Re: php security

Cool, Chris, I'm going to take a look at that movie. Dallas, there is a
section at the top of the ini file that lists some directives and
their status to address security or performance issues, but as Chris
mentioned, your code could be as big of a risk as anything, so pay
attention to that.

On 4/6/06, Chris Shiflett <shiflett@xxxxxxx> wrote:
> Dallas Cahker wrote:
> > I was looking to see if there was a quick checklist of settings
> > for php to be disabled/enabled in the ini file to make the
> > application more secure.
>
> Although there are some directives worth disabling (register_globals,
> magic_quotes_gpc, allow_url_fopen), most vulnerabilities in PHP
> applications are a result of flaws in the PHP code. There are no magic
> php.ini configuration directives that can make your applications secure
> - not that you were suggesting this, but it's worth explicitly stating.
>
> A couple of years ago, I tried to summarize several good practices into
> a single mantra - filter input, escape output (FIEO). These practices
> don't eliminate everything, but they're a very good first step and can
> provide a solid foundation for secure PHP programming.
>
> I made a movie (webcast, screencast, or whatever you call them) about
> auditing PHP applications, and it also covers filtering input and
> escaping output:
>
> http://brainbulb.com/php-security-audit-howto.mov
>
> There's also the PHP Security Guide:
>
> http://phpsec.org/projects/guide/
>
> We're in the process of writing a second version of the guide, in order
> to address the following shortcomings:
>
> 1. The guide is several years old, so some techniques have been refined
> and/or simplified in the meantime.
> 2. The vocabulary is slightly inconsistent with the rest of the industry
> in some cases.
> 3. Not all major areas are covered, so it is incomplete.
> 4. Some explanations are ambiguous and can yield misinterpretations.
>
> Lastly, I want to point out two of the primary attacks that are not
> prevented with FIEO:
>
> 1. Cross-Site Request Forgeries (CSRF)
> 2. Session Fixation
>
> Hope that helps get you started.
>
> Chris
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

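The filter input, escape output mantra from Chris's reply, with the two gaps he names (CSRF and session fixation) handled beside it, as an added example that is not from the thread or from the PHP Security Guide; it assumes PHP 7.1 or later and a form that posts `user`, `body` and a hidden `csrf` field.

```php
<?php
// Added example (not from the thread): filter input, escape output (FIEO),
// plus the two gaps Chris names: a CSRF token and session fixation.
// Assumes PHP 7.1+ (random_bytes, hash_equals, nullable return types).

// --- Filter input: accept only what the application expects, reject the rest ---
function filter_comment(array $post): ?array {
    // Username: character allowlist and a length bound.
    if (!isset($post['user']) || !is_string($post['user'])
        || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $post['user'])) {
        return null; // reject, do not try to "clean up"
    }
    // Comment body: bounded length and valid UTF-8.
    if (!isset($post['body']) || !is_string($post['body'])
        || strlen($post['body']) > 2000 || !mb_check_encoding($post['body'], 'UTF-8')) {
        return null;
    }
    return ['user' => $post['user'], 'body' => $post['body']];
}
// --- Escape output: encode for the output context (HTML here) at the point of use ---
function render_comment(array $clean): string {
    $user = htmlspecialchars($clean['user'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body = htmlspecialchars($clean['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p><b>$user</b>: $body</p>";
}
// --- CSRF: FIEO cannot help, a forged request carries perfectly valid input ---
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf']; // embed this in a hidden form field
}
function csrf_valid(array $post): bool {
    return isset($post['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $post['csrf']);
}
// --- Session fixation: issue a fresh session id whenever privilege changes ---
function login_user(string $user): void {
    session_regenerate_id(true); // drop any id the client brought with it
    $_SESSION['user'] = $user;
    unset($_SESSION['csrf']);    // new session, new token
}
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST) || ($clean = filter_comment($_POST)) === null) {
        http_response_code(400);
        exit('Request rejected');
    }
    echo render_comment($clean);
}
```

The token check runs before the input filter because a request that fails it should never reach application logic, and `login_user()` is where the fixation defence belongs: the id changes at the moment the session gains value, not at every request.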


