Managing X.509 certificates using PHP
2012-01-22
To generate, sign and verify certificates you need to have the OpenSSL module installed and provide a file with the OpenSSL configuration. Here is an example OpenSSL configuration file: [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes =...

Prevent hotlinking using mod rewrite
2010-09-06
Save your bandwidth and protect your content with simple mod_rewrite rules. Just create a .htaccess file in your website root directory and add the code below, edited to match your needs: Options +FollowSymLinks Options +Indexes RewriteEngine On RewriteCond %{HTTP_REFERER} !^$ #your domain name RewriteCond %{HTTP_REFERER} !domain.com #all file...

Secure login over HTTP
2010-09-01
It is important to keep passwords secure by storing a hash of the password in the database or in $_SESSION variables, so that if anybody gets to those, they still can't easily learn what your password is. But it doesn't matter how secure you make it on the server side if everything can be seen on the user side. What I mean is, if a user is logging in...

Making database backup and storing it in file
2010-08-03
Here are two useful functions: one makes a backup of the specified database and stores it in a file, the other restores the database from a backup file made by the first function. <?php //backup function to create database backup files //$con - database connection //$db - database name //$path - path where to save backup file //$sep - custom separator...

PHP easter eggs
2010-08-03
There is an easter egg in the PHP configuration that also allows you to detect a possible vulnerability. Inside the PHP source, within php-source/ext/standard/info.h (lines 53 to 56), there are 4 lines of code defining PHP logos like this: <?php #define PHP_LOGO_GUID "PHPE9568F34-D428-11d2-A769-00AA001ACF42" #define PHP_EGG_LOGO_GUID...

Strip slashes based on magic_quotes settings
2010-07-30
Here is a function that checks magic_quotes and then strips slashes in your text accordingly. It can be used to clean text before using mysql_real_escape_string if you can't disable magic_quotes, or just to clean text after taking it out of the database: <?php function strip($val) { if (TRUE ==...

Emulate register_globals off
2010-07-30
Here is a function that emulates register_globals off. If you can't disable it yourself, you can call this function at the beginning of the script: <?php // Emulate register_globals off function unregister_GLOBALS() { if (!ini_get('register_globals')) { return; } // Might want to change this perhaps to a...

Don't use index.php or index.html
2010-07-27
Don't use index.php or other common file names like home.php or welcome.php to access your site. Of course it depends on your server security, but there are many scripts that search for files with these names and try to delete them. It is much better to give the file a custom name, maybe depending on your site name. And then to make it...

PHP configuration
2010-07-20
You can view your PHP configuration using the phpinfo() function, but never leave it where others could access it, because the PHP configuration contains information that hackers might find useful. So use it, but only where you alone can access it. The first thing to do is to turn register_globals off. It is already done in the latest PHP versions, but it...

Session security - fixation and hijacking
2010-06-19
There are a couple of things you need to keep in mind when dealing with sessions. Of course you can store session data in the database with your own identifiers and prevent it from being hijacked. But if you choose to use $_SESSION variables, then the first thing to keep in mind is that all sessions are saved in files in plain text, so it is possible to view...

Creating your own CAPTCHA
2010-05-15
To create your own CAPTCHA you need to create a file that will generate the CAPTCHA image; let's call it img.php. Then put this content inside it: <?php session_start(); // function to create random pixels function imageset9pixel($image,$x,$y,$color){ for($i=$x-1;$i<$x+1;$i++){ ...

How to stop bots, antibot practices
2010-04-19
The simplest way is to create an input in the form and hide it using CSS. Because no human can see it, it should always be empty. Lazy bots that fill forms usually fill all fields, so you can just check whether the hidden input is filled; if it is, it must be a bot. A bit more complex, but also more secure, is to create a CAPTCHA...

Preventing SQL Injections and Cross-Site Scripting
2010-04-19
To secure your site from SQL Injections and Cross-Site Scripting you must validate every user input field. And don't forget about the URL address: you must verify $_GET data, too. There is a simple way to do this without checking every user input separately. You can do it all with this function: <?php //$arr array to be checked, $html -...