Security Resources

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Didn't see this posted; this cheat sheet covers more than just PHP:

http://www.secguru.com/files/cheatsheet ... sheet2.pdf
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

Php Endangers - Remote Code Execution: http://milw0rm.com/papers/176
There are 10 types of people in this world, those who understand binary and those who don't
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

The Unexpected SQL Injection
(When Escaping Is Not Enough)
by yours truly
Abstract: We will look at several scenarios under which SQL injection may occur, even though mysql_real_escape_string() has been used. There are two major steps in writing SQL-injection-resistant code: correct validation and escaping of input, and proper use of the SQL syntax. Failure to comply with either of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.
http://www.webappsec.org/projects/articles/091007.shtml
Last edited by Mordred on Mon Sep 17, 2007 3:32 pm, edited 1 time in total.
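An added example (not from Mordred's article or this thread) of the first scenario the abstract describes, escaping applied to a value that is then used in an unquoted numeric context, beside two fixes. mysqlEscapeStandIn() is a local stand-in that rewrites the same characters as mysql_real_escape_string() so the script runs without a MySQL server, and the in-memory SQLite table and the sample input are constructed for the demonstration.

```php
<?php
// Escaping is only safe inside a quoted string literal. In an unquoted numeric
// context the escaped value is interpolated verbatim, because the characters
// the escape function rewrites (NUL, \n, \r, \, ', ", \x1a) never have to
// appear in the injected text.
// mysqlEscapeStandIn() is a local stand-in for mysql_real_escape_string() with
// the same character set, used here so no MySQL connection is required.
function mysqlEscapeStandIn(string $s): string {
    return strtr($s, ["\0" => '\0', "\n" => '\n', "\r" => '\r',
                      '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\Z']);
}

// Vulnerable: escaped, but placed into the query without surrounding quotes.
function buildUnquoted(string $id): string {
    return "SELECT * FROM users WHERE id = " . mysqlEscapeStandIn($id);
}

// Fix 1 (validation): enforce the expected type before the value reaches SQL.
function buildValidated(string $id): string {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return "SELECT * FROM users WHERE id = " . (int)$id;
}

// Fix 2 (SQL syntax): a prepared statement keeps data out of the SQL grammar.
// Uses in-memory SQLite so it runs offline; the pattern is identical for MySQL.
function lookupPrepared(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');                       // constructed test table
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

$input = "1 OR 1=1";   // constructed sample input: contains nothing that escaping rewrites
echo buildUnquoted($input), "\n";     // the escape function changed nothing; OR is live SQL
try {
    buildValidated($input);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // validation stops it before the query
}
var_dump(lookupPrepared($db, $input)); // bound as a string: matches no row
var_dump(lookupPrepared($db, "1"));    // the intended lookup still works: ["alice"]
```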
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

For those that are looking for mordred's article... http://www.webappsec.org/projects/articles/091007.shtml
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Everah wrote:For those that are looking for mordred's article... http://www.webappsec.org/projects/articles/091007.shtml
Oh, drats, I forgot the link?! I should have my forum license revoked ;) Thanks, Everah!
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You're welcome dude. It didn't take much to find it, but I figured I'd save the members that time...
zareef
Forum Newbie
Posts: 3
Joined: Wed Aug 03, 2005 3:21 am
Location: India

Re: Security Resources

Post by zareef »

One of the major sources of information about PHP security is the mailing lists at php.net; people normally face issues and report them, and then community members give their views, and it sometimes becomes very interesting ... :)
cygital
Forum Newbie
Posts: 4
Joined: Mon Nov 03, 2008 4:11 am
Location: Abuja, Nigeria

Re: Security Resources

Post by cygital »

Thanks :D
carnavia
Forum Newbie
Posts: 18
Joined: Sun Jul 18, 2010 11:27 pm

Re: Security Resources

Post by carnavia »

This is an excellent source for PHP security. I'm impressed.
zoe1adela
Forum Newbie
Posts: 3
Joined: Sun Mar 20, 2011 9:55 pm

Re: Security Resources

Post by zoe1adela »

There are so many masters here that I can learn from; thank you!
srikanth03565
Forum Newbie
Posts: 10
Joined: Sat Jul 16, 2011 12:13 am

Re: Security Resources

Post by srikanth03565 »

Nice article
meshkin
Forum Newbie
Posts: 1
Joined: Wed Dec 28, 2011 12:29 pm

Re: Security Resources

Post by meshkin »

Hi everybody,
How can I abstract a URL in PHP? For example, I want to abstract "www.belabela.com/about.php" to "www.belabela.com/about" or something like this. Does it require changing something in the .htaccess file?? Or is it something else?

The next question is about source code: how can I prevent the source code from being saved or shown?

Thx
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Security Resources

Post by Mordred »

A detailed and humorous account of how to (and how not to) do escaping in PHP, by our own Maugrim (aka Pádraic Brady):

A Hitchhiker’s Guide to Cross-Site Scripting (XSS) in PHP (Part 1): How Not To Use Htmlspecialchars() For Output Escaping
Christopher
Site Administrator
Posts: 13592
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Security Resources

Post by Christopher »

Hey Mordred, perhaps you could give us a little clearer (and less humorous) tutorial, or point us to one of yours, on how to correctly use htmlspecialchars() for output escaping and what other code is needed to ensure it is done right. For example, do you recommend using mb_convert_encoding() to convert everything to UTF8?