security question(s)

Posted by nancy on 11/27/06 16:42

I am new to PHP but have done other programming.
Can someone please hold my hand and slowly talk me through some simple
security issues?

I have seen in PHP documents that there are 'strip slashes' commands and
so on but I don't understand where the security issues actually are.

I am writing some scripts that will shell out and call different Linux
shell programs such as 'ls' or 'grep' or 'sed' and so on and possibly
update a 'mysql' database.

Can you tell me at what point in this procedure security is needed and
what exactly, as ideally I would like to not hamper anything I send to
grep and so on? In other words I would like any security modification of
my parameters to happen as late in the process as possible.

I am obviously interested in how to stop someone using pipes '||' or
redirecting the output '>' or entering anything that might trigger the
database to think I was getting code or a variable of some sort - I
think that may just be '$' but don't really know. Are there any actual
strings rather than characters that must be watched for?

Can someone explain at what point the issues take effect - is it PHP, or
when PHP passes the parameters, or is it the (e.g.) 'grep' program itself
that is written to do things that must be prevented, or is it Linux
itself when it passes the parameters?

And is there anything else I need to watch out for?

Can anyone explain in simple terms please (perhaps a security table?)

nancy
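
The following is an added example, not part of nancy's post: it shows the layer the question asks about (the shell that PHP starts for `exec()`) and quotes the parameter as late as possible, when the command line is built. The function names, sample file and search term are constructed for illustration; it assumes a Linux host with `grep` and PHP 7.4 or later.

```php
<?php
// Added example. Function names and sample data are constructed for illustration.

// Quote untrusted values only here, at the moment the shell command line is
// built. escapeshellarg() single-quotes the value, so /bin/sh passes it to
// grep as one literal argument instead of parsing ||, >, ; or $ itself.
function build_grep_command(string $term, string $file): string
{
    // -F: fixed string, not a regex; -e: next argument is the pattern even
    // if it starts with '-'; --: end of options before the file name.
    return 'grep -F -e ' . escapeshellarg($term) . ' -- ' . escapeshellarg($file);
}

// Alternative with no shell at all: since PHP 7.4 proc_open() accepts an
// argv array and starts the program directly, so nothing needs quoting.
function grep_no_shell(string $term, string $file): array
{
    $proc = proc_open(['grep', '-F', '-e', $term, '--', $file],
                      [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start grep');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === '' ? [] : explode("\n", rtrim($out, "\n"));
}

// Constructed sample file and search term containing shell metacharacters.
$file = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($file, "plain line\nvalue with || and > and \$HOME inside\n");
$term = '|| and > and $HOME';

// For comparison only, never executed: PHP would hand this whole string to
// /bin/sh -c, and the shell, not PHP or grep, would act on ||, > and $HOME.
echo "unescaped: grep $term $file\n";

$cmd = build_grep_command($term, $file);
echo "escaped:   $cmd\n";

$lines = [];
exec($cmd, $lines, $status);           // runs through /bin/sh with quoting applied
print_r($lines);
print_r(grep_no_shell($term, $file));  // direct process start, no shell involved
unlink($file);
```

For the MySQL side, the equivalent boundary handling is a prepared statement with bound parameters (PDO or mysqli), which this example does not cover.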

 
