We’ve posted a new Expert Spotlight! Joe Anderson (DatabaseMX) has been on Experts Exchange since 2006. Learn more about this database architect, guitar aficionado, and Microsoft MVP.
PHP security
I need to learn PHP security.
security takes time to learn. start by understanding in detail the request/response cycle. understand why https is important. understand headers and bodies. understand any request cannot be trusted. learn to implement owasp top 10. that's a good start actually.
security takes time to learn. start by understanding in detail the request/response cycle. understand why https is important. understand headers and bodies. understand any request cannot be trusted. learn to implement owasp top 10. that's a good start actually.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
PHP has a good starting point here:
http://php.net/manual/en/security.php
And you're right, it's a never-ending learning cycle because the threats are always evolving.
Also, you're not the first person to ask about this. If you search E-E for "PHP Security" you will find many learning resources!
http://www.experts-exchange.com/searchResults.jsp?searchType=ALL&searchTerms=PHP+Security&searchSubmit=&asSubmit=true&asIgnored=true&asNoSuggestionNoResults=true
http://php.net/manual/en/security.php
And you're right, it's a never-ending learning cycle because the threats are always evolving.
Also, you're not the first person to ask about this. If you search E-E for "PHP Security" you will find many learning resources!
http://www.experts-exchange.com/searchResults.jsp?searchType=ALL&searchTerms=PHP+Security&searchSubmit=&asSubmit=true&asIgnored=true&asNoSuggestionNoResults=true
The most efficient way to manage application security risk is to take security into consideration right from the very beginning of the coding process and ensure that security is built in at every phase of the adopted software development lifecycle, so make sure, to educate yourself to deliver a code based on security standard. Keep it Simple and Keep it Clean.
https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
http://code.google.com/p/wasclist/
http://framework.zend.com/
https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
http://code.google.com/p/wasclist/
http://framework.zend.com/
If you really want to secure php code you have to be kind of Utterly Paranoid
Below Some php Security Mistakes programmers make (not all of them but the most common ones) :
Leaving error reporting On ( hackers use this to find out intel about your site structure , DataBase type...)
Trusting User Input (especially with powerful commands like eval() )
Leaving Default Password on Mysql,Default Admin Page path ..
Leaving Installation Files Online
Not Enabling safe_mode on your Server
Below Some php Security Mistakes programmers make (not all of them but the most common ones) :
Leaving error reporting On ( hackers use this to find out intel about your site structure , DataBase type...)
Trusting User Input (especially with powerful commands like eval() )
Leaving Default Password on Mysql,Default Admin Page path ..
Leaving Installation Files Online
Not Enabling safe_mode on your Server
Further to what Fouad Maidine says...
It is not a mistake to leave error reporting on. You really, really want error_reporting() on at all times. What you might not want is the display_errors directive.
Nobody with any experience at all would ever trust user input or allow a user to specify which PHP instructions get executed. All external input is tainted, by definition, and must be filtered.
PHP safe_mode does not exist any more. It was removed years ago, at PHP 5.4. Like Suhosin, safe_mode could cause run-time failures in tested code. It was a hindrance without much, if any, benefit. The real benefits come from following the PHP security guidelines. The PHP community keeps these guidelines up-to-date.
You might also want to join, and become active in OWASP. But please keep in mind that information technology security is a full-time, four year, college major. Learning security is like learning to build a car. It takes a long time and there are always others you can learn from at any point in your career.
It is not a mistake to leave error reporting on. You really, really want error_reporting() on at all times. What you might not want is the display_errors directive.
Nobody with any experience at all would ever trust user input or allow a user to specify which PHP instructions get executed. All external input is tainted, by definition, and must be filtered.
PHP safe_mode does not exist any more. It was removed years ago, at PHP 5.4. Like Suhosin, safe_mode could cause run-time failures in tested code. It was a hindrance without much, if any, benefit. The real benefits come from following the PHP security guidelines. The PHP community keeps these guidelines up-to-date.
You might also want to join, and become active in OWASP. But please keep in mind that information technology security is a full-time, four year, college major. Learning security is like learning to build a car. It takes a long time and there are always others you can learn from at any point in your career.
Exactly Sir @Ray Passeur for the Php Errors , that's what i meant to say , Thank you for enlightening it
Safe mode is For Older Versions of course , Not Everyone is up to date tough ... Some hosting Companies where i live are still using Old Php Versions ... too lazy to update i guess...
Some of the unmentioned Important Security Topics in PHP are XSS injections , CSRF attacks , Character Encoding (Depends on the language and Encoding used tough ... not English ...)
Also session hijacking if it was not mentioned
Please do not that : The people who maintain the PHP language are most of the time not always concerned about backward compatibility ,With newer version of PHP you might find yourself with the rug pulled out from under you .
Safe mode is For Older Versions of course , Not Everyone is up to date tough ... Some hosting Companies where i live are still using Old Php Versions ... too lazy to update i guess...
Some of the unmentioned Important Security Topics in PHP are XSS injections , CSRF attacks , Character Encoding (Depends on the language and Encoding used tough ... not English ...)
Also session hijacking if it was not mentioned
Please do not that : The people who maintain the PHP language are most of the time not always concerned about backward compatibility ,With newer version of PHP you might find yourself with the rug pulled out from under you .
Premium Content
You need an Expert Office subscription to comment.Start Free Trial