Posted by Gustavo Narea on 10/19/46 11:31
Hello, Chris.
I will take into account what you said.
What you mentioned regarding that example is right. We have to take
into account that cookies can be stolen.
Thanks for the URLs, I will visit them.
Cheers.
Chris Shiflett wrote:
> Gustavo Narea wrote:
>
>> By the way, I liked the link that Pablo suggested:
>> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
>
> Be careful. There is a lot of misinformation out there regarding PHP
> security, and this article is a good example.
>
> Here's something that caught my eye:
>
> "The second solution is to only store their username and password in a
> cookie, and with every call to the script, validate the username and
> password and verify if the user is an administrator."
>
> If the problem is how to expose a user's sensitive data as much as
> possible, then this is a solution. However, I doubt that's the intent.
> This is such a common mistake that it is something I specifically search
> for when auditing a PHP application, as I mention in this talk:
>
> http://brainbulb.com/talks/php-security-audit-howto.pdf
>
> The PHP Security Consortium is trying to resolve this problem of
> misinformation in a positive way (we don't want to disparage people's
> hard work and spread bad vibes). We've created a library of links to
> approved resources that we've read through to make sure the advice given
> is sound. You can find this library here:
>
> http://phpsec.org/library/
>
> Hope that helps.
>
> Chris
>
--
Best regards,
Gustavo Narea.
PHP Documentation - Spanish Translation Team.
Valencia, Venezuela.
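The pattern Chris objects to, next to what it should be replaced with, as an added PHP example (this is not code from the thread, from the devshed article, or from phpsec.org). It runs from the CLI: $_COOKIE is stood in for by plain arrays, and the user table, password hashes and in-memory session store are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Contrasts "credentials in a cookie"
// with an opaque server-side session handle. Runs under the PHP CLI (7.0+):
// cookies are simulated with arrays; users and sessions are constructed stand-ins.

declare(strict_types=1);

// Constructed user table: store password hashes, never the plaintext.
$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'admin' => true],
    'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT),       'admin' => false],
];

// ---- The mistaken pattern: the cookie carries the credentials themselves ----
function bad_login(array $users, string $u, string $p): array
{
    if (!isset($users[$u]) || !password_verify($p, $users[$u]['hash'])) {
        return [];
    }
    // Whoever reads these cookies (XSS, a shared machine, plain HTTP, the
    // browser's cookie file) now holds a password that stays valid until changed.
    return ['user' => $u, 'pass' => $p];
}

function bad_is_admin(array $users, array $cookies): bool
{
    $u = $cookies['user'] ?? '';
    $p = $cookies['pass'] ?? '';
    return isset($users[$u]) && password_verify($p, $users[$u]['hash']) && $users[$u]['admin'];
}

// ---- The replacement: an unguessable handle, all state kept on the server ----
function good_login(array $users, array &$sessions, string $u, string $p): array
{
    if (!isset($users[$u]) || !password_verify($p, $users[$u]['hash'])) {
        return [];
    }
    $sid = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $sessions[$sid] = ['user' => $u, 'expires' => time() + 900];
    // The password never leaves the login request. In a real handler the cookie
    // flags matter as much as the value, e.g.
    // setcookie('sid', $sid, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    return ['sid' => $sid];
}

function good_is_admin(array $users, array &$sessions, array $cookies): bool
{
    $sid = $cookies['sid'] ?? '';
    if (!isset($sessions[$sid])) {
        return false;                                  // unknown or forged handle
    }
    if ($sessions[$sid]['expires'] < time()) {
        unset($sessions[$sid]);                        // a stolen handle stops working
        return false;
    }
    $u = $sessions[$sid]['user'];
    return $users[$u]['admin'];                        // admin flag is read server-side, never from the client
}

// ---- Demonstration ----
$sessions = [];

$stolen = bad_login($users, 'alice', 'correct horse');
echo "bad: admin with stolen cookie?  ", var_export(bad_is_admin($users, $stolen), true), "\n";
echo "bad: password sitting in cookie: ", $stolen['pass'], "\n";

$cookie = good_login($users, $sessions, 'alice', 'correct horse');
echo "good: admin with own session?   ", var_export(good_is_admin($users, $sessions, $cookie), true), "\n";
echo "good: admin with forged id?     ",
    var_export(good_is_admin($users, $sessions, ['sid' => str_repeat('0', 64)]), true), "\n";
$sessions[$cookie['sid']]['expires'] = 0;              // simulate logout / idle timeout
echo "good: admin after expiry?       ", var_export(good_is_admin($users, $sessions, $cookie), true), "\n";
```

The second form does not stop a cookie from being stolen; it changes what the thief gets. A session handle can be expired, revoked on logout, rotated after login, and bound to HttpOnly/Secure/SameSite, whereas a password in a cookie is good until the user changes it. The same logic applies whether the store behind the handle is PHP's own $_SESSION or a database table.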