This is the last article in this series.
More Information
The following resources can help you expand on this brief introduction:
- Essential PHP Security by Chris Shiflett (O’Reilly) and its companion website at http://phpsecurity.org/
- The Open Web Application Security Project at https://www.owasp.org/
- The PHP Security Consortium at http://phpsec.org/
Security Recap and Summary
Because security is such an important issue, we want to reiterate the main points of this series of tutorials as well as add a few additional tips:
- Filter input to be sure that all data you receive from remote sources is the data you expect. Remember, the stricter your filtering logic, the safer your application.
- Escape output in a context-aware manner to be sure that your data isn't misinterpreted by a remote system.
- Always initialize your variables. This is especially important when the `register_globals` directive is enabled.
- Disable `register_globals`, `magic_quotes_gpc`, and `allow_url_fopen`. See http://www.php.net for details on these directives.
- Whenever you construct a filename from a user-supplied component, check the components with `basename()` and `realpath()`.
- Store includes outside of the document root. It is better not to name your included files with the .inc extension. Name them with a .php extension, or some other less obvious extension.
- Always call `session_regenerate_id()` whenever a user's privilege level changes.
- Don't create a file and then change its permissions. Instead, set `umask()` so that the file is created with the correct permissions.
- Don't use user-supplied data with `eval()`, `preg_replace()` with the `/e` option, or any of the system command functions: `exec()`, `system()`, `popen()`, `passthru()`, and the backtick (`) operator.
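As an added example (not code from the original series or from the book it draws on), here is how the filename tip above looks in practice: `basename()` strips any directory part the client sent, and `realpath()` lets you confirm the resolved file still lives inside the directory you intended. The function name and the base directory are assumptions.

```php
<?php
// Added example, not from the original article: confine a user-supplied
// filename to one directory using basename() and realpath().
// resolveUploadPath() and the '/var/www/uploads' base are assumptions.

declare(strict_types=1);

function resolveUploadPath(string $baseDir, string $userFilename): ?string
{
    // Filter input: drop any directory component the client may have sent,
    // so "../../etc/passwd" becomes just "passwd".
    $name = basename($userFilename);

    // Strict allow-list of characters; reject empty names and dotfiles.
    // The stricter the filter, the less there is to misinterpret later.
    if ($name === '' || $name[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }

    // realpath() resolves symlinks and "..", and returns false when the
    // path does not exist, so a missing file is refused as well.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }

    // Final check: the resolved path must still sit inside the base directory.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $full;
}

// Usage (assumed request parameter "file"):
// $path = resolveUploadPath('/var/www/uploads', $_GET['file'] ?? '');
// if ($path === null) { http_response_code(404); exit; }
// readfile($path);
```

A null result means the request is refused outright; never fall back to a default file, since that hides the fact that filtering rejected the input.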
Here is the list of articles in this series:
- PHP – Securing your Web Application : Introduction
- PHP – Securing your Web Application : Filter Input
- PHP – Securing your Web Application : Cross-Site Scripting
- PHP – Securing your Web Application : SQL Injection
- PHP – Securing your Web Application : Escape Output
- PHP – Securing your Web Application : Filenames
- PHP – Securing your Web Application : Session Fixation
- PHP – Securing your Web Application : File Uploads
- PHP – Securing your Web Application : File Access
- PHP – Securing your Web Application : PHP Code
- PHP – Securing your Web Application : Shell Commands
- PHP – Securing your Web Application : More information and Summary
Please share the article if you liked it, so your friends can learn about PHP security too. Please comment with any suggestions or queries.
Thanks to Kevin Tatroe, Peter MacIntyre and Rasmus Lerdorf. Special thanks to O'Reilly.