[ale] Seven Deadly Sins - PHP

George Carless kafka at antichri.st
Tue Jun 10 21:57:03 EDT 2003


At 09:40 PM 6/10/2003 -0400, you wrote:
>I'm going to have to touch on this and then read the article later. I
>have been working with PHP for roughly 4 years now. Here's my findings.

><snip>

The thing is, all of the potential problems that you detail are things that 
should largely be addressed at a lower level, anyhow: don't give PHP (or 
Apache) permissions that it doesn't need.  Use safe_mode.  Don't allow 
untrusted users to run PHP -- or anything else -- on an arbitrary 
basis.  If you must support clueless users, stick 'em in a sandbox.  Leave 
register_globals turned off.  Leave file uploads turned off.  etc. etc.


>I do have some snippets of PHP at www.tqlabs.com and invite anyone to
>look at them. They are the "frontdoor and keys" to www.myroads.net. Feel
>free to poke around and either prove or disprove my points. I am
>interested in hearing other opinions on this matter.

I couldn't quite tell from the context whether this was your own code, or 
someone else's code which you're using to support your cautions.  Assuming 
the former - I've only taken a very brief look, but it seems as though your 
config file with your login and password for the database is sitting in a 
web-accessible location... this is clearly a no-no.  You also don't seem to 
be escaping your variables before passing them to mysql, though I'm not 
sure off-hand whether DB.php does this for you, or if you have quotes being 
"automagically escaped" by PHP.

Finally, I don't see anywhere that you expire sessions in your 
database.  Of course, you may not wish to be doing so.

Cheers,
--George
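As an added example (not code from the original post or from the tqlabs.com snippets it discusses), the three points George raises, written out in PHP: a config file that holds the database credentials kept outside the document root, the same user lookup with the value interpolated into the SQL string versus bound as a prepared-statement parameter, and a session-expiry query against the database. Table and column names (users, username, password_hash, sessions, last_seen), the config path and the config keys are assumptions; PDO and password_verify are standard PHP.

```php
<?php
declare(strict_types=1);

// Credentials live one level above the web root, so the web server can
// never serve the file as plain text. The path and the returned keys
// (dsn, user, pass) are assumptions for this example.
$config = require __DIR__ . '/../config/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Unescaped version: the username is pasted straight into the SQL text.
// It only behaves as long as something else (magic_quotes_gpc, a DB
// wrapper) happens to escape quote characters for you; with that off,
// any value containing a quote breaks the query or changes its meaning.
function findUserUnescaped(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Parameterised version: the value is bound separately from the SQL, so
// the database never parses it as part of the statement, whatever it
// contains. No reliance on PHP's escaping settings.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Session expiry in the database: drop rows idle longer than the limit.
// Returns the number of sessions removed. Call it per request or from cron.
function expireSessions(PDO $pdo, int $idleSeconds = 1800): int
{
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE last_seen < :cutoff');
    $stmt->execute([':cutoff' => date('Y-m-d H:i:s', time() - $idleSeconds)]);
    return $stmt->rowCount();
}

// Usage: check a login with the parameterised lookup, then clean out
// stale sessions. password_hash() is assumed to hold a password_hash() value.
$user = findUser($pdo, $_POST['username'] ?? '');
if ($user !== null && password_verify($_POST['password'] ?? '', $user['password_hash'])) {
    // create the session row for $user['id'] here
}
$removed = expireSessions($pdo);
```

The unescaped function is kept only to show what the advice is about; the point of the parameterised form is that correctness no longer depends on register_globals, magic_quotes or a wrapper library doing the escaping on your behalf.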

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
