PHP security

burnedfaceless
I need to learn PHP security.

Security takes time to learn. Start by understanding in detail the request/response cycle. Understand why HTTPS is important. Understand headers and bodies. Understand that any request cannot be trusted. Learn to implement the OWASP Top 10. That's a good start, actually.
Most Valuable Expert 2011
Top Expert 2016
Commented:
PHP has a good starting point here:
http://php.net/manual/en/security.php

And you're right, it's a never-ending learning cycle because the threats are always evolving.

Also, you're not the first person to ask about this. If you search E-E for "PHP Security" you will find many learning resources!
http://www.experts-exchange.com/searchResults.jsp?searchType=ALL&searchTerms=PHP+Security&searchSubmit=&asSubmit=true&asIgnored=true&asNoSuggestionNoResults=true
Commented:
The most efficient way to manage application security risk is to take security into consideration right from the very beginning of the coding process and ensure that security is built in at every phase of the adopted software development lifecycle, so make sure to educate yourself to deliver code based on security standards. Keep it simple and keep it clean.

https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
http://code.google.com/p/wasclist/
http://framework.zend.com/

Author commented:
Not accepting comments yet, thanks for the speedy replies.
Maidine Fouad (Engineer) commented:
If you really want to secure PHP code you have to be kind of utterly paranoid.

Below are some PHP security mistakes programmers make (not all of them, but the most common ones):

Leaving error reporting on (hackers use this to find out intel about your site structure, database type, ...)

Trusting user input (especially with powerful commands like eval())

Leaving the default password on MySQL, the default admin page path, ...

Leaving installation files online

Not enabling safe_mode on your server
Commented:
Further to what Fouad Maidine says...

It is not a mistake to leave error reporting on. You really, really want error_reporting() on at all times. What you might not want is the display_errors directive.

Nobody with any experience at all would ever trust user input or allow a user to specify which PHP instructions get executed. All external input is tainted, by definition, and must be filtered.

PHP safe_mode does not exist any more. It was removed years ago, at PHP 5.4. Like Suhosin, safe_mode could cause run-time failures in tested code. It was a hindrance without much, if any, benefit. The real benefits come from following the PHP security guidelines. The PHP community keeps these guidelines up-to-date.

You might also want to join, and become active in, OWASP. But please keep in mind that information technology security is a full-time, four-year college major. Learning security is like learning to build a car. It takes a long time and there are always others you can learn from at any point in your career.
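As an added illustration of the two points made above (this is example code written for this page, not code posted by anyone in the thread): keep error_reporting at E_ALL, disable display_errors and log instead, and validate every external value before use. The log path and the `id` query parameter are assumed for the example.

```php
<?php
// Added example: production-style error handling plus input filtering
// for a small "show post" endpoint. The log path and the 'id' query
// parameter are assumptions for illustration only.
declare(strict_types=1);

// 1. Report everything, but never render it to the client. Diagnostics go
//    to the server log, where paths, SQL and stack traces stay private.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumed log path

// Turn notices/warnings into exceptions so nothing is silently ignored and
// the generic handler below is the only thing a browser ever sees.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage()
        . ' at ' . $e->getFile() . ':' . $e->getLine());
    http_response_code(500);
    echo 'An internal error occurred.'; // no detail leaks into the response
});

// 2. External input is tainted by definition: validate it into a typed
//    value instead of using $_GET['id'] directly.
function postIdFromRequest(): int
{
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {   // false = invalid, null = missing
        http_response_code(400);
        exit('Invalid post id.');
    }
    return $id;
}

// 3. Escape on output for the context the value lands in (HTML body text).
function renderTitle(string $untrustedTitle): string
{
    return '<h1>' . htmlspecialchars($untrustedTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

$id = postIdFromRequest();
// Constructed stand-in for a title read back from the database.
$titleFromDb = 'Post #' . $id . ' <script>alert(1)</script>';
echo renderTitle($titleFromDb);
```

A request with a tampered `?id=abc` gets a plain 400 instead of a database error, and the injected title renders as literal text rather than executing.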
Engineer commented:
Exactly, Sir @Ray Paseur, for the PHP errors; that's what I meant to say. Thank you for enlightening it.

Safe mode is for older versions, of course; not everyone is up to date though... Some hosting companies where I live are still using old PHP versions... too lazy to update, I guess...

Some of the unmentioned important security topics in PHP are XSS injections, CSRF attacks, and character encoding (depends on the language and encoding used though... not English...)

Also session hijacking, if it was not mentioned.

Please do note that the people who maintain the PHP language are most of the time not always concerned about backward compatibility. With newer versions of PHP you might find yourself with the rug pulled out from under you.

Commented:
The following might provide the appropriate guidance:
http://phpsec.org/projects/guide/
Commented:
^^ PHPSec provided rudimentary guidance a decade ago. It's obsolete today.
