copy()

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.


wtf
Forum Contributor
Posts: 331
Joined: Thu Nov 03, 2005 5:27 pm


Post by wtf »

I was leafing through a PHP book at the store a few days ago and I came across a paragraph that was talking about file upload security issues. The article stated that copy() opens up a security hole and is not recommended for use with file uploads. Does anyone have/know of a list of potentially unsafe functions that are commonly used in PHP?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

copy() should never be used against a file upload. move_uploaded_file() should instead be used.
wtf
Forum Contributor
Posts: 331
Joined: Thu Nov 03, 2005 5:27 pm

Post by wtf »

Yes, I understand that. I also wasn't aware of the potential issues with $_SERVER['PHP_SELF']. What else do you have up your sleeve?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Typical common-sense stuff:
  • IP reliance is silly.
  • security through obscurity isn't security
  • If Ajax is the "only" answer, it probably needs a rethink
  • header() redirection should always be full URL
  • rarely, if ever, test for the existence of a submit button to see if the form has been submitted
  • user input is poison until it passes validation, verification and
  • if page referral information is integral to the code, your code needs a rethink
  • eval() is often the devil.
  • including a remote file is a bad smell
  • blindly using all user input is likely bad (e.g. foreach $_POST) without filtering first, due to it often tying into a database. This stems from validation and verification.
  • register globals are the worst invention, after short tags.
  • separation of presentation logic from processing logic is paramount until I see proof of another, better, methodology.
  • basename() should always be used against the original filename of an uploaded file (if it's even.)
  • there are few valid reasons to store files in a database over the file system
  • when storing dates and/or times in a database, use the native formats and types or integers (PHP native Unix timestamps) which are corrected to GMT or UTC.
  • storing session IDs in the session they are associated with makes little sense.
  • consolidate database requests into as compact a span of code as realistically possible and close the connection immediately after finishing
  • OOP is your friend, but if it's the "only" solution, you're silly
  • arrogance is required to do our jobs, but too much of it makes you a fool or simply a jerk.
  • children should be allowed to play in dirt and allowed to get dirty.
  • Ideas are worthless. Actions are priceless.
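As an added example (not code from the thread or from feyd), here is an upload handler that puts several of the points above into practice: it uses is_uploaded_file() and move_uploaded_file() instead of copy(), runs basename() over the client-supplied filename, validates the content before trusting it, and redirects with a full URL. The field name "document", the directory /var/www/uploads, the size cap, the allowed types and the host example.com are all assumptions chosen for the example.

```php
<?php
// Added example, not from the original post. Handles one file field named
// "document" (assumed) and stores it under /var/www/uploads (assumed path,
// which must not be served directly by the web server).

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';           // assumed location
const MAX_BYTES  = 2 * 1024 * 1024;             // 2 MiB cap, chosen for the example
// Content types accepted, mapped to the extension the stored file will get.
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/**
 * Validate one entry from $_FILES and move it into UPLOAD_DIR.
 * Returns the stored path; throws RuntimeException on any failure.
 */
function storeUpload(array $file): string
{
    // PHP reports its own upload errors; anything but UPLOAD_ERR_OK is rejected.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $err);
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // is_uploaded_file() confirms tmp_name really came from this request's
    // upload. copy() performs no such check; move_uploaded_file() does it itself.
    $tmp = $file['tmp_name'] ?? '';
    if ($tmp === '' || !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // Sniff the type from the bytes on disk, never from the client's $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type');
    }

    // basename() strips any directory components the client put in the name.
    // The original name is kept only for the log line; the stored name is random.
    $original = basename($file['name'] ?? 'unnamed');
    $stored   = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];

    // move_uploaded_file() re-checks is_uploaded_file() and then moves the file.
    if (!move_uploaded_file($tmp, $stored)) {
        throw new RuntimeException('could not move upload');
    }
    error_log(sprintf('stored upload "%s" as %s', $original, $stored));
    return $stored;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['document'])) {
    try {
        storeUpload($_FILES['document']);
        // Redirect with a full URL, as the list recommends (host is assumed).
        header('Location: https://example.com/upload/done', true, 303);
        exit;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} else {
    // Form action is a fixed path rather than $_SERVER['PHP_SELF'], which
    // echoes whatever path the client requested and must at least be escaped.
    echo '<form method="post" action="/upload.php" enctype="multipart/form-data">',
         '<input type="file" name="document"> <button>Upload</button></form>';
}
```

The random stored name removes any dependence on the client's filename for the path, so basename() here is defence in depth rather than the only barrier; the content-type check uses the finfo extension, which is bundled with PHP but can be disabled in some builds.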
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

nice list feyd... :D

How the hell do you ever have any time to do anything?? (Other than code I mean) :D :?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The Ninja Space Goat wrote: nice list feyd... :D

How the hell do you ever have any time to do anything?? :D :?
I barely code anymore, if that's what you're asking about. Mostly because I just don't feel like doing it since retiring from the professional world.

I try to read a lot on the field still, however. When I do sit down to write some code I move quite slowly and deliberately. It took me about two to three hours to flesh out a Stream interface the other day. :) It's nice not being rushed, but I would like to get the project(s) I've got cooking in my head done. But with school life occupying a lot of my brain right now, I hardly do much else other than thinking. Although for some reason I'm almost always compelled to lurk here.

Anyways, I'm going off topic. If you want to know more about this post's nonsense, hit me up on PM.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

feyd wrote: Ideas are worthless. Actions are priceless.
Nice.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

This forum is not for asking programming related questions.
Moved to PHP Theory & Design.
wei
Forum Contributor
Posts: 140
Joined: Wed Jul 12, 2006 12:18 am

Post by wei »

the internet is one of the most hostile environments for a web application.

http://video.google.com/videoplay?docid ... 0663884360

fear input, fear output.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

m3mn0n wrote:
This forum is not for asking programming related questions.
Moved to PHP Theory & Design.
I probably should have thought of this. :)

I should have mentioned that I was watching my very own 24 marathon while writing the Stream. :D