PHP Security Article

I've released part one of what I hope will be a series of PHP security articles — a PHP Script Checklist for those developing or looking to develop their own scripts. If you have any thoughts on PHP security problems that you'd like to be covered in part 2, or you're an 'expert' and want to correct part of my article, feel free to comment.

On a similar note, I'm becoming more and more aware of 'teen' (that is, developed by teens) PHP scripts with major security holes and will hopefully be releasing a series of security reviews and suggestions on them either via my blog or via my Scribblings section.

Comments (17)

  1. On Thu 3rd Aug 2006 @ 20:28, Rosemarie said:

    :O  :P

  2. On Thu 3rd Aug 2006 @ 20:30, Jem said:

    Be gone, foul spam.  :P

  3. On Thu 3rd Aug 2006 @ 20:32, Rosemarie said:

    A face is worth a thousand words! :O = Oh my, security and teen scripts!  :P = A private wink about security pages. See? My madness has two methods!

  4. On Thu 3rd Aug 2006 @ 20:34, Jem said:

    That's not a wink, it's a tongue!  :o

  5. On Thu 3rd Aug 2006 @ 20:45, Anne said:

    :P Thanks for putting this together! When I finally get my butt into gear and learn PHP, I'm sure it will be useful!

  6. On Thu 3rd Aug 2006 @ 20:50, Jim said:

    Just thought I'd note that if your reviews contain vulnerabilities that can be exploited, you should notify the author and give them some time to patch it before you go public. That's the 'ethical' approach.

  7. On Thu 3rd Aug 2006 @ 20:52, Jem said:

    @Jim: Yeah, I was planning to. That's the only reason why I've not got a links list of bad scripts already.

  8. On Fri 4th Aug 2006 @ 02:44, John Malloc said:

    Probably worth adding: I've seen a lot of "teen" PHP scripts that don't do extension or filetype checking with their upload forms.
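    Added example (not code from the article or from any of the scripts it mentions) of the extension and filetype checking John is talking about, for a single-file upload form. It assumes the form field is named "upload", that uploads are stored in a directory outside the web root, that only images are meant to be accepted (the allow-list is an assumption), and PHP 7.1 or later with the fileinfo extension loaded.

```php
<?php
// Added example for the comment above; not the article's own code.
// Assumptions: field name "upload", $uploadDir lives outside the web root,
// image-only allow-list, PHP >= 7.1 with ext/fileinfo.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed 2 MiB limit

// Allowed extension -> MIME type the file's *contents* must report.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the stored path, or throws with a reason the caller can log.
 */
function store_upload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Only accept a temp file PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 1. The client-supplied name is untrusted input. Take only its final
    //    extension, lower-cased, and require it to be on the allow-list.
    //    "shell.php.jpg" yields "jpg" here and is then checked by content.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Look at what the bytes really are. $file['type'] is whatever the
    //    browser claimed, so it is not a security control.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']) ?: 'unknown';
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }

    // 3. Never reuse the client's filename. A generated name means path
    //    tricks ("../../config.php") and double extensions never reach disk.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move file');
    }
    chmod($target, 0644); // readable, never executable
    return $target;
}

// Usage inside the form handler (assumed field name "upload"):
// try {
//     $path = store_upload($_FILES['upload'], '/var/www/uploads_private');
// } catch (RuntimeException $e) {
//     error_log('upload rejected: ' . $e->getMessage());
//     http_response_code(400);
//     exit('Upload rejected.');
// }
```

    One caveat: the content check only proves the file starts like an image. A file with a valid GIF header followed by PHP code passes finfo, so the directory the files land in must never be one the web server will execute scripts from; keeping it outside the web root and serving files through a script is what actually closes that hole.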

  9. On Fri 4th Aug 2006 @ 02:52, Amanda said:

    Currently? I have zero plans to venture into PHP, but I can see how this will be helpful. Oh, and what happened to releasing BellaBuffs on the 1st of August?  :P

  10. On Fri 4th Aug 2006 @ 03:24, Jenny said:

    As usual, great security overview! The only thing I might add (although I admit I almost never use it) is truncating user data to an expected length. Say, if you expect a username to be no more than 20 characters, the first step would be to use substr() to ensure that it is

  11. On Fri 4th Aug 2006 @ 03:28, Jenny said:

    Sorry about the double posts -- it looks like your validation doesn't like the less than or equal to symbol. Continuing: As to the $_SERVER variables, I know the user can manipulate the reported HTTP_USER_AGENT and HTTP_REFERER, but can they do anything to REMOTE_ADDR (other than using a proxy) or REQUEST_URI? PS -- And again as usual, I love the new look!

  12. On Fri 4th Aug 2006 @ 09:45, Jem said:

    @Amanda: I typoed. I meant the 4th... which incidentally is today  :D
    @Jenny: I'll hopefully be covering things like substr() in part two when I talk about why form attributes like type=hidden and maxlength=25 don't work. And most of the $_SERVER global array can be manipulated, so it's easier to sanitise the whole lot than try and figure out which 'parts' individually.
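    Added example (not the article's own code) illustrating the two points in this reply and in Jenny's question above it: maxlength and type=hidden only constrain what a browser sends, so the server has to check the length itself, and the entries of $_SERVER that are copied from the request need the same treatment as $_GET and $_POST. The 20-character username limit, the list of request-derived keys, the trusted-proxy address and the sample request are all assumptions made for the illustration; it assumes PHP 7.1 or later with mbstring.

```php
<?php
// Added example for the comments above; not the article's own code.
// Assumptions: 20-char username limit, key list below, PHP >= 7.1, mbstring.
declare(strict_types=1);

const USERNAME_MAX = 20;

/**
 * maxlength="20" on the form only limits what the browser sends; a request
 * built by hand (or a hidden field that has been edited) ignores it. Check
 * the length on the server and reject oversized input rather than silently
 * truncating it, so nothing malformed is ever stored. Returns the clean
 * username or null.
 */
function validate_username(string $raw): ?string
{
    // mb_strlen counts characters, not bytes; substr() would cut a
    // multibyte name in the middle of a character.
    if ($raw === '' || mb_strlen($raw, 'UTF-8') > USERNAME_MAX) {
        return null;
    }
    // Allow-list the character set instead of trying to strip bad ones.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $raw)) {
        return null;
    }
    return $raw;
}

// $_SERVER keys taken straight from the request line (assumed list).
const CLIENT_CONTROLLED = [
    'REQUEST_URI', 'QUERY_STRING', 'PATH_INFO', 'PHP_SELF', 'REQUEST_METHOD',
];

/**
 * Return the client-controlled subset of a $_SERVER-like array: the keys
 * above plus every HTTP_* entry, since each of those is a request header
 * (HTTP_USER_AGENT, HTTP_REFERER, HTTP_X_FORWARDED_FOR, ...). Everything
 * returned here must be escaped before it is echoed or put in a query.
 */
function client_controlled(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0 || in_array($key, CLIENT_CONTROLLED, true)) {
            $out[$key] = $value;
        }
    }
    return $out;
}

/**
 * REMOTE_ADDR comes from the TCP connection, so the client cannot forge it
 * directly; it can only route through a proxy. The one case where a header
 * should override it is when the app sits behind a reverse proxy you run:
 * then X-Forwarded-For is believed only if the connection came from that
 * proxy, and only its rightmost entry, which the proxy itself appended.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $addr = $server['REMOTE_ADDR'] ?? '';
    if (in_array($addr, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($chain); // entries to the left were supplied by the client
    }
    return $addr;
}

// Constructed sample request, standing in for the live $_SERVER array.
$sample = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'REQUEST_URI'          => '/profile.php?name=<script>alert(1)</script>',
    'HTTP_USER_AGENT'      => "Mozilla/5.0' OR 1=1 --",
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9',
    'SERVER_SOFTWARE'      => 'Apache',
];

var_dump(validate_username(str_repeat('a', 25)));  // 25 chars: over the limit
var_dump(validate_username('jem_2006'));          // within the limit
print_r(array_keys(client_controlled($sample)));  // request-derived keys only
echo client_ip($sample, ['10.0.0.5']), "\n";      // 10.0.0.5 is our proxy
echo client_ip($sample, []), "\n";                // no trusted proxy: header ignored
```

    Run from the command line, the first call returns null and the second returns the name unchanged; client_controlled() drops REMOTE_ADDR and SERVER_SOFTWARE and keeps the three request-derived entries; and the forwarded address is only honoured when REMOTE_ADDR matches the trusted proxy, so the client-injected "1.2.3.4" at the left of the header never wins.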

  13. On Fri 4th Aug 2006 @ 10:22, Vixx said:

    A useful resource - thanks for sharing, Jem.  :) V xx

  14. On Fri 4th Aug 2006 @ 14:19, Shannon said:

    Oh... Jem. You used that excuse of 'I typo-ed.' It's all cool, though. I didn't notice at all. I'll read the durned security list. Thing.

  15. On Sun 6th Aug 2006 @ 10:34, Katie said:

    Mm, the whole "teen" thing is a little bit of a generalization. I'm a teen, and I don't write crap scripts or anything like that. Besides, people who are not teens can still write bad scripts with security holes. Still, I shall be reading that article.

  16. On Sun 6th Aug 2006 @ 11:51, Jem said:

    @Katie: I didn't say that teens automatically write bad scripts, nor am I ignoring the fact that adults can write bad scripts too - I am just writing at *my* audience - generally teenagers and young adults, a large amount of whom are getting into PHP scripting. I was a teen not long ago myself; I'm not going to stick them all in the same basket.

  17. On Mon 7th Aug 2006 @ 19:51, Mandolin said:

    Oh Jem, always and forever protecting the internet from security holes. What would the Internet do without you??

Comments closed

This entry was posted on Thu 3rd Aug 2006 @ 19:09, and there are currently 17 comments.