IBM has a great article about writing secure PHP applications titled “Seven habits for writing secure PHP applications.” The seven habits include 19 different “lessons.”
Go read the article for the details, but here is a quick outline:
Habit 1: Validate input
Habit 2: Guard your file system
- Downloading a file
- Checking for valid file name characters
Habit 3: Guard your database
- Executing an SQL statement
- Guarding with validation and mysql_real_escape_string()
Habit 4: Guard your session
- Storing data in session
- The session files in the /tmp directory
- The contents of a session file
- session_set_save_handler() function example
Habit 5: Guard against XSS vulnerabilities
- Form for inputting text
- showResults.php
- Malicious input text sample
- A more secure form
Habit 6: Guard against invalid posts
- A form for processing text
- A form for collecting your data
- A form with invalid data
- Using a one-time form token
Habit 7: Protect against Cross-Site Request Forgeries (CSRF attacks)
- A CSRF example
- Getting the data from $_REQUEST
- Getting the data only from $_POST