Thursday, December 17, 2009

PHP Security Blunders

These are some of the blunders that developers most often make while coding.
Unvalidated Input Errors

One of -- if not the -- most common PHP security flaws is the unvalidated input error. User-provided data simply cannot be trusted. You should assume every one of your Web application users is malicious, since it's certain that some of them will be. Unvalidated or improperly validated input is the root cause of many of the exploits we'll discuss later in this article.
This code has a gaping security hole, since the $_GET[month] and $_GET[year] variables are not validated in any way. The application works perfectly, as long as the specified month is a number between 1 and 12, and the year is provided as a proper four-digit year. However, a malicious user might append ";ls -la" to the year value and thereby see a listing of your Website's html directory. An extremely malicious user could append ";rm -rf *" to the year value and delete your entire Website! A corrected version, with both values validated before they reach exec(), follows.
<?php
// Validate both values before they are interpolated into the shell command.
$month = $_GET['month'];
$year = $_GET['year'];

if (!preg_match("/^[0-9]{1,2}$/", $month)) die("Bad month, please re-enter.");
if (!preg_match("/^[0-9]{4}$/", $year)) die("Bad year, please re-enter.");

// Only the validated values reach exec(); $result receives the output lines.
exec("cal $month $year", $result);
print "<pre>";
foreach ($result as $r) { print "$r\n"; }
print "</pre>";
?>
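The validated script above still accepts month values such as 00 or 99, and it relies on the regex alone. The following is an added example, not code from the original article: it restricts the month to 1 to 12, casts both values to integers, and quotes each argument with escapeshellarg() as a second layer before exec(). It assumes PHP 7.1 or later and the same `cal` command; the function names are my own.

```php
<?php
// Added example (not from the original article): stricter validation for the
// month/year values before they reach exec(). Assumes PHP 7.1+ and `cal`.

// Return a validated [month, year] pair, or null if either value is bad.
// Only in-range integers pass, so "2009;ls -la" or "2009;rm -rf *" never do.
function validate_month_year(string $month, string $year): ?array
{
    if (!preg_match('/^(0?[1-9]|1[0-2])$/', $month)) {
        return null;            // month must be 1-12
    }
    if (!preg_match('/^[0-9]{4}$/', $year)) {
        return null;            // year must be exactly four digits
    }
    return [(int) $month, (int) $year];
}

// Build the command only from validated integers, and still quote every
// argument with escapeshellarg() as defence in depth.
function build_cal_command(int $month, int $year): string
{
    return 'cal ' . escapeshellarg((string) $month) . ' ' . escapeshellarg((string) $year);
}

$validated = validate_month_year($_GET['month'] ?? '', $_GET['year'] ?? '');
if ($validated === null) {
    http_response_code(400);
    die("Bad month or year, please re-enter.");
}
[$month, $year] = $validated;

exec(build_cal_command($month, $year), $result);
print "<pre>";
foreach ($result as $r) {
    // Encode the command output as well: never assume it is safe HTML.
    print htmlspecialchars($r, ENT_QUOTES, 'UTF-8') . "\n";
}
print "</pre>";
```

The important design choice is that the command is assembled from values that have already been reduced to integers; escapeshellarg() is there so that a later change to the validation rule cannot silently reopen the hole.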
For my PHP applications, I prefer a directory structure based on the sample below. All function libraries, classes and configuration files are stored in the includes directory. Always name these include files with a .php extension, so that even if all your protection is bypassed, the Web server will parse the PHP code, and will not display it to the user. The www and admin directories are the only directories whose files can be accessed directly by a URL; the admin directory is protected by an .htaccess file that allows users entry only if they know a user name and password that's stored in the .htpasswd file in the root directory of the site.

/home
   /httpd
      /www.example.com
         .htpasswd
         /includes
            cart.class.php
            config.php
         /logs
            access_log
            error_log
         /www
            index.php
            /admin
               .htaccess
               index.php
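As an added example that is not part of the original article, this is the .htaccess file that would protect the /www/admin directory in the layout above. The AuthUserFile path is the .htpasswd location the layout shows; the realm name is an assumption.

```apache
# Added example (not from the original article): /www/admin/.htaccess
# Requires AllowOverride AuthConfig for this directory in httpd.conf.
AuthType Basic
AuthName "Administration"
AuthUserFile /home/httpd/www.example.com/.htpasswd
Require valid-user
```

Because .htpasswd sits in the site root rather than under /www, it can never be served by a URL, and the .php extension on everything in /includes means a misconfiguration would at worst execute the file rather than print its source.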

Cross Site Scripting (XSS) Flaws

Cross site scripting, or XSS, flaws are a subset of user validation where a malicious user embeds scripting commands -- usually JavaScript -- in data that is displayed and therefore executed by another user.

For example, if your application included a forum in which people could post messages to be read by other users, a malicious user could embed a
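The forum scenario above, as an added example that is not code from the original article: it renders two constructed sample posts, one of them containing a script tag, first with raw interpolation and then with output encoding. The function names and the sample posts are my own.

```php
<?php
// Added example (not from the original article): rendering forum posts safely.
// $posts is constructed sample data; the second post is the malicious one.

$posts = [
    ['author' => 'alice',   'body' => 'Hello, everyone!'],
    ['author' => 'mallory', 'body' => "<script>alert('xss')</script>"],
];

// Unsafe: user data goes straight into the HTML, so the script tag in
// mallory's post executes in every reader's browser.
function render_post_unsafe(array $post): string
{
    return "<p><b>{$post['author']}</b>: {$post['body']}</p>";
}

// Encode a value for an HTML text or attribute context: < > & " ' become
// entities, so the browser displays the text instead of executing it.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe: every user-controlled value is encoded at the point of output.
function render_post(array $post): string
{
    return '<p><b>' . h($post['author']) . '</b>: ' . h($post['body']) . '</p>';
}

foreach ($posts as $post) {
    echo render_post($post), "\n";
}
```

Encoding at output time, not at input time, is what keeps the stored message intact while making it harmless wherever it is displayed. htmlspecialchars() covers HTML element and attribute contexts only; data placed inside a script block or a URL needs the encoding for that context.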

SQL Injection Vulnerabilities

SQL injection vulnerabilities are yet another class of input validation flaws. Specifically, they allow for the exploitation of a database query. For example, in your PHP script, you might ask the user for a user ID and password, then check for the user by passing the database a query and checking the result.

SELECT * FROM users WHERE name='$username' AND pass='$password';

However, if the user who's logging in is devious, he may enter the following as his password:

' OR '1'='1

This results in the query being sent to the database as:

SELECT * FROM users WHERE name='known_user' AND pass='' OR '1'='1';

This will return the username without validating the password -- the malicious user has gained entry to your application as a user of his choice. To alleviate this problem, you need to escape dangerous characters from the user-submitted values, most particularly the single quotes ('). The simplest way to do this is to use PHP's addslashes() function.

<?php
// If magic_quotes_gpc is on, PHP has already backslash-escaped the request
// data; strip those slashes so that addslashes() is applied exactly once.
// (magic_quotes_gpc was removed in PHP 5.4, so this check is a no-op there.)
if (get_magic_quotes_gpc()) {
    $_GET    = array_map('stripslashes', $_GET);
    $_POST   = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
?>
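The login query and the ' OR '1'='1 password from the section above, as an added example that is not code from the original article. It shows the string-built query the article describes and, beside it, the same lookup done as a PDO prepared statement, which sends the values separately from the SQL so no escaping with addslashes() is needed. It assumes the pdo_sqlite extension and uses an in-memory database with constructed sample rows; the function names are my own.

```php
<?php
// Added example (not from the original article): the login query as a
// prepared statement instead of addslashes(). Uses an in-memory SQLite
// database with constructed data so it runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, pass TEXT)");
// Plaintext password only to mirror the article's query; real applications
// store a password hash and compare with password_verify().
$db->exec("INSERT INTO users VALUES ('known_user', 'correct horse')");

// The article's query with the values interpolated into the SQL text.
function build_query_unsafe(string $username, string $password): string
{
    return "SELECT * FROM users WHERE name='$username' AND pass='$password'";
}

// Prepared statement: the values travel separately from the SQL text, so a
// quote in them is data, never syntax.
function find_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute([':name' => $username, ':pass' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$injected = "' OR '1'='1";

// String-built query: the WHERE clause becomes a tautology, so the
// known_user row comes back even though the password is wrong.
echo build_query_unsafe('known_user', $injected), "\n";
$rows = $db->query(build_query_unsafe('known_user', $injected))->fetchAll(PDO::FETCH_ASSOC);
echo "string-built query matched " . count($rows) . " row(s)\n";

// Prepared statement: the same input is compared literally as a password
// and matches nothing; only the real password returns the row.
var_dump(find_user($db, 'known_user', $injected));
var_dump(find_user($db, 'known_user', 'correct horse'));
```

Escaping with addslashes() works only while every value is quoted in the SQL and the character set is one addslashes() understands; a bound parameter does not depend on either, which is why it is the preferred fix.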

Source: Top 7 PHP Security Blunders [PHP & MySQL Tutorials]

FREE PANDA CLOUD ANTIVIRUS 2010 DOWNLOAD QUICKLY

We have written a new post on “Best Free Antivirus Software” and in it we added the Panda Cloud Antivirus beta edition. We also covered it in a separate post here. Now Panda Cloud Antivirus 1.0 Final edition has been released after 6 months of beta testing.
In version 1.0 Panda Cloud Antivirus developers have improved most of the issues submitted during the testing period. Some of the improvements it incorporates are:


Click here to Download Panda Cloud Antivirus 1.0 Final release

Thursday, December 3, 2009

Email Etiquettes

‘Netiquette’ is the name given to email etiquette by the cyber gurus; it means the etiquette of communication via the Internet. Although netiquette concerns all the various customs and conventions we follow when writing and sending messages through the Internet, in this article we will particularly discuss the emailing etiquette of both current employees and job seekers.

People normally adopt email etiquette by observing what others do, and gradually incorporate those actions into their own communications. We expect that after reading this article you will be able to develop your own style of writing an effective email.

Source: Email Etiquettes – An Important Aspect of Professional Communication | Rozee Weblog