Re: [PHP] Security issues? From: Ignacio Vazquez-Abrams (ignacio <email protected>)
Date: 11/15/00

On Wed, 15 Nov 2000, Lauri Vain wrote:

> Hello,
> What is a bad thing to miss (that could become a security issue) while writing
> some PHP/SQL code?
>
> I figure that I shouldn't put my config.inc.php (containing SQL passes) files in
> a publicly readable dir because people could use include() to get the
> password.
> The fix? Putting config.inc.php files outside of the web tree? Using a .htaccess
> file in the .in dir?
>
> Will PHP execute the PHP/SQL code inserted in text boxes? I've heard it does,
> will it be fixed when I use just the addslashes() or will I need to use
> something more? How about the escapeshellcmd(), should I use this too?
>
> Does anybody know more about writing "secure" PHP scripts?
>
> Yours,
> Lauri
>

General security issues:

1) Turn register_globals off and use $HTTP_*_VARS instead.
2) Store passwords in a hashed format on the DB side.
3) Use sessions to store data instead of cookies.

include() only works if it can see the php code. If you include() a remote
script that doesn't print anything, well, it includes nothing. That's more
of an issue for local scripts and users. Securing the file with .htaccess
might be useful nonetheless.

PHP won't execute any PHP code stored in variables unless you tell it to
explicitly. It will, however, show HTML/CSS/JavaScript/JScript/VBScript
code if the variable is printed out. Use htmlentities() or
htmlspecialchars() for this.

-- 
Ignacio Vazquez-Abrams  <ignacio <email protected>>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: php-general-unsubscribe <email protected>
For additional commands, e-mail: php-general-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>
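The points in this reply (explicit request variables instead of register_globals, hashed passwords on the DB side, escaping user data before it is echoed, keeping config.inc.php outside the web tree) and the SQL-in-text-boxes question from Lauri's post, written out in current PHP as an added example. This is not code from the thread or from PHP's own documentation. It assumes PHP 7.2 or later, where the `$HTTP_*_VARS` arrays have been replaced by `$_GET`/`$_POST`, `password_hash()`/`password_verify()` exist, and PDO with the sqlite driver is available; the `/private/config.inc.php` layout and all sample input are constructed for the demo.

```php
<?php
// Added example for the thread above; assumes PHP >= 7.2 with PDO + pdo_sqlite.
declare(strict_types=1);

// 1) Read request input explicitly from the superglobals (the modern
//    $HTTP_GET_VARS / $HTTP_POST_VARS) instead of trusting register_globals
//    to turn every query-string key into a PHP variable.
function readParam(array $source, string $name, string $default = ''): string
{
    return (isset($source[$name]) && is_string($source[$name])) ? $source[$name] : $default;
}

// 2) Store only a one-way hash of the password; the clear text never reaches the DB.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// 3) Escape before echoing anything that came from the user, so embedded
//    HTML/JavaScript is displayed as text rather than interpreted by the browser.
function safeEcho(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4) Keep the config file outside the document root and include it by absolute
//    path. Hypothetical layout: /var/www/html is the web tree, /var/www/private is not.
function configPath(string $docRoot): string
{
    return dirname($docRoot) . '/private/config.inc.php';
}

// 5) SQL from text boxes: a bound parameter is always data, never SQL, which is
//    what addslashes() only approximates.
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, pwhash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo with constructed input ---------------------------------------------
$fakeGet = ['name' => '<script>alert(1)</script>'];   // constructed request
echo safeEcho(readParam($fakeGet, 'name')), "\n";     // &lt;script&gt;...

echo configPath('/var/www/html'), "\n";               // /var/www/private/config.inc.php

$db = new PDO('sqlite::memory:');                     // in-memory DB, nothing on disk
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)');
$ins = $db->prepare('INSERT INTO users (name, pwhash) VALUES (:n, :h)');
$ins->execute([':n' => 'lauri', ':h' => hashForStorage('correct-horse')]);

$user = findUser($db, 'lauri');
var_dump(checkPassword('correct-horse', $user['pwhash']));  // bool(true)
var_dump(checkPassword('wrong', $user['pwhash']));          // bool(false)

// The quote characters are stored and compared as a literal name, so no row matches.
var_dump(findUser($db, "' OR '1'='1"));                     // NULL
```

Run it with `php example.php`. Note that `hashForStorage()` produces a different string on each call because of the per-password salt, so compare with `checkPassword()` rather than by string equality.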