Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I'm writing a little website (webapp) in php+codeigniter, I'd really like to make it open source (to attract collaborators and to have a free VCS hosting).
Is that a good practice?
This mine security?
Which are the best tools to change important data before uploading? (like config files with db names and passwords used for testing etc..)
Is that a good practice? Will this mine security?
Yes, it can be a good practice. If your project is interesting and you think that is has potential for attracting contributors, and you are comfortable with your source code not being "your ownership", then this is a good move.
It has benefits, but of course it has its drawbacks. You'll get new ideas, you can learn much, you will have someone to talk to about the project and ideas, and with a bit of luck you can create a great team. You won't be alone doing the work. Your project may grow, and become important.
Any drawbacks? Well, the fact, as I mentioned, that your code is not your own property anymore. Then the fact that you will be forced to confrontation, and sometimes to arguments among the contributors: you will start a community, with all the related challenges. I think it is worth it, anyway. Then, for example, security. In the medium term, if you have contributors, your security will increase for sure, because more people will be looking at the code and can spot problems, and fix them. In the short term however, someone malicious may look into it and find a weak spot and use it. So you should have your code reviewed by some contributors first, with a private disclosure, before going fully open source.
Which are the best tools to change important data before uploading?
You should put all the important data into a single configuration file, which is client-dependent, and distribute a template for it. If this file is called "config.php", then EXCLUDE this file from the distribution, and distribute a "config-dist.php" file, with example values: at first installation, the user will fill the data, and they will stay there even if you update.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 months ago.
Improve this question
I'm trying to offer to the users (will be open to the internet, anyone can register) a WYSYWIG editor where users can input BLADE code to code their pages.
I want to provide them with the ability to create small functions to parse arrays/strings so I saw the #php tag of Blade useful for this.
My question: I can't find anywhere if this is like a sandboxed environment where only certain "safe" functions can be run or if this is more like an eval() and thus allowing people to basically inject PHP code to destroy the server and/or pull sensitive content?
I tried testing running basic commands with blade, but I would like a professional opinion on whether it's a bad idea regarding security (like, know exploits or other performance issues)
Thank you
Having a WYSIWIG open to the public on it's own has it's own challenges, because you will have to look into sanitizing the input/output otherwise you'll be opening yourself up to XSS attacks.
Allowing PHP code as well is obviously going to have lots of security risks, I wouldn't advise it personally - but it is technically possible. There are other online php sandbox editiors available, how exactly they secure themselves is beyond me. There are a lot of clever tricks that can be done, trying to whitelist or blacklist functions you deem as safe/unsafe is probably the way to go - but I still personally wouldn't feel comfortable implementing something like that. You may think you've covered all possible attacks, but it only takes one that bypasses what you've setup to essentially take over your server.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I am considering redoing my WordPress website by rewriting myself to get something a little lighter weight. The only problem I see myself getting into is rewriting my WooCommerce section. I certainly don't want anyone getting in danger. I will only be using Paypal but we still have to collect shipping information.
Is it too much of a security risk to write my own online store?
Simple answer: Unless you are an expert, it is generally too risky to write your own anything. Well, you can write stuff, just don't use it or publish it for others to use unless you're damn sure it's secure. Since you're asking, I'm going to assume you're not an expert.
The only problem I see myself getting into is rewriting my WooCommerce section. I certainly don't want anyone getting in danger. I will only be using Paypal but we still have to collect shipping information. Any thoughts?
I can't speak to the security features of WooCommerce, as I've never audited a WooCommerce project as of this writing.
Unless you can do it better than what's available, use what's available. They might have prevented vulnerabilities that you would never even have thought could exist.
However, if you're doing it for your own educational purposes, please do experiment with your own solutions. You might find a better way to implement a feature than what already exists and possibly not realize it.
As long as you make it plain and clear that the code is experimental, and you don't actually deploy it to a production system without getting examined by a security expert, the "don't write your own" advice can be ignored.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 1 year ago.
Improve this question
For a new project of mine, I want to protect my code. I've already searched this and other forums, but most topics were a few years old and software can change.
I know that the "big three" are ZendGuard, ionCube and SourceGuardian. Now while Zend has a fairly good reputation for being secure, it is too expensive for my needs, so I'm left with ionCube and SourceGuardian. I did some research to determine how secure each product is and I came across freelancer.com, where people hire other people to decrypt and deobfuscate their source code. I've found relatively many ionCube adverts -- also some with the most recent version of the ionCube encoder. On the other hand, the SourceGuardian projects that I found were all encrypted using older versions of the software. Zend's product seems to be the safest, since I didn't really find anything.
Since I don't want to waste a few hundred dollars on a product that only makes my code harder to read, I wanted to know: what is your opinion on the security of PHP encoding software and which of the products do you deem the best?
Ioncube and dynamic keys. Protect as many functions as you can in all your PHP files with different keygen() functions. I know people that decode a single PHP file for 30$ if the file contains one or two keygen() functions. If your file contains more keygens the price changes.
My project contains 1000 PHP files with 8 protected functions on average in each file and the license check is present practically in every file. Only 15% drop in performance.
1000 files x $30 x 4 = $120,000
The cost for cracking/decoding is bigger than the cost of the software itself.
Plus, a skilled programmer may need 2 to 5 hours to figure out the logic of a single keygen.
If you want to "protect" your code, you have 3 options:
Don't make your code public. Simple enough, if your PHP code isn't public, no one can see it or mess with it.
Make your code public, and abandon "protecting" your code (What's called an "Open Source Project").
Don't use PHP. Use some sort of other compiled language, like Java or C.
Those are the options you get. Any obfocuser and be deobfocused when enough time, effort and persistence is given to it. Plus, one small mistake and you'll never be able to read your code again.
I think if you really want to protect your code, you need to find better ways than code obfuscator, Encoder of any type or whatever make your code more difficult to read. The best deal is to manage well who has the access to your code, and make a good contract with all parts envolved in the project.
Take a look at my question some time ago -> https://softwareengineering.stackexchange.com/questions/29496/open-source-php-encoder
and this another question
Can you "compile" PHP code?
I think it will head you in your decisions about buy some software that promisses the impossible.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 6 years ago.
Improve this question
I'm writing the documentation for a WordPress theme project that I've been working on for a long time. The theme is usable and stable enough for release. I'm releasing it, plus its documentation and tutorials for free but am charging for support/customization. However, there are some issues with the code (optimization, mostly) that I've been unable to resolve after months of trying. While I've learned a lot about PHP while doing this project, I'm still a novice and I want people to know that I'm aware that my code has these specific issues, and that with support (via donations or them purchasing support from me), I might be able to hire someone in the future to fix these problems.
My question is, should I include a disclaimer that basically states what I just said above in the documentation? So that people are aware right from the start that while my product is usable and I'm confident in it, it still has these known issues that were beyond my skill level to fix? Non-coders would probably not notice the issues much, but more advanced people in the community may...
...or would it be best to not mention the known issues or my novice skill level at all, and wait to see if people bring them up?
We have a standard 'Known Issues' section in our release documentation. I'd say yes.
If you were going to invest money or time in a new acquisition, would you want to know about its limitations? Probably, so make that information available. You might lose one or two potential users who consider the known issues showstoppers, but they're people who would have got frustrated when they discovered the issues anyway.
Yes, it's always good to have a known issues section; if nothing else, to keep your inbox empty of the same emails complaining about the same bugs you already know about.
In my opinion, you should just list all of these issues/bugs and state that you are currently trying to fix them. You don't want to be bombarded with e-mails of issues you already know about.
would it be best to not mention the known issues or my novice skill level at all, and wait to see if people bring them up?
I can bet they will come up. Don't think that they will not come across these issues. Better to publish the known issues. It should have sections one is things to avoid and then if the user does that, what the user should do to come out of it. If I am paying for any software I would certainly like to know what are the limitations first.
Definitely Yes! A well-informed user is better than a frustrated one!
Treat your customer the way that you would want to be treated.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 months ago.
Improve this question
I know all the security issues. SQL injection, XSS issues, SSL, session hijacking , I have read security books etc. But yet, I feel that a backroom boy laugh me !
I want to hack my site ethically before backroom boy did this illegally?. From Where I can start? How can I make sure that I use security preventions correctly?
Thanks
Is this a trick question or something? Like, "Where's the beginning of a perfect ring?"
You say that you know the issues which you need to worry about. Write everyone that comes to mind into a list. Analyze that list, determine some priority order and get to it! If you know the issues, you should know ways to attack those issues.
I did find this decent looking article, which may very well provide you exactly what you're asking:
http://goodfellas.shellcode.com.ar/docz/web/php-fuzzing.pdf
What I was looking for is PHP Fuzzer, to add another layer of testing.
Found this list:
http://www.infosecinstitute.com/blog/2005/12/fuzzers-ultimate-list.html
At this page, which explains fuzzing a bit, hence its appearance here:
http://www.owasp.org/index.php/Fuzzing
If you can hack your site, it's a bad thing. The only real gotcha is probably CSRF. Aside from that, you might want to setup TLS or something to secure against man in the middle attacks. Since you seem to know about input sanitization, I'd assume you don't have to worry about abuse of things like eval, include (or anything else that opens a file), system, etc.