This is a discussion on volunteer within the PHP Language forums, part of the PHP Programming Forums category; Any volunteer to test a PHP+MySQL based website's vulnerability? Thanks, Lal...
Following on from Lal's message. . .
> Any volunteer to test a PHP+MySQL based website's vulnerability?
>
> Thanks, Lal

You're right to be concerned but going about it the wrong way.

*You* need to be the one dealing with the security. *You* need to _understand_ the threats before you can deal with them. There are plenty of on-line resources on PHP/MySQL and security to deal with the protection /mechanisms/ ...

...but only you can understand the /context/ in order to build a security model. Only you can list the bad things that could happen in order to deal with them in depth.

--
PETER FOX Not the same since the submarine business went under
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Peter Fox wrote:
> . . .
> *You* need to be the one dealing with the security. *You* need to
> _understand_ the threats before you can deal with them. There are
> plenty of on-line resources on PHP/MySQL and security to deal with the
> protection /mechanisms/ ...
> ...but only you can understand the /context/ in order to build a
> security model. Only you can list the bad things that could happen in
> order to deal with them in depth.

Well, yes. You are right. The problem with security is, however, that there is bound to be a hacker that understands more than you do.

So let me add one thing to the above (as you should take a really good interest in security): Know What You Are Doing.

I don't mean as a programmer. You, as a programmer, don't do unexpected things, like giving passwords away or sending unwanted emails. Your application does. So I am really saying this to your application: Know What You Are Doing.

As a programmer, I want to know when things go wrong. Things that go wrong are usually my fault or at least my responsibility, so I want to know. Therefore I log errors.

For one of my last applications (which was thrown over the wall after being set up without any documentation), I had so many things to deal with that I enhanced my database class to just log all SQL commands, along with the site input. Not only the bad commands. I found this a great help, even when there were no more SQL errors. It showed all errors in input as well. So I knew what my application had done.

If your site traffic is not too high, I can only suggest that you run a "general" log also. You can empty it once in a while if it gets too big, and when some security issue presents itself, you can search the logs and see how it was done.

Of course, this can be expanded to not only database issues, but e-mail traffic and other applications as well. This is where your notion of context must come in.

So learn about security, from books, colleagues, web sites, AND your own applications. If something goes wrong, just find out and learn from the hackers themselves.

Good luck!
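The "log every SQL command together with the site input" approach that the reply above describes, as an added example that is not code from the thread or from any poster: a small PDO wrapper that writes one JSON line per statement (request, input, SQL, bound parameters, outcome) to an append-only audit file, succeeding or not. The class name `AuditedDb`, the log path, the DSN and the list of redacted key names are assumptions; the redaction step is there because a log that captures raw form input would otherwise store submitted passwords in plain text.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Logs every SQL statement
// with the request input that triggered it, as the post above suggests.
// LOG_FILE and REDACT_KEYS are assumed values; adjust for your deployment.
const LOG_FILE    = '/var/log/app/sql-audit.log';          // assumed path
const REDACT_KEYS = ['password', 'passwd', 'token', 'secret'];

final class AuditedDb
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]);
    }

    /** Run a prepared statement and log it whether or not it succeeds. */
    public function run(string $sql, array $params = []): PDOStatement
    {
        $entry = [
            'ts'     => date(DATE_ATOM),
            'ip'     => $_SERVER['REMOTE_ADDR'] ?? 'cli',
            'uri'    => $_SERVER['REQUEST_URI'] ?? '',
            'input'  => self::redact(array_merge($_GET, $_POST)), // site input
            'sql'    => $sql,
            'params' => self::redact($params),
        ];
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);
            $entry['status'] = 'ok';
            $entry['rows']   = $stmt->rowCount();
            return $stmt;
        } catch (PDOException $e) {
            // Failed statements are the interesting ones, but good ones are
            // logged too: the post's point is knowing what the app did.
            $entry['status'] = 'error';
            $entry['error']  = $e->getMessage();
            throw $e;
        } finally {
            self::write($entry);
        }
    }

    /** Mask values whose key looks like a credential before they hit disk. */
    private static function redact(array $data): array
    {
        foreach ($data as $k => $v) {
            if (is_array($v)) {
                $data[$k] = self::redact($v);
            } elseif (in_array(strtolower((string) $k), REDACT_KEYS, true)) {
                $data[$k] = '[REDACTED]';
            }
        }
        return $data;
    }

    /** One JSON object per line; LOCK_EX keeps concurrent requests from interleaving. */
    private static function write(array $entry): void
    {
        $flags = JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE;
        $line  = json_encode($entry, $flags) . PHP_EOL;
        file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    }
}

// Usage (assumed DSN and credentials):
// $db   = new AuditedDb('mysql:host=localhost;dbname=app', 'app', 'db-password');
// $stmt = $db->run('SELECT id FROM users WHERE email = :email',
//                  [':email' => $_POST['email'] ?? '']);
```

Because each line is a self-contained JSON object, the file can be searched after an incident with `grep` or `jq` (by IP, URI, or a fragment of SQL), and it can be rotated or emptied with the usual log-rotation tooling when it grows, as the post recommends. The log records what the application actually sent to the database, so unexpected input shows up as an odd-looking `params` or `input` field even when the statement itself succeeded.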
Peter Fox wrote:
> You're right to be concerned but going about it the wrong way.
>
> *You* need to be the one dealing with the security. *You* need to
> _understand_ the threats before you can deal with them. There are
> plenty of on-line resources on PHP/MySQL and security to deal with the
> protection /mechanisms/ ...
> ...but only you can understand the /context/ in order to build a
> security model. Only you can list the bad things that could happen in
> order to deal with them in depth.

One can hardly rely on programmers to write 100% secured--or for that matter, functional--code. It's a good idea to have a second pair of eyes to look for potential issues. The notion that someone would do this for free is, of course, completely absurd. It's as though SQA is not a real profession.
Lal wrote:
> Any volunteer to test a PHP+MySQL based website's vulnerability?

Get a copy of Nessus: http://www.nessus.org/ and test your heart out automatically...

Cheers,
NC