sklar.com: These vulnerabilities can, of course, exist in PHP applications. Here are some tips on how to avoid them. I've included related links and references where relevant.
Jun 13, 2006
chris9902 (Jun 14, 2006)
There are some good tips there, but some seem overkill. If you run your own server or host with a good company, things like "register_globals" can and should be turned off so you don't need to worry about them. These are good tips for anyone who wants to make their source code public. Many open source projects have failed at even the most basic security in the past. Good article, +digg
Closed Account (Jun 14, 2006)
Someone dugg that down? LOSER.
shiflett (Jun 14, 2006)
The -- denotes the start of a comment, so it effectively terminates the query at that point. My favorite username is something like:
chris' --
I say that only in jest, but a surprising number of web applications would let me basically hijack the chris account with this username. Of course, this technique also lets you target specific accounts.
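To make the effect of that username concrete, here is an added example (mine, not shiflett's and not from the sklar.com article) in Python with an in-memory SQLite table standing in for the application's user table: the query built by string concatenation lets `chris' --` pass the login check without a password, while the parameterized query treats the same string as plain data. The table contents and function names are constructed for the demo; PHP code using mysql_query with concatenation versus PDO prepared statements has exactly the same split.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo.

    Passwords are stored in plaintext only to keep the example short;
    real code compares against a password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("chris", "correct horse"), ("alice", "battery staple")],
    )
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text.

    With username "chris' --" the statement becomes
        ... WHERE username = 'chris' --' AND password = '...'
    and everything after -- is a comment, so the password check vanishes.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders bind the input as data.

    The quote and the -- never reach the SQL parser as syntax, so the
    same username simply fails to match any row.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", login_concatenated(db, "chris' --", "wrong"))
    print("parameterized:", login_parameterized(db, "chris' --", "wrong"))
```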
ensnared (Jun 14, 2006)
Hidden fields are submitted just like visible ones - the server never knows the difference, so anything can be done with them client-side. A JavaScript can be inserted to change the value, for instance, or the user can use some tool to edit the HTML on the fly, or one can simply download and save the HTML file locally, edit it, and open it in the browser. The rule of thumb is: never, ever trust user input. Even if you use JavaScript to validate the fields client-side before the form is submitted, a user can easily bypass that, so everything should be validated on the server side.
Closed Account (Jun 14, 2006)
The list:
1. Using PHP.
2. See #1.