WebApp Sec mailing list archives

RE: Ten Security Checks for PHP, Part 1


From: "Michael Howard" <mikehow () microsoft com>
Date: Sun, 23 Mar 2003 15:57:11 -0800

|   Anyone auditing a PHP program should "look for" those functions

this assumes you know ALL the 'bad' functions... and you don't

what you SHOULD do is determine if the data is correct or not, then it doesn't matter what functions you call (with the possible exception of gets() if you're doing C - it's plain evil :-)

________________________________

From: Sverre H. Huseby [mailto:shh () thathost com]
Sent: Sat 3/22/2003 12:41 PM
To: Michael Howard
Cc: Bob Auger; webappsec () securityfocus com
Subject: Re: Ten Security Checks for PHP, Part 1



[Michael Howard]

|   Aaarrrgggg... [...]
|  
|   This is just wrong. The security issue is NOT THESE FUNCTIONS -
|   it's the data, the fact that $page is untrusted is the issue....

Eh, from the "Ten Security Checks for PHP, Part 1", I can't see that
anyone says that those functions are wrong.  The functions are listed
in the "what to look for" section.  Anyone auditing a PHP program
should "look for" those functions, and check that they do what is
mentioned in the "Possible fixes or improvement" section.



Sverre.

--
shh () thathost com
http://shh.thathost.com/
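The point Michael makes above (validate the data, then the choice of function stops mattering) as an added PHP example, not code from the thread or from the "Ten Security Checks for PHP" article it discusses. It assumes `$page` is a request parameter that selects a template to include; the allowlist contents, the function names `validate_page` and `render_page`, and the sample inputs are all constructed for the example.

```php
<?php
// Added example; assumes $page ends up in something like include("pages/$page.php").

/**
 * Return the page name if it is one the application actually has,
 * otherwise null. The decision is made on the data itself, before any
 * function (include, fopen, ...) ever sees it.
 */
function validate_page(string $page): ?string
{
    // Constructed allowlist of the pages this application serves.
    static $known_pages = ['home', 'about', 'contact'];

    // Strict comparison, exact match: no prefixes, separators or NUL bytes slip through.
    if (in_array($page, $known_pages, true)) {
        return $page;
    }
    return null;
}

/**
 * Render the requested page, or a generic error if the request is not
 * one of the known pages. Rejecting is safer than trying to "clean up"
 * an unexpected value.
 */
function render_page(string $requested): string
{
    $page = validate_page($requested);
    if ($page === null) {
        return "unknown page\n";
    }
    // $page is now trusted data; whatever consumes it next is fine.
    // A real application would do: include __DIR__ . "/pages/$page.php";
    return "rendering pages/$page.php\n";
}

// Constructed sample requests: one valid name and three shapes an auditor
// would expect to see rejected.
foreach (['about', 'about.php', '../other', "home\0"] as $input) {
    printf("%-16s -> %s", json_encode($input), render_page($input));
}
```

An auditor grepping for `include` (or any other "function to look for") would still land on the call in `render_page`; what settles the audit is that the only value reaching it has already passed `validate_page`.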
