On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 <eric1@xxxxxxxxxxxxxxx> wrote: > hey guys/girls, > > whats the best way to learn about security in php? Here are some relevant topics to consider: - Validate input (only accept what you're expecting, via GET, POST, and COOKIE, and don't try to fix an invalid value, throw it out.) - Use prepared statements (PDO makes this easy and generalizes quite well across popular DB's.) - Only give the bare minimum permissions required to accomplish a task (e.g., I usually have one SQL user account for reads, and one that allows for reads and writes.) - When errors occur, don't leak important system information to your users. - Hash passwords (with a salt) that are stored so you're never storing the literal value. - If you use an authentication system that's implemented with cookies (sessions-based or custom), all requests should run over https instead of http. - Escape output according to context (html, attribute, or url.) If you google the above topics, you'll find some great sites/blogs that address these topics in detail. Adam P.S. - Or, you can just use my one-file web framework which helps you automatically address all but the https issue above :) Sorry, it's a Friday so I couldn't resist the shameless plug. -- Nephtali: A simple, flexible, fast, and security-focused PHP framework http://nephtaliproject.com
