December 2010
Intermediate to advanced
363 pages
12h 21m
English
book
Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition
by Chris Snyder, Michael Southwell, Thomas Myer
Content preview from Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second EditionBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Summary
We have continued our discussion of threats to your PHP application and your users' data by considering remote execution, an exploit where an attacker takes advantage of your application's openness to user-submitted input that is then executed by PHP.
After describing how remote execution works, and what dangers it presents, we provided six strategies for countering it:
- Limit allowable filename extensions for uploads.
- Allow only trusted, human users to import code.
- Do not use the
eval()function with untrusted input. - Do not include untrusted files.
- Properly escape all shell commands.
- Beware of
preg_replace()patterns with theemodifier.
We then pointed out that, in attempting to prevent remote execution exploits, you need to balance ...