With a multitude of technology-savvy users with unknown motives on the Internet, security is an ongoing process. A series of 5 articles by Clancy Malcolm and John Coggeshall and published by O'Reilly, the PHP Security Collection offers practical, solid advice to help secure your PHP scripts and applications.
The first two articles penned by Malcolm, Ten Security Checks for PHP, Parts 1 and 2, point out 10 common security mistakes programmers make when writing their code. But, what is especially nice is the structure Malcom uses to convey this information: after pointing out a potential risk, he then goes on to identifies what type of code one should look for and suggests possible fixes or improvements. He explains SQL injection attacks, why global variables shouldn't be trusted, why the .php extension should be used for all script files as opposed to .inc or .class and more. Reading through the list helped me to identify some risks my own code had and to secure it.
The final three articles penned by Coggeshall, PHP Security, Parts 1, 2 and 3, discuss the importance of security when programming with PHP. In part 1 he teaches it's important to be keep in mind how a malicious user could make a script behave in an unintended manner when writing the application. Coggeshall stresses outside data should never be trusted and sensitive data should not be stored in the web tree, and urges coders to implement the recommended security precautions found in the PHP manual.
Coggeshall spends the most of part 2 getting "down and dirty" and showing how PHP system calls can be exploited and how they can be secured. Part 3 highlights the administrator's and programmer's most powerful (yet often neglected) tool of defense, the system logs. An appropriate error-logging mechanism is crucial for keeping runtime errors from revealing too much information about the internals of a script and yet still provide adequate information to developers.
Common coding errors can leave an application vulnerable to attack, so it's important to "think like the bad guys" while writing your code. The 5 articles of O'Reilly's PHP Security Collections help a coder do just that. With comprehensive coverage of basic attacks to advanced attacks to defense, Malcolm's and Coggeshall's articles are a must read.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.
/ 3