PHP Security

Introduction

  1. Everything is Tainted Until Proved Otherwise
    Separating the data you know is valid from the data that might be tainted is the first step in building more robust security.
  2. Keeping Things Separate
    Not jumbling data fields inside of code means that the data can't be used to inject code. Where separating the data isn't possible, escaping the data is better than nothing.
  3. Least Privilege
    Limiting access to just what is needed minimises how much damage can be caused if things go wrong.
  4. Defense in Depth
    Just because you already checked something doesn't mean you shouldn't perform further checks in later code - just in case someone finds a way past the first check.
  5. Security and Usability
    Everything you do to make it more secure makes it less user-friendly.
  6. Escaping Data and Security
    You should never rely on escaping data to provide security.
  7. Filter Input, Escape Output
    Why filtering your data and escaping your data are sometimes both required and why filtering always is.
  8. Sanitize or Escape
    Apparently some people associate security so closely with injection attacks they completely overlook all the hundreds of other possible security issues.
  9. Proper Processing of Variables in PHP
    Data validation normally makes up more than half of the code that any script runs and yet many beginners leave it out completely.
  10. Preventing Injection
    What valid data would you expect to be able to be used for an injection attack? Obviously none. So if you make sure that all data is valid then how can an injection attack possibly be successful?
  11. Securely Passing Info Between Sites
    A look at one way in which we can set up a login system between two sites where logging into one gives access to the other without providing any easy way for someone to intercept the data being passed and use it to login themselves.
  12. Tainted Data and Validating/Sanitising
    These are such essential and basic security measures that so many beginners overlook that it is worth mentioning again.
  13. Backup to DropBox
    One way to protect your data from tampering is to back it up off site.

Specifics

  1. Register Globals
    This option was turned off by default in PHP 4.2 and no longer exists in PHP 7 for a number of very good reasons.
  2. Prevent Includes Running Separately
    A small piece of code in the top of all your includes will prevent someone being able to run them independently.
  3. Direct Page Access and Security
    The problem of making sure multiple pages are accessed in order is not quite as easily solved as blocking direct access.
  4. error_log
    Turning off error reporting stops your visitors from seeing error messages and perhaps using what they reveal to help breach your security. It doesn't prevent you from seeing the error messages; you just need to look somewhere else to see them.

Passwords

  1. Password Hashes
    PHP now includes functions specifically for hashing passwords.
  2. Security and Password Resets
    With passwords hashed you need to provide a way for people to obtain a new password. Here we look at various aspects of how to make that process secure.

More tutorials still to come.
