How Secure is it Really?
Posted: Fri Aug 02, 2002 11:17 am
by JPlush76
I'm about up to the intermediate PHP programming level, but until now I haven't really been concerned too much with security. I do my basic checks on forms for the data, but that's about it.
I have all my MySQL database calls/passwords in a separate includes folder that I include on each page.
Are there any security basics that are just a good idea to use all the time?
thanks all!
Posted: Fri Aug 02, 2002 11:32 am
by Zmodem
- Shut register_globals off. Learn to use $_GET/$_POST, etc.
- Don't store usernames and passwords in a text file.
- Don't name your include files with a *.inc extension. Always make sure it has a .php extension (ex: *.inc.php).
Here is a great article on PHP security:
http://www.zend.com/zend/art/art-oertli.php
Hope this at least gets you started
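Added example, not part of Zmodem's post or of the thread: the classic register_globals bypass that the first bullet above guards against, next to a version that initializes its variables and reads input explicitly through $_POST-style arrays (it also illustrates twigletmac's point below about knowing where every variable comes from). The function names, the credentials and the two request arrays are constructed for illustration; extract() is used only to reproduce what register_globals=On does on an install where it is off. The .inc-extension point is separate and not covered here.

```php
<?php
// Added example (not from the forum thread). Shows why an uninitialized
// global is dangerous with register_globals=On, and the explicit-input fix.
// is_admin_vulnerable / is_admin_safe, the 'admin'/'letmein' credentials
// and the $forged/$login arrays are all constructed for this example.

// --- Vulnerable: trusts a variable it never initialized ---------------
// With register_globals=On, a request such as  page.php?authorized=1
// makes PHP create $authorized = "1" before the script runs. extract()
// reproduces that behaviour here so the bypass can be observed on a
// register_globals=Off install.
function is_admin_vulnerable($request)
{
    extract($request);                         // simulates register_globals
    if (isset($user, $pass) && $user === 'admin' && $pass === 'letmein') {
        $authorized = true;
    }
    return !empty($authorized);                // attacker can preset this
}

// --- Safe: initialize every variable and read input explicitly --------
function is_admin_safe($post)
{
    $authorized = false;                       // never rely on an unset variable
    $user = isset($post['user']) ? $post['user'] : '';
    $pass = isset($post['pass']) ? $post['pass'] : '';
    if ($user === 'admin' && $pass === 'letmein') {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: a forged query string with no credentials at all,
// and a legitimate login. In a real page these would be $_GET / $_POST.
$forged = array('authorized' => '1');
$login  = array('user' => 'admin', 'pass' => 'letmein');

var_dump(is_admin_vulnerable($forged));    // forged request, no password
var_dump(is_admin_safe($forged));          // same request, explicit input
var_dump(is_admin_safe($login));           // real credentials
```

Run it and the vulnerable check accepts the forged request even though it carries no username or password, while the safe check rejects it and accepts only the real login. The fix is not the superglobal by itself: it is initializing $authorized before use and taking $user and $pass from one known array instead of from "wherever they came from". On a shared host where php.ini cannot be edited, Apache's mod_php also accepts `php_flag register_globals off` in an .htaccess file if the host allows overrides.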
Posted: Fri Aug 02, 2002 11:38 am
by JPlush76
Ahh, thanks Zmodem.
I name all my includes .php and I don't store usernames/passwords in text files,
but I don't host my own site, so I can't turn the globals off.
Should I use $_GET and $_POST anyway? Should I just use them for passing data from forms, even if the form page calls itself?
Posted: Fri Aug 02, 2002 11:40 am
by twigletmac
JPlush76 wrote: Should I use $_GET and $_POST anyway?
And $_COOKIE and $_SERVER and $_SESSION; it never hurts to know
exactly where all your variables are coming from...
Mac
Posted: Fri Aug 02, 2002 1:47 pm
by daemorhedron
Adding error_reporting(E_ALL); to your script is a good move too, imho. While it has nothing directly to do with security, it will help you to identify all the mistakes that can lead to security issues, or bugs in general. It can get annoying too, I will admit, but since I started coding with it on, it has only helped me personally.
HTH! =)
Posted: Fri Aug 02, 2002 2:35 pm
by Zmodem
Like twigletmac said, use those arrays anyway. It will help you debug your code 6 months down the line, because you can tell where those variables are coming from.
However, with register_globals on, using those arrays doesn't strengthen your security.
<utopian>Perhaps you can convince your host to get with the program and shut off reg globs</utopian>
Turning on all error reporting is good for development, but shut it off again when you load the gold code. The reason being that if something ever happens and an error pops up, the error message might reveal something to a potential hacker that he could use to compromise the system.
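Added example, not part of Zmodem's or daemorhedron's posts: a small bootstrap include that gives the development/production split discussed above in working code. Errors are reported in full in both modes, but on the live site they go to a log instead of the browser, and a handler replaces PHP's own message with a generic one so no file paths, queries or variable names reach a visitor. It also checks the one setting the host controls and refuses to run with register_globals on. The APP_ENV variable, the log path and the handler name are assumptions made for this example.

```php
<?php
// Added example (not from the forum thread): bootstrap.php, included at
// the top of every page. APP_ENV, the log path and app_error_handler are
// assumed names for illustration.

$is_production = (getenv('APP_ENV') === 'production');   // assumed env var

// Report everything in both modes; what differs is where it goes.
error_reporting(E_ALL);
if ($is_production) {
    ini_set('display_errors', '0');       // never echo errors to the browser
    ini_set('log_errors', '1');           // ...but keep a record of them
    ini_set('error_log', '/var/log/php/app.log');   // assumed path, outside web root
} else {
    ini_set('display_errors', '1');       // developers see the full message
}

// Production handler: log the detail, show the visitor nothing useful.
function app_error_handler($errno, $errstr, $errfile, $errline)
{
    global $is_production;
    error_log("PHP error [$errno] $errstr in $errfile on line $errline");
    if ($is_production) {
        // No path, line number or variable contents in what the visitor sees.
        echo 'Sorry, something went wrong. The problem has been logged.';
        exit(1);
    }
    return false;   // development: fall through to PHP's normal display
}
set_error_handler('app_error_handler');

// Refuse to run with register_globals on rather than silently relying on it.
// ini_get() returns the host's value even when php.ini cannot be edited.
if (ini_get('register_globals')) {
    trigger_error(
        'register_globals is enabled; turn it off in php.ini or with '
        . '"php_flag register_globals off" in .htaccess',
        E_USER_ERROR
    );
}
```

The point is that "shutting off" errors in production means stopping their display, not stopping their reporting: with display_errors off and log_errors on, the message a hacker could read stays in the log where only the developer sees it. Set APP_ENV=production in the web server environment for the live site and leave it unset on the development box.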