Posts Tagged ‘Security’

How to Spoof a Form, or Why Your Form Isn’t Safe

Monday, February 25th, 2008

Forms can create all kinds of security holes in PHP applications. The biggest reason for this is that you can never be sure just what kind of input you'll be getting: the HTML form only suggests what a client should send, it does nothing to constrain what a client actually sends.

There are some steps you can take later on to protect your applications from this unknown input. But first, let’s take a look at why you can never trust a user’s input and just how easy it is for someone to spoof a form.
(more…)
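As an added illustration (not code from the original post), here is the classic shape of a form spoof and the server-side check that defeats it. The scenario is constructed: a checkout form offers three items in a `<select>` and carries the unit price in a hidden field; the catalogue, field names and handler functions are assumptions for the example.

```php
<?php
// Added example, not from the original post. The browser form is only a
// suggestion: anyone can POST any field with any value, so the server must
// validate against data it holds itself, never against what the form "should"
// have sent.

// Server-side price list (constructed sample data).
const CATALOGUE = [
    'mug'    => 8.50,
    'tshirt' => 15.00,
    'poster' => 12.00,
];

// Vulnerable: trusts quantity and price exactly as the request carried them.
function charge_insecure(array $post): float
{
    return (float) $post['quantity'] * (float) $post['price'];
}

// Hardened: accept only item names the application knows, validate the
// quantity strictly, and take the price from the server, not the request.
function charge_secure(array $post): float
{
    if (!isset($post['item'], $post['quantity'])) {
        throw new InvalidArgumentException('missing fields');
    }
    $item = $post['item'];
    if (!is_string($item) || !array_key_exists($item, CATALOGUE)) {
        throw new InvalidArgumentException('unknown item');
    }
    // ctype_digit() rejects "-5", "1e3", "3 OR 1=1" and the empty string;
    // the range check stops absurd orders that would still be "valid" digits.
    $qty = (string) $post['quantity'];
    if (!ctype_digit($qty) || (int) $qty < 1 || (int) $qty > 99) {
        throw new InvalidArgumentException('bad quantity');
    }
    return (int) $qty * CATALOGUE[$item];
}

// What the real form sends.
$honest  = ['item' => 'tshirt', 'quantity' => '2', 'price' => '15.00'];
// What a spoofed request can send: nothing in PHP ties $_POST to the form.
$spoofed = ['item' => 'tshirt', 'quantity' => '2', 'price' => '0.01'];
$garbage = ['item' => '../etc/passwd', 'quantity' => '-5', 'price' => '0'];

printf("honest, insecure:  %.2f\n", charge_insecure($honest));
printf("spoofed, insecure: %.2f\n", charge_insecure($spoofed));
printf("spoofed, secure:   %.2f\n", charge_secure($spoofed));
try {
    charge_secure($garbage);
} catch (InvalidArgumentException $e) {
    echo "garbage, secure:   rejected ({$e->getMessage()})\n";
}
```

The hidden `price` field is simply ignored by the hardened handler; a field that the server can look up itself should never be round-tripped through the client. Run it with `php spoof.php` (any PHP 7 or later).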

How to Create Multi-Page Forms in PHP, Revisited

Friday, February 8th, 2008

A couple weeks ago, I wrote a short article about how to create a multi-page form.

The simple solution I suggested involved a foreach loop that cycled through the $_POST array and sent every value along in a hidden input element. After a bit of reflection (and some useful comments), I realized there's a teeny tiny security hole in that approach, so I've slightly modified it to close the loophole.
(more…)
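The excerpt does not say which hole the author closed, so the following is an added example (not the post's own code) of the two problems a blanket foreach over $_POST has, and one way to fix both: it forwards fields the form never asked for, and it writes raw user input into an HTML attribute. The field names, the sample submission and the function names are assumptions for the example.

```php
<?php
// Added example, not the post's own code. Stage two of a multi-page form has
// to carry stage-one answers forward in hidden inputs. Copying every $_POST
// entry does that, but also forwards arbitrary extra fields and injects
// unescaped input into the page.

// Constructed sample: a tampered stage-one submission.
$posted = [
    'name'  => 'Ann "O" <script>alert(1)</script>',
    'email' => 'ann@example.com',
    'admin' => '1',   // never part of the form, added by the client
];

// The naive approach: every posted value becomes a hidden input, unescaped.
function forward_all(array $post): string
{
    $html = '';
    foreach ($post as $key => $value) {
        $html .= "<input type=\"hidden\" name=\"$key\" value=\"$value\">\n";
    }
    return $html;
}

// Hardened: only the fields this form defined are carried forward, and both
// name and value are HTML-escaped so they cannot break out of the attribute.
// Assumption for the example: stage one has exactly these two fields.
const STAGE_ONE_FIELDS = ['name', 'email'];

function forward_expected(array $post): string
{
    $html = '';
    foreach (STAGE_ONE_FIELDS as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            continue;   // or reject the request if the field is required
        }
        $k = htmlspecialchars($key, ENT_QUOTES, 'UTF-8');
        $v = htmlspecialchars($post[$key], ENT_QUOTES, 'UTF-8');
        $html .= "<input type=\"hidden\" name=\"$k\" value=\"$v\">\n";
    }
    return $html;
}

echo "--- naive ---\n", forward_all($posted);
echo "--- whitelisted and escaped ---\n", forward_expected($posted);
```

Whatever is forwarded in hidden inputs still passes through the client and must be validated again when the final page processes it; the alternative is to keep earlier stages' answers in the server-side session and forward nothing.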

Understanding the Difference Between MD5 and Crypt Functions

Saturday, February 2nd, 2008

If you're working with a user-management system in PHP (or any scripting language), then you're likely using either the md5() or crypt() function to hash and store the user's password.

An oft-asked (and oft-misunderstood) question is: what is the difference? Is one better than the other?
(more…)

How to Create a Random Password for Users

Friday, February 1st, 2008

If you’re working on a user-management system, you may find it useful to be able to create a random password for users.

Some systems generate these initially and have the user log in to set a permanent password. You might also have a “Reset” button, where the script generates a random password and e-mails it to the user.

This quick tutorial will show you how to create an 8-character random password containing a mix of letters and numbers. Or, if you're impatient, jump straight to the function's source code.
(more…)
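An added example of such a generator (not the post's function) follows. It assumes PHP 7 or later for random_int(), which draws from the operating system's CSPRNG; rand() and mt_rand(), which 2008-era code typically used, are not suitable for passwords or reset tokens. The function name and the character set are choices made for this example.

```php
<?php
// Added example, not the post's own code. Builds an 8-character password from
// letters and digits using random_int() (PHP 7+, CSPRNG-backed).

function random_password(int $length = 8): string
{
    // Letters and digits only, as the post describes. Nothing is excluded, so
    // confusable pairs such as 0/O and 1/l can appear.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $max = strlen($alphabet) - 1;
    do {
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            // random_int() is uniform over [0, $max]; indexing the alphabet with
            // it avoids the modulo bias of mt_rand() % strlen($alphabet).
            $password .= $alphabet[random_int(0, $max)];
        }
        // Regenerate until it really is a mix: at least one letter and one digit.
    } while (!preg_match('/[A-Za-z]/', $password) || !preg_match('/[0-9]/', $password));
    return $password;
}

for ($n = 0; $n < 3; $n++) {
    echo random_password(), "\n";
}
```

A password that is e-mailed to a user is a one-time credential: store only its hash, expire it after a short window, and force a change at first login, exactly as you would with a reset token.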

How to Use the Crypt() Function to Encrypt and Check Passwords

Tuesday, January 22nd, 2008

Every PHP script that involves some kind of user login and database interaction has one very important feature: password hashing and checking.

There are a bunch of ways you could store and check passwords, from an insecure plaintext string in a database to a salted hash that you compare against the user's input. This tutorial will show you how to use the crypt() function to store and check passwords in a PHP script.
(more…)
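Serving both the md5()-versus-crypt() post above and this one, here is an added example (not code from either post) that shows the practical difference between the two functions and the store-and-check pattern with crypt(). It assumes PHP 7 or later (for random_int() and hash_equals()) and the SHA-512 crypt variant selected by a `$6$` salt prefix; the function names and the sample password are constructed for the example.

```php
<?php
// Added example, not from the original posts. md5() is an unsalted, fast hash:
// equal passwords give equal hashes, and precomputed tables apply directly.
// crypt() takes a salt, so each stored hash is unique and must be attacked on
// its own, and the same crypt() call verifies a candidate by re-hashing it
// with the salt embedded in the stored value.

function hash_password(string $password): string
{
    // 16 characters from the crypt salt alphabet [./0-9A-Za-z].
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    // "$6$" selects SHA-512 crypt; rounds= raises the work factor above the
    // default of 5000 so brute force is correspondingly slower.
    return crypt($password, '$6$rounds=100000$' . $salt . '$');
}

function check_password(string $candidate, string $stored): bool
{
    // crypt() reads the algorithm, rounds and salt back out of $stored, so the
    // output matches only if the candidate is the original password.
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($candidate, $stored));
}

$password = 'correct horse';   // constructed sample

// md5(): same input, same output, no salt. Two users with the same password
// end up with the same stored value.
echo "md5 #1:   ", md5($password), "\n";
echo "md5 #2:   ", md5($password), "\n";

// crypt(): same input, different salt, different stored value.
$stored1 = hash_password($password);
$stored2 = hash_password($password);
echo "crypt #1: $stored1\n";
echo "crypt #2: $stored2\n";

var_dump(check_password($password, $stored1));
var_dump(check_password('wrong', $stored1));
```

Store the full string crypt() returns; it carries the algorithm, rounds and salt, so nothing else needs to be kept alongside it. On PHP 5.5 or later, password_hash() and password_verify() wrap this same pattern with a bcrypt default and are the better choice for new code.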

Protect Against Shell Script Hacks

Saturday, January 12th, 2008

While browsing through Technorati, I just stumbled on a post about a shell script attack. It seems the poor chap got a shell script uploaded to his server, and the attacker used it to create a bunch of bogus files full of hyperlinks.

The original post has some header information about this particular hack (a modified c100 shell, a PHP web shell that gives the attacker command execution as the web-server user), as well as a link to some search results about the file. I looked through the source code for the shell script and tested it out on my local server: getting some link-filled files is the least that this script could do.
(more…)