WebApp Sec mailing list archives
RE: Ten Security Checks for PHP, Part 1
From: "Michael Howard" <mikehow () microsoft com>
Date: Sun, 23 Mar 2003 15:57:11 -0800
> Anyone auditing a PHP program should "look for" those functions

This assumes you know ALL the 'bad' functions... and you don't. What you SHOULD do is determine if the data is correct or not; then it doesn't matter what functions you call (with the possible exception of gets() if you're doing C - it's plain evil :-)

________________________________

From: Sverre H. Huseby [mailto:shh () thathost com]
Sent: Sat 3/22/2003 12:41 PM
To: Michael Howard
Cc: Bob Auger; webappsec () securityfocus com
Subject: Re: Ten Security Checks for PHP, Part 1

[Michael Howard]
|   Aaarrrgggg...
[...]
|
|   This is just wrong. The security issue is NOT THESE FUNCTIONS -
|   it's the data, the fact that $page is untrusted is the issue....

Eh, from the "Ten Security Checks for PHP, Part 1", I can't see that anyone says that those functions are wrong. The functions are listed in the "what to look for" section. Anyone auditing a PHP program should "look for" those functions, and check that they do what is mentioned in the "Possible fixes or improvement" section.

Sverre.

--
shh () thathost com
http://shh.thathost.com/
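The data-centric rule argued above (decide whether the value is correct before it reaches any function) is shown below as an added example; it is not code from this thread or from the "Ten Security Checks for PHP" article. It assumes, hypothetically, that $page arrives in the query string and selects a template file; the allowlist, the pages/ directory and the sample values are constructed for illustration.

```php
<?php
// Added example, not from the thread or the article. Hypothetical scenario:
// $page comes from the request and names a template under pages/.

// Fixed set of pages the application actually serves (constructed for illustration).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Return the validated page name, or null when the request does not name a known page.
 * The decision rests on the data alone: a strict comparison against a fixed allowlist.
 * Once this passes, it no longer matters which function consumes $page.
 */
function validatePage(?string $requested): ?string
{
    if ($requested === null) {
        return 'home';                 // no page requested: use the default
    }
    // Strict (===) membership test: no normalisation, no prefix or partial matches.
    return in_array($requested, ALLOWED_PAGES, true) ? $requested : null;
}

/**
 * Run the rule over constructed sample values and return the verdicts,
 * so the allowlist can be checked offline without a web server.
 */
function auditSamples(): array
{
    $samples  = ['home', 'about', 'Home', 'contact.php', '../config', 'home%00', null];
    $verdicts = [];
    foreach ($samples as $value) {
        $result = validatePage($value);
        $verdicts[var_export($value, true)] = $result === null ? 'rejected' : "accepted ($result)";
    }
    return $verdicts;
}

if (PHP_SAPI === 'cli') {
    // Offline check: only 'home', 'about' and null (-> home) are accepted.
    foreach (auditSamples() as $input => $verdict) {
        printf("%-14s => %s\n", $input, $verdict);
    }
} else {
    // Web request: reject anything outside the allowlist before it is used anywhere.
    $page = validatePage($_GET['page'] ?? null);
    if ($page === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    // $page is now one of a handful of known constant strings (hypothetical path).
    include __DIR__ . "/pages/{$page}.php";
}
```

Run from the command line, the script prints the verdict for each constructed value; served by a web server, the same function gates the include. An auditor can review the allowlist and the single comparison instead of enumerating every function that might eventually receive $page.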
Current thread:
- Ten Security Checks for PHP, Part 1 Bob Auger (Mar 21)
- <Possible follow-ups>
- RE: Ten Security Checks for PHP, Part 1 Michael Howard (Mar 22)
- RE: RE: Ten Security Checks for PHP, Part 1 {Very usefull sugestions....} Ing. Bernardo Lopez (Mar 23)
- Re: Ten Security Checks for PHP, Part 1 Sverre H. Huseby (Mar 23)
- RE: Ten Security Checks for PHP, Part 1 Michael Howard (Mar 23)