Date: 05/09/01
- Next message: Alex Black: "Re: [phplib] Auth Class/User Class"
- Previous message: Layne Weathers: "RE: [phplib] templates problem"
- In reply to: fabrizio.ermini <email protected>: "Re: [phplib] Security issue with PHPLib?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>> from the client. Shouldn't the above problem be caught before
>> the SQL query?
>>
> You're right about the "never trust" paradigm, and for this reason
> "get" method session management should NEVER be used
> whenever there is even a minor worry about security, since it's
> extremely insecure by itself. Neither is the cookie method particularly
> safe, but at least it's harder to tamper with.
> Indeed, as it's stated in the docs, high security on the web requires
> completely different techniques than those offered by PHPlib.
Well, really all that requires is a custom error handler that is trained not
to show errors to the client.
That way, you don't end up giving out a field list for one of your tables if
there's a problem.
We do this in binarycloud (well actually we show errors only to the
administrative group) and it works quite well.
I agree about the get thing, I just dislike the session appended to the URL,
and besides, it's a pain in the a** to code html links when you have to use
a php function for every single one :)
>> A second question. I only use PHPLib for sessions and authentication,
>> not any of the other stuff. What other options are available if you
>> just want that functionality? Anyone know of any simpler classes
>> that do the two things I require? I guess the ideal would be to use
>> a backport of PHP4 sessions (such as that in Tobias Ratschiller's
>> book Web App. Dev. with PHP4) with a suitable authentication/
>> authorization class - that would give maximum flexibility using both
>> PHP3 and 4. Any ideas?
>>
> I really am not able to think of a sess/auth approach simpler and
> more general than PHPlib's, sorry :-)
Agreed, you will not find anything more simple and robust than phplib.
There are more complex things, but you wouldn't want anything more simple.
_alex
--
alex black, ceo
enigma <email protected>
the turing studio, inc. http://www.turingstudio.com
vox +510.666.0074 fax +510.666.0093
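The error-handler approach Alex describes above, as an added example that is not part of this thread and is not PHPLib's or binarycloud's own code: full error detail (including any table or column names a database layer puts in its message) goes only to the server log, the client sees a generic message, and only members of an administrative group see the real text. The `CURRENT_USER_GROUP` global and `current_user_is_admin()` are hypothetical stand-ins for whatever session/auth layer the application actually uses, and the failing query message is constructed.

```php
<?php
// Added example (not PHPLib's or binarycloud's code): a custom error handler
// that never shows error detail to ordinary clients.
declare(strict_types=1);

// Hypothetical: the group of the logged-in user, as set by the auth layer.
// Switch to 'admin' to see the detailed message instead of the generic one.
$GLOBALS['CURRENT_USER_GROUP'] = 'guest';

function current_user_is_admin(): bool
{
    return ($GLOBALS['CURRENT_USER_GROUP'] ?? '') === 'admin';
}

function safe_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour @-suppression and error_reporting() like PHP's default handler.
    if (!(error_reporting() & $errno)) {
        return false;
    }

    // Full detail is written to the server-side log only.
    error_log(sprintf('[%s] PHP error %d: %s in %s on line %d',
        date('c'), $errno, $errstr, $errfile, $errline));

    if (current_user_is_admin()) {
        // Administrators get the real message; escape it for HTML output.
        echo htmlspecialchars("Error: $errstr ($errfile:$errline)", ENT_QUOTES, 'UTF-8'), "\n";
    } else {
        // Everyone else gets a message with no query, table or field detail.
        echo "An internal error occurred. The administrators have been notified.\n";
    }

    // Do not keep serving a request after a user-level or recoverable error.
    if ($errno & (E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        exit(1);
    }
    return true;   // handled: PHP's default output is suppressed
}

set_error_handler('safe_error_handler');
ini_set('display_errors', '0');   // never let PHP print raw errors itself

// Constructed failure: the kind of message a database layer raises on a bad
// query. It deliberately names a table and columns that must not reach an
// anonymous client.
$constructed_db_message = "SELECT user_id, password_hash FROM auth_user "
    . "WHERE uid='x' failed: Unknown column 'uid'";
trigger_error($constructed_db_message, E_USER_WARNING);
```

With `CURRENT_USER_GROUP` left as `guest`, the script prints only the generic line while the detailed message lands in the web server's error log; setting it to `admin` prints the escaped detail instead. Setting `display_errors` to `0` is the safety net for any error raised before the handler is installed.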