Posted by R. Rajesh Jeba Anbiah on 02/04/07 06:54

[My previous reply is messed up; please ignore that]

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.net> wrote:
<snip>
> My customers are worried abour security in PHP. I have written many
> small PHP applications before where security wasn't a major concern.

Some customers may not be willing to spend $ and so they may prefer
shared host.

Shared host are viable to session related attacks if default file
based session is used--so you may want to add db based session
handler.

> I have always checked user input and posted variables and used
> mysql_real_escape_string() or intval() to prevent SQL-injection and
> htmlentities() to prevent CSS.
<snip>

mysql_real_escape_string() is no more secure; use prepared statements
<http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-
Statements.html>

Unlike XSS, new common attack is session riding--so you may have to
add secret tokens in every forms and Ajax based user info retrieval
(remember GMail's contact list attack)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

[Back to original message]