xiao Posted December 13, 2007 Share Posted December 13, 2007 Can you maybe give me some links to articles about secure PHP coding? Since in the Beta section, everyone posts vulnerability leaks, but I don't know which are the basic protections and most vulnerable spots etc. Thanks Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/ Share on other sites More sharing options...
sKunKbad Posted December 13, 2007 Share Posted December 13, 2007 Every decent php book I've ever read had at least a small section devoted to security. You might go to the bookstore and browse for a bit, find a book you like, and then go home and buy it on Amazon. Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414326 Share on other sites More sharing options...
Xyphon Posted December 13, 2007 Share Posted December 13, 2007 I can help a bit. For a lot of things, use double quotes, insted of single. Well, its hard to explain when to use double or single, read up on it. Also, use <br /> insted of <br> Use <?PHP insted of <? or <?php And check for a lot of possible things. My friend has everything, literally EVERYTHING secure on his site. the battle's 7000+ lines long. Even macros are unusable. Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414333 Share on other sites More sharing options...
Crew-Portal Posted December 13, 2007 Share Posted December 13, 2007 I can help a bit. For a lot of things, use double quotes, insted of single. Well, its hard to explain when to use double or single, read up on it. Also, use <br /> insted of <br> Use <?PHP insted of <? or <?php And check for a lot of possible things. My friend has everything, literally EVERYTHING secure on his site. the battle's 7000+ lines long. Even macros are unusable. What its not more security safe using <?php <?PHP or <? they all do the same thuing. as far a <br> and <br /> They do the exact same except <br> is for Html While <br /> is for Xhtml. Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414353 Share on other sites More sharing options...
phpSensei Posted December 13, 2007 Share Posted December 13, 2007 http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ http://phpsecurity.org/ - BOOK http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/ http://www.cgisecurity.com/articles/xss-faq.shtml Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414359 Share on other sites More sharing options...
xiao Posted December 14, 2007 Author Share Posted December 14, 2007 I can help a bit. For a lot of things, use double quotes, insted of single. Well, its hard to explain when to use double or single, read up on it. Also, use <br /> insted of <br> Use <?PHP insted of <? or <?php And check for a lot of possible things. My friend has everything, literally EVERYTHING secure on his site. the battle's 7000+ lines long. Even macros are unusable. I'm not a PHP-guru, but can someone maybe explain how that are security leaks? I thought <br> was just old HTML and <br/> was XHTML Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414985 Share on other sites More sharing options...
revraz Posted December 14, 2007 Share Posted December 14, 2007 They are not security leaks. Not sure where he is getting his info from. Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414987 Share on other sites More sharing options...
xiao Posted December 14, 2007 Author Share Posted December 14, 2007 ok, already thought so. Another small question. In one of the links posted above, it states that I should always use error_reporting(E_ALL); I assume that while developping. Would it help if I disable error reporting when running my site online (if that's possible), or report as few errors as possible? Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-414995 Share on other sites More sharing options...
CMC Posted December 14, 2007 Share Posted December 14, 2007 Yes report errors during development but when the site is actually in use turn off error reporting. A good way to display user-friendly errors is using the try/catch block. ex: <?php try{ $number = 1; if($number != 2){ throw new Exception("Not the right number"); }else{ echo $number; } }catch(Exception $e){ echo $e->getMessage(); } ?> Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-415067 Share on other sites More sharing options...
xiao Posted December 14, 2007 Author Share Posted December 14, 2007 I didn't really get that last part So catch 'catches' errors the server sends? Would I have to make a custom message for every possible error? or..? Quote Link to comment https://forums.phpfreaks.com/topic/81576-secure-php-coding/#findComment-415078 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.