Hello there. You might have already heard of basic PHP security advice, like escaping all input before putting it into the database, using htmlentities() to stop HTML from executing, using PDO, etc. But today I am going to list some more advanced tips on PHP security.
PDO & MySQLi (bound params):
PDO is known to be vulnerable to an encoding flaw, as demonstrated here: http://shiflett.org/blog/2006/jan/addsla...ape-string
The attacker can get around your little mysqli_real_escape_string magic and exploit your website.
Coming straight to the point. You need to make sure that you either:
* Use modern versions of MySQL (late 5.1, all 5.5, 5.6, etc.) AND mysql_set_charset() / $mysqli->set_charset() / PDO's DSN charset parameter (PHP 5.3.6 and later)
OR
* Don't use a vulnerable character set for the connection encoding (you only use utf8 / latin1 / ascii / etc.)
list will be updated. I am too tired atm.
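As an added example (not from the original post), here is the weak connection setup beside the corrected one for both PDO and mysqli. The host, database, credentials and the users(id, name) table are constructed placeholders.

```php
<?php
// Added example, not code from the original post. Assumes a local MySQL server with a
// database "app", user "app_user"/"app_pass" and a table users(id, name): all constructed.
declare(strict_types=1);

// WEAK: no charset in the DSN and the encoding switched with a plain "SET NAMES" query.
// Only the server learns about the change; the client library that does the escaping
// still believes the old charset, which is exactly the gap the encoding trick exploits.
function connect_weak(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=app', 'app_user', 'app_pass');
    $pdo->exec('SET NAMES gbk');   // multibyte charset, client library not informed
    return $pdo;
}

// HARDENED: charset declared in the DSN (PHP 5.3.6+), so the client library escapes with
// the right encoding; emulated prepares turned off so the server itself binds parameters;
// exceptions enabled so a failed query cannot be silently ignored.
function connect_hardened(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// The lookup itself uses a bound parameter: whatever bytes $name contains, it never
// becomes part of the SQL text, so escaping rules no longer decide the outcome.
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same rule for mysqli: set_charset() updates the client library, "SET NAMES" does not.
function find_user_mysqli(string $name): ?array
{
    $db = new mysqli('127.0.0.1', 'app_user', 'app_pass', 'app');
    $db->set_charset('utf8mb4');   // never $db->query('SET NAMES ...') for this purpose
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name); // "s" = string; the value travels separately from the SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}
```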
Staying Safe | Advanced PHP Security Tips
Submitted by Sozin, 28-04-2015, 07:49 PM, Thread ID: 3303