10 (Very) Basic Tips for PHP Web Application Security
Barebones list for the things you should be looking for when developing a web app in PHP. Some of it applies to all web apps, not just PHP.
- Use HTML_Safe (or a similar JavaScript-stripping library) to check for and remove JavaScript when you're accepting data that will be output to a page.
- Check every GET and POST variable for validity. Every web site has a URL like "dosomething.php?id=3". Make sure the id you're accepting is actually a number (or whatever type you're allowing).
- Escape strings before sending them to the database. Not doing so leaves you wide open to SQL injection.
- Make sure display_errors, magic_quotes, and register_globals are all off. Log errors to the error_log instead.
- If you have root access, don't fall too far behind in stable releases. Bugs are fixed all the time.
- Do not blindly send mail to the address entered in a form. It's easy for someone to perform header injection and spam thousands of people before you'll even notice. Do not under any circumstances use Jack's formmail. Your IP will get banned by major mail servers.
- Use a firewall/iptables. Turn off all ports you aren't using.
- Do not write any sensitive data to a cookie. I thought this was obvious, but I've seen it enough that I'm throwing it in the list.
- Don't put sensitive directories in robots.txt as your only security. Password-protect your admin areas.
- Back up your stuff offsite. Have the offsite computer connect to the server to download the backup, not the other way around.
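The id check, the database lookup and the mail-recipient check from the tips above, as an added PHP example that is not from the original post. It uses a PDO prepared statement rather than hand escaping, and htmlspecialchars() on output rather than HTML_Safe; the `items` table, the PDO connection details and the `email` form field are assumptions.

```php
<?php
// Added example (not from the original post). Assumed: an `items` table
// with id/title columns, a PDO connection, and a POSTed `email` field.

// Tip: "dosomething.php?id=3" - accept the id only if it is a positive integer.
function validId(array $get): ?int {
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Tip: keep user data out of the SQL text. A prepared statement binds the value
// separately, so no manual escaping step can be forgotten.
function loadItem(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Tip: mail headers are separated by CR/LF, so a newline inside a form value
// lets extra headers (and extra recipients) be added. Refuse any address that
// contains one, and require a syntactically valid address before calling mail().
function safeRecipient(string $address): ?string {
    if (preg_match('/[\r\n]/', $address)) {
        return null;
    }
    $clean = filter_var($address, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

// Usage (connection string and credentials are placeholders).
$id = validId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('bad id');
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$item = loadItem($pdo, $id);
if ($item !== null) {
    // Tip: never echo stored data raw; escape it for the HTML context.
    echo '<h1>' . htmlspecialchars($item['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
}
$to = safeRecipient($_POST['email'] ?? '');
if ($to !== null) {
    mail($to, 'Your request', 'Thanks for writing.', 'From: noreply@example.com');
}
```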