Some basic but very important rules for PHP Apps:
- Set register_globals off (the default value is off)
- Initialize all variables
- Do not expose error_reporting (E_ALL) output to users
- Grant users only the permissions they need
- Only pass an identifier in a cookie, never the actual data
- Set display_errors off and log_errors on
- Validate data in PHP rather than with JavaScript validation, which can be disabled
- Purge phpinfo.php
- If you use phpMyAdmin, change its initial password
- MySQL: only select the fields you need rather than SELECT *
- The Tidy extension can also be used for a whitelist approach to HTML
- Escape data before outputting it, e.g. htmlspecialchars(), htmlentities(), strip_tags()
- Don't forget to use is_uploaded_file($_FILES['upload_file']['tmp_name']) to prevent 'uploading' of fake files
- Properly validate user input (validation alone may not be enough; always escape user-supplied content before placing it in HTML unless you are sure it was filtered)
- Newer login methods also show a user-chosen image to help prevent users from being tricked by 'pseudo' sites
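The following is an added example, not code from the original post, showing how several of these rules look together in one small request handler: errors logged but not displayed, variables initialized from validated input, only the needed columns selected with bound parameters, a cookie that carries nothing but a session identifier, the is_uploaded_file() check before moving an upload, and escaping on output. The table and column names (users: id, username, email), the in-memory SQLite database, the sample row and the upload directory are all assumptions made for the example.

```php
<?php
// Added example (not from the original post). Table/column names, the
// SQLite in-memory database, the sample row and $uploadDir are assumptions.
declare(strict_types=1);

// Rule: keep errors out of the browser, but log them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);  // report everything to the log, show nothing to users

// Rule: escape data before output. Encodes quotes too, so the value is safe
// inside attributes as well as element text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rule: validate on the server, never rely on JavaScript. Returns a typed
// value or null, so callers initialize their variables from this result
// instead of reading $_GET/$_POST directly.
function validatedUserId(array $input): ?int
{
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Rule: select only the fields you need, and bind parameters instead of
// concatenating user input into the query.
function fetchUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rule: the cookie carries only an identifier; the data lives in $_SESSION.
function startSession(): void
{
    session_set_cookie_params([
        'httponly' => true,  // not readable from JavaScript
        'secure'   => true,  // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Rule: is_uploaded_file() before touching anything named in $_FILES.
// $uploadDir is an assumed path outside the web root.
function storeUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $tmp = $file['tmp_name'] ?? '';
    if (!is_uploaded_file($tmp)) {
        error_log('Rejected a file that did not arrive via HTTP POST upload');
        return null;
    }
    // Choose our own filename; never reuse the client-supplied name on disk.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16));
    return move_uploaded_file($tmp, $dest) ? $dest : null;
}

// One request, end to end.
startSession();
$db = new PDO('sqlite::memory:');  // assumption: any PDO driver works the same way
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
// Constructed sample row containing markup, to show escaping on output.
$db->exec("INSERT INTO users VALUES (1, '<b>alice</b>', 'alice@example.com')");

$id   = validatedUserId($_GET);                      // initialized from validated input
$user = $id !== null ? fetchUser($db, $id) : null;   // always initialized

if ($user === null) {
    http_response_code(404);
    echo 'No such user';
} else {
    // "<b>alice</b>" renders as literal text, not as bold markup.
    echo '<p>User: ' . e($user['username']) . ' (' . e($user['email']) . ')</p>';
}

if (isset($_FILES['upload_file'])) {
    $stored = storeUpload($_FILES['upload_file'], '/var/app/uploads');  // assumed directory
    echo $stored === null ? '<p>Upload rejected</p>' : '<p>Upload stored</p>';
}
```

Requesting the page with `?id=1` prints the escaped username; `?id=abc` or `?id=-5` fails FILTER_VALIDATE_INT and yields the 404 branch without ever touching the database. Anything in $_FILES whose tmp_name was not produced by the current POST upload is refused by is_uploaded_file() before move_uploaded_file() runs.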