Definitive PHP security checklist
April 14, 2010 @ 09:25:37

There's a recent post with a long list of security tips you can follow to help ensure that some of the most common security issues are taken care of on your site.

There was a recent question about a PHP security checklist on a forum I frequent, and I've decided to write my own comprehensive checklist to fill the void. There's something for everyone but the security expert. In fact, you might find an issue that you never thought about. Securing PHP web applications would be a better title for this article.

Tips shared in the post include:

  • Have strong passwords, and be sure that your "password recovery questions" are not too obvious.
  • Be aware that you can initiate a request from something as simple as telnet, so that means that all incoming data can be forged.
  • Don't forget that inputted numbers can be very large, very small, zero, or negative. You don't want to deposit a negative number of credits!
  • The mime type/file type in the $_FILES array is provided by the user and can contain any value. Not only can the provided mime type be spoofed, it could also just be wrong or be overly generic. (Conclusion: The field is useless.)
  • Do extensive path checks to make sure you do not serve a non-uploaded file.
  • Never use user input directly in a pathname.
  • Be aware that a malicious user can sniff for packets to get a user's password. The only real solution to this problem is to use SSL.
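
Since the original checklist offers little code, here is an added PHP example (not from the post or its author) that implements three of the tips above: rejecting out-of-range numbers rather than coercing them, ignoring the client-supplied `$_FILES[...]['type']` in favour of sniffing the real content, and never letting user input reach a pathname when serving an uploaded file. The upload directory `/var/app/uploads`, the PNG/JPEG allow-list and the function names are assumptions for illustration; it targets PHP 7 or later.

```php
<?php
// Added example, not code from the original checklist post.
// Assumptions (hypothetical): uploads are stored in /var/app/uploads, outside
// the web root, and only PNG and JPEG images are ever accepted.

declare(strict_types=1);

const UPLOAD_DIR   = '/var/app/uploads';                        // assumed location
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Tip: inputted numbers can be huge, zero or negative.
 * Accept only an integer in [1, $max]; anything else yields null (reject),
 * it is never silently cast to something "reasonable".
 */
function parseCredits(string $raw, int $max = 1000000): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

/**
 * Tip: the mime type in $_FILES is provided by the user and is useless.
 * Detect the type from the bytes with finfo, and generate the stored
 * filename ourselves so no user-controlled text ever becomes part of a path.
 * Returns the generated filename, or null if the upload is rejected.
 */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() guarantees tmp_name really came from this request's
    // upload and not from a path an attacker managed to smuggle in.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);   // from content, not $file['type']
    if (!isset(ALLOWED_MIME[$mime])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

/**
 * Tip: never use user input directly in a pathname, and do extensive path
 * checks so you never serve a non-uploaded file. The requested name is
 * reduced to a basename, matched against the exact pattern storeUpload()
 * produces, and the resolved path must still lie inside UPLOAD_DIR
 * (realpath() follows symlinks and collapses "../").
 * Returns the absolute path to serve, or null for a 404.
 */
function resolveServedFile(string $requested): ?string
{
    $name = basename($requested);
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg)\z/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage sketch inside a request handler (assumed parameter names):
// $credits = parseCredits($_POST['credits'] ?? '');   // null => reject the request
// $stored  = storeUpload($_FILES['avatar'] ?? []);     // null => reject the upload
// $path    = resolveServedFile($_GET['f'] ?? '');      // null => respond 404
```

The pattern in `resolveServedFile()` is the one to reuse: because `storeUpload()` is the only thing that chooses filenames, the server can demand an exact format on the way out, and the `realpath()` prefix check catches anything the regex might miss, such as a symlink dropped into the upload directory.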

There's lots more where this came from - a few pages of tips at least. There's not much in the way of actual code to show you how to integrate the tips into your application, but it's still a very useful list. You can also grab the full list as a downloadable cheat sheet [pdf].

