[PHP] PHP Security: Best Practices
Hello all,

I am currently researching security best practices/methods. Can anyone offer any current resources/recommendations?

My research thus far has included password hashing with salting/stretching, session hash defaults, session management & authentication, and prepared statements via PDO, in addition to basic PHP.ini and .htaccess server settings and properly escaping and validating input/output.

On a side note, PHP versions prior to 5.3+ do not allow setting the httponly flag as a cookie parameter. Is there any acceptable alternative for this?

Thanks in advance,

Jen Rasmussen | Web Development Manager
Cetacea Sound Corp
P: 763-225-8465
Re: [PHP] PHP Security: Best Practices
On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen wrote:
[snip]
> On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
> flag as a cookie parameter, is there any acceptable alternative for this?

I believe that has been supported since 5.2.0. As for a workaround for versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
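The two routes Andrew's reply points at, as an added example that is not from the thread or the linked answer: setcookie() with its httponly argument on PHP 5.2+, and a hand-built Set-Cookie header on older builds. The function names and the cookie name/value are constructed for the example.

```php
<?php
// Added example (not from the thread): emit an HttpOnly cookie on PHP >= 5.2
// via setcookie(), and fall back to a raw Set-Cookie header on older builds.
// The flag is just text the server appends, so the header form works on any
// PHP that can call header(). Cookie name and value are constructed samples.

function build_cookie_header($name, $value, $expires, $path, $secure) {
    $parts = array(
        rawurlencode($name) . '=' . rawurlencode($value),
        'expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT',
        'path=' . $path,
    );
    if ($secure) {
        $parts[] = 'Secure';   // only send over HTTPS
    }
    $parts[] = 'HttpOnly';     // not readable from document.cookie
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function send_httponly_cookie($name, $value, $expires, $path = '/', $secure = true) {
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
        return setcookie($name, $value, $expires, $path, '', $secure, true);
    }
    // Pre-5.2 workaround: second argument false keeps any earlier Set-Cookie headers.
    header(build_cookie_header($name, $value, $expires, $path, $secure), false);
    return true;
}

// For PHP's own session cookie the ini setting (also 5.2+) does the same job.
ini_set('session.cookie_httponly', '1');

// Usage with constructed sample values:
send_httponly_cookie('app_token', 'sample-opaque-token', time() + 3600);
```

The header form has to be sent before any output, exactly like setcookie().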
RE: [PHP] PHP Security: Best Practices
Thanks, Andrew! I am unfortunately not even running 5.2.. so that helps.

Jen

-----Original Message-----
From: Andrew Ballard [mailto:aball...@gmail.com]
Sent: Monday, August 08, 2011 9:57 AM
To: j...@cetaceasound.com
Cc: php-general@lists.php.net
Subject: Re: [PHP] PHP Security: Best Practices

> On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen wrote:
> [snip]
> > On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
> > flag as a cookie parameter, is there any acceptable alternative for this?
>
> I believe that has been supported since 5.2.0. As for a workaround for versions before that, I found this pretty quickly through Google:
>
> http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php
>
> Andrew
Re: [PHP] PHP Security: Best Practices
> I am currently researching security best
> practices/methods. Can anyone offer
> any current resources/recommendations?

That is a huge arena and the question cannot be answered very well without describing what you are needing to protect. Security in depth depends upon what you are protecting and who you are protecting it from, and also entails your expenses and potential losses compared to what you are willing to pay for protecting your assets.

If all you're protecting is a database from unauthorized access, improper access, or accidental sabotage, the answers for what constitute best practices are merely a matter of doing Google searches for what the typical database threats are and avoiding the pitfalls.
Re: [PHP] PHP Security: Best Practices
On 8 August 2011 15:08, Jen Rasmussen wrote:
> Hello all,
>
> I am currently researching security best practices/methods. Can anyone offer
> any current resources/recommendations?
>
> My research thus far has included password hashing with salting/stretching,
> session hash defaults, session management & authentication, and prepared
> statements via PDO in addition to basic PHP.ini and .htaccess server
> settings and properly escaping and validating input/output.

Best practise can change as new threats and forms of attack become prominent. So, at the top of this list, I'd add "This list is subject to change". Anything you do today may well be circumvented tomorrow.

But the principle of Poka-Yoke does suggest that by only allowing valid and appropriate data into your code, you are drastically reducing the attack vectors.

I work in a multi-database and multi-DB-server environment. Nearly/almost always, I use stored procedures rather than building complex queries in PHP. I only allow me and users in the development team direct access to the tables. So, for the application to alter the DB, a stored procedure is written (my apps are accounting related so maybe some flexibility has been sacrificed - but the security is very strong).

I use Views either for simple result sets or for XML results depending upon the requirement - again - no access to the underlying tables.

The user credentials used for connecting to the DB are different from other user details and are forced to a specific machine.

All this sort of thing is set up once and done. It makes it very difficult for anyone to be able to fake the credentials, gain access to the DB tables or inject data outside of the constraints provided by the stored procedures.

--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
[PHP] A php bug or?..
Hi everyone,

As we all know, count() returns 1 if the variable is not an array. Question is: why in the world does it do this? If a variable is *not* an array, it contains *zero* array elements.

You can answer: "but no, man, you can say

    $x = "world";
    $y = $x{3}; // $y = "l"

so the variable is treated or can be treated as an array".

Well. If strings are treated like arrays, why doesn't count($x) return 5 instead of 1?

Just asking.

--
With best regards from Ukraine,
Andre
Skype: Francophile
Blog: http://oire.org/menelion
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion
Re: [PHP] A php bug or?..
On 9/08/2011, at 8:20 AM, Andre Polykanine wrote:
> Hi everyone,
>
> As we all know, count() returns 1 if the variable
> is not an array.
> Question is: why in the world does it this? If a variable is *notA* an array,
> it contains *zero* array elements.
> You can answer: "but no, man, you can say
> $x="world";
> $y=$x{3}; // $y="l"
>
> so the variable is treated or can be treated as an array".
> Well. If strings are treated like arrays, why count($x) doesn't return 5
> instead of 1?
> Just asking.
>
> --
> With best regards from Ukraine,
> Andre

I'm assuming it has to do with the value, if not an array or object, being cast as an array. Thus, non-false equivalent values get cast into an array of size 1:

    int(1) }
    array(0) { }

---
Simon Welsh
Admin of http://simon.geek.nz/
Re: [PHP] A php bug or?..
On Mon, Aug 8, 2011 at 16:20, Andre Polykanine wrote:
> Hi everyone,
>
> As we all know, count() returns 1 if the variable
> is not an array.
> Question is: why in the world does it this? If a variable is *notA* an array,
> it contains *zero* array elements.
> You can answer: "but no, man, you can say
> $x="world";
> $y=$x{3}; // $y="l"
>
> so the variable is treated or can be treated as an array".
> Well. If strings are treated like arrays, why count($x) doesn't return 5
> instead of 1?
> Just asking.

Using count() will return the number of items passed in the first parameter. If it's an array, each element is an item. If it's a string, the string is an item. If it's an object, logically, the items depend on what is contained in the object. However, at no time does it return the number of characters within a string --- instead, as you likely know, you'd use strlen().

--
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
Re: [PHP] A php bug or?..
Hello Daniel,

DPB> does it return the number of characters within a string --- instead,
DPB> as you likely know, you'd use strlen().

For sure. But I'm asking: why doesn't it return 0 if it is not an array? Logically: no array - no items!

--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion
Re: [PHP] A php bug or?..
On 8 Aug 2011, at 21:41, Andre Polykanine wrote:
> DPB> does it return the number of characters within a string --- instead,
> DPB> as you likely know, you'd use strlen().
>
> For sure. But I'm asking: why it doesn't return 0 if it is not an array?
> Logically: no array - no items!

The manual explains what the function does - you may want to check it out cos it does the same for all the other functions too.

"Returns the number of elements in var. If var is not an array or an object with implemented Countable interface, 1 will be returned. There is one exception, if var is NULL, 0 will be returned."

IOW, if you pass it a variable, that has one element, so it returns 1. An array may have 0 to many elements, and null, logically, has none. Rocket science this ain't!

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] A php bug or?..
On Mon, Aug 8, 2011 at 16:41, Andre Polykanine wrote:
>
> For sure. But I'm asking: why it doesn't return 0 if it is not an array?
> Logically: no array - no items!

No, actually, if it's a string, it's a single item --- thus, 1. The documentation should probably reflect that as well. It wasn't always this way before, though --- in older versions of PHP 5 it returned 0, and in all versions of PHP 4 it did as well. Also, keep in mind that a blank string still constitutes a string and will return 1, but null or nonexistent variables will still return 0.

--
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
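The practical consequence of the behaviour this thread describes, as an added example that is not from the thread: a naive `count($value) > 0` check accepts a plain string on PHP 5, since the string counts as one item. The helper name and the sample inputs are constructed; the note about PHP 8 throwing a TypeError for count() on non-countables is current behaviour, which is why the helper never calls count() on anything else.

```php
<?php
// Added example (not from the thread). Validation code that treats count()
// as "number of submitted elements" silently accepts a string on PHP 5
// (count('world') === 1, count('') === 1, count(null) === 0). On PHP 8,
// count() on a non-countable throws TypeError instead. strict_count() is a
// constructed helper that returns 0 for anything that is not countable.

function strict_count($value) {
    if (is_array($value) || $value instanceof Countable) {
        return count($value);
    }
    return 0;   // string, int, bool, null: not a collection, so no elements
}

// Require an array of integer-like ids; reject strings, nulls, and junk.
function validate_id_list($value) {
    if (strict_count($value) === 0) {
        return array();
    }
    $ids = array();
    foreach ($value as $item) {
        if (!is_string($item) && !is_int($item)) {
            return array();
        }
        if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $item)) {
            return array();
        }
        $ids[] = (int) $item;
    }
    return $ids;
}

// Constructed sample inputs mimicking what a request might carry.
$samples = array(
    'array of two'  => array('7', '9'),
    'empty array'   => array(),
    'plain string'  => 'world',     // legacy count() == 1, would pass a naive check
    'empty string'  => '',          // legacy count() == 1 as well
    'null'          => null,
    'bad element'   => array('7', '9; DROP'),
);

foreach ($samples as $label => $value) {
    printf("%-13s strict_count=%d valid_ids=%s\n",
           $label, strict_count($value), json_encode(validate_id_list($value)));
}
```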
[PHP] form hidden value
I'm trying to pass a hidden value with my form submission. Not sure what I am doing wrong, but the value is not being passed.

Query is:

    $query = "SELECT id, store_name FROM store_list WHERE store_type = '$type' AND id_market = '$market' ";
    $result = mysql_query($query) or die(report($query, __LINE__, __FILE__));

    while ($row = mysql_fetch_array($result)) {
        $store_name[] = $row['store_name'];
        $id[] = $row['id'];
    }
    sort($store_name);
    }

Form portion is

Any help is greatly appreciated.

Thank you.
Re: [PHP] form hidden value
On Mon, Aug 8, 2011 at 17:23, Chris Stinemetz wrote:
>

You should drop the quotes around the $id[] array, and also figure out how you want to extract the element from the array. For example:

--
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
RE: [PHP] form hidden value
First: use Firebug, or something like that, and check what gets "written" in the page's source!

Second: dump $_POST/$_GET, and check whether "id" is set at all.

Is your input field between the and tags?

Cheers,
Tamas

-----Original Message-----
From: Chris Stinemetz [mailto:chrisstinem...@gmail.com]
Sent: Monday, August 08, 2011 11:23 PM
To: PHP General
Subject: [PHP] form hidden value

> I'm trying to pass a hidden value with my form submission. Not sure what I am doing woring, but the value is not being passed.
>
> Query is___
>
> $query = "SELECT id, store_name FROM store_list WHERE store_type = '$type' AND id_market = '$market' " ;
> $result = mysql_query($query) or die(report($query,__LINE__ ,__FILE__));
> while($row = mysql_fetch_array($result)) {
> $store_name[] = $row['store_name'];
> $id[] = $row['id'];
> }
> sort($store_name);
> }
>
> Form portion is
>
> Any help is greatly appreciated.
>
> Thank you.
[PHP] pass text variables to next page
I am trying to pass text strings from one page to the next to populate the queries on the passed-to page. The only way I can get the query to work is if I am able to put single ticks around the string to make it literal, but I can't seem to figure out how to do it for the following line of code.

    echo '' . $row['store_name'] . '' . $row['store_type'];

When I dump the query and print("".print_r($_GET,true).""); I get the following respectively:

    SELECT store_id, store_subject FROM stores WHERE store_subject = Loma Vista 8712 Blue Ridge BlvdThe topic could not be displayed, please try again later.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Vista 8712 Blue Ridge Blvd' at line 3

    Array ( [id] => Loma Vista 8712 Blue Ridge Blvd )

The PHP code for the query is:

    $sql = "SELECT store_id, store_subject FROM stores WHERE store_subject = " . mysql_real_escape_string($_GET['id']);

The query works fine when I run the command in console and place '' around Loma Vista 8712 Blue Ridge Blvd.

Thank you,

Chris
Re: [PHP] pass text variables to next page
On Aug 8, 2011, at 11:58 PM, Chris Stinemetz wrote:

> I am trying to pass text strings from on page to a next to populate the queries on the passed to page. The only way I can get the query to work is if I am able to put single ticks around the string to make it literal, but I can't seem to figure out how to do it for the following line of code.
>
> echo '' . $row['store_name'] . '' . $row['store_type'];
>
> When i do a dump the query and print("".print_r($_GET,true).""); I get the following respectively:
>
> SELECT store_id, store_subject FROM stores WHERE store_subject = Loma Vista 8712 Blue Ridge BlvdThe topic could not be displayed, please try again later.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Vista 8712 Blue Ridge Blvd' at line 3
>
> The PHP code for the query is:
>
> Array ( [id] => Loma Vista 8712 Blue Ridge Blvd )
>
> $sql = "SELECT store_id, store_subject FROM stores WHERE store_subject = " . mysql_real_escape_string($_GET['id']);

Here, you need to insert single quotes around the search value in the WHERE clause:

    WHERE store_subject = '" . mysql_real_escape_string($_GET['id']) . "'";

If that's hard to read like it is on my mailer, it's:

    < SINGLEQUOTE > < DOUBLEQUOTE > < PERIOD > mysql_escape_string ($_GET['id'])

This then surrounds the data in the search string with single quotes for the SQL query.

> The query works fine When I run the command in console and place '' around Loma Vista 8712 Blue Ridge Blvd
>
> Thank you,
>
> Chris
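The same lookup written as a PDO prepared statement, as an added example that is not from this thread: this is the "prepared statements via PDO" item from the security thread at the top of the page, and it removes the quoting problem Chris hit, because the value is bound separately from the SQL text. It also shows the stored-procedure variant Richard Quadling describes. Table and column names come from the thread; the DSN, credentials and the procedure name `store_by_subject` are placeholders.

```php
<?php
// Added example (not from the thread). The concatenated query in the thread
// is only safe when the value is both escaped AND single-quoted, and the
// mysql_* extension was removed in PHP 7. A prepared statement binds the
// value outside the SQL text, so quoting and escaping are the driver's job.
// DSN, credentials and the procedure name are placeholders.

function connect_db() {
    return new PDO(
        'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
        'DB_USER',
        'DB_PASS',
        array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        )
    );
}

// Direct table query with a named placeholder; no quotes around :subject.
function find_store(PDO $db, $subject) {
    $stmt = $db->prepare(
        'SELECT store_id, store_subject FROM stores WHERE store_subject = :subject'
    );
    $stmt->bindValue(':subject', $subject, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stored-procedure form: the application account needs only EXECUTE on the
// procedure, not SELECT on the table (procedure name is assumed).
function find_store_via_proc(PDO $db, $subject) {
    $stmt = $db->prepare('CALL store_by_subject(:subject)');
    $stmt->bindValue(':subject', $subject, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect_db();
$subject = isset($_GET['id']) ? $_GET['id'] : '';   // e.g. "Loma Vista 8712 Blue Ridge Blvd"

foreach (find_store($db, $subject) as $row) {
    // Output escaping on the way back out, the other half of the checklist.
    echo htmlspecialchars($row['store_subject'], ENT_QUOTES, 'UTF-8'), "\n";
}
```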