Posted by Rik Wasmus on 01/12/08 21:07
On Sat, 12 Jan 2008 22:02:24 +0100, <larry@portcommodore.com> wrote:
> On Jan 12, 10:15 am, firewood...@yahoo.com wrote:
>> ... However, what methods would someone visiting my site use to
>> get to the command line, without having an account on the same server?
>> How can I guard against such intrusions?
>
> There are many on-line guides to PHP security, I would recommend every
> PHP guy to check them out, and keep up to date on PHP news regularly.
> Mainly what you want to guard against is someone making your site
> do things it wasn't intended to do. None of them are overly hard to
> implement, mainly a case of following good coding practices.
>
> One of the more popular is the "Top 7 PHP Security Blunders"
> http://www.sitepoint.com/article/php-security-blunders
>
> and the Zend PHP Security Tips are good too:
> http://devzone.zend.com/tag/Security_Tips
>
> The main points of vulnerability are:
>
> - GET, POST, COOKIE data, (anything that could potentially come from
> the user) make sure it is clean, not only from bad code that could
> compromise PHP/HTML or bad URLS that will redirect output, but also
> from code that might compromise your SQL databases (if you use any).
Add a lot of the items of $_SERVER data to the list, and don't forget the
session id is derived from one of the request variables...
--
Rik Wasmus
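The points raised in the thread (user-controlled GET/POST/COOKIE data, the request-derived entries in $_SERVER, and the session id itself) as an added worked example; this is not code from the original posts. It assumes a PDO connection to a hypothetical table `users(id, name)` and a configured canonical host name; the unsafe function is shown only to contrast with the hardened one.

```php
<?php
// Added example, not from the thread. Assumes a PDO handle $db bound to a
// hypothetical table users(id, name); $canonicalHost is the site's configured
// host name, not anything read from the request.
declare(strict_types=1);

// --- Unsafe: every value used here is chosen by the client ----------------
function unsafe_page(PDO $db): string
{
    $id   = $_GET['id'] ?? '';               // SQL injection: "1 OR 1=1"
    $ref  = $_SERVER['HTTP_REFERER'] ?? '';  // XSS: a Referer header can hold markup
    $self = $_SERVER['PHP_SELF'];            // XSS: carries PATH_INFO, e.g. /page.php/<script>
    $host = $_SERVER['HTTP_HOST'];           // forged Host header poisons generated links

    $row = $db->query("SELECT name FROM users WHERE id = $id")->fetch();
    return "<a href='http://$host$self'>You came from $ref</a> " . $row['name'];
}

// --- Hardened: validate input, parameterise SQL, escape on output -----------
function safe_page(PDO $db, array $get, array $server, string $canonicalHost): string
{
    // Validate rather than "clean": the id must be a positive integer or we stop.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 'bad id';
    }

    // Prepared statement: the value is bound as data and can never become SQL.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'not found';
    }

    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // $_SERVER entries that mirror request headers (HTTP_*) are attacker input.
    // Never build links from HTTP_HOST; use the configured host instead.
    $host = $canonicalHost;
    // SCRIPT_NAME is set by the server; PHP_SELF includes client-supplied PATH_INFO.
    $self = $server['SCRIPT_NAME'];
    // Referer is free-form client data: escape it for the HTML context.
    $ref  = $esc($server['HTTP_REFERER'] ?? '');
    $name = $esc((string) $row['name']);

    return sprintf('<a href="https://%s%s">You came from %s</a> %s',
                   $esc($host), $esc($self), $ref, $name);
}

// --- The session id is request data too --------------------------------------
// PHP reads it from a cookie (or from the URL when trans_sid is on), so the
// client can pick it (session fixation) or send garbage. Only accept ids from
// the cookie, reject ids PHP did not issue, and re-issue after login.
function start_session_strictly(): void
{
    ini_set('session.use_only_cookies', '1');   // no ?PHPSESSID=... accepted
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');    // PHP >= 5.5.2: unknown ids get replaced
    ini_set('session.cookie_httponly', '1');
    session_start();
}

function on_successful_login(): void
{
    // A pre-set (fixated) id becomes worthless once a fresh one is issued.
    session_regenerate_id(true);
}
```

The two page functions differ in three habits: input is validated to a type, not stripped of "bad characters"; SQL receives the value through a bound parameter; and every string that reaches HTML, including $_SERVER values, is escaped at the point of output. `session.use_strict_mode` postdates the original 2008 thread; on older PHP the equivalent is to call `session_regenerate_id(true)` on every privilege change.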