docs:programming:php:security (created 2007/03/23 22:39 by billh; current version 2008/08/03 00:25)
====== Security ======

===== Error Reporting =====
By default, PHP is usually configured for verbose error reporting (display_errors on, error_reporting at or near E_ALL).  This is helpful for debugging while the project is being coded, but it is not desirable in a production environment.  However much effort you put into making the code itself secure, a warning or uncaught exception rendered into the response discloses internal detail: absolute file paths, database host and user names, table and column names from a failed query, and stack traces that reveal which libraries are in use.  That is reconnaissance an attacker would otherwise have to do blind.  In production set display_errors to Off and log_errors to On in php.ini, so the detail goes to a log file the web server user can write but the client never sees.
  * see [[error_handling]] for more information

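The same production policy expressed in code, as an added example that is not part of the original wiki page: every error is logged with full detail, the client only ever sees a generic message plus an opaque reference id, and fatal errors that bypass set_error_handler() are caught at shutdown.  The log path and the database DSN at the end are assumptions for the illustration.

```php
<?php
// Added example (not from the original wiki page): a production bootstrap that
// keeps PHP's error detail out of HTTP responses while still logging it.
// Assumes /var/log/php/app.log exists and is writable by the web server user.

declare(strict_types=1);

// Report everything internally, but never render it to the client.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed log location
ini_set('html_errors', '0');

/**
 * Turn every warning/notice/deprecation into an exception so nothing slips
 * through as half-rendered output.  Errors silenced with @ are left to the
 * default handler, because error_reporting() is 0 for them at that moment.
 */
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

/**
 * Log the full exception (class, message, file, line, trace) and send the
 * client a generic 500 page carrying only an opaque reference id, which lets
 * support find the matching log entry without exposing its content.
 */
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s', $ref, get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "An internal error occurred. Reference: {$ref}\n";
    exit(1);
});

// Fatal errors (E_ERROR, memory exhaustion, parse errors in included files)
// never reach set_error_handler(); pick them up at shutdown instead.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        error_log(sprintf('FATAL %s in %s:%d', $err['message'], $err['file'], $err['line']));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo "An internal error occurred.\n";
    }
});

// --- Demonstration: a typical leak that is now contained ---
// Without the bootstrap a failed connect prints something like
// "SQLSTATE[HY000] [1045] Access denied for user 'app'@'10.0.0.5'" to the browser,
// naming the database user and the web host's address.  With it, the client
// sees only the generic message and reference id; the detail is in the log.
// The DSN and credentials below are constructed and will fail on purpose.
$pdo = new PDO('mysql:host=db.internal;dbname=app', 'app', 'wrong-password');
```

Prefer putting the ini settings in php.ini rather than relying on ini_set(): ini_set() only takes effect once the script is running, so a parse error in the bootstrap file itself is still reported according to php.ini.
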
===== Security Recap (Tips) =====
Source: Programming PHP, 2nd Edition, Chapter 12
  * Filter input to be sure that all data you receive from remote sources ($_GET, $_POST, $_COOKIE, request headers, uploaded file names) is the data you expect.  Prefer an allow-list of what is valid over a deny-list of what is known to be bad; the stricter your filtering logic, the safer your application.
  * Escape output to be sure that your data isn't misinterpreted by the system that receives it: htmlspecialchars() for HTML, prepared statements or the driver's quoting function for SQL, escapeshellarg() for a command line.  The escaping depends on the destination, not on where the data came from.
  * Always initialize your variables.  This is especially important when the register_globals directive is enabled, because an uninitialized variable can then be set from the query string or a cookie.
  * Disable register_globals, magic_quotes_gpc, allow_url_fopen and allow_url_include.  See http://www.php.net for details on these directives.  (register_globals and magic_quotes_gpc were removed in PHP 5.4; on a current PHP the remaining concern is allow_url_fopen/allow_url_include, which let include() and the file functions fetch remote URLs.)
  * Whenever you construct a filename from a user-supplied component, strip any directory part with basename(), canonicalize the result with realpath(), and then confirm the canonical path still begins with the directory you intended.  realpath() on its own is not a check; it resolves ".." and symlinks so that the prefix comparison is meaningful.
  * Store includes outside of the document root.  It is better to not name your included files with the .inc extension, since a web server that does not know the extension will serve the file as plain text and expose its source (and any credentials in it).  Name them with a .php extension, or some other extension the server will not serve raw.
  * Always call session_regenerate_id() whenever a user's privilege level changes (login, logout, role change), so a session id fixated or captured before the change is not usable after it.
  * Don't create a file and then change its permissions; between the two calls the file exists with the default mode.  Instead, set umask() so that the file is created with the correct permissions from the start.
  * Don't use user-supplied data with eval(), preg_replace() with the /e option (removed in PHP 7; use preg_replace_callback() instead), or any of the system commands (exec(), system(), popen(), passthru(), and the backtick (``) operator).
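The filter-input, escape-output, basename()/realpath(), umask() and session_regenerate_id() points above applied together, as an added example that is not code from the original page or from the cited book.  It is a small "download a report" handler; the storage directory, file naming scheme and request field are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original wiki page or from the cited book:
// the recap applied to a small "download a report" handler.  The directory,
// file names and request field below are assumptions made for the illustration.
// Requires PHP 8 (str_starts_with, mixed).

declare(strict_types=1);

const REPORT_DIR = '/srv/app/reports';   // assumed storage dir, outside the document root

/**
 * Filter input: accept only what we expect.  A report name is 1-64 characters
 * of [A-Za-z0-9_-]; anything else ("../", NUL bytes, spaces, look-alike
 * characters) is rejected outright rather than "cleaned up".
 */
function filterReportName(mixed $raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw)) {
        return null;
    }
    return $raw;
}

/**
 * Build a path from a user-supplied component and prove it stays inside REPORT_DIR.
 * basename() strips any directory part; realpath() resolves ".." and symlinks,
 * so the containment test compares canonical paths, not strings the user chose.
 */
function resolveReportPath(string $name): ?string
{
    $base = realpath(REPORT_DIR);
    if ($base === false) {
        return null;                           // storage dir missing or unreadable
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name) . '.txt');
    // realpath() is false for a file that does not exist; a symlink pointing
    // outside the tree resolves to a path that fails the prefix test below.
    if ($candidate === false || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

/**
 * Escape output: data that ends up in HTML is encoded for HTML at the point of
 * output, whatever filtering it passed on the way in.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Create a file with the intended mode from the start via umask(), instead of
 * creating it world-readable and chmod()-ing it afterwards (a window in which
 * another local user may already have opened it).
 */
function appendPrivateLog(string $path, string $line): bool
{
    $old = umask(0077);                        // new files 0600, new dirs 0700
    try {
        return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
    } finally {
        umask($old);                           // restore for the rest of the request
    }
}

/**
 * Privilege change: issue a fresh session id so an id fixated or sniffed before
 * login cannot be used afterwards.  To be called from the login handler once
 * password_verify() has succeeded (the login handler itself is not shown).
 */
function elevateSession(int $userId): void
{
    session_regenerate_id(true);               // true = also delete the old session data
    $_SESSION['user_id'] = $userId;
}

// --- Request handling.  The default value is a constructed stand-in for a real request. ---
$name = filterReportName($_GET['report'] ?? 'quarterly-2008_q1');
if ($name === null) {
    http_response_code(400);
    exit("Invalid report name\n");             // the rejected input is deliberately not echoed
}

header('Content-Type: text/html; charset=utf-8');
$path = resolveReportPath($name);
if ($path === null) {
    http_response_code(404);
    exit('<p>Report ' . h($name) . " not found</p>\n");
}

appendPrivateLog(REPORT_DIR . '/download.log', date('c') . ' ' . $name . "\n");
echo '<p>Report: ' . h($name) . "</p>\n<pre>" . h((string) file_get_contents($path)) . "</pre>\n";
```

Try it with ?report=../../etc/passwd (rejected by the filter before any path is built) and, if a symlink inside REPORT_DIR points elsewhere, with that symlink's name (it passes the filter but fails the realpath() prefix test).  Note that the filter does the heavy lifting; the realpath() check is the second line of defence for names that are syntactically fine but resolve somewhere unexpected.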