RE: [PHP] help create community newbie guide to security

2003-11-13 Thread Chris Shiflett
--- Jay Blanchard <[EMAIL PROTECTED]> wrote: > [snip] > If you code properly, you could get away with turning register_globals > on, but this requires you to be very careful when thinking about the > logic of your code. > [/snip] > > I really do hate to see the misconception about register globals

RE: [PHP] help create community newbie guide to security

2003-11-13 Thread Jay Blanchard
[snip] If you code properly, you could get away with turning register_globals on, but this requires you to be very careful when thinking about the logic of your code. [/snip] I really do hate to see the misconception about register globals continue. The bottom line is variable handling, especially
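
Added example (mine, not code from the thread) of the register_globals problem Chris Shiflett and Jay Blanchard are arguing about: the same authorization check written so that it breaks when register_globals is on, and rewritten so that it is safe either way. extract() is used here to simulate what register_globals does to a request; render_admin_vulnerable(), render_admin_safe() and the request array are constructed for the example.

```php
<?php
// Added example, not from the thread. Shows why register_globals is
// dangerous and how to write code that is safe with it on or off.

// --- Vulnerable pattern: only works if register_globals is OFF ---
// With register_globals=On a request such as ?authorized=1 creates
// $authorized before the script runs, so the check is bypassed whenever
// the login fails.
function render_admin_vulnerable(array $request, bool $login_ok): string
{
    // Simulate register_globals: every request parameter becomes a variable.
    extract($request, EXTR_OVERWRITE);
    if ($login_ok) {
        $authorized = true;
    }
    if (!empty($authorized)) {          // may have been set from the URL
        return "admin panel";
    }
    return "access denied";
}

// --- Safe pattern: initialise every variable before use, and read input
// only through the explicit superglobals ($_GET, $_POST, $_COOKIE). ---
function render_admin_safe(array $request, bool $login_ok): string
{
    extract($request, EXTR_OVERWRITE);  // same hostile environment
    $authorized = false;                // request data can no longer pre-set it
    if ($login_ok) {
        $authorized = true;
    }
    if ($authorized) {
        return "admin panel";
    }
    return "access denied";
}

// Constructed request: attacker sends authorized=1 with a bad password.
$hostile = ['authorized' => '1', 'user' => 'mallory'];

echo render_admin_vulnerable($hostile, false), "\n";
echo render_admin_safe($hostile, false), "\n";

// On PHP 4 / 5.x the setting can be checked at runtime with
// ini_get('register_globals'); the directive was removed in PHP 5.4.
```

With the login failing, the first call returns "admin panel" because the extracted $authorized survives the check; the second returns "access denied" because the variable is initialised before it is ever tested. The same discipline (initialise, then read from $_GET/$_POST only) is what makes code correct regardless of the php.ini setting.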

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Andre Volmensky
[snip] > All these responses and nobody has said anything about > register_globals? heh, I guess you're right. Feel free to elaborate on what you mean for those of us that don't know what's up with register_globals. [/snip] Well it's all at http://www.php.net/register_globals for anyone that w

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris W. Parker
Andre Volmensky on Wednesday, November 12, 2003 2:17 PM said: > All these responses and nobody has said anything about > register_globals? heh, I guess you're right. Feel free to elaborate on what you mean for those of us that don't know what's up with register_gl

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris Shiflett
--- Pablo Gosse <[EMAIL PROTECTED]> wrote: > [snip] It might be best to not try and definitely declare what counts as > foreign data, because it's a sort of "everything else" type of thing. If > it doesn't originate within the PHP script itself, it is foreign.[/snip] > > What about data from a dat

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Andre Volmensky
[snip] Hmmm... ok so that's all I can think of. I think it'd be a really great thing for the community if this list was corrected and added too in a detailed way (such as I've tried to do here). Looking forward to all the responses. [/snip] All these responses and nobody has said anything about r

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Pablo Gosse
[snip] It might be best to not try and definitely declare what counts as foreign data, because it's a sort of "everything else" type of thing. If it doesn't originate within the PHP script itself, it is foreign.[/snip] What about data from a database which is retrieved within the PHP script? Would

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris Shiflett
--- "Chris W. Parker" <[EMAIL PROTECTED]> wrote: > My original thinking was that I wouldn't be using the session id as I > would the unique identifier because of point #2 (you shouldn't store the > session id on the client). But since you point out that storing the > session id is a necessary evil

RE: [PHP] help create community newbie guide to security

2003-11-12 Thread Chris W. Parker
Chris Shiflett on Monday, November 10, 2003 8:21 PM said: > It would probably need to be either very short or very long. Yes, I would prefer very long so as to be as complete as possible. >> 2. The session id should not be stored on the client. > > I'm not sure I

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Lowell Allen
> Lawrence Kennon wrote: >> For a BBS I would like to let users post links to >> various resources. They 'post' a message to the BBS >> via a form and that is stored in a MySQL db, then the >> content of their 'post' is available to other users on >> the BBS. Currently I strip out all PHP/HTML with

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread John W. Holmes
Lawrence Kennon wrote: For a BBS I would like to let users post links to various resources. They 'post' a message to the BBS via a form and that is stored in a MySQL db, then the content of their 'post' is available to other users on the BBS. Currently I strip out all PHP/HTML with the strip_t

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Chris Shiflett
--- Adam i Agnieszka Gasiorowski FNORD <[EMAIL PROTECTED]> wrote: > "Chris W. Parker" wrote: > > 10. Use htmlentities() on data that will be put through a SQL query to > > prevent XSS attacks. http://php.net/htmlentities > > How is it going to interact with MySQL FULLTEXT > search SQL quer

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Adam i Agnieszka Gasiorowski FNORD
"Chris W. Parker" wrote: > 10. Use htmlentities() on data that will be put through a SQL query to > prevent XSS attacks. http://php.net/htmlentities How is it going to interact with MySQL FULLTEXT search SQL queries, where the characters ">" and "<" are in use as modifiers? -- Seks,

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Chris Shiflett
--- Lawrence Kennon <[EMAIL PROTECTED]> wrote: > For a BBS I would like to let users post links to various resources. > They 'post' a message to the BBS via a form and that is stored in a > MySQL db, then the content of their 'post' is available to other users > on the BBS. Currently I strip out al

Re: [PHP] help create community newbie guide to security

2003-11-11 Thread Lawrence Kennon
Chris Shiflett wrote: > In some cases, the developer may want certain > HTML elements interpreted rather than escaped > in this way. Perhaps you could mention that > something like str_replace() can be used to > convert specific HTML entities back to their > original form. This method shoul

Re: [PHP] help create community newbie guide to security

2003-11-10 Thread Raditha Dissanayake
Nice work chris, you have left precious little for the others to comment on :-) 10. Use htmlentities() on data that will be put through a SQL query to prevent XSS attacks. http://php.net/htmlentities This is a nice suggestion. While htmlentities() cannot be guaranteed to defend against all X
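
Added example (mine, not part of the thread) for the points raised by Adam, Raditha and Lawrence Kennon: htmlentities() is an output-side defence rather than something to run on data before a SQL query, rows read back from the database are still foreign data, and links or a short allowlist of tags can be permitted by escaping everything and then converting back only what you trust. PDO with an in-memory SQLite table stands in for the MySQL table; save_post(), render_post(), the table and the sample post are constructed for this example.

```php
<?php
// Added example, not code from the thread. Demonstrates:
//  1. SQL escaping (here, a prepared statement) and HTML escaping are
//     separate jobs done at separate times; nothing is htmlentities()'d
//     before it goes into the database.
//  2. Rows read back from the database are foreign data and are escaped
//     on the way out.
//  3. Links and a tiny allowlist of tags can be permitted without letting
//     users post arbitrary HTML.
// PDO + in-memory SQLite stands in for the MySQL table; the table,
// function names and sample post are constructed for this example.

// Store the post exactly as typed. The prepared statement keeps the text
// out of the SQL grammar, and because nothing is rewritten a later
// FULLTEXT-style search for "<word" matches what the user actually wrote.
function save_post(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:a, :b)');
    $stmt->execute([':a' => $author, ':b' => $body]);
}

// Turn a stored post into HTML. Everything is escaped first; only then
// are a few trusted constructs converted back.
function render_post(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');

    // The str_replace() idea from the thread: re-enable specific tags that
    // carry no attributes and so cannot smuggle script or URLs.
    $safe = str_replace(['&lt;b&gt;', '&lt;/b&gt;'], ['<b>', '</b>'], $safe);

    // Auto-link http/https URLs made only of ordinary URL characters. The
    // match runs on already-escaped text, so a raw quote or "<" can never
    // end up inside the href, and "javascript:" never matches the scheme.
    return preg_replace_callback(
        '~\bhttps?://[A-Za-z0-9._:/?#@!$&()*+,;=%-]+~',
        function (array $m): string {
            return '<a href="' . $m[0] . '" rel="nofollow">' . $m[0] . '</a>';
        },
        $safe
    );
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

save_post(
    $db,
    "mallory', 'x'); --",                                   // SQL injection attempt
    'Read <b>this</b>: http://example.com/docs?a=1&b=2 <script>alert(1)</script>'
);

foreach ($db->query('SELECT author, body FROM posts') as $row) {
    // Database rows are foreign data too: escape them on the way out.
    echo htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'), ': ',
         render_post($row['body']), "\n";
}
```

Running it stores the author name and body verbatim (the injection attempt is just a string to the prepared statement), then renders the post with the <b> tag restored, the URL turned into a link with its & encoded as &amp; inside the href, and the <script> element printed harmlessly as text. Because the stored text is untouched, a search over the body column sees the same characters the user typed, which is what the FULLTEXT question was about.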

Re: [PHP] help create community newbie guide to security

2003-11-10 Thread Chris Shiflett
--- "Chris W. Parker" <[EMAIL PROTECTED]> wrote: > What I'd like to do is gather enough info to be able to write a good, > short (heck it can be long, I don't care) write up on what it takes to > write a secure app and be able to post a link to said document any time > someone asks a question secur

[PHP] help create community newbie guide to security

2003-11-10 Thread Chris W. Parker
Ok. I know this has been asked a MILLION times in one form or another but still I have a few holes in my understanding of how to write a secure app*. What I'd like to do is gather enough info to be able to write a good, short (heck it can be long, I don't care) write up on what it takes to write