PHP|Tek Slides

iBlog - Ilia Alshanetsky


Quicksearch
Calendar
Back May '23
Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      
Syndicate This Blog

Wednesday, April 26. 2006

Posted by Ilia Alshanetsky in PHP, Talks

Comments (6)
Trackbacks (0)

PHP|Tek Slides

The slides from PHP|Tek are now up. The Security Tutorial slides can be found here and the PDO Introduction slides can be found here, to all attending thank you for listening and hopefully at-least a bit of the content was interesting and useful ;-)
Twitter Bookmark PHP|Tek Slides at del.icio.us Facebook Digg PHP|Tek Slides Bookmark PHP|Tek Slides at reddit.com Stumble It!

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Nice slides but I thought I'd raise the following points:

* hiding your database connection settings in the environment or php configuration is all for nothing if you manage to inject a phpinfo() statement
* it's probably also work mentioning that you shouldn't leave a style page on a live server, particular on a url like /phpinfo.php
* security by obscurity seems an odd note to end on. Defence in depth yes, but obscurity? Take the "don't use an obvious url for admin function" I think you have to assume admin urls will leak. In fact, it's best to regard any URL a browser will see as something that Google might get wind of and index!

I used to use a large UK ISP, who generated print invoices from a webpage. They included the URL on them. I tried the URL and found that not only was it accessible, I could play around with the parameters and view invoices for other customers and even generate new invoices. I alerted them and closed my account :-)
#1 Paul Dixon (Homepage) on 2006-04-26 18:14 (Reply)
Well the idea behind obscurity is not to solve security problems, merely delay the hacker by making things different from usual. This is particularly effective against worms and automated tools that look for simularaties and use them to determine problems.
#1.1 Ilia Alshanetsky (Homepage) on 2006-04-29 17:01 (Reply)
Some stuff got stripped from my comment...

"...you shouldn't leave a style page.."

should really read

"...you shouldn't leave a phpinfo() page..."
#2 Paul Dixon (Homepage) on 2006-04-26 18:18 (Reply)
phpinfo() page is a debugging tool so exposing it to the world is not a particular good idea unless it is protected in some way (like http auth for example). So, you are absolutely in that respect, furthermore earlier versions of PHP had a number of XSS issues in this page, so that further adds to its danger.
#2.1 Ilia Alshanetsky (Homepage) on 2006-04-29 14:56 (Reply)
Can you create PDFs without those background image? Unless there's a way to disable background printing in PDF the printout is very unreadable on b/w and it wastes black color for nothing. thanks!
#3 Markus on 2006-04-27 01:39 (Reply)
Thanks for sharing these Ilia. Have your book, but to see the concepts summerised in the slides (and more) is very useful.
#4 Matthijs on 2006-04-29 04:49 (Reply)

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
 
 

Frontpage - Top level
Guide to PHP Security
Categories
Archives

Blog Administration