copy()
Posted: Mon Jan 08, 2007 8:50 pm
by wtf
I was listing some PHP book at the store a few days ago and I came across a paragraph that was talking about file upload security issues. The article stated that copy() opens up a security hole and it's not recommended for use with file uploads. Does anyone have/know of a list of potentially unsafe functions that are commonly used in PHP?
Posted: Mon Jan 08, 2007 9:35 pm
by feyd
copy() should never be used against a file upload.
move_uploaded_file() should instead be used.
Posted: Mon Jan 08, 2007 11:18 pm
by wtf
Yes, I understand that. I also wasn't aware of the potential issues with $_SERVER['PHP_SELF']. What else do you have up your sleeve?
Posted: Tue Jan 09, 2007 12:11 am
by feyd
Typical common-sense stuff:
- IP reliance is silly.
- security through obscurity isn't security
- If Ajax is the "only" answer, it probably needs a rethink
- header() redirection should always be full URL
- rarely, if ever, test for the existence of a submit button to see if the form has been submitted
- user input is poison until it passes validation, verification and
- if page referral information is integral to the code, your code needs a rethink
- eval() is often the devil.
- including a remote file is a bad smell
- blindly using all user input (e.g. foreach over $_POST) without filtering first is likely bad, since it often ties into a database. This stems from validation and verification.
- register globals are the worst invention, after short tags.
- separation of presentation logic from processing logic is paramount until I see proof of another, better, methodology.
- basename() should always be used against the original filename of an uploaded file (if it's even.)
- there are few valid reasons to store files in a database over the file system
- when storing dates and/or times in a database use the native formats and types or integers (php native unix timestamps) which are corrected to GMT or UTC.
- storing session IDs in the session they are associated with makes little sense.
- consolidate database requests into as compact a span of code as realistically possible and close the connection immediately after finishing
- OOP is your friend, but if it's the "only" solution, you're silly
- arrogance is required to do our jobs, but too much of it makes you a fool or simply a jerk.
- children should be allowed to play in dirt and allowed to get dirty.
- Ideas are worthless. Actions are priceless.
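A defensive upload handler that puts feyd's two upload points into practice (move_uploaded_file() instead of copy(), and basename() on the client-supplied filename), written as an added example rather than code from the thread; the upload directory, size limit and extension list are assumptions.

```php
<?php
// Added example (not from the thread). Assumed settings: the upload directory
// is outside the document root, 2 MB limit, image extensions only.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/uploads';          // assumption (placeholder path)
const MAX_BYTES   = 2 * 1024 * 1024;             // assumption
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif']; // assumption

function handle_upload(array $file): string
{
    // Reject anything PHP itself flagged (size limits, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    // This is the check copy() never performs: the source path must come from
    // this request's multipart body, not from anything the client could name.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('source is not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // basename() strips directory components from the client-chosen name, so a
    // name like "../../index.php" is reduced to "index.php" before the
    // extension check decides whether even that is acceptable.
    $clientName = basename($file['name']);
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // Do not trust the client-sent MIME type; sniff the bytes on disk instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (strpos((string) $mime, 'image/') !== 0) {
        throw new RuntimeException('content is not an image');
    }
    // Store under a server-generated name; the original name is metadata only.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() repeats the is_uploaded_file() check internally and
    // refuses to move anything else, which is why it replaces copy() here.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $dest;
}

// Typical call from the form handler: $stored = handle_upload($_FILES['photo']);
```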
Posted: Tue Jan 09, 2007 1:34 am
by Luke
nice list feyd...
How the hell do you ever have any time to do anything?? (Other than code I mean)

Posted: Tue Jan 09, 2007 1:43 am
by feyd
The Ninja Space Goat wrote: nice list feyd...
How the hell do you ever have any time to do anything??

I barely code anymore, if that's what you're asking about. Mostly because I just don't feel like doing it since retiring from the professional world.
I try to read a lot on the field still however. When I do sit down to write some code I move quite slow and deliberately. It took me about two to three hours to flesh out a Stream interface the other day.

It's nice not being rushed, but I would like to get the project(s) I've got cooking in my head done. But with school life occupying a lot of my brain right now, I hardly do much else other than thinking. Although for some reason I'm almost always compelled to lurk here.
Anyways, I'm going off topic. If you want to know more about this post's nonsense, hit me up on PM.
Posted: Tue Jan 09, 2007 4:12 am
by onion2k
Ideas are worthless. Actions are priceless.
Nice.
Posted: Tue Jan 09, 2007 4:19 am
by m3mn0n
This forum is not for asking programming related questions.
Moved to PHP Theory & Design.
Posted: Tue Jan 09, 2007 5:04 am
by wei
The internet is one of the most hostile environments for a web application.
http://video.google.com/videoplay?docid ... 0663884360
Fear input, fear output.
Posted: Tue Jan 09, 2007 7:45 am
by feyd
m3mn0n wrote: This forum is not for asking programming related questions.
Moved to PHP Theory & Design.
I probably should have thought of this.
I should have mentioned that I was watching my very own 24 marathon while writing the Stream.
