Sorry, didn't quite get that finished - hit send by accident (and had it go to one person, instead of to the list).

------------------------------------------------------------------------------------------------

Few quick tips - not all strictly security related, but may affect security.

Develop with E_ALL. Good code can run under E_ALL without complaining. On your development build, E_ALL errors should be echoed to the screen, whilst in a production environment they should be logged (and checked regularly by (or emailed to) the administrator).

Don't allow include files to execute if called. Everything in an included file should either be an assignment (to a static value - not the return value of a function), or inside a function. In an included file:

<?php
// ok
$variable = "Value";

// unsafe - an attacker, if he can execute your include files directly,
// can cause the getValue() function to be run outside your defined
// environment.
$variable = getValue();

function thisfunc(){
    // ok - inside function
    $variable = getValue();
}
?>

Of course, as well as this, your include files should be (a) outside your web directory, and (b) protected by a "Deny to all" in your Apache config file (or similar equivalent for other webservers) and .htaccess.

These are all of course different layers of security. You work on the assumption that an attacker can get through any one of them, but hope that they can't get through them all.

These aren't hard and fast rules - they're just techniques that I use myself. Just because someone else doesn't use these techniques doesn't mean that their techniques are any worse than mine.

Rory
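As an added example (not code from Rory's post), one way to put both tips into practice in PHP: a bootstrap that keeps E_ALL on but only displays errors on the development build and logs them in production, and an include file that contains nothing but static assignments and function definitions, so requesting it directly does no work. The file names, the APP_ENV variable, the log path and the direct-access guard at the top of the include are assumptions added here, on top of the "outside the web root" and web-server deny layers the post describes.

```php
<?php
// ---- bootstrap.php (assumed name) --------------------------------------
error_reporting(E_ALL);                     // good code runs clean under E_ALL

if (getenv('APP_ENV') === 'production') {   // APP_ENV: assumed env variable
    ini_set('display_errors', '0');         // never echo errors to visitors
    ini_set('log_errors', '1');             // ...log them for the admin instead
    ini_set('error_log', '/var/log/php/app.log'); // log path is an assumption
} else {
    ini_set('display_errors', '1');         // developers see errors on screen
}

// The include directory sits outside the web root (assumed layout).
require_once __DIR__ . '/../includes/dbconf.inc.php';

// ---- includes/dbconf.inc.php (assumed name) ----------------------------
// Extra layer (an assumption, not in the post): if this file is the script
// being served directly rather than included, stop before anything else.
if (realpath(__FILE__) === realpath($_SERVER['SCRIPT_FILENAME'] ?? '')) {
    http_response_code(403);
    exit;
}

// ok - static assignments only; nothing here calls a function at include time
const DB_HOST = 'localhost';
const DB_NAME = 'app';

// ok - work that needs the wider environment lives inside a function, so it
// only runs when the including script chooses to call it
function db_connect(string $user, string $pass): PDO
{
    return new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

Requesting dbconf.inc.php on its own (if the deny rules ever let it through) now yields a 403 and defines nothing, while the including script gets the constants and db_connect() exactly as before.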
On 11/23/06, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> On Wed, 2006-11-22 at 22:45 -0600, Larry Garfield wrote:
> > On Wednesday 22 November 2006 22:38, Robert Cummings wrote:
> >
> > > > maybe we should all refer to forum and google
> > >
> > > Teach a man to fish...
> >
> > And you lose your monopoly on fisheries.
>
> Yeah, but I got Park Place and Boardwalk!!! *nyah nyah* :B
>
> Cheers,
> Rob.
> --
> .------------------------------------------------------------.
> | InterJinn Application Framework - http://www.interjinn.com |
> :------------------------------------------------------------:
> | An application and templating framework for PHP. Boasting  |
> | a powerful, scalable system for accessing system services  |
> | such as forms, properties, sessions, and caches. InterJinn |
> | also provides an extremely flexible architecture for       |
> | creating re-usable components quickly and easily.          |
> `------------------------------------------------------------'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php