Larry Ullman's Book Forums

Showing results for tags 'security'.
Found 17 results

  1. Hi Larry, I am loving the book, as I work towards converting lots of Classic ASP to PHP 7. I have in the past created hundreds of Stored Procedures in MSSQL. One thing that has bugged me in the past was that I found it hard to search for variables, etc., in the Stored Procedures when I changed something. In addition to liking the fact that they will be in my (easily searchable) code, I like the security and performance perks of using Prepared Statements as I translate these Stored Procedures... but I am wondering: Would Stored Procedures or Stored Functions be faster than Prepared Statements? Again, thank you for making such an excellent book - it's really helping me get up to the next level in my coding abilities. Thanks, Jim
  2. Really enjoying your book. On page 345 you mention that file uploads entail creating a folder that everyone can write to (chmod 777). Wouldn't the best practice be to change the owner to www-data and set chmod 755 (on Linux systems)? Would this pose similar or any security risks? Would you still want to configure the .htaccess file (to restrict the folder so that only mp3s are publicly viewable, for instance)?
  3. I have a website that I am going to turn into a store, and I am reading your book. It says that it might be best to use an SSL connection only on pages where it is needed. I don't know how to implement SSL only on specific pages. How do we do that? Right now I only know how to either add it to every page using the .htaccess file or not at all. What code do I use to make only some pages secure? Because if I only use https on some links, if I click on a page of my site that doesn't have https and then click on a page that does, my browser then makes all the other links I click on in my site use https too. Is that normal? That is also after I remove my .htaccess code that makes all pages use https.
  4. Hello: I am reading this book and following along with the examples. I finished ex1 and I am testing the site. I notice that when I log out from an account and then refresh the page, I go back to index.php (which is OK). Now the problem is when I use the back button of the browser. If I go back to the log-out page and then back again (to the page where I logged out from), at first there will be an error, but if I refresh the page there, I am logged back in with all the credentials as if I never logged out. This of course is a flaw. Imagine I am in a public place and I log out of a site and go. Then someone (accidentally or maliciously) sits at the same PC and hits back on the browser twice, and all of a sudden he is logged in to my account. My question is: how can I fix this security hole? Can someone point me in the right direction? Thank you. By the way, Mr Ullman, if you are reading this: GREAT BOOK!!! Sorry for the long post. Thank you in advance to all who answer.
  5. Right now on the website I created, when someone is logged in they can go to the URL in the address bar and change the id number associated with the URL. For example, one page I have is add_image.php?id=4, where 4 is the id associated with the article. If someone changes the 4 to a 7, for example, then my page will show the other user's data without them even entering that other person's login info. How do I make sure people can't see other users' data when they change the id number? I am using the scripts from this book. Maybe I missed something. I am using sessions properly as far as I can tell. I really would need some help with this. Please give an example of secure code to use. Thank you.
  6. My local newspaper had a short article: "5-year-old beats Xbox security". A 5-year-old San Diego boy has outwitted the sharpest minds at Microsoft: he's found a backdoor to the Xbox. He logged into his father's Xbox Live account. When the password login screen appeared, he simply hit the space bar a few times and hit enter. His father noticed him playing games he supposedly couldn't access. They reported the issue to Microsoft, which fixed the bug and listed the boy on its website as a "security researcher". Probably most of us are doing our security the way Larry taught us, and I hope we are smarter than Microsoft.
  7. Hi, I recently restructured a website along the modularization lines (page 44 onwards). The content modules all start with a check to see if the BASE_URL constant has been defined and redirect the user if it has not been defined. This is clear and works just fine in the visitor-accessible part of the site. In the administration part of my website, the modules also check to make sure that an administrator is using the script via a check to a session set up like page 82 onwards. I am having trouble with 'headers already sent' and understand why this is happening and know how to fix that. But my question is do I need both the BASE_URL constant check as well as the administrator/session check in the admin content scripts? There are no financials in the website and also no sensitive data in the database though I need to ensure that non-administrators cannot use the admin scripts. Your thoughts/advice will be welcomed. Cheers from Oz.
  8. For security reasons Larry says we should create certain folders outside of the "httpdocs" or main web directory. My web hosting company will not let me. This web hosting company is inexpensive, just about $48.00 a year for domain and all. I think I need to change because of the security concerns. Would you agree? If so, are there some hosting companies that you suggest? Or can I set up an old XP or Win 98 computer to be a web server and have it be as inexpensive to run? Thanks for your input.
  9. Two problems with my code: filter_var doesn't seem to work at all for any of my variables, and the spam_scrubber function doesn't seem to clean \r and \n when they are put in my contact form; it cleans all the rest just fine.

     <?php // resources.php
     function spam_scrubber($value) {
         // Reject any value that contains a mail-header keyword (header-injection defence).
         $very_bad = array('to:', 'cc:', 'bcc:', 'content-type:', 'mime-version:', 'multipart-mixed:', 'content-transfer-encoding:');
         foreach ($very_bad as $v) {
             if (stripos($value, $v) !== false) return '';
         }
         // Replace raw and URL-encoded line breaks with spaces. These match real CR/LF
         // characters, not the two-character text sequences \r or \n typed into a field.
         $value = str_replace(array("\r", "\n", "%0a", "%0d"), ' ', $value);
         return trim($value);
     } // end of spam_scrubber function

     // Re-display a submitted value safely: escape it before echoing into an HTML attribute.
     function form_value($scrubbed, $key) {
         return isset($scrubbed[$key]) ? htmlspecialchars($scrubbed[$key], ENT_QUOTES, 'UTF-8') : '';
     }

     $scrubbed = array_map('spam_scrubber', $_POST);

     // filter_var() does not modify its argument; it returns the validated value or false,
     // so the result must be assigned. FILTER_SANITIZE_* constants are filters, not flags,
     // and cannot be passed as the third argument.
     $comments     = isset($scrubbed['comments'])     ? strip_tags($scrubbed['comments']) : '';
     $url          = isset($scrubbed['url'])          ? filter_var($scrubbed['url'], FILTER_VALIDATE_URL) : false;
     $url2         = isset($scrubbed['url2'])         ? filter_var($scrubbed['url2'], FILTER_VALIDATE_URL) : false;
     $linkpageurl  = isset($scrubbed['linkpageurl'])  ? filter_var($scrubbed['linkpageurl'], FILTER_VALIDATE_URL) : false;
     $linkpageurl2 = isset($scrubbed['linkpageurl2']) ? filter_var($scrubbed['linkpageurl2'], FILTER_VALIDATE_URL) : false;
     $email        = isset($scrubbed['email'])        ? filter_var($scrubbed['email'], FILTER_VALIDATE_EMAIL) : false;
     $pagerank     = isset($scrubbed['pagerank'])     ? filter_var($scrubbed['pagerank'], FILTER_VALIDATE_INT) : false;

     if (!empty($email) && !empty($url) && !empty($linkpageurl) && !empty($comments) && !empty($pagerank)) {
         $body = "Email: {$email}\n\nUrl: {$url}\n\nUrl2: {$url2}\n\nPagerank: {$pagerank}\n\nLinkpageurl: {$linkpageurl}\n\nLinkpageurl2: {$linkpageurl2}\n\nComments: {$comments}";
         $body = wordwrap($body, 70);
         $headers = "From: {$email}\r\n";
         mail('email@example.com', 'Link Exchange Form Submission', $body, $headers);
         echo '<p><em>Thank you for contacting us.</em></p><div id="formecho"><h3>Form submission received, we will get back to you soon.</h3></div>';
         $_POST = array();
     } else {
         echo '<p style="font-weight: bold; color: #C00">Please fill out the form completely.</p>';
     }
     ?>
     <div id="form">
     <form action="linkexchangecontactform2.php" method="post">
     <p><b>Email:</b> <input type="text" size="30" maxlength="50" name="email" value="<?php echo form_value($scrubbed, 'email'); ?>" /></p>
     <p><b>Url:</b> <input type="text" size="30" maxlength="50" name="url" value="<?php echo form_value($scrubbed, 'url'); ?>" /></p>
     <p><b>2nd Url (leave empty if you have just 1 website):</b><br />
     <input type="text" size="30" maxlength="50" name="url2" value="<?php echo form_value($scrubbed, 'url2'); ?>" /></p>
     <p><b>Pagerank:</b> <input type="text" size="5" maxlength="10" name="pagerank" value="<?php echo form_value($scrubbed, 'pagerank'); ?>" /></p>
     <p><b>Link page url:</b> <input type="text" size="30" maxlength="50" name="linkpageurl" value="<?php echo form_value($scrubbed, 'linkpageurl'); ?>" /></p>
     <p><b>2nd Link page url (leave empty if you have just 1 website):</b><br />
     <input type="text" size="30" maxlength="50" name="linkpageurl2" value="<?php echo form_value($scrubbed, 'linkpageurl2'); ?>" /></p>
     <p><b>Comments:</b><br>
     <textarea name="comments" rows="7" cols="40"><?php echo form_value($scrubbed, 'comments'); ?></textarea></p>
     <p><input type="submit" name="submit" value="Submit" /></p>
     </form>
     </div>
  10. Hello, I'm new to this forum, and unsure whether or not this is the right place to post this. I'm working on a membership system for a local organization which initially will have contact information (names, addresses, telephone numbers, email addresses, birth dates, etc.) as well as other info related to the organization in a MySQL database. There are no plans to add data that is any more sensitive (i.e. credit card numbers), and we will never be doing any kind of e-commerce. There is also a separate part of the existing site, created using WordPress, that (as far as I can see) has no need whatsoever to be secured with https. But because there is a login for managing this contact information, I am asking: is it recommended, or even necessary, that the site use https for the pages behind the login? And, if it is indeed recommended, are there sites you can recommend for implementing this: info about SSL certificates, etc.? Thanks very much, and especially thank you for your books. I have PHP and MySQL for Dynamic Web Sites, and I've been using it since 2006.
  11. I have various questions, inspired by the book "Effortless E-Commerce With PHP and MySQL", regarding website security. Question #1: On page 34, it discusses using the open_basedir setting. How is this achieved exactly? I am assuming this is something you write into a php.ini file, but there was not a php.ini file in the downloadable example scripts. What would the code in the php.ini file look like exactly? Question #2: On page 35, it discusses changing a setting to disable register_globals. How is this achieved exactly? Question #3: On page 36, it discusses changing the sessions directory. First, is this referring to this kind of session: $_SESSION['myName'] = "Johnny"; ? Second, how is this done? Do I get this directory changed by talking to the tech support peeps at my hosting company? Question #4: On page 36, it discusses changing MySQL so that it is only accessible from localhost or 127.0.0.1. Afterward, being able to change the options --skip-name-resolve and --skip-networking. How is this done? Is all of this done via the hosting company's cPanel or by working with the hosting company's tech support? Thank you for getting me pushed in the right direction.
  12. I really like your book! I wish I knew PHP & MySQL as well as you do! Anyway, I intend to have an e-commerce site going someday and security is of course something I'm paranoid about. I don't trust myself with handling all the security because I'd never feel peace of mind. Are there companies who test the security of your website for you? You know... who try to mess things up, look for holes, try to get the information you're protecting, etc., then report to you what needs to be changed. You'd have to trust these companies of course... Thanks
  13. Hi All, I'm on page 41 (in Security Fundamentals). Referring to: "For sensitive data being stored, but not stored in a database, change your sessions directory, and use the Web root directory's parent folder (see Figure 2.5)." Could someone elaborate on what this means? I'm not sure what a sessions directory is. When it refers to "sessions", is it talking about session variables that we can create? Like if I wanted to store the logged-in user's first name in $_SESSION['userFirstName']? Is temporarily storing potentially sensitive data in session variables not secure? I'm pretty new at this, so please use plenty of layman's terms. Thank you so much.
  14. In a current project I have a large database that basically holds people and their personal information, e.g. each contact can have multiple phone numbers, email addresses, residential addresses, etc. As a result, data security and integrity are very important. I started off sketching out the database schema and it seems fairly straightforward. I'd create a people table which contains the individual people and then a series of other tables to hold their personal information, each in a one-to-many relationship, e.g. each person can have multiple phone numbers. All seemed fine until I started thinking through the use cases. If someone updates their mobile number and saves their details, I would essentially have to delete all their numbers and then add them all again, because you can't easily tell if details were deleted, updated or inserted for the contact. I think any effort to package the existing ID with each number would simply be messy. So first, is there anything wrong with deleting and re-inserting all one-to-many relationships? It will lead to big gaps in the primary key, which I guess can be fixed by calling something like repair, etc. For reference, this database will have several million users. This seemed messy, so I considered storing the one-to-many relationships as serialised objects within a single table, because then I wouldn't have to worry about maintaining FK relationships and having large gaps in the primary keys. This led me to looking at NoSQL solutions, as this seems to be basically what they do. I read the MongoDB article from Larry's newsletter and thought it might be worth considering. Any thoughts? PS. In general I only have to update or fetch the objects; I don't have to search based on a phone number, etc.
  15. Does displaying your phpinfo() page on your server pose any security risks?
  16. Hi A somewhat philosophical question here regarding web security. On pages 229 and 489 you show a schematic whereby the php scripts are in a subdirectory of the webpage. Wouldn't it be more secure to put the 'includes' directory in the same place as 'mysql.connect.php' and call it with ../includes/script.php? This would make it a little harder for malicious people to access programs from their browser. ...just a thought....
  17. I am trying to understand this bullet point on page 368: "Watch how database references are used. For example, if a person's user ID is their primary key from the database and this is stored in a cookie (as in Chapter 11, "Cookies and Sessions"), a malicious user just needs to change that cookie value to access another user's account". Page 349 tells us that when a session is created, it also creates a browser cookie. For example, when tracking user activity, checking to see which user modified a table. Here are some methods in the book: (1.) A solution on page 358: Page 358 provides a method for improving session security by checking if $_SESSION['agent'] is set, and then also checking if $_SESSION['agent'] matches $_SERVER['HTTP_USER_AGENT']. (2.) A solution on page 360: Page 360 introduces session_regenerate_id(), which provides a new session ID. MY QUESTION: While these are nice methods to use, should we not store a user's ID like so? $_SESSION['user_id'] = $data['user_id']; Here, the user's primary ID is stored in the session. I am thinking of plenty of scenarios where this is necessary, like tracking user activity. I have already built a nice database design and script that uses the user's primary ID as a way to track their activity. Is this the right way to do it? Is this insecure? Thanks, Mark