WebApp Sec mailing list archives

RE: Anyone have some basic security tips for PHP-programmers?


From: exon <exon () home se>
Date: Mon, 24 Nov 2003 08:54:07 +0100

Hmm. Not the most accurate post I've seen so far, but it reaches quite high on the other side of the scale.

First of all, PHP is a scripting language with built-in overflow checking.
Not trusting user data (from $_POST, $_GET, or $_COOKIE) is of course
healthy, but PHP is NOT vulnerable to buffer overflows from PHP scripts.

Second of all, PHP is a scripting language (heard it before?), which means that the code doesn't GET compiled at all. It gets interpreted at run-time by a parsing engine, just like any other scripting language.

Third of all, 'placing' a website on a server with a lot of memory does
absolutely nothing to improve security. It addresses performance and nothing else.

Fourth of all, placing 'website code' (I suppose you mean HTML, PHP and
cgi-scripts) on a CD does NOT prevent it from being defaced. If the system runs on writable media it's child's play to anyone with root access, half a brain and a friggin palm pilot to make the webserver daemon read any directory they damn well please. Running the entire system from a CD is a different matter, but it makes for extremely cumbersome management and is generally not an option.

...

/Andreas Ericsson


Herbold, John W. wrote:

> A simple one, but watch for overflow.  If you allow a user to input,
> use edits.  Do not rely on HTML or Java edits, as they can bypass
> those by typing in the URL.  It has also been recommended that all
> code gets compiled, so the code can not be compromised.  I have also
> heard of placing the website code on a server with a lot of memory,
> and placing the entire website on a CD-ROM, so it can not be defaced.
>
>
> Thanks,
>
> John W. Herbold Jr.
> Security Specialist
> 501-399-3939


--
If riding in a plane is flying, then riding in a boat is swimming.
If you want to experience the element; get out of the vehicle!
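As an added illustration of the one point both posters agree on (validate user input server-side, because browser-side "edits" are bypassed by typing values into the URL), here is example code that is not from either poster; the field names, rule table and limits are constructed for the demo.

```php
<?php
// Added example: server-side validation of request data. HTML maxlength
// attributes and client-side script checks are advisory only; the request
// that actually arrives can carry anything, so every rule is enforced here.
declare(strict_types=1);

// Validate one request field against an explicit rule; return the cleaned
// value, or null when the field is missing, malformed or out of range.
function validate_field(array $source, string $name, array $rule): mixed
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null; // missing keys and array-valued params are rejected
    }
    $raw = $source[$name];
    if (strlen($raw) > $rule['max_len']) {
        return null; // the real length limit lives here, not in the form
    }
    switch ($rule['type']) {
        case 'int':
            $v = filter_var($raw, FILTER_VALIDATE_INT,
                ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]]);
            return $v === false ? null : $v;
        case 'enum':
            return in_array($raw, $rule['allowed'], true) ? $raw : null;
        case 'username':
            return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
        default:
            return null;
    }
}

// Constructed rule table for a demo form: every accepted parameter is listed.
$rules = [
    'page' => ['type' => 'int', 'max_len' => 6, 'min' => 1, 'max' => 1000],
    'sort' => ['type' => 'enum', 'max_len' => 8, 'allowed' => ['asc', 'desc']],
    'user' => ['type' => 'username', 'max_len' => 32],
];

$clean = [];
foreach ($rules as $name => $rule) {
    $value = validate_field($_GET, $name, $rule);
    if ($value === null) {
        http_response_code(400);
        exit('Invalid value for ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    $clean[$name] = $value; // only $clean is used from here on, never $_GET
}
```

A request such as `?page=99999999&sort=desc` is refused at the length check even though a form's `maxlength` would have stopped it in the browser, which is the whole reason the check must be repeated on the server.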


