On Tue, Jun 2, 2009 at 7:39 PM, Shawn McKenzie wrote:
> Grant Peel wrote:
>> Hi all,
>>
>> I am currently setting up the next generation web server for our company and
>> am in need of general consulting/advice on php set up security issues.
>>
>> Anyone with knowledge and experience please fee
Grant Peel wrote:
???
I think you can safely assume that was a joke.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
???
- Original Message -
From: "Shawn McKenzie"
To:
Sent: Tuesday, June 02, 2009 7:39 PM
Subject: [PHP] Re: PHP Security
Grant Peel wrote:
Hi all,
I am currently setting up the next generation web server for our company
and am in need of general consulting/advice on php set up s
Andrew Hutchings wrote:
> I prefer prepared statements and would use them all the time if
> it wasn't for the fact that those queries aren't cached until
> recent versions of MySQL 5.1
Use PDO. It emulates prepared statements and doesn't avoid the query cache:
$db->setAttribute(PDO::ATTR_EMULATE_
Andrew Hutchings wrote:
> Avoid the O'Reilly one as it is flawed.
Hollow claims are disrespectful and harmful to professional discourse.
Perhaps you are motivated to persuade others that this is true and will
do so at any cost, even if it means spreading misinformation. I'm aware
of one person who
At 11:23 AM -0400 7/4/07, Andrew Hutchings wrote:
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Mark Kelly) wrote:
Hi.
On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
Avoid the O'Reilly one as it is flawed.
In what way?
It's written by Chris Shiflett, isn't that enou
On Wed, Jul 04, 2007 at 11:36:06AM -0700, bruce wrote:
> andrew...
>
> are you sure about this... i would have thought that if you have an apache
> user 'apache' and allow php to be run as/by 'apache' then this would provide
> complete access to anything php needs to do as 'apache'.
>
> this shou
In article
<[EMAIL PROTECTED]>quickshifti
[EMAIL PROTECTED] ("Nathan Nobbe") wrote:
> the root user issue aside, i still dedicate a separa
In article
<[EMAIL PROTECTED]>[EMAIL PROTECTED]
("bruce") wrote:
> andrew...
>
> are you sure about this... i would have thought that if you have an
> apache user 'apache' and allow php to be run as/by 'apache' then this
> would provide complete access to anything php needs to do as 'apache'.
the root user issue aside, i still dedicate a separate file in /var/log
for my php apps.
-nathan
On 7/4/07, Andrew Hutchings <[EMAIL PROTECTED]> wrote:
In article
<[EMAIL PROTECTED]>[EMAIL PROTECTED]
("bruce") wrote:
> andrew...
>
> are you sure about this... i would have thought that if yo
'group' for the apache err log
files be accessed by this user...
so.. i ask again.. are you sure about this..
-Original Message-
From: Andrew Hutchings [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 04, 2007 10:39 AM
To: php-general@lists.php.net
Subject: Re: [PHP] Re: php secur
Andrew Hutchings wrote:
> In article
> <[EMAIL PROTECTED]>quickshift
> [EMAIL PROTECTED] ("Nathan Nobbe") wrote:
>
>
In article
<[EMAIL PROTECTED]>quickshift
[EMAIL PROTECTED] ("Nathan Nobbe") wrote:
> this is getting good; i want to kno
this is getting good; i want to know why it's *flawed* now too.
no pressure :)
-nathan
On 7/4/07, Stut <[EMAIL PROTECTED]> wrote:
Andrew Hutchings wrote:
> In article <[EMAIL PROTECTED]>
> [EMAIL PROTECTED](Mark Kelly) wrote:
>
>> Hi.
>>
>> On Wednesday 04 July 2007 13:01, Andrew Hutchings w
Andrew Hutchings wrote:
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Mark Kelly) wrote:
Hi.
On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
Avoid the O'Reilly one as it is flawed.
In what way?
It's written by Chris Shiflett, isn't that enough reason?
There's no need
On Wed, 2007-07-04 at 11:23 -0400, Andrew Hutchings wrote:
> In article <[EMAIL PROTECTED]>
> [EMAIL PROTECTED](Mark Kelly) wrote:
>
> > Hi.
>
> > On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
>
> >> Avoid the O'Reilly one as it is flawed.
>
> > In what way?
>
> It's written by
In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED](Mark Kelly) wrote:
> Hi.
>
> On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
>
>> Avoid the O'Reilly one as it is flawed.
> In what way?
It's written by Chris Shiflett, isn't that enough reason?
--
Andrew Hutchings - LinuxJed
Hi.
On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
> Avoid the O'Reilly one as it is flawed.
In what way?
--
I l wrote:
> Let's say you want to store someone's picture.
Okay.
> In the database, you would insert the picture, who owns that picture,
> maybe
> the ip address and request headers of where that picture came from, the
> category, sub-category, sub-sub-category in which the picture belongs to,
> e
I believe the performance hit is much higher than the 2% increase you
are referring to:
$ cat /.../loadtest.php
$ ./ab -n 1000 -c 50 http://.../loadtest.php
Time taken for tests: 1.653 seconds
Complete requests: 1000
...
Requests per second:    604.96 [#/sec] (mean)
Time per request:
[EMAIL PROTECTED] wrote:
> Quoting I l <[EMAIL PROTECTED]>:
>> So, you would prefer storing the uploaded file in your directory than a
>> database? Have you tried either method?
>
> And, by the way, once you upload it into a database, it's not a file.
> It's just
> a data field.
Actually, internal
Quoting Richard Lynch <[EMAIL PROTECTED]>:
> Actually, internally, it *is* a file, or part of a file, depending on the
> database implementation details. (*)
Part of a file? Usually. A file? Rarely.
And as part of a file, it is likely to be accessed using a more poorly chosen
I/O model than if
>>Yeah, with any luck at all, your binary file will corrupt itself, and
>> then
>>make your entire database unreadable by anybody, even you.
> really? Then my company's database should be corrupt by now...right?
> Haven't
> had any problems yet. Well, it's only been running for 2 years now.
Search
On Fri, 10 Dec 2004 14:07:21 -0800, [EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote:
> And, by the way, once you upload it into a database, it's not a file. It's
> just
> a data field.
And the data fields are just files on the file system. Look at the
way Postgres stores data.
The filesystem itsel
Yeah, with any luck at all, your binary file will corrupt itself, and then
make your entire database unreadable by anybody, even you.
really? Then my company's database should be corrupt by now...right? Haven't
had any problems yet. Well, it's only been running for 2 years now.
I l wrote:
> the b
I l wrote:
> the best security practice is to store the jpg file or any other uploaded
> file in your mySql database. This way you never have to worry about
> someone
> executing php by the url like www.example.com/pic.jpg. To view the file,
> the
> user would type www.example.com/veiw.php?fileID=3
Quoting I l <[EMAIL PROTECTED]>:
> So, you would prefer storing the uploaded file in your directory than a
> database? Have you tried either method?
And, by the way, once you upload it into a database, it's not a file. It's just
a data field.
Quoting I l <[EMAIL PROTECTED]>:
> I never said that this method wouldn't cause you overhead. With all respect,
> I am simply stating that this method is much simpler. Sometimes you must
> choose simplicity over processing costs. What if there was another
> programmer editing your code? Or, you ca
Quoting I l <[EMAIL PROTECTED]>:
> Let's say you want to store someone's picture.
>
> In the database, you would insert the picture, who owns that picture, maybe
> the ip address and request headers of where that picture came from, the
> category, sub-category, sub-sub-category in which the picture
I never said that this method wouldn't cause you overhead. With all respect,
I am simply stating that this method is much simpler. Sometimes you must
choose simplicity over processing costs. What if there was another
programmer editing your code? Or, you came back to the same code after one
yea
I l wrote:
Let's say you want to store someone's picture.
In the database, you would insert the picture, who owns that picture,
maybe the ip address and request headers of where that picture came
from, the category, sub-category, sub-sub-category in which the picture
belongs to, etc. You can gathe
Let's say you want to store someone's picture.
In the database, you would insert the picture, who owns that picture, maybe
the ip address and request headers of where that picture came from, the
category, sub-category, sub-sub-category in which the picture belongs to,
etc. You can gather and store
Quoting I l <[EMAIL PROTECTED]>:
> And finally, file management is much much easier when you store the files in
> a database.
There is a kind of database that is perfectly designed and equipped to store
files, and their very specific metadata properties, optimized for the correct
sort of access.
e and execute it on the server.
And finally, file management is much much easier when you store the files in
a database.
From: Chris Shiflett <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: I l <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 9
--- I l <[EMAIL PROTECTED]> wrote:
> the best security practice is to store the jpg file or any other
> uploaded file in your mySql database. This way you never have
> to worry about someone executing php by the url like
> www.example.com/pic.jpg. To view the file, the user would type
> www.example
also keep information about the file uploaded in your mysql such as
IP address.
I can't really see any security problems here.
From: John Nichel <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 09 Dec 2004 15:53:50 -0500
MIME-Version: 1.0
Rec
Richard Lynch wrote:
Chris Shiflett wrote:
--- Greg Donald <[EMAIL PROTECTED]> wrote:
http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
"There are two kinds of flaws :
- flaws inherent to the php lan
Chris Shiflett wrote:
> --- Greg Donald <[EMAIL PROTECTED]> wrote:
>> http://seclists.org/lists/security-basics/2004/Dec/0080.html
>
> Most of this is actually true.
>
> The one statement that is unclear is the following:
>
> "There are two kinds of flaws :
> - flaws inherent to the php lan
>> Also, you *SHOULD* force the file to be saved on your server
>> with the correct extension. If a user can upload a JPEG with
>> .php on the end, or worse, with php in the middle of the
>> filename, and then your server puts that file in the web tree or
>> otherwise allows it to be executed, *YOU
--- Richard Lynch <[EMAIL PROTECTED]> wrote:
> I personally think that if you can't upload your images outside
> your web tree then, in fact, your server admin is at fault for not
> providing you a directory structure that allows that. Good
> security requires cooperation from both admin and Progra
--- Greg Donald <[EMAIL PROTECTED]> wrote:
> http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
"There are two kinds of flaws :
- flaws inherent to the php language itself, as seen before, in fil
Greg Donald wrote:
> On Wed, 8 Dec 2004 08:42:50 -0500, Joshua Beall <[EMAIL PROTECTED]>
> wrote:
>> Can you also provide a link to the relevant message in the mailing list
>> archive? I would like to read this myself.
>
> http://seclists.org/lists/security-basics/2004/Dec/0080.html
Everything de
On Wed, 8 Dec 2004 08:42:50 -0500, Joshua Beall <[EMAIL PROTECTED]> wrote:
> Can you also provide a link to the relevant message in the mailing list
> archive? I would like to read this myself.
http://seclists.org/lists/security-basics/2004/Dec/0080.html
--
Greg Donald
Zend Certified Engineer
On Wed, 24 Jul 2002, Scott Fletcher wrote:
> It works very nicely. The whole process takes 30 to 45 minutes for just
> one server. I wonder how someone did 12 computers in 10 minutes.
> Cool!
cd /usr/src/local
tar -zxf php-4.2.2.tar.gz
cd php-4.2.2
../php-4.2.1/config.nice
make
At 10:22 AM 7/24/02 -0400, Scott Fletcher wrote:
>It works very nicely. The whole process takes 30 to 45 minutes for just
>one server. I wonder how someone did 12 computers in 10 minutes.
>Cool!
For me the key to upgrading many servers is to compile once then copy the
resulting files to
On Wednesday 24 July 2002 22:22, Scott Fletcher wrote:
> It works very nicely. The whole process takes 30 to 45 minutes for just
> one server.
You've got a slow computer and/or you type too slow ;-)
> I wonder how someone did 12 computers in 10 minutes.
> Cool!
For me it was a case of
> > From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 23, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> > in PHP versions 4.2.0
> >
> >
> > Sent: Tuesday, July 23, 2002 12:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> > in PHP versions 4.2.0
> >
> >
> > I don't know how to apply patches to the PHP software. I just fin
If all you're doing is applying the patch (not adding/removing any
extensions), you should be able to use
./config.nice
which will use all of the configuration commands from your last compile
(This is an extremely handy thing if your GD/Freetype setup was particularly
ornery the first time aroun
> From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 23, 2002 12:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
> in PHP versions 4.2.0
>
>
> I don't know how to apply patches to the PHP software.
Amended to this recent posting. Already started a new posting from scratch.
"Scott Fletcher" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I don't know how to apply patches to the PHP software. I just finished
> upgrading the website to work with PHP 4.2.1 fro
I don't know how to apply patches to the PHP software. I just finished
upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
then do the usual stuff for PHP then apache, right??
"Adam Alkins" <[EMAIL PROTECT
Any real programmer should know that almost nothing is bug free, even if you
test it beyond your imagination. Something is always going to elude you and
be found by someone experimenting down the road.
For the widespread use of PHP, I'm rather impressed by the small amount of
vulnerabilities disco
The correct path for the windows binary version is
http://www.php.net/do_download.php?download_file=php-4.2.2-Win32.zip
/lasso ([EMAIL PROTECTED])
Rouvas Stathis wrote:
> Hi all,
>
> Just wanting to notify everyone that
> the link for the PHP.4.2.2 download is broken.
>
> -Stathis.
>
>
Hi all,
Just wanting to notify everyone that
the link for the PHP.4.2.2 download is broken.
-Stathis.
--
Rouvas Stathis
[EMAIL PROTECTED]
http://www.di.uoa.gr/~rouvas