  1. #1 subnet_rx (SitePoint Wizard, joined Aug 2001, Hattiesburg, MS)

    How safe is PHP?

    I've read a book recently that suggests that I should "sanitize" every variable coming from user input.

    How safe is it to use forms and PHP? Using simple code (e.g. $_POST) and suggested ini settings (safe mode on, globals off)?

    What percentage of time do you devote to security for a particular script?

  2. #2 mark_W (SitePoint Wizard, joined Mar 2004, West Midlands, United Kingdom)
    Security should always be treated as a priority. In terms of user input via forms, you should validate everything. Get rid of unwanted characters, strip slashes, etc. You should always have register_globals set to off.

    Mark
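As an added example (not mark_W's code, and not from the original thread), the following shows why the register_globals advice in post #2 matters. With register_globals=On, PHP turned every request parameter into an ordinary variable; the directive was removed in PHP 5.4, so the vulnerable half below reproduces its effect with extract() over a constructed request array. checkPassword() and the password value are placeholders for illustration.

```php
<?php
// Added example, not code from the thread. Demonstrates the classic
// register_globals bypass and the hardened equivalent.
// Assumptions: checkPassword() is a placeholder; the request arrays are
// constructed here, not taken from a real server.
declare(strict_types=1);

function checkPassword(string $candidate): bool
{
    // Placeholder for illustration. A real application would store a hash
    // and call password_verify(); hash_equals() is used so the comparison
    // does not leak timing information.
    return hash_equals('correct-horse', $candidate);
}

// Vulnerable: $is_admin is assigned only on the success path, and the
// request parameters have been turned into variables at the same scope.
// extract() here stands in for what register_globals=On did automatically.
function vulnerableIsAdmin(array $request): bool
{
    extract($request);                  // ?is_admin=1 now defines $is_admin
    if (isset($password) && checkPassword($password)) {
        $is_admin = true;
    }
    return !empty($is_admin);           // true for the attacker's request
}

// Hardened: initialise every variable before use, and read input only from
// the array you expect it in, never from a variable the client can name.
function hardenedIsAdmin(array $post): bool
{
    $is_admin = false;
    $password = $post['password'] ?? '';
    if (is_string($password) && checkPassword($password)) {
        $is_admin = true;
    }
    return $is_admin;
}

// Startup check for old interpreters: refuse to run with the directive on.
// On PHP >= 5.4 ini_get() returns false for the unknown directive, so this
// simply passes.
function registerGlobalsIsOff(): bool
{
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

if (!registerGlobalsIsOff()) {
    exit("register_globals is on; refusing to run.\n");
}

// Constructed requests: the first carries no password at all.
$attack = ['is_admin' => '1'];
var_dump(vulnerableIsAdmin($attack));
var_dump(hardenedIsAdmin($attack));
var_dump(hardenedIsAdmin(['password' => 'correct-horse']));
```

The constructed request with only is_admin=1 passes the vulnerable check and fails the hardened one; only the request carrying the placeholder password passes the hardened version. The same mistake survives register_globals in any code that calls extract() or import_request_variables() on request data, which is why the fix is to initialise variables and read $_POST/$_GET explicitly rather than to rely on the ini setting alone.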

  3. #3 Icheb (Non-Member, joined Mar 2003, Germany)
    PHP is as safe and as unsafe as you want it to be. It's neither inherently unsafe nor inherently safe.

  4. #4 redhits (Non-Member, joined May 2004, Romania)
    If you want it to be safer try to always use $_SESSION ...

  5. #5 Icheb (Non-Member, joined Mar 2003, Germany)
    Yeah ... as ... if ... that's ... any ... safer ... than ... other ... approaches ...

  6. #6 subnet_rx (SitePoint Wizard, joined Aug 2001, Hattiesburg, MS)
    Well, obviously there are safeguards built into the language; my question was, are they enough? The same book tells me to use $_SESSION, but Icheb doesn't think even that's enough. Like I said, I could spend 90% of script production researching and writing security code, or 5%. What's a suitable level of security for a script?

  7. #7 Icheb (Non-Member, joined Mar 2003, Germany)
    It always, always depends on how you implement it. Do you check that you only ever process the input you expect? For example, do you make sure you process numbers when you expect only numbers? Are you safe concerning SQL injection attacks and cross-site scripting attacks?
    If so, you have already made sure most of the hacking attempts done on the internet fail.
    You don't have to spend 90% of your time on security. The most you can do is always think about how your script could be abused and hacked, and then build safeguards to make sure that won't happen.
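As an added example that is not part of the thread (it is neither Icheb's nor mark_W's code), here is what the three checks Icheb lists in post #7, and the "validate everything" advice in post #2, look like in PHP: accept only the type you expect, keep data out of the SQL text with a prepared statement, and escape on output. Assumed: PDO with the pdo_sqlite extension, and a `products` table that the script builds in memory with constructed rows; the simulated requests are constructed too.

```php
<?php
// Added example, not code from the thread. Validates an id, queries with a
// prepared statement, and escapes the result for HTML.
// Assumptions: pdo_sqlite is available; the products table and the request
// arrays below are constructed for the demonstration.
declare(strict_types=1);

// 1. Accept only what you expect: a positive integer id.
//    filter_var returns false for "12abc", "1 OR 1=1", "", arrays, null.
function readProductId(array $input): ?int
{
    $id = filter_var(
        $input['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX]]
    );
    return $id === false ? null : $id;
}

// 2. SQL injection: the query text never contains user data. The value is
//    bound separately and typed as an integer.
function fetchProduct(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Cross-site scripting: escape on output, for the context it lands in.
//    ENT_QUOTES covers both quote styles so attribute values are safe too;
//    ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Constructed data: in-memory SQLite with one deliberately hostile row ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Widget <script>alert(1)</script>')");

// Constructed requests: one honest, two hostile.
$requests = [
    ['id' => '1'],
    ['id' => '1 OR 1=1'],
    ['id' => '<b>x</b>'],
];

foreach ($requests as $get) {
    $id = readProductId($get);
    if ($id === null) {
        // Reject and stop. Do not "clean" the value and carry on: a value
        // that fails validation is not input you expected.
        echo 'Rejected input: ' . h((string) $get['id']) . "\n";
        continue;
    }
    $row = fetchProduct($db, $id);
    echo $row === null
        ? "No product $id\n"
        : 'Product: ' . h($row['name']) . "\n";
}
```

The order matters: validation happens once at the boundary, the database sees only a typed integer, and escaping happens at the point of output because the stored name (which contains a script tag here on purpose) is data, not markup. Stripping characters on input, as the book in post #1 suggests, would corrupt legitimate names and still not protect a value that later ends up in a different context such as a JavaScript string or a URL.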

