Groups | Search | Server Info | Keyboard shortcuts | Login | Register

Groups > alt.php > #3191

Re: Do you know of a guide on how to idiot proof php for use on the public web?

From "J.O. Aho" <user@example.net>
Newsgroups alt.php
Subject Re: Do you know of a guide on how to idiot proof php for use on the public web?
Date 2017-03-01 21:21 +0100
Message-ID <ehooq4Fnft1U1@mid.individual.net> (permalink)
References <79516aa6-5f60-4795-836a-b2ce7cb47dbf@googlegroups.com>

Show all headers | View raw

On 03/01/17 19:17, reply@mynetblog.com wrote:
> Do you know of a guide on how to idiot proof php for use on the public web?
> 
> I have great concerns about people XSS'ing my site or other serious stuff.
> My problem is that I assume everything is going to get attacked and am afraid
> to put any php where people can access it.

The best source is owasp.org you, there is a page with more php specific
stuff (not completed): https://www.owasp.org/index.php/Category:PHP

Here is another site looking at the owasp top 10 and giving you some php
related information: http://www.sklar.com/page/article/owasp-top-ten



> I just recently found out about the proxy variable where people set a "proxy"
> variable in their request header that when sent to a CGI script turns into http_proxy
> environment variable. So, I blocked that. (I think.)

Always disable those things you don't use, both in the php.ini and in
the server configuration, if you are administrator of the server.


> Attackers are actively scanning my site for vulnerabilities so I am fearful of putting
> anything on my site that they can attack because I know they will exploit any hole they find.

Just remember to validate data before you use it, say for example you
are expecting a numeric value be posted, then use

if(is_numeric($_POST['postedvaraible'])) {
	//only now assign this value to a variable
	$variableiwilluselaterinmycode = $_POST['postedvaraible'];
}

Look at the page at sklar.com for some good advices, don't forget to
read the documentation at php.net and there are many good comments to
read too on those pages.


-- 

 //Aho

Back to alt.php | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Do you know of a guide on how to idiot proof php for use on the public web? reply@mynetblog.com - 2017-03-01 10:17 -0800
  Re: Do you know of a guide on how to idiot proof php for use on the public web? "J.O. Aho" <user@example.net> - 2017-03-01 21:21 +0100
    Re: Do you know of a guide on how to idiot proof php for use on the public web? "mynetblog.com" <reply@mynetblog.com> - 2017-03-07 00:37 -0800

csiph-web