448191 Posted September 9, 2007

Seeing as how many people posting their site are not doing this, it should be made loud and clear: Turn off display_errors!

Attackers have no business viewing your errors, nor the paths to your files. For those few who have no idea how to do this and are too lazy to read the manual:

ini_set('display_errors', 'off');

You should NOT turn off error_reporting. Attackers may have no business viewing your errors; you DO. Configure error_log as required.

Another thing that many people are not doing: Do NOT place library files within your document root. If it's not intended to be accessed directly, it shouldn't be in your document root!

Be careful with including dynamically generated filenames.

include($_GET['page'].'.php');

... is asking for trouble! If you must, use something like this:

include('includeroot'.DIRECTORY_SEPARATOR.$_GET['page'].'.php');

To be on the safe side, use open_basedir.

Validate, validate, validate! Mistrust ALL input. That includes anything in $_POST, $_GET, $_FILES or $_SERVER.

These are the very most BASIC requirements for a public website.
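A fuller version of the include guard and error settings the post recommends, written as an added example rather than the poster's own code. It assumes an include directory outside the document root at /var/www/app/includes and a hypothetical fixed list of page names; the request parameter is only ever used to select from that list, never spliced into a path.

```php
<?php
// Added example, not from the original post. Assumes /var/www/app/includes
// lives outside the document root and holds home.php, about.php, contact.php.

// Production error handling as the post describes: report everything,
// log it, display nothing to the client.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Hardened replacement for include($_GET['page'].'.php'): the parameter
// must match an allowlisted name, and the resolved file must still sit
// inside the include root (guards against symlinks or a bad root setting).
function include_page(string $page, string $includeRoot): bool
{
    $allowed = ['home', 'about', 'contact']; // hypothetical page names

    if (!in_array($page, $allowed, true)) {
        error_log('rejected page parameter: ' . $page); // logged, never shown
        return false;
    }

    $base = realpath($includeRoot);
    $path = realpath($includeRoot . DIRECTORY_SEPARATOR . $page . '.php');

    // realpath() returns false for a missing file; the prefix check
    // confirms the canonical path is under the canonical include root.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('include outside root rejected: ' . $page);
        return false;
    }

    include $path;
    return true;
}

$page = $_GET['page'] ?? 'home';
if (!include_page($page, '/var/www/app/includes')) {
    http_response_code(404); // generic response; details stay in the log
}
```

Combine this with open_basedir set to the application directory so that even a mistake elsewhere in the code cannot read files outside it.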