
Is This A Security Problem?


Truly


Hi guys, time to pluck some more information from your loaded minds.

If I allow users to upload pictures to my server and specify that it has to be a file extension that corresponds to a picture (such as .jpg, .gif, etc.) and then don't allow them to change anything after that, is it possible that it could be a security problem? Can you hide an executable as a picture? Like, a server won't run a file or execute a script if its name is *.jpg, will it?

And while we are on the topic of security, right now I am building a CMS and then plan on working on the login system and security when it is "done." Is that logical, or does security have to be integrated right away? Also, does anyone know of some good tutorials on creating secure websites using PHP and maybe a little JS for validation if I can't avoid it :).

Thanks for all the help and advice.


The only part I can help you with is security. It can be included AFTER you have a very simple CMS working, although it would be easy to do as you are doing it.

I'm making a CMS and have done a simple login, but keep finding errors, such as (you can register with the same username more than once), so I'm having to go back to that and changing my code a bit. So it can be done after, although it would be easier as you are doing it for the first time.


Both of your questions can be answered with something like this: http://www.oreilly.com/catalog/phpsec/

For files, if the execute bit on the file is set (assuming the server is Linux), and the directory that the file is in has execute permissions, and the server is set up to execute files in that directory, then the file extension will not matter; the file could still be executed. The way to protect against this is to not have the web server execute files in web directories (scripts and executable files are not the same thing).

When I build my own sites the user authentication is the very first thing I do (I actually just re-use something I already made), but there aren't any rules. If you want to finish your project and then go back through everything and add security, you can. You might miss some things that you would have caught if you had done it at the same time, but it's not correct to say that your approach is "wrong". There aren't any rules.
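A defensive upload check that follows from this answer, added here as an example (not code from the thread; Python rather than the poster's PHP, the logic carries over): it verifies the file's leading bytes against the claimed extension, rejects mismatches and non-image content, and stores the file under a server-chosen name with no execute bit. The signature table and function names are assumptions of this example; it complements the directory-level rule above rather than replacing it, since the web server must still be configured not to execute anything in the upload directory.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the image formats the form accepts.
# Constructed table for this example; the thread names only .jpg and .gif.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def sniff_image_type(data: bytes):
    """Return the image type the bytes actually look like, or None."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return "jpg" if ext == "jpeg" else ext
    return None


def validate_upload(filename: str, data: bytes):
    """Decide whether an upload may be stored. Returns (ok, reason, ext)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in SIGNATURES:
        return False, "extension not allowed", None
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a recognised image", None
    declared = "jpg" if ext == "jpeg" else ext
    if actual != declared:
        return False, f".{ext} does not match content ({actual})", None
    return True, "ok", declared


def storage_name(ext: str) -> str:
    """Server-chosen name; the user-supplied name never reaches the disk."""
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write with mode 0o644 (readable, never executable)."""
    ok, reason, ext = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    name = storage_name(ext)
    fd = os.open(os.path.join(upload_dir, name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name
```

`upload_dir` should be a directory the web server serves as static content only; the file mode keeps the execute bit off regardless of what the uploader sent.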

