Questions tagged [php]

Security aspects concerning code written in the programming language PHP, which is often used for web applications.

1592 questions
163 votes, 2 answers

I found unknown PHP code on my server. How do I de-obfuscate the code?

We've been getting a lot of noise regarding hacked PHP files here, and it's taking a lot of time to answer these questions. In many cases, they are off-topic. We've had a discussion about this on Information Security Meta, and many people want these…
Mark Buffalo
143 votes, 9 answers

Hosting company advised us to avoid PHP for security reasons. Are they right?

I'm doing a redesign for a client who's understandably concerned about security after having been hacked in the past. I had initially suggested using a simple PHP include for header and footer templates and a contact form they wanted. They are…
Yumecosmos
120 votes, 11 answers

Hacker used picture upload to get PHP code into my site

I'm working on a website — right now it's in early stages of testing, not yet launched and just has test data - thank goodness. First of all, a hacker figured out the password to log onto the website's 'administration' pages*. I think they used a key…
Williamz902
97 votes, 7 answers

How does hacking work?

I am specifically talking about web servers, running Unix. I have always been curious about how hackers get the entry point. I mean I don't see how a hacker can hack into the webpage when the only entry method they have into the server is a URL. I must…
user7360
73 votes, 5 answers

Found suspicious, obfuscated PHP file. Is this a hack attempt on my website?

I just noticed that the top line of my index.php file got changed to what's below.
Scott
62 votes, 6 answers

How to Securely Implement a "Remember Me" Feature?

Assuming you already have a website that implements all of the standard login stuff, what is the correct and most secure way to allow users to automatically be logged in for a certain time period (let's say 30 days)? This time period should be…
colithium
59 votes, 6 answers

Should I obscure database primary keys (IDs) in application front end?

I'm working on an application which allows a moderator to edit a user's information. So, at the moment, I have URLs like http://www.example.com/user/1/edit, http://www.example.com/user/2/edit. I'm a bit worried here, as I'm directly exposing the…
51 votes, 3 answers

Security Review - password_hash implementation for PHP

I'm currently working on a "helper function" for PHP's core to make password hashing more secure and easier for the majority of developers. Basically, the goal is to make it so easy, that it's harder to invent your own implementation than to use the…
ircmaxell
51 votes, 9 answers

Is it bad practice to use GET method as login username/password for administrators?

I work on web applications and as you know, having an administrator panel is a must in most cases. We can see that a lot of web applications have a specific login page for administrators in which there is a form (usually POST method) that admins can…
Amirreza Nasiri
50 votes, 6 answers

Should I be concerned if my website throws stack information?

I have a simple login form on my web page and the URL looks like this: example.com/signup/signup.php?q=1 If I try something like this: example.com/signup/signup.php?q=1&() I'm redirected to a stack dump that looks something like this: exception…
Kevin
50 votes, 4 answers

How to approach replacing md5 for transporting Unity game data to a remote server

TL;DR I am working on a gaming system that uses UnityScript and C# on the client and PHP on the server. An MD5 hash of the data plus a shared secret is used to check that the data has not been modified in transit. Is MD5 good enough for this? What…
Martin
47 votes, 4 answers

How do you know your server has been compromised?

I recently helped a client who had their server hacked. The hackers added some PHP code into the header of the homepage redirecting the user to a porn website — but only if they came from Google. This made it slightly harder for the client to spot.…
Boz
47 votes, 3 answers

Security implications of stolen .git/objects/ files

As a security in-charge, I just noticed that one of our production web apps was attacked by some hackers. The attacker accessed the .git/objects/ files. I already modified .htaccess to make .git and its content inaccessible. The attacker may get…
47 votes, 5 answers

Password security in databases - today still best practice?

Possible Duplicate: Which password hashing method should I use? There are a ton of great posts about password security in databases on Stack Overflow and on other sites, and as I am completely new to this I spent quite some hours trying to learn…
Chris
45 votes, 2 answers

Risks of a PHP image upload form

My client wants a photography site where users can upload their photos in response to photography competitions. Though technically this isn't a problem, I want to know the risks associated with allowing any user to upload any image onto my server.…
Starkers