Web Application Security
Anyone have some basic security tips for PHP-programmers? Nov 14 2003 04:32PM
Matthews, Chris (CMatthews MAIL co washoe nv us) (1 replies)
RE: Anyone have some basic security tips for PHP-programmers? Nov 17 2003 09:56PM
arek chelmnet pl (2 replies)

Good Night (here in Poland)
> Good Morning (at least here in Nevada)

> Anyone have any hints for good PHP practices (Looking for kind of a "This
> is one of the most common PHP security flaws" kind of thing)?
Firstly, the easiest way is to enable the following lines for every .php
script, or in a master index.php:

foreach ($_GET as $k => $v) {
    // escape quotes and backslashes in the superglobal itself
    $_GET[$k] = addslashes($_GET[$k]);
    $v = addslashes($v);
    // strip semicolons (str_replace: ereg_replace was removed in PHP 7)
    $v = str_replace(';', '', $v);
    // also expose the parameter as a global variable named after it
    eval(" \$$k = \"$v\" ;");
}
foreach ($_POST as $k => $v) {
    $_POST[$k] = addslashes($_POST[$k]);
    $v = addslashes($v);
    $v = str_replace(';', '', $v);
    eval(" \$$k = \"$v\" ;");
}

- this will probably totally protect you against SQL injections (but then you
can't simply use ';' or other such characters in the DB both ways)

The next good way is keeping track of the user opening items on your site, in
this way:

all functions (objects of your web) are initiated by one function, e.g.:

function FUNCTION_INIT() {
    // $FUNCTION_INIT, $ARG1 and $ARG1_VAL are the request parameters
    // (see the URL below), made global by the loop above
    global $FUNCTION_INIT, $ARG1, $ARG1_VAL;
    if ($FUNCTION_INIT) {
        if (!($_SESSION['CURRENT_FUNCTION'] == $FUNCTION_INIT)) {
            // shift the history: old LAST becomes LAST1, then CURRENT becomes LAST
            $_SESSION['LAST1_FUNCTION'] = $_SESSION['LAST_FUNCTION'];
            $_SESSION['LAST_FUNCTION'] = $_SESSION['CURRENT_FUNCTION'];
        }
        $_SESSION['CURRENT_FUNCTION'] = $FUNCTION_INIT;
    }
    // call the function named in the POST field, otherwise the one named in the URL
    if (!empty($_POST['FUNCTION_INIT'])) {
        $_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL);
    } else if ($FUNCTION_INIT) {
        $FUNCTION_INIT($ARG1, $ARG1_VAL);
    }
}

which are executed by a URL such as:
....php?FUNCTION_INIT=show_something&ARG1=ID&ARG1_VAL=132

The main concept of that is: I keep secured which function is accessible
from which other function...
You can then easily control access to the functions.
I use session variables.

Remember to verify (when submitting) whether the user has permission to access
the record he wants to update/delete. You must enable in the db_query function
the same select, and verify that the user has clicked a URL for what he has
seen in his web browser, or he is hacking and typing another ID, which he
normally wouldn't see.

A.Binder

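As an added example (not code from the original post or from its author), here is the record-ownership check described in the post's last paragraph, together with a FUNCTION_INIT-style dispatcher that only calls actions from an explicit allowlist instead of whatever function name the request supplies. It assumes PHP 7 with the pdo_sqlite extension; the table, its rows, the logged-in user id 7, and the action names are constructed for the demonstration. Because values are bound through prepared statements, the ID needs no addslashes() pass, and the ownership condition sits in the same statement as the write, so a forged ID that the user never saw on his page simply matches zero rows.

```php
<?php
// Added example, not from the original post. Runs stand-alone against an
// in-memory SQLite database (requires pdo_sqlite).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, title TEXT)');
// constructed sample rows: item 132 belongs to user 7, item 133 to user 9
$db->exec("INSERT INTO items (id, owner_id, title) VALUES (132, 7, 'alice note'), (133, 9, 'bob note')");

// Ownership check and the write are one statement: a record the user does
// not own is never touched, and rowCount() tells the caller what happened.
function delete_item(PDO $db, int $userId, int $itemId): bool
{
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $itemId, ':owner' => $userId]);
    return $stmt->rowCount() === 1;
}

// Same rule for reads: the "same select" the post mentions, scoped to the owner.
function show_item(PDO $db, int $userId, int $itemId): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $itemId, ':owner' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Allowlist: the request names an action, never a PHP function directly.
// Action names are assumptions for this example.
const ACTIONS = [
    'show_something'   => 'show_item',
    'delete_something' => 'delete_item',
];

// Dispatcher for ...php?FUNCTION_INIT=<action>&ARG1=ID&ARG1_VAL=<id>
function dispatch(PDO $db, int $userId, array $request)
{
    $action = (string)($request['FUNCTION_INIT'] ?? '');
    if (!array_key_exists($action, ACTIONS)) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    // Cast the record id to int; anything non-numeric becomes 0 and matches nothing.
    $itemId = (int)($request['ARG1_VAL'] ?? 0);
    $fn = ACTIONS[$action];
    return $fn($db, $userId, $itemId);
}

// Simulated session: user 7 is logged in.
$userId = 7;

// own record: returned
var_dump(dispatch($db, $userId, ['FUNCTION_INIT' => 'show_something', 'ARG1' => 'ID', 'ARG1_VAL' => '132']));
// forged id 133 belongs to user 9: nothing deleted, returns false
var_dump(dispatch($db, $userId, ['FUNCTION_INIT' => 'delete_something', 'ARG1' => 'ID', 'ARG1_VAL' => '133']));
// own record: deleted, returns true
var_dump(dispatch($db, $userId, ['FUNCTION_INIT' => 'delete_something', 'ARG1' => 'ID', 'ARG1_VAL' => '132']));
// function name not on the allowlist: rejected before anything is called
try {
    dispatch($db, $userId, ['FUNCTION_INIT' => 'phpinfo', 'ARG1_VAL' => '1']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allowlist replaces the `$_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL)` call in the post's dispatcher: with a direct call, the set of callable functions is every function defined in the process, whereas the map above makes it exactly the two entries listed.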
Re: Anyone have some basic security tips for PHP-programmers? Nov 19 2003 05:16AM
Tommy Gildseth (gildseth start no) (1 replies)
Re: Anyone have some basic security tips for PHP-programmers? Nov 19 2003 02:58AM
James Mitchell (reductor askmiky com) (1 replies)
RE: Anyone have some basic security tips for PHP-programmers? Nov 20 2003 12:50AM
arek chelmnet pl (1 replies)
Re: Anyone have some basic security tips for PHP-programmers? Nov 21 2003 10:27PM
James Mitchell (reductor askmiky com)
Copyright 2009, SecurityFocus