
PHP Security

PHP is a high-level language and can be very secure, but only when it is used properly.

Failure to check user input is one of the most common mistakes among new PHP users. Here are some more mistakes, and their solutions.

All form input should be validated in PHP on the server. Use isset instead of strlen if you are checking a string's length, as isset is faster. For example, the first snippet below executes faster than the second.

<?php
// Rejects a name shorter than 4 or longer than 200 characters without calling strlen.
// isset($s[$n]) is true only when the string has at least $n + 1 characters, so
// offset 3 tests "at least 4 characters" and offset 200 tests "more than 200 characters".
if (!isset($_POST['fname'][3]) || isset($_POST['fname'][200])) {
    $error = "Please enter a name between 4 and 200 characters";
}
?>

<?php
// The same check with strlen: a name shorter than 4 or longer than 200 characters is rejected
if (strlen($_POST['fname']) < 4 || strlen($_POST['fname']) > 200) {
    $error = "Please enter a name between 4 and 200 characters";
}
?>

All data should be verified and ‘escaped’ before being inserted into a SQL database. The correct procedure when using MySQL is to use mysql_real_escape_string.

<?php
// Escapes quotes and other special characters so the value cannot break out of the
// quoted SQL string it is placed in (the escaped value must still be quoted in the query).
// Needs an open ext/mysql connection; ext/mysql was removed in PHP 7, where prepared
// statements (mysqli or PDO) replace this approach.
$fname = mysql_real_escape_string($_POST['fname']);
?>

Why should strings be escaped? Go read about SQL Injection.

Make sure you are always using the latest version of PHP.

Make sure register_globals is off.

Compile PHP with Suhosin and the Hardened PHP patch. Check out this link to read another article on this.

Never use exec, shell_exec, or any other shell functions combined with user input. Regardless of how much safe code you wrap around it, it will be exploited (unless the user is only supplying parameters, never the command itself).

Disable shell_exec, exec, and other dangerous PHP functions. Here is an example php.ini entry:

disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

I used to rely heavily on some of those functions, but I am managing fine without them. Sometimes, you must leave the FTP functions enabled.

If you are going to include files based on user input, check it carefully!

When allowing users to upload files, check the file carefully. Don’t just check the extension; check the MIME type, the file name, the directory, and so on. Make all uploads go to a directory where PHP is disabled. And something I didn’t do once (and somebody exploited it): check the new name if you allow people to rename files. Somebody uploaded example.txt and renamed it to ../index.php, overwriting the proper files.
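A hardened upload-and-rename handler that applies the checks in the paragraph above (file name, extension, real MIME type, destination directory), added here as an example and not code from the original post. The upload directory, the allowed-type map and the function names are assumptions; it needs PHP 7.1 or later with the fileinfo extension.

```php
<?php
// Added example, not code from the original post: UPLOAD_DIR, ALLOWED and the function names are assumed.
const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the document root, PHP execution disabled there
const ALLOWED = ['txt' => 'text/plain', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// Returns $name if it is a bare, whitelisted file name, null otherwise.
// "../index.php" fails the basename() test; "index.php" fails the extension whitelist.
function safe_name(string $name): ?string
{
    if ($name !== basename($name)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.([a-z0-9]{1,5})$/', $name, $m)) {
        return null;   // directory component, unexpected characters, or no extension
    }
    return isset(ALLOWED[$m[1]]) ? $name : null;
}

// Joins a checked name onto UPLOAD_DIR and proves the result still lies inside it.
function target_path(string $name): ?string
{
    $base = realpath(UPLOAD_DIR);
    $path = $base . DIRECTORY_SEPARATOR . $name;
    return ($base !== false && realpath(dirname($path)) === $base) ? $path : null;
}

// Stores one $_FILES entry after checking the name, the extension and the real content.
function handle_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    $name = safe_name($file['name']);
    $dest = $name === null ? null : target_path($name);
    if ($dest === null || file_exists($dest)) {
        return 'rejected file name';
    }
    // finfo sniffs the bytes, so a script renamed to .png does not pass as an image.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]) {
        return 'content does not match extension';
    }
    return move_uploaded_file($file['tmp_name'], $dest) ? "stored $name" : 'store failed';
}
// Renaming runs the same checks, so a new name of "../index.php" is rejected here too.
function rename_upload(string $old, string $new): bool
{
    $from = safe_name($old) === null ? null : target_path($old);
    $to   = safe_name($new) === null ? null : target_path($new);
    return $from !== null && $to !== null && is_file($from) && !file_exists($to) && rename($from, $to);
}
```

Call handle_upload($_FILES['upload']) from the upload form handler and rename_upload($old, $new) from the rename handler; both refuse any name that is not a bare, whitelisted file name inside UPLOAD_DIR.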