Securing Web apps

Thread: Securing Web apps

  1. #1
    Join Date
    Dec 2002

    Securing Web apps

    OK, I thought this was the perfect place for this; if it has been posted before, let me know.
    I stumbled across the article while surfing today. It concerns security with PHP. I don't know that much about PHP, but I would love to hear more from those that do. Is using variables to access files in PHP the best solution, or would there be a better alternative to use besides PHP? The following link was a good read that demonstrates what I was talking about. Instead of using a workaround with PHP, wouldn't it be better to use Perl or Python instead? Though I know Perl has some vulnerable functions as well. What do the people here think?


    Just thought this would be a great topic for this forum.

  2. #2
    Senior Member
    Join Date
    Oct 2001
    Helsinki, Finland
    If coded correctly, PHP is a very safe language. Just look at AntiOnline!

    The page you linked to was something good to read. PHP also has its own security manual that every PHP programmer should read. The manual covers the following topics:
    General considerations
    Installed as CGI binary
    Installed as an Apache module
    Filesystem Security
    Database Security
    Error Reporting
    Using Register Globals
    User Submitted Data
    Hiding PHP
    Keeping Current
    Q: Why do computer scientists confuse Christmas and Halloween?
    A: Because Oct 31 = Dec 25

  3. #3
    One really great thing I like about PHP is the ability to hide your code. People don't think much about this, but code is something in design that is often 'borrowed'. So if you're doing something really unique and you don't want to make it easy for the person to get a hold of it at all, PHP is the way.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    This stuff is all pretty good and relevant.

    The most important thing is to turn off register_globals. register_globals is evil and makes php inherently insecure. Just say no.

    If you're distributing a web app to others' servers, put a check in at the top of a globally included file that tests register_globals and refuses to proceed if it's on. That way your app is safe from administrators who erroneously turn register_globals on.

    register_globals can be turned on and off on a per-directory basis (if using Apache anyway), so there's no excuse to turn it on across the entire server just because one broken application requires it.

    Also, magic_quotes is evil. It is hugely misguided, and although it improves security, it decreases data integrity. That is, backslashes, quotes, etc. generally seem to get mangled and thrown around everywhere.
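As an added illustration of the two points in the post above (the guard at the top of a globally included file, and why register_globals matters), here is example code that is not from the thread or from any project it mentions. It assumes a legacy PHP build where the `register_globals` directive still exists (it was removed in PHP 5.4, in which case `ini_get()` returns `false` and the guard simply passes). Because a modern interpreter cannot turn register_globals on, the bypass is simulated with `extract()`, which is exactly what register_globals did: every request parameter became a global variable before the script ran. The user table and the request arrays are constructed sample data.

```php
<?php
// Added example: register_globals guard plus the classic flaw it exists to prevent.

/**
 * Put this in a file that every page includes (e.g. config.php) and call it first.
 * It refuses to run if an administrator has turned register_globals on.
 */
function require_register_globals_off(): void
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return; // directive no longer exists (PHP >= 5.4): nothing to refuse
    }
    // ini_get returns the raw string from php.ini / .htaccess: "1", "On", "true", ...
    if (filter_var($raw, FILTER_VALIDATE_BOOLEAN)) {
        http_response_code(500);
        die("This application refuses to run with register_globals enabled.\n"
          . "Add 'php_flag register_globals off' to the .htaccess of this directory.\n");
    }
}

/**
 * Login check in the classic vulnerable shape: $authorized is only ever assigned on
 * success and is never initialised. $registerGlobals simulates the old directive by
 * extracting request parameters into local variables (what register_globals did
 * for the global scope). $hardened initialises the variable first, which closes the hole.
 */
function is_authorized(array $request, array $users, bool $registerGlobals, bool $hardened = false): bool
{
    if ($hardened) {
        $authorized = false;          // the one-line fix: never rely on an unset variable
    }
    if ($registerGlobals) {
        extract($request, EXTR_OVERWRITE);   // ?authorized=1 now sets $authorized for us
    }
    if (isset($request['user'], $request['pass'], $users[$request['user']])
        && hash_equals($users[$request['user']], (string) $request['pass'])) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Per-directory override for Apache with mod_php (needs AllowOverride Options), so a
// single broken application does not force register_globals on for the whole server:
//
//   # .htaccess in /var/www/legacy-app/
//   php_flag register_globals on
//
//   # .htaccess everywhere else (or php.ini):
//   php_flag register_globals off
//   php_flag magic_quotes_gpc  off

require_register_globals_off();

$users  = ['alice' => 's3cret'];     // constructed sample user table
$attack = ['authorized' => '1'];     // no credentials at all, just the magic parameter

var_dump(is_authorized($attack, $users, true));          // bool(true)  : bypass with register_globals
var_dump(is_authorized($attack, $users, false));         // bool(false) : same code, directive off
var_dump(is_authorized($attack, $users, true, true));    // bool(false) : initialised variable, directive on
```

The guard reads the directive with `ini_get()` rather than trusting a php.ini you do not control, so it works whether the value was set in php.ini, in a virtual host, or in a `.htaccess`. The third `var_dump` is the point of the hardened branch: initialising every variable before use makes the code safe even on a server where the directive is on, which is the defence-in-depth you want when you cannot guarantee the administrator's configuration.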
