Comments for php security blog

Comment on (evil) Register Globals (on) by b23

b23 — Wed, 30 Jul 2008 21:24:21 +0000

Thank you Bijay Rungta!

Comment on (evil) Register Globals (on) by Bijay Rungta

Bijay Rungta — Wed, 30 Jul 2008 18:06:17 +0000

The register_globals directive is disabled (register_globals = Off) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

The text is a little misleading….
The last para should have read as
While leaving [emphasize]register_globals [emphasizeEvenMore]On[/emphasizeEvenMore][/emphasize] doesn’t represent a security vulnerability, it’s a security risk.

I had come here to confirm what is good and what’s bad…..

Thanks a lot..

Bijay Rungta

Comment on hide your php source code (expired) by b23

b23 — Sun, 27 Jul 2008 10:57:23 +0000

This post has expired, I think. I was not able to install the bcompiler again quickly.
Maybe you can ask any of the maintainers for help: http://pecl.php.net/package/bcompiler.

good luck.

Comment on hide your php source code (expired) by S.V. Sureshkumar

S.V. Sureshkumar — Thu, 24 Jul 2008 04:39:41 +0000

bcompiled code is not working in firefox 2 in ubundu 5 & Debian. Please give me the tips to run bcompiled code

Comment on hide your php source code (expired) by S.V. Sureshkumar

S.V. Sureshkumar — Tue, 15 Jul 2008 05:11:20 +0000

Bcompiled code (php5 ) not working for postgress database operation in Debaian/ubuntu environment. Please give me a replay to work the bcompiled code for database operation
SVS

Comment on Automated testing with Selenium IDE by Johny

Johny — Mon, 23 Jun 2008 13:07:56 +0000

It s nice for frontend Testing where you watch but for real automated one it seems to be not usable yet

Comment on Protect your application against SQL injections part 1 by Phill Brown

Phill Brown — Sun, 15 Jun 2008 02:10:43 +0000

Thanks for the article. It is great to come across different methods of prevention. I had previously simply escaped strings and not thought about integers.

Thanks

Comment on The null byte to hack includes by pitagora

pitagora — Mon, 02 Jun 2008 20:56:28 +0000

Who said that is bullet proof even if you don’t use null byte injection? What’s stopping me from referencing a php on my site? You if think it’s the fact that it will get executed on my server rather then you are double wrong. What’s stopping me to mess with my server to see php files just like txt files? Hell I don’t need to mess with anything…just install a default IIS that doesn’t know about php. Either that or I put one line of code in my .htaccess to redirect the php to a txt file.

Including files given by a variable is plain dumb…no matter how you look at it.

Comment on Books by Tobias Wassermann

Tobias Wassermann — Tue, 27 May 2008 21:54:18 +0000

Hi,

ich wollte eigentlich schon länger einmal Danke für die Rezension meines “Sichere Webanwendungen mit PHP”-Buchs sagen, jetzt schaffe ich es endlich einmal.

Gruß

Tobias

Comment on hide your php source code (expired) by me

me — Fri, 11 Apr 2008 04:52:45 +0000

is the protection of php source code only recommended on distributed php scripts or even in the web?

i mean, the index.php on the website, is there a possibility the php codes will be shown as well??