Comments on Writing Secure PHP, Part 2 - AddedBytes.com

Comment on Writing Secure PHP, Part 2

Comment by Web ( )

Thank you so much for the posts! Very very helpful, I appreciate you for writing these security issues in PHP, I've learned quite a bit! CHEERS!

Comment on Writing Secure PHP, Part 2

Comment by Jamie ( )

Great article! Thanks for sharing your knowledge!

Is there any reason you can't use .htaccess to protect your .inc files (like below) without putting them in an /include folder?

.htaccess file:

Order allow,deny
Deny from all

I was under the impression this was safe...

Comment on Writing Secure PHP, Part 2

Comment by Malanie ( http://aber-natuerlich.de )

Good article. Event it is from 2005 the issues are still there. Advanced search technics like google's inurl makes it realy easy to find sites which use include folder, .inc files or whatever you are interestet in.

Comment on Writing Secure PHP, Part 2

Comment by Alan Walker ( http://www.highforce.com )

I have found the best way for looking at input, is to check the value for http or the length of the input as well as commands that should not be in there like ? = , as these script kiddies will do anything to hack your programs.
All the best from Alan

Comment on Writing Secure PHP, Part 2

Comment by Anonymous ( )

I do like this.. at the top of the include file.

if ($ping != "pong")
{
echo 'Redirect here, or print something :p';
exit;
}

then in the script that's including it:

$ping = "pong";
include(yourfile.....);

Seems to work fine too.

Comment on Writing Secure PHP, Part 2

Comment by Frederik ( http://www.misterbob.nl )

Don't use safe mode, it will be dropped in PHP6

Comment on Writing Secure PHP, Part 2

Comment by alex boia ( )

ok..so there are a lot of comments and so little time for me to read them. so i'm sorry if what that the topic this reply adresses has been already covered. but enough with the smalltalk.:)
what i wnat to say is that if you want to protect your inlcuded php files to be executed from outside the script that uses them you can use something like:
define ('IS_INCLUDED_SOMEFILE', true);
require_once 'somefile.php';
?>
in the script that requires the file and
if (!defined('IS_INCLUDED_SOMEFILE')) exit;
if (IS_INCLUDED_SOMEFILE !== true) exit;
?>
in the required file.
works very fine, as you define this constant only where you need to include the files
?>

Comment on Writing Secure PHP, Part 2

Comment by shopje ( http://www.shopje.net )

This one is a bit an expansion and elaboration to former part1 .
I missed the usefull code examples you used in part 1.
How about buffer overflows?
Maybe you could be elaborating cross site scripting attacks?
More methods of sql injection?
Maybe a "best way to secure" part with the code examples to use for the newbies among us.
And please get that link for a printable version.
I of to read part 3

Comment on Writing Secure PHP, Part 2

Comment by Dave Child ( http://www.addedbytes.com )

Hi Keith.

It's not the code that is the risk, it's what the code can do. Administration files can delete and modify information, and administration areas have the same capabilities - someone managing to access these files could cause serious problems to a site.

Comment on Writing Secure PHP, Part 2

Comment by Keith ( )

Quote: "Placing important files in predictable places with predictable names is a recipe for disaster."

As long as I name my files .php what is the problem? I have seen several sites that tell you to put the includes outsite of the root, but I have not seen an explanation as to why this is critical - as long as the file is parsed?

Thanks.