Posted by R. Rajesh Jeba Anbiah on 02/04/07 06:50

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.net> wrote:
<snip>
> My customers are worried abour security in PHP. I have written many
> small PHP applications before where security wasn't a major concern.

Some customers may not be willing to spend $ and so they may prefer
shared host.

Shared host are viable to session related attacks if default file
based session is used--so you may want to add db based session
handler.

>I have always checked user input and posted variables and used
> mysql_real_escape_string() or intval() to prevent SQL-injection and
> htmlentities() to prevent CSS.

Some customers may not be willing to spend $ and so they may prefer
shared host.

Shared host are viable to session related attacks if default file
based session is used--so you may want to add db based session
handler.

Unlike XSS, new common attack is session riding--so you may have to
add secret tokens in every forms and Ajax based user info retrieval
(remember GMail's contact list attack)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

• Next in forum: Re: Looking for PHP security tips
• Prev in forum: Re: I have sub-categories but want to display full category path
• Thread view: Re: Looking for PHP security tips

[Reply to this message]