copy()
I was looking through some PHP books at the store a few days ago and came across a paragraph about file upload security issues. The article stated that copy() opens up a security hole and is not recommended for use with file uploads. Does anyone have or know of a list of potentially unsafe functions that are commonly used in PHP?
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
copy() should never be used against a file upload. move_uploaded_file() should instead be used.
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
typical common sense stuff
- IP reliance is silly.
- security through obscurity isn't security
- If Ajax is the "only" answer, it probably needs a rethink
- header() redirection should always be full URL
- rarely, if ever, test for the existence of a submit button to see if the form has been submitted
- user input is poison until it passes validation, verification and
- if page referral information is integral to the code, your code needs a rethink
- eval() is often the devil.
- including a remote file is a bad smell
- blindly using all user input (e.g. foreach over $_POST) without filtering first is likely bad, since it often ties into a database. This stems from validation and verification.
- register globals are the worst invention, after short tags.
- separation of presentation logic from processing logic is paramount until I see proof of another, better, methodology.
- basename() should always be used against the original filename of an uploaded file (if it's even.)
- there are few valid reasons to store files in a database over the file system
- when storing dates and/or times in a database use the native formats and types or integers (php native unix timestamps) which are corrected to GMT or UTC.
- storing session id's in the session they are associated with makes little sense.
- consolidate database requests into as compact a span of code as realistically possible and close the connection immediately after finishing
- OOP is your friend, but if it's the "only" solution, you're silly
- arrogance is required to do our jobs, but too much of it makes you a fool or simply a jerk.
- children should be allowed to play in dirt and allowed to get dirty.
- Ideas are worthless. Actions are priceless.
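As an added example (not code from the thread or its posters), the following shows feyd's two upload points together: move_uploaded_file() in place of copy(), and basename() applied to the client-supplied filename. The unsafe and hardened handlers sit side by side. The form field name "upload", the ./uploads directory, the size limit and the allowed type list are all assumptions made for the example, and the hardened version additionally relies on the fileinfo extension to type the file by its bytes.

```php
<?php
// Added example, not from the original forum thread.
// Assumptions (made up for this example): form field "upload", files stored
// under ./uploads, 2 MiB cap, only PNG/JPEG accepted, fileinfo extension loaded.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * The pattern the book warned about. copy() does not care where the source
 * path came from, so if $file was built from tampered or non-upload input it
 * will read any file the web server can open. The client-supplied name is
 * also used raw, so "../../var/www/shell.php" walks out of UPLOAD_DIR.
 */
function unsafeSave(array $file): string
{
    $dest = UPLOAD_DIR . '/' . $file['name'];   // path traversal via the name
    copy($file['tmp_name'], $dest);             // no proof tmp_name is an upload
    return $dest;
}

/**
 * Hardened handler for one entry of $_FILES.
 */
function safeSave(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . (int) $file['error']);
    }
    // Only true for a file that arrived via HTTP POST in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type the bytes; $file['type'] is whatever the client claimed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type ' . $mime);
    }
    // basename() strips any directory component the client sent.
    $original = basename($file['name']);
    // Even so, do not reuse the client name on disk; pick our own.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // move_uploaded_file() refuses anything is_uploaded_file() rejects.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0640);
    error_log(sprintf('stored upload "%s" as %s', $original, $stored));
    return $dest;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        safeSave($_FILES['upload']);
        echo 'stored';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The upload directory should sit outside the document root, or be served with script execution disabled, so that a file which slips past the type check is still only ever served as data.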
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
The Ninja Space Goat wrote:
    nice list feyd...
    How the hell do you ever have any time to do anything??
I barely code anymore, if that's what you're asking about. Mostly because I just don't feel like doing it since retiring from the professional world.
I try to read a lot on the field still however. When I do sit down to write some code I move quite slow and deliberately. It took me about two to three hours to flesh out a Stream interface the other day.
Anyways, I'm going off topic. If you want to know more about this post's nonsense, hit me up on PM.
the internet is one of the most hostile environments for a web application.
http://video.google.com/videoplay?docid ... 0663884360
fear input, fear output.