Haifa Linux Club: PHP lecture


Security notes


1.
<? /* $pass, $auth and $PHP_SELF are never initialised in this script;
      with register_globals on, all three can be supplied by the request. */
   if($pass=="NotCool") { $auth = 1; } ?>
This is my secret page !
<? if($auth) { echo "My secrets .. shhhh !"; }
  else {
?>
in order to read My secrets you must enter password : <br>
<FORM METHOD="POST" ACTION="<?= $PHP_SELF ?>">
enter password:<INPUT TYPE="PASSWORD" NAME="pass"><br>
<INPUT TYPE="SUBMIT">
</FORM>
<? } /* close the else branch opened above */ ?>
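The same page rewritten so that the authentication flag cannot arrive from the request. This is an added example, not code from the lecture: it initialises `$auth` before use, reads the password only from `$_POST`, compares it with `hash_equals()`, and escapes `PHP_SELF` before echoing it. The password "NotCool" is the lecture's demo value; a real application would store a `password_hash()` result and check it with `password_verify()`.

```php
<?php
// Added example (not from the original lecture).
$auth = false;                                                  // always initialise first
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';   // explicit source: the form only

// hash_equals() compares in constant time; the known value goes first.
if ($pass !== '' && hash_equals('NotCool', $pass)) {
    $auth = true;
}
?>
This is my secret page!
<?php if ($auth): ?>
  My secrets .. shhhh !
<?php else: ?>
  In order to read my secrets you must enter the password: <br>
  <!-- PHP_SELF reflects the request path, so it is HTML-escaped before output -->
  <form method="POST" action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>">
    enter password: <input type="password" name="pass"><br>
    <input type="submit">
  </form>
<?php endif; ?>
```

With `$auth` set unconditionally at the top, a stray `auth` parameter in the query string or a cookie has no effect even on a server where `register_globals` is still enabled.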

2. include($libdir . "/myscript.php");
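An added example (not from the lecture) of making the include path independent of request input. `LIBDIR`, the `page` parameter and the allowlisted file names are assumptions for illustration.

```php
<?php
// Added example (not from the original lecture).
// The library directory is fixed at deploy time and never read from $_GET/$_POST/cookies.
define('LIBDIR', __DIR__ . '/lib');
require LIBDIR . '/myscript.php';

// If the user may choose which page to load, map the choice through an allowlist
// and never concatenate the raw value into the path.
$pages = array(
    'home'  => 'home.php',
    'about' => 'about.php',
);
$choice = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

if (!array_key_exists($choice, $pages)) {
    http_response_code(404);
    exit('unknown page');
}
include LIBDIR . '/pages/' . $pages[$choice];
```

Because `$choice` is only used as an array key, the file that is eventually included is always one of the two literals in `$pages`, regardless of what the request contained.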

3. Use is_uploaded_file() to verify that a file really was uploaded with the current request.
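An added example (not from the lecture) of an upload handler built around `is_uploaded_file()`. The form field name `upload`, the destination directory, the size limit and the allowed image types are assumptions.

```php
<?php
// Added example (not from the original lecture).
$uploadDir = __DIR__ . '/uploads';   // in practice a directory outside the web root
$maxBytes  = 1024 * 1024;            // assumed 1 MiB limit

function save_upload(array $file, $uploadDir, $maxBytes)
{
    // Check the upload status first; UPLOAD_ERR_OK is 0.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // is_uploaded_file() confirms the path was created by this request's upload,
    // not an arbitrary server file named in tampered form data.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    if ($file['size'] > $maxBytes) {
        return false;
    }
    // Decide the type from the content, not from the client-supplied name.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = array('image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif');
    if (!isset($allowed[$mime])) {
        return false;
    }
    // Choose the stored name yourself; the original name is never reused.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : false;
}

if (isset($_FILES['upload'])) {
    $saved = save_upload($_FILES['upload'], $uploadDir, $maxBytes);
    echo $saved ? 'stored' : 'rejected';
}
```

The order matters: the status and `is_uploaded_file()` checks run before anything touches the file, and the stored name and extension are derived from the detected type rather than from `$_FILES['upload']['name']`.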

4. Check every variable you get from GET/POST/cookie.
If you use one of them in a MySQL query, use:
$name1 = str_replace("'","''",$name1);
If you know you have to get a number, use is_numeric():
if (!is_numeric($somenum)) { die("go away lammer !"); }
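An added example (not from the lecture) that applies the two checks above and goes one step further: the value is bound as a query parameter instead of being spliced into the SQL string. Doubling single quotes, as in the lecture's `str_replace()`, does not handle backslashes in MySQL string literals, and `is_numeric()` accepts strings such as `" 12"` or `"1e3"`, so for an integer key `ctype_digit()` is the stricter test. The connection details and the `users` table are assumptions.

```php
<?php
// Added example (not from the original lecture).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app');   // assumed credentials

// Integer id from the query string: ctype_digit() accepts only 0-9, no sign,
// no whitespace and no exponent, unlike is_numeric().
$id = isset($_GET['id']) ? (string) $_GET['id'] : '';
if ($id === '' || !ctype_digit($id)) {
    die('bad id');
}
$id = (int) $id;

// Free-text name from the form: no quoting at all, the driver sends it as a parameter.
$name = isset($_POST['name']) ? (string) $_POST['name'] : '';

$stmt = $db->prepare('SELECT id, name FROM users WHERE id = ? AND name = ?');
$stmt->bind_param('is', $id, $name);   // i = integer, s = string
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Escape on the way out as well, since the stored name is user-controlled.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```

Where a query genuinely cannot be parameterised, `$db->real_escape_string($name)` is the escaping routine that matches the connection's character set; the hand-rolled `str_replace()` should be treated as a last resort.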

5. Block warnings and error messages from reaching the browser:
change php.ini or use error_reporting(0).
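An added example (not from the lecture) of the same idea with one refinement: errors stay out of the browser but are still written to a log, so the messages remain available to the administrator. The log path is an assumption; the equivalent php.ini settings are `display_errors = Off` and `log_errors = On`.

```php
<?php
// Added example (not from the original lecture).
ini_set('display_errors', '0');                 // nothing is printed to the visitor
ini_set('log_errors', '1');                     // everything still goes to the log
ini_set('error_log', '/var/log/php/app.log');   // assumed log location
error_reporting(E_ALL);                         // keep reporting on so the log is complete

// Turn any uncaught exception into a generic page while recording the detail server-side.
set_exception_handler(function ($e) {
    error_log('unhandled: ' . get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong.';
});
```

`error_reporting(0)` alone silences the messages everywhere, including the log; separating `display_errors` from `log_errors` gives the visitor nothing to read while preserving the diagnostics.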



