Inheriting a legacy app can be an adventure. Sometimes it can be much more than that. Trying to securely lock down a legacy app can be a much larger undertaking. Here is a “quick” first-pass recommendation.

Two core (not complete) pieces of locking down a system are:
- Validate input
- Escape output
This is relatively easy to accomplish on a new project or rewrite. Sifting through a 7-year-old legacy app, however, is a much larger task. Why not try this:
grep -R -E 'echo|<\?=|print|flush\(|var_dump|exit|die' *
This will show you wherever you are outputting information to the client. It is not perfect, but it will get you started on where you need to be escaping your output.
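As an added example that is not part of the original post: the same grep idea, wrapped in a small POSIX shell script that also separates output sites which already call an HTML-escaping function on the same line from those that do not. The regexes, helper names and sample PHP file are my own assumptions, and "same line" is a rough heuristic, not proof that a line is safe.

```shell
#!/bin/sh
# Added example, not code from the original post: find PHP output sinks
# (the same idea as the post's grep) and split them into lines that already
# call an HTML-escaping function and lines that do not. Sample files are
# constructed in a temp dir so the script runs stand-alone.
set -eu

# Output sinks: echo/print/printf/print_r/var_dump/flush/exit/die as whole
# words, plus the short echo tag <?=. (Regex is an assumption, not the post's.)
SINK_RE='(^|[^A-Za-z_])(echo|print|printf|print_r|var_dump|flush|exit|die)([^A-Za-z_]|$)|<\?='
# Escaping calls treated as evidence the line is already handled.
ESC_RE='htmlspecialchars|htmlentities'

# find_sinks DIR: every output site in *.php under DIR, as file:line:text
find_sinks() {
    grep -R -n -E --include='*.php' "$SINK_RE" "$1" || true
}

# unescaped_sinks DIR: the sinks with no escaping call on the same line
unescaped_sinks() {
    find_sinks "$1" | grep -v -E "$ESC_RE" || true
}

# make_sample: constructed fixture tree (two escaped sinks, two unescaped)
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/views"
    cat > "$d/views/user.php" <<'EOF'
<h1>Hello <?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?></h1>
<p><?= $_GET['msg'] ?></p>
<?php
echo "<a href='" . $url . "'>link</a>";
print htmlentities($comment);
?>
EOF
    echo 'body { color: red; }' > "$d/style.css"   # not .php, must be ignored
    echo "$d"
}

main() {
    dir=$(make_sample)
    echo "== all output sites =="
    find_sinks "$dir"
    echo "== output sites with no escaping on the same line =="
    unescaped_sinks "$dir"
}
main "$@"
```

Treat the second list as the review queue: each entry still needs a human to decide whether the value is attacker-controlled and which escaping context (HTML body, attribute, JavaScript, URL) applies.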
(Big thanks to the lady I was conversing with at php[tek]14 for bringing up the nucleus for this post.)