PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
 Post subject:
PostPosted: Tue Jan 09, 2007 12:57 am 
Forum Regular

Joined: Fri Mar 19, 2004 2:51 pm
Posts: 873
Didn't see this posted, this cheat sheet covers more than just PHP:

http://www.secguru.com/files/cheatsheet ... sheet2.pdf


 Post subject:
PostPosted: Tue Jul 03, 2007 5:16 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4294
Location: Sofia, Bulgaria
http://ha.ckers.org/xss.html


 Post subject:
PostPosted: Wed Aug 15, 2007 10:35 am 
DevNet Master

Joined: Wed Jun 27, 2007 9:44 am
Posts: 4294
Location: Sofia, Bulgaria
Php Endangers - Remote Code Execution: http://milw0rm.com/papers/176



 Post subject:
PostPosted: Mon Sep 17, 2007 2:13 pm 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
The Unexpected SQL Injection
(When Escaping Is Not Enough)
by yours truly

Quote:
Abstract: We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used. There are two major steps at writing SQL injection resistant code: correct validation and escaping of input and proper use of the SQL syntax. Failure to comply with any of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.


http://www.webappsec.org/projects/articles/091007.shtml


Last edited by Mordred on Mon Sep 17, 2007 3:32 pm, edited 1 time in total.
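To illustrate the abstract's point that escaping alone is not enough without proper use of SQL syntax, here is an added example (my own code, not taken from the article or from this post). SQLite stands in for MySQL so it runs offline, SQLite3::escapeString() plays the role of mysql_real_escape_string(), and the table, the lookup functions and the request value are all constructed for the demo.

```php
<?php
// Escaping protects a value only inside a quoted string literal. When the escaped
// value is interpolated into an unquoted (numeric) position, an input made of
// digits, spaces and operators contains nothing to escape and is parsed as SQL.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'admin')");

function fetchNames(SQLite3Result $res): array {
    $names = [];
    while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
        $names[] = $row['name'];
    }
    return $names;
}

// The pattern the article warns about: escaped, but dropped into the query unquoted.
function lookupUnsafe(SQLite3 $db, string $id): array {
    $escaped = SQLite3::escapeString($id);          // no quotes in input: unchanged
    return fetchNames($db->query("SELECT name FROM users WHERE id = $escaped"));
}

// Hardened: validate the type first, then bind the value as a typed parameter so
// the database never parses it as part of the statement.
function lookupSafe(SQLite3 $db, string $id): array {
    if (!ctype_digit($id)) {
        return [];                                   // reject non-numeric ids outright
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, SQLITE3_INTEGER);
    return fetchNames($stmt->execute());
}

$hostile = '1 OR 1=1';   // constructed request value; survives escaping untouched
var_dump(lookupUnsafe($db, $hostile));   // the WHERE clause has been rewritten
var_dump(lookupSafe($db, $hostile));     // rejected by validation
var_dump(lookupSafe($db, '2'));          // normal lookup still works
```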

 Post subject:
PostPosted: Mon Sep 17, 2007 3:13 pm 
Site Administrator

Joined: Tue Sep 09, 2003 6:04 pm
Posts: 14293
Location: Fremont, CA, USA
For those that are looking for mordred's article... http://www.webappsec.org/projects/articles/091007.shtml


 Post subject:
PostPosted: Mon Sep 17, 2007 3:31 pm 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Everah wrote:
For those that are looking for mordred's article... http://www.webappsec.org/projects/articles/091007.shtml


Oh, drats, I forgot the link?! I should have my forum license revoked ;) Thanks, Everah!


 Post subject:
PostPosted: Mon Sep 17, 2007 4:28 pm 
Site Administrator

Joined: Tue Sep 09, 2003 6:04 pm
Posts: 14293
Location: Fremont, CA, USA
You're welcome dude. It didn't take much to find it, but I figured I'd save the members that time...


 Post subject: Re: Security Resources
PostPosted: Fri Jul 10, 2009 6:09 pm 
Forum Newbie

Joined: Wed Aug 03, 2005 3:21 am
Posts: 3
Location: India
One of the major sources of information about PHP security is the mailing lists at php.net: people normally face issues and report them, and then community members give their views, and it sometimes becomes very interesting ... :)


 Post subject: Re: Security Resources
PostPosted: Fri Nov 13, 2009 4:25 am 
Forum Newbie

Joined: Mon Nov 03, 2008 5:11 am
Posts: 4
Location: Abuja, Nigeria
Thanks :D


 Post subject: Re: Security Resources
PostPosted: Mon Aug 23, 2010 6:22 am 
Forum Newbie

Joined: Sun Jul 18, 2010 11:27 pm
Posts: 18
This is an excellent source for PHP security. I'm impressed.


 Post subject: Re: Security Resources
PostPosted: Tue Apr 26, 2011 1:16 am 
Forum Newbie

Joined: Sun Mar 20, 2011 9:55 pm
Posts: 3
There are so many masters here that I can learn more from; thank you!


 Post subject: Re: Security Resources
PostPosted: Mon Jul 25, 2011 11:59 am 
Forum Newbie

Joined: Sat Jul 16, 2011 12:13 am
Posts: 10
Nice article


 Post subject: Re: Security Resources
PostPosted: Wed Dec 28, 2011 2:05 pm 
Forum Newbie

Joined: Wed Dec 28, 2011 1:29 pm
Posts: 1
Hi everybody,
How can I abstract a URL in PHP? For example, I want to abstract "www.belabela.com/about.php" to "www.belabela.com/about" or something like this. Must it change something in the .htaccess file, or is it something else?

The next question is about source code: how can I prevent saving or showing the source code?

Thanks


 Post subject: Re: Security Resources
PostPosted: Tue Mar 13, 2012 8:06 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
A detailed and humorous account of how to (and how not to) do escaping in PHP, by our own Maugrim (aka Pádraic Brady):

A Hitchhiker’s Guide to Cross-Site Scripting (XSS) in PHP (Part 1): How Not To Use Htmlspecialchars() For Output Escaping


 Post subject: Re: Security Resources
PostPosted: Tue Mar 13, 2012 4:31 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13385
Location: New York, NY, US
Hey Mordred, perhaps you could give us a little clearer (and less humorous) tutorial, or point us to one of yours, on how to correctly use htmlspecialchars() for output escaping and what other code is needed to ensure it is done right. For example, do you recommend using mb_convert_encoding() to convert everything to UTF-8?

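An added example (my own, not from Pádraic Brady's article nor from anyone's post in this thread) of the points the question raises: an output-escaping helper that calls htmlspecialchars() with explicit flags and charset, and a check that the input really is UTF-8 before it gets there. The helper names e() and ensureUtf8() and the sample strings are assumptions.

```php
<?php
declare(strict_types=1);

// Make sure a value is valid UTF-8 before escaping. mb_convert_encoding() is only
// useful when you actually know the source charset; converting blindly hides bugs.
// Here invalid input is rejected rather than silently re-encoded.
function ensureUtf8(string $value): string {
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $value;
}

// Escape for an HTML text node or a quoted attribute value.
function e(string $value): string {
    // ENT_QUOTES: also encode the single quote, so the value is safe inside
    //   attributes delimited with ' as well as ". Before PHP 8.1 the default
    //   (ENT_COMPAT) left ' untouched, which is the classic mistake.
    // ENT_SUBSTITUTE: replace malformed sequences with U+FFFD instead of the
    //   pre-8.1 default of returning an empty string, which drops the value
    //   (and any content it was supposed to carry) without any error.
    // 'UTF-8': name the charset explicitly; it must match the page's encoding.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$name   = "O'Reilly <b>";
$latin1 = "caf\xE9";      // a Latin-1 byte, not valid UTF-8

// Pre-8.1 default flags: the single quote survives, so a single-quoted attribute
// can be terminated by user input. The helper encodes it as &#039;.
$naive = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
$safe  = e($name);
echo "naive: <input value='$naive'>\n";
echo "safe:  <input value='$safe'>\n";

// The charset check stops the Latin-1 value before it reaches the template;
// with ENT_SUBSTITUTE the helper alone would emit U+FFFD rather than "".
try {
    echo e(ensureUtf8($latin1)), "\n";
} catch (InvalidArgumentException $ex) {
    echo "rejected: ", $ex->getMessage(), "\n";
}
```

Use e() only for HTML text and attribute values; URLs, JavaScript and CSS contexts each need their own escaping rules, which htmlspecialchars() does not provide.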

