PHP security

I need to learn PHP security.

Security takes time to learn. Start by understanding in detail the request/response cycle. Understand why HTTPS is important. Understand headers and bodies. Understand that any request cannot be trusted. Learn to implement the OWASP Top 10. That's a good start, actually.
burnedfaceless Asked:
Ray Paseur Commented:
PHP has a good starting point here:
http://php.net/manual/en/security.php

And you're right, it's a never-ending learning cycle because the threats are always evolving.

Also, you're not the first person to ask about this.  If you search E-E for "PHP Security" you will find many learning resources!
http://www.experts-exchange.com/searchResults.jsp?searchType=ALL&searchTerms=PHP+Security&searchSubmit=&asSubmit=true&asIgnored=true&asNoSuggestionNoResults=true
0
madunix Commented:
The most efficient way to manage application security risk is to take security into consideration right from the very beginning of the coding process and ensure that security is built in at every phase of the adopted software development lifecycle, so make sure to educate yourself to deliver code based on security standards. Keep it simple and keep it clean.

https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet
http://code.google.com/p/wasclist/
http://framework.zend.com/
0
burnedfaceless Author Commented:
Not accepting comments yet; thanks for the speedy replies.
0
Maidine Fouad Engineer Commented:
If you really want to secure PHP code you have to be kind of utterly paranoid.

Below are some PHP security mistakes programmers make (not all of them, but the most common ones):

Leaving error reporting on (hackers use this to find out intel about your site structure, database type...)

Trusting user input (especially with powerful commands like eval())

Leaving the default password on MySQL, the default admin page path...

Leaving installation files online

Not enabling safe_mode on your server
0
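The "trusting user input" item above, shown in code. This is an added example, not code from the thread or from any of the posters: a hypothetical calculator endpoint that takes `a`, `op` and `b` from the query string. The first function is the mistake (the parameter becomes PHP code); the second validates the numbers with the filter extension and lets the input only select from a whitelist of operations, and a third shows the same idea for a database lookup with a PDO prepared statement (the table and column names are assumptions).

```php
<?php
// Added example for the thread (not from the original posts).
declare(strict_types=1);

// --- The mistake: a request parameter reaches eval() ---
// Whatever the client sends runs as PHP with the web server's privileges.
// Kept here only as the "before" picture; do not use.
function vulnerableCalc(array $query): mixed
{
    $expr = $query['expr'] ?? '0';            // untrusted
    return eval('return ' . $expr . ';');     // arbitrary code execution
}

// --- Hardened: validate the operands, whitelist the operation ---
function safeCalc(array $query): ?float
{
    // FILTER_VALIDATE_FLOAT returns false for anything that is not a number,
    // so "1; system('id')" is rejected rather than interpreted.
    $a = filter_var($query['a'] ?? null, FILTER_VALIDATE_FLOAT);
    $b = filter_var($query['b'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($a === false || $b === false) {
        return null;
    }

    // The input chooses a key in this table; it never becomes code.
    $ops = [
        'add' => fn(float $x, float $y): float => $x + $y,
        'sub' => fn(float $x, float $y): float => $x - $y,
        'mul' => fn(float $x, float $y): float => $x * $y,
    ];
    $op = $query['op'] ?? '';
    if (!is_string($op) || !isset($ops[$op])) {
        return null;
    }
    return $ops[$op]($a, $b);
}

// --- Same principle for a database lookup (hypothetical "users" table) ---
// The id is validated as an integer and bound as a parameter, so it can
// never change the structure of the SQL statement.
function findUser(PDO $pdo, mixed $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs, as they would arrive in $_GET.
var_dump(safeCalc(['a' => '2', 'op' => 'mul', 'b' => '3.5']));   // float(7)
var_dump(safeCalc(['a' => '2', 'op' => 'pow', 'b' => '3']));     // NULL: op not whitelisted
var_dump(safeCalc(['a' => "1; system('id')", 'op' => 'add', 'b' => '1'])); // NULL: not a float
```

The pattern generalises: every external value is converted into a typed, range-checked PHP value before it is used, and strings from the client are only ever compared against, or used to index, data the application itself defined.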
Ray Paseur Commented:
Further to what Fouad Maidine says...

It is not a mistake to leave error reporting on.  You really, really want error_reporting() on at all times.  What you might not want is the display_errors directive.

Nobody with any experience at all would ever trust user input or allow a user to specify which PHP instructions get executed.  All external input is tainted, by definition, and must be filtered.

PHP safe_mode does not exist any more.  It was removed years ago, at PHP 5.4.  Like Suhosin, safe_mode could cause run-time failures in tested code.  It was a hindrance without much, if any, benefit.  The real benefits come from following the PHP security guidelines.  The PHP community keeps these guidelines up-to-date.

You might also want to join, and become active in OWASP.  But please keep in mind that information technology security is a full-time, four year, college major.  Learning security is like learning to build a car.  It takes a long time and there are always others you can learn from at any point in your career.
1
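The distinction Ray draws between error_reporting() and display_errors, as an added example (not from the thread): a bootstrap file that keeps reporting fully on, logs every error with enough detail to debug it, and hands the client only a generic message with a reference id. The log path and the reference-id scheme are assumptions.

```php
<?php
// Added example for the thread (not from the original posts).
// Equivalent php.ini settings, which also cover startup errors that
// ini_set() at runtime cannot reach:
//   error_reporting = E_ALL
//   display_errors  = Off
//   log_errors      = On
//   error_log       = /var/log/php/app.log   (hypothetical path)
declare(strict_types=1);

error_reporting(E_ALL);                         // report everything...
ini_set('display_errors', '0');                 // ...but never into the response
ini_set('log_errors', '1');                     // ...record it instead
ini_set('error_log', '/var/log/php/app.log');   // hypothetical path

// Notices and warnings become exceptions so they take the same path as
// real failures instead of being displayed or silently ignored.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;   // silenced with @: let PHP's default handling run
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Uncaught exceptions: full detail (class, message, file:line, trace) goes
// to the log under a random reference id; the client sees only the id.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(8));
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\n%s",
        $ref,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=UTF-8');
    }
    echo "Something went wrong. Reference: {$ref}\n";
});

// Constructed demonstration: an undefined variable is now an exception,
// which lands in the log with a reference rather than on the page.
function demo(): void
{
    echo $undefinedVariable;   // E_WARNING in PHP 8, converted above
}
demo();
```

Paths, SQL fragments and stack traces stay in the log, which is what a developer needs; the reference id is what a user can quote to support without the response leaking anything about the site's structure.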
Maidine Fouad Engineer Commented:
Exactly, Sir @Ray Paseur, for the PHP errors, that's what I meant to say. Thank you for clarifying it.

Safe mode is for older versions, of course. Not everyone is up to date, though... Some hosting companies where I live are still using old PHP versions... too lazy to update, I guess...

Some of the unmentioned important security topics in PHP are XSS injections, CSRF attacks, and character encoding (depends on the language and encoding used, though... not English...)

Also session hijacking, if it was not mentioned.

Please do note that the people who maintain the PHP language are not always concerned about backward compatibility. With newer versions of PHP you might find yourself with the rug pulled out from under you.
0
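The topics listed in this comment (XSS, CSRF, character encoding and session hijacking) in one page of plain PHP, as an added example that is not from the thread or from any framework: the session cookie is restricted and the id is rotated at login, a per-session CSRF token is checked in constant time, and output is escaped with the encoding stated explicitly. The login form and the user id are hypothetical; credential checking itself is outside the example.

```php
<?php
// Added example for the thread (not from the original posts).
declare(strict_types=1);

// --- Session hijacking: restrict the cookie, reject unknown ids, rotate on login ---
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // sent only over HTTPS
    'httponly' => true,     // not readable from script, so XSS cannot read it
    'samesite' => 'Lax',    // not sent on cross-site POSTs
]);
ini_set('session.use_strict_mode', '1');   // ids the server never issued are refused
session_start();

function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);   // fresh id; anything fixed before login is useless
    $_SESSION['user_id'] = $userId;
}

// --- CSRF: one random token per session, compared in constant time ---
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(mixed $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- XSS and encoding: escape at output, and say which charset you mean ---
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // Credentials would be verified here; 42 is a hypothetical user id.
    onSuccessfulLogin(42);
}

$name = $_GET['name'] ?? 'guest';   // untrusted, escaped below at output
?>
<!doctype html>
<meta charset="utf-8">
<p>Hello, <?= e($name) ?></p>
<form method="post">
  <input type="hidden" name="csrf" value="<?= e(csrfToken()) ?>">
  <button>Log in</button>
</form>
```

The encoding argument to htmlspecialchars() and the charset in the Content-Type header must agree, which is the practical side of the "character encoding" point: an escaper that assumes one charset while the browser decodes another can be bypassed.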
madunix Commented:
The following might provide the appropriate guidance:
http://phpsec.org/projects/guide/
0
Ray Paseur Commented:
^^ PHPSec provided rudimentary guidance a decade ago.  It's obsolete today.
0