  1. #1 Michael Morris ("I solve practical problems."), Knoxville TN, joined Jan 2008, 2,026 posts

    Quick Security Audit please

    This code is for a microsite where the client wants their twitter feed to be displayed. The site is completely static other than this element so I've decided to use a cache file instead of a database.

    The twitter class in use is here: http://github.com/j7mbo/twitter-api-php

    Code php:
    $content = null;
    $cacheFile = dirname(__FILE__).'/cache/twitter.json';
     
    if (file_exists($cacheFile)) {
    	$cached = json_decode(file_get_contents($cacheFile));
    	// An empty or corrupt cache file decodes to null; treat that as a cache miss
    	// instead of reading properties off a non-object. 1200 seconds is a 20 minute window.
    	if (is_object($cached) && isset($cached->checktime, $cached->tweets)) {
    		$content = ($cached->checktime + 1200 > time()) ? $cached->tweets : null;
    	}
    }
     
    if (is_null($content)) {
     
    	$twitter = new TwitterAPIExchange(array(
    	    'oauth_access_token' => 'redacted',
    	    'oauth_access_token_secret' => 'redacted',
    	    'consumer_key' => 'redacted',
    	    'consumer_secret' => 'redacted'
    	));
     
    	$content = array(
    		'tweets' => json_decode($twitter->setGetfield('redacted')
    			->buildOauth('https://api.twitter.com/1.1/statuses/user_timeline.json', 'GET')
    			->performRequest()
    		),
    		'checktime' => time()
    	);
    	// LOCK_EX serialises concurrent writers so two requests cannot interleave their output.
    	file_put_contents($cacheFile, json_encode($content), LOCK_EX);
    	$content = $content['tweets'];
    }

    The goal is to hit the API only once an hour and pull the most recent tweet. Presuming the cache directory permissions are as strict as possible (the webserver will be able to write), are there any security implications I'm overlooking?

    The only hardening I can think of is to position the cache directory outside the webserver browse scope.

  2. #2 SitePoint Enthusiast, joined Sep 2013, 39 posts
    I don't think there are any as far as I can see. What are you worried about anyway? They are only tweets.

  3. #3 Michael Morris ("I solve practical problems."), Knoxville TN, joined Jan 2008, 2,026 posts
    I get nervous around disk writes.

  4. #4 ScallioXTX (Utopia, Inc.), The Netherlands, joined Aug 2008, 9,067 posts
    You could go for SQLite instead. But it looks good as far as I can tell. One thing I'd change is lose the checktime you have in the JSON file, and use the mtime of the file instead. Not for security, but to ensure you don't store data you don't actually need to store.
    Rémon - Hosting Advisor
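The mtime approach suggested above, written out as an added example (not code from the thread or from the twitter-api-php library). It assumes a hypothetical cache path outside the document root and a caller-supplied $fetch callable, and it replaces the in-place write with a temp-file-and-rename so a concurrent request never reads a half-written file; tweet text still needs htmlspecialchars() when it is rendered into the page.

```php
<?php
// Added example, not code from the thread: an mtime-based file cache for the tweet feed with
// a hardened disk write. $fetch is a caller-supplied callable returning the API's raw JSON
// string; the cache path in the usage comment is a hypothetical directory outside the web root.

function cachedFeed(string $cacheFile, int $ttl, callable $fetch): ?array
{
    // Freshness comes from the file's mtime, so no timestamp is stored inside the JSON.
    clearstatcache(true, $cacheFile);
    if (is_file($cacheFile) && filemtime($cacheFile) + $ttl > time()) {
        $cached = readJson($cacheFile);
        if ($cached !== null) {      // a corrupt or truncated file is a miss, never served
            return $cached;
        }
    }

    $body   = $fetch();
    $tweets = is_string($body) ? json_decode($body, true) : null;
    if (!is_array($tweets)) {
        return readJson($cacheFile);   // API failure: serve the stale copy, cache nothing
    }

    // Atomic replace: write a temp file (created 0600 by tempnam) in the same directory,
    // then rename it over the cache file, so a reader sees the old or the new document,
    // never a partial one (LOCK_EX alone does not protect readers using file_get_contents).
    $tmp = tempnam(dirname($cacheFile), 'twitter.');
    if ($tmp !== false
        && file_put_contents($tmp, json_encode($tweets), LOCK_EX) !== false
        && rename($tmp, $cacheFile)) {
        return $tweets;
    }
    if ($tmp !== false) {
        @unlink($tmp);
    }
    return $tweets;   // fresh data is still returned when the cache cannot be written
}

// Decode a cache file; null for a missing, unreadable or malformed file.
function readJson(string $file): ?array
{
    $raw  = is_file($file) ? file_get_contents($file) : false;
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Usage, with the TwitterAPIExchange wiring from the first post (getfield left redacted):
// $tweets = cachedFeed('/var/cache/microsite/twitter.json', 3600, function () use ($twitter) {
//     return $twitter->setGetfield('redacted')->buildOauth('https://api.twitter.com/1.1/statuses/user_timeline.json', 'GET')->performRequest();
// });
```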

