March 22nd, 2003, 09:26 AM
Securing Web apps
Ok, I thought this was the perfect place for this; if it has been posted before, let me know.
Stumbled across the article while surfing today. Concerning security with PHP: I don't know that much about PHP, but would love to hear more from those that do. Is using variables to access files in PHP the best solution, or would there be a better alternative to use besides PHP? The following link was a good read to demonstrate what I was talking about. Instead of using a workaround with PHP, wouldn't it be better to use Perl or Python instead? Though I know Perl has some vulnerable functions as well, what do the people here think?
Just thought this would be a great topic for this forum.
March 22nd, 2003, 10:56 AM
If coded correctly, PHP is a very safe language. Just look at AntiOnline!
The page you linked to was something good to read. PHP.net also has its own security manual that every PHP programmer should read. The manual covers the following topics:
Installed as CGI binary
Installed as an Apache module
Using Register Globals
User Submitted Data
Q: Why do computer scientists confuse Christmas and Halloween?
A: Because Oct 31 = Dec 25
March 22nd, 2003, 12:17 PM
One really great thing I like about PHP is the ability to hide your code. People don't think much about this, but code is something in design that is often 'borrowed'. So if you're doing something really unique and you don't want to make it easy for the person to get a hold of it at all, PHP is the way.
March 23rd, 2003, 11:45 PM
This stuff is all pretty good and relevant.
The most important thing is to turn off register_globals. register_globals is evil and makes PHP inherently insecure. Just say no.
If you're distributing a web app to others' servers, put a check in at the top of a globally included file that tests register_globals and refuses to proceed if it's on. That way your app is safe from administrators who erroneously turn register_globals on.
register_globals can be turned on and off on a per-directory basis (if using Apache anyway), so there's no excuse to turn it on across the entire server just because one broken application requires it.
Also, magic_quotes is evil. It is hugely misguided, and although it improves security, it decreases data integrity. I.e. backslashes, quotes, etc. generally seem to get mangled and thrown around everywhere.
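A guard of the kind this post describes, written as an added example (it is not code from the thread or from any project): a globally included file that refuses to run when register_globals is on, and undoes magic_quotes_gpc mangling at the entry point so the application's own escaping is the only escaping. It assumes PHP running as an Apache module (so the suggested per-directory php_flag fix applies) and a PHP version where get_magic_quotes_gpc() still exists (it was removed in PHP 8).

```php
<?php
// Added example, not from the thread: include this file first from every
// entry point of the application.

// 1. Refuse to proceed if an administrator turned register_globals on.
//    ini_get() returns a string for boolean directives ("1", "", or the
//    literal spelling from php.ini), so normalise before deciding.
function register_globals_enabled()
{
    $value = strtolower(trim((string) ini_get('register_globals')));
    return in_array($value, array('1', 'on', 'true', 'yes'), true);
}

if (register_globals_enabled()) {
    header('HTTP/1.1 500 Internal Server Error');
    die('This application refuses to run with register_globals enabled. '
      . 'Set "php_flag register_globals off" in this directory\'s .htaccess '
      . '(Apache) or "register_globals = Off" in php.ini.');
}

// 2. magic_quotes_gpc adds backslashes to every GET/POST/COOKIE value.
//    Strip them once, here, so the rest of the code escapes values itself
//    (e.g. with the database's own quoting function) and stored data is
//    not mangled. Nested arrays (name="field[]") are handled recursively.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}
```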