Msg#: 4276578 posted 2:23 pm on Mar 4, 2011 (gmt 0)
The more code I write the more I become concerned about security, lately I have been relying more and more on php and MySQL to display content and have more flexibility but this could lead to vulnerabilities.
What do you guys recommend to analyze my code or the security overall across sites?
I know there is skipfish but I wasn't able to run/install it.
I know I could just google code scanners, but I would like to get some recommendations from the community here first.
Msg#: 4276578 posted 5:06 pm on Mar 4, 2011 (gmt 0)
It's not as hard as it seems. "Keep what you want and throw everything else away" is a good place to start. Unfortunately this means a little more front end work - say, for an email form, you expect an email address and ordinary text for all input. So you can remove any character that is not in that set, and only accept input from fields you expect. The email address field requires a bit more attention, assuring there is only one and it's a valid email pattern.
For run of the mill email injections, before cleansing you might look for known injection patterns. This allows you to stop the script immediately to avoid annoying emails that are "safe" but still come through. There's lots of ways to do it but this is a good place to start.
Msg#: 4276578 posted 6:13 pm on Mar 8, 2011 (gmt 0)
Thanks rocknbil and sorry for the late reply.
I have looked around and found some tools but they all seem to be very difficult to implement, I'd say that the best one can do is do as you say, keep one eye open at all times and try to be one step ahead, I'll keep looking for better ways to check for wholes anyways, I could find one that I like down the road...