PHP Security – Guidelines
- Do not store sensitive information in cookies.
- Instead of cookies, store sensitive information in sessions.
- Sessions can also be hijacked, though they are safer than cookies.
- PHP session IDs are highly random, so in general guessing them is not a problem.
- To reduce the session security problem, verify that the current user is the one who originally initiated the session; if not, deny access.
- Regenerate session IDs after login and on session initialization.
- Change the session name and the session save path [session_save_path(), session_name("xyz")].
- Reduce the session lifetime [session.gc_maxlifetime].
- Use SSL [force users to use SSL].
- Do not use .inc files, and do not keep PHP code inside them.
- Do not use dynamic file paths for require and include.
- Do not use relative file paths [use absolute file paths].
- Do not trust user input; this is the basis of preventing XSS.
- Use htmlspecialchars(), strip_tags() or htmlentities() on user input.
- To prevent Cross-Site Request Forgery (CSRF), check $_SERVER['HTTP_REFERER'].
- You may also want to use a token in your session to prevent CSRF. Re-authenticate for sensitive operations.
- When you use third-party tools, do not install them in their default location.
- When an error situation occurs in your code, just stop.
- Use authorization to grant a user only the minimal rights he/she needs.
- Double-check every place where you use eval().
- Use mysql_real_escape_string() on user-provided data that is used in database queries.
- Use prepared statements or stored procedures.
- Double-verify data types: do not accept a string where the data has to be an integer [use ctype_digit() or filter_var(); do not use is_int() or is_numeric()].
- Keep log files and check them from time to time.
- Do not display detailed error messages on your live site, but you can log the errors for your own checking.
- Do not use standard login names such as administrator or root.
- Do not put your administration module under a folder named admin.
- You can even use a file extension other than .php [but not .inc].
- Stop spam through your contact form: validate email addresses using filter_var().
- Encrypt sensitive information.
- Initialize variables when they are first declared.
- Disable register_globals in php.ini.
- Do not use $_REQUEST; use $_GET and $_POST instead.
- When developing, use E_ALL to see all possible errors, but turn off E_ALL on the live site.
- Type-cast and verify data. Only allow the appropriate data type.
- Use ctype_alnum(), ctype_alpha(), ctype_xdigit().
- Prefer htmlspecialchars() and htmlentities() over strip_tags().
- SQL escaping (to prevent SQL injection): mysql_escape_string(), mysql_real_escape_string(), pg_escape_string(), pg_escape_bytea(), sqlite_escape_string().
- To avoid double escaping, check get_magic_quotes_gpc().
- Session security technique: compare with the browser signature headers; if they do not match, destroy the session.
- For shared hosting, configure the following two php.ini directives properly: open_basedir, safe_mode.
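The session guidelines above (custom session name, browser-signature check, session ID regeneration after login) and the session-token approach to CSRF, combined in one form handler. This is an added example, not code from the original post; it assumes PHP 7.3 or later (array form of session_set_cookie_params()) and an HTTPS-only site, and the credential check itself is left out.

```php
<?php
// Added example, not from the original post: session hardening plus a CSRF token.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and an HTTPS-only site.
declare(strict_types=1);

session_name('appsid');                  // not the default PHPSESSID
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Strict',
]);
session_start();

// Browser signature: hash of headers that stay constant for one client.
function browserSignature(): string {
    return hash('sha256', ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|'
        . ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}
if (!isset($_SESSION['sig'])) {
    $_SESSION['sig'] = browserSignature();   // first request: record it
} elseif (!hash_equals($_SESSION['sig'], browserSignature())) {
    session_unset();                         // mismatch: destroy the session
    session_destroy();
    http_response_code(403);
    exit;
}

// CSRF token: one random value per session, embedded in every form.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
function csrfField(): string {
    $t = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf" value="' . $t . '">';
}
function csrfValid(array $post): bool {
    return isset($post['csrf']) && is_string($post['csrf'])
        && hash_equals($_SESSION['csrf'], $post['csrf']);  // constant-time compare
}

// Login handler: reject requests without a valid token, then give the
// authenticated user a fresh session ID so a pre-login ID is never reused.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST)) {
        http_response_code(403);
        exit('Invalid request');
    }
    // credential check happens here (assumed, not shown)
    session_regenerate_id(true);             // delete the old session data
    $_SESSION['csrf'] = bin2hex(random_bytes(32)); // rotate token after login
}
```

Call csrfField() inside every form that posts back to this handler; unlike the Referer check, the token does not depend on a header the browser may omit.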
From: http://sitestree.com/?p=5336
Post Date: 2013-05-05 00:07:23