LinuxQuestions.org
02-09-2010, 02:26 PM   #1
Web31337
PHP - basics of writing secure code


A new LinuxAnswers entry has been added:

PHP - basics of writing secure code

Quote:
PHP is a powerful language for developing web sites. Many sites on the net use it as their core.

And, of course, any power can be used in both ways. When most beginner (and even not-so-beginner) programmers create websites with some input forms, they usually never think about security here.
 
02-09-2010, 04:14 PM   #2
rweaver
Really good article, I hope a lot of people read and follow it. The number one problem I see with PHP apps that get exploited is lack of sanitized inputs for databases (injection). The only thing that scares me more than unsanitized database inputs is unsanitized inputs used in system calls... someone killing the database or injecting things you don't want is bad news; someone wiping out or rootkitting your server is worse news.
 
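The injection problem rweaver describes, shown as an added example (not code from the article or from anyone in this thread): the same login query built by string concatenation and with a PDO prepared statement, run against an in-memory SQLite database so it works stand-alone. The users, the plaintext passwords (real code would store password_hash() output) and the attacker input are all constructed for the demo.

```php
<?php
// Added example (not from the article or the thread): SQL injection through string-built
// queries, and the fix with PDO prepared statements. Runs stand-alone against an in-memory
// SQLite database; the users and the attacker input below are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// VULNERABLE: the submitted values become part of the SQL text, so a quote in the input
// ends the string literal and the rest of the input is parsed as SQL.
function loginVulnerable(PDO $db, string $name, string $password): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the statement with placeholders is compiled first; the values are bound
// afterwards as data and cannot change the shape of the query. No manual escaping needed.
function loginSafe(PDO $db, string $name, string $password): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statements bind VALUES only. Identifiers (table or column names, ORDER BY targets)
// cannot be parameterised, so they must be checked against an allow-list instead.
function listUsersSorted(PDO $db, string $column): array
{
    $allowed = ['id', 'name'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    return $db->query("SELECT id, name FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string, makes the WHERE clause always true, and
// comments out the password check ("--" starts a comment in SQLite and most other engines).
$evilName = "' OR '1'='1' -- ";
$anyPassword = 'does-not-matter';

printf("vulnerable query returned %d row(s)\n", count(loginVulnerable($db, $evilName, $anyPassword)));
printf("prepared query returned %d row(s)\n", count(loginSafe($db, $evilName, $anyPassword)));

try {
    listUsersSorted($db, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'sort column rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php` (the pdo_sqlite extension must be loaded). The string-built query hands back every user for the injected name, the prepared one hands back nothing, and the identifier check shows the one place where binding does not help and an allow-list is the only option.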
02-11-2010, 04:53 AM   #3
Web31337 (Original Poster)
Oh yes, shell command injection is the worst. I forgot to add it.
I've seen many of those vulnerabilities, but it actually points more to PHP security itself (configuring PHP) rather than coding. Of course, it's the same rule again: don't trust user input. But here you have to be more restrictive: in case you allow shell_exec(), etc., you shall not pass anything taken from user input to the shell at all, until you know what you are doing.
I have it disabled everywhere and I suggest everyone do the same: disable all dangerous functions of PHP. If you need the shell to act in your applications, use either a standalone daemon or cron that will verify and execute pending tasks from a shared file. Be sure to apply this rule, "don't trust user input", everywhere.
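The shell-injection case and the queue-file pattern from the post above, as an added example that is not code from the article or from anyone in this thread. The vulnerable function, the allow-list validator, the escapeshellarg() variant, the queue file format and the cron-side worker are all constructed for the demo; the worker relies on the array form of proc_open() (PHP 7.4 or newer), which starts the program without a shell. The `disable_functions` line in the comment is a real php.ini directive, but the function list is an illustrative choice, not a recommendation from the article.

```php
<?php
// Added example (not from the article or the thread): shell command injection and the
// layered defences discussed above. Everything here is constructed for the demo; the
// queue file, task format and worker are illustrative, not a real project's code.

// VULNERABLE: the user value is spliced into a command line that a shell parses, so
// ";", "|", "$(...)" and friends in the input become extra commands.
function pingVulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host . ' 2>&1');
}

// Defence 1: strict allow-list validation before the value goes anywhere near a shell.
// Hostname syntax only: letters, digits and hyphens, labels of 1-63 chars, 253 total.
function isValidHostname(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i', $host) === 1;
}

// Defence 2: if a shell really is needed, quote each argument so it is exactly one word.
function pingQuoted(string $host): string
{
    if (!isValidHostname($host)) {
        throw new InvalidArgumentException("invalid hostname: $host");
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host) . ' 2>&1');
}

// Defence 3, the pattern from the post above: the web-facing code never runs a shell.
// It appends a validated task to a queue file; a cron job (or daemon) running as its own
// user reads the queue, re-validates, and executes without a shell. The web server's
// php.ini can then carry e.g. disable_functions = shell_exec,exec,system,passthru,popen,proc_open
// (the CLI SAPI used by the worker has its own php.ini, so the worker keeps proc_open).
function enqueuePing(string $host, string $queueFile): void
{
    if (!isValidHostname($host)) {
        throw new InvalidArgumentException("invalid hostname: $host");
    }
    $line = json_encode(['task' => 'ping', 'host' => $host, 'ts' => time()]) . "\n";
    file_put_contents($queueFile, $line, FILE_APPEND | LOCK_EX);
}

// Worker side. proc_open() with an array argv (PHP >= 7.4) starts the program directly,
// so no shell ever sees the host string and no metacharacter is interpreted.
function runNoShell(array $argv): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return 'failed to start ' . $argv[0];
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return "exit=$code\n$out";
}

function processQueue(string $queueFile): array
{
    $results = [];
    foreach (file($queueFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $task = json_decode($line, true);
        // Never trust the queue either: a compromised web process may be able to write to it.
        if (!is_array($task) || ($task['task'] ?? '') !== 'ping' || !isValidHostname((string) ($task['host'] ?? ''))) {
            $results[] = "rejected: $line";
            continue;
        }
        $results[] = runNoShell(['ping', '-c', '1', $task['host']]);
    }
    return $results;
}

// Demo with constructed attacker input. The payload only runs a harmless echo; on a real
// site the same position could hold "rm -rf /" or a reverse shell.
$evil = '127.0.0.1; echo INJECTED';
echo 'vulnerable output contains INJECTED: ', strpos(pingVulnerable($evil), 'INJECTED') !== false ? 'yes' : 'no', "\n";
try {
    pingQuoted($evil);
} catch (InvalidArgumentException $e) {
    echo 'quoted version rejected input: ', $e->getMessage(), "\n";
}

$queue = tempnam(sys_get_temp_dir(), 'pingq');
enqueuePing('localhost', $queue);
file_put_contents($queue, '{"task":"ping","host":"127.0.0.1; echo INJECTED"}' . "\n", FILE_APPEND); // tampered entry
foreach (processQueue($queue) as $r) {
    echo $r, "\n";
}
unlink($queue);
```

The vulnerable function executes the injected echo; the quoted variant never reaches the shell because validation rejects the input first (and even without validation, escapeshellarg() would make the whole string a single argument to ping); the worker accepts only the well-formed queue entry and refuses the tampered one. Validation is applied on both the producing and the consuming side on purpose: a shared file is an input like any other.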
 
11-23-2010, 01:15 AM   #4
jcelle
Really good article indeed.
For those who want to go even deeper into this subject, I suggest you take a look at OWASP (http://www.owasp.org/). Even though it is not specifically for PHP, it gives good examples of what to do and what to avoid, and an excellent framework for developing secure applications.
And again, DON'T TRUST USER INPUT!
 
  

