====== Security ======

===== Error Reporting =====
By default, php is usually configured to be in a verbose error reporting mode.  This is helpful for debugging, while the project is being coded.  However, this is not desirable for a production environment.  While you should spare no effort to make your code as secure as possible, the output from an error message in php could help a hacker find a way to exploit something on your site.
  * see [[error_handling]] for more information

===== Security Recap (Tips) =====
Source: Programming PHP, 2nd Edition, Chapter 12
  * Filter input to be sure that all data you receive from remote sources is the data you expect.  Remember, the stricter your filtering logic, the safer your application.
  * Escape output to be sure that your data isn't misinterpreted by a remote system.
  * Always initialize your variables.  This is especially important when the register_globals directive is enabled.
  * Disable register_globals, magic_quotes_gpc, and allow_url_fopen.  See http://www.php.net for details on these directives.
  * Whenever you construct a filename, check the components with basename() and realpath().
  * Store includes outside of the document root.  It is better to not name your included files with the .inc extension.  Name them with a .php extension, or some other less obvious extension.
  * Always call session_regenerate_id() whenever a user's privilege level changes.
  * Whenever you construct a filename from a user-supplied component, check the components with basename() and realpath().
  * Don't create a file and then change its permissions.  Instead, set umask() so that the file is created with the correct permissions.
  * Don't use user-supplied data with eval(), preg_replace() with the /e option, or any of the system commands (exec(), system(), popen(), passthru(), and the backtick(``) operator).