Friday, August 29

PHP Security Tips

There is a PHP Security Tips series on the Zend site; here is a summary of it:
1, Keep the system up to date.
2, Don't output error messages to the user.
3, Use third-party security software or services.
4, Don't give critical files and folders their default names.
5, Don't trust the user. Filter input, escape output.
6, Cast input numbers before using them in a SQL query.
7, Use session_regenerate_id(true) instead of session_regenerate_id().
8, Always validate user input. (AGAIN?)
9, Keep sensitive data and code out of your web tree.
10, Do not blindly send mail using information entered into a form, to prevent email header injection.
11, Grant permissions to users only to the level needed.
12, Think carefully before using eval() on user input values. (AGAIN!)
13, PHPSecInfo. (TIP 3?)
14, Any data inside a cookie can potentially be seen by others. (AND IT CAN BE MODIFIED AS WELL!)
15, Don't forget to purge temporary system diagnostic files/code.
16, Keep your framework up to date. (TIP 1)
17, Read the PHP Security Guide (http://shiflett.org/php-security.pdf) and design your application with security in mind.
18, Restrict the file types that you allow to be uploaded, especially PHP files.
19, Consider your server's network connections. For example, put the database server behind a firewall.
20, Read and learn.
21, Subscribe to the Security Focus newsletter, read and learn.
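Tips 5, 6 and 7 as working PHP, added here as an example (it is not code from the Zend series or from the blog). The user table, the in-memory SQLite database and the sample request values are constructed for the demo; `findUserById`, `filterUsername` and `onSuccessfulLogin` are names chosen for this example.

```php
<?php
// Added example, not from the Zend series or the blog: tips 5, 6 and 7.
// All input values below are constructed; in a real script they come from $_GET/$_POST.

declare(strict_types=1);

// Tip 5, filter input: accept only what the field is allowed to contain and
// reject everything else instead of trying to "clean" it.
function filterUsername(string $raw): ?string
{
    // Whitelist: 3 to 32 characters, letters, digits and underscore only.
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

function filterEmail(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Tip 5, escape output: escaping is done at the output boundary, for the
// context the value is written into (here HTML text and attributes).
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Tip 6, cast input numbers: the value is validated as an integer and then
// cast, so whatever the client sent is a plain int by the time it reaches
// the query. The prepared statement keeps it data rather than SQL text.
function findUserById(PDO $db, string $rawId): ?array
{
    $valid = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        return null; // non-numeric input, empty strings and ids below 1 stop here
    }
    $id = (int) $rawId;
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Tip 7: after a privilege change such as login, rotate the session id.
// session_regenerate_id(true) also deletes the old session data; without the
// `true` argument the previous id keeps pointing at a still-valid session.
function onSuccessfulLogin(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_at'] = time();
}

// Demo with a constructed in-memory database and constructed request values.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob <b>')");

foreach (['2', '2 OR 1=1', '', 'abc', '0'] as $raw) {
    $row = findUserById($db, $raw);
    // Only the escaped form of the stored name is ever printed.
    printf("id=%-12s -> %s\n", var_export($raw, true), $row === null ? 'rejected' : escapeHtml($row['name']));
}

var_dump(filterUsername('alice_01'), filterUsername('alice; drop'), filterEmail('a@example.com'));
```

Run it with `php tips-5-6-7.php`; only the request for id `2` returns a row, and the stored name containing `<b>` is printed HTML-escaped. `onSuccessfulLogin` is not called in the demo because it needs a live session.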

The notes in capital letters are mine.
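Tips 10 and 18 as working PHP, added here as an example (not code from the Zend series or from the blog). The form array and the upload whitelist are constructed for the demo; `buildContactMail`, `safeHeaderValue` and `acceptedUploadName` are names chosen for this example.

```php
<?php
// Added example, not from the Zend series or the blog: tips 10 and 18.

declare(strict_types=1);

// Tip 10: a form value that ends up in a mail header must never contain a
// carriage return, line feed or NUL, because a newline starts a new header
// line. The value is rejected, not repaired.
function safeHeaderValue(string $raw): ?string
{
    if (preg_match('/[\r\n\0]/', $raw) === 1) {
        return null;
    }
    return trim($raw);
}

// The recipient is fixed by the application, never taken from the form. The
// only form-supplied header is Reply-To, and only after address validation
// (FILTER_VALIDATE_EMAIL does not accept newlines either).
function buildContactMail(array $form, string $siteOwner): ?array
{
    $replyTo = filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = safeHeaderValue((string) ($form['subject'] ?? ''));
    if ($replyTo === false || $subject === null || $subject === '') {
        return null;
    }
    return [
        'to'      => $siteOwner,
        'subject' => $subject,
        'body'    => (string) ($form['message'] ?? ''),
        'headers' => "Reply-To: {$replyTo}\r\nX-Mailer: PHP",
    ];
}

// Tip 18: restrict upload types with a whitelist of extensions, each tied to
// the MIME type the file's bytes must actually have. PHP files are simply not
// in the list. (Whitelist constructed for the demo.)
const ALLOWED_UPLOADS = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

function acceptedUploadName(string $clientName, string $detectedMime): ?string
{
    // Only the final extension counts, lowercased; it must be whitelisted AND
    // agree with the type detected from the file contents.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext]) || ALLOWED_UPLOADS[$ext] !== $detectedMime) {
        return null;
    }
    // The stored name is server-generated, so nothing from the client reaches
    // the filesystem path. Store it outside the web tree (tip 9).
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demo with constructed form data. In a real handler the mail array would be
// passed to mail(), and $detectedMime would come from
// (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['upload']['tmp_name']).
$good = ['email' => 'visitor@example.com', 'subject' => 'Question', 'message' => 'Hello'];
$bad  = ['email' => 'visitor@example.com', 'subject' => "Question\r\nBcc: someone@example.net", 'message' => 'Hello'];

var_dump(buildContactMail($good, 'owner@example.com') !== null); // accepted
var_dump(buildContactMail($bad, 'owner@example.com'));           // NULL, rejected

var_dump(acceptedUploadName('photo.JPG', 'image/jpeg') !== null); // accepted
var_dump(acceptedUploadName('photo.jpg', 'text/x-php'));          // NULL: bytes are not a JPEG
var_dump(acceptedUploadName('script.php', 'text/x-php'));         // NULL: extension not whitelisted
```

The two checks are deliberately independent: the header filter rejects any value with line breaks regardless of field, and the upload filter requires both the extension and the detected MIME type to match the same whitelist entry.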
