Jump to content

Search the Community

Showing results for tags 'security'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Welcome to PHP Freaks
    • Announcements
    • Introductions
  • PHP Coding
    • PHP Coding Help
    • Regex Help
    • Third Party Scripts
    • FAQ/Code Snippet Repository
  • SQL / Database
    • MySQL Help
    • PostgreSQL
    • Microsoft SQL - MSSQL
    • Other RDBMS and SQL dialects
  • Client Side
    • HTML Help
    • CSS Help
    • Javascript Help
    • Other
  • Applications and Frameworks
    • Applications
    • Frameworks
    • Other Libraries
  • Web Server Administration
    • PHP Installation and Configuration
    • Linux
    • Apache HTTP Server
    • Microsoft IIS
    • Other Web Server Software
  • Other
    • Application Design
    • Other Programming Languages
    • Editor Help (Dreamweaver, Zend, etc)
    • Website Critique
    • Beta Test Your Stuff!
  • Freelance, Contracts, Employment, etc.
    • Services Offered
    • Job Offerings
  • General Discussion
    • PHPFreaks.com Website Feedback
    • Miscellaneous

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...


  • Start





Website URL








Donation Link

Found 13 results

  1. Hi, My ISP doesn't allow direct access to mysql Server so I created a bridge and stored the PHP code in the main web folder (https://www.mydomain.com/post.php). The bridge works fine and is used mainly for my IOT projects. In the same web folder, is located the conn.php code containing the server's credentials. The question is, how safe is the PHP code at that location? I can create a subfolder but not sure if it matters as far as security is concerned. TIA
  2. I'm curious to get opinions on using strip_tags() for fields that will be encrypted in a database. I often see websites that say "choose a password that contains X certain characters but not Z other characters." And I got curious. Let's say there's a registration form where a new user creates a username and password, and the server will store the password as ... sha1( $user_entered_value ) ... or some other sort of hashed/encrypted string. In this case, why would it ever matter that a user had entered <div> or some other such text in their password? The password will only ever
  3. Hi, Below is how I am handling the database data before I display it on a page. . $query = "SQL QUERY to retrieve some data"; . . while ($stmt->fetch()) { $fname = html_escape($fname); $lname = html_escape($lname); $city = html_escape($city); $cell = html_escape($cell); // verify that $xid is numeric. if(($xid = fcheckNumber($xid)) === false) die('Internal error. Conatct Admin'; // verify that $role has a valid value against a set of values. if(($role = html_escape(fcheckRole($role)))=== false) die('Internal error. Conatct Admin'; // verify that $email is correctly formatted as a
  4. Hi all, I am sorry if I am posting this in the wrong place. If so, kindly transfer it to the appropriate section. I was using code that used recaptcha and that worked perfectly well. Now it has stopped working. The recaptcha dialog box simply does not display. Does anyone have any clue what could be going on? Has someone else also faced this similar problem recently Thanks all.
  5. Hi, Playing with hardening a little, and implemented samesite flag within a cookie, or at least tried to. Code like: session_set_cookie_params(0, "/; SameSite=Strict", "domain.com", true, true); $params = session_get_cookie_params(); session_start(); setcookie("PHPSESSID", session_id(), $params["lifetime"], $params["path"], $params["domain"], $params["secure"], $params["httponly"]); Warning: PHP Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in /homepages/39/d582945504/htdocs/portal-x/inc/cookies.php on line 21 Not sure if it's a
  6. Hi all ! I would have liked to continue this question on my previous post but since it became too long I thought I'ld post a new one. I would like to add the following bit of code on my reset page $current = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; if(isset($_SERVER['HTTP_REFERER'])) $referrer = $_SERVER['HTTP_REFERER']; if ( $referrer === $current ) { }else { } to ensure that the page is being called from where it should be called. Is this OK or is there a better ( read more secure ) way to do it? (I think I re
  7. Hi all, I have a website with a secure login. Once logged in, I can invoke an embedded actionscript movie. This embedded movie then invokes a php file on the server. I have the headers information below: index.php?ppage (logged in) best.php?r='xxxx..' (invoked the embedded movie that invokes best.php) I have this feeling that the file best.php invoked by the movie is not being done securely enough because it's called off the movie and I cannot figure out what should I be checking to ensure that the movie invoking best.php is the correct one. I hope I am able to convey my doub
  8. Hi I have a question about generating a unique access token. I have read a lot on the internet about just using the php 'random_bytes' function. However I have found a scenario (although highly unlikely) where a session could potentially be hijacked. User 1 logs in and gets an access token of 'abcdef' (simplifying things). User 1 uses the system for a period of time but the token expires but doesn't get refreshed yet (as user 1 is idle) (so client still has access token stored on client). In the mean time User 1 decides to use a different device to login to their accoun
  9. Securing my upload folder “upl” The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and and supplied after checking credentials. The upl folder has an .htaccess file that locks down all remote access. order deny,allow deny from all When something is needed from this directory we jump that wall with the help of apache after credentials are verified. I think this is straight forward so far. For image
  10. Hi all ! In my previous question asked today I said that I am using dropdown lists for selecting country, state, city and pin. The initial lists are blank and use the selection of country to trigger the loading of states and choosing a state triggers the loading of cities and so I am using ajax for this purpose - more specifically the $ajax() function of jquery. In a normal call to a php page, the integrity is maintained via sessions, and csrf is prevented via tokens embedded in the form, but how do I take care of these when data is being passed through the ajax call ? Any other se
  11. Hi all ! I am using this tutorial and I am modifying it to include csrf protection. The index.php uses getToken(); to generate an anti-csrf token which is then inserted in the form as a hidden input field as below: <tr> <td> <select id="country_dropdown" > <option value="-1">Select country</option> <?php while($stmt->fetch()) { ?> <option value="<?php echo $country_id ?>"><?php echo $country_name ?></option } <?php // token added as hidden field
  12. I apologize if it's the wrong section, I don't know which other section this question would belong in and it is the most popular section on the forum. Say I have a site where users are can purchase "packages" and to do so, they are sending payments directly to the company using a payment processor. The company tracks all the payments in the back-end. The users are also able to see their earnings, balance and withdrawals. Normally a user can make a withdrawal request and the company will send that user his earning balance. After the user receives his earnings in his bank account, h
  13. Hi all, I just changed one of my forms to use drop down lists for storing Country, State, City and Pin values. The values for each of these fields come from individual tables in the database having the same name as these fields. Since the values of pin or picodes are dependent on the city and their value in turn is dependent on the state and so on, so the tables need to check for data integrity. However, the tables not only need to check for data integrity in the sense that a value should exist in the parent table, it also needs to be verified that the data comes from the cor
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.