info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Do you know of a guide on how to idiot proof php for use on the public web?
12 views
Skip to first unread message
re...@mynetblog.com
Mar 1, 2017, 1:20:47 PM3/1/17
to
Do you know of a guide on how to idiot proof php for use on the public web?
I have great concerns about people XSS'ing my site or other serious stuff. My problem is that I assume everything is going to get attacked and am afraid to put any php where people can access it.
A very long time ago I had this CGI page to allow people to enter a URL they wanted to see and when they submitted the form it would display the link on a result page. I know this is very bad to do this type of thing now because of XSS vulnerabilities. However, I don't know about all the other hacks people use to exploit php.
I just recently found out about the proxy variable where people set a "proxy" variable in their request header that when sent to a CGI script turns into http_proxy environment variable. So, I blocked that. (I think.)
Attackers are actively scanning my site for vulnerabilities so I am fearful of putting anything on my site that they can attack because I know they will exploit any hole they find.
I only know how to write simple and short php scripts and some very basic SQL queries.
I have great concerns about people XSS'ing my site or other serious stuff. My problem is that I assume everything is going to get attacked and am afraid to put any php where people can access it.
A very long time ago I had this CGI page to allow people to enter a URL they wanted to see and when they submitted the form it would display the link on a result page. I know this is very bad to do this type of thing now because of XSS vulnerabilities. However, I don't know about all the other hacks people use to exploit php.
I just recently found out about the proxy variable where people set a "proxy" variable in their request header that when sent to a CGI script turns into http_proxy environment variable. So, I blocked that. (I think.)
Attackers are actively scanning my site for vulnerabilities so I am fearful of putting anything on my site that they can attack because I know they will exploit any hole they find.
I only know how to write simple and short php scripts and some very basic SQL queries.
0 new messages