Hello, Chris.
I will take into account what you said.
You are right about what you mentioned regarding that example. We have to take
into account that cookies can be stolen.
Thanks for the URLs, I will visit them.
Cheers.
Chris Shiflett wrote:
> Gustavo Narea wrote:
>> By the way, I liked the link that Pablo suggested:
>> http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
>
> Be careful. There is a lot of misinformation out there regarding PHP
> security, and this article is a good example.
>
> Here's something that caught my eye:
>
> "The second solution is to only store their username and password in a
> cookie, and with every call to the script, validate the username and
> password and verify if the user is an administrator."
>
> If the problem is how to expose a user's sensitive data as much as
> possible, then this is a solution. However, I doubt that's the intent.
>
> This is such a common mistake that it is something I specifically search
> for when auditing a PHP application, as I mention in this talk:
> http://brainbulb.com/talks/php-security-audit-howto.pdf
>
> The PHP Security Consortium is trying to resolve this problem of
> misinformation in a positive way (we don't want to disparage people's
> hard work and spread bad vibes). We've created a library of links to
> approved resources that we've read through to make sure the advice given
> is sound. You can find this library here:
> http://phpsec.org/library/
>
> Hope that helps.
>
> Chris
--
Best regards,
Gustavo Narea.
PHP Documentation - Spanish Translation Team.
Valencia, Venezuela.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
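The pattern Chris objects to (username and password kept in a cookie and re-validated on every request) and the server-side session that replaces it, side by side as an added example. This code is not from the thread, the devshed article, or phpsec.org; the in-memory user table, the user names and the passwords are constructed for illustration, and the cookie option array used by session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not part of the original mailing-list thread.
// Contrasts the "credentials in a cookie" mistake with a server-side session.
declare(strict_types=1);

// Constructed sample user table. A real application would load this from a
// database; hashes are computed here at startup purely so the file is self-contained.
$users = [
    'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT), 'admin' => true],
    'bob'   => ['hash' => password_hash('hunter2', PASSWORD_DEFAULT),                     'admin' => false],
];

/*
 * THE MISTAKE (the devshed advice): store username and password in a cookie and
 * re-check them on every request. The cookie is now a long-lived copy of the
 * user's real credential. Anyone who can read it (XSS, a proxy log, a shared
 * machine, a plain-HTTP hop) owns the account until the password is changed,
 * and the cleartext password crosses the wire on every single request.
 */
function insecureLogin(string $user, string $pass): void
{
    setcookie('user', $user);   // credential leaves the server...
    setcookie('pass', $pass);   // ...and the password now lives in the browser
}

function insecureIsAdmin(array $users): bool
{
    $u = $_COOKIE['user'] ?? '';
    $p = $_COOKIE['pass'] ?? '';
    return isset($users[$u])
        && password_verify($p, $users[$u]['hash'])
        && $users[$u]['admin'];
}

/*
 * THE FIX: verify the password exactly once, then keep only an opaque random
 * session identifier in the cookie. The authorisation state (admin or not)
 * lives server-side in $_SESSION, so a stolen cookie is worth only the
 * lifetime of that one session and never reveals the password.
 */
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,                             // discarded when the browser closes
        'path'     => '/',
        // Should be unconditionally true in production; relaxed here only so the
        // local dev-server demo below works over plain HTTP.
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,                          // not readable by JavaScript
        'samesite' => 'Lax',                         // option array needs PHP 7.3+
    ]);
    session_start();
}

function secureLogin(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // new id on privilege change: defeats session fixation
    $_SESSION['user']  = $user;
    $_SESSION['admin'] = $users[$user]['admin'];
    return true;
}

function secureIsAdmin(): bool
{
    return !empty($_SESSION['admin']);
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Minimal dispatcher so the file can be run with the built-in dev server:
//   php -S 127.0.0.1:8080 session_example.php
//   curl -c jar -b jar -d 'action=login&user=alice&pass=correct horse battery staple' http://127.0.0.1:8080/
//   curl -c jar -b jar http://127.0.0.1:8080/        # prints "admin"
startSecureSession();
$action = $_POST['action'] ?? '';
if ($action === 'login') {
    echo secureLogin($users, $_POST['user'] ?? '', $_POST['pass'] ?? '') ? "logged in\n" : "bad credentials\n";
} elseif ($action === 'logout') {
    logout();
    echo "logged out\n";
} else {
    echo secureIsAdmin() ? "admin\n" : "not admin (or not logged in)\n";
}
```

The insecure functions are never called by the dispatcher; they are kept only to show how little code separates the two designs. The difference that matters is what the cookie contains: in the first design it is the password itself, in the second it is a random identifier that can be revoked by destroying the server-side session.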