|
PHP - Is There A List Of Safe Ways To Use Php?
Hello,
I've noticed that there are services that I can pay to have my code
checked for possibly unsafe / insecure code.
But I'd rather audit the code myself, as my code is not meant to make money.
Is there a list of safe ways to use PHP?
Also is there any automatic way to do this that is free?
For instance is there a code checker?
I've noticed there are a number of ways to do PHP wrongly
that can be easy to overlook. Is there a list of common PHP pitfalls?
Thanks.
Similar TutorialsIs there a shorter way to achieve this in a single foreach()? foreach ($_SESSION['cart']['content']['sizes'] as $content); foreach ($_SESSION['cart']['content']['sizem'] as $content); foreach ($_SESSION['cart']['content']['sizel'] as $content); I am thinking something like: foreach ($_SESSION['cart']['content']['sizes'] && $_SESSION['cart']['content']['sizem'] && $_SESSION['cart']['content']['sizel'] as $content); or foreach ($_SESSION['cart']['content'] = ['sizes'] || ['sizem'] || ['sizel'] as $content); I would realy like to study php, other than taking other codes and editing them i havnt got a clue. Hi all If there a better way of setting variables within classes than taking it through the __construct and setting via $this ?? e.g. class SectionsConnect { protected $var; public function __construct($var){ $this->var= $var; } } Can you not set the variable automatically as it comes in through the __construct? Thanks Magnetica What would be the simplest way? Do you use a method in the child class? Personally I use Code: [Select] parent::$this->whatever; But I was wondering what you guys do. Hello, mates! I am new to PHP. I want to store some data shared between requests. I know that it is possible with memcached and shared memory in Unix. What ways to do it could you advice? How could I realize background service in PHP? Thank you.
Is this an acceptable way to instantiate classes?
//$_SESSION['product'] = {'ProductA', 'ProductB', ... 'ProductX'}
$p = new $_SESSION['product']();
$p->save();
I am usually used to calling out classes explicitly where class name is not a variable but a hardcoded string. Sometimes I use if/then/else in order to do this. Here it is a variable and it bothers me a little bit. But PHP allows me to do this.
Is this an acceptable latest & gratest modern PHP object oriented web technology technique or not ?
using this below is it safe against hackers? Code: [Select] $post_id = intval($_GET['report']); if ($post_id < 1) message($lang_common['Bad request']); query: Code: [Select] $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); should i escape my $topic_id ? Code: [Select] $stick_topic = isset($_POST['stick_topic']) ? '1' : '0'; does this need to be escaped while entering the database or no because the values could only be 1 or 0 ? srry it's just i got hacked so i am trying to do my security #1 Hello all. Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible. I am passing two values and grabbing them with a _GET, one is a big number, and the other is only letters and 8 characters long. her's my code so far. Code: [Select] <?php $clan = $_GET['clanid']; // make sure its an INT //if(isint($clan)){ if(ereg("[^0-9]", $clan)){ //im an int. echo ("ERROR Invalid CLANID"); die; } // make sure its a 8 letter only word. $style=$_GET['style']; // cut style down to 8 characters long. $style=substr($style, 0, 8); if(ereg("[^a-zA-Z]+", $style)) { // Contains only letters. echo("ERROR Invalid STYLE NAME"); die; } ?> to my noob php eye's it looks pretty solid, I cant think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first , you can never be to careful. Hi guys, I have been using the same code for years now to include my default page and pull content into my layouts.
I found the code online and its a bit confusing so was just wondering if its still safe to use, and is it all needed nowadays?
or is there a simpler way i could be doing this?
Thanks for any help
<?php
if (isset($_GET['nav']))
{
if (strpos($_GET['nav'], "/"))
{
$direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
$file = substr(strrchr($_GET['nav'], "/"), 1);
if (file_exists($direc.$file.".php"))
{
require($direc.$file.".php");
} else {
require("error.php");
}
} else {
if (file_exists(basename($_GET['nav']).".php"))
{
require(basename($_GET['nav']).".php");
} else {
require("error.php");
}
}
} else {
require("links.php");
}
?>
I have a button that uses $_POST to send information to another page. The data is in a hidden input so it's not possible for users to change information. I have nothing to check if the data is correct on the other page. Is it still possible for people to change the $_POST data though? Or somehow send false $_POST data to the other page? Advice please. I am setting up a new machine here and I can't remember which to download. What information do you need to be aware of to know whether to install 'non thread safe' or 'thread safe'. I did some googling but didn't find anything that was clear. And is 5.3 good to go or should I stick with 5.2. Thanks in advance for your input! I am trying to implement what I call private uploads. Basically, users can check a box to indicate they want their file "private" If so, the upload location is then (exampled as): _domain_/private-folder/$randomfolder Upon uploading their file, the random folder is created, their file moved to the directory, the upload information stored to the database, .htaccess file is created like so: info to add to new .htaccess: Code: [Select] <files "*.*"> Deny from All </files> <files "*.*"> Allow from $domains </files> the string $domains is the domains they enter each seperated by a new line in a form textarea. The problem - how can I make sure this is safe. i.e. I want the string to be obviously proofed with php so that no matter what they input, only domains will be outputted. I don't need code written for me (maybe), I'm just unsure of the necessary methods I should use. Like 6 years ago I had made a forum software for me and my buddies to post on. It had worked all great until my friend had posted a character that skewed my whole database, unintentionly, he knew nothing about computers. But I really haven't dabbed in PHP since 2008, I'm just now getting back into it again. I need to know how I can make data from an input to be put into an MySQL database and not screw up my code. So something along the lines that make the code safe and not exploitable. Also any third party scripts on captcha would be great! I built a address book for customers and i realize now im not sure the best way to allow the customer to edit/delete their addresses, but stopping them from pulling/editing other customers info. Even if i use post data only they could still view the page source and see the address ID being posted to the next page and change it, to see or edit someone elses data... Should i encrypt the ID? Is that even good enough? Im using PHP/MYSQL Hi, I am using parameterized queries on my code, here's the relevant part Code: [Select] $params=$_POST['ITGtable']; $tsql2 = "SELECT COLUMN_NAME, DATA_TYPE, ORDINAL_POSITION, COLUMN_DEFAULT, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=?"; /* Execute the statement with the specified parameter value. Display the returned data if no errors occur. */ $stmt2 = sqlsrv_query( $conn, $tsql2, $params); if( $stmt2 === false ) { echo "Statement 2 could not be executed.\n"; die( print_r(sqlsrv_errors(), true)); } else { $qty = sqlsrv_fetch_array( $stmt2); } Do I really have to sanitize $_POST['ITGtable'] for apostrophe, semicolon, etc, to avoid SQL injection problems? Or just with above code I should be safer (I did not say safe) against SQL injection? And if the answer is "No", what could be the sanitize code of function? I am using sqlsrv and MS-SQL database engine; most of the functions we have for sanitize inputs on MySQL are not available for MS-SQL. Thanks in advance, I am using this script for "remember me" option: if (isset($_POST['rememberme'])) { /* Set cookie to last 1 year */ setcookie('username', $_POST['user_name'], time() + 60 * 60 * 24 * 365); setcookie('password', sha1($_POST['user_pass']), time() + 60 * 60 * 24 * 365); } Is it safe to save user data in cookie or there is better way? Can somebody steal password if there is more than one user at same computer? What do you suggest? I am using seo friendly urls so when someone makes a post named "this is a post" the url will point to www.example.com/topic/this_is_a_post But when the user enters a character in their post name that means something in a url(? /) it obviously breaks. How can i make the urls safe from this without str_replace as i want to keep the characters. I am building an XML string to send to another server. The manual I am going off of says, Quote NOTE: * XML has a special set of characters that cannot be used in normal XML strings. These characters a Special Character Equivalent & & < < > > " " ' ' It goes on to say... Quote # To avoid problems with special characters, URLEncode special characters (example: ~ ! @ # % ^ &) before sending to the IS Gateway # If you are using POST method, UTF-8 encoding must be used. I am unsure of what to do based on the information above?! It looks like I might want to use urlencode?? Also, maybe I need either htmlentities (or possibly htmlspecialchars)?? Please enlighten me (and help protect my data)!! Thanks, Debbie Hey guys! I have a doubt and this is a question that relates Flash and PHP... I have a flash (swf) file that grabs/sends variables from/to php. That swf file is FULLY encrypted and the paths to the PHP urls are also encrypted. Is there any other way a hacker could find out where and which my PHP files are located/named? Any ideas, suggestions? Thanks in advance! Cheers, |
|||||||