Programming PHP with Security in Mind

Writing code that prevents some common types of attacks is rather easy—here are some guidelines.
Conclusions

I hope these guidelines help you have more secure web applications. The big lessons here are never trust user input, never trust variables that are passed between scripts (as through GET), never trust variables that came from a web form and never trust a variable if is not initialized in your script. If you cannot initialize a variable in your script, be sure to validate it.

Nuno Loureiro is a cofounder of Ethernet, lda (www.eth.pt). He has been programming PHP for over three years and has coordinated several big web applications. He likes climbing and trekking and can be reached at nuno@eth.pt.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

aa

Anonymous's picture

window.location='http://www.yahoo.com'

Is there any way

amir's picture

Is there any way that a user can not get a page by typing url in address bar.
User only redirected to the target pages by submit a form or else....

i wanted to ask about the leftframe.php

gloadz's picture

look at this for e.g.
http://www.tvdekho.com/frameleft.php?url= has a left frame and then look at this
http://www.tvdekho.com/external.php?url=aHR0cDovL3d3dy52aWRlb3N0YXRlLnR2...

how is this formed. Please contact me.

Plagiarism

Anonymous's picture

the URL of the actual article is:
http://www.developer.com/lang/article.php/918141

Plagiarism

Anonymous's picture

I think that there are too many coincidences (same sub-topics and code snippets) with an article(http://www.developer.com/lang/archives.php), published a year prior to this one. It is just not honest not to give credit!

Most articles about security

Anonymous's picture

Most articles about security and PHP cover the same topics.
Just because they both gave the "sendmail" example it doesn't really mean anything. But everyone can read both articles and judge for themselves. :-)

CSS?

Anonymous's picture

Since when is CSS not cascading style sheets? You can't just invent acronyms for something that overlap other well known ones.

Re: CSS?

Anonymous's picture

It's also very common for people to introduce some short name for a long name so they don't have to write down the endless name all the time. So even if it's not officially used for Cross-Side-Scripting, doesn't mean he's inventing. He's just applying some writing style that is rather common. Yeah, I read books :P

Nice article, enjoyed reading it.

Re: CSS?

Anonymous's picture

XSS for cross-site scripting.

Re: CSS?

Anonymous's picture

Actually CSS stands for both Cascading Style Sheets and (for a while) Cross Site Scripting. usually now though Cross Site Scripting is refered to XSS

Re: CSS?

Anonymous's picture

IANAL (I Am Not A Linguist)

Re: Programming PHP with Security in Mind

Anonymous's picture

alert ('http://www.cgisecurity.com/cgi-bin/cookie.cgi');

Wouldn't it be great if this article would run on a secure cms?

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix