






PHP Website Security


We have developed an ads network script for running an ads network site. Can someone please guide us on security features that we must implement to prevent hacking and exploits...?

We have looked into major security problems commonly known, like image upload checks, but I would like to know more about other security checks that are generally overlooked.





Related Forum Messages:
Website Security
I don't know anything about website security. I want to know about the script in .htaccess to deny *.html/htm files, and the script in .htaccess to make sure of the security of our web, because my website often gets hacked... Besides using .htaccess, what should we do to make sure our website is secure??

View Replies !
Website Security With PHP
I'm developing a program that uses an email and password to log in. Does anyone know of any security features that I can put in to prevent users from giving out their password, or at least prevent an unauthorized user from using my site without signing up?

View Replies !
Website Security + Htaccess Tricks
I am trying to redirect websitehere.com/controlpanel to the index page rather than a login for cPanel; I'm thinking this could be done through htaccess? I've contacted my web host, but they were no help. After the redirection, is there any other way I can access my control panel?

View Replies !
Password Security Measure In A Website
here is some code for a password security measure in a website: Code:

View Replies !
Posting To A Secure(https) Url From A Non-secure Website Would That Be A Security Risk?
If I am posting to a secure(https) url from a non-secure website would that be a security risk? Using curl to post data for credit card processing.

View Replies !
PHP Security - Some Common Security Pitfalls That Are Inherent In The Language?
I'm working on developing an application in PHP4/MySQL and I've got very little experience with either. Most of my work is in ASP/Access and compiled programs. The app that I'm developing doesn't need to be perfectly secure, but I want to avoid common pitfalls, and I have no idea where to start.

From your experience, what are some common security pitfalls that are inherent in the language? I shouldn't have any trouble with program logic being an issue, just stuff that may be PHP specific. (Like the User being able to put anything that they'd like in the QueryString and having that show up as a variable in the script).

View Replies !
Change Website To Php,mysql Data-driven Website
At the moment this site is not completely PHP. How can I make the content of the pages come from a MySQL database? And how do I make the nav buttons work correctly, connecting to the MySQL database and displaying the correct content?

View Replies !
How Would Php Security Compare To Java Security?
I just want to know how PHP security would compare to Java security. It's because my officemate and I are developing a site which would handle confidential documents and we just can't decide whether we should use PHP or Java. Please do post your opinions regarding this; it would be even better if you could also post links to write-ups about PHP security.

View Replies !
Security - What Security Dangers Should I Be Aware Of?
I am quite new to PHP but I have managed to write a simple page create script. So far the script does not have any user input. It does open/write files and it also accesses my MySQL database. No variables are passed from script to script either.

My question is, what security dangers should I be aware of? My other question is, can you download a php file and view the contents?

View Replies !
How To Upload File From Website To My Website?
I want to make an upload page. I can upload a file from my computer to my website, but I don't know how to upload a file from another website to my website. How can I make it?

View Replies !
PHP And Security??
I am very new with PHP and web content in general, and my concern is with my novice ability leaving huge security holes for any joker to have their way with.

Here is my current thought.

If I have a PHP script in a public html folder named index.php3, how secure is this, if at all?

Say I have a line like:
mysql_pconnect("host", "account", "password");

How easy is it for people to get the host, account and password?

View Replies !
Security
For security reasons I want to know more about (1)where session store its info and (2)what "single sign on" is. Does anybody know any articles about these subjects, or does anyone know the answers to these 2 questions?

View Replies !
PDF Security
This is where the security problem is POSTED

Is there anything we could do server side?

In the meanwhile I am turning off on each client's domain the user PDF uploading capability (where it is allowed) and restrict to the domain admin side that capability.

View Replies !
Security In Php
I'm doing OK for a newbie in PHP, but I just have a few questions as far as security goes. I am actually a Java programmer, so from my experience with an object-oriented language I would like to use encapsulation and other methods used in Java with PHP. For example, I would like to make a PHP page that handles my database connection and has a whole lot of functions that I can call as I need them instead of re-coding the connection each time. I know that I can use 'require('****.php')' and 'include('xxx.php')' to get access to the code in xxx.php, but can I extend and override the functions in xxx.php, and is it safe to connect to a database in this way?

I also wanted to know if it is more secure to put a PHP script in the same web page, or to make a page that contains the script and another HTML page that uses a form to go to the PHP page? And finally, I just want to know if anyone knows of any good reading material on the topic of integrating Java with PHP (except the PHP manual)....

View Replies !
PHP Security
I am fairly new to the php scene but have managed to learn quite a bit from you folks and other resources on the web. I have developed a few scripts that actually work. LOL.

I ran across a post on here mentioning Chris Shiflett and took a trip over to his site. He has some intriguing articles on the security of php scripts. However, he doesn't get into much detail as it would seem he writes for a more advanced crowd.

Anyway, what I am looking for now is more information on securing these scripts. Know a good book? Maybe a good website? By all means, let me know!

View Replies !
WS-Security
I am currently using NuSOAP to create a web service, but I'd like to use WS-Security. AFAIK, NuSOAP doesn't support this. Is there anything else for PHP I can use that does implement WS-Security?

View Replies !
Security: SSL And Other
i got a few questions here:

a) With sessions, is it worth the code hassle to hash the session file before any writing or reading is done, to check that the data is valid?

b) Does anyone know any basic introductions to SSL? I want to use it as it's most effective against session hijacking and other attacks.

View Replies !
PDF Security?
I have a portal secured through PHP scripts. I want to have a PDF document online. Is there a way to secure a PDF document through PHP? If not, how else would I do that?

View Replies !
.inc Security
I'm trying to start learning PHP security and recently read this:

Don't store includes under document root.
The only resources you should store under document root are
those that must be accessible via URL.
Making anything else available to the public is an unnecessary
risk.

If you must:

<Files ~ ".inc$">
Order allow,deny
Deny from all
</Files>

If I can't install .inc files under my root, why would a related directory be any more secure? Couldn't the user, if they knew enough to search the .inc path to begin with, follow the second .inc path? Sorry if this is obvious and I'm missing the obvious.

View Replies !
Ip Security
What I am trying to do is, when you go to vote, check your IP based upon a subid and compare that to the remote address to prevent double votes. Here is the coding. PHP Code:

/* BEGIN ANTI CHEATING VERIFICATION PROTOCOL */
// subid is used unquoted in the query, so force it to an integer.
$subid = (int) $subid;
$sql = "SELECT * FROM voted WHERE subid = $subid";
$r = mysql_query($sql) or die('Error, query failed');
$arr = mysql_fetch_array($r);
// mysql_fetch_array() returns false when no row matched.
$ip = $arr ? $arr['ip_address'] : '';

// Compare with == (a single = assigns, so the original test was always true
// for any non-empty address). Read the remote address from $_SERVER instead
// of relying on register_globals.
if ($ip != '' && $ip == $_SERVER['REMOTE_ADDR']) {
    echo "<p align=center  class=contest_small>SORRY YOU HAVE ALREADY VOTED";
    exit;
}
/* END ANTI CHEATING PROTOCOL */

View Replies !
CSS, PHP And Security
I am thinking about opening a web site which will allow people to register and then have direct access to a stylesheet in order to brand their page. When a user saves their stylesheet, the system will reject it if it includes any of the '<', '>' or '?' characters. I know this restricts some CSS, but that's fine for my purposes. Is there anything else I should check for? How vulnerable does having this option leave me?

View Replies !
CMS Security
I'm here still learning about PHP and MySQL, from a lot of different sources right now. One of my goals is to get the simplest type of CMS up and running. If I really needed one I would probably use something like WordPress, but I'm just interested in learning how they function.

I have some basics down.. Looking into regular expressions at the moment. But I was wondering if anyone here had some good links they could share, regarding how to implement techniques for preventing security issues and such. As of the moment I only know of like, query injection but I've heard of other things like session stealing and some others I cannot remember.

View Replies !
Security
I don't know if this is the right forum, but I was wondering: if you store your MySQL database connection details in a PHP file that you then include() on each page, is that a secure way to go about it? I thought about this because if someone knows your filename they could just type it to get your username and password. Would changing the permissions on this file work, or is there a generally much more secure way to do this sort of thing?

View Replies !
Md5() And Security
I have created a form with the help from Houdini and I need some assistance with security. In the application customers will be inputting SSN#'s and checking account #'s. I want this information to be secure when it's submitted. The form will be processed to an email address. How would I set up this security to work with my form?

View Replies !
RSS To Website
I have a client who has given me a link to some other website's RSS feed; he wants to display the data from the RSS feed in his website. How to make this? Is it like reading the XML and displaying it, or is there some other way to do this?

View Replies !
Get Website URL
I've seen scripts which get the exact url to the path where I'm using this script. It gets the full website url with sub folders, etc.: http://www.test.com/...

How can I do this in php?

View Replies !
Value From A Website
I need to get a few values from a website.

<input type="hidden" name="codeid" value="06d9b659a29457953665eb06f767376b">

<input type="image" src="secImage2.php?rand=185&codeid=06d9b659a29457953665eb06f767376b" name="secCode">

View Replies !
PHP Website
I'm working on a website, and I want to display a font that is not on many machines. It is called vrinda.ttf; actually it is to show some Bengali font. Can you please tell me the code to include this font into the PHP files and enable it to be universal? I already put this font in the root directory, but don't know the command in PHP to display the font for Macintosh and Linux.

View Replies !
My Php Website
I have a real-estate website www.GreatHomeLiving.com and I am not very good with PHP, so I am looking for someone who can help me make some changes to my site. All I want to do is make it so when people sign up for our free listing service they can log in and post their listings right away.

Right now it works like this. When a new customer signs up they have to wait until I go to my admin panel and activate their account. I would like to make this automated so I don't have to do anything and my customers will be happy. Right now I am losing a lot of people because they won't come back and post their listings after I activate their account. It just takes too long and they go elsewhere.

View Replies !
Website With Php
What's the best way to sample content from other web pages so that its format can be altered and displayed, the way Google's news section takes a sample of content from news sites?

View Replies !
WebSite Pro 2.5
I downloaded the latest version of PHP and installed it on my Win XP Pro system, running O'Reilly's WebSite Pro 2.5.4. I read the specific installation manual for WebSite Pro and did everything that was necessary to run PHP as a CGI script. I also copied php4ts.dll into my system32 folder. I then created a small web page (index.php) with this content:

<html>
<head>
<title>Test PHP</title>
</head>
<body>
<?php echo "Hello world<p>"; ?>
</body>
</html>

View Replies !
Security Measures!!!
Can I use session_is_registered() to track if the user has already logged in before using any pages on my web? Or is there a much easier and more efficient way?

View Replies !
A Book On PHP And Security
Are there any books out there on PHP and Security issues?

View Replies !
Where Can I Find Something About Security?
Do you know where I can find something about security? I mean encryption and all that? Can I do it with PHP?

View Replies !
Script Security
Is it more safe to keep code scripts outside of root and have them included in scripts inside of root?

View Replies !
Include() Via URL And Security
I have written a web-based application that uses header and footer files to provide a co-branded look for customers.

every page is like this example

include customer's header
print generated content
include customer's footer

Here is the problem. I want to let users keep the header and footer files on their webservers so they can edit them and not have to bother me when they make changes.

How do I ensure that they are not going to pass me a file that contains malicious code?

For example, if the header file is like this, bad things would happen:

<html>
<body>
Stuff
<?
exec (cat /etc/passwd)
?>
</html>

I want to escape all php code that is in the include file because the include should only have html in it.

Should I use fopen and find/replace the PHP code?

The two important considerations for the solution are speed and security.

The header and footer are included on every page and I do not want something that is going to slow down the process very much. Currently pages load very quickly using a regular include via URL.

View Replies !
What Are Different Security Methods In PHP
What are the different USER security methods which we can follow, and how do
we manage them? It will be helpful for all of us.

What I know is to manage the session ID and to manage the user security along
with it only.

What would you like to suggest for user-managed security?
I ask you all to share your views on different methods.

View Replies !
Security Issues With PHP SSI
I was wondering if there are any security issues I should know about with using PHP Server Side Includes.

View Replies !
Is This A Security Issue
While trying to sign on at a website, I got the following PHP code
back. I suppose that their apache was mistakenly returning php text
instead of executing it....

View Replies !
Security Question
If I have a file in the public html directory (e.g. mypage.php) then can
anyone read this file (i.e. read its actual content rather than the
interpreted contents it returns when someone opens
www.myurl.com/mypage.php)?

View Replies !
Security Through Obscurity
I've got some security through obscurity questions - not directly related to
PHP programming per se, but indirectly related, as most php programmers are
also server admins of their servers.

I want to restrict what my box reports back to the likes of scanners like
Nmap & Nessus.

I know how to get PHP to not report its version number, and the same with
Apache.

My question is:

a) How do I prevent MySQL from reporting its version number?

b) My Apache now reports itself as just "Apache" - can I fake that, and just
get it to report as, say, "MyWebServer"?

c) Is it possible to get MySQL to report back as say "Oracle"?

d) What about PHP - can I fake the reporting of it to say "Tomcat version 2"
or something?

View Replies !
Security About POST!
I need to check and make sure users don't "hack" my POST values, but I'm not really sure if I need to check these POST values..

The values are coming from a registration form, and are the following... I will obviously check the database for existing users or existing email addresses, but other than that, this code can't really be used to hack me, can it?? PHP Code:

View Replies !
Security Advice On My Cms
I am using the following code to make module system cms.
Code:
//index.php
require_once("mainfile.php");
global $site_path;

if (!isset($_GET["file"])) {
    $file = "index";
} else {
    $file = $_GET["file"];
}
if (!isset($_GET["mod"])) {
    $mod = "home";
} else {
    $mod = $_GET["mod"];
}

// In a regular expression "." matches ANY character, so ereg("..", $x) was
// true for almost every name. Test for the literal ".." instead (ereg() is
// also deprecated).
if (strpos($mod, "..") !== false || strpos($file, "..") !== false) {
    echo "Bad boy";
    exit();
}
$file = "$site_path/modules/$mod/$file.php";
if (file_exists($file)) {
    include($file);
} else {
    die("sorry, File does not exist");
}

You can see that I am using this concept
http://www.mysite.com/index.php?mod=$modulename&file=$modulefilename

I just want to know if there is any security hole in the code. How do I stop direct access to a file without going through my main index.php file? Let's say I have a module called "member" and inside I have index.php, myprofile.php etc., and I want to stop direct access to these files (i.e. http://www.mysite.com/member/index.php).

Only http://www.mysite.com/index.php?mod=member&file=index is allowed in this case.

View Replies !
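A hardened version of the module loader from the post above, added here as an example (it is not the poster's code). It assumes the poster's layout of $site_path/modules/<mod>/<file>.php and that index.php sits at the site root; IN_CMS is a constant introduced for this example.

```php
<?php
// Hardened module loader (added example, not the poster's code).
// Assumes the posted layout: $site_path/modules/<mod>/<file>.php.
// Only the module and file NAMES come from the request; the directory
// and the ".php" extension are fixed here, so the include cannot be
// pointed anywhere else.

define('IN_CMS', true);          // used by module files to refuse direct hits
$site_path = __DIR__;            // assumption: index.php is at the site root

/**
 * Return the absolute path of the module page to include, or null if the
 * request names anything outside the modules tree.
 */
function resolve_module_page($site_path, $mod, $file)
{
    // Allowlist: lower-case letters, digits and underscore only. This rejects
    // "..", "/", "\", null bytes and "php://" style wrappers before any
    // filesystem call. (The posted ereg("..") test is a regex in which "."
    // matches ANY character, so it matched almost every name.)
    $ok = '/\A[a-z0-9_]{1,32}\z/';
    if (!preg_match($ok, $mod) || !preg_match($ok, $file)) {
        return null;
    }

    $base      = realpath($site_path . '/modules');
    $candidate = realpath($base . '/' . $mod . '/' . $file . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // Defence in depth: realpath() resolves symlinks, so confirm the final
    // path is still under modules/ and is a plain file.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

$mod  = isset($_GET['mod'])  ? $_GET['mod']  : 'home';
$file = isset($_GET['file']) ? $_GET['file'] : 'index';

$page = resolve_module_page($site_path, $mod, $file);
if ($page === null) {
    header('HTTP/1.0 404 Not Found');
    exit('Sorry, file does not exist');
}
include $page;

// In every module file (e.g. modules/member/index.php) make this the first
// line, so a direct request to that URL stops before any code runs:
//   if (!defined('IN_CMS')) { exit; }
// Better still, keep modules/ outside the document root, or deny it with a
// <Files>/<Directory> block in .htaccess as the ".inc Security" thread above shows.
```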
Security Issues?
I'm new to PHP but have read enough to know to ask the experts before implementing anything. I want to allow non-registered visitors to submit data via a form. That data would not be immediately viewable on the website (I would review and edit before adding the data to the rotation). The visitor would get a 'thank you' page upon submission (no posted data displayed back to them). Is there any danger to my database in allowing just text to be inserted? In other words, are there malicious things that malicious people could do with a text form? I'm not allowing image or file uploads or anything else.

View Replies !
Security Sql Injections
I've been doing some reading up on sql injections, but I'm still not clear on them. Can they only occur when a user inputs information into a form? What about in a url that uses a $_GET thingy?

Does my code look like it could be vulnerable to a sql injection or anything else? (Also, can it be optimized or does it look pretty good the way it is?)

What the page does is, after someone clicks on a release name from a discography list, they are sent to this page and the data matching the release_id is extracted and displayed.

View Replies !
Help Need Php Security Info
I need to put on a demo of a php security flaw and how to fix it. Can anyone
point me in the direction of a good doc and fix example ...

View Replies !
Some Simple Security
I want to be able to add some simple security to one of my pages, basically
my page allows users to submit a text field which gets parsed into MySQL db
and displayed on other pages. At the moment anyone can submit text which
opens the page to abuse. I don't want to implement a user login system. I
had envisaged the addition of a password entry box which the Submit button
checks against the db before proceeding, so if any user has the correct
password then they can submit.

Having never done password stuff before, could somebody please point me in
the right direction?

Also, if I have the config data to connect to the mysql db in a PHP file on
my server, can anybody just open it?

View Replies !
Sessions And Security
I was reading a few posts about sessions and security, and it seems
that the best way to address sessions security is to require
authentication every time the user needs to get to sensitive data (or
protect the session data with SSL). In other words, assume that the
world can see your session data stored in cookies if you're not using
SSL. So, I started looking for exceptions to this rule of thumb
(requiring authentication for sensitive data, even if the user has
already logged in and has session data in a cookie), and I found one
on ebay. If you log on to ebay, and then go to your personal
information, and then try to edit, say, your credit card information,
you are asked to log in. However, if you check the check box that
says "keep me logged in for 1 day unless I log out" (or whatever), you
no longer have to log in to get to your credit card information. So
obviously, they have secured the session data without SSL (or https).
How is this accomplished? Is there an equivalent construct in PHP?

View Replies !
Regarding Session Security
I've been delving into persistent sessions more, and I'm just wondering...
To prevent session-snatching (by someone else using the same session ID),
would putting the IP address as a session variable, and checking that on
every page, be an effective deterrent? This still allows for IP spoofing,
but anyone going that far can have it.

View Replies !
Security Matrix
I need a security matrix in my PHP project.

The security matrix roles are Administrator, Engineer, Storeman and
Customer.
One of my peers said that to make the PHP project more robust, I should
use a byte value as the security matrix. For example as shown below:

User id   Name   Security Matrix
1         A      15
2         B      1
3         C      2

From the table above, user A is 1111
(Administrator, Engineer, Storeman, Customer), B is 0001 (Customer) and C
is 0010 (Storeman).

My question is, how am I going to check if the user is Administrator
or Customer or etc.?
Any PHP function to check it?

View Replies !
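Role checks on the bitmask layout described in the post above, added as an example (not the poster's code). The bit values follow the poster's table (1111 = Administrator, Engineer, Storeman, Customer); the ROLE_* constants, the function names and the sample rows are constructed for this example.

```php
<?php
// Bitmask "security matrix" helpers (added example, not the poster's code).
// Bit order follows the poster's 1111 = Administrator,Engineer,Storeman,Customer,
// so Administrator is the high bit and Customer the low bit.

define('ROLE_CUSTOMER',      1);  // 0001
define('ROLE_STOREMAN',      2);  // 0010
define('ROLE_ENGINEER',      4);  // 0100
define('ROLE_ADMINISTRATOR', 8);  // 1000

/** True if $matrix has EVERY bit in $roles set (AND keeps only shared bits). */
function has_role($matrix, $roles)
{
    return ((int) $matrix & $roles) === $roles;
}

/** True if $matrix has AT LEAST ONE of the bits in $roles set. */
function has_any_role($matrix, $roles)
{
    return ((int) $matrix & $roles) !== 0;
}

/** Matrix with $roles added: OR sets bits without touching the others. */
function grant_role($matrix, $roles)
{
    return (int) $matrix | $roles;
}

/** Matrix with $roles removed: AND-NOT clears only those bits. */
function revoke_role($matrix, $roles)
{
    return (int) $matrix & ~$roles;
}

/** Human-readable list, e.g. 15 -> "Administrator, Engineer, Storeman, Customer". */
function describe_roles($matrix)
{
    $names = array(
        ROLE_ADMINISTRATOR => 'Administrator',
        ROLE_ENGINEER      => 'Engineer',
        ROLE_STOREMAN      => 'Storeman',
        ROLE_CUSTOMER      => 'Customer',
    );
    $out = array();
    foreach ($names as $bit => $name) {
        if (has_role($matrix, $bit)) {
            $out[] = $name;
        }
    }
    return $out ? implode(', ', $out) : '(none)';
}

// Constructed sample rows mirroring the poster's table: A=15, B=1, C=2.
$users = array('A' => 15, 'B' => 1, 'C' => 2);
foreach ($users as $name => $matrix) {
    printf("%s (%04b): %s\n", $name, $matrix, describe_roles($matrix));
}

// Typical page guard: only Administrators or Engineers may continue.
// $_SESSION['matrix'] is assumed to be set at login from the users table.
// if (!has_any_role($_SESSION['matrix'], ROLE_ADMINISTRATOR | ROLE_ENGINEER)) {
//     header('HTTP/1.0 403 Forbidden');
//     exit('Not allowed');
// }
```

Keep the matrix in the server-side session (loaded from the database at login), never in a cookie or hidden form field the browser can rewrite.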
Upload Security
I have a question concerning security of my file upload script. I'm using
the php upload routines (move_uploaded_file,...) and variables ($_FILES) to
upload images to a webdirectory. Everything works fine, meaning that I can
upload images BUT only if I change the permission of the directory to which
the uploaded images are moved to 777. I guess that this is not such a good
thing from a security point of view. So here are some questions I have:
1) is this really that dangerous? How could this be exploited by an
attacker?
2)using chmod in my php script (to switch back and forth between 700 and
777) is not an option since I'm on a virtual host and PHP is in safe mode
3)creating a directory which is not reachable by webbrowser does not seem to
be possible either since outside my webdirectory; everything is root-owned
and obviously only my ISP has root permission ;-)
4)I know that changing to ftp functions might solve this problem but I want
to do image resize operations on the uploaded image afterwards anyway so I
would prefer solutions allowing the creation of safe directories or
something similar

View Replies !
Url Variables And Security
What about the security of the $_GET[something] variables?

View Replies !

Copyright © 2005-08 www.BigResource.com, All rights reserved