On Wed, Jan 12, 2011 at 12:00 PM, <[email protected]> wrote:
>
> Came across this on Twitter this morning:
>
> http://www.smashingmagazine.com/2011/01/11/keeping-web-users-safe-by-sanitizing-input-data/
>
> Makes some good points about not relying on inputs to be safe. Personally,
> I've been using PHPIDS (http://php-ids.org/) to provide some extra security
> in recent projects, and it seems to be working pretty well for that. Does
> anyone on the list have experience with that library (or doing some
> bulletproof security protection in general)? The IDS project seems to do a
> good job of catching several types of XSS attacks, exploits and SQL
> injections and can be done pretty transparently if set up right. But, it's
> not perfect -- it seems to occasionally think one of the auto-generated
> cookies coming from Chrome is an attack, and it may be overkill for some
> projects that don't have a lot of public-facing interfaces.
We have been using php-ids at work for the past couple of weeks, and are having the same issues with some cookies being tagged as possible attacks. With a little bit of tweaking we created a list of names and values that it should not log, and that seems to work really well. We were especially having problems with cookies from Google Analytics.

I learned about php-ids by reading the OWASP web site and its list of the top 5 PHP security problems - very good reading if you haven't seen it before: http://www.owasp.org/index.php/PHP_Top_5

Let us know how php-ids turns out for you.

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
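One way to implement the cookie whitelist the reply describes, as an added example that is not code from the thread or from PHPIDS itself: known-benign analytics cookies are removed from the copy of the request handed to PHPIDS, so they can no longer be flagged or logged, while every other GET, POST and COOKIE value is still scanned. It assumes the PHPIDS 0.6/0.7 API (IDS_Init, IDS_Monitor, IDS_Report and IDS_Event), and the cookie names and the impact threshold are assumptions, not values from the thread.

```php
<?php
// Added example, not code from the thread or from the PHPIDS project.
// Assumes the PHPIDS 0.6/0.7 API: IDS_Init::init(), IDS_Monitor::run(),
// IDS_Report::isEmpty()/getImpact() and IDS_Event::getName()/getImpact().
require_once 'IDS/Init.php';

// Cookie names we trust not to carry user-controlled payloads.
// Assumption: these are the Google Analytics cookies that caused the
// false positives; extend the list with whatever your own logs show.
$ignoredCookies = array('__utma', '__utmb', '__utmc', '__utmz');

// Remove the ignored cookies from the copies that PHPIDS will scan.
// The superglobals themselves are untouched, so the application still
// sees them; $_REQUEST is filtered too because it may merge cookies in.
$cookies = array_diff_key($_COOKIE,  array_flip($ignoredCookies));
$request = array_diff_key($_REQUEST, array_flip($ignoredCookies));

$input = array(
    'REQUEST' => $request,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $cookies,
);

$init   = IDS_Init::init(dirname(__FILE__) . '/IDS/Config/Config.ini.php');
$ids    = new IDS_Monitor($input, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    // One event per suspicious parameter: its name (e.g. "COOKIE.foo"),
    // its impact score, and the tags (xss, sqli, ...) that matched.
    foreach ($result as $event) {
        error_log(sprintf('PHPIDS: %s impact=%d tags=%s',
            $event->getName(),
            $event->getImpact(),
            implode(',', $event->getTags())));
    }

    // Assumption: 20 is a starting threshold; tune it against your own
    // traffic so that real probes are blocked and noise is only logged.
    if ($result->getImpact() >= 20) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}
```

Because the filtering happens before the monitor runs, the whitelist works the same way regardless of how a given PHPIDS release matches its `exceptions[]` config entries.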
