Looking for PHP security tips

Are there any well known and common mistakes, things that usually are
not thought about? Any security related things that I should
definitely not do? I know there is good literature out there about
this topic and I have consulted some PHP books and websites. But no
book can substitute an expert's experience.

Any piece of advice is gladly appreciated!
Thanks!
Karl

First off is a bit of role=playing to make you more aware of potential
problems. Just second guess ANYTHING that is coming in from outside
your application, whether ity is GET, POST and how you handle it.

If you use referencing to web locations based GET and POST, those
could be used to divert content or your customers to bad places.

If you display GET POST data embedded PHP scripts could make your app
do things you don't want it to.

If you store GET POST data to a database, it could be maligned to
contain cammands to do thing to/with your database you did not expect.

Even if the data does not contain some obvious exploit, what if it is
bad (too big, small, ?) or of the wrong type verify for potential
problems there. (userrs doing some email shenanigans is another
factor too)

Modules that are added by include() or refernced by others sould be
examined to make sure they are not activated by unknown scripts
outside of youre web site.

Now if you share a web server you may also have the problem of bad
neighbors on the same server attempting to check out your session
data.

Transmitting sensitive data is another issue, if you are doing
anything with SSNs, credit cards, or other sensitive data use an SSL.

If you google for PHP security you can find lots of articles, read
many some offer better tips then otyhers.

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.netwrote:
<snip>

My customers are worried abour security in PHP. I have written many
small PHP applications before where security wasn't a major concern.

Some customers may not be willing to spend $ and so they may prefer
shared host.

Shared host are viable to session related attacks if default file
based session is used--so you may want to add db based session
handler.

>I have always checked user input and posted variables and used
mysql_real_escape_string() or intval() to prevent SQL-injection and
htmlentities() to prevent CSS.

Some customers may not be willing to spend $ and so they may prefer
shared host.

Shared host are viable to session related attacks if default file
based session is used--so you may want to add db based session
handler.

Unlike XSS, new common attack is session riding--so you may have to
add secret tokens in every forms and Ajax based user info retrieval
(remember GMail's contact list attack)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

[My previous reply is messed up; please ignore that]

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.netwrote:
<snip>

My customers are worried abour security in PHP. I have written many
small PHP applications before where security wasn't a major concern.

Some customers may not be willing to spend $ and so they may prefer
shared host.

Shared host are viable to session related attacks if default file
based session is used--so you may want to add db based session
handler.

I have always checked user input and posted variables and used
mysql_real_escape_string() or intval() to prevent SQL-injection and
htmlentities() to prevent CSS.

<snip>

mysql_real_escape_string() is no more secure; use prepared statements
<http://ilia.ws/archives/103-mysql_re...rsus-Prepared-
Statements.html>

Unlike XSS, new common attack is session riding--so you may have to
add secret tokens in every forms and Ajax based user info retrieval
(remember GMail's contact list attack)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/