Jump to content

General Security Considerations


Recommended Posts

I don't know of a concise checklist, but can provide two key phrases for web searches: "sql injection" and "remote file inclusion".

 

SQL injection is specific to db applications. When you receive any input from a user, it's important to prevent them from embedding SQL statements in their input that subsequently get passed into your code, causing malicious data to be added into the database or secret data to be divulged from it. Prevention consists of careful coding practices in your code that receives and processes the user input.

 

Remote file inclusion (RFI) results when a) the server is configured so that a command such as a PHP include() is permitted to fetch the include file from a site other than the local one (i.e. the include file is in URL form with http: or ftp: in front of it), and b ) a malicious user or robot provides input containing a malicious URL, and c) the input-processing code accepts the user input as-is, fetches the malicious remote file, includes it into the currently executing script, allowing it to do its damage. Prevention consists of a server configuration that prohibits inclusion of non-local files, processing code (or .htaccess) that rejects malicious requests, and processing code that filters incoming data, only performing the include when the data matches expected permissible values.

 

Web searches on those will likely lead you to any lower priority things to be concerned about.

 

Another is called "cross-site scripting", but that isn't specific to a db-application or to PHP.

Edited by SteveW
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...