How Secure is it Really?



JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

How Secure is it Really?

Post by JPlush76 »

I'm about up to the intermediate PHP programming level, but until now I haven't really been concerned too much with security. I do my basic checks on forms for the data, but that's about it.

I have all my MySQL database calls/passwords in a separate includes folder that I include on each page.


Are there any security basics that are just a good idea to use all the time?

thanks all!
Zmodem
Forum Commoner
Posts: 84
Joined: Thu Apr 18, 2002 3:59 pm

Post by Zmodem »

- Shut register globals off. Learn to use $_GET/$_POST etc.
- Don't store usernames and passwords in a text file
- Don't name your include files with a *.inc extension. Always make sure it has a .php extension. (ex: *.inc.php)

Here is a great article on PHP security:
http://www.zend.com/zend/art/art-oertli.php

Hope this at least gets you started
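The register_globals problem Zmodem is warning about, as an added example that is not part of the original thread: with register_globals on, every request parameter lands in the global scope before the script runs, so a variable the script never initialised can be set from the URL. The request data below is constructed, and `extract($_GET)` is used only to emulate what register_globals did, so the same script shows the bypass on a PHP where the directive no longer exists. The user and password are placeholders.

```php
<?php
// Added example (not from the original thread): how register_globals lets a
// request overwrite an uninitialised variable, and how reading from $_POST
// plus explicit initialisation closes the hole. All request data is constructed.

// Constructed request: the attacker appends ?authorized=1 to the URL while
// posting a wrong password for the account.
$_GET  = array('authorized' => '1');
$_POST = array('username' => 'alice', 'password' => 'wrong');

// --- Vulnerable pattern (relies on register_globals=On) -------------------
// register_globals copied $_GET/$_POST/$_COOKIE into the global scope before
// the first line of the script executed; extract() emulates that here.
extract($_GET, EXTR_SKIP);

function vulnerable_login_check() {
    global $authorized, $username, $password;
    if ($username === 'alice' && $password === 's3cret') {
        $authorized = true;          // only ever set on success ...
    }
    return !empty($authorized);      // ... and never cleared on failure
}
// $authorized already holds '1' from the query string, so the check passes.
$vuln = vulnerable_login_check();    // true

// --- Hardened pattern -----------------------------------------------------
// Every variable is initialised before use and every input is read from the
// array it is expected in, so nothing the attacker adds to the URL matters.
function hardened_login_check(array $post) {
    $authorized = false;
    $username = isset($post['username']) ? $post['username'] : '';
    $password = isset($post['password']) ? $post['password'] : '';
    if ($username === 'alice' && $password === 's3cret') {
        $authorized = true;
    }
    return $authorized;
}
$safe = hardened_login_check($_POST);   // false

echo 'vulnerable: ', var_export($vuln, true), "\n";
echo 'hardened:   ', var_export($safe, true), "\n";
```

The third bullet (no bare `.inc` files) matters because Apache serves an unknown extension as plain text, so anyone requesting `includes/db.inc` reads the database password in their browser; naming the file `db.inc.php` makes the engine execute it instead. If the host runs Apache with `.htaccess` overrides allowed, a `<FilesMatch "\.inc$">` block containing `Order allow,deny` and `Deny from all` blocks the old names too, but the rename is the fix that works everywhere.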
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

Ahh, thanks Zmodem!

I name all my includes .php and I don't store usernames/passwords in text files.

but I don't host my own site so I can't turn the globals off :(

should I use the _GET and _POST anyway? should I just use that for passing data from forms even if the form page calls itself?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

JPlush76 wrote: should I use the _GET and _POST anyway?

And $_COOKIE and $_SERVER and $_SESSION. It never hurts to know exactly where all your variables are coming from...

Mac
daemorhedron
Forum Commoner
Posts: 52
Joined: Tue Jul 23, 2002 11:03 am

Post by daemorhedron »

Adding error_reporting(E_ALL); to your script is a good move too, IMHO. While it has nothing directly to do with security, it will help you to identify all the mistakes that can lead to security issues, or bugs in general. It can get annoying too, I will admit, but since I started coding with it on, it has only helped me personally.

HTH! =)
Zmodem
Forum Commoner
Posts: 84
Joined: Thu Apr 18, 2002 3:59 pm

Post by Zmodem »

Like twigletmac said, use those arrays anyway. It will help you debug your code 6 months down the line, because you can tell where those variables are coming from.

However, with register globals on, using those arrays doesn't strengthen your security :(

<utopian>Perhaps you can convince your host to get with the program and shut off reg globs</utopian> :)

Turning on all error reporting is good for development, but shut it off again when you load the gold code. The reason is that if something ever happens and an error pops up, the error message might reveal something to a potential hacker that he could use to compromise the system.
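The two points raised in daemorhedron's and Zmodem's posts (report every error while developing, never display them in production, and live with a host that leaves register_globals on), as an added example that is not code from the original thread: a bootstrap file that every page requires first. `IS_PRODUCTION` and the log path are assumptions for the example; on a real site they come from the deployment. The register_globals clean-up is the classic mitigation of unsetting every global whose name arrived in the request, so the script only sees what it explicitly reads from `$_GET`, `$_POST` and `$_COOKIE`.

```php
<?php
// Added example (not from the original thread): bootstrap.php, required at the
// top of every page. Assumptions: IS_PRODUCTION is set per deployment and
// /var/log/php/app.log exists and is writable by the web server user.

define('IS_PRODUCTION', true);              // false on a development box

// 1. Report everything, always. E_ALL is what surfaces the uninitialised
//    variables and wrong array keys that turn into security bugs later.
error_reporting(E_ALL);

if (IS_PRODUCTION) {
    // 2. Never print errors into the page in production. A warning text
    //    carries file paths, query fragments and sometimes credentials,
    //    which is exactly what an attacker probing the site wants to read.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/php/app.log');   // assumed path
} else {
    ini_set('display_errors', '1');
}

// 3. If the host still has register_globals on, undo its effect: remove every
//    global variable whose name came from the request. Returns the number of
//    variables removed, which is 0 whenever the directive is off or absent.
function neutralise_register_globals() {
    if (!ini_get('register_globals')) {
        return 0;
    }
    $sources   = array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV);
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                       '_SERVER', '_ENV', '_REQUEST', '_SESSION');
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $protected, true)) {
                continue;                   // never unset a superglobal
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}
neutralise_register_globals();
```

Include this file before any other code, before the database include in particular, because a request parameter named the same as the variable holding your connection or a loaded-from-config flag would otherwise be in scope by the time that code runs. The clean-up does not replace the fix of turning register_globals off in php.ini or in `.htaccess` (`php_flag register_globals off` where the host allows it); it limits the damage until the host does.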