Security aspects concerning code written in the programming language PHP, which is often used for web applications.
13 votes | 3 answers | 896 views
What steps should be taken to validate user uploaded images within an application?
Recently I have worked on a number of applications that need to process user-uploaded images; steps have been taken to validate the extension and the MIME type.
But what else can be done to ensure ...
18 votes | 3 answers | 4k views
What are the best practices for hardening a php.ini file?
In order to secure a PHP installation, what are the best settings for a php.ini file? What is absolutely vital in terms of security? What is recommended for most use cases?
16 votes | 4 answers | 5k views
How did Anonymous use UTF-16 ASCII to fool PHP escaping?
A few months ago, Anonymous took down a child pornography site using SQL injection. I read in this article that Anonymous claimed that "the server was using hardened PHP with escaping," but they were ...
6 votes | 3 answers | 4k views
PHP functions for preventing XSS
Is there a proven library with functions for preventing XSS attacks? Many people don't realise that htmlspecialchars is not enough to prevent XSS attacks. There are various contexts that need their ...
29 votes | 5 answers | 3k views
How to Securely Implement a “Remember Me” Feature?
Assuming you already have a website that implements all of the standard login stuff, what is the correct and most secure way to allow users to automatically be logged in for a certain time period ...
12 votes | 2 answers | 3k views
Multibyte character exploits - PHP/MySQL
Could someone please point me to a link with some information on multibyte character exploits for MySQL? A friend brought them to my attention, but I've not been able to find much information on the ...
7 votes | 4 answers | 686 views
Security attacks on PHP web applications
I know about the following security attacks on PHP applications (HTML, PHP, JS).
XSS
SQL Injection
CSRF
Session Hijacking /Fixation
Code Injection
Remote file injection
Should I know about any other or ...
27 votes | 5 answers | 2k views
How to perform a security audit for a PHP application?
I have a PHP application that I would like to have audited for security. I'm familiar with most of the general security issues, but want to make sure I didn't miss anything.
What steps should I take ...
12 votes | 4 answers | 511 views
What to do after suspected intrusion on hobby webserver
I maintain a server to host my files and a number of websites for hobbies and friends. I just noticed that the site summary being returned in Google for one of my domains was all porn-related ...
13 votes | 3 answers | 631 views
How secure is aSSL (javascript)? Does it effectively mimic SSL?
Some of you may be familiar with the aSSL project, which uses AJAX/PHP to mimic the SSL protocol. It uses RSA 512 or 1024 for the keys, and AES for the actual data. It looks impressive to me in ...
6 votes | 5 answers | 1k views
Why do people say that PHP is inherently insecure?
I've heard it said that PHP is inherently insecure. Is this true? Why?
4 votes | 5 answers | 6k views
MySQL - two-way encryption of sensitive data (email addresses) outside of Apache, PHP and MySQL
We store user email addresses in our database, like many other websites. While we do take pride in the security measures in place, sometimes "just enough" is just not enough.
We've begun looking into ...
32 votes | 3 answers | 2k views
Security Review - password_hash implementation for PHP
I'm currently working on a "helper function" for PHP's core to make password hashing more secure and easier for the majority of developers. Basically, the goal is to make it so easy, that it's harder ...
12 votes | 2 answers | 2k views
How to do Ajax securely?
This question is inspired by this security question http://security.stackexchange.com/questions/1707
What are the threats in using Ajax? (Please note I am talking about security threats, not ...
21 votes | 4 answers | 6k views
How do you know your server has been compromised?
I recently helped a client who had their server hacked. The hackers added some PHP code into the header of the homepage redirecting the user to a porn website — but only if they came from Google. This ...