Gazan, posted January 26, 2009:
Hey there. Alright, I'm a PHP programmer who needs a lesson or two in programming SAFELY (so hackers can't injure). I've got loads of experience doing PHP scripts such as a news system and all that. But I never found out how to really code safely, so hackers can't get around my systems and such. Does anybody have links or anything to tutorials or walk-throughs that explain safe PHP coding, or can anybody give me some tips on how to code safely? Thanks

DeanWhitehouse, posted January 26, 2009:
There is one on the main site about security.

Gazan, posted January 26, 2009:
I can't seem to find it, would you link me?

DeanWhitehouse, posted January 26, 2009:
http://www.phpfreaks.com/tutorial/php-security

Gazan, posted January 26, 2009:
Alright, thanks for that. Also got another question. If you want to create a CMS with an install file, how do you insert the input from the person who's going to set it up as the main mysql_connect details? You store the information in, what?

Cosizzle, posted January 26, 2009:
nettuts had another good article on it some time ago:
http://nettuts.com/tutorials/tools-and-tips/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/

DeanWhitehouse, posted January 26, 2009:
On the CMS I started, I used a file called config.inc.php which just stored variables like the database details.

Gazan, posted January 26, 2009:
And how would I write the $_POST/$_REQUEST details into the .inc.php file?

DeanWhitehouse, posted January 26, 2009:
fread, fwrite, fopen and fclose, but not in that order.

Gazan, posted January 26, 2009:
Argh, alright. Thanks a lot.

Gazan, posted January 26, 2009:
Last question. How would I retrieve the info (db name, pass, user, host) in the .inc.php file from a PHP file that contains mysql_connect("$dbname, bla bla bla...");

DeanWhitehouse, posted January 26, 2009:
So if the file was like

    // config.inc.php file
    $db_name = "name";
    // etc...

then you could do

    // include runs config.inc.php, so its variables are defined here
    include "config.inc.php";
    echo $db_name;

That should do it I think, not 100% so test it out.

Gazan, posted January 27, 2009:
Yeah, but the problem is... during the install I want to write the db name, db pass and db host TO the config.inc.file with a PHP script. I want to store values into the variables.

redarrow, posted January 27, 2009:
Look up sessions.

Philip, posted January 27, 2009:
Sessions aren't the answer to everything. As much as you may think so, they aren't. You could use file_get_contents(), perform the search & add in values, then file_put_contents(). Search for $db_name, $db_user, $db_pass, $db_table etc...
- If the values exist, change the values to the ones you want to set.
- Otherwise (if they messed with the file beforehand), insert them.

uniflare, posted January 27, 2009:
If you're making a config file, just make the first page of the install file the creation of the config file.
Page 1 -> Enter configuration into a form, submit.
Page 2 -> Save configuration silently using fopen/fwrite/fclose, then include() the file, install the script.
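
Added example (not code from any poster in this thread): one way to do the install step discussed above, writing the form's values into config.inc.php and loading them back with include. The helper names write_config() and read_config(), the array-returning file layout and the sample values are assumptions; var_export() is used so that submitted values are stored as quoted PHP literals instead of being pasted into the file as raw text.

```php
<?php
// Added example; write_config()/read_config() are hypothetical helper names.

// Store installer input as a PHP array. var_export() emits each value as a
// correctly quoted PHP literal, so quotes or "<?php" inside a submitted value
// stay data and never become code when the file is later included.
function write_config(string $path, array $input): void
{
    $config = [];
    foreach (['db_host', 'db_name', 'db_user', 'db_pass'] as $key) {
        if (!isset($input[$key]) || !is_string($input[$key])) {
            throw new InvalidArgumentException("Missing or non-string field: $key");
        }
        $config[$key] = $input[$key];
    }
    $code = "<?php\nreturn " . var_export($config, true) . ";\n";

    // Write a temp file in the same directory, then rename it into place, so
    // a half-written config is never included by another request.
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false || file_put_contents($tmp, $code, LOCK_EX) === false) {
        throw new RuntimeException('Could not write config file');
    }
    chmod($tmp, 0640); // owner read/write, group read, no world access
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('Could not move config file into place');
    }
}

// include evaluates the file and hands back the array it returns.
function read_config(string $path): array
{
    return include $path;
}

// Constructed sample input standing in for the install form's $_POST.
$post = [
    'db_host' => 'localhost',
    'db_name' => 'cms',
    'db_user' => 'cms_user',
    'db_pass' => "pa'ss\"; <?php w0rd",
];
$path = sys_get_temp_dir() . '/config.inc.php';
write_config($path, $post);
$cfg = read_config($path);
echo $cfg['db_pass'] === $post['db_pass'] ? "round-trip ok\n" : "MISMATCH\n";
```

Keep the generated file outside the web root where the host allows it, and remove or lock the installer once the config exists so the settings cannot be overwritten by a later request.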