LAB: Improving security on an existing website to prevent exploits of common vulnerabilities

Protect against information disclosure
  - Suppress the display of errors: set display_errors off in either php.ini or in index.php

Protect against insufficient authorization
  - Block guests from viewing or changing member information
  - Use the ACL class; see hints in Model/Acl.php, View/members.php, change.php and admin.php

Protect against predictable resource location
  - Change the name of the admin page
  - Be sure to change the controls in View/View.php, Model/Acl.php and index.php as well

Protect against improper access controls
  - Implement password hashing
  - Back up the database and then run Model/hash_passwords.php
  - Modify Model/Members::loginByName() to use hash() with the "ripemd256" algorithm
  - Test user: conrad.perry@fastmedia.com / listened8591uncl

Avoid misconfiguration
  - Set the open_basedir parameter
  - Modify the rights of the "uploads" folder

Protect file uploads in the contact form
  - Make sure PHP files are not accepted
  - Implement safety procedures when uploading a file
  - Modify View/contact.php
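One way to carry out the contact-form upload steps, as an added example that is not the lab's or the site's own code: the function name, the form field name "attachment" and the upload directory path are assumptions, and the uploads directory is assumed to sit outside the web root with no execute rights, in line with the "uploads" folder step above.

```php
<?php
declare(strict_types=1);

// Added example, not the lab's own code. Assumes the contact form's file field is
// named "attachment" and that $uploadDir lies outside the web root.
function storeContactAttachment(array $file, string $uploadDir): string
{
    // Permitted types keyed by extension; MIME is taken from the bytes, never from $file['type'].
    $allowed = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $maxBytes = 2 * 1024 * 1024;

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Reject anything PHP might execute, including double extensions such as
    // "report.php.pdf": every dot-separated segment of the name is inspected.
    $segments = explode('.', strtolower(basename($file['name'])));
    foreach ($segments as $segment) {
        if (preg_match('/^ph(p[0-9]?|tml|ar|ps)$/', $segment)) {
            throw new RuntimeException('PHP files are not accepted');
        }
    }
    $ext = end($segments);
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('File type not accepted');
    }

    // Confirm the real content type from the file on disk.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }

    // Store under a random name so the client-chosen name never reaches the disk,
    // and leave no execute bit on the stored file.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0640);
    return $target;
}
```

In View/contact.php this would be called after the form posts, for example as `storeContactAttachment($_FILES['attachment'], '/var/www/private/uploads')`, with the RuntimeException caught and reported as a generic form error so that no path or error detail is disclosed.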