Any volunteer to test a PHP+MySQL based website's vulnerability?

Thanks, Lal

Re: volunteer

Following on from Lal's message. . .
You're right to be concerned but going about it the wrong way.

*You* need to be the one dealing with the security.  *You* need to  
_understand_ the threats before you can deal with them.  There are  
plenty of on-line resources on PHP/MySQL and security to deal with the  
protection /mechanisms/ ...
...but only you can understand the /context/ in order to build a  
security model.  Only you can list the bad things that could happen in  
order to deal with them in depth.

PETER FOX Not the same since the submarine business went under
2 Tees Close, Witham, Essex.
Gravity beer in Essex  <http://www.eminent.demon.co.uk

Re: volunteer

Peter Fox wrote:
Well, yes. You are right. The problem with security is, however, that  
there is bound to be a hacker that understands more than you do.

So let me add one thing to the above (as you should take a really good  
interest in security):

   Know What You Are Doing.

I don't mean as a programmer. You, as a programmer, don't do unexpected  
things, like giving passwords away or sending unwanted emails. Your  
application does. So I am really saying this to your application: Know  
What You Are Doing.
As a programmer, I want to know when things go wrong. Things that go  
wrong are usually my fault or at least my responsibility, so I want to  
know. Therefore I log errors.
For one of my last applications (which was thrown over the wall after  
being set up without any documentation), I had so many things to deal  
with that I enhanced my database class to just log all SQL commands,  
along with the site input. Not only the bad commands. I found this a  
great help, even when there were no more SQL errors. It showed all  
errors in input as well. So I knew what my application had done. If your  
site traffic is not too high, I can only suggest that you run a  
"general" log also. You can empty it once in a while if it gets too big,  
and when some security issue presents itself, you can search the logs  
and see how it was done.
Of course, this can be expanded to not only database issues, but e-mail  
traffic and other applications as well. This is where your notion of  
context must come in.

So learn about security, from books, colleagues, web sites, AND your own  
applications. If something goes wrong, just find out and learn from the  
hackers themselves.

Good luck!
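One way to build the "log every SQL command along with the site input" wrapper this reply describes, as an added example that is not part of the original post; it assumes PHP 8 with PDO (the in-memory SQLite DSN is only so it runs offline, a MySQL DSN would be used in practice):

```php
<?php
// Added example, not from the thread: a PDO wrapper that records every statement
// with its bound parameters and the request input behind it, so the "general log"
// above can be searched later. Assumes PHP 8 (PDO throws on error by default) with
// pdo_sqlite; the in-memory DSN is only so it runs offline, use a MySQL DSN in practice.
final class LoggingDb
{
    private const REDACT = ['password', 'passwd', 'pw', 'token', 'secret'];
    public function __construct(private PDO $pdo, private string $logFile) {}
    // Run a prepared statement; log SQL, params, request input and outcome.
    public function run(string $sql, array $params = []): PDOStatement
    {
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);
            $this->log('ok', $sql, $params);
            return $stmt;
        } catch (PDOException $e) {
            $this->log('error: ' . $e->getMessage(), $sql, $params);
            throw $e; // the caller still sees the failure; it is just recorded first
        }
    }
    private function log(string $status, string $sql, array $params): void
    {
        $entry = [
            'time'   => date('c'),
            'ip'     => $_SERVER['REMOTE_ADDR'] ?? 'cli',
            'uri'    => $_SERVER['REQUEST_URI'] ?? 'cli',
            'input'  => self::redact($_GET + $_POST),  // what the site received
            'sql'    => $sql,
            'params' => self::redact($params),
            'status' => $status,
        ];
        // One JSON object per line: easy to grep, easy to truncate when it grows.
        file_put_contents($this->logFile, json_encode($entry) . PHP_EOL, FILE_APPEND | LOCK_EX);
    }
    // Credentials never reach disk even though everything else is logged.
    private static function redact(array $d): array
    {
        foreach (array_keys($d) as $k) {
            if (in_array(strtolower(ltrim((string) $k, ':')), self::REDACT, true)) $d[$k] = '[redacted]';
        }
        return $d;
    }
}

$db = new LoggingDb(new PDO('sqlite::memory:'), __DIR__ . '/sql.log');
$db->run('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)');
$db->run('INSERT INTO users (name, pw) VALUES (:name, :pw)', [':name' => 'lal', ':pw' => 'hunter2']);
try { $db->run('SELECT nam FROM users'); } catch (PDOException) {} // typo: error and SQL land in the log
```

After running it, sql.log holds three lines: the two successful statements (with the pw value shown as [redacted]) and the failed one with its error message, which is exactly what you search when something looks wrong.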

Re: volunteer

Peter Fox wrote:

One can hardly rely on programmers to write 100% secured--or for that
matter, functional--code. It's a good idea to have a second pair of
eyes to look for potential issues. The notion that someone would do
this for free is, of course, completely absurd. It's as though SQA is
not a real profession.

Re: volunteer

Thanks for all the great suggestions. What's a real profession? :-D If
free is the word to question professionalism, then php, mysql, and
many others will all be unprofessional? :-D Just a thought. Lol. Thanks
again, nice advice

Re: volunteer

Lal wrote:

Get a copy of Nessus:


and test your heart out automatically...  
