
SK89Q.com:
Definitive PHP security checklist
April 14, 2010 @ 09:25:37

On SK89Q.com there's a recent post with a long list of security tips you can follow to help ensure some of the most common security issues are taken care of on your site.

There was a recent question about a PHP security checklist on a forum I frequent, and I've decided to write my own comprehensive checklist to fill the void. There's something for everyone but the security expert. In fact, you might find an issue that you never thought about. Securing PHP web applications would be a better title for this article.

Tips shared in the post include:

  • Have strong passwords, and be sure that your "password recovery questions" are not too obvious.
  • Be aware that you can initiate a request from something as simple as telnet, so all incoming data can be forged.
  • Don't forget that inputted numbers can be very large, very small, zero, or negative. You don't want to deposit a negative number of credits!
  • The mime type/file type in the $_FILES array is provided by the user and can contain any value. Not only can the provided mime type be spoofed, it could also just be wrong or be overly generic. (Conclusion: The field is useless.)
  • Do extensive path checks to make sure you do not serve a non-uploaded file.
  • Never use user input directly in a pathname.
  • Be aware that a malicious user can sniff for packets to get a user's password. The only real solution to this problem is to use SSL.
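
Since the post itself offers little code, here is an added example (written for this summary, not taken from the SK89Q post) that applies four of the tips above in one upload handler: bounded integer parsing for a "credits" field, ignoring the client-supplied `$_FILES` type in favour of sniffing the bytes, choosing the stored filename server-side so no user input reaches a pathname, and checking the resolved path before serving. The upload directory, size limit, allowed types and form field names are assumptions for the example.

```php
<?php
// Added example, not code from the SK89Q post. Assumed layout: uploads are
// stored under UPLOAD_DIR; the form posts a "credits" field and an
// "attachment" file; downloads are requested by stored file name.
declare(strict_types=1);

const UPLOAD_DIR       = __DIR__ . '/uploads';           // assumed location
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;                // assumed policy: 2 MiB
const ALLOWED_MIME     = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Tip: inputted numbers can be huge, zero or negative. Accept only an integer
// inside a fixed range; FILTER_VALIDATE_INT also rejects "1e9", "0x10", " 5"
// and anything that would overflow PHP_INT_MAX.
function parseCredits(string $raw): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 10000],   // assumed limits
    ]);
    if ($value === false) {
        throw new InvalidArgumentException('credits must be an integer between 1 and 10000');
    }
    return $value;
}

// Tip: $_FILES[...]['type'] and ['name'] come from the client and can hold
// anything. Decide the type from the bytes on disk and pick the stored name
// ourselves, so nothing the user sent ends up in the path.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not a file uploaded in this request');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);     // sniffed; client "type" is never read
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException("unsupported content type: $mime");
    }
    // Random, server-chosen name with an extension we control.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    return $name;
}

// Tip: never use user input directly in a pathname, and check the resolved
// path before serving. The regex admits only names of the shape we generate;
// realpath() then catches "../" and symlink tricks that escape UPLOAD_DIR.
function resolveUploadPath(string $requested): string
{
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg)\z/', $requested)) {
        throw new InvalidArgumentException('bad file name');
    }
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . $requested);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('file is outside the upload directory');
    }
    return $real;
}

// Usage sketch inside a request handler:
// $credits = parseCredits($_POST['credits'] ?? '');
// $stored  = storeUpload($_FILES['attachment'] ?? []);
// readfile(resolveUploadPath($_GET['file'] ?? ''));
```

Note that `resolveUploadPath()` deliberately checks the shape of the name first and the resolved path second: the whitelist rejects almost everything an attacker might send, and the `realpath()` comparison is the backstop in case the directory itself is later pointed somewhere unexpected.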

There's lots more where this came from - a few pages of tips at least. There's not much in the way of actual code to show you how to integrate the tips into your application, but it's still a very useful list. You can also grab the full list as a downloadable cheat sheet [pdf].





All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework