Re: Echoing input w/o sanitizing - what is the danger

Well, there's Chris Shiflett's book on PHP Security, which is
probably linked somewhere from that site, as he's the lead developer
on that site as well...

I'm not sure I'd go so far as to call it a Bible for PHP Security,
though, as there are simply too many disparate related technologies
with their own "gotchas" for it all to be in one nice easy place for
you...

But it's for sure a good starting point!

On Tue, August 7, 2007 6:55 pm, FrozenDice wrote:
> Thanks for the info Richard.  I'll check out that website.  Do they
> recommend any literature about PHP security, or is there a "bible" (one
> book that everyone recommends, in EE it's
> http://www.amazon.com/Elements-Analysis-Electrical-Electronic-Engineering/dp/0070612854)
> for PHP security like there usually is for whatever field you're in.
>
> On 8/7/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>>
>> On Tue, August 7, 2007 4:57 pm, Dan wrote:
>> > I've always heard it is bad if you let a user type some input, then
>> > show it back to them w/o sanitizing the code.  Eg. I have a form, where
>> > the user types something, they hit submit and it submits to itself then
>> > prints back to the user something like, account created with password:
>> > whatever they typed.
>> >
>> > Why and how do you sanitize what they typed before echoing it back to
>> > them?
>> > I figured it was something like they could type in PHP commands but I
>> > tried typing phpinfo(); into the box and submitting.  All that happened
>> > is that it echoed phpinfo();
>> >
>> > Can someone explain this?
>>
>> You're actually conflating not one, but TWO (!) different problems.
>>
>> Number 1 is to "filter input".
>> What that means specifically is to be sure that the user input looks
>> EXACTLY the way you expect.
>>
>> Number 2 is to "escape output"
>> What that means specifically is to transform any given chunk of data
>> to a format suitable for its output medium.
>>
>> For example, ANY output headed to the browser should have
>> http://php.net/htmlentities called on it.
>>
>> If it's headed out to a database, it should have a database-specific
>> function called, such as http://php.net/mysql_real_escape_string
>>
>> If it's going to be data in a GET parameter in a URL, it needs
>> http://php.net/urlencode called FIRST, and then htmlentities.
>>
>> If it's headed to XML, however, it should have some kind of XML
>> function called to wrap it into CDATA or a pre-defined data type /
>> format.
>>
>> If it's headed out to Javascript, I think you want
>> http://php.net/json
>>
>> So, you've really got TWO phases:
>>
>> filter input; escape output
>>
>>
>> Why it matters is that Evil People do exist, and they WILL find a way
>> to cause damage to you or even to others, if you fail to do this.
>>
>> Common hacks include executing SQL to damage databases, or adding
>> Javascript to deface websites, or even adding Javascript to use YOUR
>> web-site in an attack upon another website.
>>
>> Here is a good starting point for some of the details of what to do
>> and why:
>> http://phpsec.org/
>>
>> --
>> Some people have a "gift" link here.
>> Know what I want?
>> I want you to buy a CD from some indie artist.
>> http://cdbaby.com/browse/from/lynch
>> Yeah, I get a buck. So?
>>
>>
>



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
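As an added example (not code from the thread, from Richard or from phpsec.org), here is the "filter input; escape output" split in PHP for the self-submitting form Dan describes. The function names and the username policy are my own assumptions, and a PDO prepared statement stands in for mysql_real_escape_string, which was removed along with the mysql extension in PHP 7.0.

```php
<?php
// Added example (not from the thread): Richard's two phases applied to the
// "echo it back" form from the question. All names here are hypothetical.
// Phase 1: filter input. Accept only input that looks EXACTLY as expected.
function filterUsername(string $raw): ?string
{
    // Hypothetical policy: 3-20 letters, digits or underscores; else reject.
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $raw) ? $raw : null;
}

// Phase 2: escape output, one function per output medium.
function forHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forUrlParamInHtml(string $s): string
{
    // urlencode FIRST (the URL medium), then htmlentities (the HTML medium).
    return forHtml(urlencode($s));
}

function forJavaScript(string $s): string
{
    // json_encode yields a JS string literal; the HEX flags also encode
    // < > & ' " so the literal cannot break out of a <script> block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample input standing in for $_POST. The display name is free
// text that cannot be filtered as tightly as the username, so escaping is
// what keeps it from becoming markup or script when echoed back.
$username    = filterUsername($_POST['username'] ?? 'alice_42');
$displayName = $_POST['display'] ?? 'Alice <script>alert(1)</script> "O\'Brien"';

if ($username === null) {
    // Rejected input is never echoed back; report generically instead.
    echo forHtml('Invalid username: use 3-20 letters, digits or underscores.');
    exit;
}
// The same data, escaped once per medium it travels through.
echo '<p>Account created for ' . forHtml($displayName) . '</p>';
echo '<a href="/profile.php?u=' . forUrlParamInHtml($username) . '">Profile</a>';
echo '<script>var who = ' . forJavaScript($displayName) . ';</script>';

// Database medium: a PDO prepared statement stands in for the thread's
// mysql_real_escape_string (removed with the mysql extension in PHP 7.0).
// Assumes a connected $pdo: $pdo->prepare('INSERT INTO accounts (username,
// display) VALUES (?, ?)')->execute([$username, $displayName]);
```

Run it from the command line with no POST data and the constructed display name comes out as inert text in the paragraph, as a percent-encoded then entity-encoded URL parameter, and as a \u-escaped JSON literal inside the script block.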