Paul Dixon on :
Nice slides but I thought I'd raise the following points:
* hiding your database connection settings in the environment or php configuration is all for nothing if you manage to inject a phpinfo() statement
* it's probably also worth mentioning that you shouldn't leave a style page on a live server, particularly on a URL like /phpinfo.php
* security by obscurity seems an odd note to end on. Defence in depth, yes, but obscurity? Take the "don't use an obvious URL for admin functions" point: I think you have to assume admin URLs will leak. In fact, it's best to regard any URL a browser will see as something that Google might get wind of and index!
I used to use a large UK ISP which generated print invoices from a webpage. They included the URL on them. I tried the URL and found that not only was it accessible, but I could play around with the parameters and view invoices for other customers and even generate new invoices. I alerted them and closed my account.
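The invoice problem the commenter describes is a missing authorization check, not a URL-secrecy problem. As an added illustration (not code from the slides or the comment, written in Python rather than PHP for a framework-neutral view, with constructed customers and invoices), here is the lookup as it evidently behaved beside one that ties every lookup to the logged-in customer, plus a small detection helper that flags sessions probing many invoice ids:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    customer_id: int
    amount_gbp: float

# Constructed sample data (hypothetical): two customers, three invoices.
INVOICES = {
    1001: Invoice(1001, customer_id=7, amount_gbp=29.99),
    1002: Invoice(1002, customer_id=7, amount_gbp=31.50),
    1003: Invoice(1003, customer_id=9, amount_gbp=18.00),
}

class NotFound(Exception):
    """One error for 'no such invoice' and 'not your invoice', so the
    response does not tell a caller which ids exist."""

def get_invoice_insecure(invoice_id: int) -> Invoice:
    """Vulnerable: trusts the id from the URL and never asks who is logged in.
    Keeping the URL off the printed invoice would not fix this."""
    return INVOICES[invoice_id]

def get_invoice(session_customer_id: Optional[int], invoice_id: int) -> Invoice:
    """Hardened: require a session, then check the invoice belongs to it.
    The URL can be public; the session decides what it returns."""
    if session_customer_id is None:
        raise PermissionError("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.customer_id != session_customer_id:
        raise NotFound(f"invoice {invoice_id} not found")
    return inv

def flag_enumeration(failed_lookups: list, threshold: int = 3) -> set:
    """Detection: given (customer_id, invoice_id) pairs that raised NotFound,
    return customers whose session failed on at least `threshold` distinct ids.
    Legitimate users rarely request invoices that are not theirs."""
    seen = {}
    for customer_id, invoice_id in failed_lookups:
        seen.setdefault(customer_id, set()).add(invoice_id)
    return {c for c, ids in seen.items() if len(ids) >= threshold}
```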