PHP Security

Hi there,

I thought it was time I learnt more about PHP, specifically PHP security.

Now, I have read this guide a couple of times, which I found in the Sticky: Guide

Does this cover all the points, as I am attempting to make a website with a login, and other database stuff.

It says in the guide that having sensitive information in a file with a .php extension is fine, so can I store database details in there? Just to make sure, is there any way anyone can get at it, unless they "hack" through the FTP or w/e? I mean without FTP access?

Are there any other security articles you recommend reading before attempting to create things like login and database stuff?

Thanks...
 
Hi there,

Thanks for the replies.

I have not read through that guide yet Inquisitor, but I will be sure to before I start.

Do you feel there is anything that is important to read before attempting a login type script? Any pointers, or things I should take note of?

I will also be having an uploader on the site and I want to make sure only one type of file can be uploaded, but I am about 99.9% sure that it doesn't have a MIME type as it is application specific. Is there anything I can do in this case to prevent malicious file uploads?

Would I say, don't allow x, y and z MIME types instead of saying only allow this MIME type?

Thanks...
 
Hi there,

The one file I want to upload is an application specific file, which I very much (99.9%) doubt has a MIME type, so how do I make a whitelist?

Thanks....
 
Hi there,

I could ask them to zip up the file, or can a zip be malicious?

Also the file could only be 1.5KB max, so would that help? Or can you get malicious files which are that size and smaller?

Thanks...
 