Hi all,
I would deeply appreciate some advice on the following problems. At the moment I am working on a mailing application in PHP for mailing groups of people using addresses stored in a MySQL database. The basic application now finally works after quite a few mistakes and lots of research into the inner workings of the mail function. I am now confronted with the problem of making the application secure and more comfortable to maintain, i.e. adding functionality to edit users in the database etc. Specifically I would appreciate it if you could give me advice on the following topics:
1) Security: we are busy trying to install PHP 4.0.3pl1 with the MySQL, IMAP and mcrypt libraries, but have not succeeded as yet because PHP does not find lib-mcrypt.so. We have tried copying the contents of the folder /usr/lib/libmcrypt/ to /usr/lib/ as suggested in various forums, but are having no luck there. (Do you need the Apache version?)
Apart from this, I was wondering what the best strategy is toward security? I have arrived at the idea that a mixed strategy of user authentication to the site, plus using encryption for passing passwords to a MySQL password-protected database, with most of the PHP logic being included from files outside the server root, is the most secure approach. Is this overkill, i.e. too much, or is it ineffectual? Could you advise me here?
2) Sessions: Up to now the application was implemented in PHP 3 and I would like to move to PHP 4 and use sessions for increased security and to make the passing of variables to following pages less dependent on what is passed back from the HTML form via POST or GET. I have been reading up on user forums at www.php.net and www.phpbuilder.com on sessions and there seems to be a general lack of reliability with sessions, particularly with respect to the following areas:
session configuration: What exactly should one configure in PHP to enable sessions? enable_track_vars, globals? There is also the option of using transparent session IDs that are not shown in the URL, but from what I understand one must use the GET method to pass session IDs back to PHP, and one should include <?php_something_here.php?.SID?> in the link, or else the session ID is not passed back to the application. Could you clarify these points for me?
session temporary files: there seems to be a bug in sessions where temp files stored in /tmp/ are not deleted once the session has ended. I understand Christian, who has been working on my project, has had the same problem.
sessions only working some of the time: There also seems to be a bug where sessions sometimes stop working, i.e. variables sometimes just stop existing across requests. Have you heard anything about this?
PHP resetting form variables when sessions are enabled: is it true that when sessions are enabled, variables in a PHP document received from a form are reset?