xiao, posted December 13, 2007 (https://forums.phpfreaks.com/topic/81576-secure-php-coding/):
Can you maybe give me some links to articles about secure PHP coding? Since in the Beta section everyone posts vulnerability leaks, but I don't know which are the basic protections and most vulnerable spots etc. Thanks.
sKunKbad, posted December 13, 2007:
Every decent PHP book I've ever read had at least a small section devoted to security. You might go to the bookstore and browse for a bit, find a book you like, and then go home and buy it on Amazon.
Xyphon, posted December 13, 2007:
I can help a bit. For a lot of things, use double quotes instead of single. Well, it's hard to explain when to use double or single; read up on it. Also, use <br /> instead of <br>. Use <?PHP instead of <? or <?php. And check for a lot of possible things. My friend has everything, literally EVERYTHING, secure on his site. The battle's 7000+ lines long. Even macros are unusable.
Crew-Portal, posted December 13, 2007:
> I can help a bit. For a lot of things, use double quotes instead of single. Well, it's hard to explain when to use double or single; read up on it. Also, use <br /> instead of <br>. Use <?PHP instead of <? or <?php. And check for a lot of possible things. My friend has everything, literally EVERYTHING, secure on his site. The battle's 7000+ lines long. Even macros are unusable.

What? It's not more security-safe using <?php, <?PHP or <?; they all do the same thing. As far as <br> and <br />, they do the exact same thing, except <br> is for HTML while <br /> is for XHTML.
phpSensei, posted December 13, 2007:
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
http://phpsecurity.org/ - BOOK
http://www.governmentsecurity.org/articles/SQLinjectionBasicTutorial.php
http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/
http://www.cgisecurity.com/articles/xss-faq.shtml
xiao (author), posted December 14, 2007:
> I can help a bit. For a lot of things, use double quotes instead of single. Well, it's hard to explain when to use double or single; read up on it. Also, use <br /> instead of <br>. Use <?PHP instead of <? or <?php. And check for a lot of possible things. My friend has everything, literally EVERYTHING, secure on his site. The battle's 7000+ lines long. Even macros are unusable.

I'm not a PHP guru, but can someone maybe explain how those are security leaks? I thought <br> was just old HTML and <br/> was XHTML.
revraz, posted December 14, 2007:
They are not security leaks. Not sure where he is getting his info from.
xiao (author), posted December 14, 2007:
OK, I already thought so. Another small question. In one of the links posted above, it states that I should always use error_reporting(E_ALL); I assume that's while developing. Would it help if I disable error reporting when running my site online (if that's possible), or report as few errors as possible?
CMC, posted December 14, 2007:
Yes, report errors during development, but when the site is actually in use turn off error reporting. A good way to display user-friendly errors is using the try/catch block. Example:

```php
<?php
try {
    $number = 1;
    // Validation failed: raise an exception instead of letting a raw error escape.
    if ($number != 2) {
        throw new Exception("Not the right number");
    } else {
        echo $number;
    }
} catch (Exception $e) {
    // Only the message we chose is shown to the user.
    echo $e->getMessage();
}
?>
```
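To tie xiao's question about error_reporting(E_ALL) in production to CMC's try/catch suggestion, here is an added example that is not from this thread or any poster. It assumes PHP 5.4 or later (for http_response_code) and a placeholder log path; the divide() function is a hypothetical stand-in for application code. It keeps E_ALL on in production but logs instead of displays, so stack traces, file paths and SQL fragments never reach the browser, and it routes PHP warnings and notices through the same exception handling so each one does not need its own custom message.

```php
<?php
// Added example: production-safe error handling. Not code from the forum thread.

// Development would be: error_reporting(E_ALL); ini_set('display_errors', '1');
// Production: still report everything, but send it to a log instead of the page.
error_reporting(E_ALL);
ini_set('display_errors', '0');                          // nothing internal goes to the browser
ini_set('log_errors', '1');
ini_set('error_log', '/path/to/private/php-error.log');  // placeholder; keep it outside the web root

// Turn PHP warnings/notices into exceptions so one catch block can handle them.
set_error_handler(function ($severity, $message, $file, $line) {
    if (!(error_reporting() & $severity)) {
        return false; // error is filtered or @-suppressed; let PHP ignore it
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Last resort for anything not caught below: log the detail, show a generic page.
set_exception_handler(function ($e) {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "Sorry, something went wrong. Please try again later.\n";
});

// Hypothetical application function used to show an expected, user-facing error.
function divide($a, $b) {
    if ($b == 0) {
        throw new InvalidArgumentException('Division by zero');
    }
    return $a / $b;
}

try {
    echo divide(10, 2), "\n";   // prints 5
    echo divide(1, 0), "\n";    // throws
} catch (InvalidArgumentException $e) {
    // Expected input problem: safe to show a friendly message, detail goes to the log.
    error_log('divide() rejected input: ' . $e->getMessage());
    echo "That calculation is not allowed.\n";
}

// An unexpected error (undefined array key) becomes an ErrorException and ends up
// in the exception handler above rather than on the user's screen.
$config = array();
echo $config['missing'];
```

The split worth noticing is between errors the application expects (caught and answered with a message written for the user) and everything else (caught by set_exception_handler, logged in full, answered with one generic message). That is why a custom message is not needed for every possible error: one fallback covers the unexpected cases, and only deliberately thrown exceptions get a tailored message.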
xiao (author), posted December 14, 2007:
I didn't really get that last part. So catch 'catches' errors the server sends? Would I have to make a custom message for every possible error? Or..?
This topic is now archived and is closed to further replies.