
Some common mistakes


448191


Seeing how many people posting their site are not doing this, it should be made loud and clear:

Turn off display_errors!

Attackers have no business viewing your errors, nor the paths to your files.

For those few who have no idea how to do this and are too lazy to read the manual:

ini_set('display_errors', 'off');

You should NOT turn off error_reporting. Attackers may have no business viewing your errors, but you DO. Configure error_log as required.

Another thing that many people are not doing:

Do NOT place library files within your document root.

If it's not intended to be accessed directly, it shouldn't be in your document root!

Be careful with including dynamically generated filenames.

include($_GET['page'].'.php');

... is asking for trouble!

If you must, use something like this:

include('includeroot'.DIRECTORY_SEPARATOR.$_GET['page'].'.php');

To be on the safe side, use open_basedir.

Validate, validate, validate!

Mistrust ALL input. That includes anything in $_POST, $_GET, $_FILES or $_SERVER.

These are the most BASIC requirements for a public website.

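An added example that is not part of 448191's post: one front-controller file that applies all four points of the post at once, the error settings, library and page files kept outside the document root, the dynamic include, and input validation. It assumes a layout where this file is public/index.php and pages/ and logs/ are sibling directories of public/; the page names, the log path and the function name resolvePage are assumptions for illustration. Prefixing an include root, as the post suggests, still leaves the page name itself to be checked, since '../' segments in $_GET['page'] walk back out of that root, so the example adds an allowlist and a realpath check on top of the prefix.

```php
<?php
// Added example, not code from the original post. Assumed layout:
//   public/index.php   <- this file, the only thing under the document root
//   pages/{home,about,contact}.php   <- includable pages, outside the document root
//   logs/php-error.log               <- error log, outside the document root
declare(strict_types=1);

// 1. Errors: report and log everything, display nothing to the client.
error_reporting(E_ALL);
ini_set('display_errors', '0');          // same effect as the post's 'off'
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-error.log'); // assumed path

// 2. Includable files live outside the document root.
$includeRoot = realpath(__DIR__ . '/../pages');   // assumed directory
if ($includeRoot === false) {
    error_log('pages directory is missing');
    http_response_code(500);
    exit;
}

// 3. Dynamic include: only names from a fixed allowlist are ever looked up.
$allowedPages = ['home', 'about', 'contact'];     // assumed page names

/**
 * Map a requested page name to an absolute file path, or null if it must be refused.
 * Hypothetical helper written for this example.
 */
function resolvePage(string $includeRoot, array $allowed, ?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        $requested = 'home';                       // default page
    }
    // 4. Validate: the allowlist is the real control; anything else is refused.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and must sit inside $includeRoot,
    // so a mistake in the allowlist can not turn into a traversal.
    $candidate = realpath($includeRoot . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false
        || strpos($candidate, $includeRoot . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// $_GET['page'] may be absent, a string, or an array (?page[]=x); only a string is acceptable.
$raw  = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
$page = resolvePage($includeRoot, $allowedPages, $raw);

if ($page === null) {
    // The operator gets the raw value in the log; the visitor gets a plain 404.
    error_log('rejected page request: ' . var_export($_GET['page'] ?? null, true));
    http_response_code(404);
    echo 'Not found';
    exit;
}

// open_basedir belongs in php.ini or the vhost, e.g. open_basedir = /var/www/app/ (assumed path);
// it caps every include and file function to that tree even if a check above is wrong.
include $page;
```

Two caveats worth knowing: ini_set only takes effect once this script is already running, so a parse error in this very file, or a startup error, is still displayed if php.ini says display_errors=On; set it to Off in php.ini or the vhost as well. And open_basedir can be tightened at runtime from PHP 5.3 onward but never loosened, which is why the example leaves it to server configuration rather than setting it per script.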