Hi Richard,

Monday, November 7, 2005, 9:50:59 PM, you wrote:

> I've heard that php is not particularly secure, making it
> problematic if you intend to create a web site with commerce, etc.
> Is there a particular news group that addresses security issues? I'm
> looking for some guidelines on ensuring that my site is secure from
> malicious hackers.

The security of the application will be ultimately down to two
factors: you, and your hosting environment.

Server security is beyond the scope of this mailing list, and is a
multi-faceted and complex area. Shoring up your OS, Apache and the
likes can take years of skill. Or of course, your sys admin / web host
does this all for you. Even so, it's an area not to be ignored. You
can write the most secure application in the world, but if you've gone
and chmod 777'd your directories on a shared box, you're anyone's
target.

The security of your application is down to you however. There is a
PHP security mailing list, but it's more for announcements than
discussion. As for guidelines there are many free on-line resources,
and you'd do worse than to start here:

http://phpsec.org/library/

The majority of those documents are aimed at experienced PHP
developers however. And the majority of blatant security holes come
from the inexperienced who weren't aware of what they were doing wrong
in the first place.

There are several books available on the subject now, any (or all) of
them would give you the grounding you need to know BEFORE you start
coding:

Pro PHP Security by Snyder & Southwell (Apress)
php architect's Guide to PHP Security by Ilia Alshanetsky (Nanobooks)
Essential PHP Security by Chris Shiflett (O'Reilly)

Also some on-line talks: http://brainbulb.com/talks

php architect magazine has a security column each month as well
(www.phparch.com)

There's a lot of reading material out there. Just make sure you read
it _before_ you start building, it'll save you days, if not weeks, of
code changes.

Cheers,

Rich
-- 
Zend Certified Engineer
PHP Development Services
http://www.corephp.co.uk