|
|
Posted by larry on 01/12/08 21:02
On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
>... However, what methods would someone visiting my site use to
> get to the command line, without having an account on the same server?
> How can I guard against such intrusions?
There are many on-line guides to PHP security, I would recommend every
PHP guy to check them out, and keep up to date on PHP news regularly.
Mainly what you wnt to guard against is someone doing making your site
do things it wasn't intended to do. None of them are overly hard to
implement mainly a case of doing good coding practices.
One of the more popular are the "Top 7 PHP Security Blunders"
http://www.sitepoint.com/article/php-security-blunders
and the Zend PHP Security Tips are good too:
http://devzone.zend.com/tag/Security_Tips
The main points of vulnerability are:
- GET, POST, COOKIE data, (anything that could potentially come from
the user) make sure it is clean, not only from bad code that could
compromise PHP/HTML or bad URLS that will redirect output, but also
from code that might comprimise your SQL databases (if you use any).
- The next one is how pages interact with each other - sure everything
works fine when Page A calls or includes Page B but what happens if
outside Badguy Page X tries to call Page B?
- Authentication - make sure you know who you are dealing with and
don't let them have the opportunity to do more then what you want them
to.
- Other websites on shared servers pose other risks in that they may
have an advantage of being on the same webhost and able to mess with
things on the inside (Session data).
Navigation:
[Reply to this message]
|