WebApp Sec mailing list archives
RE: Anyone have some basic security tips for PHP-programmers?
From: exon <exon () home se>
Date: Mon, 24 Nov 2003 08:54:07 +0100
Hmm. Not the most accurate post I've seen so far, but it reaches quite high on the other side of the scale.
First of all, PHP is a scripting language with built-in overflow checking. Not trusting user data (from $_POST, $_GET, or $_COOKIE) is of course healthy, but PHP is NOT vulnerable to buffer overflows from PHP scripts.
Second of all, PHP is a scripting language (heard it before?), which means that the code doesn't GET compiled at all. It gets interpreted at run-time by a parsing engine, just like any other scripting language.
Third of all, 'placing' a website on a server with a lot of memory does absolutely nothing to improve security. It addresses performance and nothing else.
Fourth of all, placing 'website code' (I suppose you mean HTML, PHP and cgi-scripts) on a CD does NOT prevent it from being defaced. If the system runs on writable media it's child's play to anyone with root access, half a brain and a friggin palm pilot to make the webserver daemon read any directory they damn well please. Running the entire system from a CD is a different matter, but it makes for extremely cumbersome management and is generally not an option.
...
/Andreas Ericsson

Herbold, John W. wrote:
> A simple one, but watch for overflow. If you allow a user to input,
> use edits. Do not rely on HTML or Java edits, as they can bypass
> those by typing in the URL. It has also been recommended that all
> code gets compiled, so the code can not be compromised. I have also
> heard of placing the website code on a server with a lot of memory,
> and placing the entire website on a CD-ROM, so it can not be defaced.
>
>
> Thanks,
>
> John W. Herbold Jr.
> Security Specialist
> 501-399-3939

--
If riding in a plane is flying, then riding in a boat is swimming.
If you want to experience the element; get out of the vehicle!