Topic awaiting preservation: Site security with PHP (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=11977" title="Pages that link to Topic awaiting preservation: Site security with PHP (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Site security with PHP <span class="small">(Page 1 of 1)</span>\$

butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 12-29-2001 22:55 I have been coding a site that uses flat text files for holding content, and allows user input to those same txt files. In my code I have used strip_tags() on all user input. I'm not using the URL to append any information or variable transfer. I have used sessions to keep unauthorized people out of the admin section, and I'm using @ on the appropriate functions in conjunction with or die() to keep anyone from getting any information from error messages. My question would be... What am I missing? This is not an e-commerce site or anything like that, but there's no accounting for what people will try to do to an unsuspecting website if they can these days. Also, Can anyone share their experiences with naming other site files. I have my content files with a .txt extention and all my headers and footers, ect. named with a .inc and I am using the standard include function with my .inc files. Any thoughts? As always, Thanks -Butcher-
u-neek Bipolar (III) Inmate From: Berlin, Germany Insane since: Jan 2001	posted 12-29-2001 23:00 http://www.php.net/manual/en/security.registerglobals.php The last example. And http://www.php.net/manual/en/security.php [This message has been edited by u-neek (edited 12-29-2001).]
WarMage Maniac (V) Mad Scientist From: Rochester, New York, USA Insane since: May 2000	posted 12-29-2001 23:06 Just make sure all of the variables you are using are not open to be used by some other illict calls.
mr.maX Maniac (V) Mad Scientist From: Belgrade, Serbia Insane since: Sep 2000	posted 12-30-2001 10:03 http://www.ozoneasylum.com/Forum12/HTML/000463.html http://www.securereality.com.au/studyinscarlet.txt http://zez.org/article/view/69/
bitdamaged Maniac (V) Mad Scientist From: 100101010011 <-- right about here Insane since: Mar 2000	posted 12-30-2001 20:53 A couple of thngs If you are setting the path to the text files in the PHP script itself you can unset any variables before setting them so to prevent anyone from setting them in the URL If you are passing info via CGI you can use the HTTP_POST_VARS environment array to make sure the vars are passed via a POST method especially when used with the HTTP_REFFERER var to make sure things are coming from your script Also I like to put most of my files outside of my htdocs directory and reference them via the server root to make sure they are not viewable :[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:
butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 01-01-2002 13:57 Thanks for all your responses!!! That's a lot of great information. I have to go back through all my scripts and make a few changes. I just wanted to ask one more question. I know that if I'm using post to send my form variables I can use HTTP_POST_VARS[] to access all my form variables, but is there a predefined variable that encompasses all variables being sent to my script, post or otherwise? Thanks again -Butcher-

Topic awaiting preservation: Site security with PHP (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=11977" title="Pages that link to Topic awaiting preservation: Site security with PHP (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: Site security with PHP <span class="small">(Page 1 of 1)</span>\$

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 12-29-2001 22:55

I have been coding a site that uses flat text files for holding content, and allows user input to those same txt files. In my code I have used strip_tags() on all user input. I'm not using the URL to append any information or variable transfer. I have used sessions to keep unauthorized people out of the admin section, and I'm using @ on the appropriate functions in conjunction with or die() to keep anyone from getting any information from error messages.

My question would be... What am I missing?

This is not an e-commerce site or anything like that, but there's no accounting for what people will try to do to an unsuspecting website if they can these days.

Also,

Can anyone share their experiences with naming other site files. I have my content files with a .txt extention and all my headers and footers, ect. named with a .inc and I am using the standard include function with my .inc files.

Any thoughts?

As always, Thanks

-Butcher-

u-neek
Bipolar (III) Inmate

From: Berlin, Germany
Insane since: Jan 2001

posted 12-29-2001 23:00

http://www.php.net/manual/en/security.registerglobals.php

The last example.

And http://www.php.net/manual/en/security.php

[This message has been edited by u-neek (edited 12-29-2001).]

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 12-29-2001 23:06

Just make sure all of the variables you are using are not open to be used by some other illict calls.

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 12-30-2001 10:03

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 12-30-2001 20:53

A couple of thngs

If you are setting the path to the text files in the PHP script itself you can unset any variables before setting them so to prevent anyone from setting them in the URL

If you are passing info via CGI you can use the HTTP_POST_VARS environment array to make sure the vars are passed via a POST method especially when used with the HTTP_REFFERER var to make sure things are coming from your script

Also I like to put most of my files outside of my htdocs directory and reference them via the server root to make sure they are not viewable

:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 01-01-2002 13:57

Thanks for all your responses!!!

That's a lot of great information. I have to go back through all my scripts and make a few changes.

I just wanted to ask one more question.

I know that if I'm using post to send my form variables I can use HTTP_POST_VARS[] to access all my form variables, but is there a predefined variable that encompasses all variables being sent to my script, post or otherwise?

Thanks again
-Butcher-