WS-Security
I am currently using NuSOAP to create a web service, but I'd like to use WS-Security. AFAIK, NuSOAP doesn't support this. Is there anything else for PHP I can use that does implement WS-Security?
Related Forum Messages:
PHP Security - Some Common Security Pitfalls That Are Inherent In The Language?
I'm working on developing an application in PHP4/MySQL and I've got very little experience with either. Most of my work is in ASP/Access and compiled programs. The app that I'm developing doesn't need to be perfectly secure, but I want to avoid common pitfalls, and I have no idea where to start. From your experience, what are some common security pitfalls that are inherent in the language? I shouldn't have any trouble with program logic being an issue, just stuff that may be PHP specific. (Like the User being able to put anything that they'd like in the QueryString and having that show up as a variable in the script).
How Would Php Security Compare To Java Security?
I just want to know how PHP security would compare to Java security. It's because my officemate and I are developing a site which would handle confidential documents and we just can't decide whether we should use PHP or Java. Please do post your opinions regarding this, and it would be even better if you could also post links to write-ups about PHP security.
Security - What Security Dangers Should I Be Aware Of?
I am quite new to PHP but I have managed to write a simple page create script. So far the script does not have any user input. It does open/write files and it also accesses my MySQL database. No variables are passed from script to script either. My question is, what security dangers should I be aware of? My other question is, can you download a php file and view the contents?
PHP And Security??
I am very new with PHP and web content in general, and my concern is with my novice ability leaving huge security holes for any joker to have their way with. Here is my current thought. If I have a PHP script in a public html folder named index.php3, how secure is this, if at all? Say I have a line like: MySql_pconnect("host","account","password"); How easy is it for people to get the host, account and password?
Security
For security reasons I want to know more about (1)where session store its info and (2)what "single sign on" is. Does anybody know any articles about these subjects, or does anyone know the answers to these 2 questions?
PDF Security
This is where the security problem is POSTED. Is there anything we could do server side? In the meanwhile I am turning off on each client's domain the user PDF uploading capability (where it is allowed) and restricting that capability to the domain admin side.
Security In Php
I'm doing ok for a newbie in PHP, but I just have a few questions as far as security goes. I am actually a Java programmer, so from my experience with an object oriented language I would like to use encapsulation and other methods used in Java with PHP. For example, I would like to make a PHP page that handles my database connection and has a whole lot of functions that I can call as I need them instead of re-coding the connection each time. I know that I can use 'require('****.php')' and 'include('xxx.php')' to get access to the code in xxx.php, but can I extend and override the functions in xxx.php, and is it safe to connect to a database in this way? I also wanted to know if it is more secure to put a PHP script in the same web page or to make a page that contains the script and another HTML page that uses a form to go to the PHP page? And finally I just want to know if anyone knows of any good reading material on the topic of integrating Java with PHP (except the PHP manual) ....
PHP Security
I am fairly new to the php scene but have managed to learn quite a bit from you folks and other resources on the web. I have developed a few scripts that actually work. LOL. I ran across a post on here mentioning Chris Shiflett and took a trip over to his site. He has some intriguing articles on the security of php scripts. However, he doesn't get into much detail as it would seem he writes for a more advanced crowd. Anyway, what I am looking for now is more information on securing these scripts. Know a good book? Maybe a good website? By all means, let me know!
Security: SSL And Other
I got a few questions here: a) With sessions, is it worth the code hassle to hash the session file before any writing or reading is done, to check that the data is valid? b) Does anyone know any basic introductions to SSL, as I want to use it since it's most effective against session hijacking and other attacks.
PDF Security?
I have a portal secured through php scripts. I want to have a pdf document online. Is there a way to secure a pdf document though php? If not how else would i do that?
.inc Security
I'm trying to start learning PHP security and recently read this: Don't store includes under document root. The only resources you should store under document root are those that must be accessible via URL. Making anything else available to the public is an unnecessary risk. If you must:
<Files ~ ".inc$">
Order allow,deny
Deny from all
</Files>
If I can't install .inc files under my root, why would a related directory be any more secure? Couldn't the user, if they knew enough to search the .inc path to begin with, follow the second .inc path? Sorry if this is obvious and I'm missing the obvious.
Ip Security
What I am trying to do is, when you go to vote, check your IP based upon a subid and compare that to the remote address to prevent double votes. Here is the coding. PHP Code:
/* BEGIN ANTI CHEATING VERIFICATION PROTOCOL */
// cast subid to an integer so the query only ever receives a number
$subid = (int) $subid;
$sql = "SELECT * FROM voted WHERE subid = $subid";
$r = mysql_query($sql) or die('Error, query failed');
$arr = mysql_fetch_array($r);
$ip = $arr['ip_address'];
// compare with == (a single = would assign and always be true);
// read the client address from $_SERVER instead of relying on register_globals
if ($ip == $_SERVER['REMOTE_ADDR']) {
    echo "<p align=center class=contest_small>SORRY YOU HAVE ALREADY VOTED";
    exit;
}
/* END ANTI CHEATING PROTOCOL */
CSS, PHP And Security
I am thinking about opening a web site which will allow people to register and then have direct access to a stylesheet in order to brand their page. When a user saves their stylesheet, the system will reject it if it includes any of the '<', '>' or '?' characters. I know this restricts some CSS, but that's fine for my purposes. Is there anything else I should check for? How vulnerable does having this option leave me?
CMS Security
I'm here still learning about PHP and MySQL, from a lot of different sources right now. One of my goals is to get the simplest type of CMS up and running. If I really needed one I would probably use something like Wordpress, but I'm just interested in learning how they function. I have some basics down.. Looking into regular expressions at the moment. But I was wondering if anyone here had some good links they could share regarding how to implement techniques for preventing security issues and such. At the moment I only know of, like, query injection, but I've heard of other things like session stealing and some others I cannot remember.
Security
I don't know if this is the right forum, but I was wondering: if you store your MySQL database connection details in a PHP file that you then include() on each page, is that a secure way to go about it? I thought about this because if someone knows your filename they could just type it to get your username and password. Would changing the permissions on this file work, or is there a generally much more secure way to do this sort of thing?
Md5() And Security
I have created a form with the help from Houdini and I need some assistance with security. In the application customers will be inputting SSN#'s and checking account #'s. I want this information to be secure when it's submitted. The form will be processed to an email address. How would I set up this security to work with my form?
Security Measures!!!
Can I use session_is_registered() to track if the user has already logged in before using any pages on my web? Or is there a much easier and more efficient way?
Include() Via URL And Security
I have written a web based application that uses header and footer files to provide a co-branded look for customers. Every page is like this example: include customer's header, print generated content, include customer's footer. Here is the problem. I want to let users keep the header and footer files on their webservers so they can edit them and not have to bother me when they make changes. How do I ensure that they are not going to pass me a file that contains malicious code? For example, if the header file is like this, bad things would happen: <html> <body> Stuff <? exec (cat /etc/passwd) ?> </html> I want to escape all PHP code that is in the include file because the include should only have HTML in it. Should I use fopen and find/replace the PHP code? The two important considerations for the solution are speed and security. The header and footer are included on every page and I do not want something that is going to slow down the process very much. Currently pages load very quickly using a regular include via URL.
What Are Different Security Methods In Php
What are the different USER security methods which we can follow, and how to manage them? It will be helpful for all of us. What I know is to manage the session ID and to manage the user security along with it only. What would you suggest to have user-managed security? I ask all of you to share your views on different methods.
PHP Website Security
We have developed an ads network script for running an ads network site. Can someone please guide us on security features that we must implement to prevent hacking and exploits...? We have looked into major security problems commonly known, like image upload checks, but I would like to know more on other security checks that are generally overlooked.
Is This A Security Issue
While trying to sign on at a website, I got the following PHP code back. I suppose that their apache was mistakenly returning php text instead of executing it....
Security Question
If I have a file in the public html directory (e.g. mypage.php) then can anyone read this file (i.e. read its actual content rather than the interpreted contents it returns when someone opens www.myurl.com/mypage.php)?
Security Through Obscurity
I've got some security through obscurity questions - not directly related to PHP programming per se, but indirectly related, as most PHP programmers are also server admins of their servers. I want to restrict what my box reports back to the likes of scanners like Nmap & Nessus. I know how to get PHP to not report its version number, and the same with Apache. My questions are: a) how do I prevent MySQL from reporting its version number? b) My Apache now reports itself as just "Apache" - can I fake that, and just get it to report as, say, "MyWebServer"? c) Is it possible to get MySQL to report back as, say, "Oracle"? d) What about PHP - can I fake the reporting of it to say "Tomcat version 2" or something?
Security About POST!
I need to check and make sure users don't "hack" my POST values, but I'm not really sure if I need to check these POST values.. The values are coming from a registration form, and are the following... I will obviously check the database for existing users or existing email addresses, but other than that, this code can't really be used to hack me, can it?? PHP Code:
Security Advice On My Cms
I am using the following code to make a module system CMS. Code:
//index.php
require_once("mainfile.php");
global $site_path;
if (!isset($_GET["file"])) { $file = "index"; } else { $file = $_GET["file"]; }
if (!isset($_GET["mod"])) { $mod = "home"; } else { $mod = $_GET["mod"]; }
// reject any ".." in the parameters; a literal string search is used because
// an unescaped ".." regular expression would match any two characters
if (strpos($mod, "..") !== false || strpos($file, "..") !== false) { echo "Bad boy"; exit(); }
$file = "$site_path/modules/$mod/$file.php";
if (file_exists($file)) { include($file); } else { die("sorry, File does not exist"); }
You can see that I am using this concept: http://www.mysite.com/index.php?mod=$modulename&file=$modulefilename I just want to know if there is any security hole in the code. How do I stop direct access to a file without my main index.php file? Let's say I have a module called "member" and inside I have index.php, myprofile.php etc... and I want to stop direct access to these files (i.e. http://www.mysite.com/member/index.php). Only http://www.mysite.com/index.php?mod=member&file=index is allowed in this case.
Security Issues?
I'm new to PHP but have read enough to know to ask the experts before implementing anything. I want to allow non-registered visitors to submit data via a form. That data would not be immediately viewable on the website (I would review and edit before adding the data to the rotation). The visitor would get a 'thank you' page upon submission (no posted data displayed back to them). Is there any danger to my database in allowing just text to be inserted? In other words, are there malicious things that malicious people could do with a text form? I'm not allowing image or file uploads or anything else.
Security Sql Injections
I've been doing some reading up on sql injections, but I'm still not clear on them. Can they only occur when a user inputs information into a form? What about in a url that uses a $_GET thingy? Does my code look like it could be vulnerable to a sql injection or anything else? (Also, can it be optimized or does it look pretty good the way it is?) What the page does is, after someone clicks on a release name from a discography list, they are sent to this page and the data matching the release_id is extracted and displayed.
Some Simple Security
I want to be able to add some simple security to one of my pages, basically my page allows users to submit a text field which gets parsed into MySQL db and displayed on other pages. At the moment anyone can submit text which opens the page to abuse. I don't want to implement a user login system. I had envisaged the addition of a password entry box which the Submit button checks against the db before proceeding, so if any user has the correct password then they can submit. Having never done password stuff before, could somebody please point me in the right direction? Also, if I have the config data to connect to the mysql db in a PHP file on my server, can anybody just open it?
Sessions And Security
I was reading a few posts about sessions and security, and it seems that the best way to address sessions security is to require authentication every time the user needs to get to sensitive data (or protect the session data with SSL). In other words, assume that the world can see your session data stored in cookies if you're not using SSL. So, I started looking for exceptions to this rule of thumb (requiring authentication for sensitive data, even if the user has already logged in and has session data in a cookie), and I found one on ebay. If you log on to ebay, and then go to your personal information, and then try to edit, say, your credit card information, you are asked to log in. However, if you check the check box that says "keep me logged in for 1 day unless I log out" (or whatever), you no longer have to log in to get to your credit card information. So obviously, they have secured the session data without SSL (or https). How is this accomplished? Is there an equivalent construct in PHP?
Regarding Session Security
I've been delving into persistent sessions more, and I'm just wondering... To prevent session-snatching (by someone else using the same session ID), would putting the IP address in a session variable, and checking that on every page, be an effective deterrent? This still allows for IP spoofing, but anyone going that far can have it.
Security Matrix
I need a Security Matrix in my PHP project. The Security Matrix roles are Administrator, Engineer, Storeman and Customer. One of my peers said to make the PHP project more robust, he asked me to use a byte value as the security matrix. For example as shown below:
User id | Name | Security Matrix
1       | A    | 15
2       | B    | 1
3       | C    | 2
From the table above, user A is 1111 (Administrator, Engineer, Storeman, Customer), B is 0001 (Customer) and C is 0010 (Storeman). My question is how am I going to check if the user is Administrator or Customer or etc.? Any PHP function to check it?
Upload Security
I have a question concerning the security of my file upload script. I'm using the PHP upload routines (move_uploaded_file, ...) and variables ($_FILES) to upload images to a web directory. Everything works fine, meaning that I can upload images BUT only if I change the permissions of the directory to which the uploaded images are moved to 777. I guess that this is not such a good thing from a security point of view. So here are some questions I have:
1) Is this really that dangerous? How could this be exploited by an attacker?
2) Using chmod in my PHP script (to switch back and forth between 700 and 777) is not an option since I'm on a virtual host and PHP is in safe mode.
3) Creating a directory which is not reachable by web browser does not seem to be possible either, since outside my web directory everything is root-owned and obviously only my ISP has root permission ;-)
4) I know that changing to FTP functions might solve this problem, but I want to do image resize operations on the uploaded image afterwards anyway, so I would prefer solutions allowing the creation of safe directories or something similar.
Security With PHP Sessions?
I just had a question regarding the use of PHP session functions in regards to security. I am sorry if this may have already been covered, but it just popped into my head as I read another post regarding security. Anyway... If a webserver is considered to be "nobody/everybody" (network security reasons), and has specific permissions to read/write/execute in the default session folder (php.ini), then wouldn't that open up a door for anyone knowing your default session folder to "read/write/execute" as well? I mean, if this is true, then wouldn't any special session data stored in this directory regarding authentication or whatever be exposed to anyone/everyone that thinks to look in the session directory? Making sites using the PHP session functions exposed? All that it would take would be to append a querystring of "sid='whatever'" to a URL and boom, you're in...
Security Suggestions
I was wondering if any of you folks out there who've been around for a while have any suggestions for someone just starting out on how to ensure that your site couldn't be cracked by the first script-kiddie who comes along with a case of Mountain Dew. I'm not very familiar with HTTP security at all, and was hoping some of y'all might have some tips.
Security With PHP (register_globals)
I've read that register_globals should be turned off for security reasons. This is because you can never be sure where a variable created from register_globals is coming from. It can either come from a cookie, or a form object, or a file, anything. I have a question though: does this only apply to poorly named variables? For example, if my form name is "forms_username", then I'd be 100% sure that $forms_username came from a submitted form. Likewise, if I named my cookie "cookies_username" then I'd know that it came from a cookie. If I also check all incoming data, would there still be a potential for a leak in the program somewhere? I ask because I don't know all the ins and outs of PHP and maybe I might be missing something. It just seems that using the register_globals variables is looked down upon and I thought I'd get some good insight before I "went in too far to turn back".
Implementing Security
Does anybody know how to implement encryption in a web transaction, I mean credit card transactions using PHP? Is it advisable to do so, or rather should I go for security certificates like VeriSign etc.? Awaiting your valid response.
Uploads And Security
On my server I have defined several users and given them full rights to two different folders. The rights for Anon on both folders are set to none - this produces a username / password dialog upon trying to access the folder. The two folder names are backdraft and images - both are off the root of my web folder. I go to my backdraft folder and login, everything is fine - the index page appears as it should. I can then jump into the images folder and the server allows me... good. Now, within the backdraft folder is a script folder containing fileup.php:
<?PHP
$folder = $_POST["folder"];
move_uploaded_file($_FILES['Filedata']['tmp_name'], "$folder/" . basename($_FILES['Filedata']['name']));
?>
That's all it is... What I want to do is upload a file and then move it into a subfolder within the images folder. I keep running into 401 errors though... which I can't understand as I'm logged in with full rights. I figured if I can login and then jump to the images folder, my upload script should allow moving to that folder.
Application Security
I've been developing PHP alongside MySQL for over a year now. I just downloaded this application from SourceForge.net called PHPAdsNew. It's pretty neat, works fine and all, but there's a security concern I think. How the application works is in the following manner: Let's say it's installed on http://127.0.0.1/phpadsnew/ Let's say my browser points to http://127.0.0.1/phpadsnew/ Then the index.php redirects to http://127.0.0.1/phpadsnew/admin/login.php for people to login. The problem is that the password-containing file "config.inc.php" (for the MySQL database) is located in the "phpadsnew" directory, not in an OS-secured folder accessible only by PHP. I guess if somebody somehow knows about phpadsnew and somehow remotely accesses the config file, even though my server parses .php files with PHP, he could attack my MySQL server and wreak havoc. Is this secure even though I have doubts? If not, is there a way to counter this?
Security Compromised
it appears someone has broken into my site. This morning I found about 20 files (each called index.htm) suddenly featured this line: <IFRAME SRC="url-of-bad-site" WIDTH=1 HEIGHT=1></IFRAME> and their last modified date was set to today between midnight and 1 GMT. In some files, this line was placed directly after the body opening tag, in others it was just before </body>. In one file where the whole document is written in javascript, they had even escaped their quotes! The malicious url is www.b00gle.com/fa/?d=get I have no access to the raw server logs and my own log script shows no strange hits around that time. How have they done this? And what can I do about it? I ask here because the site uses PHP a lot.
General Security
I'm still somewhat new with PHP, only able to play with it now and again. Anyway, I was recently sent an email about possible security flaws, not in PHP itself but in my code on a site that I am working on. Here is a list of security issues that possibly exist, and I'm just looking for other ways to improve the overall security of the site. *transactions: this site accepts transactions through IBILL. I need a way to validate that after the client goes to ibill's site and gets sent back to my site, that it really is coming from Ibill. I hear that 'HTTP_REFERER' can be spoofed and should therefore not be trusted, at least not by itself. Right now I am just using a hidden form field and passing through a var from my site, to ibill, and back to my site. Problem is of course that someone could just copy and paste my source and change the action of the form to just bypass ibill and go directly to the processing page after ibill, should they find a way to know what it is. This is all assuming they know how, of course. I just need a good way of validating that they actually paid through ibill and did not get a free account. I thought about registering that hidden form field var within the session and comparing it to the returned var from ibill, if that makes any sense to you guys.. any ideas here? *file uploads: after paying, clients can upload images via their personal control panel. I perform a MIME check only at this time. I recently found is_uploaded_file() and move_uploaded_file() and will incorporate them into the code rather than just using copy. Should I also set permissions, or will they be set correctly after the move already? The uploads are just images. I am also thinking of setting file size checks also. *client supplied text: I am also worried about "sql injection" and things of that nature. I found addslashes(), strip_tags(), htmlspecialchars() and will start to use those on user supplied text. Any other functions that I might want to include and run my text vars through?
PHP Session Security
I previously logged a question asking how to automatically log a user into Apache Basic Authentication without displaying the standard username/password dialog from the browser. I have since come to realise this is not possible; I'll have to use my own system with session cookies etc. Kewl. My question now is, if I'm managing the login with PHP sessions, what's to stop somebody coming along and directly accessing an image without a username/password? I should probably expand: what I want to do is set up a simple login so customers can login and view their own content, a preview. This obviously needs some level of security. I'm not looking to set up Fort Knox, but I would like a reasonable amount of security so that I can restrict who looks at the content. Can anybody point me in the direction of a reasonable solution?
CMS Database Security
I'm creating a CMS, however, there is one thing I need help with. I have been looking up information on security with PHP, because the site I'm making the CMS for is very large, and the chances of something happening are very high. However, there are sessions, cookies, and other things, but which is best/more secure? Cookies? Sessions? And should I have a var with an encrypted password and use the crypt function to get the password I typed in the form and encrypt that, to match the var with the encrypted password?
Log File Security
I am using the following code to write the details of a form to a text file: Code:
$fp = fopen("info/info.txt", "a");
fputs($fp, "$name|$address|$creditcard|$email");
fclose($fp);
The file will include credit card details so it needs to only be writable by users. However, I also want to be able to create the file if it does not exist. My understanding was that using the "a" in the fopen line would create a file which was writable only. However this is not working (permission denied). I then made the 'info' directory executable and writable, which enabled me to create the file (if it didn't already exist) but made the file readable to the user (not a good idea).
File Security
I'm "playing around" with XP, Apache and PHP. There are some user subdomains. If a user creates a file to make up and download, delete files etc., he can also view/delete files outside his document root. How can I make sure he isn't able to do that? Without disabling the features in php.ini?
Another Question About Security
Let's go again. I was surfing the Internet and I was trying to find some good code about security. There is a lot of it, using cookies and sessions. Others hide variables and other stuff. Question is: What is the best way (technique) that you use to get safe (maybe your site or system)?
Post Security
I can't get my head around form mail scripts and people injecting extra code in there. I don't know if they actually achieve anything or not. I am using a script from Web4Future Easiest Form2Mail (GPL). Copyright (C) 1998-2005 Web4Future.com All Rights Reserved. http://www.Web4Future.com/ Does anyone know if that script is supposed to be secure? Anyway... my point is not that much just the formmail script but any POST form and POST handling script. Is there a standard checklist of security threats I should be looking at regarding forms that send crucial data? For example, when you send something to PayPal or WorldPay you have to send an id that uniquely identifies you, ok? Now that is visible to everyone. But it doesn't really produce any security threat at all. BUT if I need someone to send an id to my script and use it as a signature to use the site services, that means that someone can fake it easily and start using the website without signing up. I don't want people to login because they would have already logged in elsewhere. Using POST variables seems to be the easiest way to store data in my DB from any other site cross platform.