Php

PHP Security Consortium: PHPSecInfo Test Details - allow_url_fopen

Test Description: This test checks to see if allow_url_fopen is enabled.

Security Implications: If enabled, allow_url_fopen lets PHP's file functions -- such as file_get_contents() and the include and require statements -- retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

PhpMyAdmin.

Powerful component based mailing library for PHP – Swift Mailer.

PHP Configuration Directives

By Darrell Brogdon, 02/15/2001. In a previous article, I gave an overview of what the php.ini file is and how you might use it. Now let's get into detail on some of the more useful directives and learn how to use them.

output_buffering: One of the newest (and greatest) features of PHP is the ability to send header lines anywhere within a script. This directive turns on output buffering for all files.

implicit_flush: This directive is used mainly for debugging purposes because of its performance cost.

Framework: Documentation: Zend_Acl - Zend Framework Manual. eAccelerator. APC. The PHP Extension Community Library. Planet PHP. Security. PHP Video Tutorials For Web Designers - KillerPHP.com.

Sending emails in PHP & email injection attacks

PHP's inbuilt mail() function provides very limited mail functionality. Although it's easy to send text emails, that's pretty much the only thing you can do with it. If you need extended functionality like HTML emails or attachments, you can always go through a couple of hundred pages of mail specifications at IETF. Or you can stop trying to reinvent the wheel and use existing PHP mail libraries. Two such excellent libraries are PHPMailer and Swift Mailer. PHPMailer has been around for a long time and is definitely more popular and well known, but its development seems to have petered out. Swift Mailer, on the other hand, is relatively new and is more actively developed.

PHPMailer offers no protection against header injections. Swift Mailer, by contrast, encodes characters outside the 7-bit printable ASCII range into a 7-bit format, making them incapable of affecting the header structure. So I guess that this is another reason for choosing Swift Mailer.

Email injection or mail form spamming:
    $from = "sender@anotherdomain.xxx Cc:victim@domain2.xxx";

PHP DevCenter. PHP Tutorials Examples phPro - Tutorials Articles Examples Development. CodeDiesel : PHP and MySQL Journal : Articles and ideas related to php and mysql development.

PHP Freaks Forums - Index.

Description of core php.ini directives

Here's a short explanation of the configuration directives.

include_path string: Specifies a list of directories where the require, include, fopen(), file(), readfile() and file_get_contents() functions look for files. The format is like the system's PATH environment variable: a list of directories separated with a colon in Unix or a semicolon in Windows. PHP considers each entry in the include path separately when looking for files to include. It will check the first path, and if it doesn't find the file there, check the next path, until it either locates the included file or returns with a warning or an error.

Example #1 Unix include_path
    include_path=".

Example #2 Windows include_path
    include_path=".

Using a . in the include path allows for relative includes, as it means the current directory.

Hardening PHP from php.ini

PHP's default configuration file, php.ini (usually found in /etc/php.ini on most Linux systems), contains a host of functionality that can be used to help secure your web applications. Unfortunately many PHP users and administrators are unfamiliar with the various options that are available in php.ini and leave the file in its stock configuration. By utilizing a few of the security-related options in the configuration file you can greatly strengthen the security posture of web applications running on your server.

Safe Mode: PHP safe mode is a comprehensive "attempt to solve the shared server security problem" that includes many useful features. Safe mode will also restrict executables that may be run by scripts in the same way it restricts file and directory access. To enable safe mode, alter (or add) the safe mode directive in the php.ini to:

PhpUserGroups.org. New York PHP Community Meetup and User Group. New York PHP User Group Community. PHP Manual.

Xcache

Summary « TUTORIAL. PHP Help, PHP Code - Codewalkers.com.