Definitive PHP security checklist
April 14, 2010 @ 09:25:37

A recent post carries a long list of security tips you can follow to help ensure that some of the most common security issues are taken care of on your site.

There was a recent question about a PHP security checklist on a forum I frequent, and I've decided to write my own comprehensive checklist to fill the void. There's something for everyone but the security expert. In fact, you might find an issue that you never thought about. Securing PHP web applications would be a better title for this article.

Tips shared in the post include:

  • Have strong passwords, and be sure that your "password recovery questions" are not too obvious.
  • Be aware that you can initiate a request from something as simple as telnet, so that means that all incoming data can be forged.
  • Don't forget that inputted numbers can be very large, very small, zero, or negative. You don't want to deposit a negative number of credits!
  • The mime type/file type in the $_FILES array is provided by the user and can contain any value. Not only can the provided mime type be spoofed, it could also just be wrong or be overly generic. (Conclusion: The field is useless.)
  • Do extensive path checks to make sure you do not serve a non-uploaded file.
  • Never use user input directly in a pathname.
  • Be aware that a malicious user can sniff for packets to get a user's password. The only real solution to this problem is to use SSL.
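
The file-type, pathname and number tips above, worked as an added PHP example that is not part of the original post or the checklist. The upload directory, the allowed-type map and the credit limit are assumed values:

```php
<?php
// Added example: three checklist tips in code. UPLOAD_DIR, the allowed-type
// map and the credit limit are assumed values, not from the original post.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads'; // assumed storage directory

// Tip: $_FILES['type'] is supplied by the client and can say anything.
// Sniff the real type from the file bytes and ignore the claimed one entirely.
function detectUploadType(array $file): ?string {
    if (!is_uploaded_file($file['tmp_name'])) {
        return null; // not a file PHP received in this request
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    return $allowed[$mime] ?? null; // null means reject the upload
}

// Tip: never use user input directly in a pathname. Strip directories,
// resolve the result, and confirm it is still inside the upload directory.
function resolveDownloadPath(string $name): ?string {
    $real = realpath(UPLOAD_DIR . '/' . basename($name)); // resolves symlinks and ".."
    $base = realpath(UPLOAD_DIR);
    if ($real === false || $base === false) {
        return null; // file does not exist
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved path escaped the upload directory
    }
    return $real; // only a file that actually lives under UPLOAD_DIR is served
}

// Tip: inputted numbers can be zero, negative, huge, or not numbers at all.
// Validate as an integer within an explicit range; anything else is rejected.
function parseCreditAmount($input): ?int {
    $amount = filter_var($input, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]);
    return $amount === false ? null : $amount; // "-5", "0", "1e9", "abc" all give null
}
```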

There's lots more where this came from - a few pages of tips at least. There's not much in the way of actual code to show you how to integrate the tips into your application, but it's still a very useful list. You can also grab the full list as a downloadable cheat sheet [pdf].


All content copyright, 2015 :: - Powered by the Solar PHP Framework