general security

I'm still somewhat new with php, only able to play with it now and again.
Anyway, I was recently sent an email about poss security flaws, not in php
itself but in my code on a site that I am working on. Here is a list of
security issues that poss exist and I'm just looking for other ways to
improve the overall security of the site.

*transactions
this site accepts transactions through IBILL. I need a way to validate
that after the client goes to ibill's site and gets sent back to my site,
that it really is coming from Ibill. I hear that 'http_referrer' can be
spoofed and should therefore not be trusted, at least not by itself. Right
now I am just using a hidden form field and passing through a var from my
site, to ibill, and back to my site. Problem is of course that someone
could just copy and paste my source and change the action of the form to
just bypass ibill and go directly to the processing page after ibill, should
they find a way to know what it is. This is all assuming they know how of
course. I just need a good way of validating that they actually paid
through ibill and did not get a free account. I thought about registering
that hidden form field var within the session and comparing it to the
returned var from ibill, if that makes any sense to you guys. Any ideas
here?

*file uploads
after paying, clients can upload images via their personal control
panel. I perform a mime check only at this time. I recently found:
is_uploaded_file() and move_uploaded_file() and will incorporate them into
the code rather than just using copy. Should I also set permissions, or
will they be set correctly after the move already? The uploads are just
images. I am also thinking of setting file set checks also.

*client supplied text
I am also worried about "sql injection" and things of that nature. I
found addslashes(), strip_tags(), htmlspecialchars() and will start to use
those on user supplied text. Any other functions that I might want to
include and run my text vars through?

PS: I'm also open to any other issues that may not be covered here. I just
read through some old posts but just don't want to miss anything.

-thnx
Chris Mosser
Jul 17 '05 #1
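The session-bound hidden field described in the transactions paragraph, written out as an added example (this is not code from the thread, from iBill, or from Bytes.com). The field name `ibill_ref`, the form action URL and the assumption that the processor echoes the hidden field back unchanged are all placeholders:

```php
<?php
// Added example, not from the thread: tie the hidden form field to the
// visitor's session so the value that comes back can be compared with the
// one that was issued. Assumes PHP sessions and that the processor returns
// the hidden field unchanged ("ibill_ref" is an assumed field name).

session_start();

// Called when building the form that sends the client to the processor.
function issue_transaction_token(): string
{
    // 32 random bytes, hex-encoded: not guessable, unlike a counter or user id.
    $token = bin2hex(random_bytes(32));
    $_SESSION['txn_token']     = $token;
    $_SESSION['txn_issued_at'] = time();
    return $token;
}

// Called on the page the processor sends the client back to.
function verify_transaction_token(string $returned): bool
{
    if (empty($_SESSION['txn_token'])) {
        return false;   // nothing was issued in this session
    }
    $expected = $_SESSION['txn_token'];
    // One-time use: clear the token whether or not the comparison succeeds,
    // so a captured value cannot be replayed.
    unset($_SESSION['txn_token'], $_SESSION['txn_issued_at']);
    // Constant-time comparison avoids leaking how many characters matched.
    return hash_equals($expected, $returned);
}

$returned = $_POST['ibill_ref'] ?? null;

if ($returned === null) {
    // First visit: render the form that hands the client to the processor.
    $token = issue_transaction_token();
    echo '<form method="post" action="https://processor.example/pay">'; // placeholder URL
    echo '<input type="hidden" name="ibill_ref" value="'
       . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
    echo '<input type="submit" value="Pay"></form>';
    exit;
}

// Return visit: the value must match the one issued in this same session.
if (verify_transaction_token((string) $returned)) {
    echo 'Token matches the one issued in this session.';
} else {
    http_response_code(400);
    echo 'Unrecognised or reused token.';
}
```

This check answers the narrower question of whether the returned value is the one this session sent, and it stops a value from being reused. It does not, on its own, prove that payment happened: a client who posts straight to the processing page with a freshly issued token still passes it, which is exactly the bypass the post describes. Marking an account as paid therefore needs a confirmation that the client cannot forge, obtained server-side from the processor rather than from anything that travels through the browser.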
Chris Mosser wrote:
> *file uploads
> after paying, clients can upload images via their personal control
> panel. I perform a mime check only at this time. I recently found:
> is_uploaded_file() and move_uploaded_file() and will incorporate them into
> the code rather than just using copy. Should I also set permissions, or
> will they be set correctly after the move already? The uploads are just
> images. I am also thinking of setting file set checks also.

1. Avoid using the upload's original filename as the new filename.
2. Have the uploaded files reviewed by a human before they are made
available to the public.

> *client supplied text
> I am also worried about "sql injection" and things of that nature. I
> found addslashes(), strip_tags(), htmlspecialchars() and will start to use
> those on user supplied text. Any other functions that I might want to
> include and run my text vars through?

This is a very important security topic because it seems to be so often
ignored. Besides sql injection, cross-site scripting is another
malicious type of attack.

Pay close attention to the way magic_quotes_gpc, addslashes(), and
stripslashes() relate. That will help make your applications treat user
input more consistently.

> PS: I'm also open to any other issues that may not be covered here. I just
> read through some old posts but just don't want to miss anything.

There are two classic security problems with scripting technologies on a
shared hosting environment:
1. If my script will be opening a database connection, how do I securely
store my database password?
2. If my script will be writing files, how do I securely give it
permission to do so without giving permission to everybody else to do it
too?

--
-Moxley
moxleystratton.com
Jul 17 '05 #2
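An upload handler that follows the advice in both posts (is_uploaded_file()/move_uploaded_file() instead of copy(), a generated filename instead of the client's, a pending directory for human review, and explicit permissions), added here as an example rather than code from either poster. The `$_FILES['photo']` key, the directory path and the size limit are assumed; the image check uses getimagesize() on the file bytes, which goes a step beyond the MIME check the question mentions because the client controls the MIME header:

```php
<?php
// Added example, not the poster's or Bytes.com's code. Receives an image
// upload the way the thread recommends. 'photo', the directory and the
// size limit below are assumed values.

const UPLOAD_DIR = '/var/www/uploads_pending';   // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

// Image types we accept (as reported by getimagesize) and the extension we assign.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

/**
 * Stores one uploaded image. Returns the new path on success, or a string
 * beginning with "error:" on failure.
 */
function store_uploaded_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'error: file too large';
    }
    // Proves the path was produced by PHP's upload handling, not supplied
    // by the client (the reason to prefer this over a plain copy()).
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    // Inspect the bytes, not $file['type']: the client sets that header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        return 'error: not a supported image';
    }
    // Never reuse $file['name']: it can carry path separators, double
    // extensions or odd characters. Generate our own name and extension.
    $newName = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    $dest    = UPLOAD_DIR . '/' . $newName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not move file';
    }
    // move_uploaded_file() keeps the temp file's mode (normally 0600), which
    // the web server can read but nothing else can. Set the mode we actually
    // want explicitly: world-readable, never executable.
    chmod($dest, 0644);
    return $dest;
}

if (isset($_FILES['photo'])) {
    // Files land in the pending directory; publishing them is a separate,
    // reviewed step, as the reply suggests.
    $result = store_uploaded_image($_FILES['photo']);
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

On the permissions question in the original post: the moved file keeps the mode of PHP's temporary file, so the only way to be sure of the result is to chmod() it yourself after the move, as above. Keeping the pending directory outside the document root also means a file that passes the checks but is later rejected in review was never reachable by URL.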
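The relationship between magic_quotes_gpc, addslashes() and stripslashes() that the reply points to, shown as an added example (not code from the thread). It normalises input once, then escapes separately for the SQL context and the HTML context, which is the point the reply makes about treating input consistently. The mysqli connection `$db`, the `users` table and the sample input are assumed; the prepared-statement form and mysqli's escaper go beyond the addslashes() the question mentions, and magic_quotes_gpc itself was removed in PHP 5.4, so the normaliser is a no-op on current installs:

```php
<?php
// Added example, not from the thread: normalise once, escape per context.
// $db (a mysqli connection), the users table and the sample input are assumed.

// 1. Normalise: hold the raw value exactly once, unescaped.
function raw_input(string $value): string
{
    // On old PHP with magic_quotes_gpc=On, GPC values arrive pre-addslashed.
    // Undo that here so later escaping is not applied twice (which stores
    // a literal backslash in the database and breaks comparisons).
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2a. Escape for the SQL context, once, at the point of use. addslashes()
// is the generic form; a database-specific escaper knows the connection's
// character set and is the safer choice when string building is unavoidable.
function sql_literal(mysqli $db, string $raw): string
{
    return "'" . $db->real_escape_string($raw) . "'";
}

// 2b. The prepared-statement form needs no escaping at all: the value is
// sent separately from the query text and can never change its structure.
function find_user(mysqli $db, string $rawName): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $rawName);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// 3. Escape for the HTML context when echoing, never on the way into the
// database; this is what stops the cross-site scripting case the reply raises.
function html_text(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input resembling a hostile submission (used only when
// no form value is present).
$name = raw_input($_POST['name'] ?? "O'Brien <script>alert(1)</script>");

// The stored value keeps the apostrophe and the tags as plain data;
// each output context applies its own escaping.
$literal = sql_literal($db, $name);     // safe inside a hand-built query string
$user    = find_user($db, $name);       // preferred: no string building at all
echo html_text($name);                  // safe to place in an HTML page
```

The design choice worth taking from this: strip_tags() and htmlspecialchars() belong at output time, not at storage time. Stripping on the way in changes the user's data and still leaves SQL unprotected; escaping on the way out keeps one raw copy and lets each context (SQL, HTML attribute, HTML text) apply exactly the escaping it needs.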

