PHP security.

I recently discovered a blog post that I had written back in 2008 but it is still relevant today So I have decided to release it now in 2013.

This was the original post:


I have been recently reading a book about security. And I thought it was good to share all this new knowledge with the rest of the world.

There may be lots of practices that I'll miss but this text intends to be tips to be considered while programming any PHP app. :


Filter all the data you manage:

Golden rule:
All data you receive on your PHP scripts is invalid until is filtered and validated.



Use SSL every time you send sensitive data. Such login details or credit card data.


Differentiate your variables between verified and unverified. Create an empty array where you can copy all clean variables. This way will be a good thing to do verify that you are using the correct valid variables:

$cleanVars = array();

//if a variable is validated successfully you copy the value into the new array:

switch ($_POST['colorEyes']){

case 'brown':
case 'blue':
case 'green':

$cleanVar['colorEyes'] = $_POST['colorEyes']

}

Once you have filtered all the data:

Use htmlentities() to escape HTML code and html_entity_decode() to decode it.

To send strings into SQL queries use: mysql_real_escape_string().

Ask for re-login some times for specially delicate movements such password reset or contact details among others.

To check if a string is alphanumeric use: ctype_alnum()

When receiving a file name link as string you don't want the hackers to be using relative or full paths, you want just file names and deal with the directories on the script. Erase all possibility of path edition on the variables using the function basename()



Include files:
Set the includes outside root directory.
They can be anywhere and make sure that only the server and only your internal user is able to access them no one else need them. Use .htacess for this matter.

Credentials such password and username for databases should be stored in a file named db.inc
Make sure that inc is treated like a php file and if u want to deny all access to INC files u can configure Apache htaccess to deny all requests to that file extension by normal users:

<Files ~ "\.inc(.php)?$">
Order allow,deny
Deny from all
Satisfy All
</Files>


Dangerous functions:

Try to avoid using the next functions:
eval , exec, shell exec, passthru, system, popen, preg_replace, proc_open, file_get_contents, readfile, file, ini_restore, symlink, fsockopen, escapeshellcmd

Then disable them on Apache with disable_functions. If some of the functions above has to be used then be very careful how you use them...


Apache security:

Have a look at the php.ini and have a look at these apache directives:

allow_url_fopen
disable_functions
display_errors
enable_dl
error_reporting
file_uploads
log_errors
magic_quotes_gpc
memory_limit
open_basedir
register_globals
safe_mode (not used anymore?)

They are all gathered in this php.net page, (you have to scroll down, it is not very well structured)...