Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Anyone have some basic security tips for PHP-programmers?

Re: Anyone have some basic security tips for PHP-programmers?

From: Sverre H. Huseby <shh_at_thathost.com>
Date: Tue, 25 Nov 2003 22:18:03 +0100

[Ulf Härnhammar]

| Moral of the story: always check lengths as well, [...]

[Andreas]

| Those are all bugs in the program being called. I see your point,
| but the solution in this case is to patch the flawed program.

I think you should nevertheless check the length. When validating
input, you check that the input match the rules of your application.
If input will end up in a database field of type VARCHAR(64), then
your application sort of expects the length to be no longer than 64,
and should check that it in fact is below this limit. Not just to
prevent buffer overflows down below, but to make sure there are no
unforeseen side effects (neither for the application nor for the poor
user).

Just my two kroner (NOK/DKK) / kronor (SEK). (to keep it Scandinavian)

Sverre. 

-- 
shh_at_thathost.com
http://shh.thathost.com/
Received on Nov 25 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos