As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP installation.
Look into PHP’s “safe mode” feature, ESPECIALLY if you’re running a webserver that the general public can upload scripts to. Here you’ll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP’s job to restrict these types of functions; however, unless you really know what you’re doing, the list of functions restricted by safe mode is a good starting point for building secure applications. These are generally functions that allow file and directory manipulation, and socket manipulation. If it’s not possible within your environment to disable them all, disable as many of these functions as possible.
Although it is not that common, if I’m writing an application that relies heavily on functions that manipulate directories or sockets, I prefer to create a C daemon or similar to handle that side of things and simply use PHP to communicate with it.
Tags: cross site scripting, directory, error reporting, magic quotes, MySQL, mysql_real_escape_string, PHP, php security, safe mode, socket, sql injection, xss
nmap is one of the most useful tools for a security consultant in a penetration testing environment. It has a massive range of options, and only the most basic will be considered in this tutorial.
It goes without saying that nmap should only be run against IPs and ports that you yourself have gained authorization to test. Here goes:
Tags: daemon, ethernet, firewall, frame, ftp, header, ids, IP, mangle, nmap, paket, pen test, pen testing, penetration testing, POP3, port, security, Security Consultant, security consulting, socket, tcp, timing, udp
I wrote this article some time ago, but thought I’d publish it here for reference.
This text is dual licenced under the GFDL and GPL
There are two known versions of netcat. The version of netcat used here is the original Avian Research version, not the newer GNU release.
Contents:
- Netcat Basics
- What is Netcat?
- Netcat Syntax
- Netcat Installation
- What are the most basic uses?
- Simple File Transfer
- Tar
- UDP
Tags: advanced uses, command prompt, command shell, cryptcat, inetd, internetworking, ipv6, Linux, nc, nc11nt, netcat, netcat installation, netcat syntax, networking, proxy, proxying, scanning, simple file transfer, socket, spoofing, syslogd, tar, tcp, udp, windows