| From | "J.O. Aho" <user@example.net> |
|---|---|
| Newsgroups | alt.php |
| Subject | Re: Do you know of a guide on how to idiot proof php for use on the public web? |
| Date | Wed, 1 Mar 2017 21:21:24 +0100 |
| Message-ID | <ehooq4Fnft1U1@mid.individual.net> |
| References | <79516aa6-5f60-4795-836a-b2ce7cb47dbf@googlegroups.com> |
| In-Reply-To | <79516aa6-5f60-4795-836a-b2ce7cb47dbf@googlegroups.com> |
On 03/01/17 19:17, reply@mynetblog.com wrote:
> Do you know of a guide on how to idiot proof php for use on the public web?
>
> I have great concerns about people XSS'ing my site or other serious stuff.
> My problem is that I assume everything is going to get attacked and am afraid
> to put any php where people can access it.
The best source is owasp.org; there is a page with more php-specific
stuff (not completed): https://www.owasp.org/index.php/Category:PHP
Here is another site looking at the owasp top 10 and giving you some
php-related information: http://www.sklar.com/page/article/owasp-top-ten
> I just recently found out about the proxy variable where people set a "proxy"
> variable in their request header that when sent to a CGI script turns into http_proxy
> environment variable. So, I blocked that. (I think.)
Always disable those things you don't use, both in the php.ini and in
the server configuration, if you are administrator of the server.
> Attackers are actively scanning my site for vulnerabilities so I am fearful of putting
> anything on my site that they can attack because I know they will exploit any hole they find.
Just remember to validate data before you use it, say for example you
are expecting a numeric value to be posted, then use
if (isset($_POST['postedvariable']) && is_numeric($_POST['postedvariable'])) {
    // only now assign this value to a variable
    $variableiwilluselaterinmycode = $_POST['postedvariable'];
}
Look at the page at sklar.com for some good advice, don't forget to
read the documentation at php.net, and there are many good comments to
read too on those pages.
--
//Aho
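As an added example (not code from the post above or from the sites it links), a stricter version of the validate-before-use pattern for a numeric POST field, together with output escaping for the XSS concern raised in the thread. The field name `quantity`, the bounds and the sample requests are assumptions constructed for the demonstration.

```php
<?php
// Added example, not from the original post. Validates a POSTed integer
// field before it is used and escapes untrusted text before it is echoed.

/**
 * Return the field as an int only if it is present, is a string, is exactly
 * a decimal integer and lies within [$min, $max]; otherwise return null.
 *
 * is_numeric() alone also accepts " 42", "1e3" and "4.5", and a request such
 * as quantity[]=1 makes the field an array, so both cases are rejected here.
 */
function postedInt(array $post, string $field, int $min, int $max): ?int
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;                       // missing, or an array/non-string
    }
    // Exactly a decimal integer: no whitespace, sign, exponent or decimal point.
    // At most 18 digits so the (int) cast cannot overflow on 64-bit PHP.
    if (!preg_match('/\A(?:0|[1-9][0-9]{0,17})\z/', $post[$field])) {
        return null;
    }
    $value = (int) $post[$field];
    return ($value >= $min && $value <= $max) ? $value : null;
}

/** Escape untrusted text for an HTML body or attribute context. */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample requests standing in for $_POST (assumed field 'quantity').
$samples = [
    ['quantity' => '42'],                          // accepted
    ['quantity' => ' 42'],                         // is_numeric() true; rejected here
    ['quantity' => '1e3'],                         // is_numeric() true; rejected here
    ['quantity' => '99999'],                       // out of range; rejected
    ['quantity' => '<script>alert(1)</script>'],   // rejected, escaped when echoed
    ['quantity' => ['1']],                         // array, not a string; rejected
    [],                                            // missing field; rejected
];

foreach ($samples as $post) {
    $raw = $post['quantity'] ?? '(missing)';
    $qty = postedInt($post, 'quantity', 1, 1000);
    if ($qty === null) {
        // Never echo raw input unescaped, not even inside an error message.
        echo 'rejected: ' . (is_string($raw) ? h($raw) : gettype($raw)) . "\n";
    } else {
        echo "accepted: $qty\n";
    }
}
```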