Re: Re: Security Issues - Where to look?

Gustavo Narea wrote:
By the way, I liked the link that Pablo suggested:
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/

Be careful. There is a lot of misinformation out there regarding PHP security, and this article is a good example.

Here's something that caught my eye:

"The second solution is to only store their username and password in a cookie, and with every call to the script, validate the username and password and verify if the user is an administrator."

If the problem is how to expose a user's sensitive data as much as possible, then this is a solution. However, I doubt that's the intent. This is such a common mistake that it is something I specifically search for when auditing a PHP application, as I mention in this talk:

http://brainbulb.com/talks/php-security-audit-howto.pdf

The PHP Security Consortium is trying to resolve this problem of misinformation in a positive way (we don't want to disparage people's hard work and spread bad vibes). We've created a library of links to approved resources that we've read through to make sure the advice given is sound. You can find this library here:

http://phpsec.org/library/

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
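As an added illustration of the mistake discussed above (example code added here, not code from the original thread or from Chris Shiflett), the snippet below shows the credentials-in-a-cookie pattern the article recommends next to the usual session-based alternative. It assumes modern PHP (7.3 or later for the array form of session_set_cookie_params and for password_verify), a PDO handle $db, and a hypothetical `users` table with columns id, username, password_hash and is_admin.

```php
<?php
// Added example, not code from the original thread or from Chris Shiflett.
// Assumptions: a PDO handle $db and a hypothetical `users` table with
// columns id, username, password_hash, is_admin.

// --- Pattern the article recommends and the post warns against ---
// The credentials themselves travel in cookies on every request.
function insecure_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // The plaintext password now lives in the browser and in every
    // request header, and any script or proxy that sees the cookie has it.
    setcookie('username', $username);
    setcookie('password', $password);
    return true;
}

// --- Hardened form: only an opaque session id in the cookie, state on the server ---
function secure_session_start(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
    session_start();
}

function secure_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT id, password_hash, is_admin FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session id after authentication (guards against
    // session fixation) and keep the authorization state server-side.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    // No username or password is ever written to the client.
    return true;
}

// Per-request check: the admin flag is read from server-side session
// state, not re-derived from credentials sent by the client.
function current_user_is_admin(): bool
{
    return isset($_SESSION['user_id']) && !empty($_SESSION['is_admin']);
}

// Usage on each request:
//   secure_session_start();
//   if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//       secure_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   }
//   if (!current_user_is_admin()) { http_response_code(403); exit; }
```

The point of the contrast is what the client holds: in the first function the cookie is the credential, so every request re-exposes it and a stolen cookie is a stolen password; in the second the cookie is a random identifier that can be invalidated server-side at any time, and the password is checked exactly once at login.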

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

