Sunday 19 August 2007

PHP Application Security Rules




Some basic but very important rules for PHP Apps:

  1. Set register_globals off (the default value is off);
  2. Initialize all variables;
  3. Use error_reporting(E_ALL), but do not show the reported errors to users (see rule 6);
  4. Grant permissions to users only to the level needed;
  5. Only pass an identifier in a cookie, not the actual data;
  6. Set display_errors off and log_errors on;
  7. Use PHP (server-side) data validation rather than JavaScript validation, which can be disabled;
  8. Purge phpinfo.php;
  9. If you use phpMyAdmin, change its initial password;
  10. MySQL: only select the fields you need rather than 'select *';
  11. The Tidy extension can also be used for a whitelist approach to HTML;
  12. Escape data before outputting it, e.g. htmlspecialchars(), htmlentities(), strip_tags();
  13. Don't forget to use is_uploaded_file($_FILES['upload_file']['tmp_name']) to prevent 'uploading' fake files.

Properly validate user input (this alone may not be enough; always remember to escape user-supplied content when outputting it in HTML, unless you are sure it was filtered).
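To make the rules above and the validate-then-escape advice concrete, here is an added example (not code from the original post) of a small request handler that applies rules 2, 3, 5, 6, 7, 10, 12 and 13 together. The form field names, the upload directory and the already-opened `$pdo` database handle are assumptions made for illustration; `validateUsername()`, `validateAge()` and `e()` are helper names chosen here, not PHP built-ins.

```php
<?php
// Added example (not from the original post). Form fields, the upload
// directory and the $pdo handle are assumptions made for illustration.

declare(strict_types=1);

// Rules 3 and 6: report everything, log it, never show it to the visitor.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Rule 2: initialise every variable before use instead of relying on
// register_globals or on a key existing in $_POST / $_FILES.
$username = '';
$age      = 0;
$errors   = [];

// Rule 7: validate on the server; a browser-side check can be switched off.
function validateUsername(string $raw): ?string
{
    // Whitelist: 3 to 32 characters of letters, digits and underscores.
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

function validateAge(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 150],
    ]);
    return $value === false ? null : $value;
}

// Rule 12: escape at the point of output, not at the point of input.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = validateUsername((string) ($_POST['username'] ?? '')) ?? '';
    $age      = validateAge((string) ($_POST['age'] ?? '')) ?? 0;
    if ($username === '') { $errors[] = 'Invalid username.'; }
    if ($age === 0)       { $errors[] = 'Invalid age.'; }

    // Rule 13: only accept a file that PHP itself received in this request.
    if (isset($_FILES['upload_file']) && $_FILES['upload_file']['error'] === UPLOAD_ERR_OK) {
        $tmp = $_FILES['upload_file']['tmp_name'];
        if (!is_uploaded_file($tmp)) {
            $errors[] = 'Rejected a file that was not an HTTP upload.';
        } else {
            // Assumed destination directory outside the web root; the stored
            // name is random so the client cannot choose it.
            move_uploaded_file($tmp, '/var/app/uploads/' . bin2hex(random_bytes(16)));
        }
    }

    // Rule 10: name the columns you need. A prepared statement keeps the
    // user value out of the SQL text. $pdo is an assumed, already-opened PDO handle.
    if ($errors === [] && isset($pdo)) {
        $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    }
}

// Rule 5: the cookie carries only the opaque session id; the data stays
// server-side in $_SESSION. (Array form of the call needs PHP 7.3 or later.)
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
$_SESSION['username'] = $username;

// Output: every user-derived value passes through e() exactly once.
foreach ($errors as $err) {
    echo '<p class="error">' . e($err) . '</p>';
}
echo '<p>Hello, ' . e($username) . ' (' . $age . ')</p>';
```

Note the split between validation and escaping: `validateUsername()` rejects anything outside the whitelist, but the value is still run through `e()` when it is echoed, so a later change to the whitelist cannot silently turn into an HTML injection.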

Newer login methods also show the user a self-chosen image to help protect them against being tricked by 'pseudo' (look-alike) sites.
