[SOLVED] PHP Security Testing - Advice needed (please)

[s1yman]

Hi all, hope you are well.

 

I've heard a lot about php script in web pages being "vulnerable" and since I haven't learnt anything about php security I was wondering if anyone knows any free software or websites where I can scan my pages for potential holes and/or vulnerabilities?

 

Thanks in advance,

 

-Simon

[jackpf]

Firefox addons!

XSS me, SQL inject me. Stuff like that.

[s1yman]

I'll give it a try, thanks for the quick reply!

[ToonMariner]

every language used can be insecure - its not inherent to that language - its the quality of te code written that is invariably insecure.

[jackpf]

Basically, as a rule of thumb -

• Escape everything used in a query with mysql_real_escape_string()
  
• Escape all user input for html characters
  
• Turn off remote file inclusion in php.ini
  
• Do not rely on magic quotes
  
• Turn of register globals in php.ini
  

 

I think that's pretty much it, combined with a teaspoon of common sense.

[s1yman]

Firefox addons!

XSS me, SQL inject me. Stuff like that.

 

These are looking for forms, is it only scripts that process forms I need to worry about. Or is it all my scripts?

 

every language used can be insecure - its not inherent to that language - its the quality of te code written that is invariably insecure.

 

Yeah, I know someone didn't just turn around one day and go "let's pick on PHP!!!" As I said, I don't know much about PHP Security, so don't understand what would make a script secure or insecure?

[jackpf]

Generally, it's only user input you have to worry about, so yeah, mainly forms.

[s1yman]

kool - thanks for your help mate!

[jackpf]

No problem.