php-security

PHP - Protecting site from folders with 777 permissions

Usually, I try to set my folders to have permission 775, but some web hosts refuse to let PHP write or move files to any folder unless it has permission 777 (it may be open_dir or safe mode). Are there any ways to prevent any PHP files from being run from such folders, in case a malicious PHP script has been uploaded there? ...

What's the best technique to protect my framework from visitors who are not logged in?

First of all, I would like to say that I have used the search box looking for a similar question and was unsuccessful, maybe because of my poor English skills. I have a 'homemade' framework. I have certain PHP files that must only be visible to the admin. The way I currently do this is to check within every single page to see if a sessi...

How to do a PHP security check for input fields and input treatment?

Hi, how do I do a PHP security check for user input fields and user input treatment (please, if you can, solve examples 1 and 2)? Example 1: check if the user inserted a URL or something else: <label>url: </label> <input type="text"> Example 2: check if the user inserted HTML or something else: <label>paste html: </label> <textarea></textarea> thanks ...
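An added example for the two cases asked about above; it is not from the question or from any answer on this page. It assumes the URL is only meant to be used in a link (so only http and https are acceptable) and that the pasted HTML only needs to be displayed as text, not rendered as markup. The sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Example 1: validate a user-supplied URL.
 * FILTER_VALIDATE_URL only checks syntax; it accepts schemes such as
 * mailto: and file: too, so an explicit scheme allowlist is still needed
 * before the value is ever reflected into an href attribute.
 */
function validateHttpUrl(string $input): ?string
{
    $input = trim($input);
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null; // not a syntactically valid URL
    }
    $scheme = strtolower((string) parse_url($input, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $input : null;
}

/**
 * Example 2: treat pasted HTML as data, not markup.
 * Escaping on output makes the browser render the text literally, so
 * nothing the user pasted can execute. (If a subset of tags must be
 * allowed, a whitelist-based sanitizer such as HTMLPurifier is needed
 * instead of escaping.)
 */
function escapeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$urls = [
    'https://example.com/page?x=1',  // accepted
    'mailto:someone@example.com',    // valid URL syntax, wrong scheme -> rejected
    'not a url',                     // rejected
];
foreach ($urls as $u) {
    printf("%-32s => %s\n", $u, validateHttpUrl($u) ?? 'REJECTED');
}

$pasted = '<script>alert("x")</script>';
echo escapeForHtml($pasted), "\n"; // &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;
```

The escaping belongs at the point where the value is written into the page, with the raw text stored unchanged; escaping at input time makes the data unusable in any non-HTML context (e-mail, JSON, logs) and is easy to apply twice.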

PHP stream security

Why is it not secure to allow access to resources with URIs like "http://example.com/badcode.txt"? What does non-file-based mean? I'm reading this PHP security checklist: http://www.sk89q.com/2009/08/definitive-php-security-checklist/ thx ^_^ ...

Allow embed tag in HTMLPurifier?

I use this configuration: $config = HTMLPurifier_Config::createDefault(); $config->set('Core.Encoding', 'UTF-8'); $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); $config->set('HTML.SafeObject', true); $config->set('Output.FlashCompat', true); $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allo...

Limiting unserialize() to return arrays?

Is there any way to limit PHP's unserialize() to only parse arrays? For security reasons. Suppose there is an evil __unserialize() magic method in the unserialized object that I don't want to call! ...
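An added example, not from the question or from any answer on this page, showing one way to get array-only behaviour out of unserialize(). It assumes PHP 7.0 or later, where unserialize() takes an `allowed_classes` option; with that set to false no application class is ever instantiated, so no __wakeup(), __unserialize() or __destruct() of such a class can run. The helper name and the sample payloads are constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Unserialize untrusted data but only accept an array result.
 *
 * allowed_classes => false turns every serialized object into a
 * __PHP_Incomplete_Class instance instead of the real class, so no
 * magic method of an application class is invoked during parsing.
 * The result is then walked and rejected if any object remains at
 * any depth, so the caller only ever sees scalars and arrays.
 */
function unserializeArrayOnly(string $data): ?array
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null; // false on malformed input, or a scalar/object at top level
    }

    // Depth-first walk without recursion: reject any object nested inside.
    $stack = [$value];
    while ($stack !== []) {
        foreach (array_pop($stack) as $item) {
            if (is_object($item)) {
                return null;
            }
            if (is_array($item)) {
                $stack[] = $item;
            }
        }
    }
    return $value;
}

// Constructed sample payloads.
$plainArray  = serialize(['id' => 42, 'tags' => ['a', 'b']]);
$topObject   = 'O:8:"stdClass":1:{s:1:"x";i:1;}';          // object at top level
$nestedObj   = 'a:1:{i:0;O:8:"stdClass":0:{}}';             // object hidden in an array
$scalar      = 'i:7;';

var_dump(unserializeArrayOnly($plainArray)); // array(2) { ... }
var_dump(unserializeArrayOnly($topObject));  // NULL
var_dump(unserializeArrayOnly($nestedObj));  // NULL
var_dump(unserializeArrayOnly($scalar));     // NULL
```

If the producer of the data is under your control, json_encode()/json_decode($s, true) avoids the object-instantiation problem entirely, since JSON has no notion of classes; the helper above is for the case where the serialized format cannot be changed.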