
address these topics in detail.
Adam
P.S. - Or, you can just use my one-file web framework which helps you
automatically address all but the https issue above :) Sorry, it's a Friday
so I couldn't resist the shameless plug.
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
--- End Message ---
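The list in Adam's message, worked through in one place. This is an added example written for this digest, not code from the thread, from Chris Shiflett's book or from the Nephtali framework. It assumes PHP 7.4 or later with PDO and the pdo_sqlite driver; the `users` table, the in-memory SQLite database and the `$post` array standing in for `$_POST` are all constructed here so it runs offline. The role-separated database accounts from the third bullet cannot be shown against SQLite, so the comment marks where the read-only and read/write credentials would differ.

```php
<?php
// Added example (not from the thread): register/login/profile flow applying
// the checklist above. Assumptions: PHP >= 7.4, PDO + pdo_sqlite, and a
// constructed in-memory `users` table in place of a real database.
declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Least privilege: in production, SELECT-only paths use a DB account with
        // only SELECT granted and registration uses a separate read/write account
        // (two DSN/user/password triples). One in-memory DB stands in for both here.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw, never return false silently
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');
    }
    return $pdo;
}

// Validate input: accept only what is expected; reject instead of repairing.
function validEmail($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 254) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function validPassword($raw): ?string
{
    // bcrypt (PASSWORD_DEFAULT today) only looks at the first 72 bytes, so cap there.
    if (!is_string($raw) || strlen($raw) < 12 || strlen($raw) > 72) {
        return null;
    }
    return $raw;
}

function register(string $email, string $password): int
{
    // Prepared statement: values travel as bound parameters, never inside SQL text.
    $stmt = db()->prepare('INSERT INTO users (email, pw_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT), // salted, slow hash; salt generated per call
    ]);
    return (int) db()->lastInsertId();
}

function login(string $email, string $password): bool
{
    $stmt = db()->prepare('SELECT pw_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();                // false when no such user
    // Always run password_verify(), against a dummy hash for unknown users, so
    // response time does not reveal whether the e-mail address is registered.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $ok && $hash !== false;
}

// Escape output per context: element text and double-quoted attribute values
// go through htmlspecialchars with ENT_QUOTES; a value placed in a URL query
// string is percent-encoded instead.
function eHtml(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
function eUrl(string $s): string  { return rawurlencode($s); }

function profileHtml(string $email): string
{
    return '<p>Signed in as ' . eHtml($email) . '</p>'
         . '<a href="/search?q=' . eUrl($email) . '" title="' . eHtml($email) . '">search</a>';
}

// Errors: full detail to the server log, a generic message to the user.
function handle(callable $action): string
{
    try {
        return $action();
    } catch (Throwable $e) {
        error_log($e->getMessage());            // driver message, paths, SQL stay in the log
        return 'Sorry, something went wrong.';
    }
}

// Session cookie for the HTTPS point: never sent over plain HTTP, not readable
// from JavaScript. Must be called before session_start().
function hardenSession(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
}

// --- demo on constructed input (what $_POST would carry) ---
hardenSession();
$post  = ['email' => 'alice@example.com', 'password' => 'correct horse battery'];
$email = validEmail($post['email']);
$pw    = validPassword($post['password']);
if ($email === null || $pw === null) {
    exit("invalid input\n");                    // thrown out, not "fixed"
}
register($email, $pw);
var_dump(login($email, $pw));
var_dump(login($email, 'wrong-password'));
var_dump(login('nobody@example.com', $pw));
echo handle(function () { return profileHtml('<bob>&"x"'); }), "\n";
echo handle(function () use ($email, $pw) { return 'id ' . register($email, $pw); }), "\n"; // UNIQUE violation -> generic message
```

The last line is the "don't leak system information" bullet in action: the duplicate insert raises a PDOException carrying the driver's message, which goes to `error_log()`, while the user sees only the generic string.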
--- Begin Message ---
In other words, the entire idea of picking one of N objects, whatever
they are (strings, numbers, gummy bears) lined up in a listing, and
returning the one item selected. This seems a common enough function
that there should be a simple way to do it already in PHP. HOWEVER, I
ain't findin' it that way, no sir/ma'am/other.
Maybe I am missing the obvious SIMPLE way to get the job done. So if
we have a listing of foos, we can title this $listing, and we want
1 of them to be returned, we should see something like:
randmember($listing)
and if the listing was "A","B","C","D","F"
and it defaulted to return one of them, a valid return would be "C"
for example.
PHP does not seem to have a function in it, or loadable into it, to
accomplish this; I have to write some long winded and complex thing
to get the job done, and that's a bloody shame.
Any discussion?
--
end
Very Truly yours,
- Kirk Bailey,
Largo Florida
kniht
+-----+
| BOX |
+-----+
think
--- End Message ---
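The "pick one of N" operation from Kirk's message, as an added example that is not part of the thread. It shows the general-purpose form alongside the form to use when the choice is security-sensitive (which CAPTCHA image to serve, which characters go into a token), because the generator behind the pick is what matters there: PHP's documentation for `array_rand()` states that it does not generate cryptographically secure values, while `random_int()` draws from the operating system's CSPRNG and is uniform over its range. The code assumes PHP 7.0 or later (for `random_int()`); the function names, the token alphabet and the 50,000-trial distribution check are this example's own.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.0 for random_int().
declare(strict_types=1);

// General-purpose pick. array_rand() returns a random key, so this works for
// string-keyed arrays too. Not cryptographically secure: fine for rotating a
// banner or a quote, not for anything an attacker gains by predicting.
function pickAny(array $listing)
{
    if ($listing === []) {
        throw new InvalidArgumentException('cannot pick from an empty list');
    }
    return $listing[array_rand($listing)];
}

// Security-sensitive pick. random_int() uses the OS CSPRNG and returns a
// uniform integer in [0, N-1], so there is no seed to recover and no modulo bias.
function pickSecure(array $listing)
{
    if ($listing === []) {
        throw new InvalidArgumentException('cannot pick from an empty list');
    }
    $values = array_values($listing);           // normalise keys to 0..N-1
    return $values[random_int(0, count($values) - 1)];
}

// One use of the secure form: build a token by picking characters from an
// alphabet (hypothetical helper; alphabet chosen here for illustration).
function secureToken(int $length, string $alphabet = 'abcdefghijklmnopqrstuvwxyz234567'): string
{
    $chars = str_split($alphabet);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= pickSecure($chars);
    }
    return $out;
}

// Demo with the listing from the message.
$listing = ['A', 'B', 'C', 'D', 'F'];
echo pickAny($listing), "\n";
echo pickSecure($listing), "\n";

// Rough uniformity check: each member should land near 10,000 of 50,000 picks.
$counts = array_fill_keys($listing, 0);
for ($i = 0; $i < 50000; $i++) {
    $counts[pickSecure($listing)]++;
}
print_r($counts);
echo secureToken(32), "\n";
```

For a listing with string keys, `pickAny()` keeps those keys while `pickSecure()` discards them via `array_values()`; if the key is needed from the secure form, pick an index with `random_int()` and look it up in `array_keys($listing)` instead.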