Sophie

Sophie

distrib > Mandriva > 9.1 > ppc > media > main > by-pkgid > 0afeee9cca140e167a996902b9a677c5 > files > 3172

php-manual-en-4.3.0-2mdk.noarch.rpm

<HTML
><HEAD
><TITLE
>Security</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="PHP Manual"
HREF="index.html"><LINK
REL="UP"
TITLE="Getting Started"
HREF="getting-started.html"><LINK
REL="PREVIOUS"
TITLE="Configuration directives"
HREF="configuration.directives.html"><LINK
REL="NEXT"
TITLE="Installed as CGI binary"
HREF="security.cgi-bin.html"><META
HTTP-EQUIV="Content-type"
CONTENT="text/html; charset=ISO-8859-1"></HEAD
><BODY
CLASS="chapter"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>PHP Manual</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="configuration.directives.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="security.cgi-bin.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="chapter"
><H1
><A
NAME="security"
>Chapter 5. Security</A
></H1
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
><A
HREF="security.html#security.general"
>General considerations</A
></DT
><DT
><A
HREF="security.cgi-bin.html"
>Installed as CGI binary</A
></DT
><DT
><A
HREF="security.apache.html"
>Installed as an Apache module</A
></DT
><DT
><A
HREF="security.filesystem.html"
>Filesystem Security</A
></DT
><DT
><A
HREF="security.database.html"
>Database Security</A
></DT
><DT
><A
HREF="security.errors.html"
>Error Reporting</A
></DT
><DT
><A
HREF="security.registerglobals.html"
>Using Register Globals</A
></DT
><DT
><A
HREF="security.variables.html"
>User Submitted Data</A
></DT
><DT
><A
HREF="security.hiding.html"
>Hiding PHP</A
></DT
><DT
><A
HREF="security.current.html"
>Keeping Current</A
></DT
></DL
></DIV
><P
>&#13;   PHP is a powerful language and the interpreter, whether included
   in a web server as a module or executed as a separate
   <SPAN
CLASS="acronym"
>CGI</SPAN
> binary, is able to access files, execute
   commands and open network connections on the server.  These
   properties make anything run on a web server insecure by default.
   PHP is designed specifically to be a more secure language for
   writing CGI programs than Perl or C, and with correct selection of
   compile-time and runtime configuration options, and proper coding
   practices, it can give you exactly the combination of freedom and
   security you need.
  </P
><P
>&#13;   As there are many different ways of utilizing PHP, there are many
   configuration options controlling its behaviour.  A large
   selection of options guarantees you can use PHP for a lot of
   purposes, but it also means there are combinations of these
   options and server configurations that result in an insecure
   setup.
  </P
><P
>&#13;   The configuration flexibility of PHP is equally rivalled by the
   code flexibility. PHP can be used to build complete server
   applications, with all the power of a shell user, or it can be used
   for simple server-side includes with little risk in a tightly
   controlled environment. How you build that environment, and how
   secure it is, is largely up to the PHP developer.
  </P
><P
>&#13;   This chapter starts with some general security advice, explains
   the different configuration option combinations and the situations
   they can be safely used, and describes different considerations in
   coding for different levels of security.
  </P
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="security.general"
></A
>General considerations</H1
><P
>&#13;    A completely secure system is a virtual impossibility, so an
    approach often used in the security profession is one of balancing
    risk and usability. If every variable submitted by a user required
    two forms of biometric validation (such as a retinal scan and a
    fingerprint), you would have an extremely high level of
    accountability. It would also take half an hour to fill out a fairly
    complex form, which would tend to encourage users to find ways of
    bypassing the security.
   </P
><P
>&#13;    The best security is often inobtrusive enough to suit the
    requirements without the user being prevented from accomplishing
    their work, or over-burdening the code author with excessive
    complexity. Indeed, some security attacks are merely exploits of
    this kind of overly built security, which tends to erode over time.
   </P
><P
>&#13;    A phrase worth remembering: A system is only as good as the weakest
    link in a chain. If all transactions are heavily logged based on
    time, location, transaction type, etc. but the user is only
    verified based on a single cookie, the validity of tying the users
    to the transaction log is severely weakened.
   </P
><P
>&#13;    When testing, keep in mind that you will not be able to test all
    possibilities for even the simplest of pages. The input you
    may expect will be completely unrelated to the input given by
    a disgruntled employee, a cracker with months of time on their
    hands, or a housecat walking across the keyboard. This is why it's
    best to look at the code from a logical perspective, to discern
    where unexpected data can be introduced, and then follow how it is
    modified, reduced, or amplified.
   </P
><P
>&#13;    The Internet is filled with people trying to make a name for
    themselves by breaking your code, crashing your site, posting
    inappropriate content, and otherwise making your day interesting.
    It doesn't matter if you have a small or large site, you are
    a target by simply being online, by having a server that can be
    connected to. Many cracking programs do not discern by size, they
    simply trawl massive IP blocks looking for victims. Try not to
    become one.
   </P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="configuration.directives.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="security.cgi-bin.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configuration directives</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="getting-started.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Installed as CGI binary</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional