A recent article on Hardened-PHP points out a couple of errors in the PHP Security Consortium's PHP Security Guide, followed by a rant about the usefulness of the PHP Security Consortium in general:
While the guide contains a few recommendations that are either unrealistic in shared environments or fill admins with terror, like putting database credentials into environment variables, which is obviously not a good idea with thousands of open phpinfo() scripts, there are also at least two security bugs in their recommended practices.
Before continuing, it should be mentioned that these bugs were disclosed to at least 5 (if not 6) members of the PHP Security Consortium during the last 2-3 months (and nothing has changed, yet).
The specific errors that were mentioned are in the process of being fixed, and a very complete section on using a database to store session data is promised for an upcoming release.
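The environment-variable remark above is the one concrete technical point in the exchange, so here is an added example (not code from the Hardened-PHP article or from the PHP Security Guide it criticises) contrasting that practice with one that keeps credentials out of anything phpinfo() prints, plus two checks an admin can run. The file path /etc/myapp/db.ini, the variable names DB_USER/DB_PASSWORD, and the name-matching patterns are assumptions for illustration:

```php
<?php
// Added example (not from the Hardened-PHP article or the PHP Security Guide).
// Contrast: database credentials exposed through the environment vs. loaded
// from a file outside the document root. Paths and variable names are assumed.

// --- Weak pattern -----------------------------------------------------------
// If the web server injects credentials into the environment, e.g. in an
// Apache vhost:   SetEnv DB_PASSWORD "s3cret"
// then they appear in $_SERVER / getenv(), and any reachable phpinfo() page
// prints them verbatim in its "Environment" and "PHP Variables" sections.
function weakCredentials(): array
{
    return [
        'user' => getenv('DB_USER'),
        'pass' => getenv('DB_PASSWORD'),
    ];
}

// --- Safer pattern ----------------------------------------------------------
// Keep credentials in an INI file outside the document root, readable only by
// the web server user (assumed: mode 0640, owned by root and the server group),
// and parse it at request time. phpinfo() never shows it because the values are
// not in the environment or in any superglobal.
function loadCredentials(string $path = '/etc/myapp/db.ini'): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("credential file not readable: $path");
    }
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['user'], $cfg['pass'])) {
        throw new RuntimeException("credential file malformed: $path");
    }
    return ['user' => $cfg['user'], 'pass' => $cfg['pass']];
}

// --- Defensive checks -------------------------------------------------------
// 1. Report credential-looking names present in the environment, i.e. values a
//    forgotten phpinfo() script on this host would disclose. Patterns are assumed.
function leakedEnvNames(array $env, array $patterns = ['/PASS/i', '/SECRET/i', '/TOKEN/i', '/DSN/i']): array
{
    $hits = [];
    foreach ($env as $name => $value) {
        foreach ($patterns as $re) {
            if (preg_match($re, (string) $name)) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

// 2. Confirm phpinfo() is disabled in php.ini (disable_functions = phpinfo),
//    which closes the disclosure path even where a stray script remains.
function phpinfoDisabled(): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array('phpinfo', $disabled, true) || !function_exists('phpinfo');
}

// Example run (CLI): report what a phpinfo() page on this host would expose.
$leaks = leakedEnvNames($_SERVER + $_ENV);
echo $leaks ? 'environment exposes: ' . implode(', ', $leaks) . PHP_EOL
            : 'no credential-like environment variables' . PHP_EOL;
echo phpinfoDisabled() ? 'phpinfo() disabled' . PHP_EOL : 'phpinfo() enabled' . PHP_EOL;
```

Run it from the command line as the web server user to see the same environment the PHP interpreter would hand to a phpinfo() page; on a shared host the second check is the one that matters, since an admin cannot audit every tenant's scripts but can disable phpinfo() globally.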