Comments on Writing Secure PHP, Part 2 - AddedBytes.com

Comment on Writing Secure PHP, Part 2

2008-10-27T18:15:27+00:00

Comment by Erick ( )

You mention adding a delete indicator on a record. I go beyond that on every table. I add:

update_datetime
update_user_id
create_datetime
create_user_id
delete_datetime
delete_user_id

Then, anything that is done is logged. At least the last execution of any of those. If you need more granularity in something, then create a table that logs extended or historical information.

Comment on Writing Secure PHP, Part 2

2008-09-11T15:15:08+01:00

Comment by Sandor ( )

never trust user data, should we trust a webpage as well :-)

I think banning an IP address is very dangerous, because if it's from a public provider with many users like AOL etc. than all other users from that provider will banned as well.

-ciao Sandor-

Comment on Writing Secure PHP, Part 2

2008-03-19T10:10:51+00:00

Comment by Web ( )

Thank you so much for the posts! Very very helpful, I appreciate you for writing these security issues in PHP, I've learned quite a bit! CHEERS!

Comment on Writing Secure PHP, Part 2

2008-03-03T19:22:47+00:00

Comment by Jamie ( )

Great article! Thanks for sharing your knowledge!

Is there any reason you can't use .htaccess to protect your .inc files (like below) without putting them in an /include folder?

.htaccess file:

Order allow,deny
Deny from all

I was under the impression this was safe...

Comment on Writing Secure PHP, Part 2

2008-02-24T10:31:06+00:00

Comment by Malanie ( http://aber-natuerlich.de )

Good article. Event it is from 2005 the issues are still there. Advanced search technics like google's inurl makes it realy easy to find sites which use include folder, .inc files or whatever you are interestet in.

Comment on Writing Secure PHP, Part 2

2008-02-20T14:14:22+00:00

Comment by Alan Walker ( http://www.highforce.com )

I have found the best way for looking at input, is to check the value for http or the length of the input as well as commands that should not be in there like ? = , as these script kiddies will do anything to hack your programs.
All the best from Alan

Comment on Writing Secure PHP, Part 2

2006-12-18T03:40:56+00:00

Comment by Anonymous ( )

I do like this.. at the top of the include file.

if ($ping != "pong")
{
echo 'Redirect here, or print something :p';
exit;
}

then in the script that's including it:

$ping = "pong";
include(yourfile.....);

Seems to work fine too.

Comment on Writing Secure PHP, Part 2

2006-12-08T01:04:37+00:00

Comment by Frederik ( http://www.misterbob.nl )

Don't use safe mode, it will be dropped in PHP6

Comment on Writing Secure PHP, Part 2

2006-08-20T23:28:18+01:00

Comment by alex boia ( )

ok..so there are a lot of comments and so little time for me to read them. so i'm sorry if what that the topic this reply adresses has been already covered. but enough with the smalltalk.:)
what i wnat to say is that if you want to protect your inlcuded php files to be executed from outside the script that uses them you can use something like:
define ('IS_INCLUDED_SOMEFILE', true);
require_once 'somefile.php';
?>
in the script that requires the file and
if (!defined('IS_INCLUDED_SOMEFILE')) exit;
if (IS_INCLUDED_SOMEFILE !== true) exit;
?>
in the required file.
works very fine, as you define this constant only where you need to include the files
?>

Comment on Writing Secure PHP, Part 2

2006-03-20T11:32:11+00:00

Comment by shopje ( http://www.shopje.net )

This one is a bit an expansion and elaboration to former part1 .
I missed the usefull code examples you used in part 1.
How about buffer overflows?
Maybe you could be elaborating cross site scripting attacks?
More methods of sql injection?
Maybe a "best way to secure" part with the code examples to use for the newbies among us.
And please get that link for a printable version.
I of to read part 3