
Php security expert needed

Discussion in 'Services' started by TheWebJunkie, Mar 15, 2005.

  1. #1
    Hello guys, I am looking for a PHP security expert. I know this is probably the wrong place to post this, but I know for a fact a lot more people will view it here than if I post it in the "buy/sell/trade/" section.

    I need someone to look through my script and make sure it's all secure, unhackable and not exploitable.

    If you're up to the job, please PM me.
     
    TheWebJunkie, Mar 15, 2005 IP
  2. carowan

    #2
    I have been thinking along these lines as well.

    Is there a site that has some newbie PHP security info? I want to make sure that my new forum doesn't get hacked.
     
    carowan, Mar 15, 2005 IP
  3. Bernard

    #3
    Bernard, Mar 15, 2005 IP
  4. nullbit

    #4
    A few tips:

    Don't trust user input - especially when used in SQL queries. The most common exploits are SQL injections. Always quote variables in queries (even if they don't need to be), use mysql_escape_string, and cast variables to whatever the variable type _should_ be (e.g. $int_for_db = (int)$var;).

    Don't use super globals - this is only a problem if you're running an old version of php, or have enabled them in php.ini

    Don't include files based on user assigned variables - this can be done safely, but it's easier to just avoid it completely.

    Patch your system, and lock it down with a firewall - More general security advice, but most hacks are from exploits released in the wild targeting unpatched systems. Also, you should disable _all_ unused services, or at least block them on the public interface using iptables (or on an IIS server, whatever firewall is available)

    The most important point is not to trust the users, please assume all users are malicious, and want to 0wn you.
     
    nullbit, Mar 15, 2005 IP
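
An added example, not part of nullbit's post or of any code in this thread, showing the first and third tips in PHP. It swaps in PDO prepared statements for mysql_escape_string (removed together with the mysql extension in PHP 7.0) and assumes the pdo_sqlite extension is available; the posts table, the page map and the sample inputs are constructed.

```php
<?php
// Added illustration; table, page names and sample inputs are constructed.

// Tip 1: validate the expected type, then bind the value instead of building SQL text.
function findPost(PDO $db, $rawId): ?array
{
    // filter_var rejects "2 OR 1=1" outright; a bare (int) cast would silently turn it into 2.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL grammar entirely.
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Tip 3: never build an include path from input; look it up in a fixed allowlist.
function resolvePage($rawPage): string
{
    $pages = [
        'home'  => 'pages/home.php',
        'about' => 'pages/about.php',
    ];
    // Anything that is not an exact key falls back to the default page.
    return (is_string($rawPage) && isset($pages[$rawPage])) ? $pages[$rawPage] : $pages['home'];
}

// In-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (title) VALUES ('Welcome'), ('Forum rules')");

// Constructed request values, standing in for $_GET['id'] and $_GET['page'].
foreach (['2', '2 OR 1=1', '-5'] as $rawId) {
    $row = findPost($db, $rawId);
    printf("id=%-12s -> %s\n", var_export($rawId, true), $row ? $row['title'] : 'rejected');
}
foreach (['about', '../../etc/passwd'] as $rawPage) {
    printf("page=%-20s -> %s\n", var_export($rawPage, true), resolvePage($rawPage));
}
```
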
  5. J.D.

    #5
    Guys, this info is great, but he's looking for an audit, not advice (correct me if I'm wrong, TheWebJunkie).

    J.D.
     
    J.D., Mar 15, 2005 IP
  6. noppid

    #6
    Can you post your code? You want this private?

    I've got plenty of PHP forms that I wrote and rewrote for other folks. My forms have been fine. The other folks had kiddie scripters playing havoc on 'em. That no longer happens. ;)

    The poster above laid it out pretty good for ya.

    How many lines of code and how many form and URL variables we talking? Holler if I can help.
     
    noppid, Mar 15, 2005 IP
  7. nullbit

    #7
    WebJunkie, I would advise you to not post your scripts. If they do contain exploitable code, posting on a public forum is _not_ a good idea.
     
    nullbit, Mar 15, 2005 IP
  8. TheWebJunkie

    #8
    Don't worry, I won't be posting my code at all.
     
    TheWebJunkie, Mar 15, 2005 IP
  9. noppid

    #9
    What was your point then?
     
    noppid, Mar 15, 2005 IP
  10. J.D.

    #10
    Just like the man said, he's looking for an audit. That is, if you consider yourself a security expert and want to make a few bucks, PM him. If you agree on details, he will ship you the code in a secure way :D

    J.D.
     
    J.D., Mar 15, 2005 IP
  11. dbtech

    #11
    Hey, I am one of the members of a Computer Development and Security Company. Deadbolt Computer Technologies offers various services in the field of computer security, some of which are:

    Web Site Security Assessment
    Web Server Security Assessment
    Home and Office Computer Security Assessment
    E-commerce Security Testing
    Computer Security Consultation
    Web application Security Consultation
    Security Seminars/Lectures
    Pen testing

    Our staff includes very famous and well known experts. We have worked with companies such as Symantec, Trend-Micro, Cnet (dw.com.com) and helped them solve security issues on their websites. Our client list also includes Rentacoder.com, which is one of the leading freelance software websites.

    We guarantee that you will not have to pay anything unless we find vulnerabilities on your website.

    Our services include remote auditing without source code and source code auditing. We are skilled in many languages such as Php, Asp, Perl, Vb, C, C++, Html, Javascript etc.

    I personally am currently authoring a book on php security.
     
    dbtech, May 20, 2005 IP
  12. jlawrence

    #12
    First, start with your server - is that as secure as it can be ??
    It doesn't matter a toss if your script is secure if the underlying server isn't.
    I don't specialize in security, so I'm not the best person to carry out a security audit. But last time I paid for one to be done, it cost a quite considerable amount.
    As I said above, your actual script is only part of the equation. You need to take everything into account.

    Also, If you're on a shared hosting service you need to audit every other site on that server.
     
    jlawrence, May 21, 2005 IP
  13. dbtech

    #13
    Consider http://www.dbtech.org, some of the most experienced experts work there. They have worked with Symantec, Microsoft, Cnet, Rentacoder etc etc
     
    dbtech, Aug 1, 2005 IP
  14. J.D.

    #14
    Seems like an ordinary small-size company that doesn't have much experience. Their security tips are lame, just as their online tools or the Papers section. There's nothing on the website that would indicate that they know what they are doing.

    J.D.
     
    J.D., Aug 1, 2005 IP
  15. celecn

    #15
    Dear Sir,
    The main security issues in a PHP web application should be SQL injection and XSS attacks. You should correct the PHP script, as well as change the server settings.

    I am a full-time developer from China who specializes in C++/C# and web site development (ASP.NET & PHP), and am very familiar with the Windows, Windows Mobile, iPhone and Linux platforms. Once I start work, I will keep you posted with a daily summary reporting work progress. I can also help you with server clustering and software localization, including Simplified Chinese and Traditional Chinese, etc. Look forward to working with you! For more detailed info about my profile, please contact me at celecn AT gmail DOT com!

    Thanks,
    David
     
    celecn, Jul 22, 2008 IP