This is a fairly old short note, brought over from: http://salearningschool.com/displayArticle.php?table=Articles&articleID=1357&title=PHP%20Security%20-%20Guidelines
- Do not store sensitive information in cookies
- Instead of cookies, store sensitive information in sessions
- Sessions can also be hacked, though they are safer than cookies
- The PHP session id is fairly random, so in general this is not a problem
- To reduce the session security problem, determine whether the current user is the one who originally initiated the session; if not, deny access
- Regenerate session ids after login and on initialization
- Change the session variable name and the path where sessions are saved [session_save_path(), session_name("xyz")]
- Reduce the session lifetime [session.gc_maxlifetime]
- Use SSL [force users to use SSL]
- Do not use .inc files, and do not keep PHP code inside them
- Do not use dynamic file paths for require and include
- Do not use relative file paths [use absolute file paths]
- Do not trust user input; this is the basis for preventing XSS
- Use htmlspecialchars(), strip_tags(), or htmlentities() on user input
- To prevent Cross-site Request Forgery (CSRF), check $_SERVER['HTTP_REFERER']
- You may want to use a token in your session to prevent CSRF. Re-authenticate for sensitive operations
- When you use third-party tools, do not install them in their default location
- When an error situation occurs in your code, just stop
- Use authorization to give a user only the minimal rights he/she needs
- Double check everywhere you are using eval()
- Use mysql_real_escape_string() on user-provided data before using it in database queries
- Use prepared statements or stored procedures
- Double verify the data types; do not accept a string where the data has to be an integer [use ctype_digit() or filter_var(); do not use is_int() or is_numeric()]
- Keep log files and check them from time to time
- Do not display detailed error messages on your live site, but you can log the errors for your own checking
- Do not use standard login names such as administrator or root
- Do not put your administration module in a folder named admin
- You can even use a different file extension than .php [but not .inc]
- Stop spam sent through your contact form: validate email addresses with filter_var()
- Encrypt sensitive information
- Initialize variables when they are first declared
- Disable register_globals in php.ini
- Do not use $_REQUEST; use $_GET and $_POST instead
- While developing, use E_ALL to see all possible errors, but turn off E_ALL on the live site
- Type cast and verify data; only allow the appropriate data type
- Use ctype_alnum(), ctype_alpha(), ctype_xdigit()
- Prefer htmlspecialchars() and htmlentities() over strip_tags()
- SQL escaping (to prevent SQL injection): mysql_escape_string(), mysql_real_escape_string(), pg_escape_string(), pg_escape_bytea(), sqlite_escape_string()
- To avoid double escaping, check get_magic_quotes_gpc() before escaping
- Session security technique: compare against the browser signature headers; if they do not match, destroy the session
- For shared hosting, configure the following two php.ini directives properly: open_basedir, safe_mode
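The session-related points above (custom session name and save path, shorter lifetime, SSL-only cookies, regenerating the id after login, the browser-signature check, and a CSRF token in the session) put together in one PHP bootstrap, as an added example that is not code from the original note; the session name, the save path, the header set used for the signature and a PHP 7.3+ runtime are assumptions.

```php
<?php
// Added example (not from the original note): hardening a PHP session.
// Assumes PHP 7.3+ and inclusion before any output; name and save path are made up.
declare(strict_types=1);

session_name('appsid');                           // not the default PHPSESSID
session_save_path('/var/lib/myapp/sessions');     // assumed dir, outside the web root
ini_set('session.gc_maxlifetime', '1800');        // idle sessions expire after 30 min
ini_set('session.use_strict_mode', '1');          // reject ids the server never issued
ini_set('session.use_only_cookies', '1');         // never accept an id from the URL
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,    // cookie is only sent over SSL/TLS
    'httponly' => true,    // not readable by JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Browser signature: hash of request headers that should stay constant for a session.
function browser_signature(): string
{
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash('sha256', $ua . "\0" . $lang);
}

// Call after the credentials have been verified: fresh id, signature and CSRF token.
function on_login(int $userId): void
{
    session_regenerate_id(true);   // discard the pre-login id
    $_SESSION['uid']  = $userId;
    $_SESSION['sig']  = browser_signature();
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Constant-time check of the token submitted with a state-changing POST form.
function csrf_ok(string $submitted): bool
{
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}

// On every request: if the stored signature no longer matches, destroy the session.
if (isset($_SESSION['sig']) && !hash_equals($_SESSION['sig'], browser_signature())) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session invalid');
}
```

Each form that changes state should embed `$_SESSION['csrf']` in a hidden field and the handler should reject the request unless `csrf_ok()` returns true.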
From: http://sitestree.com/?p=4659
Categories:PHP
Post Date: 2016-11-29 17:06:02