philip Wed Feb 28 16:49:49 2007 UTC
Modified files:
/phpdoc/en/security variables.xml
Log:
WS
http://cvs.php.net/viewvc.cgi/phpdoc/en/security/variables.xml?r1=1.3&r2=1.4&diff_format=u
Index: phpdoc/en/security/variables.xml
diff -u phpdoc/en/security/variables.xml:1.3
phpdoc/en/security/variables.xml:1.4
--- phpdoc/en/security/variables.xml:1.3 Sun Aug 8 16:11:36 2004
+++ phpdoc/en/security/variables.xml Wed Feb 28 16:49:48 2007
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.3 $ -->
+<!-- $Revision: 1.4 $ -->
<!-- splitted from ./index.xml, last change in rev 1.66 -->
- <chapter id="security.variables">
- <title>User Submitted Data</title>
- <para>
- The greatest weakness in many PHP programs is not inherent in the
- language itself, but merely an issue of code not being written with
- security in mind. For this reason, you should always take the time
- to consider the implications of a given piece of code, to ascertain
- the possible damage if an unexpected variable is submitted to it.
- <example>
- <title>Dangerous Variable Usage</title>
- <programlisting role="php">
+<chapter id="security.variables">
+ <title>User Submitted Data</title>
+ <para>
+ The greatest weakness in many PHP programs is not inherent in the
+ language itself, but merely an issue of code not being written with
+ security in mind. For this reason, you should always take the time
+ to consider the implications of a given piece of code, to ascertain
+ the possible damage if an unexpected variable is submitted to it.
+ <example>
+ <title>Dangerous Variable Usage</title>
+ <programlisting role="php">
<![CDATA[
<?php
// remove a file from the user's home directory... or maybe
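Review bot: the only non-whitespace change in this hunk is the $Revision keyword bump, so the re-indent of <chapter> from one leading space to column zero (with its children now at one space) is the substantive part; confirm this matches the indentation convention used by the sibling files under phpdoc/en/security so the directory stays consistent, since a later whitespace pass would otherwise re-flip it.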
@@ -27,55 +27,59 @@
?>
]]>
- </programlisting>
- </example>
- You should always carefully examine your code to make sure that any
- variables being submitted from a web browser are being properly
- checked, and ask yourself the following questions:
- <itemizedlist>
- <listitem>
- <simpara>
- Will this script only affect the intended files?
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- Can unusual or undesirable data be acted upon?
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- Can this script be used in unintended ways?
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- Can this be used in conjunction with other scripts in a negative
- manner?
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- Will any transactions be adequately logged?
- </simpara>
- </listitem>
- </itemizedlist>
- By adequately asking these questions while writing the script,
- rather than later, you prevent an unfortunate re-write when you
- need to increase your security. By starting out with this mindset,
- you won't guarantee the security of your system, but you can help
- improve it.
- </para>
- <para>
- You may also want to consider turning off register_globals,
- magic_quotes, or other convenience settings which may confuse
- you as to the validity, source, or value of a given variable.
- Working with PHP in error_reporting(E_ALL) mode can also help warn
- you about variables being used before they are checked or
- initialized (so you can prevent unusual data from being
- operated upon).
- </para>
- </chapter>
+ </programlisting>
+ </example>
+ </para>
+ <para>
+ You should always carefully examine your code to make sure that any
+ variables being submitted from a web browser are being properly
+ checked, and ask yourself the following questions:
+ <itemizedlist>
+ <listitem>
+ <simpara>
+ Will this script only affect the intended files?
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Can unusual or undesirable data be acted upon?
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Can this script be used in unintended ways?
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Can this be used in conjunction with other scripts in a negative
+ manner?
+ </simpara>
+ </listitem>
+ <listitem>
+ <simpara>
+ Will any transactions be adequately logged?
+ </simpara>
+ </listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ By adequately asking these questions while writing the script,
+ rather than later, you prevent an unfortunate re-write when you
+ need to increase your security. By starting out with this mindset,
+ you won't guarantee the security of your system, but you can help
+ improve it.
+ </para>
+ <para>
+ You may also want to consider turning off register_globals,
+ magic_quotes, or other convenience settings which may confuse
+ you as to the validity, source, or value of a given variable.
+ Working with PHP in error_reporting(E_ALL) mode can also help warn
+ you about variables being used before they are checked or
+ initialized (so you can prevent unusual data from being
+ operated upon).
+ </para>
+</chapter>
<!-- Keep this comment at the end of the file
Local variables:
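Review bot: this hunk is not purely whitespace, contrary to the "WS" log message: the closing </para> is moved up to directly after </example>, and two new <para> elements are introduced, one wrapping "You should always carefully examine..." together with the <itemizedlist>, and one wrapping "By adequately asking these questions...". Splitting the single oversized paragraph into three is a reasonable DocBook cleanup (the list and the example no longer sit mid-paragraph), but the log message should say so, and the "last change in rev 1.66" comment left in context no longer reflects the current structure. Text content of all three paragraphs and the five list items is carried over unchanged, so no wording review is needed here.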