By mswatcher
via blog.tuvinh.com
Published: Oct 28 2009 / 04:12
PHP is a terrific language for the rapid development of dynamic Websites. It also has many features that are friendly to beginning programmers, such as the fact that it doesn’t require variable declarations. However, many of these features can lead a programmer inadvertently to allow security holes to creep into a Web application. The popular security mailing lists teem with notes of flaws identified in PHP applications, but PHP can be as secure as any other language once you understand the basic types of flaws PHP applications tend to exhibit.
Comments
OIS replied ago:
Unvalidated Input Errors - try the filter functions built into php, there is also the ctype functions.
Access Control Flaws - you should not have an .htaccess / index.php file in every directory, because you should only have one webroot folder with public php files and subfolders for static files you want the browser to have access to. Keep function/class/log/temp files outside the webroot folder.
Session ID Protection - at least use (long and better random) salts with the hash, but prefearably dont store password in session at all.
SQL Injection Vulnerabilities - use something like mysqli or PDO with prepared statements and stored procedures.
eelmore replied ago:
Language security != Implementor security
StephenCronin replied ago:
The original article is on Sitepoint: http://articles.sitepoint.com/article/php-security-blunders/1
It sucks when someone just copies another article word for word.
Pedro Santos replied ago:
Voted down because of copied content.
Voters For This Link (12)
Voters Against This Link (7)