Re: PHP
From: Nathan Cook (security@pcsedu.com)
Date: 09/03/01
- Previous message: Chris Coakley: "Re: Secure Password in database"
- In reply to: teo@gecadsoftware.com: "Re: PHP"
- Next in thread: Matt Block: "RE: PHP"
- Reply: Matt Block: "RE: PHP"
Message-ID: <003d01c13440$107d8f60$a300000a@pcsedu.com>
From: "Nathan Cook" <security@pcsedu.com>
To: <secprog@securityfocus.com>
Subject: Re: PHP
Date: Mon, 3 Sep 2001 00:15:45 -0600
Hello!
> From: <teo@gecadsoftware.com>
> To: <secprog@securityfocus.com>
> yep, but such a page would have to know what is needed or not on a page, so it
> would become a `fat server' to say so, keeping the track of all pages.
More or less, I would just restrict where the variables can come from, i.e.: it
is easier to fake get vars, and cookie vars rather than post vars. You may be
able to get even more creative and strrev() (string reverse) all the variables,
or even encrypt and decrypt before and after sending with HTTP_PREPEND and
HTTP_APPEND to run before and after the script.
The http_prepend and http_append just open up a lot of doors of opportunity for
such encryption.
Hope that helps!
Nathan Cook
ncook@pcsedu.com
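
One way to restrict where variables come from, combined with the per-page list of expected variables raised in the quoted text. This is an added example, not code from the original message; it assumes a modern PHP with the file loaded ahead of each script through the `auto_prepend_file` setting, and the allowlist, `accepted_input()` and `$INPUT` are hypothetical names.

```php
<?php
// Added example (not from the original message). Meant to be loaded before
// every script, e.g. through php.ini's auto_prepend_file setting.

// Hypothetical per-script allowlist: field name => validation pattern.
// Constructed sample for a script named /login.php.
const EXPECTED_POST_FIELDS = [
    '/login.php' => [
        'username' => '/\A[a-z0-9_]{1,32}\z/i',
        'password' => '/\A.{8,128}\z/s',
    ],
];

/**
 * Return only the declared POST fields for $script, each validated.
 * GET and cookie values are never consulted; undeclared, missing or
 * malformed POST fields cause the whole request to be rejected.
 */
function accepted_input(string $script, array $post): array
{
    $expected = EXPECTED_POST_FIELDS[$script] ?? [];
    $unknown = array_diff_key($post, $expected);
    if ($unknown !== []) {
        throw new InvalidArgumentException(
            'undeclared field(s): ' . implode(', ', array_keys($unknown)));
    }
    $clean = [];
    foreach ($expected as $name => $pattern) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("missing or malformed field: $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

if (PHP_SAPI !== 'cli') {
    // Web request: read from $_POST only, never $_REQUEST, $_GET or $_COOKIE.
    try {
        $INPUT = accepted_input($_SERVER['SCRIPT_NAME'], $_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Bad request');
    }
} else {
    // Constructed sample so the file also runs from the command line.
    var_dump(accepted_input('/login.php',
        ['username' => 'alice', 'password' => 'correct horse']));
}
```

Restricting the source only narrows where values are read from; the per-field patterns are what constrain their content.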