simonc Posted August 30, 2012 Share Posted August 30, 2012 What are the issues you always consider for security practices and what do they relate to? Quote Link to comment Share on other sites More sharing options...
Monkuar Posted August 30, 2012 Share Posted August 30, 2012 escape everything! check for negative intervals, use mysql/sessions instead of cookies/etc/etc/etc lists goes on forever Quote Link to comment Share on other sites More sharing options...
Christian F. Posted August 30, 2012 Share Posted August 30, 2012 I always keep Rule 0 in my mind: Do not underestimate the power of the dark side. Which means always validate input, escape output, handle all errors, don't show anything internal to the user, and make sure you take all the steps you can to protect your code and files. The quote is taken from Sverre H. Huseby's Innocent Code, a book I recommend everyone who's involved with web development to read. There's also a quick summary of the rules on the page, though they've started the index at 1 instead of 0 as in the book. Quote Link to comment Share on other sites More sharing options...
xyph Posted August 30, 2012 Share Posted August 30, 2012 The only time you should feel safe is with a very strong understanding of the technology and the underlying protocols. Even with proper guidance, it's very easy to implement incorrectly Quote Link to comment Share on other sites More sharing options...
Psycho Posted August 30, 2012 Share Posted August 30, 2012 Here are some things off the top of my head: 1. Never trust ANY input from the user: POST, GET, COOKIE, files, etc. Just because you have a select list doesn't mean the user will always be submitting a value from that select list. So, always analyze what should be a valid input and escape/validate accordingly. "How" you do that will be dependent upon how the data will be used and the type of data. See #2 2. Always escape/sanitize the data based upon context. You need to escape data differently based upon how it is used. It would be different for a DB query vs. displaying in the web page vs in an XML file. Some things to prevent: SQL Injection and XSS scripting. 3. Secure your files. You will likely have many files that are not meant for direct access (i.e. they are used as includes). You can put those in a directory that is not in the web root, use HTTACCESS files or put a check at the top of the file to prevent direct access. 4. Always verify access. If you have content that should only be shown to certain users you would want to check that security to determine if the links should be shown AND you should do the same before displaying the content. Never rely upon COOKIE data for storing credentials. Quote Link to comment Share on other sites More sharing options...
xyph Posted August 30, 2012 Share Posted August 30, 2012 I'm not sure how helpful this thread can be. Unless to manage to cover nearly every potential attack vector (database,filesystem,output,client trust,etc) we could potentially just be handing out a false sense of security. That can be a very dangerous thing Quote Link to comment Share on other sites More sharing options...
simonc Posted August 31, 2012 Author Share Posted August 31, 2012 All totally awesome suggestions guys, muchos love http://forums.phpfreaks.com/Smileys/nrg_alpha/happy-01.gif Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.