PHP Security's tag archives

PHP Security, Error Reporting

PHP contains many levels of error reporting, and it is a very useful addition to the developer's tool kit. By reporting runtime errors, error reporting lets the developer know what problem has occurred, the path name and file name of the script that has the error, the function name that has possibly caused the error, and the line number on which the error occurred. Should a malicious user succeed in causing an error on a site, all this information about the system is gained from the error output.
PHP Security, Including Files

This is rather basic, but many scripts still exist with file inclusion from GET. Too often, scripts appear with the following type of line
PHP Security, Email Header Injection
Email header injection is a leading cause of spam on the internet and comes from a simple omission when accepting user input from forms. Failure to adequately strip out possible injection characters leaves the headers easy prey to spammers, and when a spammer uses a form to send tens of thousands of emails around the world, it is that domain that will find its way onto blacklists.

As an example, a simple contact form may have the fields "name", "from", "subject" and "message". Let's look at a simple HTML form
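The form itself is not reproduced here. As an added example that is not part of the original post, below is the PHP handler such a form would submit to, first in the unsafe shape the post warns about and then hardened; the field names come from the post, while the recipient address and the length limits are assumptions.

```php
<?php
// Added example, not from the original post. Handles a POSTed contact form
// with the fields "name", "from", "subject" and "message"; the recipient
// address and the length limits are assumptions.

// Unsafe: the submitted value goes straight into a mail header. A CR/LF
// inside "from" terminates the From: line, so whatever follows it is
// treated as further headers by the mail transport.
function send_contact_unsafe(array $post): bool
{
    $headers = "From: " . $post['from'] . "\r\n";
    return mail('webmaster@example.com', $post['subject'], $post['message'], $headers);
}

// Returns the trimmed value, or null if it is too long or carries any
// character that could break out of a single header line.
function clean_header_value(string $value, int $max_len): ?string
{
    if (strlen($value) > $max_len || preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    return trim($value);
}

// Hardened: validate the address, refuse CR/LF/NUL in every header field,
// cap lengths (the type and length checks) and log the rejection so that
// injection attempts show up in the server logs.
function send_contact_safe(array $post): bool
{
    $from    = filter_var($post['from'] ?? '', FILTER_VALIDATE_EMAIL);
    $name    = clean_header_value($post['name'] ?? '', 100);
    $subject = clean_header_value($post['subject'] ?? '', 200);
    if ($from === false || $name === null || $subject === null) {
        error_log('contact form: header input rejected from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return false;
    }
    // Angle brackets and quotes would let the name masquerade as an address.
    $name = str_replace(['<', '>', '"'], '', $name);
    // The body is not a header; newlines there are harmless, but cap its size.
    $message = substr((string) ($post['message'] ?? ''), 0, 5000);
    $headers = "From: {$name} <{$from}>\r\nReply-To: {$from}\r\n";
    return mail('webmaster@example.com', $subject, $message, $headers);
}
```

Rejecting the whole submission rather than silently stripping the offending characters keeps the log entry, which is what tells you the form is being probed.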
PHP Security, Type and Length

The minimum checks on any variables coming from other sources are for type and length. These types of checks help to assure that the data being received is of the type and length that is expected. An example might be a numeric value that is required. If the number needs to be between 1 and 10 and a user submits 999, there is a possibility of causing an error or warning that is displayed in the browser. These warnings give information about the path of the script that caused the error, and so a malicious user gains valuable information about the system for an attack.
PHP Security, PHP_SELF

PHP's superglobal arrays are a great tool for accessing various input globally from scripts. The $_SERVER superglobal array contains a very useful member, $_SERVER['PHP_SELF']. This globally available, predefined variable provides the filename of the currently executing script. However, it is vulnerable to cross-site scripting (XSS) attacks. On its own it works fine, as this example shows.